IP Filter is software that provides packet filtering capabilities on a Solaris system. On a properly setup system, it can be used to build a firewall.
Solaris IP Filter is installed with the Solaris operating system. However, packet filtering is not enabled by default. See ipf(1M) for a procedure to enable and activate the IP Filter feature.
IP Filter configuration and activation is managed in Location profiles (refer to netcfg(1M) for more information about location profiles). These profiles are either fixed, meaning the network configuration is being managed in the traditional way, or reactive, meaning the network configuration is being managed automatically, reacting to changes in the network environment according to policy rules specified in the profiles.
When a fixed location (there can currently be only one, the DefaultFixed location) is active, changes made to the SMF repository will be applied to the location when it is disabled, and thus will be restored if that location is later re-enabled.
When a reactive location is active, changes should not be applied directly to the SMF repository; these changes will not be preserved in the location profile, and will thus be lost if the location is disabled, or if the system's network configuration, as managed by svc:/network/physical:default and svc:/network/location:default, is refreshed or restarted Changes should instead be applied to the location itself, using the netcfg command; this will save the change to the location profile repository, and will also apply it to the SMF repository (if the change is made to the currently active location).
The ipfilter SMF service will be enabled if an IPv4 filter configuration file is specified in the ipfilter-config-file property. To enable additional types of filtering, the ipfilter-v6-config-file, ipnat-config-file, and ippool-config-file properties may also be specified.
The ipfilter SMF service supports the start, stop, restart, and refresh methods. The methods are invoked using svcadm (1M).
Loads the ipfilter kernel module and activates any firewall or NAT rules as per the configuration.
Clears out all of the applied firewall and NAT rules and any active session information that has been created. Stopping the service with networking enabled should only be performed when there is no risk of any network traffic being able to enter the host.
Performs a stop and then start of the ipfilter service. Using this method on an active firewall results in a window of exposure where traffic can enter and/or pass through the firewall without being filtered.
Loads the current configuration and switches over from the old configuration to the new one without there being a moment in time when neither security policy is in active use.
To simplify IP Filter configuration management, a firewall framework is created to allow users to configure IP Filter by expressing firewall policy at system and service level. Given the user-defined firewall policy, the framework generates a set of IP Filter rules to enforce the desired system behavior. Users specify system and service firewall policies that allow or deny network traffic from certain hosts, subnets, and interface(s). The policies are translated into a set of active IPF rules to enforce the specified firewall policies.
IPF uses the ipmon(1M) service to log firewall events. The ipmon SMF service depends on the ipfilter SMF service. The ipmon service gets enabled temporarily by the ipfilter service start method as soon as ipfilter gets enabled automatically by “svcadm enable ipfilter”.
This section describes the host-based firewall framework. See svc.ipfd(1M) for details on how to configure firewall policies.
A three-layer approach with different precedence levels helps the user achieve the desired behaviors.
Global Default - Default system-wide firewall policy. This policy is automatically inherited by all services unless services modify their firewall policy.
Higher precedence than Global Default. A service's policy allows/disallows traffic to its specific ports, regardless of Global Default policy.
Another system-wide policy that takes precedence over the needs of specific services in Network Services layer.
Global Override | | Network Services | | Global Default
A firewall policy includes a firewall mode and an optional set of network sources. Network sources are IP addresses, subnets, and local network interfaces, from all of which a system can receive incoming traffic. The basic set of firewall modes are:
No firewall, allow all incoming traffic.
Allow all incoming traffic but deny from specified source(s).
Deny all incoming traffic but allow from specified source(s).
The first system-wide layer, Global Default, defines a firewall policy that applies to any incoming traffic, for example, allowing or blocking all traffic from an IP address. This makes it simple to have a policy that blocks all incoming traffic or all incoming traffic from unwanted source(s).
The Network Services layer contains firewall policies for local programs that provide service to remote clients, for example, telnetd, sshd, and httpd. Each of these programs, a network service, has its own firewall policy that controls access to its service. Initially, a service's policy is set to inherit Global Default policy, a “Use Global Default” mode. This makes it simple to set a single policy, at the Global Default layer, that can be inherited by all services.
When a service's policy is different from Global Default policy, the service's policy has higher precedence. If Global Default policy is set to block all traffic from a subnet, the SSH service could be configured to allow access from certain hosts in that subnet. The set of all policies for all network services comprises the Network Service layer.
The second system-wide layer, Global Override, has a firewall policy that also applies to any incoming network traffic. This policy has highest precedence and overrides policies in the other layers, specifically overriding the needs of network services. The example is when it is desirable to block known malicious source(s) regardless of services' policies.
This framework leverages IP Filter functionality and is active only when svc:/network/ipfilter is enabled and inactive when network/ipfilter is disabled. Similarly, a network service's firewall policy is only active when that service is enabled and inactive when the service is disabled. A system with an active firewall has IP Filter rules for each running/enabled network service and system-wide policy(s) whose firewall mode is not None.
A user configures a firewall by setting the system-wide policies and policy for each network service. See svc.ipfd(1M) on how to configure a firewall policy.
The firewall framework composes of policy configuration and a mechanism to generate IP Filter rules from the policy and applying those rules to get the desired IP Filter configuration. A quick summary of the design and user interaction:
system-wide policy(s) are stored in network/ipfilter
network services' policies are stored in each SMF service
a user activates a firewall by enabling network/ipfilter (see ipf(1M))
a user activates/deactivate a service's firewall by enabling/disabling that network service
changes to system-wide or per-service firewall policy results in an update to the system's firewall rules
See attributes(5) for a description of the following attributes:
The ipfilter service is managed by the service management facility, smf(5), under the service identifier:
IP Filter startup configuration files are stored in /etc/ipf.