Oracle Solaris Administration: IP Services, Oracle Solaris 11 Information Library (Simplified Chinese)
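You must directly edit the configuration files to create and modify rule sets and address pools. Configuration files follow standard UNIX syntax rules:
The pound sign (#) indicates a line containing comments.
Rules and comments can coexist on the same line.
Extra white space is allowed to keep rules easy to read.
Rules can span more than one line. Use a backslash (\) at the end of a line to indicate that the rule continues on the next line.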
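The following procedure describes how to set up the following files:
Packet filtering configuration files
NAT rule configuration files
Address pool configuration files
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Initially Configuring RBAC (Task Map)" in Oracle Solaris Administration: Security Services.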
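To create a configuration file for packet filtering rules, edit the ipf.conf file.
IP Filter uses the packet filtering rules that you put in the ipf.conf file. If you place the packet filtering rules file in /etc/ipf/ipf.conf, this file is loaded when the system is booted. If you do not want the filtering rules to be loaded at boot time, put them in a file of your choice. You can then activate the rules with the ipf command, as described in How to Activate a Different or Updated Packet Filtering Rule Set.
For information about creating packet filtering rules, see Using IP Filter's Packet Filtering Feature.
Note - If the ipf.conf file is empty, there is no filtering. An empty ipf.conf file is the same as having the following rule set:

    pass in all
    pass out all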
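To create a configuration file for NAT rules, edit the ipnat.conf file.
IP Filter uses the NAT rules that you put in the ipnat.conf file. If you place the NAT rules file in /etc/ipf/ipnat.conf, this file is loaded when the system is booted. If you do not want the NAT rules to be loaded at boot time, put the ipnat.conf file in a location of your choice. You can then activate the NAT rules with the ipnat command.
For information about creating rules for NAT, see Using IP Filter's NAT Feature.
To create a configuration file for address pools, edit the ippool.conf file.
IP Filter uses the address pools that you put in the ippool.conf file. If you place the address pool rules file in /etc/ipf/ippool.conf, this file is loaded when the system is booted. If you do not want the address pools to be loaded at boot time, put the ippool.conf file in a location of your choice. You can then activate the address pools with the ippool command.
For information about creating address pools, see Using IP Filter's Address Pools Feature.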
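The syntax rules listed at the top of this page and the note about an empty ipf.conf, as an added example that is not part of the original Oracle documentation: a Python loader that strips comments, joins backslash continuations and collapses extra white space, then reports a rule set that filters nothing and rules that appear more than once. It handles only those syntax rules, not the full ipf grammar; the function names and the sample file are constructed for illustration.

```python
def load_rules(text):
    """Return the logical rules in an IP Filter configuration file."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comment text
        if line.endswith("\\"):                     # rule continues on next line
            pending += line[:-1] + " "
            continue
        rule = " ".join((pending + line).split())   # collapse extra white space
        pending = ""
        if rule:
            rules.append(rule)
    if pending.strip():
        raise ValueError("file ends inside a continued rule")
    return rules

def filters_nothing(rules):
    """True when the rule set is empty or only 'pass in all' / 'pass out all'."""
    return all(r in ("pass in all", "pass out all") for r in rules)

def duplicates(rules):
    """Rules that occur more than once after normalization, in file order."""
    seen, dups = set(), []
    for r in rules:
        if r in seen and r not in dups:
            dups.append(r)
        seen.add(r)
    return dups

# Constructed sample; the rules are copied from the examples on this page.
SAMPLE = """\
# web and mail rules
block in log quick all with short      # drop runt fragments
pass in quick on e1000g0 proto tcp from any \\
    to e1000g0/32 port = http flags S keep state group 100
pass in   quick on nge1 proto tcp from any to nge1/32 port = smtp keep state
pass in quick on nge1 proto tcp from any to nge1/32 port = smtp keep state
"""

if __name__ == "__main__":
    rules = load_rules(SAMPLE)
    state = "no filtering" if filters_nothing(rules) else "filtering active"
    print(len(rules), "rules;", state)
    for r in duplicates(rules):
        print("duplicate:", r)
```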
The following examples illustrate packet filtering rules used in filtering configurations.
Example 21-24 IP Filter Host Configuration
This example shows a configuration on a host machine with a bge network interface.

    # pass and log everything by default
    pass in log on bge0 all
    pass out log on bge0 all

    # block, but don't log, incoming packets from other reserved addresses
    block in quick on bge0 from 10.0.0.0/8 to any
    block in quick on bge0 from 172.16.0.0/12 to any

    # block and log untrusted internal IPs. 0/32 is notation that replaces
    # address of the machine running Solaris IP Filter.
    block in log quick from 192.168.1.15 to <thishost>
    block in log quick from 192.168.1.43 to <thishost>

    # block and log X11 (port 6000) and remote procedure call
    # and portmapper (port 111) attempts
    block in log quick on bge0 proto tcp from any to bge0/32 port = 6000 keep state
    block in log quick on bge0 proto tcp/udp from any to bge0/32 port = 111 keep state

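This rule set begins with two unrestricted rules that allow everything to pass into and out of the bge interface. The second set of rules blocks any incoming packets from the private address spaces 10.0.0.0 and 172.16.0.0 from entering the firewall. The next set of rules blocks specific internal addresses from the host machine. The last set of rules blocks packets coming in on port 6000 and port 111.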
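How the rule order in Example 21-24 produces its result, as an added example that is not part of the original Oracle documentation: IP Filter applies the last rule that matches a packet unless a matching rule carries quick, which ends the search. The Python sketch below evaluates only action, direction, quick, interface and source address; the function names, the test addresses and the two-rule variants are constructed for illustration.

```python
import ipaddress

# Subset of Example 21-24: the default pass rules and the reserved-range blocks.
EXAMPLE_21_24 = [
    "pass in log on bge0 all",
    "pass out log on bge0 all",
    "block in quick on bge0 from 10.0.0.0/8 to any",
    "block in quick on bge0 from 172.16.0.0/12 to any",
]

def parse(rule):
    """Pick out the only fields this sketch interprets."""
    t = rule.split()
    src = t[t.index("from") + 1] if "from" in t else "any"
    return {
        "action": t[0],
        "dir": t[1],
        "quick": "quick" in t,
        "iface": t[t.index("on") + 1] if "on" in t else None,
        "src": None if src == "any" else ipaddress.ip_network(src),
    }

def decide(rules, direction, iface, src_ip):
    """Return 'pass' or 'block' for one packet."""
    verdict = "pass"                  # nothing matched: same as an empty ipf.conf
    addr = ipaddress.ip_address(src_ip)
    for r in map(parse, rules):
        if r["dir"] != direction:
            continue
        if r["iface"] not in (None, iface):
            continue
        if r["src"] is not None and addr not in r["src"]:
            continue
        verdict = r["action"]         # a later match overrides an earlier one
        if r["quick"]:                # quick: stop here, this rule decides
            break
    return verdict

# Constructed variants: a block rule followed by a pass rule, without and with quick.
NO_QUICK = ["block in on bge0 from 10.0.0.0/8 to any", "pass in on bge0 all"]
WITH_QUICK = ["block in quick on bge0 from 10.0.0.0/8 to any", "pass in on bge0 all"]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.20.0.9", "198.51.100.7"):
        print(ip, decide(EXAMPLE_21_24, "in", "bge0", ip))
    print("no quick:", decide(NO_QUICK, "in", "bge0", "10.1.2.3"))
    print("quick:   ", decide(WITH_QUICK, "in", "bge0", "10.1.2.3"))
```

Without quick, the later pass rule overrides the block, which is why the block rules in Example 21-24 that follow the default pass rules all carry quick or would otherwise need to come last.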
Example 21-25 IP Filter Server Configuration
This example shows a configuration for a host machine acting as a web server. This machine has an e1000g network interface.

    # web server with an e1000g interface
    # block and log everything by default;
    # then allow specific services
    # group 100 - inbound rules
    # group 200 - outbound rules
    # (0/32) resolves to our IP address)
    *** FTP proxy ***

    # block short packets which are packets
    # fragmented too short to be real.
    block in log quick all with short

    # block and log inbound and outbound by default,
    # group by destination
    block in log on e1000g0 from any to any head 100
    block out log on e1000g0 from any to any head 200

    # web rules that get hit most often
    pass in quick on e1000g0 proto tcp from any \
        to e1000g0/32 port = http flags S keep state group 100
    pass in quick on e1000g0 proto tcp from any \
        to e1000g0/32 port = https flags S keep state group 100

    # inbound traffic - ssh, auth
    pass in quick on e1000g0 proto tcp from any \
        to e1000g0/32 port = 22 flags S keep state group 100
    pass in log quick on e1000g0 proto tcp from any \
        to e1000g0/32 port = 113 flags S keep state group 100
    pass in log quick on e1000g0 proto tcp from any port = 113 \
        to e1000g0/32 flags S keep state group 100

    # outbound traffic - DNS, auth, NTP, ssh, WWW, smtp
    pass out quick on e1000g0 proto tcp/udp from e1000g0/32 \
        to any port = domain flags S keep state group 200
    pass in quick on e1000g0 proto udp from any \
        port = domain to e1000g0/32 group 100

    pass out quick on e1000g0 proto tcp from e1000g0/32 \
        to any port = 113 flags S keep state group 200
    pass out quick on e1000g0 proto tcp from e1000g0/32 port = 113 \
        to any flags S keep state group 200

    pass out quick on e1000g0 proto udp from e1000g0/32 to any \
        port = ntp group 200
    pass in quick on e1000g0 proto udp from any \
        port = ntp to e1000g0/32 port = ntp group 100

    pass out quick on e1000g0 proto tcp from e1000g0/32 \
        to any port = ssh flags S keep state group 200

    pass out quick on e1000g0 proto tcp from e1000g0/32 \
        to any port = http flags S keep state group 200
    pass out quick on e1000g0 proto tcp from e1000g0/32 \
        to any port = https flags S keep state group 200

    pass out quick on e1000g0 proto tcp from e1000g0/32 \
        to any port = smtp flags S keep state group 200

    # pass icmp packets in and out
    pass in quick on e1000g0 proto icmp from any to e1000g0/32 keep state group 100
    pass out quick on e1000g0 proto icmp from e1000g0/32 to any keep state group 200

    # block and ignore NETBIOS packets
    block in quick on e1000g0 proto tcp from any \
        to any port = 135 flags S keep state group 100

    block in quick on e1000g0 proto tcp from any port = 137 \
        to any flags S keep state group 100
    block in quick on e1000g0 proto udp from any to any port = 137 group 100
    block in quick on e1000g0 proto udp from any port = 137 to any group 100

    block in quick on e1000g0 proto tcp from any port = 138 \
        to any flags S keep state group 100
    block in quick on e1000g0 proto udp from any port = 138 to any group 100

    block in quick on e1000g0 proto tcp from any port = 139 to any flags S keep state group 100
    block in quick on e1000g0 proto udp from any port = 139 to any group 100

Example 21-26 IP Filter Router Configuration
This example shows a configuration for a router that has an internal interface, nge, and an external interface, ce1.

    # internal interface is nge0 at 192.168.1.1
    # external interface is nge1 IP obtained via DHCP
    # block all packets and allow specific services
    *** NAT ***
    *** POOLS ***

    # Short packets which are fragmented too short to be real.
    block in log quick all with short

    # By default, block and log everything.
    block in log on nge0 all
    block in log on nge1 all
    block out log on nge0 all
    block out log on nge1 all

    # Packets going in/out of network interfaces that aren't on the loopback
    # interface should not exist.
    block in log quick on nge0 from 127.0.0.0/8 to any
    block in log quick on nge0 from any to 127.0.0.0/8
    block in log quick on nge1 from 127.0.0.0/8 to any
    block in log quick on nge1 from any to 127.0.0.0/8

    # Deny reserved addresses.
    block in quick on nge1 from 10.0.0.0/8 to any
    block in quick on nge1 from 172.16.0.0/12 to any
    block in log quick on nge1 from 192.168.1.0/24 to any
    block in quick on nge1 from 192.168.0.0/16 to any

    # Allow internal traffic
    pass in quick on nge0 from 192.168.1.0/24 to 192.168.1.0/24
    pass out quick on nge0 from 192.168.1.0/24 to 192.168.1.0/24

    # Allow outgoing DNS requests from our servers on .1, .2, and .3
    pass out quick on nge1 proto tcp/udp from nge1/32 to any port = domain keep state
    pass in quick on nge0 proto tcp/udp from 192.168.1.2 to any port = domain keep state
    pass in quick on nge0 proto tcp/udp from 192.168.1.3 to any port = domain keep state

    # Allow NTP from any internal hosts to any external NTP server.
    pass in quick on nge0 proto udp from 192.168.1.0/24 to any port = 123 keep state
    pass out quick on nge1 proto udp from any to any port = 123 keep state

    # Allow incoming mail
    pass in quick on nge1 proto tcp from any to nge1/32 port = smtp keep state
    pass in quick on nge1 proto tcp from any to nge1/32 port = smtp keep state
    pass out quick on nge1 proto tcp from 192.168.1.0/24 to any port = smtp keep state

    # Allow outgoing connections: SSH, WWW, NNTP, mail, whois
    pass in quick on nge0 proto tcp from 192.168.1.0/24 to any port = 22 keep state
    pass out quick on nge1 proto tcp from 192.168.1.0/24 to any port = 22 keep state

    pass in quick on nge0 proto tcp from 192.168.1.0/24 to any port = 80 keep state
    pass out quick on nge1 proto tcp from 192.168.1.0/24 to any port = 80 keep state
    pass in quick on nge0 proto tcp from 192.168.1.0/24 to any port = 443 keep state
    pass out quick on nge1 proto tcp from 192.168.1.0/24 to any port = 443 keep state

    pass in quick on nge0 proto tcp from 192.168.1.0/24 to any port = nntp keep state
    block in quick on nge1 proto tcp from any to any port = nntp keep state
    pass out quick on nge1 proto tcp from 192.168.1.0/24 to any port = nntp keep state

    pass in quick on nge0 proto tcp from 192.168.1.0/24 to any port = smtp keep state

    pass in quick on nge0 proto tcp from 192.168.1.0/24 to any port = whois keep state
    pass out quick on nge1 proto tcp from any to any port = whois keep state

    # Allow ssh from offsite
    pass in quick on nge1 proto tcp from any to nge1/32 port = 22 keep state

    # Allow ping out
    pass in quick on nge0 proto icmp all keep state
    pass out quick on nge1 proto icmp all keep state

    # allow auth out
    pass out quick on nge1 proto tcp from nge1/32 to any port = 113 keep state
    pass out quick on nge1 proto tcp from nge1/32 port = 113 to any keep state

    # return rst for incoming auth
    block return-rst in quick on nge1 proto tcp from any to any port = 113 flags S/SA

    # log and return reset for any TCP packets with S/SA
    block return-rst in log on nge1 proto tcp from any to any flags S/SA

    # return ICMP error packets for invalid UDP packets
    block return-icmp(net-unr) in proto udp all