| Skip Navigation Links | |
| Exit Print View | |
|
Securing the Network in Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Securing the Network in Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library |
1. Using Link Protection in Virtualized Environments
2. Tuning Your Network (Tasks)
3. Web Servers and the Secure Sockets Layer Protocol
4. IP Filter in Oracle Solaris (Overview)
How to Display IP Filter Service Defaults
How to Create IP Filter Configuration Files
How to Enable and Refresh IP Filter
How to Disable Packet Reassembly
How to Enable Loopback Filtering
How to Disable Packet Filtering
Working With IP Filter Rule Sets
Managing Packet Filtering Rule Sets for IP Filter
How to View the Active Packet Filtering Rule Set
How to View the Inactive Packet Filtering Rule Set
How to Activate a Different or Updated Packet Filtering Rule Set
How to Remove a Packet Filtering Rule Set
How to Append Rules to the Active Packet Filtering Rule Set
How to Append Rules to the Inactive Packet Filtering Rule Set
How to Switch Between Active and Inactive Packet Filtering Rule Sets
How to Remove an Inactive Packet Filtering Rule Set From the Kernel
Managing NAT Rules for IP Filter
How to View Active NAT Rules in IP Filter
How to Deactivate NAT Rules in IP Filter
How to Append Rules to the NAT Packet Filtering Rules
Managing Address Pools for IP Filter
How to View Active Address Pools
How to Append Rules to an Address Pool
Displaying Statistics and Information for IP Filter
How to View State Tables for IP Filter
How to View State Statistics for IP Filter
How to View IP Filter Tunable Parameters
How to View NAT Statistics for IP Filter
How to View Address Pool Statistics for IP Filter
Working With Log Files for IP Filter
How to Set Up a Log File for IP Filter
How to View IP Filter Log Files
How to Flush the Packet Log Buffer
How to Save Logged Packets to a File
6. IP Security Architecture (Overview)
8. IP Security Architecture (Reference)
9. Internet Key Exchange (Overview)
The following examples illustrate packet filtering rules that apply to a single host, a server, and a router.
Configuration files follow standard UNIX syntax rules:
The pound sign (#) indicates a line containing comments.
Rules and comments can coexist on the same line.
Extraneous white space is allowed to keep rules easy to read.
Rules can be more than one line long. Use the backslash (\) at the end of a line to indicate that the rule continues on the next line.
For more detailed syntax information, see Configuring Packet Filtering Rules.
Example 5-20 IP Filter Host Configuration
This example shows a configuration on a host machine with a net0 network interface.
# pass and log everything by default pass in log on net0 all pass out log on net0 all # block, but don't log, incoming packets from other reserved addresses block in quick on net0 from 10.0.0.0/8 to any block in quick on net0 from 172.16.0.0/12 to any # block and log untrusted internal IPs. 0/32 is notation that replaces # address of the machine running IP Filter. block in log quick from 192.168.1.15 to <thishost> block in log quick from 192.168.1.43 to <thishost> # block and log X11 (port 6000) and remote procedure call # and portmapper (port 111) attempts block in log quick on net0 proto tcp from any to net0/32 port = 6000 keep state block in log quick on net0 proto tcp/udp from any to net0/32 port = 111 keep state
This rule set begins with two unrestricted rules that allow everything to pass into and out of the net0 interface. The second set of rules blocks any incoming packets from the private address spaces 10.0.0.0 and 172.16.0.0 from entering the firewall. The next set of rules blocks specific internal addresses from the host machine. Finally, the last set of rules blocks packets coming in on port 6000 and port 111.
Example 5-21 IP Filter Server Configuration
This example shows a configuration for a host machine acting as a web server. This machine has an net0 network interface.
