||Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
|(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix|
|News||See also||Recommended Links||Reference|
|Log processing||GUI Frontends||GUI processing of logs||Humor||Etc|
The Solaris OS has included firewall protection technology with every copy shipped for years, with the specific goal of protecting individual systems from attack. In the Solaris 10 OS, Sun provides the Solaris IP Filter firewall software, which is based on the popular IP Filter project from the free and open source software community.
It's integrated into the Solaris IP stack high-speed firewall which allows administrators to restrict access to particular networking services in a stateful manner.
Generally reducing the network services exposed reduces your security risk.
Solaris 10 and configuring ipfilter
I am wondering what everyone is using to configure ipfilter, the new
firewall software included with Solaris 10, which has replaced SunScreen?
So far I have turned up the following in my current research (below):
Is everyone using one of the following to modify ipfilter configs? Is
there something else out there?
Per Sun at the following (2) links
you can create/edit a configuration file with you favorite text editor
(i.e. textedit, dtpad, vi, emacs, etc)
There is a GUI editor written as Perl/TK called Isba here
it appears that this is no longer being maintained
There is a GUI editor called fwbuilder here
that will edit configurations for several firewalls, to include a module
Solaris x86 firewall using IP Filter by Thang T. Mai & Hoang Q. Tran
It is really easy to make a Solaris gateway for a private network. When installing, choose to install the Core System Support component.
Setting Up NAT on Solaris Using IP Filter
So, you've got several computers on your home or business network, and you'd like to be able to access the Internet from all of them, probably via a cable (or DSL) modem. Basically you have three options:
- You connect all your machines and your cable modem to a hub, set them all up as DHCP clients (see this page for how to do this on Solaris), and go for it.
- You set up one of your machines to do NAT (Network Address Translation), hiding the rest behind a firewall using RFC 1918 compliant addresses on your network.
- You use one of those Netgear routers, or someting similar (e.g., those from Linksys), as your firewall, and let it perform NAT for you.
The last option is very popular, and is better than nothing, but you can't beat having your own dedicated firewall machine. The first method, as well as being insecure, lacks a certain je ne sais quoi, so I'll show you how to set up NAT using Darren Reed's IP Filter. If you want to use the first or last methods, you're on your own!
In my experiments, I could only get NAT to work reliably when I had two physical interfaces (i.e., using two virtual interfaces, say le0 and le0:1, didn't work). I used le0 to connect directly to my cable modem, and hme0 as the connection to the rest of my network via a 100 baseT switch. le0 is under DHCP control per these instructions, and hme0 was set up the conventional way, with the hostname in /etc/hostname.hme0, and the corresponding IP address in /etc/hosts.
Installing IP Filter
By far the best way to get IP Filter is install Solaris 10, which comes with Solaris IP Filter (which is based on IP Filter). For previous versions of Solaris, the best way to get IP Filter is to compile a copy of the latest source code, which can be downloaded from the IP Filter home page. As an alternative, I have a compiled version of the package here. This is IP Filer version 3.3.11, compiled on a Sun SPARCstation 20, running Solaris 2.6. I'm also using it on a SPARCstation 2 running Solaris 7, but it is provided here without any support. You should probably download a more recent binary from Marauding Pirates.
Configuring IP Filter
Once you've successfully installed IP Filter, you need to configure it. First of all, you need to make sure that your NAT box will forward IP packets (it's possible this ability was disabled for security reasons). As root, run this command:
ndd -get /dev/tcp ip_forwarding
If the result is "1", you're all set. Zero means that IP forwarding is not enabled. To enable it, delete the file/etc/notrouter, and possibly /etc/defaultrouter too. Create an empty /etc/gateways file, and IP forwarding will be enabled at the next reboot.
One caveat applies, though: if you're using NAT and DHCP on the same server (like I do), IP forwarding will not get enabled. So, I install this script as /etc/init.d/ip_forwarding, with a symbolic link to it from /etc/rc2.d/S69ip_forwarding. With this script in place, IP forwarding will be enabled even if you are using a DHCP client.
When you're happy that IP Filter is running, and IP forwarding is enabled, you need to set up your NAT rules. The file /etc/opt/ipf/ipnat.conf contains the rules you want to use. This is the ipnat.conf file I use, bearing in mind that all of my machines have an IP address in the 192.168.0.1 to 192.168.0.254 range; you should change the addresses between "le0" and the "->" to suit your needs (note also that I've specified le0; put the name of your outbound interface here instead):
map le0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map le0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map le0 192.168.0.0/24 -> 0/32
The 0/32 stuff is some magic to tell IP Filter to use the address currently assigned to the interface - very useful in DHCP client environments!
The order of the rules is important; don't change them unless you know what you're doing, otherwise things will break! The first rule allows FTP access from all of your hosts. The second maps the source port numbers to a high range (10000 to 40000 by default), and the third rule maps all other TCP traffic.
Use /etc/init.d/ipfboot stop and /etc/init.d/ipfboot start to test your configuration, and when you're happy that all is working well, reboot. This will make sure that everything still works as expected, even after a reboot.
That's about it - enjoy! If this page has been useful to you, please consider buying a copy of my book, Solaris Systems Programming.
IPF Firewall Solaris 10Creating an IPF Firewall with Solaris 10 Updated 12/10/04 Rich Shattuck
2. Configuring IPF
3. Enabling IPF
4. Common IPF commands
Filtering Network Traffic with Solaris 10 And IP Filter
I use Solaris 10 as my primary desktop, and like to use the Java desktop environment (GNOME w/ enhancements). To allow everything to function correctly, I have to run rpcbind and a font server. To remediate the risks associated with these services, I filter all ingress traffic with IP filter, which has been integrated into the Solaris 10 Operating System.
Since my host doesn't need to accept inbound connections from other network (other than SSH), I use the followng IP filter rules to allow stateful outbound connectivity, and limit ingress traffic to port 22 (SSH)
Google matched content
IP Filter - TCP-IP Firewall-NAT Software
The IPFilter FAQ by Phil Dibowitz!
How-To for IP Filter
Firewall Approach to Internet Security Table of Contents
docs.sun.com System Administration Guide IP Services Overview
docs.sun.com System Administration Guide IP Services Tasks
by Balázs Bárány - Thursday, March 18th 2004 10:35 PST
About: fwanalog is a shell script that parses and summarizes firewall logfiles. It understands logs from ipf (xBSD, Solaris), OpenBSD 3.x pf, Linux 2.2 ipchains, Linux 2.4 iptables, and a few types of routers and firewalls (Cisco, Checkpoint FW-1, and Watchguard). The excellent log analysis program Analog is used to create the reports.
Changes: This release has further PIX fixes and a better error message if no input files are found.
Internet :: Log Analysis
System :: Logging
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2020 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to to buy a cup of coffee for authors of this site|
Last modified: March 12, 2019