ipfilter(5)           Standards, Environments, and Macros          ipfilter(5)



NAME

       ipfilter - IP packet filtering software


DESCRIPTION

       IP Filter is software that provides packet filtering capabilities on a
       Solaris system. On a properly set up system, it can be used to build a
       firewall.


       Solaris IP Filter is installed with the Solaris operating system.
       However, packet filtering is not enabled by default. See ipf(1M) for a
       procedure to enable and activate the IP Filter feature.


HOST-BASED FIREWALL

       To simplify IP Filter configuration management, a firewall framework
       allows users to configure IP Filter by expressing firewall policy at
       the system and service level. Given the user-defined firewall policy,
       the framework generates a set of IP Filter rules to enforce the desired
       system behavior. Users specify system and service firewall policies
       that allow or deny network traffic from certain hosts, subnets, and
       interface(s). The policies are translated into a set of active IPF
       rules to enforce the specified firewall policies.

       Note -

         Users can still specify their own ipf rule file if they choose not to
         take advantage of the framework. See ipf(1M) and ipf(4).

   Model
       This section describes the host-based firewall framework. See
       svc.ipfd(1M) for details on how to configure firewall policies.


       A three-layer approach with different precedence levels helps the user
       achieve the desired behaviors.

       Global Default

           Global Default - Default system-wide firewall policy. This policy
           is automatically inherited by all services unless services modify
           their firewall policy.


       Network Services

           Higher precedence than Global Default. A service's policy
           allows/disallows traffic to its specific ports, regardless of
           Global Default policy.


       Global Override

           Another system-wide policy that takes precedence over the needs of
           specific services in the Network Services layer.


       The layers, highest precedence at the top:

         Global Override
               |
               |
         Network Services
               |
               |
         Global Default




       A firewall policy includes a firewall mode and an optional set of
       network sources. Network sources are IP addresses, subnets, and local
       network interfaces, from all of which a system can receive incoming
       traffic. The basic firewall modes are:

       None

           No firewall, allow all incoming traffic.


       Deny

           Allow all incoming traffic but deny from specified source(s).


       Allow

           Deny all incoming traffic but allow from specified source(s).


   Layers in Detail
       The first system-wide layer, Global Default, defines a firewall policy
       that applies to any incoming traffic, for example, allowing or blocking
       all traffic from an IP address. This makes it simple to have a policy
       that blocks all incoming traffic or all incoming traffic from unwanted
       source(s).


       The Network Services layer contains firewall policies for local
       programs that provide service to remote clients, for example, telnetd,
       sshd, and httpd. Each of these programs, a network service, has its own
       firewall policy that controls access to its service. Initially, a
       service's policy is set to inherit the Global Default policy, a "Use
       Global Default" mode. This makes it simple to set a single policy, at
       the Global Default layer, that is inherited by all services.


       When a service's policy differs from the Global Default policy, the
       service's policy has higher precedence. If the Global Default policy is
       set to block all traffic from a subnet, the SSH service could be
       configured to allow access from certain hosts in that subnet. The set
       of all policies for all network services comprises the Network
       Services layer.


       The second system-wide layer, Global Override, has a firewall policy
       that also applies to any incoming network traffic. This policy has the
       highest precedence and overrides policies in the other layers,
       specifically overriding the needs of network services. An example is
       when it is desirable to block known malicious source(s) regardless of
       services' policies. The same precedence applies to a Global Override
       in Allow mode: it denies every source it does not list, regardless of
       which sources individual services allow.

   User Interaction
       This framework leverages IP Filter functionality and is active only
       when svc:/network/ipfilter is enabled and inactive when network/ipfilter
       is disabled. Similarly, a network service's firewall policy is only
       active when that service is enabled and inactive when the service is
       disabled, so traffic to a disabled service's port is governed by the
       system-wide policies alone. A system with an active firewall has IP
       Filter rules for each running/enabled network service and for each
       system-wide policy whose firewall mode is not None.


       A user configures a firewall by setting the system-wide policies and
       the policy for each network service. See svc.ipfd(1M) on how to
       configure a firewall policy.


       The firewall framework consists of policy configuration and a mechanism
       that generates IP Filter rules from the policy and applies those rules
       to get the desired IP Filter configuration. A quick summary of the
       design and user interaction:

           o      system-wide policies are stored in network/ipfilter

           o      network services' policies are stored in each SMF service

           o      a user activates a firewall by enabling network/ipfilter
                  (see ipf(1M))

           o      a user activates or deactivates a service's firewall by
                  enabling or disabling that network service

           o      changes to system-wide or per-service firewall policy
                  result in an update to the system's firewall rules
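
       The following Python model is an added illustration of the layer
       precedence and firewall modes described under Model and Layers in
       Detail, and of the point made above that only enabled services and
       policies whose mode is not None contribute rules. It is not code from
       svc.ipfd(1M) or IP Filter. The Policy and Service types, the mode name
       "global" standing in for "Use Global Default", the source spellings
       host:/network:/if:, the sample addresses and services, and the exact
       rule text are all assumptions of the example; the rules it emits are a
       simplified approximation of what the framework generates, not its
       actual output.

```python
"""Toy model of the ipfilter(5) host-based firewall framework (added example,
not svc.ipfd(1M)'s code).  Layers resolve in precedence order: Global Override,
enabled Network Services, Global Default.  Each is a Policy (mode + sources)
that yields a verdict or defers; rules are emitted in the same order as "quick"
IP Filter rules, so first match wins."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Policy:
    # mode: "none", "deny", "allow", or "global" (this example's name for the
    # "Use Global Default" mode; meaningful for services only).
    # sources: "host:ADDR", "network:ADDR/LEN" or "if:IFNAME" (assumed spelling).
    mode: str
    sources: List[str] = field(default_factory=list)

@dataclass
class Service:
    name: str
    port: int
    enabled: bool = True          # a disabled service contributes no rules
    proto: str = "tcp"
    policy: Policy = field(default_factory=lambda: Policy("global"))

def source_matches(spec: str, addr: str, iface: Optional[str]) -> bool:
    """True if a packet from addr arriving on iface comes from the source spec."""
    kind, _, value = spec.partition(":")
    if kind == "if":
        return iface == value
    if kind in ("host", "network"):
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unknown source spec {spec!r}")

def layer_verdict(policy, addr, iface, is_override=False) -> Optional[str]:
    """Return "pass", "block", or None to defer.  Global Override only speaks for
    what it lists (Deny) or decides everything (Allow); lower layers settle the rest."""
    listed = any(source_matches(s, addr, iface) for s in policy.sources)
    if policy.mode == "global":
        return None
    if policy.mode == "none":
        return None if is_override else "pass"
    if policy.mode == "deny":
        return "block" if listed else (None if is_override else "pass")
    if policy.mode == "allow":
        return "pass" if listed else "block"
    raise ValueError(f"unknown mode {policy.mode!r}")

def decide(override, services, default, addr, port, iface=None) -> Tuple[str, str]:
    """Resolve one incoming packet: returns (verdict, layer that decided)."""
    v = layer_verdict(override, addr, iface, is_override=True)
    if v:
        return v, "override"
    for svc in services:
        if svc.enabled and svc.port == port:     # disabled services are skipped
            v = layer_verdict(svc.policy, addr, iface)
            if v:
                return v, svc.name
    return layer_verdict(default, addr, iface) or "pass", "default"

def _clause(spec, svc=None) -> str:
    """Match part of an ipf rule for one listed source (optionally one port)."""
    kind, _, value = spec.partition(":")
    on = f"on {value} " if kind == "if" else ""    # interfaces match via 'on'
    src = "any" if kind == "if" else value
    if svc:
        return f"{on}proto {svc.proto} from {src} to any port = {svc.port}"
    return f"{on}from {src} to any"

def layer_rules(policy, svc=None, is_override=False) -> List[str]:
    """Rules for one layer; a Service restricts them to that service's port."""
    everything = f"proto {svc.proto} from any to any port = {svc.port}" if svc else "all"
    if policy.mode == "global" or (policy.mode == "none" and is_override):
        return []
    if policy.mode == "none":
        return [f"pass in quick {everything}"]
    if policy.mode == "deny":
        rules = [f"block in quick {_clause(s, svc)}" for s in policy.sources]
        return rules if is_override else rules + [f"pass in quick {everything}"]
    rules = [f"pass in quick {_clause(s, svc)}" for s in policy.sources]
    return rules + [f"block in quick {everything}"]

def generate_rules(override, services, default) -> List[str]:
    """Ordered rule set: override, then each enabled service, then default."""
    rules = layer_rules(override, is_override=True)
    for svc in services:
        if svc.enabled:
            rules += layer_rules(svc.policy, svc)
    return rules + layer_rules(default)

# Constructed sample policy (documentation-range addresses, not a real site).
OVERRIDE = Policy("deny", ["host:203.0.113.9"])                 # known-bad host
DEFAULT = Policy("deny", ["network:192.0.2.0/24"])              # block a subnet
SERVICES = [
    Service("ssh", 22, policy=Policy("allow", ["host:192.0.2.5"])),  # hole in the block
    Service("http", 80),                                       # inherits Global Default
    Service("telnet", 23, enabled=False, policy=Policy("none")),  # disabled: no rules
]
```

       With the sample policy, decide() lets 192.0.2.5 reach port 22 (the
       SSH service's Allow policy wins over the Global Default block on its
       subnet), blocks the same host on port 80 (the http service inherits
       Global Default), and blocks 203.0.113.9 everywhere (Global Override).
       generate_rules() emits the override block first, then the two SSH
       rules, then the subnet block and a final pass; the http service in
       "Use Global Default" mode and the disabled telnet service contribute
       nothing, so traffic to port 23 is settled by Global Default alone.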
155

ATTRIBUTES

       See attributes(5) for a description of the following attributes:




       ┌─────────────────────────────┬─────────────────────────────┐
       │ATTRIBUTE TYPE               │ATTRIBUTE VALUE              │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       svcs(1), ipf(1M), ipnat(1M), svcadm(1M), svc.ipfd(1M), ipf(4),
       ipnat(4), attributes(5), smf(5)


       System Administration Guide: IP Services


NOTES

       The ipfilter service is managed by the service management facility,
       smf(5), under the service identifier:

         svc:/network/ipfilter:default




       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed using svcadm(1M). The service's
       status can be queried using the svcs(1) command.


       IP Filter startup configuration files are stored in /etc/ipf.



SunOS 5.11                        20 May 2009                      ipfilter(5)