Solaris 10 firewalling
To make matters easy:
The configuration file for the firewall is /etc/ipf/ipf.conf and its service's FMRI is svc:/network/pfil:default
ipf -E : Enable ipfilter when running for the first time.
ipf -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into the active firewall.
ipf -Fa -f /etc/ipf/ipf.conf : Flush all rules, then load rules in /etc/ipf/ipf.conf into the active firewall.
ipf -Fi : Flush all input rules.
ipf -I -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into inactive firewall.
ipfstat -hio : Show hits against all rules
ipfstat -t -T 5 : Monitor the state table and refresh every 5 seconds. Output is similar to 'top'
For those coming from Linux: iptables -L == ipfstat -io
And finally an example of an ipf.conf, just for the heck of having one just in case:
# 11/18/04 - Newest Firewall for testing.
# Rich Shattuck
# My IP: 172.16.1.100
#
# Block any packets which are too short to be real
block in log quick all with short
#
# drop and log any IP packets with options set in them.
block in log all with ipopts
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public Network. Block everything not explicitly allowed.
block in on elxl0 all
block out on elxl0 all
#
# Allow pings out.
pass out quick on elxl0 proto icmp all keep state
#
# for testing, allow pings from ben and jerry
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound state related packets.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# allow ssh from 172.16.0.0/16 only.
# pass in log quick on elxl0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry, MSU
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
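As an added example (my own code, not part of the original page or of ipfilter), a small Python parser for rules in the syntax used above, with two audit helpers that answer the questions a reviewer asks of such a file: who may reach a given port, and which ports are open to any source. The embedded SAMPLE_CONF is constructed in the style of the config above, not the original file, and the function names are my own.

```python
SAMPLE_CONF = """\
# constructed sample in the style of the ipf.conf above, not the original file
block in log quick all with short
block in on elxl0 all
pass out quick on elxl0 proto tcp/udp from any to any keep state
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
pass in quick on elxl0 proto tcp from any to 172.16.1.100/32 port = 80 keep state
"""

def parse_rule(line):
    """Parse one ipf rule into a dict (the subset of the syntax the config above uses)."""
    tok = line.split()
    rule = {"action": tok[0], "dir": tok[1], "log": False, "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any", "sport": None, "dport": None,
            "keep_state": False, "with": None}
    i = 2
    while i < len(tok):
        t = tok[i]
        if t in ("log", "quick"):                 # bare flags
            rule[t], i = True, i + 1
        elif t in ("on", "proto", "with"):        # keyword followed by one argument
            rule["iface" if t == "on" else t], i = tok[i + 1], i + 2
        elif t in ("from", "to"):                 # address, then an optional 'port = N'
            rule["src" if t == "from" else "dst"], i = tok[i + 1], i + 2
            if i + 2 < len(tok) and tok[i] == "port" and tok[i + 1] == "=":
                rule["sport" if t == "from" else "dport"], i = int(tok[i + 2]), i + 3
        elif t == "all":                          # 'all' carries no extra information here
            i += 1
        elif t == "keep" and tok[i + 1] == "state":
            rule["keep_state"], i = True, i + 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule

def load_rules(text):
    """Parse every rule line of an ipf.conf, skipping blank lines and # comments."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]

def inbound_sources_for_port(text, port):
    """Sources that 'pass in' rules allow to reach `port`, in rule order."""
    return [r["src"] for r in load_rules(text)
            if r["action"] == "pass" and r["dir"] == "in" and r["dport"] == port]

def inbound_open_to_any(text):
    """Destination ports that some 'pass in' rule opens to any source."""
    return sorted({r["dport"] for r in load_rules(text) if r["action"] == "pass"
                   and r["dir"] == "in" and r["src"] == "any" and r["dport"]})
```

Run it against a real /etc/ipf/ipf.conf to list the ssh sources before loading the file with ipf -f; any port reported by inbound_open_to_any deserves a second look.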
Thanks for playing :)