
Securing the Network in Oracle® Solaris 11.4

Updated: January 2019

How to Use Groups to Simplify Firewall Policy in a Network

Groups enable you to write one firewall policy for a type of network traffic, then apply the policy to the appropriate interfaces on different systems. Members of an interface group handle similar types of traffic. For example, a group of interfaces that filter LAN traffic could be added to the group "lan".

  1. Create a group name by using the name in a rule in the PF configuration file.

    Typical names are lan, wan, email, and imap. The names should identify the purpose of the group, such as the type of traffic being filtered.

    For example, the following rule uses the group name lan.

    pass in on lan from 198.51.100.0/27 to any
  2. On each system where the PF configuration file contains the group name, attach the group to the interface that performs that function.

    PF cannot use the group name to filter packets until you make the group name a property of the interface.

    For example, on HostB, the net1 and net2 interfaces provide the LAN firewall. The following commands make the lan group a property of each of those interfaces.

    HostB# ipadm set-ifprop -p fwifgroup+=lan -m ip net1
    HostB# ipadm set-ifprop -p fwifgroup+=lan -m ip net2

    Tip - To modify the active interface group configuration for testing purposes, use the -t option to make the change temporary. Upon reboot, the initial interface group configuration is restored.
  3. Verify the group assignments.

    See Example 10, Showing, Testing, and Deleting Firewall Interface Groups. For a fuller example, see Example 11, PF Configuration File Using Firewall Interface Groups.

Example 10  Showing, Testing, and Deleting Firewall Interface Groups

In this example, the administrator uses the -t option to the ipadm command to temporarily modify the active firewall interface group configuration from the preceding task on two hosts. On reboot, the original persistent configuration is restored.

HostA has the following interfaces: net0, net1, vnic3, vnic4, and vnic5.

HostB has the following interfaces: net0, net1, and net2.

  1. The administrator adds the appropriate interfaces to the lan group.

    HostA# for i in `ipadm show-if -p -o ifname|grep vnic` ; do
    > ipadm set-ifprop -t -p fwifgroup+=lan -m ip $i;
    > done
    
    HostB# ipadm set-ifprop -t -p fwifgroup+=lan -m ip net1
    HostB# ipadm set-ifprop -t -p fwifgroup+=lan -m ip net2
  2. On each system, the administrator lists the firewall interface groups.

    HostA$ ipadm show-ifprop -p fwifgroup
    IFNAME      PROPERTY        PROTO PERM CURRENT    PERSISTENT DEFAULT    POSSIBLE
    lo0         fwifgroup       ip    rw   --         --         --         --
    net0        fwifgroup       ip    rw   --         --         --         --
    net1        fwifgroup       ip    rw   --         --         --         --
    vnic3       fwifgroup       ip    rw   lan        --         --         lan
    vnic4       fwifgroup       ip    rw   lan        --         --         lan
    vnic5       fwifgroup       ip    rw   lan        --         --         lan

    HostB$ ipadm show-ifprop -p fwifgroup
    IFNAME      PROPERTY        PROTO PERM CURRENT    PERSISTENT DEFAULT    POSSIBLE
    lo0         fwifgroup       ip    rw   --         --         --         --
    net0        fwifgroup       ip    rw   lan        --         --         lan
    net1        fwifgroup       ip    rw   lan        --         --         lan
  3. The administrator can also list the firewall interface groups per interface.

    HostA$ ipadm show-ifprop -p fwifgroup vnic3
    IFNAME      PROPERTY        PROTO PERM CURRENT    PERSISTENT DEFAULT    POSSIBLE
    vnic3       fwifgroup       ip    rw   lan        --         --         lan
  4. After some testing, the administrator removes net0 from the lan firewall interface group on HostB, and removes all interface groups from vnic3 on HostA.

    HostB# ipadm set-ifprop -p fwifgroup-=lan -m ip net0
    HostA# ipadm reset-ifprop -t -p fwifgroup -m ip vnic3
    • The fwifgroup- argument removes one group assignment from net0.

      HostB# ipadm set-ifprop -p fwifgroup-=lan -m ip net0
    • The reset-ifprop subcommand removes all group assignments from vnic3.

      HostA# ipadm reset-ifprop -t -p fwifgroup -m ip vnic3

    If the administrator removes all firewall interface group assignments, the group name remains in the PF configuration file but is not used for packet filtering.
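
The following shell script is an added example and is not code from the Oracle Solaris documentation. It implements the check implied by step 2 of the task and by the note at the end of Example 10: a group name that appears in the PF configuration file but that no interface carries in its fwifgroup property filters nothing, so the rules written for it are silently inactive. The script parses a constructed sample of ipadm show-ifprop -p fwifgroup output and a constructed PF configuration, and reports every name filtered "on" that resolves to neither an interface nor an assigned group. Two details are assumptions that the page does not state: that several groups on one interface are displayed comma-separated in the CURRENT column, and that the names after "on" in the PF configuration are bare words.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris documentation: cross-check the
# names a PF configuration file filters "on" against the fwifgroup assignments
# reported by ipadm. A name that is neither an interface nor a group assigned
# to some interface belongs to a rule that never matches any packet.
#
# Assumptions (not stated on the documentation page): the CURRENT column of
# `ipadm show-ifprop -p fwifgroup` lists several groups comma-separated, and
# group or interface names in the PF configuration are bare words after "on".

# Constructed sample output of `ipadm show-ifprop -p fwifgroup` (not captured
# from a real host); the layout follows the documentation's examples.
SAMPLE_IFPROP='IFNAME      PROPERTY        PROTO PERM CURRENT    PERSISTENT DEFAULT    POSSIBLE
lo0         fwifgroup       ip    rw   --         --         --         --
net0        fwifgroup       ip    rw   --         --         --         --
net1        fwifgroup       ip    rw   lan        --         --         lan
net2        fwifgroup       ip    rw   lan,email  --         --         lan,email'

# Constructed sample PF configuration. The "wan" group is deliberately assigned
# to no interface so that the check has something to report.
SAMPLE_PFCONF='pass in on lan from 198.51.100.0/27 to any
block in on wan all
pass in on email proto tcp to any port 25
pass out on net0 all'

# Print "ifname group" pairs for every group currently assigned.
# Column 5 of the ipadm output is CURRENT; "--" means no group is set.
assigned_pairs() {
    awk 'NR > 1 && $5 != "--" {
        n = split($5, g, ",")
        for (i = 1; i <= n; i++) print $1, g[i]
    }'
}

# List the interfaces that belong to one group: members_of lan "$ifprop_text"
members_of() {
    printf '%s\n' "$2" | assigned_pairs | awk -v g="$1" '$2 == g { print $1 }'
}

# Print every name the PF configuration filters "on", de-duplicated.
pf_on_names() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "on") print $(i + 1) }' | sort -u
}

# Print each "on" name from the PF configuration that resolves to neither an
# interface (IFNAME column) nor an assigned group (CURRENT column).
# Usage: unresolved_names "$pfconf_text" "$ifprop_text"
unresolved_names() {
    known=$( { printf '%s\n' "$2" | awk 'NR > 1 { print $1 }'
               printf '%s\n' "$2" | assigned_pairs | awk '{ print $2 }'; } | sort -u)
    printf '%s\n' "$1" | pf_on_names | while read -r name; do
        printf '%s\n' "$known" | grep -qx -- "$name" || echo "$name"
    done
}

# Stand-alone run over the constructed samples: prints "wan".
echo "PF 'on' names with no interface or assigned group behind them:"
unresolved_names "$SAMPLE_PFCONF" "$SAMPLE_IFPROP"
```

To use it on a real host, replace the constructed samples with the output of ipadm show-ifprop -p fwifgroup and the contents of the PF configuration file; every name the script prints is a rule that PF cannot currently apply, either because the group was never attached to an interface or because the last assignment was removed with fwifgroup-= or reset-ifprop.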