Enabling the Solaris 10 IP packet filter (IP Filter) HowTo
Okay, here's a little post to stay on the security topic :) How does one enable the packet filter supplied with the Solaris 10 OS to secure one's system?
Note: in my case, I had already set up the actual filtering policy by populating /etc/ipf/ipf.conf.
Well here we go:
You start by reading either ipf(1M) or ipfilter(5), which clearly state that you need to edit /etc/ipf/pfil.ap to include the driver name(s) of the network interface(s) to be filtered.
My system uses a Broadcom Gigabit Ethernet controller using the bge(7D) driver.
So uncomment the bge line in the pfil.ap file and save the change.
Then you need to configure the network interface so that it makes use of the network/pfil service.
You can accomplish this by rebooting the system (clearly the easiest way).
Once you've rebooted, you can verify via ifconfig(1M) that the pfil module has been inserted into the ethernet controller's module stack:
# ifconfig bge0 modlist
0 arp
1 ip
2 pfil
3 bge
So you can see that the pfil module has been successfully inserted at position 2, between ip and the bge driver.
After the reboot you only have to enable the network/ipfilter service instance via svcadm(1M) to end up with a working packet filter.
For those who wonder why you only need to enable the network/ipfilter service instance and not also the network/pfil service instance: network/pfil is a dependency of the network/ipfilter instance and thus gets enabled automagically, thanks to the great smf(5) implementation in the Solaris 10 OS!
# svcs -d network/ipfilter
STATE STIME FMRI
online 11:42:34 svc:/network/pfil:default
online 11:42:42 svc:/system/filesystem/usr:default
online 11:42:45 svc:/network/physical:default
online 11:42:46 svc:/system/identity:node
But ipf(1M) clearly states that you can also restart/enable the network/pfil service instance via svcadm(1M) and then enable the network/ipfilter service instance.
Then unplumb and plumb the network interface and manually enable ipf.
That way you don't have to reboot your system.
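The whole no-reboot sequence as a script, as an added example that is not from the original post: it uncomments the driver in pfil.ap, restarts network/pfil, re-plumbs the interface, enables network/ipfilter and checks the ifconfig modlist and svcs -d output at each step. The bge/bge0 names and file paths are the post's own; re-applying the address from /etc/hostname.bge0 after the plumb is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: the no-reboot enable sequence
# as a script, with checks on the command output the post shows. Driver and
# interface names (bge, bge0) and paths are the post's own; re-reading the
# address from /etc/hostname.bge0 after the plumb is an assumption.

# Uncomment the DRIVER entry in a pfil.ap-style file (autopush(1M) format,
# one "#bge -1 0 pfil" line per driver). Fails if no such entry exists.
uncomment_pfil_driver() {   # usage: uncomment_pfil_driver bge [/etc/ipf/pfil.ap]
    drv=$1; f=${2:-/etc/ipf/pfil.ap}
    grep -q "^#[[:space:]]*$drv[[:space:]]" "$f" || return 1
    sed "s/^#[[:space:]]*\($drv[[:space:]]\)/\1/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Read "ifconfig IF modlist" output on stdin; succeed only if pfil sits
# directly above the driver (between ip and bge in the post's listing).
pfil_pushed() {             # usage: ifconfig bge0 modlist | pfil_pushed bge
    awk -v drv="$1" '{ mod[NR] = $2 }
        END { for (i = 2; i <= NR; i++) if (mod[i] == drv && mod[i - 1] == "pfil") ok = 1
              exit (ok ? 0 : 1) }'
}

# Read "svcs -d network/ipfilter" output on stdin; succeed only if the
# network/pfil dependency is listed and every dependency is online.
ipfilter_deps_ready() {     # usage: svcs -d network/ipfilter | ipfilter_deps_ready
    awk 'NR == 1 { next }                        # skip the STATE STIME FMRI header
         $3 ~ /^svc:\/network\/pfil:/ { seen = 1 }
         $1 != "online" { bad = 1 }
         END { exit ((seen && !bad) ? 0 : 1) }'
}

# The sequence the post describes, verifying each step. Needs root on Solaris 10
# and a console login: unplumbing the interface drops remote sessions.
enable_ipfilter_no_reboot() {   # usage: enable_ipfilter_no_reboot bge0 bge
    ifname=$1; drv=$2
    uncomment_pfil_driver "$drv" || { echo "no $drv entry in /etc/ipf/pfil.ap" >&2; return 1; }
    svcadm restart network/pfil
    ifconfig "$ifname" unplumb
    ifconfig "$ifname" plumb $(cat "/etc/hostname.$ifname") up   # assumption: address lives here
    ifconfig "$ifname" modlist | pfil_pushed "$drv" || { echo "pfil not pushed on $ifname" >&2; return 1; }
    svcadm enable network/ipfilter
    svcs -d network/ipfilter | ipfilter_deps_ready
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = enable ]; then enable_ipfilter_no_reboot bge0 bge; fi
```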
If you have Solaris IP Filter up and running, you can use ipfstat(1M) to list your active ruleset by issuing the following command(s):
# ipfstat -ihn (displays the inbound list)
# ipfstat -ohn (displays the outbound list)
As always, please do read the supplied manpages as they are valuable information for getting things working ;)
