1ipfilter(5) Standards, Environments, and Macros ipfilter(5)
2
3
4
6 ipfilter - IP packet filtering software
7
9 IP Filter is software that provides packet filtering capabilities on a
10 Solaris system. On a properly setup system, it can be used to build a
11 firewall.
12
13
14 Solaris IP Filter is installed with the Solaris operating system. How‐
15 ever, packet filtering is not enabled by default. See ipf(1M) for a
16 procedure to enable and activate the IP Filter feature.
17
19 To simplify IP Filter configuration management, a firewall framework is
20 created to allow users to configure IP Filter by expressing firewall
21 policy at system and service level. Given the user-defined firewall
22 policy, the framework generates a set of IP Filter rules to enforce the
23 desired system behavior. Users specify system and service firewall
24 policies that allow or deny network traffic from certain hosts, sub‐
25 nets, and interface(s). The policies are translated into a set of
26 active IPF rules to enforce the specified firewall policies.
27
28 Note -
29
30 Users can still specify their own ipf rule file if they choose not to
31 take advantage of the framework. See ipf(1M) and ipf(4).
32
33 Model
34 This section describes the host-based firewall framework. See
35 svc.ipfd(1M) for details on how to configure firewall policies.
36
37
38 A three-layer approach with different precedence levels helps the user
39 achieve the desired behaviors.
40
41 Global Default
42
43 Global Default - Default system-wide firewall policy. This policy
44 is automatically inherited by all services unless services modify
45 their firewall policy.
46
47
48 Network Services
49
50 Higher precedence than Global Default. A service's policy
51 allows/disallows traffic to its specific ports, regardless of
52 Global Default policy.
53
54
55 Global Override
56
57 Another system-wide policy that takes precedence over the needs of
58 specific services in Network Services layer.
59
60
61 Global Override
62 |
63 |
64 Network Services
65 |
66 |
67 Global Default
68
69
70
71
72 A firewall policy includes a firewall mode and an optional set of net‐
73 work sources. Network sources are IP addresses, subnets, and local net‐
74 work interfaces, from all of which a system can receive incoming traf‐
75 fic. The basic set of firewall modes are:
76
77 None
78
79 No firewall, allow all incoming traffic.
80
81
82 Deny
83
84 Allow all incoming traffic but deny from specified source(s).
85
86
87 Allow
88
89 Deny all incoming traffic but allow from specified source(s).
90
91
92 Layers in Detail
93 The first system-wide layer, Global Default, defines a firewall policy
94 that applies to any incoming traffic, for example, allowing or blocking
95 all traffic from an IP address. This makes it simple to have a policy
96 that blocks all incoming traffic or all incoming traffic from unwanted
97 source(s).
98
99
100 The Network Services layer contains firewall policies for local pro‐
101 grams that provide service to remote clients, for example, telnetd,
102 sshd, and httpd. Each of these programs, a network service, has its own
103 firewall policy that controls access to its service. Initially, a ser‐
104 vice's policy is set to inherit Global Default policy, a "Use Global
105 Default" mode. This makes it simple to set a single policy, at the
106 Global Default layer, that can be inherited by all services.
107
108
109 When a service's policy is different from Global Default policy, the
110 service's policy has higher precedence. If Global Default policy is set
111 to block all traffic from a subnet, the SSH service could be configured
112 to allow access from certain hosts in that subnet. The set of all poli‐
113 cies for all network services comprises the Network Service layer.
114
115
116 The second system-wide layer, Global Override, has a firewall policy
117 that also applies to any incoming network traffic. This policy has
118 highest precedence and overrides policies in the other layers, specifi‐
119 cally overriding the needs of network services. The example is when it
120 is desirable to block known malicious source(s) regardless of services'
121 policies.
122
123 User Interaction
124 This framework leverages IP Filter functionality and is active only
125 when svc:/network/ipfilter is enabled and inactive when network/ipfil‐
126 ter is disabled. Similarly, a network service's firewall policy is only
127 active when that service is enabled and inactive when the service is
128 disabled. A system with an active firewall has IP Filter rules for each
129 running/enabled network service and system-wide policy(s) whose fire‐
130 wall mode is not None.
131
132
133 A user configures a firewall by setting the system-wide policies and
134 policy for each network service. See svc.ipfd(1M) on how to configure a
135 firewall policy.
136
137
138 The firewall framework composes of policy configuration and a mechanism
139 to generate IP Filter rules from the policy and applying those rules to
140 get the desired IP Filter configuration. A quick summary of the design
141 and user interaction:
142
143 o system-wide policy(s) are stored in network/ipfilter
144
145 o network services' policies are stored in each SMF service
146
147 o a user activates a firewall by enabling network/ipfilter
148 (see ipf(1M))
149
150 o a user activates/deactivate a service's firewall by
151 enabling/disabling that network service
152
153 o changes to system-wide or per-service firewall policy
154 results in an update to the system's firewall rules
155
157 See attributes(5) for a description of the following attributes:
158
159
160
161
162 ┌─────────────────────────────┬─────────────────────────────┐
163 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
164 ├─────────────────────────────┼─────────────────────────────┤
165 │Interface Stability │Committed │
166 └─────────────────────────────┴─────────────────────────────┘
167
169 svcs(1), ipf(1M), ipnat(1M), svcadm(1M), svc.ipfd(1M), ipf(4),
170 ipnat(4), attributes(5), smf(5)
171
172
173 System Administration Guide: IP Services
174
176 The ipfilter service is managed by the service management facility,
177 smf(5), under the service identifier:
178
179 svc:/network/ipfilter:default
180
181
182
183
184 Administrative actions on this service, such as enabling, disabling, or
185 requesting restart, can be performed using svcadm(1M). The service's
186 status can be queried using the svcs(1) command.
187
188
189 IP Filter startup configuration files are stored in /etc/ipf.
190
191
192
193SunOS 5.11 20 May 2009 ipfilter(5)