Starting with Solaris 10, the firewall is built on ipfilter, whereas previously you had to deal with
the powerful but over-engineered SunScreen.
Configuration
By default the configuration file ipf.conf lives in /etc/ipf.
Let's write a simple firewall:
# Firewall for testing.
#
# My IP: 172.16.1.100
# My local NIC: elxl0
#
# Block any packets which are too short to be real
block in log quick all with short
#
# drop and log any IP packets with options set in them.
block in log all with ipopts
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public Network. Block everything not explicitly allowed.
block in on elxl0 all
block out on elxl0 all
#
# Allow pings out.
pass out quick on elxl0 proto icmp all keep state
#
# for testing, allow pings from ben and jerry
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound state related packets.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# allow ssh from 172.16.0.0/16 only.
# pass in log quick on elxl0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry, MSU
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
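Whether a packet is passed or blocked by a ruleset like the one above depends on ipfilter's evaluation order: a `quick` rule ends the search at the first match, while a rule without `quick` only sets a provisional verdict that any later matching rule can overwrite. The script below is an added example, not part of the original page: it models that order for a trimmed copy of the rules above (nine of them, embedded as constructed input) and shows, for instance, that the non-quick `block in log all with ipopts` rule is overridden by the later quick ssh rule for packets from ben.

```python
import ipaddress
# The page's ipf.conf, trimmed to nine rules (constructed input; relative order is what matters).
IPF_CONF = """
block in log quick all with short
block in log all with ipopts
pass in quick on lo0 all
block in on elxl0 all
block out on elxl0 all
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass out quick on elxl0 proto tcp/udp from any to any keep state
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
"""
def parse_rule(line):
    # Parses only the subset of ipf rule syntax used above; any other keyword raises.
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": False, "on": None, "proto": None,
         "from": "any", "to": "any", "port": None, "with": None}
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("log", "all", "quick"):        # 'all' = any src/dst; 'log' never changes the verdict
            r["quick"] = r["quick"] or w == "quick"; i += 1
        elif w in ("on", "proto", "from", "to", "with"):
            r[w] = t[i + 1]; i += 2
        elif w == "port":                       # written in the file as "port = 22"
            r["port"] = int(t[i + 2]); i += 3
        elif w == "keep":                       # 'keep state' (reply matching) is not modelled here
            i += 2
        else: raise ValueError(f"unsupported token {w!r} in rule: {line}")
    return r
RULES = [parse_rule(l) for l in IPF_CONF.splitlines() if l.strip() and not l.startswith("#")]

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    return (r["dir"] == p["dir"] and r["on"] in (None, p["on"])
            and (r["proto"] is None or p["proto"] in r["proto"].split("/"))   # "tcp/udp" covers both
            and in_net(r["from"], p["from"]) and in_net(r["to"], p["to"])
            and r["port"] in (None, p.get("port")) and r["with"] in (None, *p.get("with", ())))

def verdict(p, rules=RULES):
    """ipf order: the first matching 'quick' rule decides at once, otherwise the LAST match wins."""
    result = "pass"                             # by default ipf passes a packet that matches no rule
    for r in rules:
        if matches(r, p):
            result = r["action"]
            if r["quick"]: break
    return result
```

A packet is a dict with `dir`, `on`, `proto`, `from`, `to` and optional `port` and `with` (a tuple of packet attributes such as `"short"` or `"ipopts"`).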
NAT rules are written in /etc/ipf/ipnat.conf:
Example:
# My real NIC: elxl1
#
# Use ipfilter ftp proxy for ftp client transfers mode: active
map elxl1 172.16.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
#
# Map all tcp and udp connections from 172.16.0.0/16 to external IP address,
# changing the source port number to something between 40,000 and 60,000 inclusive
map elxl1 172.16.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
#
# For all other IP packets, map to the external IP address
map elxl1 172.16.0.0/16 -> 0.0.0.0/32
#
# Redirect incoming smtp traffic to mail server behind NAT
rdr elxl1 0.0.0.0/0 port 25 -> 172.16.1.14 port 25
#
Bringing up IPF
Sometimes you may need to tell the Solaris ipfilter which network interface it should use (I did this when I installed ipfilter on 9). Uncomment the required line in /etc/ipf/pfil.ap.
Example pfil.ap:
# IP Filter pfil autopush setup
#
# See the autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major minor lastminor modules
#iprb -1 0 pfil
elxl -1 0 pfil
#e1000g -1 0 pfil
#bge -1 0 pfil
#nf -1 0 pfil
#fa -1 0 pfil
#ci -1 0 pfil
#el -1 0 pfil
#ipdptp -1 0 pfil
#lane -1 0 pfil
#dnet -1 0 pfil
#pcelx -1 0 pfil
#spwr -1 0 pfil
On Solaris 10, starting ipf also starts the ipmon utility, which monitors the firewall and writes logs (by default to /var/adm/messages).
Useful commands:
ipf -E : Enable ipfilter when running for the first time (Needed for ipf on Tru64)
ipf -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into the active firewall.
ipf -Fa -f /etc/ipf/ipf.conf : Flush all rules, then load rules in /etc/ipf/ipf.conf into active firewall.
ipf -Fi : Flush all input rules.
ipf -I -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into inactive firewall.
ipf -V : Show version info and active list.
ipf -s : Swap active and inactive firewalls.
ipfstat : Show summary
ipfstat -i : Show input list
ipfstat -o : Show output list
ipfstat -hio : Show hits against all rules
ipfstat -t -T 5 : Monitor the state table and refresh every 5 seconds. Output is similar to 'top' monitoring the process table.
ipmon -s S : Watch state table.
ipmon -sn : Write logged entries to syslog, and convert back to hostnames and servicenames.
ipmon -s [file] : Write logged entries to some file.
ipmon -Ds : Run ipmon as a daemon, and log to default location (/var/adm/messages for Solaris or /var/log/syslog for Tru64)
ipnat -CF -f /etc/ipf/ipnat.conf : Load rules from /etc/ipf/ipnat.conf file into the active firewall.