Securing the Network in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
Working With IP Filter Rule Sets
You might want to modify or deactivate packet filtering and NAT rules under the following circumstances:
For testing purposes
To troubleshoot system problems when you think the problems are caused by IP Filter
The following task map identifies the procedures associated with IP Filter rule sets.
Table 5-2 Working With IP Filter Rule Sets (Task Map)
Managing Packet Filtering Rule Sets for IP Filter
IP Filter allows both active and inactive packet filtering rule sets to reside in the kernel. The active rule set determines what filtering is being done on incoming packets and outgoing packets. The inactive rule set also stores rules. These rules are not used unless you make the inactive rule set the active rule set. You can manage, view, and modify both active and inactive packet filtering rule sets.
Note - The following procedures provide examples for IPv4 networks. For IPv6 packets, use the -6 option, as described in Step 2 of How to Display IP Filter Service Defaults.
How to View the Active Packet Filtering Rule Set
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
The following example shows output from the active packet filtering rule set that is loaded in the kernel.
$ ipfstat -io
empty list for ipfilter(out)
pass in quick on net1 from 192.168.1.0/24 to any
pass in all
block in on net1 from 192.168.1.10/32 to any
How to View the Inactive Packet Filtering Rule Set
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
The following example shows output from the inactive packet filtering rule set.
$ ipfstat -I -io
pass out quick on net1 all
pass in quick on net1 all
How to Activate a Different or Updated Packet Filtering Rule Set
Use the following procedure if you want to perform either of the following tasks:
Activate a packet filtering rule set other than the one that is currently in use by IP Filter.
Reload the same filtering rule set that has been newly updated.
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Create a new rule set in a separate file if you want to activate an entirely different rule set.
Update the current rule set in your configuration file.
$ ipf -Fa -f filename
The rules in filename replace the active rule set.
Note - Do not use commands such as ipf -D or svcadm restart to load the updated rule set. Such commands expose your network because they disable the firewall before loading the new rule set.
Example 5-1 Activating a Different Packet Filtering Rule Set
The following example shows how to replace one packet filtering rule set with a different rule set.
$ ipfstat -io
empty list for ipfilter(out)
pass in quick on net0 all
$ ipf -Fa -f /etc/ipf/ipfnew.conf
$ ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
Example 5-2 Reloading an Updated Packet Filtering Rule Set
The following example shows how to reload a packet filtering rule set that is currently active and which is then updated.
$ ipfstat -io (Optional)
empty list for ipfilter (out)
block in log quick from 10.0.0.0/8 to any
(Edit the /etc/ipf/myorg.ipf.conf configuration file.)
$ svcadm refresh network/ipfilter
$ ipfstat -io (Optional)
empty list for ipfilter (out)
block in log quick from 10.0.0.0/8 to any
block in quick on net11 from 192.168.0.0/12 to any
How to Remove a Packet Filtering Rule Set
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
$ ipf -F [a|i|o]
-Fa
Removes all filtering rules from the rule set.
-Fi
Removes the filtering rules for incoming packets.
-Fo
Removes the filtering rules for outgoing packets.
Example 5-3 Removing a Packet Filtering Rule Set
The following example shows how to remove all filtering rules from the active filtering rule set.
$ ipfstat -io
block out log on net0 all
block in log quick from 10.0.0.0/8 to any
$ ipf -Fa
$ ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)
How to Append Rules to the Active Packet Filtering Rule Set
Appending rules to an existing rule set can be useful when testing or debugging. The IP Filter service remains enabled when the rules are added. However, when the service is refreshed, restarted, or enabled, the rules are lost, unless they exist in files that are a property of the IP Filter service.
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Append rules to the rule set at the command line using the ipf -f - command.
$ echo "block in on net1 proto tcp from 10.1.1.1/32 to any" | ipf -f -
These appended rules are not part of IP Filter configuration when the service is refreshed, restarted, or enabled.
Perform the following commands:
Create a rule set in a file of your choice.
Add the rules that you have created to the active rule set.
$ ipf -f filename
The rules in filename are added to the end of the active rule set. Because IP Filter uses a “last matching rule” algorithm, the added rules determine filtering priorities, unless you use the quick keyword. If the packet matches a rule containing the quick keyword, the action for that rule is taken, and no subsequent rules are checked.
If filename is the value of one of the IP Filter configuration file properties, then the rules are reloaded when the service is enabled, restarted, or refreshed. Otherwise, the appended rules provide a temporary rule set.
Example 5-4 Appending Rules to the Active Packet Filtering Rule Set
The following example shows how to add a rule to the active packet filtering rule set from the command line.
$ ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
$ echo "block in on net1 proto tcp from 10.1.1.1/32 to any" | ipf -f -
$ ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on net1 proto tcp from 10.1.1.1/32 to any
How to Append Rules to the Inactive Packet Filtering Rule Set
Creating an inactive rule set in the kernel can be useful when testing or debugging. The rule set can be switched with the active rule set without stopping the IP Filter service. However, when the service is refreshed, restarted, or enabled, the inactive rule set must be added.
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
$ ipf -I -f filename
The rules in filename are added to the end of the inactive rule set. Because IP Filter uses a “last matching rule” algorithm, the added rules determine filtering priorities, unless you use the quick keyword. If the packet matches a rule containing the quick keyword, the action for that rule is taken, and no subsequent rules are checked.
Example 5-5 Appending Rules to the Inactive Rule Set
The following example shows how to add a rule to the inactive rule set from a file.
$ ipfstat -I -io
pass out quick on net1 all
pass in quick on net1 all
$ ipf -I -f /etc/ipf/ipftrial.conf
$ ipfstat -I -io
pass out quick on net1 all
pass in quick on net1 all
block in log quick from 10.0.0.0/8 to any
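The "last matching rule" behaviour that both appending procedures above rely on (an appended rule decides, unless an earlier rule carries quick) can be checked with a small simulator. This is an added example, not code from the Oracle documentation or from IP Filter itself; it re-implements matching only for the keywords that appear in this chapter's listings and assumes IP Filter's default of passing a packet that matches no rule at all.

```python
import ipaddress

def _net(tok):
    # "any" matches every address; anything else is an IPv4 prefix
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(text):
    """Parse one rule as "ipfstat -io" prints it. Only the keywords used on
    this page are understood: pass/block, in/out, log, quick, on, proto,
    from, to, all. Returns a dict; None in src/dst means "any"."""
    toks = text.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": False, "iface": None,
            "proto": None, "src": None, "dst": None, "text": text}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("log", "all"):          # neither narrows the match
            i += 1
        elif tok == "quick":
            rule["quick"], i = True, i + 1
        elif tok in ("on", "proto"):
            rule["iface" if tok == "on" else "proto"] = toks[i + 1]
            i += 2
        elif tok in ("from", "to"):
            rule["src" if tok == "from" else "dst"] = _net(toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported keyword {tok!r} in: {text}")
    return rule

def evaluate(rule_texts, direction, iface, proto, src, dst):
    """Walk the set the way IP Filter does: every rule is tested and the last
    match decides, except that a matching 'quick' rule decides at once.
    With no match at all the packet passes (assumed IP Filter default).
    Returns (action, text of the deciding rule or None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = ("pass", None)
    for r in map(parse_rule, rule_texts):
        if r["dir"] != direction or (r["iface"] and r["iface"] != iface):
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if (r["src"] and src_ip not in r["src"]) or (
                r["dst"] and dst_ip not in r["dst"]):
            continue
        verdict = (r["action"], r["text"])
        if r["quick"]:
            break
    return verdict

# Constructed rule sets, copied from the ipfstat listings on this page.
ACTIVE = ["pass in quick on net1 from 192.168.1.0/24 to any", "pass in all",
          "block in on net1 from 192.168.1.10/32 to any"]
# The same set after 'echo "block in on net1 proto tcp ..." | ipf -f -'.
APPENDED = ACTIVE + ["block in on net1 proto tcp from 10.1.1.1/32 to any"]
```

A TCP packet from 10.1.1.1 on net1 passes under ACTIVE (pass in all is the last match) and is blocked under APPENDED, while a packet from 192.168.1.10 is passed by the quick rule before the later block rule naming that host is ever reached.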
How to Switch Between Active and Inactive Packet Filtering Rule Sets
Switching to a different rule set in the kernel can be useful when testing or debugging. The rule set can be made active without stopping the IP Filter service.
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
$ ipf -s
This command enables you to switch between the active and inactive rule sets in the kernel. Note that if the inactive rule set is empty, there is no packet filtering.
Note - When the IP Filter service is refreshed, restarted, or enabled, the rules that are in files that are properties of the IP Filter service are restored. The inactive rule set is not restored.
Example 5-6 Switching Between the Active and Inactive Packet Filtering Rule Sets
The following example shows how using the ipf -s command results in the inactive rule set becoming the active rule set and the active rule set becoming the inactive rule set.
Before running the ipf -s command, the output from the ipfstat -I -io command shows the rules in the inactive rule set. The output from the ipfstat -io command shows the rules in the active rule set.
$ ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on net1 proto tcp from 10.1.1.1/32 to any
$ ipfstat -I -io
pass out quick on net1 all
pass in quick on net1 all
block in log quick from 10.0.0.0/8 to any
After running the ipf -s command, the output from the ipfstat -I -io and ipfstat -io commands shows that the contents of the two rule sets have switched.
$ ipf -s
Set 1 now inactive
$ ipfstat -io
pass out quick on net1 all
pass in quick on net1 all
block in log quick from 10.0.0.0/8 to any
$ ipfstat -I -io
empty list for inactive ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on net1 proto tcp from 10.1.1.1/32 to any
How to Remove an Inactive Packet Filtering Rule Set From the Kernel
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
$ ipf -I -Fa
Note - If you subsequently run ipf -s, the empty inactive rule set will become the active rule set. An empty active rule set means that no filtering will be done.
Example 5-7 Removing an Inactive Packet Filtering Rule Set From the Kernel
The following example shows how to flush the inactive packet filtering rule set so that all rules have been removed.
$ ipfstat -I -io
empty list for inactive ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on net1 proto tcp from 10.1.1.1/32 to any
$ ipf -I -Fa
$ ipfstat -I -io
empty list for inactive ipfilter(out)
empty list for inactive ipfilter(in)
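The two notes above both warn that ipf -s promotes whatever is in the inactive set, including an empty one that filters nothing. As an added check that is not part of the Oracle documentation, the following Python parses ipfstat -io style listings (here copied from the examples on this page as constructed text; the functions do not run ipfstat themselves) so that a script can refuse to switch to an empty set and can confirm that a switch swapped the two sets.

```python
# Constructed listings copied from the "ipfstat -io" and "ipfstat -I -io"
# output shown on this page, before and after "ipf -s".
ACTIVE_BEFORE = """\
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on net1 proto tcp from 10.1.1.1/32 to any
"""
INACTIVE_BEFORE = """\
pass out quick on net1 all
pass in quick on net1 all
block in log quick from 10.0.0.0/8 to any
"""
ACTIVE_AFTER = INACTIVE_BEFORE          # same three rules, now active
INACTIVE_AFTER = """\
empty list for inactive ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on net1 proto tcp from 10.1.1.1/32 to any
"""
# The inactive set after "ipf -I -Fa".
INACTIVE_FLUSHED = """\
empty list for inactive ipfilter(out)
empty list for inactive ipfilter(in)
"""

def parse_ipfstat(listing):
    """Split an ipfstat -io style listing into its "out" and "in" rule lists.
    ipfstat prints the out list first, then the in list; a list with no rules
    appears only as an "empty list for ... ipfilter(dir)" marker line."""
    rules = {"out": [], "in": []}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("empty list for"):
            continue
        action, direction = line.split()[:2]
        if action not in ("pass", "block") or direction not in rules:
            raise ValueError(f"unrecognised ipfstat line: {line}")
        rules[direction].append(line)
    return rules

def switch_would_disable_filtering(inactive_listing):
    """True when "ipf -s" would promote an empty set: with no in rules and
    no out rules, no packet filtering is done once the sets are swapped."""
    rules = parse_ipfstat(inactive_listing)
    return not rules["in"] and not rules["out"]

def sets_swapped(active_before, inactive_before, active_after, inactive_after):
    """Confirm the effect of "ipf -s": the old inactive set is now active and
    the old active set is now inactive."""
    return (parse_ipfstat(active_after) == parse_ipfstat(inactive_before)
            and parse_ipfstat(inactive_after) == parse_ipfstat(active_before))
```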
Managing NAT Rules for IP Filter
Use the following procedures to manage, view, and modify NAT rules for IP Filter.
How to View Active NAT Rules in IP Filter
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
The following example shows the output from the active NAT rule set.
$ ipnat -l
List of active MAP/Redirect filters:
map net0 192.168.1.0/24 -> 20.20.20.1/32
List of active sessions:
How to Deactivate NAT Rules in IP Filter
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
$ ipnat -FC
The -C option removes all entries in the current NAT rule listing. The -F option removes all active entries in the current NAT translation table, which shows the currently active NAT mappings.
Example 5-8 Removing NAT Rules
The following example shows how to remove the entries in the current NAT rules.
$ ipnat -l
List of active MAP/Redirect filters:
map net0 192.168.1.0/24 -> 20.20.20.1/32
List of active sessions:
$ ipnat -C
1 entries flushed from NAT list
$ ipnat -l
List of active MAP/Redirect filters:
List of active sessions:
How to Append Rules to the NAT Packet Filtering Rules
Appending rules to an existing rule set can be useful when testing or debugging. The IP Filter service remains enabled when the rules are added. However, when the service is refreshed, restarted, or enabled, the NAT rules are lost, unless they exist in a file that is a property of the IP Filter service.
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Append rules to the NAT rule set at the command line using the ipnat -f - command.
$ echo "map net0 192.168.1.0/24 -> 20.20.20.1/32" | ipnat -f -
These appended rules are not part of IP Filter configuration when the service is refreshed, restarted, or enabled.
Perform the following commands:
Create additional NAT rules in a file of your choice.
Add the rules that you have created to the active NAT rules.
$ ipnat -f filename
The rules in filename are added to the end of the NAT rules.
If filename is the value of one of the IP Filter configuration file properties, then the rules are reloaded when the service is enabled, restarted, or refreshed. Otherwise, the appended rules provide a temporary rule set.
Example 5-9 Appending Rules to the NAT Rule Set
The following example shows how to add a rule to the NAT rule set from the command line.
$ ipnat -l
List of active MAP/Redirect filters:
List of active sessions:
$ echo "map net0 192.168.1.0/24 -> 20.20.20.1/32" | ipnat -f -
$ ipnat -l
List of active MAP/Redirect filters:
map net0 192.168.1.0/24 -> 20.20.20.1/32
List of active sessions:
Managing Address Pools for IP Filter
Use the following procedures to manage, view, and modify address pools.
How to View Active Address Pools
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
The following example shows how to view the contents of the active address pool.
$ ippool -l
table role = ipf type = tree number = 13
	{ 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };
How to Remove an Address Pool
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
$ ippool -F
Example 5-10 Removing an Address Pool
The following example shows how to remove an address pool.
$ ippool -l
table role = ipf type = tree number = 13
	{ 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };
$ ippool -F
1 object flushed
$ ippool -l
How to Append Rules to an Address Pool
Appending rules to an existing rule set can be useful when testing or debugging. The IP Filter service remains enabled when the rules are added. However, when the service is refreshed, restarted, or enabled, the address pool rules are lost, unless they exist in a file that is a property of the IP Filter service.
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Append rules to the rule set at the command line using the ippool -f - command.
$ echo "table role = ipf type = tree number = 13 {10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24};" | ippool -f -
These appended rules are not part of IP Filter configuration when the service is refreshed, restarted, or enabled.
Perform the following commands:
Create additional address pools in a file of your choice.
Add the rules that you have created to the active address pool.
$ ippool -f filename
The rules in filename are added to the end of the active address pool.
Follow the instructions in How to Append Rules to the Active Packet Filtering Rule Set.
Note - Do not refresh or restart the IP Filter service; you will lose your added address pool rules.
Example 5-11 Appending Rules to an Address Pool
The following example shows how to add an address pool to the address pool rule set from the command line.
$ ippool -l
table role = ipf type = tree number = 13
	{ 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };
$ echo "table role = ipf type = tree number = 100 {10.0.0.0/32, 172.16.1.2/32, 192.168.1.0/24};" | ippool -f -
$ ippool -l
table role = ipf type = tree number = 100
	{ 10.0.0.0/32, 172.16.1.2/32, 192.168.1.0/24; };
table role = ipf type = tree number = 13
	{ 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };