IP Filter: Using the firewall under Solaris

From Deimos.fr / Bloc Notes Informatique

1 Introduction

IPFilter (commonly referred to as ipf) is an open source software package that provides firewall services and network address translation (NAT) for many UNIX-like operating systems. The author and software maintainer is Darren Reed. IPFilter supports both IPv4 and IPv6 protocols, and is a stateful firewall.

IPFilter is delivered with FreeBSD, NetBSD and Solaris 10. It used to be a part of OpenBSD, but it was removed in May 2001 due to problems with the license of IP Filter, after negotiations between Theo de Raadt and Reed broke down. At first glance, the license looks a lot like BSD Licenses, but does not allow redistribution of modified versions. Reed came back with another proposal but it was already too late. The software was removed from OpenBSD.

IPFilter can be installed as a runtime-loadable kernel module or directly incorporated into the operating system kernel, depending on the specifics of each kernel and user preferences. The software's documentation recommends the module approach, if possible.

2 Usage

  • To activate the Solaris IP Filter service:
Command svcadm
svcadm enable network/ipfilter

  • To enable IPF:
Command ipf
ipf -E

  • To disable IPF:
Command ipf
ipf -D

  • Reload the configuration from a file:
Command ipf
ipf -f config_file

  • Activate NAT (optional); the NAT rules are loaded with ipnat, not ipf:
Command ipnat
ipnat -f config_file

  • Remove the active rule set from the kernel:
Command ipf
ipf -Fa

  • Remove the incoming packet filtering rules:
Command ipf
ipf -Fi

  • Remove the outgoing packet filtering rules:
Command ipf
ipf -Fo

  • Get statistics for the incoming and outgoing rule lists:
Command ipfstat
ipfstat -io


3 Configuration

3.1 Files locations

The default configuration files are located in /etc/ipf:

  • ipf.conf: the main packet filtering configuration
  • ipnat.conf: the NAT configuration
  • ippool.conf: defines IP address pools

Files with these names are loaded automatically at boot time. If you do not want a file to be loaded at boot, rename it.

3.2 Redirect all incoming connections to a specific IP on a specific port

This example forwards any incoming connection on port 4175:

svcadm enable svc:/network/ipv4-forwarding:default
ipf -E
rdr e1000g0 port 4175 -> port 4175 tcp
rdr e1000g1 port 4175 -> port 4175 tcp
map e1000g0 from any to port = 4175 -> 0/32
map e1000g1 from any to port = 4175 -> 0/32

In these rules, is the subnet of the "forwarder", is the destination IP.
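The following script is an added example and is not taken from the original page; it ties together the file layout of section 3.1 and the redirect of section 3.2. It generates a default-deny, stateful /etc/ipf/ipf.conf and an /etc/ipf/ipnat.conf for the port 4175 redirect, checks both with a dry run (the -n flag of ipf and ipnat parses the rules without touching the kernel) and only then loads them with the commands from section 2. The interface names (e1000g0, e1000g1) and the port come from the page; the destination host 192.0.2.10 and the management network 192.0.2.0/24 are constructed values that must be replaced. One point the page's rules do not show: IP Filter applies inbound NAT (rdr) before filtering, so the filter rule that admits the redirected traffic must match the real destination address, not the address of the forwarder.

```shell
#!/bin/sh
# Added example (not part of the original page). Assumed/constructed values:
IFACES="e1000g0 e1000g1"   # interfaces used in the page's example
PORT=4175                  # redirected service port from the page
DEST=192.0.2.10            # constructed: real host that serves port 4175
MGMT_NET=192.0.2.0/24      # constructed: network allowed to SSH to the firewall
IPF_CONF=${IPF_CONF:-/etc/ipf/ipf.conf}
IPNAT_CONF=${IPNAT_CONF:-/etc/ipf/ipnat.conf}

# Emit ipf.conf: block and log everything, then allow only stateful exceptions.
ipf_rules() {
    printf '%s\n' \
        '# generated default-deny stateful filter' \
        'block in log all' \
        'block out log all' \
        'pass in quick on lo0 all' \
        'pass out quick on lo0 all'
    for ifc in $IFACES; do
        # sessions initiated by this host
        printf 'pass out quick on %s proto tcp from any to any flags S keep state\n' "$ifc"
        printf 'pass out quick on %s proto udp from any to any keep state\n' "$ifc"
        # management access only from the admin network
        printf 'pass in quick on %s proto tcp from %s to any port = 22 flags S keep state\n' \
            "$ifc" "$MGMT_NET"
        # rdr rewrites the destination before filtering: match the real destination
        printf 'pass in quick on %s proto tcp from any to %s port = %s flags S keep state\n' \
            "$ifc" "$DEST" "$PORT"
    done
}

# Emit ipnat.conf: redirect port 4175 to DEST, and source-NAT the forwarded
# packets to the outgoing interface address (0/32) so replies come back here.
ipnat_rules() {
    for ifc in $IFACES; do
        printf 'rdr %s 0.0.0.0/0 port %s -> %s port %s tcp\n' "$ifc" "$PORT" "$DEST" "$PORT"
        printf 'map %s from any to %s port = %s -> 0/32\n' "$ifc" "$DEST" "$PORT"
    done
}

# Parse-only check of both rule sets (-n: no action on the kernel).
check_rules() {
    ipf_rules | ipf -n -f - && ipnat_rules | ipnat -n -f -
}

# Write the files to /etc/ipf (loaded at boot) and load them now.
apply_rules() {
    check_rules || return 1
    svcadm enable svc:/network/ipv4-forwarding:default
    svcadm enable network/ipfilter
    ipf_rules > "$IPF_CONF"
    ipnat_rules > "$IPNAT_CONF"
    ipf -Fa -f "$IPF_CONF"        # flush the active rule set, load the new one
    ipnat -CF -f "$IPNAT_CONF"    # clear NAT rules and sessions, load the new ones
    ipfstat -io                   # show the loaded in/out rules
    ipnat -l                      # show the loaded NAT rules
}

case "${1:-show}" in
    show)  ipf_rules; echo; ipnat_rules ;;
    check) check_rules ;;
    apply) apply_rules ;;
esac
```

Run it without arguments to print the generated rules, with `check` to dry-run them against the installed ipf and ipnat binaries, and with `apply` (as root) to write the files and load them. The `block in log all` default means the ipmon log shows every connection the rule set does not expect, which is the first place to look when the redirect does not work.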