# web server with an net0 interface # block and log everything by default; # then allow specific services # group 100 - inbound rules # group 200 - outbound rules # (0/32) resolves to our IP address) *** FTP proxy *** # block short packets which are packets # fragmented too short to be real. block in log quick all with short # block and log inbound and outbound by default, # group by destination block in log on net0 from any to any head 100 block out log on net0 from any to any head 200 # web rules that get hit most often pass in quick on net0 proto tcp from any \ to net0/32 port = http flags S keep state group 100 pass in quick on net0 proto tcp from any \ to net0/32 port = https flags S keep state group 100 # inbound traffic - ssh, auth pass in quick on net0 proto tcp from any \ to net0/32 port = 22 flags S keep state group 100 pass in log quick on net0 proto tcp from any \ to net0/32 port = 113 flags S keep state group 100 pass in log quick on net0 proto tcp from any port = 113 \ to net0/32 flags S keep state group 100 # outbound traffic - DNS, auth, NTP, ssh, WWW, smtp pass out quick on net0 proto tcp/udp from net0/32 \ to any port = domain flags S keep state group 200 pass in quick on net0 proto udp from any \ port = domain to net0/32 group 100 pass out quick on net0 proto tcp from net0/32 \ to any port = 113 flags S keep state group 200 pass out quick on net0 proto tcp from net0/32 port = 113 \ to any flags S keep state group 200 pass out quick on net0 proto udp from net0/32 to any \ port = ntp group 200 pass in quick on net0 proto udp from any \ port = ntp to net0/32 port = ntp group 100 pass out quick on net0 proto tcp from net0/32 \ to any port = ssh flags S keep state group 200 pass out quick on net0 proto tcp from net0/32 \ to any port = http flags S keep state group 200 pass out quick on net0 proto tcp from net0/32 \ to any port = https flags S keep state group 200 pass out quick on net0 proto tcp from net0/32 \ to any port = smtp flags S keep state group 200 # pass icmp packets in and out pass in quick on net0 proto icmp from any to net0/32 keep state group 100 pass out quick on net0 proto icmp from net0/32 to any keep state group 200 # block and ignore NETBIOS packets block in quick on net0 proto tcp from any \ to any port = 135 flags S keep state group 100 block in quick on net0 proto tcp from any port = 137 \ to any flags S keep state group 100 block in quick on net0 proto udp from any to any port = 137 group 100 block in quick on net0 proto udp from any port = 137 to any group 100 block in quick on net0 proto tcp from any port = 138 \ to any flags S keep state group 100 block in quick on net0 proto udp from any port = 138 to any group 100 block in quick on net0 proto tcp from any port = 139 to any flags S keep state group 100 block in quick on net0 proto udp from any port = 139 to any group 100
Example 5-22 IP Filter Router Configuration
This example shows a configuration for a router that has an internal interface, net0, and an external interface, net1.
# internal interface is net0 at 192.168.1.1 # external interface is net1 IP obtained via DHCP # block all packets and allow specific services *** NAT *** *** POOLS *** # Short packets which are fragmented too short to be real. block in log quick all with short # By default, block and log everything. block in log on net0 all block in log on net1 all block out log on net0 all block out log on net1 all # Packets going in/out of network interfaces that aren't on the loopback # interface should not exist. block in log quick on net0 from 127.0.0.0/8 to any block in log quick on net0 from any to 127.0.0.0/8 block in log quick on net1 from 127.0.0.0/8 to any block in log quick on net1 from any to 127.0.0.0/8 # Deny reserved addresses. block in quick on net1 from 10.0.0.0/8 to any block in quick on net1 from 172.16.0.0/12 to any block in log quick on net1 from 192.168.1.0/24 to any block in quick on net1 from 192.168.0.0/16 to any # Allow internal traffic pass in quick on net0 from 192.168.1.0/24 to 192.168.1.0/24 pass out quick on net0 from 192.168.1.0/24 to 192.168.1.0/24 # Allow outgoing DNS requests from our servers on .1, .2, and .3 pass out quick on net1 proto tcp/udp from net1/32 to any port = domain keep state pass in quick on net0 proto tcp/udp from 192.168.1.2 to any port = domain keep state pass in quick on net0 proto tcp/udp from 192.168.1.3 to any port = domain keep state # Allow NTP from any internal hosts to any external NTP server. pass in quick on net0 proto udp from 192.168.1.0/24 to any port = 123 keep state pass out quick on net1 proto udp from any to any port = 123 keep state # Allow incoming mail pass in quick on net1 proto tcp from any to net1/32 port = smtp keep state pass in quick on net1 proto tcp from any to net1/32 port = smtp keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = smtp keep state # Allow outgoing connections: SSH, WWW, NNTP, mail, whois pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = 22 keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = 22 keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = 80 keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = 80 keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = 443 keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = 443 keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = nntp keep state block in quick on net1 proto tcp from any to any port = nntp keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = nntp keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = smtp keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = whois keep state pass out quick on net1 proto tcp from any to any port = whois keep state # Allow ssh from offsite pass in quick on net1 proto tcp from any to net1/32 port = 22 keep state # Allow ping out pass in quick on net0 proto icmp all keep state pass out quick on net1 proto icmp all keep state # allow auth out pass out quick on net1 proto tcp from net1/32 to any port = 113 keep state pass out quick on net1 proto tcp from net1/32 port = 113 to any keep state # return rst for incoming auth block return-rst in quick on net1 proto tcp from any to any port = 113 flags S/SA # log and return reset for any TCP packets with S/SA block return-rst in log on net1 proto tcp from any to any flags S/SA # return ICMP error packets for invalid UDP packets block return-icmp(net-unr) in proto udp all
|