System Administration Guide: IP Services

Chapter 25 Solaris IP Filter (Tasks)

This chapter provides step-by-step instructions for Solaris IP Filter tasks. For overview information about Solaris IP Filter, see Chapter 24, Solaris IP Filter (Overview).

This chapter contains the following information:

  • Configuring Solaris IP Filter
  • Deactivating and Disabling Solaris IP Filter
  • Working With Solaris IP Filter Rule Sets
  • Displaying Statistics and Information for Solaris IP Filter
  • Working With Log Files for Solaris IP Filter
  • Creating and Editing Solaris IP Filter Configuration Files

Configuring Solaris IP Filter

The following task map identifies the procedures associated with configuring Solaris IP Filter.

Table 25–1 Configuring Solaris IP Filter (Task Map)

Task: Initially enable Solaris IP Filter.
Description: Solaris IP Filter is not enabled by default. You must either enable it manually or use the configuration files in the /etc/ipf/ directory and reboot the system. Beginning with the Solaris Express, Developer Edition 1/08 release, packet filter hooks replace the pfil module as the mechanism that attaches Solaris IP Filter to the network stack.
For Instructions: How to Enable Solaris IP Filter

Task: Re-enable Solaris IP Filter.
Description: If Solaris IP Filter is deactivated or disabled, you can re-enable it either by rebooting the system or by using the ipf command.
For Instructions: How to Re-Enable Solaris IP Filter

Task: Enable loopback filtering.
Description: Optionally, enable loopback filtering, for example, to filter traffic between zones.
For Instructions: How to Enable Loopback Filtering

How to Enable Solaris IP Filter

Use this procedure to enable Solaris IP Filter on a system that is running at least Solaris Express, Developer Edition 1/08 OS.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Create a packet filtering rule set.

    The packet filtering rule set contains packet filtering rules that are used by Solaris IP Filter. If you want the packet filtering rules to be loaded at boot time, edit the /etc/ipf/ipf.conf file to implement IPv4 packet filtering. Use the /etc/ipf/ipf6.conf file for IPv6 packet filtering rules. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice, and manually activate packet filtering. For information about packet filtering, see Using Solaris IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing Solaris IP Filter Configuration Files.

  3. (Optional) Create a network address translation (NAT) configuration file.


    Note –

    Network Address Translation (NAT) does not support IPv6.


    Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually activate the NAT rules.

    For more information about NAT, see Using Solaris IP Filter's NAT Feature.

  4. (Optional) Create an address pool configuration file.

    Create an ippool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put the address pool. If you do not want the address pool configuration file to be loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate the rules.

    An address pool can contain only IPv4 addresses, only IPv6 addresses, or a mix of IPv4 and IPv6 addresses.

    For more information about address pools, see Using Solaris IP Filter's Address Pools Feature.

  5. (Optional) Enable filtering of loopback traffic.

    If you intend to filter traffic between zones that are configured in your system, you must enable loopback filtering. See How to Enable Loopback Filtering. Make sure that you also define the appropriate rule sets that apply to the zones.

  6. Activate Solaris IP Filter.


    # svcadm enable network/ipfilter
    

How to Re-Enable Solaris IP Filter

You can re-enable packet filtering after it has been temporarily disabled.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Enable Solaris IP Filter and activate filtering using one of the following methods:

    • Reboot the machine.


      # reboot
      

      Note –

      When IP Filter is enabled, the following files are loaded after a reboot if they are present: /etc/ipf/ipf.conf, /etc/ipf/ipf6.conf (when IPv6 is in use), and /etc/ipf/ipnat.conf.


    • Perform the following series of commands to enable Solaris IP Filter and activate filtering:

      1. Enable Solaris IP Filter.


        # ipf -E
        
      2. Activate packet filtering.


        # ipf -f filename
        
      3. (Optional) Activate NAT.


        # ipnat -f filename
        

        Note –

        Network Address Translation (NAT) does not support IPv6.


How to Enable Loopback Filtering


Note –

You can filter loopback traffic only if your system is running at least Solaris Express, Developer Edition 1/08 release. In previous Solaris 10 releases, loopback filtering is not supported.


  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Stop Solaris IP Filter if it is running.


    # svcadm disable network/ipfilter
    
  3. Edit the /etc/ipf/ipf.conf file (or the /etc/ipf/ipf6.conf file for IPv6 rules) by adding the following line at the beginning of the file:


    set intercept_loopback true;

    This line must precede all the IP filter rules that are defined in the file. However, you can insert comments before the line, similar to the following example:


    # 
    # Enable loopback filtering to filter between zones 
    # 
    set intercept_loopback true; 
    # 
    # Define policy 
    # 
    block in all 
    block out all 
    <other rules>
    ...
  4. Start the Solaris IP filter.


    # svcadm enable network/ipfilter
    
  5. To verify the status of loopback filtering, use the following command:


    # ipf -T ipf_loopback
    ipf_loopback    min 0   max 0x1 current 1
    #

    If loopback filtering is disabled, the command would generate the following output:


    ipf_loopback    min 0   max 0x1 current 0
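The enable, re-enable and loopback procedures above end by activating the service, but none of them checks the files you wrote, and the failure modes are quiet: a rule file that is empty after comments means no filtering at all, a set intercept_loopback line placed after the first rule is ineffective, and a rule that names a pool/N that ippool.conf never defines does not match the hosts you meant. The following script is an added example, not part of the Solaris documentation or of Solaris IP Filter itself. It stages a constructed ipf.conf, ippool.conf and ipnat.conf in a scratch directory, runs those three checks, and interprets the ipf -T ipf_loopback output from step 5. The interface dmfe0, pool number 13, the addresses and the SSH/DNS rules are assumptions chosen for the example; copy the files into /etc/ipf only after reviewing them.

```shell
#!/bin/sh
# Added example; not part of the Solaris documentation or of Solaris IP Filter.
# Stages a constructed Solaris IP Filter configuration in a scratch directory
# and checks it before an administrator copies it into /etc/ipf and runs
# "svcadm enable network/ipfilter".  Interface dmfe0, pool number 13 and all
# addresses are assumptions chosen for the example.

# Write the constructed ipf.conf, ippool.conf and ipnat.conf into $1.
stage_ipf_config() {
  mkdir -p "$1"
  cat > "$1/ipf.conf" <<'EOF'
#
# Enable loopback filtering so that traffic between zones is filtered
#
set intercept_loopback true;
#
# Default policy: deny everything, then open only what is needed
#
block in all
block out all
# Management hosts live in address pool 13, defined in ippool.conf
pass in quick on dmfe0 proto tcp from pool/13 to any port = 22 flags S keep state
pass out quick on dmfe0 proto tcp from any to any flags S keep state
pass out quick on dmfe0 proto udp from any to any port = 53 keep state
EOF
  cat > "$1/ippool.conf" <<'EOF'
table role = ipf type = tree number = 13
        { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };
EOF
  cat > "$1/ipnat.conf" <<'EOF'
map dmfe0 192.168.1.0/24 -> 20.20.20.1/32
EOF
}

# Print only the rule lines of a file: comments and blank lines removed.
rule_lines() {
  sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Check 1: a rule file must contain at least one rule.  An empty active rule
# set means no filtering at all, not "deny everything".
check_not_empty() {
  [ -n "$(rule_lines "$1")" ]
}

# Check 2: the procedure above requires "set intercept_loopback true;" to
# precede every rule, so if it is present it must be the first rule line.
check_loopback_first() {
  if grep -q 'intercept_loopback' "$1"; then
    rule_lines "$1" | head -n 1 | grep -q '^[[:space:]]*set intercept_loopback true;'
  fi
}

# Check 3: every "pool/N" referenced in rule file $1 must be defined as
# "number = N" in pool file $2 (one reference per line is assumed).
check_pools_defined() {
  for n in $(sed -n 's#.*pool/\([0-9][0-9]*\).*#\1#p' "$1" | sort -u); do
    grep -Eq "number *= *$n([^0-9]|$)" "$2" ||
      { echo "pool/$n is referenced in $1 but not defined in $2" >&2; return 1; }
  done
}

# Check 4: interpret the output line of "ipf -T ipf_loopback", for example
# "ipf_loopback    min 0   max 0x1 current 1"; true when loopback
# filtering is active.
loopback_enabled() {
  printf '%s\n' "$1" | awk '
    $1 == "ipf_loopback" {
      for (i = 1; i < NF; i++) if ($i == "current") { found = 1; val = $(i + 1) }
    }
    END { exit ((found && val == 1) ? 0 : 1) }'
}

# Stand-alone run: stage into a throwaway directory and report.
demo=$(mktemp -d)
stage_ipf_config "$demo"
for f in ipf.conf ippool.conf ipnat.conf; do
  if check_not_empty "$demo/$f"; then echo "$f: contains rules"; else echo "$f: NO RULES"; fi
done
if check_loopback_first "$demo/ipf.conf"; then echo "ipf.conf: intercept_loopback precedes all rules"; fi
if check_pools_defined "$demo/ipf.conf" "$demo/ippool.conf"; then echo "ipf.conf: all referenced pools are defined"; fi
if loopback_enabled 'ipf_loopback    min 0   max 0x1 current 0'; then echo "loopback: on"; else echo "loopback: off (run the procedure above)"; fi
rm -rf "$demo"
```

On a live system, feed the real output into the last check with `loopback_enabled "$(ipf -T ipf_loopback)"` after `svcadm enable network/ipfilter`; the other three checks run on the staged files before anything is loaded into the kernel.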

Deactivating and Disabling Solaris IP Filter

You might want to deactivate or disable packet filtering and NAT under the following circumstances:

The following task map identifies the procedures associated with deactivating or disabling Solaris IP Filter features.

Table 25–2 Deactivating and Disabling Solaris IP Filter (Task Map)

Task: Deactivate packet filtering.
Description: Deactivate packet filtering using the ipf command.
For Instructions: How to Deactivate Packet Filtering

Task: Deactivate NAT.
Description: Deactivate NAT using the ipnat command.
For Instructions: How to Deactivate NAT

Task: Disable packet filtering and NAT.
Description: Disable packet filtering and NAT using the ipf -D command.
For Instructions: How to Disable Packet Filtering

How to Deactivate Packet Filtering

The following procedure deactivates Solaris IP Filter packet filtering by flushing the packet filtering rules from the active filtering rule set. The procedure does not disable Solaris IP Filter. You can reactivate Solaris IP Filter by adding rules to the rule set.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use one of the following methods to deactivate Solaris IP Filter rules:

    • Remove the active rule set from the kernel.


      # ipf -Fa
      

      This command deactivates all packet filtering rules.

    • Remove incoming packet filtering rules.


      # ipf -Fi
      

      This command deactivates packet filtering rules for incoming packets.

    • Remove outgoing packet filtering rules.


      # ipf -Fo
      

      This command deactivates packet filtering rules for outgoing packets.

How to Deactivate NAT

The following procedure deactivates Solaris IP Filter NAT rules by flushing the NAT rules from the active NAT rules set. The procedure does not disable Solaris IP Filter. You can reactivate Solaris IP Filter by adding rules to the rule set.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Remove NAT from the kernel.


    # ipnat -FC
    

    The -C option removes all entries in the current NAT rule listing. The -F option removes all active entries in the current NAT translation table, which shows the currently active NAT mappings.

How to Disable Packet Filtering

When you run this procedure, both packet filtering and NAT are removed from the kernel. If you use this procedure, you must re-enable Solaris IP Filter in order to reactivate packet filtering and NAT. For more information, see How to Re-Enable Solaris IP Filter.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Disable packet filtering and allow all packets to pass into the network.


    # ipf -D
    

    Note –

    The ipf -D command flushes the rules from the rule set. When you re-enable filtering, you must add rules to the rule set.


Working With Solaris IP Filter Rule Sets

The following task map identifies the procedures associated with Solaris IP Filter rule sets.

Table 25–3 Working With Solaris IP Filter Rule Sets (Task Map)

Task: Manage, view and modify Solaris IP Filter packet filtering rule sets.
For Instructions: Managing Packet Filtering Rule Sets for Solaris IP Filter
  • View an active packet filtering rule set: How to View the Active Packet Filtering Rule Set
  • View an inactive packet filtering rule set: How to View the Inactive Packet Filtering Rule Set
  • Activate a different active rule set: How to Activate a Different or Updated Packet Filtering Rule Set
  • Remove a rule set: How to Remove a Packet Filtering Rule Set
  • Add rules to the rule sets: How to Append Rules to the Active Packet Filtering Rule Set; How to Append Rules to the Inactive Packet Filtering Rule Set
  • Move between active and inactive rule sets: How to Switch Between Active and Inactive Packet Filtering Rule Sets
  • Delete an inactive rule set from the kernel: How to Remove an Inactive Packet Filtering Rule Set From the Kernel

Task: Manage, view and modify Solaris IP Filter NAT rules.
For Instructions: Managing NAT Rules for Solaris IP Filter
  • View active NAT rules: How to View Active NAT Rules
  • Remove NAT rules: How to Remove NAT Rules
  • Add additional rules to NAT rules: How to Append Rules to the NAT Rules

Task: Manage, view and modify Solaris IP Filter address pools.
For Instructions: Managing Address Pools for Solaris IP Filter
  • View active address pools: How to View Active Address Pools
  • Remove an address pool: How to Remove an Address Pool
  • Add additional rules to an address pool: How to Append Rules to an Address Pool

Managing Packet Filtering Rule Sets for Solaris IP Filter

When Solaris IP Filter is enabled, both active and inactive packet filtering rule sets can reside in the kernel. The active rule set determines what filtering is being done on incoming packets and outgoing packets. The inactive rule set also stores rules. These rules are not used unless you make the inactive rule set the active rule set. You can manage, view, and modify both active and inactive packet filtering rule sets.

How to View the Active Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the active packet filtering rule set that is loaded in the kernel.


    # ipfstat -io
    

Example 25–1 Viewing the Active Packet Filtering Rule Set

The following example shows output from the active packet filtering rule set that is loaded in the kernel.


# ipfstat -io
empty list for ipfilter(out)
pass in quick on dmfe1 from 192.168.1.0/24 to any
pass in all
block in on dmfe1 from 192.168.1.10/32 to any

How to View the Inactive Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the inactive packet filtering rule set.


    # ipfstat -I -io
    

Example 25–2 Viewing the Inactive Packet Filtering Rule Set

The following example shows output from the inactive packet filtering rule set.


# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all

How to Activate a Different or Updated Packet Filtering Rule Set

Use the following procedure if you want to perform either of the following tasks:

  • Activate an entirely different rule set that you keep in a separate file.

  • Reload the currently active rule set after editing its configuration file.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Choose one of the following steps:

    • Create a new rule set in a separate file of your choice if you want to activate an entirely different rule set.

    • Update the current rule set by editing the configuration file that contains that rule set.

  3. Remove the current rule set and load the new rule set.


    # ipf -Fa -f filename
    

    The filename can either be the new file with the new rule set or the updated file that contains the active rule set.

    The active rule set is removed from the kernel. The rules in the filename file become the active rule set.


    Note –

    You still need to issue the command even if you are reloading the current configuration file. Otherwise, the old rule set continues to be operative, and the modified rule set in the updated configuration file is not applied.

    Do not use commands such as ipf -D or svcadm restart to load the updated rule set. Such commands expose your network by disabling the firewall first before loading the new rule set.



Example 25–3 Activating a Different Packet Filtering Rule Set

The following example shows how to replace one packet filtering rule set with another packet filtering rule set in a separate configuration file, /etc/ipf/ipf.conf.


# ipfstat -io
empty list for ipfilter(out)
pass in quick on dmfe all
# ipf -Fa -f /etc/ipf/ipf.conf
# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any


Example 25–4 Reloading an Updated Packet Filtering Rule Set

The following example shows how to reload a packet filtering rule set that is currently active and which is then updated. In this example, the file in use is /etc/ipf/ipf.conf.


# ipfstat -io (Optional)
empty list for ipfilter (out)
block in log quick from 10.0.0.0/8 to any

(Edit the /etc/ipf/ipf.conf configuration file.)

# ipf -Fa -f /etc/ipf/ipf.conf
# ipfstat -io (Optional)
empty list for ipfilter (out)
block in log quick from 10.0.0.0/8 to any
block in quick on elx10 from 192.168.0.0/12 to any

How to Remove a Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Remove the rule set.


    # ipf -F [a|i|o]
    
    -a

    Removes all filtering rules from the rule set.

    -i

    Removes the filtering rules for incoming packets.

    -o

    Removes the filtering rules for outgoing packets.


Example 25–5 Removing a Packet Filtering Rule Set

The following example shows how to remove all filtering rules from the active filtering rule set.


# ipfstat -io
block out log on dmf0 all
block in log quick from 10.0.0.0/8 to any
# ipf -Fa
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

How to Append Rules to the Active Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use one of the following methods to append rules to the active rule set:

    • Append rules to the rule set at the command line using the ipf -f - command.


      # echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f -
      
    • Perform the following commands:

      1. Create a rule set in a file of your choice.

      2. Add the rules you have created to the active rule set.


        # ipf -f filename
        

        The rules in filename are added to the end of the active rule set. Because Solaris IP Filter uses a “last matching rule” algorithm, an appended rule takes precedence over any earlier rule that matches the same packet, so appending a permissive rule can silently override an existing block rule. The exception is the quick keyword: if a packet matches a rule that contains quick, the action for that rule is taken, and no subsequent rules are checked.


Example 25–6 Appending Rules to the Active Packet Filtering Rule Set

The following example shows how to add a rule to the active packet filtering rule set from the command line.


# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
# echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f -
# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any

How to Append Rules to the Inactive Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Create a rule set in a file of your choice.

  3. Add the rules you have created to the inactive rule set.


    # ipf -I -f filename
    

    The rules in filename are added to the end of the inactive rule set. Because Solaris IP Filter uses a “last matching rule” algorithm, an appended rule takes precedence over any earlier rule that matches the same packet once the set becomes active, so appending a permissive rule can silently override an existing block rule. The exception is the quick keyword: if a packet matches a rule that contains quick, the action for that rule is taken, and no subsequent rules are checked.


Example 25–7 Appending Rules to the Inactive Rule Set

The following example shows how to add a rule to the inactive rule set from a file.


# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all
# ipf -I -f /etc/ipf/ipf.conf
# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all
block in log quick from 10.0.0.0/8 to any
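The two append procedures above both hinge on the “last matching rule” ordering, and the consequence is easy to get wrong: a rule appended with ipf -f sits after everything else, so a broad pass rule overrides every earlier block rule that lacks quick. The following script is an added example, not part of the Solaris documentation or of Solaris IP Filter itself: a small evaluator for a subset of ipf.conf syntax that predicts the verdict for a given packet under exactly that ordering, so the effect of an append can be checked before a live rule set is touched. The rule sets and packets are constructed (RULES_A mirrors Example 25–6); ports, TCP flags, state tracking and other options are not modelled, and it is a planning aid, not a substitute for testing on the host.

```shell
#!/bin/sh
# Added example; not part of the Solaris documentation or of Solaris IP Filter.
# Applies the "last matching rule wins, unless an earlier matching rule says
# quick" ordering to a rule set, so the effect of appending rules with
# "ipf -f" can be predicted before touching a live host.
#
# Supported rule shape (a subset of ipf.conf syntax, sufficient for the
# examples on this page):
#   pass|block in|out [log] [quick] [on IFACE] [proto PROTO] from SRC to DST
#   pass|block in|out [log] [quick] [on IFACE] [proto PROTO] all
# SRC and DST are an IPv4 address, a CIDR prefix, or "any".

# Dotted-quad IPv4 address to integer.
ip2int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( a * 16777216 + b * 65536 + c * 256 + d )); }
}

# cidr_match ADDR PREFIX: true when ADDR is inside PREFIX (or PREFIX is any).
cidr_match() {
  [ "$2" = any ] && return 0
  net=${2%/*}
  bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32          # bare address: treat as /32
  mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# evaluate RULES DIR IFACE PROTO SRC DST: prints the verdict for one packet.
# A packet that matches no rule is passed, which is Solaris IP Filter's
# default and the reason an empty rule set is dangerous.
evaluate() {
  rules=$1; pdir=$2; piface=$3; pproto=$4; psrc=$5; pdst=$6
  verdict=pass
  while read -r line; do
    line=${line%%#*}                      # drop comments
    set -- $line
    [ $# -eq 0 ] && continue              # blank line
    action=$1; rdir=$2; shift 2
    quick=0; riface=any; rproto=any; rsrc=any; rdst=any
    while [ $# -gt 0 ]; do
      case $1 in
        log)   shift ;;
        quick) quick=1; shift ;;
        on)    riface=$2; shift 2 ;;
        proto) rproto=$2; shift 2 ;;
        from)  rsrc=$2; shift 2 ;;
        to)    rdst=$2; shift 2 ;;
        all)   shift ;;
        *)     echo "unsupported token: $1" >&2; return 2 ;;
      esac
    done
    [ "$rdir" = "$pdir" ] || continue
    [ "$riface" = any ] || [ "$riface" = "$piface" ] || continue
    [ "$rproto" = any ] || [ "$rproto" = "$pproto" ] || continue
    cidr_match "$psrc" "$rsrc" || continue
    cidr_match "$pdst" "$rdst" || continue
    verdict=$action                       # last match so far wins ...
    [ "$quick" = 1 ] && break             # ... unless it says quick
  done <<EOF
$rules
EOF
  echo "$verdict"
}

# Constructed rule sets.  RULES_A is the active set shown in Example 25-6.
RULES_A='block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any'

# The block rule without quick, then a broad pass rule appended as an
# "ipf -f" append would do: last match wins, so the append opens the host.
RULES_B='block in on dmfe1 proto tcp from 10.1.1.1/32 to any
pass in on dmfe1 all'

# With quick on the block rule the later pass rule is never consulted.
RULES_C='block in quick on dmfe1 proto tcp from 10.1.1.1/32 to any
pass in on dmfe1 all'

echo "RULES_A, tcp from 10.1.1.1 in on dmfe1: $(evaluate "$RULES_A" in dmfe1 tcp 10.1.1.1 192.0.2.10)"
echo "RULES_B, same packet:                   $(evaluate "$RULES_B" in dmfe1 tcp 10.1.1.1 192.0.2.10)"
echo "RULES_C, same packet:                   $(evaluate "$RULES_C" in dmfe1 tcp 10.1.1.1 192.0.2.10)"
```

The practical rule that falls out of RULES_B versus RULES_C: when a block rule must hold regardless of what gets appended later, give it quick; and before appending with ipf -f, run the candidate rule set through a check like this for the packets the block rule is meant to stop.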

How to Switch Between Active and Inactive Packet Filtering Rule Sets

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Switch the active and inactive rule sets.


    # ipf -s
    

    This command enables you to switch between the active and inactive rule sets in the kernel. Note that if the inactive rule set is empty, there is no packet filtering.


Example 25–8 Switching Between the Active and Inactive Packet Filtering Rule Sets

The following example shows how using the ipf -s command results in the inactive rule set becoming the active rule set and the active rule set becoming the inactive rule set.


How to Remove an Inactive Packet Filtering Rule Set From the Kernel

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Specify the inactive rule set in the “flush all” command.


    # ipf -I -Fa
    

    This command flushes the inactive rule set from the kernel.


    Note –

    If you subsequently run ipf -s, the empty inactive rule set will become the active rule set. An empty active rule set means that no filtering will be done.



Example 25–9 Removing an Inactive Packet Filtering Rule Set From the Kernel

The following example shows how to flush the inactive packet filtering rule set so that all rules have been removed.


# ipfstat -I -io
empty list for inactive ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any
# ipf -I -Fa
# ipfstat -I -io
empty list for inactive ipfilter(out)
empty list for inactive ipfilter(in)
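The procedures above (activating a different rule set, appending to the inactive set, switching with ipf -s, and flushing the inactive set) combine into a safer way to roll out a new rule set than ipf -Fa -f on the active set: load the new rules into the inactive set, inspect them with ipfstat -I -io, swap with ipf -s, and keep the old rules in the kernel as the inactive set so a second ipf -s rolls back. The following script is an added example, not part of the Solaris documentation or of Solaris IP Filter itself. It refuses a rule file that is empty after comments, because the note above is literal: swapping in an empty set turns filtering off. Commands run only when IPF_RUN=1 on a host that has ipf; otherwise they are printed, so the sequence can be rehearsed anywhere. The rule file contents and interface names are constructed.

```shell
#!/bin/sh
# Added example; not part of the Solaris documentation or of Solaris IP Filter.
# Replaces the active packet filtering rule set without a window in which
# the host is unfiltered: the new rules go into the INACTIVE set first, are
# inspected there, and are then swapped in with "ipf -s".  The previous
# rules remain in the kernel as the inactive set, so one more "ipf -s" rolls
# back.  This avoids "ipf -D" and "svcadm restart network/ipfilter", which
# both drop the firewall before the new rules are loaded.
#
# Commands are executed only when IPF_RUN=1 (as root on a host with ipf);
# otherwise they are printed, so the sequence can be rehearsed anywhere.

ipf_cmd() {
  if [ "${IPF_RUN:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi
}

# A file with no rules must never be swapped in: an empty active rule set
# means no filtering.
has_rules() {
  [ -n "$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1")" ]
}

# stage_and_swap FILE: load FILE into the inactive set, show it, swap it in.
stage_and_swap() {
  f=$1
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  has_rules "$f" || { echo "refusing to stage $f: it contains no rules" >&2; return 1; }
  ipf_cmd ipf -I -Fa -f "$f" || return 1   # flush the inactive set, load FILE into it
  ipf_cmd ipfstat -I -io     || return 1   # review what is about to become active
  ipf_cmd ipf -s             || return 1   # swap: inactive becomes active, and vice versa
  ipf_cmd ipfstat -io                      # confirm the new active set
}

# rollback: swap the previous rule set back in.  Only valid until the next
# "ipf -I -Fa", which discards it.
rollback() {
  ipf_cmd ipf -s
}

# Stand-alone dry run: stage a constructed rule file, roll back, and show
# that an empty file is rejected.
demo=$(mktemp -d)
cat > "$demo/new.conf" <<'EOF'
block in log quick from 10.0.0.0/8 to any
block in quick on dmfe1 from 192.168.0.0/16 to any
EOF
echo "--- staged replacement"
stage_and_swap "$demo/new.conf"
echo "--- rollback"
rollback
printf '# nothing here yet\n' > "$demo/empty.conf"
echo "--- empty file"
stage_and_swap "$demo/empty.conf" || echo "(rejected, exit status $?)"
rm -rf "$demo"
```

NAT rules are not covered by the swap: ipnat has no inactive set on this page, so a NAT change is still ipnat -C followed by ipnat -f, and should be done separately from the packet filtering swap.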

Managing NAT Rules for Solaris IP Filter

Use the following procedures to manage, view, and modify NAT rules.

How to View Active NAT Rules

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the active NAT rules.


    # ipnat -l
    

Example 25–10 Viewing Active NAT Rules

The following example shows the output from the active NAT rules set.


# ipnat -l
List of active MAP/Redirect filters:
map dmfe0 192.168.1.0/24 -> 20.20.20.1/32

List of active sessions:

How to Remove NAT Rules

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Remove the current NAT rules.


    # ipnat -C
    

Example 25–11 Removing NAT Rules

The following example shows how to remove the entries in the current NAT rules.


# ipnat -l
List of active MAP/Redirect filters:
map dmfe0 192.168.1.0/24 -> 20.20.20.1/32

List of active sessions:
# ipnat -C
1 entries flushed from NAT list
# ipnat -l
List of active MAP/Redirect filters:

List of active sessions:

How to Append Rules to the NAT Rules

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use one of the following methods to append rules to the active rule set:

    • Append rules to the NAT rule set at the command line using the ipnat -f - command.


      # echo "map dmfe0 192.168.1.0/24 -> 20.20.20.1/32" | ipnat -f -
      
    • Perform the following commands:

      1. Create additional NAT rules in a file of your choice.

      2. Add the rules you have created to the active NAT rules.


        # ipnat -f filename
        

        The rules in filename are added to the end of the NAT rules.


Example 25–12 Appending Rules to the NAT Rule Set

The following example shows how to add a rule to the NAT rule set from the command line.


# ipnat -l
List of active MAP/Redirect filters:

List of active sessions:
# echo "map dmfe0 192.168.1.0/24 -> 20.20.20.1/32" | ipnat -f -
# ipnat -l
List of active MAP/Redirect filters:
map dmfe0 192.168.1.0/24 -> 20.20.20.1/32

List of active sessions:

Managing Address Pools for Solaris IP Filter

Use the following procedures to manage, view, and modify address pools.

How to View Active Address Pools

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the active address pool.


    # ippool -l
    

Example 25–13 Viewing the Active Address Pool

The following example shows how to view the contents of the active address pool.


# ippool -l
table role = ipf type = tree number = 13
        { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };

How to Remove an Address Pool

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Remove the entries in the current address pool.


    # ippool -F
    

Example 25–14 Removing an Address Pool

The following example shows how to remove an address pool.


# ippool -l
table role = ipf type = tree number = 13
        { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };
# ippool -F
1 object flushed
# ippool -l

How to Append Rules to an Address Pool

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use one of the following methods to append rules to the active rule set:

    • Append rules to the rule set at the command line using the ippool -f - command.


      # echo "table role = ipf type = tree number = 13 
      {10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24};" | ippool -f -
      
    • Perform the following commands:

      1. Create additional address pools in a file of your choice.

      2. Add the rules you have created to the active address pool.


        # ippool -f filename
        

        The rules in filename are added to the end of the active address pool.


Example 25–15 Appending Rules to an Address Pool

The following example shows how to add an address pool to the address pool rule set from the command line.


# ippool -l
table role = ipf type = tree number = 13
        { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };
# echo "table role = ipf type = tree number = 100
 {10.0.0.0/32, 172.16.1.2/32, 192.168.1.0/24};" | ippool -f -
# ippool -l
table role = ipf type = tree number = 100
        { 10.0.0.0/32, 172.16.1.2/32, 192.168.1.0/24; };
table role = ipf type = tree number = 13
        { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };

Displaying Statistics and Information for Solaris IP Filter

Table 25–4 Displaying Solaris IP Filter Statistics and Information (Task Map)

Task: View state tables.
Description: View state tables to obtain information about packet filtering using the ipfstat command.
For Instructions: How to View State Tables for Solaris IP Filter

Task: View state statistics.
Description: View statistics on packet state information using the ipfstat -s command.
For Instructions: How to View State Statistics for Solaris IP Filter

Task: View NAT statistics.
Description: View NAT statistics using the ipnat -s command.
For Instructions: How to View NAT Statistics for Solaris IP Filter

Task: View address pool statistics.
Description: View address pool statistics using the ippool -s command.
For Instructions: How to View Address Pool Statistics for Solaris IP Filter

How to View State Tables for Solaris IP Filter

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the state table.


    # ipfstat
    

    Note –

    You can use the -t option to view the state table in the top utility format.



Example 25–16 Viewing State Tables for Solaris IP Filter

The following example shows how to view a state table.


# ipfstat
bad packets:            in 0    out 0
 input packets:         blocked 160 passed 11 nomatch 1 counted 0 short 0
output packets:         blocked 0 passed 13681 nomatch 6844 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0
fragment state(out):    kept 0  lost 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  152     (out):  6837
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  0       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      14341469
Packet log flags set: (0)
        none
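The counters in the ipfstat output above are cumulative since the filter was loaded, so on their own they say little; what matters operationally is how much they move between two samples. The following script is an added example, not part of the Solaris documentation or of Solaris IP Filter itself: it extracts named counters from ipfstat output and compares two samples, raising an alert when blocked inbound packets jump past a threshold, when inbound state entries are reported lost, or when malformed packets appear. The two samples are constructed to resemble Example 25–16 (the second one with a burst of blocked traffic), and the threshold of 1000 is an assumption; on a live host capture the samples with $(ipfstat) some interval apart.

```shell
#!/bin/sh
# Added example; not part of the Solaris documentation or of Solaris IP Filter.
# Pulls the counters out of "ipfstat" output and compares two samples, so a
# surge in blocked inbound packets, state entries that could not be kept, or
# malformed packets can raise an alert.  The two samples below are
# constructed; on a live host capture them with "$(ipfstat)" some interval
# apart.  The threshold is an assumption.

SNAP_T0='bad packets:            in 0    out 0
 input packets:         blocked 160 passed 11 nomatch 1 counted 0 short 0
output packets:         blocked 0 passed 13681 nomatch 6844 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0'

SNAP_T1='bad packets:            in 3    out 0
 input packets:         blocked 4210 passed 40 nomatch 1 counted 0 short 2
output packets:         blocked 0 passed 13900 nomatch 6850 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
packet state(in):       kept 12  lost 7
packet state(out):      kept 30  lost 0'

# counter SAMPLE LABEL FIELD: the integer that follows FIELD on the line
# whose label is LABEL, e.g. counter "$SNAP_T0" "input packets" blocked
counter() {
  printf '%s\n' "$1" | awk -v label="$2" -v field="$3" '
    { line = $0; sub(/^ +/, "", line) }           # ipfstat indents some labels
    index(line, label ":") == 1 {
      for (i = 1; i < NF; i++) if ($i == field) { print $(i + 1); exit }
    }'
}

# delta OLD NEW LABEL FIELD: how much the counter grew between two samples.
delta() {
  echo $(( $(counter "$2" "$3" "$4") - $(counter "$1" "$3" "$4") ))
}

# check_samples OLD NEW BLOCKED_THRESHOLD: print findings; non-zero if any.
check_samples() {
  rc=0
  blocked=$(delta "$1" "$2" "input packets" blocked)
  if [ "$blocked" -ge "$3" ]; then
    echo "ALERT: $blocked inbound packets blocked since the last sample (threshold $3)"; rc=1
  fi
  lost=$(delta "$1" "$2" "packet state(in)" lost)
  if [ "$lost" -gt 0 ]; then
    echo "ALERT: $lost inbound state entries lost; check 'ipfstat -s' for state table pressure"; rc=1
  fi
  bad=$(delta "$1" "$2" "bad packets" in)
  if [ "$bad" -gt 0 ]; then
    echo "WARN: $bad malformed inbound packets"; rc=1
  fi
  return $rc
}

# Stand-alone run against the constructed samples.
if check_samples "$SNAP_T0" "$SNAP_T1" 1000; then
  echo "no findings"
fi
```

Because the counters reset when the filter is reloaded, a negative delta means ipf was restarted between samples; a monitoring job should treat that as its own signal rather than silently clamp it.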

How to View State Statistics for Solaris IP Filter

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the state statistics.


    # ipfstat -s
    

Example 25–17 Viewing State Statistics for Solaris IP Filter

The following example shows how to view state statistics.


# ipfstat -s
IP states added:
        0 TCP
        0 UDP
        0 ICMP
        0 hits
        0 misses
        0 maximum
        0 no memory
        0 max bucket
        0 active
        0 expired
        0 closed
State logging enabled

State table bucket statistics:
        0 in use        
        0.00% bucket usage
        0 minimal length
        0 maximal length
        0.000 average length

How to View NAT Statistics for Solaris IP Filter

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View NAT statistics.


    # ipnat -s
    

Example 25–18 Viewing NAT Statistics for Solaris IP Filter

The following example shows how to view NAT statistics.


# ipnat -s
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   1
wilds   0

Procedure: How to View Address Pool Statistics for Solaris IP Filter

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View address pool statistics.


    # ippool -s
    

Example 25–19 Viewing Address Pool Statistics for Solaris IP Filter

The following example shows how to view address pool statistics.


# ippool -s
Pools:  3
Hash Tables:    0
Nodes:  0

Working With Log Files for Solaris IP Filter

Table 25–5 Working With Solaris IP Filter Log Files (Task Map)

Task 

Description 

For Instructions 

Create a log file. 

Create a separate Solaris IP filter log file. 

How to Set Up a Log File for Solaris IP Filter

View log files. 

View state, NAT, and normal log files using the ipmon command.

How to View Solaris IP Filter Log Files

Flush the packet log buffer. 

Remove the contents of the packet log buffer using the ipmon -F command.

How to Flush the Packet Log File

Save logged packets to a file. 

Save logged packets to a file for later reference. 

How to Save Logged Packets to a File

Procedure: How to Set Up a Log File for Solaris IP Filter

By default, all log information for Solaris IP Filter is recorded by syslogd in the default system log file. You should set up a separate log file so that Solaris IP Filter traffic information is kept apart from the other data that is logged to the default file. Perform the following steps.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Edit the /etc/syslog.conf file by adding the following two lines:


    # Save IPFilter log output to its own file 
    local0.debug             /var/log/log-name
    

    Note –

    On the second line, make sure to use the Tab key, not the Spacebar, to separate local0.debug from /var/log/log-name.


  3. Create the new log file.


    # touch /var/log/log-name
    
  4. Restart the system-log service.


    # svcadm restart system-log
    

Example 25–20 Creating a Solaris IP Filter Log

The following example shows how to create ipmon.log to archive IP filter information.

In /etc/syslog.conf:


# Save IPFilter log output to its own file 
local0.debug             /var/log/ipmon.log

At the command line:


# touch /var/log/ipmon.log
# svcadm restart system-log
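As an added check that is not part of this guide, the following Python code scans /etc/syslog.conf text for local0 entries and reports whether the selector and the log file path are separated by a Tab, as the note above requires. The configuration text is a constructed sample containing one correct and one incorrect entry.

```python
import re

# Constructed sample of /etc/syslog.conf content: the first entry uses a Tab,
# the second uses spaces (the mistake the note in the procedure warns about).
SAMPLE_SYSLOG_CONF = (
    "# Save IPFilter log output to its own file\n"
    "local0.debug\t/var/log/ipmon.log\n"
    "local0.debug             /var/log/other.log\n"
)

def check_ipfilter_syslog_entries(conf_text):
    """Return a list of (line_number, selector, action, ok) for every
    local0.* entry. ok is False when the selector and the action are
    separated by spaces instead of a Tab, which syslogd does not accept."""
    results = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        # Skip blank lines and comments; only local0 selectors are of interest.
        if not stripped or stripped.startswith("#"):
            continue
        if not stripped.startswith("local0."):
            continue
        # Split on the first run of whitespace, whatever characters it holds.
        m = re.match(r"(\S+)(\s+)(\S+)", stripped)
        if not m:
            results.append((lineno, stripped, None, False))
            continue
        selector, separator, action = m.groups()
        results.append((lineno, selector, action, "\t" in separator))
    return results

def bad_entries(conf_text):
    """Line numbers of local0 entries that would be rejected by syslogd."""
    return [lineno for lineno, _, _, ok in check_ipfilter_syslog_entries(conf_text) if not ok]
```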

Procedure: How to View Solaris IP Filter Log Files

Before You Begin

You should create a separate log file to record Solaris IP Filter data. Refer to How to Set Up a Log File for Solaris IP Filter.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the state, NAT, or normal log files. To view a log file, type the following command, using the appropriate option:


    # ipmon -o [S|N|I] filename
    
    S

    Displays the state log file.

    N

    Displays the NAT log file.

    I

    Displays the normal IP log file.

    To view all state, NAT, and normal log files, use all the options:


    # ipmon -o SNI filename
    
    • Provided that you have manually stopped the ipmon daemon first, you can also use the following command to display state, NAT, and Solaris IP filter log files:


      # ipmon -a filename
      

      Note –

      Do not use the ipmon -a syntax if the ipmon daemon is still running. Normally, the daemon is automatically started during system boot. Issuing the ipmon -a command also opens another copy of ipmon. In such a case, both copies read the same log information, and only one gets a particular log message.


    For more information about viewing log files, see the ipmon(1M) man page.


Example 25–21 Viewing Solaris IP Filter Log Files

The following example shows the output from /var/ipmon.log.


# ipmon -o SNI /var/ipmon.log
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 
129.146.157.145 PR icmp len 20 84 icmp echo/0 IN

or


# pkill ipmon
# ipmon -aD /var/ipmon.log
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 
129.146.157.145 PR icmp len 20 84 icmp echo/0 IN

Procedure: How to Flush the Packet Log File

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Flush the packet log buffer.


    # ipmon -F
    

Example 25–22 Flushing the Packet Log File

The following example shows the output when the packet log buffer is flushed. The system provides a report even when nothing is stored in the buffer, as in this example.


# ipmon -F
0 bytes flushed from log buffer
0 bytes flushed from log buffer
0 bytes flushed from log buffer

Procedure: How to Save Logged Packets to a File

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Save the logged packets to a file.


    # cat /dev/ipl > filename
    

    Continue logging packets to the filename file until you interrupt the procedure by typing Control-C to get the command line prompt back.


Example 25–23 Saving Logged Packets to a File

The following example shows the result when logged packets are saved to a file.


# cat /dev/ipl > /tmp/logfile
^C#

# ipmon -f /tmp/logfile
02/09/2004 15:30:28.708294 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 52 -S IN
02/09/2004 15:30:28.708708 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.792611 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 70 -AP IN
02/09/2004 15:30:28.872000 hme0 @0:1 p 129.146.157.149,33923 -> 
 129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.872142 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 43 -AP IN
02/09/2004 15:30:28.872808 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.872951 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 47 -AP IN
02/09/2004 15:30:28.926792 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN 
.
.
(output truncated)
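The ipmon records shown in Examples 25-21 and 25-23 can be parsed for review. The following Python code is an added example, not part of this guide: it parses constructed records in the same text format (each record joined onto a single line) and counts blocked packets per rule and per source address. It assumes the action letter is p for a passed packet and b for a blocked packet.

```python
import re
from collections import Counter

# Constructed sample records in the ipmon(1M) text format shown above; the
# guide wraps each record over two lines for display, they are joined here.
SAMPLE_IPMON_LOG = """\
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 129.146.157.145 PR icmp len 20 84 icmp echo/0 IN
02/09/2004 15:30:28.708294 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 52 -S IN
02/09/2004 15:30:28.708708 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:31:02.100000 hme0 @0:3 b 192.168.1.15,40000 -> 129.146.157.145,6000 PR tcp len 20 60 -S IN
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?P<extra>.*?) (?P<dir>IN|OUT)\s*$"
)

def split_addr(field):
    """'129.146.157.149,33923' -> ('129.146.157.149', 33923); no port -> None."""
    host, _, port = field.partition(",")
    return host, (int(port) if port else None)

def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon record, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["sport"] = split_addr(rec["src"])
    rec["dst"], rec["dport"] = split_addr(rec["dst"])
    for key in ("group", "rule", "hlen", "plen"):
        rec[key] = int(rec[key])
    # TCP records carry flags such as -S, -A, -AP after the lengths; other
    # protocols carry other text there (for example "icmp echo/0").
    extra = rec.pop("extra").strip()
    rec["tcp_flags"] = extra[1:] if rec["proto"] == "tcp" and extra.startswith("-") else None
    # Assumption: the action letter is "p" for passed and "b" for blocked.
    rec["blocked"] = rec["action"] == "b"
    return rec

def summarize_blocked(log_text):
    """Count blocked packets per rule (@group:rule) and per source address."""
    by_rule, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec is None or not rec["blocked"]:
            continue
        by_rule["@%d:%d" % (rec["group"], rec["rule"])] += 1
        by_src[rec["src"]] += 1
    return by_rule, by_src
```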

Creating and Editing Solaris IP Filter Configuration Files

You must directly edit the configuration files to create and modify rule sets and address pools. Configuration files follow standard UNIX syntax rules:

Procedure: How to Create a Configuration File for Solaris IP Filter

The following procedure describes how to set up the following:

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the file editor of your choice. Create or edit the configuration file for the feature you want to configure.

    • To create a configuration file for packet filtering rules, edit the ipf.conf file.

      Solaris IP Filter uses the packet filtering rules that you put into the ipf.conf file. If you locate the rules file for packet filtering at /etc/ipf/ipf.conf, this file is loaded when the system is booted. If you do not want the filtering rules to be loaded at boot time, put the rules in a file of your choice. You can then activate the rules with the ipf command, as described in How to Activate a Different or Updated Packet Filtering Rule Set.

      See Using Solaris IP Filter's Packet Filtering Feature for information about creating packet filtering rules.


      Note –

      If the ipf.conf file is empty, there is no filtering. An empty ipf.conf file is the same as having a rule set that reads:


      pass in all
      pass out all

    • To create a configuration file for NAT rules, edit the ipnat.conf file.

      Solaris IP Filter uses the NAT rules that you put into the ipnat.conf file. If you locate the rules file for NAT at /etc/ipf/ipnat.conf, this file is loaded when the system is booted. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice. You can then activate the NAT rules with the ipnat command.

      See Using Solaris IP Filter's NAT Feature for information about creating rules for NAT.

    • To create a configuration file for address pools, edit the ippool.conf file.

      Solaris IP Filter uses the pool of addresses that you put into the ippool.conf file. If you locate the rules file for the pool of addresses at /etc/ipf/ippool.conf, this file is loaded when the system is booted. If you do not want the pool of addresses loaded at boot time, put the ippool.conf file in a location of your choice. You can then activate the pool of addresses with the ippool command.

      See Using Solaris IP Filter's Address Pools Feature for information about creating address pools.

Solaris IP Filter Configuration File Examples

The following examples provide an illustration of packet filtering rules used in filtering configurations.


Example 25–24 Solaris IP Filter Host Configuration

This example shows a configuration on a host machine with an elxl network interface.


# pass and log everything by default
pass in log on elxl0 all
pass out log on elxl0 all

# block, but don't log, incoming packets from other reserved addresses
block in quick on elxl0 from 10.0.0.0/8 to any
block in quick on elxl0 from 172.16.0.0/12 to any

# block and log untrusted internal IPs. 0/32 is notation that replaces 
# address of the machine running Solaris IP Filter.
block in log quick from 192.168.1.15 to <thishost>
block in log quick from 192.168.1.43 to <thishost>

# block and log X11 (port 6000) and remote procedure call 
# and portmapper (port 111) attempts
block in log quick on elxl0 proto tcp from any to elxl0/32 port = 6000 keep state
block in log quick on elxl0 proto tcp/udp from any to elxl0/32 port = 111 keep state

This rule set begins with two unrestricted rules that allow everything to pass into and out of the elxl0 interface and log it. The second set of rules blocks, without logging, incoming packets from the private address spaces 10.0.0.0/8 and 172.16.0.0/12. The next set of rules blocks and logs packets from specific internal addresses that are not trusted to reach the host. Finally, the last set of rules blocks and logs incoming TCP connection attempts to port 6000 (X11) and TCP or UDP attempts to port 111 (portmapper).



Example 25–25 Solaris IP Filter Server Configuration

This example shows a configuration for a host machine acting as a web server. This machine has an eri network interface.


# web server with an eri interface
# block and log everything by default; then allow specific services
# group 100 - inbound rules
# group 200 - outbound rules
# (0/32) resolves to our IP address)
*** FTP proxy ***


# block short packets which are packets fragmented too short to be real.
block in log quick all with short


# block and log inbound and outbound by default, group by destination
block in log on eri0 from any to any head 100
block out log on eri0 from any to any head 200


# web rules that get hit most often
pass in quick on eri0 proto tcp from any \
to eri0/32 port = http flags S keep state group 100
pass in quick on eri0 proto tcp from any \
to eri0/32 port = https flags S keep state group 100


# inbound traffic - ssh, auth
pass in quick on eri0 proto tcp from any \
to eri0/32 port = 22 flags S keep state group 100
pass in log quick on eri0 proto tcp from any \
to eri0/32 port = 113 flags S keep state group 100
pass in log quick on eri0 proto tcp from any port = 113 \
to eri0/32 flags S keep state group 100


# outbound traffic - DNS, auth, NTP, ssh, WWW, smtp
pass out quick on eri0 proto tcp/udp from eri0/32 \
to any port = domain flags S keep state group 200
pass in quick on eri0 proto udp from any port = domain to eri0/32 group 100

pass out quick on eri0 proto tcp from eri0/32 \
to any port = 113 flags S keep state group 200
pass out quick on eri0 proto tcp from eri0/32 port = 113 \
to any flags S keep state group 200

pass out quick on eri0 proto udp from eri0/32 to any port = ntp group 200
pass in quick on eri0 proto udp from any port = ntp to eri0/32 port = ntp group 100

pass out quick on eri0 proto tcp from eri0/32 \
to any port = ssh flags S keep state group 200

pass out quick on eri0 proto tcp from eri0/32 \
to any port = http flags S keep state group 200
pass out quick on eri0 proto tcp from eri0/32 \
to any port = https flags S keep state group 200

pass out quick on eri0 proto tcp from eri0/32 \
to any port = smtp flags S keep state group 200


# pass icmp packets in and out
pass in quick on eri0 proto icmp from any to eri0/32  keep state group 100
pass out quick on eri0 proto icmp from eri0/32 to any keep state group 200


# block and ignore NETBIOS packets
block in quick on eri0 proto tcp from any \
to any port = 135 flags S keep state group 100

block in quick on eri0 proto tcp from any port = 137 \
to any flags S keep state group 100
block in quick on eri0 proto udp from any to any port = 137 group 100
block in quick on eri0 proto udp from any port = 137 to any group 100

block in quick on eri0 proto tcp from any port = 138 \
to any flags S keep state group 100
block in quick on eri0 proto udp from any port = 138 to any group 100

block in quick on eri0 proto tcp from any port = 139 \
to any flags S keep state group 100
block in quick on eri0 proto udp from any port = 139 to any group 100


Example 25–26 Solaris IP Filter Router Configuration

This example shows a configuration for a router that has an internal interface, ce0, and an external interface, ce1.


# internal interface is ce0 at 192.168.1.1
# external interface is ce1 IP obtained via DHCP
# block all packets and allow specific services
*** NAT ***
*** POOLS ***


# Short packets which are fragmented too short to be real.
block in log quick all with short


# By default, block and log everything.
block in log on ce0 all
block in log on ce1 all
block out log on ce0 all
block out log on ce1 all


# Packets going in/out of network interfaces that aren't on the loopback
# interface should not exist.
block in log quick on ce0 from 127.0.0.0/8 to any
block in log quick on ce0 from any to 127.0.0.0/8
block in log quick on ce1 from 127.0.0.0/8 to any
block in log quick on ce1 from any to 127.0.0.0/8


# Deny reserved addresses.
block in quick on ce1 from 10.0.0.0/8 to any
block in quick on ce1 from 172.16.0.0/12 to any
block in log quick on ce1 from 192.168.1.0/24 to any
block in quick on ce1 from 192.168.0.0/16 to any


# Allow internal traffic
pass in quick on ce0 from 192.168.1.0/24 to 192.168.1.0/24
pass out quick on ce0 from 192.168.1.0/24 to 192.168.1.0/24


# Allow outgoing DNS requests from our servers on .1, .2, and .3
pass out quick on ce1 proto tcp/udp from ce1/32 to any port = domain keep state
pass in quick on ce0 proto tcp/udp from 192.168.1.2 to any port = domain keep state
pass in quick on ce0 proto tcp/udp from 192.168.1.3 to any port = domain keep state


# Allow NTP from any internal hosts to any external NTP server.
pass in quick on ce0 proto udp from 192.168.1.0/24 to any port = 123 keep state
pass out quick on ce1 proto udp from any to any port = 123 keep state


# Allow incoming mail
pass in quick on ce1 proto tcp from any to ce1/32 port = smtp keep state
pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = smtp keep state


# Allow outgoing connections: SSH, WWW, NNTP, mail, whois
pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = 22 keep state
pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = 22 keep state

pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = 80 keep state
pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = 80 keep state
pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = 443 keep state
pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = 443 keep state

pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = nntp keep state
block in quick on ce1 proto tcp from any to any port = nntp keep state
pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = nntp keep state

pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = smtp keep state

pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = whois keep state
pass out quick on ce1 proto tcp from any to any port = whois keep state


# Allow ssh from offsite
pass in quick on ce1 proto tcp from any to ce1/32 port = 22 keep state


# Allow ping out
pass in quick on ce0 proto icmp all keep state
pass out quick on ce1 proto icmp all keep state


# allow auth out
pass out quick on ce1 proto tcp from ce1/32 to any port = 113 keep state
pass out quick on ce1 proto tcp from ce1/32 port = 113 to any keep state


# return rst for incoming auth
block return-rst in quick on ce1 proto tcp from any to any port = 113 flags S/SA


# log and return reset for any TCP packets with S/SA
block return-rst in log on ce1 proto tcp from any to any flags S/SA


# return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all
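As an added example that is not part of this guide, the following Python code reads rules written in the ipf.conf syntax of Examples 25-24 to 25-26: it joins backslash continuations, strips comments, reports exact duplicate rules, and lists the interface and direction pairs that are used by some rule but have no catch-all default rule (the block ... all rules these examples begin with). The rule text is a constructed excerpt.

```python
import re
from collections import Counter

# Constructed excerpt in the syntax of Example 25-26, with one rule repeated,
# one continuation line, and one interface/direction that has no default rule.
SAMPLE_RULES = """\
# By default, block and log everything.
block in log on ce0 all
block in log on ce1 all
block out log on ce1 all
# Allow incoming mail
pass in quick on ce1 proto tcp from any to ce1/32 port = smtp keep state
pass in quick on ce1 proto tcp from any to ce1/32 port = smtp keep state
pass out quick on ce1 proto tcp from 192.168.1.0/24 \\
    to any port = smtp keep state
pass out quick on ce0 from 192.168.1.0/24 to 192.168.1.0/24
"""

# Action, direction, and the interface named after "on".
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\b.*?\bon\s+(\S+)")

def load_rules(text):
    """Join backslash continuations, drop comments and blank lines, normalize spacing."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = " ".join((pending + line).split())
        pending = ""
        if line:
            rules.append(line)
    return rules

def find_duplicates(rules):
    """Rules that appear more than once after normalization."""
    return [rule for rule, n in Counter(rules).items() if n > 1]

def default_policy(rules):
    """Map (interface, direction) -> action of its catch-all rule ending in 'all'."""
    policy = {}
    for rule in rules:
        m = RULE_RE.match(rule)
        if m and rule.endswith(" all"):
            action, direction, iface = m.groups()
            policy[(iface, direction)] = action
    return policy

def missing_defaults(rules):
    """(interface, direction) pairs used by some rule but lacking a catch-all rule."""
    used = {(m.group(3), m.group(2)) for m in map(RULE_RE.match, rules) if m}
    return sorted(used - set(default_policy(rules)))
```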