Packet filtering provides basic protection against network-based attacks. Oracle Solaris includes the IP Filter feature and TCP wrappers.
The IP Filter feature of Oracle Solaris creates a firewall to ward off network-based attacks.
Specifically, IP Filter provides stateful packet filtering capabilities and can filter packets by IP address or network, port, protocol, network interface, and traffic direction. It also includes stateless packet filtering and the capability to create and manage address pools. In addition, IP Filter can perform network address translation (NAT) and port address translation (PAT).
For more information, see the following:
For an overview of IP Filter, see Chapter 4, About IP Filter in Oracle Solaris, in Securing the Network in Oracle Solaris 11.2.
For examples of using IP Filter, see Chapter 5, Configuring IP Filter, in Securing the Network in Oracle Solaris 11.2 and the man pages.
For information and examples about the syntax of the IP Filter policy language, see the ipnat(4) man page.
TCP wrappers provide access control for internet services. When various internet (inetd) services are enabled, the tcpd daemon checks the address of a host requesting a particular network service against an ACL. Requests are granted or denied accordingly. TCP wrappers also log host requests for network services in syslog, which is a useful monitoring function.
The Secure Shell (ssh) and sendmail features of Oracle Solaris are configured to use TCP wrappers. Network services that have a one-to-one mapping to executable files, such as proftpd and rpcbind, are candidates for TCP wrappers.
TCP wrappers support a rich configuration policy language that enables organizations to specify security policy not only globally but on a per-service basis. Further, access to services can be permitted or restricted based upon host name, IPv4 or IPv6 address, netgroup name, network, and even DNS domain.
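
The ACL check described above can be modeled in a few lines. This is an added example, not Oracle's code: a simplified Python model of how a hosts.allow and hosts.deny pair is evaluated per service. The policy text, addresses, host names and the daemon name sshd are constructed for illustration, and the model covers only IPv4 clients and the ALL, domain-suffix, address-prefix and net/mask pattern forms.

```python
import ipaddress

# Constructed sample policy (not from the page): default deny, per-service allows.
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd     : 192.0.2.0/255.255.255.0 .admin.example.com
sendmail : ALL
"""
HOSTS_DENY = "ALL : ALL\n"

def parse(text):
    """Return [(daemons, clients)] for each rule line, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":")[:2]  # IPv4-only model; options ignored
            rules.append((daemons.replace(",", " ").split(),
                          clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr, name):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # domain suffix, needs a resolved host name
        return name is not None and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):     # address prefix such as "192.0.2."
        return addr.startswith(pattern)
    if "/" in pattern:            # net/mask form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (addr, name)

def rule_hit(text, daemon, addr, name):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr, name) for p in clients)
               for daemons, clients in parse(text))

def check(daemon, addr, name=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Allow list first, then deny list; a request matching neither is granted."""
    if rule_hit(allow, daemon, addr, name):
        return "granted"
    if rule_hit(deny, daemon, addr, name):
        return "denied"
    return "granted"

if __name__ == "__main__":
    for req in [("sshd", "192.0.2.15"), ("sshd", "203.0.113.9"),
                ("sendmail", "203.0.113.9"), ("rpcbind", "192.0.2.15")]:
        print(req, check(*req))
```

Calling check with deny="" shows why the catch-all ALL : ALL entry matters: a request that matches neither list is granted.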