Securing the Network in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
The following task map identifies the procedures to create IP Filter rules, and enable and disable the service.
Table 5-1 Configuring IP Filter (Task Map)
How to Display IP Filter Service Defaults
Before You Begin
To run the ipfstat command, you must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
% svccfg -s ipfilter:default listprop | grep file
config/ipf6_config_file                    astring     /etc/ipf/ipf6.conf
config/ipnat_config_file                   astring     /etc/ipf/ipnat.conf
config/ippool_config_file                  astring     /etc/ipf/ippool.conf
firewall_config_default/custom_policy_file astring     none
The first three file properties have suggested file locations. These files do not exist until you create them. You can change the location of a configuration file by changing the property value for that file. For the procedure, see How to Create IP Filter Configuration Files.
You modify the fourth file property when you customize your own packet filtering rules. See Step 1 and Step 2 in How to Create IP Filter Configuration Files.
On a manually networked system, IP Filter is not enabled by default.
% svcs -x ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: disabled since Mon Sep 10 10:10:50 2012
Reason: Disabled by an administrator.
   See: http://oracle.com/msg/SMF-8000-05
   See: ipfilter(5)
Impact: This service is not running.
On an automatically networked system on an IPv4 network, run the following command to view the IP Filter policy:
$ ipfstat -io
To view the file that created the policy, read /etc/nwam/loc/NoNet/ipf.conf. This file is for viewing only. To modify the policy, see How to Create IP Filter Configuration Files.
Note - To view IP Filter policy on an IPv6 network, add the -6 option, as in: ipfstat -6io. For more information, see the ipfstat(1M) man page.
To modify the IP Filter policy for an automatically configured network configuration or to use IP Filter in a manually configured network, you create configuration files, inform the service about these files, then enable the service.
How to Create IP Filter Configuration Files
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Create the packet filtering rule set file. This file contains the packet filtering rule set.
First, set the service policy to custom:
$ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
Then set the custom_policy_file property to the location of your rule set. For example, make /etc/ipf/myorg.ipf.conf the location of your packet filtering rule set:
$ svccfg -s ipfilter:default \
setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/myorg.ipf.conf"
For information about packet filtering, see Using IP Filter's Packet Filtering Feature. For examples of configuration files, see IP Filter Configuration File Examples, and the /etc/nwam/loc/NoNet/ipf.conf file.
Note - If your specified policy file is empty, no filtering occurs. An empty packet filtering file is the same as having a rule set that reads:
pass in all
pass out all
To filter packets over a NAT, create a file for your NAT rules with an appropriate name, such as /etc/ipf/ipnat.conf. To change this name, change the value of the config/ipnat_config_file service property, as in:
$ svccfg -s ipfilter:default \
setprop config/ipnat_config_file = astring: "/etc/ipf/myorg.ipnat.conf"
For more information about NAT, see Using IP Filter's NAT Feature.
To refer to a group of addresses as a single address pool, create a file for the pool with an appropriate name, such as /etc/ipf/ippool.conf. To change this name, change the value of the config/ippool_config_file service property, as in:
$ svccfg -s ipfilter:default \
setprop config/ippool_config_file = astring: "/etc/ipf/myorg.ippool.conf"
An address pool can contain any combination of IPv4 and IPv6 addresses. For more information about address pools, see Using IP Filter's Address Pools Feature.
If you intend to filter traffic between zones that are configured in your system, you must enable loopback filtering. See How to Enable Loopback Filtering. You must also define rule sets that apply to the zones.
By default, fragments are reassembled in IP Filter. To modify the default, see How to Disable Packet Reassembly.
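The procedure above and the note about empty policy files, as an added worked example that is not from the Oracle manual: a POSIX shell script that writes a custom policy file, refuses to hand it to the service when it is empty (which would silently pass all traffic) or lacks an explicit default deny, and prints the svccfg/svcadm commands from this procedure for that file. The file path is whatever you pass in; the rules are a hypothetical default-deny policy that admits inbound SSH only.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: write a custom IP Filter policy
# file, then sanity-check it before handing it to the ipfilter service.
# Assumptions: the file path is whatever you pass in; the rules are a
# hypothetical default-deny policy that admits inbound SSH only.

# Emit the policy. Rule syntax is IP Filter's (block/pass ... keep state).
write_policy() {
    cat > "$1" <<'EOF'
#
# Define policy: default deny, stateful replies, inbound SSH only
#
block in all
block out all
pass out quick proto tcp from any to any flags S keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
EOF
}

# Count effective rules (block/pass lines), ignoring comments and blank lines.
rule_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c -E '^[[:space:]]*(block|pass)[[:space:]]'
}

# Return 0 if the file holds at least one rule. An empty or comment-only
# custom policy is the same as "pass in all / pass out all", i.e. no filtering.
check_not_empty() {
    [ "$(rule_count "$1")" -gt 0 ]
}

# Return 0 if the policy starts from an explicit default deny in both directions.
check_default_deny() {
    rules=$(grep -v '^[[:space:]]*#' "$1")
    printf '%s\n' "$rules" | grep -q -E '^[[:space:]]*block in all' &&
    printf '%s\n' "$rules" | grep -q -E '^[[:space:]]*block out all'
}

# Print the service commands from the manual for this file (dry run: nothing
# is changed; run them as an IP Filter Management administrator to apply).
service_commands() {
    cat <<EOF
svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "$1"
svcadm enable network/ipfilter
EOF
}

# Write the file, run all checks, then show the commands only when it is sane.
prepare_policy() {
    write_policy "$1"
    check_not_empty "$1" || { echo "$1: no block/pass rules (would pass everything)" >&2; return 1; }
    check_default_deny "$1" || { echo "$1: no explicit default-deny rules" >&2; return 1; }
    service_commands "$1"
}
```

Usage: `prepare_policy /etc/ipf/myorg.ipf.conf` writes the file and prints the three commands; the checks are deliberately separate functions so they can be run against any existing policy file before a refresh.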
How to Enable and Refresh IP Filter
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
You have completed How to Create IP Filter Configuration Files.
To enable IP Filter initially, type the following command:
$ svcadm enable network/ipfilter
If IP Filter is already enabled and you have changed the configuration files, refresh the service to load them:
$ svcadm refresh network/ipfilter
Note - The refresh command briefly disables the firewall. To retain the firewall, append rules or add a new configuration file. For procedures with examples, see Working With IP Filter Rule Sets.
By default, fragments are reassembled in IP Filter. To disable this reassembly, you insert a rule at the beginning of your policy file.
How to Disable Packet Reassembly
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile and the solaris.admin.edit/path-to-IPFilter-policy-file authorization. The root role has all of these rights. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
$ svcadm disable network/ipfilter
Add the following rule to the beginning of your policy file:
set defrag off;
Use the pfedit command, as in:
$ pfedit /etc/ipf/myorg.ipf.conf
This rule must precede all block and pass rules that are defined in the file. However, you can insert comments before the line, similar to the following example:
# Disable fragment reassembly
#
set defrag off;
# Define policy
#
block in all
block out all
other rules
$ svcadm enable network/ipfilter
$ ipf -T defrag
defrag  min 0   max 0x1 current 0
If current is 0, fragments are not being reassembled. If current is 1, fragments are being reassembled.
How to Enable Loopback Filtering
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile and the solaris.admin.edit/path-to-IPFilter-policy-file authorization. The root role has all of these rights. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
$ svcadm disable network/ipfilter
Add the following line to the beginning of your policy file:
set intercept_loopback true;
Use the pfedit command, as in:
$ pfedit /etc/ipf/myorg.ipf.conf
This line must precede all block and pass rules that are defined in the file. However, you can insert comments before the line, similar to the following example:
...
#set defrag off;
#
# Enable loopback filtering to filter between zones
#
set intercept_loopback true;
#
# Define policy
#
block in all
block out all
other rules
$ svcadm enable network/ipfilter
$ ipf -T ipf_loopback
ipf_loopback    min 0   max 0x1 current 1
If current is 0, loopback filtering is disabled. If current is 1, loopback filtering is enabled.
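The two procedures above share a rule (the set line must precede every block and pass rule) and a verification step (read the current value from ipf -T). As an added example that is not from the Oracle manual, the following POSIX shell script checks both: it lints the ordering of set lines in a policy file, and it compares what the file asks for (set defrag off; set intercept_loopback true;) with the current values in ipf -T output, so a file that was edited but never loaded by a refresh is noticed. The ipf -T text embedded below is a constructed sample in the format shown above; on a real system, pass the output of ipf -T instead.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: lint the 'set' tunables in an
# IP Filter policy file and cross-check them against what 'ipf -T' reports.
# Assumptions: the policy path is whatever you pass in; the ipf -T output below
# is a constructed sample in the format the manual shows. On a real system,
# pass "$(ipf -T defrag,ipf_loopback)" instead.

# Constructed sample of 'ipf -T' output (reassembly off, loopback filtering on).
SAMPLE_IPF_T='defrag          min 0   max 0x1 current 0
ipf_loopback    min 0   max 0x1 current 1'

# Return 0 when every 'set ...;' line precedes the first block/pass rule,
# which IP Filter requires; comments and blank lines may come first.
check_set_order() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*(block|pass)[[:space:]]/ { seen_rule = 1; next }
        /^[[:space:]]*set[[:space:]]/ && seen_rule { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Print the 'current' value of one tunable from ipf -T output.
# $1 = ipf -T output, $2 = tunable name (e.g. defrag, ipf_loopback).
tunable_current() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name { for (i = 1; i < NF; i++) if ($i == "current") print $(i + 1) }'
}

# Print what the policy file asks for: 1 for "set <keyword> on|true;",
# 0 for "set <keyword> off|false;", or the default ($3) when the file is silent.
# A commented-out line such as "#set defrag off;" is ignored, as IP Filter ignores it.
policy_wants() {
    want=$(awk -v kw="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "set" && $2 == kw {
            v = $3; sub(/;.*/, "", v)
            print ((v == "on" || v == "true") ? 1 : 0)
        }' "$1" | tail -n 1)
    printf '%s\n' "${want:-$3}"
}

# Return 0 when the kernel value matches the policy file's request.
# $1 = policy file, $2 = ipf -T output, $3 = set keyword, $4 = tunable, $5 = default.
verify_tunable() {
    want=$(policy_wants "$1" "$3" "$5")
    have=$(tunable_current "$2" "$4")
    if [ "$want" = "$have" ]; then
        echo "ok: $3 -> $4 current $have"
    else
        echo "MISMATCH: policy wants $3=$want but $4 current is ${have:-unknown}" >&2
        return 1
    fi
}

# Full check for the two tunables the manual documents. Defaults when the file
# does not set them: fragment reassembly on (1), loopback filtering off (0).
verify_policy() {
    check_set_order "$1" || { echo "$1: set lines must precede block/pass rules" >&2; return 1; }
    verify_tunable "$1" "$2" defrag defrag 1 &&
    verify_tunable "$1" "$2" intercept_loopback ipf_loopback 0
}
```

Usage on a live system: `verify_policy /etc/ipf/myorg.ipf.conf "$(ipf -T defrag,ipf_loopback)"`. A non-zero exit means either the file is mis-ordered or the kernel is not running the policy the file describes, which is exactly the state a missed svcadm refresh leaves behind.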
This procedure removes all rules from the kernel and disables the service. If you use this procedure, you must enable IP Filter with the appropriate configuration files to restart packet filtering and NAT. For more information, see How to Enable and Refresh IP Filter.
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
$ svcadm disable network/ipfilter
To test or debug the service, you can remove rule sets while the service is running. For more information, see Working With IP Filter Rule Sets.