Configuring the i-Planet Firewall Application

The firewall application is the only application in the i-Planet software that you configure and administer solely through the command-line user interface. It uses a special version of Sun Microsystems' proven firewall technology.

The fw.configure command is the command used to install and minimally configure the firewall application. You usually run this command as part of the installation procedure on the i-Planet gateway.

The commands for the i-Planet firewall application are located in /opt/SUNWsrfw/bin.

To Configure the i-Planet Firewall Application

1. As root, run the following command on the i-Planet gateway to bootstrap the firewall to a point where it can filter network packets:

   # fw.configure

2. Respond to the questions to activate and minimally configure the firewall.

   The fw.configure process initializes the firewall application.

3. Add or change rules as necessary to configure your firewall fully.

   By default, only packets coming from the external i-Planet gateway interface are examined and few rules are installed. fw.configure installs the following three default rules:

   1. Allow external access from the i-Planet gateway's Internet interface to the SSL port. (The default port number is 443.)

   2. Allow the i-Planet gateway access to anywhere.

   3. Allow routing information from the Internet interface on the i-Planet gateway to be updated.

      Everything that is not expressly allowed in these rules is denied.

4. Reboot the i-Planet gateway after the command fw.configure finishes running for the rules to take effect.

Administering the i-Planet Firewall Application

You must administer the firewall application as root (superuser). Before you can begin, ensure that the following directories are included in root's default path on the i-Planet gateway:

• /usr/bin

• /usr/sbin

You administer the i-Planet firewall application only from the command-line user interface. There are only three commands used to administer the firewall application:

• fw.activate

• fw.address

• fw.rule

Using fw.activate

This command turns the firewall application off or on. Turning the firewall application off means that it is no longer filtering inbound and outbound packets. Turning the firewall application on reactivates the rules that were active before it was turned off.

To Use fw.activate

1. As root, type one of the following :

   • To turn the firewall application off:

     # fw.activate off

   • To turn the firewall application on:

     # fw.activate on

Using fw.address

This command manipulates address definitions that the firewall application's packet filtering rules use. Use this command to:

• Add the IP address for a machine that is located on the Internet. When you add an IP address, you name it, e.g., sales_office_boston. You can also include a descriptive comment for the address that you are defining.

• Add a range of IP addresses for machines that are located on the Internet. You only need to specify the beginning IP address and the ending IP address of the range. You name this range when you define it. You can also include a descriptive comment for the range of addresses that you are defining.

• Add a list of IP address that consists of host addresses, ranges of addresses, and other address lists.

• Delete an address by IP address or by name from the address file.

• List a particular address by name or all the address that are currently defined in the address file.

Address Management

The firewall application identifies network elements--networks, subnetworks, and individual hosts--by mapping a named address object to one or more addresses. These address objects are used in defining the firewall application's network interfaces and as a source and destination addresses for rules. An address object can represent a single computer or a whole network. You can gather address objects representing individual and network addresses together to form address groups. The firewall application lets you define address objects that specifically include or exclude other address objects (single IP hosts and ranges of contiguous IP addresses).

Individual IP Addresses

The firewall application identifies an individual host by linking its unique IP address to an address object, which can use the name or IP address of the host.

To Add an Address

1. As root, type the following to add an address, for example:

   # fw.address add myhost HOST 1.1.1.1 "An example of an added \ address named myhost"

Address Ranges

An address range is a set of numerically contiguous IP addresses. Networks and subnetworks are typically identified by an address range name. You use the beginning and ending addresses to identify an IP address range.

To Add a Range of Addresses

1. As root, type the following to add a range of addresses, for example:

   # fw.address add mynet RANGE 1.1.1.1 1.1.1.5 "An example of a \ range of address named mynet"

   The range represents all the addresses inclusive between the address 1.1.1.1 and 1.1.1.5. It is named mynet.

To Delete an Address or a Range of Addresses

1. As root, type the following to delete the range of addresses that you have named myhome, for example:

   # fw.address delete myhome

To List an Address

1. As root, type the following to list a single name of an address or a range of addresses, for example:

   # fw.address list myhome

   The address range currently defined as myhome is listed.

To List All Addresses

1. As root, type the following to list all addresses currently defined:

   # fw.address list

   All addresses currently defined are listed.

Using fw.rule

This command uses various options to manipulate the firewall application's packet filtering rules. You can change the action or service or both by writing new rules, deleting old rules, and moving rules to the position that you want. Use fw.rule to:

• Add a rule with a new action (ALLOW or DENY) or a different service or both. ALLOW means permit the packet that meets the qualifications in the rule through. DENY means reject the packet. You also add new port numbers with this command.

• Delete a rule from the list of rules.

• List the ordered rules governing the firewall application or to list the interface that the firewall application is using.

• Move a rule from one position to another in the ordered list of rules, thus changing the order in which it will take effect.

Services and Service Groups

The basic firewall application is shipped with a number of predefined network services, such ftp, telnet, dns, and rsh, as well as predefined service groups.

Standard Services

Besides the basic services, every TCP/IP implementation provides services such as echo, discard, daytime, chargen, and time. Each service use a state engine, a sort of protocol checker. For example, the FTP state engine checks port numbers when the ftp service is being used.

Service Groups

In addition to the basics services, the basic firewall application is shipped with predefined service group. One such group, for example, is common services, which consists of tcp traffic on port 0 to 3850 or port 3855 to 65535, udp traffic on all ports, syslog, dns, rpc, nfs, icmp, route, ftp, rsh, real audio, pmap udp all, nis, archie, traceroute, and ping.

To List the Services

1. Type the following to list the services:

   # fw.rule list service

   You use this command with the option list service to list the available services and with the option list interface to list the interface that the firewall application is using.

To Add a Port

1. As root, type the following to add a new port:

   # fw.rule add ALLOW port-number from host to host

This rule allows to add a new port from a remote host to a local host. if a service is not defined, tcp is the service used. If the new port is not in the services file, it is added.

For example, if you use this rule to add port 3000 from a-remote-host to ALL, a new tcp service on port 30000 is added to the service table and the i-Planet gateway would accept communication on port 30000 from a named remote host.

Rules

The configurations for the basic firewall application are based on sets of ordered rules. The default rules that are installed with the basic firewall establish a security policy that works well with i-Planet. These rules specify the action to be taken for services between two addresses that are on different interfaces of the firewall.

To List the Rules

1. As root, type the following to list the rules:

   # fw.rule list rule

   The rules (in this case, the default rules) are listed in the order in which they examine incoming packets.

   1 ALLOW "ssl" from "le0" to "localhost" 2 ALLOW "common services" from "localhost" to "*" 3 ALLOW "rip" from "*" to "*"

To Add a Rule

1. As root, type the following to add a rule:

   # fw.rule add ALLOW service from host to host

This rule allows you to add a service from a named remote host to a local host. Use the list option to see the new list of rules.

To Delete a Rule

1. As root, type the following to delete a rule:

   # fw.rule delete 4

Rule number 4 is deleted. Use the list option to see the new list of rules.

To Move a Rule

1. As root, type the following to move a rule:

   # fw.rule move 5 4

Rules 5 and 4 are reordered. Use the list option to see the new ordering.