1 Introduction
IPFilter (commonly referred to as ipf) is an open source software package that provides firewall services and network address translation (NAT) for many UNIX-like operating systems. The author and software maintainer is Darren Reed. IPFilter supports both IPv4 and IPv6 protocols, and is a stateful firewall.
IPFilter is delivered with FreeBSD, NetBSD and Solaris 10. It used to be part of OpenBSD, but it was removed in May 2001 due to problems with the IP Filter license, after negotiations between Theo de Raadt and Reed broke down. At first glance the license looks a lot like the BSD license, but it did not allow redistribution of modified versions. Reed came back with another proposal, but it was already too late: the software had been removed from OpenBSD.
IPFilter can be installed as a runtime-loadable kernel module or directly incorporated into the operating system kernel, depending on the specifics of each kernel and user preferences. The software's documentation recommends the module approach, if possible.
2 Usage
- To activate Solaris IP Filter (enable the service, then enable the filter in the kernel):
    svcadm enable network/ipfilter
    ipf -E
- To disable the filter:
    ipf -D
- To load a rule set from a file:
    ipf -f config_file
- Activate NAT (optional):
    ipnat -f config_file
- Remove the active rule set from the kernel:
    ipf -Fa
- Remove incoming packet filtering rules:
    ipf -Fi
- Remove outgoing packet filtering rules:
    ipf -Fo
- List the loaded incoming and outgoing rules:
    ipfstat -io
  or show filter statistics:
    ipfstat
3 Configuration
3.1 Files locations
The default configuration files are located in /etc/ipf :
- ipf.conf : the main (packet filtering) configuration
- ipnat.conf : the NAT configuration
- ippool.conf : server pool definitions
Files with these names are loaded at boot time. If you don't want a file loaded automatically, give it another name.
3.2 Redirect all incoming connections to a specific IP on a specific port
This is an example that forwards any incoming connection on port 4175 to a single destination host. The first two lines are shell commands (enable IP forwarding, enable the filter); the rdr and map lines are NAT rules, which belong in ipnat.conf and are loaded with ipnat -f config_file :
    svcadm enable svc:/network/ipv4-forwarding:default
    ipf -E
    rdr e1000g0 192.168.76.0/24 port 4175 -> 192.168.15.30 port 4175 tcp
    rdr e1000g1 192.168.76.0/24 port 4175 -> 192.168.15.30 port 4175 tcp
    map e1000g0 from any to 192.168.15.30 port = 4175 -> 0/32
    map e1000g1 from any to 192.168.15.30 port = 4175 -> 0/32
192.168.76.0/24 is the subnet of the "forwarder" and 192.168.15.30 is the destination IP. The rdr rules rewrite the destination of TCP packets arriving on each interface for 192.168.76.0/24 port 4175 to 192.168.15.30 port 4175; the map rules rewrite the source address of the forwarded packets to the interface's own address (0/32), so that replies come back through the forwarder.
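When the same redirect has to be written for several interfaces, it is easy to mistype one of the duplicated lines. The following POSIX sh script, added here as an example and not part of the original page or of IPFilter itself, generates the rdr/map rule set shown above for any list of interfaces, validates the port before anything is written, and counts the rules in the resulting file so the result can be checked before it is loaded with ipnat -f. The function names, argument order and output file are assumptions of this example; nothing in it calls ipnat or ipf.

```shell
#!/bin/sh
# Added example (not from the original page): generate an ipnat.conf redirect
# rule set for several interfaces instead of hand-copying the lines.

# validate_port PORT: returns 0 when PORT is an integer in 1..65535.
# Rejecting bad input here avoids loading a malformed rule into the kernel.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_redirect FORWARDER_SUBNET DEST_IP PORT IFACE [IFACE...]
# Prints, in ipnat.conf syntax, one rdr line per interface followed by one
# map line per interface (same ordering as the example on the page).
gen_redirect() {
    subnet=$1; dest=$2; port=$3
    shift 3
    validate_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    # rdr: TCP packets arriving on IFACE for SUBNET:PORT are sent to DEST:PORT
    for iface in "$@"; do
        printf 'rdr %s %s port %s -> %s port %s tcp\n' \
            "$iface" "$subnet" "$port" "$dest" "$port"
    done
    # map: source of forwarded packets becomes the interface address (0/32)
    for iface in "$@"; do
        printf 'map %s from any to %s port = %s -> 0/32\n' \
            "$iface" "$dest" "$port"
    done
}

# count_rules FILE: number of rdr/map rules in FILE (sanity check before loading).
count_rules() {
    grep -c -E '^(rdr|map) ' "$1"
}

# write_ipnat_conf OUTFILE FORWARDER_SUBNET DEST_IP PORT IFACE [IFACE...]
# Writes the generated rules to OUTFILE and prints how many rules it contains.
# The assumed workflow is: write to a scratch file, inspect it, then copy it
# to /etc/ipf/ipnat.conf and run "ipnat -f /etc/ipf/ipnat.conf".
write_ipnat_conf() {
    out=$1; shift
    gen_redirect "$@" > "$out" || return 1
    count_rules "$out"
}

# Usage (values from the page's example; /tmp path is an assumption):
#   write_ipnat_conf /tmp/ipnat.conf.new 192.168.76.0/24 192.168.15.30 4175 e1000g0 e1000g1
```

Running the usage line writes four rules (two rdr, two map) and prints 4; a port such as 70000 or "4175x" makes gen_redirect fail before the file is written, which is the point of validating first.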