Softpanorama


IP filter on Solaris


The Solaris OS has included firewall protection technology with every copy shipped for years, with the specific goal of protecting individual systems from attack. In the Solaris 10 OS, Sun provides the Solaris IP Filter firewall software, which is based on the popular IP Filter project from the free and open source software community.

It is a high-speed firewall, integrated into the Solaris IP stack, that allows administrators to restrict access to particular networking services in a stateful manner.

Generally, reducing the number of exposed network services reduces your security risk.


Old News ;-)

Solaris 10 and configuring ipfilter

I am wondering what everyone is using to configure ipfilter, the new
firewall software included with Solaris 10, which has replaced SunScreen?

So far I have turned up the following in my current research (below):

Is everyone using one of the following to modify ipfilter configs? Is
there something else out there?

Thanks,

Jerry K.


-=-=-=-

Per Sun at the following (2) links

<http://docs.sun.com/app/docs/doc/816-4554/6maoq023d?a=view>

<http://docs.sun.com/app/docs/doc/816-4554/6maoq023m?a=view>

you can create/edit a configuration file with your favorite text editor
(i.e. textedit, dtpad, vi, emacs, etc)

-=-=-=-

There is a GUI editor written as Perl/TK called Isba here

<http://inc2.com/isba/>

it appears that this is no longer being maintained

-=-=-=-

There is a GUI editor called fwbuilder here

<http://www.fwbuilder.org/>

that will edit configurations for several firewalls, to include a module
for ipfilter

-=-=-=-

Solaris x86 firewall using IP Filter by Thang T. Mai & Hoang Q. Tran

It is really easy to make a Solaris gateway for a private network. When installing, choose to install the Core System Support component.

Setting Up NAT on Solaris Using IP Filter

So, you've got several computers on your home or business network, and you'd like to be able to access the Internet from all of them, probably via a cable (or DSL) modem. Basically you have three options:
  1. You connect all your machines and your cable modem to a hub, set them all up as DHCP clients (see this page for how to do this on Solaris), and go for it.
  2. You set up one of your machines to do NAT (Network Address Translation), hiding the rest behind a firewall using RFC 1918 compliant addresses on your network.
  3. You use one of those Netgear routers, or something similar (e.g., those from Linksys), as your firewall, and let it perform NAT for you.

The last option is very popular, and is better than nothing, but you can't beat having your own dedicated firewall machine. The first method, as well as being insecure, lacks a certain je ne sais quoi, so I'll show you how to set up NAT using Darren Reed's IP Filter. If you want to use the first or last methods, you're on your own!

Hardware

In my experiments, I could only get NAT to work reliably when I had two physical interfaces (i.e., using two virtual interfaces, say le0 and le0:1, didn't work). I used le0 to connect directly to my cable modem, and hme0 as the connection to the rest of my network via a 100 baseT switch. le0 is under DHCP control per these instructions, and hme0 was set up the conventional way, with the hostname in /etc/hostname.hme0, and the corresponding IP address in /etc/hosts.

Installing IP Filter

By far the best way to get IP Filter is to install Solaris 10, which comes with Solaris IP Filter (which is based on IP Filter). For previous versions of Solaris, the best way to get IP Filter is to compile a copy of the latest source code, which can be downloaded from the IP Filter home page. As an alternative, I have a compiled version of the package here. This is IP Filter version 3.3.11, compiled on a Sun SPARCstation 20, running Solaris 2.6. I'm also using it on a SPARCstation 2 running Solaris 7, but it is provided here without any support. You should probably download a more recent binary from Marauding Pirates.

Configuring IP Filter

Once you've successfully installed IP Filter, you need to configure it. First of all, you need to make sure that your NAT box will forward IP packets (it's possible this ability was disabled for security reasons). As root, run this command:

ndd -get /dev/tcp ip_forwarding

If the result is "1", you're all set. Zero means that IP forwarding is not enabled. To enable it, delete the file /etc/notrouter, and possibly /etc/defaultrouter too. Create an empty /etc/gateways file, and IP forwarding will be enabled at the next reboot.

One caveat applies, though: if you're using NAT and DHCP on the same server (like I do), IP forwarding will not get enabled. So, I install this script as /etc/init.d/ip_forwarding, with a symbolic link to it from /etc/rc2.d/S69ip_forwarding. With this script in place, IP forwarding will be enabled even if you are using a DHCP client.

When you're happy that IP Filter is running, and IP forwarding is enabled, you need to set up your NAT rules. The file /etc/opt/ipf/ipnat.conf contains the rules you want to use. This is the ipnat.conf file I use, bearing in mind that all of my machines have an IP address in the 192.168.0.1 to 192.168.0.254 range; you should change the addresses between "le0" and the "->" to suit your needs (note also that I've specified le0; put the name of your outbound interface here instead):

map le0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map le0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map le0 192.168.0.0/24 -> 0/32

The 0/32 stuff is some magic to tell IP Filter to use the address currently assigned to the interface - very useful in DHCP client environments!

The order of the rules is important; don't change them unless you know what you're doing, otherwise things will break! The first rule allows FTP access from all of your hosts. The second maps the source port numbers to a high range (10000 to 40000 by default), and the third rule maps all other TCP traffic.

Use /etc/init.d/ipfboot stop and /etc/init.d/ipfboot start to test your configuration, and when you're happy that all is working well, reboot. This will make sure that everything still works as expected, even after a reboot.

That's about it - enjoy! If this page has been useful to you, please consider buying a copy of my book, Solaris Systems Programming.
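
The rule-order warning in the NAT walkthrough above can be checked mechanically before ipfboot is restarted. The script below is an added example, not part of the original article or of IP Filter; lint_ipnat and both sample rule sets are hypothetical, and rules are compared only by interface and source network.

```shell
#!/bin/sh
# Added example: lint ipnat.conf "map" rule order. ipnat applies the first map
# rule that matches a packet, so a broader rule placed earlier shadows the rest.
# Constructed input: the page's three rules with the catch-all moved to the top.
sample_bad() {
cat <<'EOF'
# constructed, mis-ordered ipnat.conf
map le0 192.168.0.0/24 -> 0/32
map le0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map le0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
EOF
}
# The order given on the page: proxy, then portmap, then catch-all.
sample_good() {
cat <<'EOF'
map le0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map le0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map le0 192.168.0.0/24 -> 0/32
EOF
}

# lint_ipnat (hypothetical helper): reads rules on stdin, prints one finding
# per shadowed rule, returns 1 if anything was found and 0 otherwise.
lint_ipnat() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    $1 != "map" || $4 != "->" { next }       # only: map <if> <src> -> <dst> ...
    {
        key = $2 " " $3                      # interface + source network
        kind = "plain"
        for (i = 6; i <= NF; i++)
            if ($i == "proxy" || $i == "portmap") kind = $i
        if (kind == "plain") {               # catch-all: remember the first one
            if (!(key in plain)) plain[key] = NR
            next
        }
        if (key in plain) {
            printf "line %d: %s rule for %s shadowed by catch-all on line %d\n", NR, kind, key, plain[key]; bad = 1
        } else if (kind == "proxy" && (key in pmap)) {
            printf "line %d: proxy rule for %s shadowed by portmap on line %d\n", NR, key, pmap[key]; bad = 1
        }
        if (kind == "portmap" && !(key in pmap)) pmap[key] = NR
    }
    END { exit bad + 0 }'
}

sample_bad | lint_ipnat || echo "fix the rule order before running ipfboot start"
```

Against a live system the input would be the file named in the walkthrough, for example lint_ipnat < /etc/opt/ipf/ipnat.conf.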

IPF Firewall Solaris 10: Creating an IPF Firewall with Solaris 10, by Rich Shattuck (updated 12/10/04)

1. Background
2. Configuring IPF
3. Enabling IPF
4. Common IPF commands

Filtering Network Traffic with Solaris 10 And IP Filter

I use Solaris 10 as my primary desktop, and like to use the Java desktop environment (GNOME w/ enhancements). To allow everything to function correctly, I have to run rpcbind and a font server. To remediate the risks associated with these services, I filter all ingress traffic with IP filter, which has been integrated into the Solaris 10 Operating System.

Since my host doesn't need to accept inbound connections from other networks (other than SSH), I use the following IP filter rules to allow stateful outbound connectivity, and limit ingress traffic to port 22 (SSH).
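
The author's rules are not reproduced on this page. As an added example (not the author's configuration), the script below embeds a constructed ipf.conf that implements the policy described and audits it for inbound exposure; the interface name e1000g0 and the helper audit_ipf_inbound are assumptions. The audit treats every "pass in" rule as exposure and does not model full ipf rule evaluation.

```shell
#!/bin/sh
# Added example: audit an ipf.conf for what it lets in from the network.
# Constructed ruleset: default-deny inbound, SSH in, stateful outbound.
sample_rules() {
cat <<'EOF'
# constructed ipf.conf (interface name is an assumption)
block in log on e1000g0 all
pass in quick on e1000g0 proto tcp from any to any port = 22 flags S keep state
pass out quick on e1000g0 proto tcp from any to any flags S keep state
pass out quick on e1000g0 proto udp from any to any keep state
pass out quick on e1000g0 proto icmp from any to any keep state
EOF
}

# audit_ipf_inbound "PORTS" (hypothetical helper): reads rules on stdin and
# reports every "pass in" rule whose destination port is not in the
# space-separated PORTS list, plus a missing default "block in ... all".
# Returns 0 when the ruleset is clean, 1 otherwise.
audit_ipf_inbound() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    $1 == "block" && $2 == "in" && $NF == "all" { deny = 1; next }
    $1 == "pass" && $2 == "in" {
        port = "ANY"; seen_to = 0                 # ANY: no destination port limit
        for (i = 3; i < NF; i++) {
            if ($i == "to") seen_to = 1           # ignore source-side "port ="
            if (seen_to && $i == "port" && $(i+1) == "=") port = $(i+2)
        }
        if (!(port in ok)) { printf "line %d: inbound pass to port %s\n", NR, port; bad = 1 }
    }
    END {
        # IP Filter passes packets that match no rule unless built to block by default.
        if (!deny) { print "no \"block in ... all\" rule: unmatched inbound packets are passed"; bad = 1 }
        exit bad + 0
    }'
}

sample_rules | audit_ipf_inbound 22 && echo "only SSH is reachable inbound"
```

Adding a constructed rule that opens port 111 (rpcbind, one of the services the author wants shielded) makes the audit fail with a finding for that line.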

Recommended Links


Sites

IP Filter - TCP-IP Firewall-NAT Software

The IPFilter FAQ by Phil Dibowitz!

How-To for IP Filter

http://www.false.net/ipfilter/ The searchable ipfilter mailing list archive
http://www.iae.nl/users/guido/bsdcon2000/ Slides from Guido Van Rooij's ipfilter presentation at BSDcon 2000

Firewall Approach to Internet Security Table of Contents


Reference

docs.sun.com System Administration Guide IP Services Overview

docs.sun.com System Administration Guide IP Services Tasks

Log Processing

fwanalog 0.6.4
by Balázs Bárány - Thursday, March 18th 2004 10:35 PST

About: fwanalog is a shell script that parses and summarizes firewall logfiles. It understands logs from ipf (xBSD, Solaris), OpenBSD 3.x pf, Linux 2.2 ipchains, Linux 2.4 iptables, and a few types of routers and firewalls (Cisco, Checkpoint FW-1, and Watchguard). The excellent log analysis program Analog is used to create the reports.

Changes: This release has further PIX fixes and a better error message if no input files are found.

Categories: Internet :: Log Analysis, Security, System :: Logging





Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March 12, 2019