
Firewall

Created by dave, 17 August 2012.

A quick guide to the firewall on Solaris 10.

The Firewall

I strongly recommend using the firewall.

Edit /etc/ipf/pfil.ap and uncomment the interfaces you want filtering on, probably your primary Ethernet interface. Use /sbin/ifconfig -a if you don't know the interface names. Then restart the packet-filter hook:

/usr/sbin/svcadm restart network/pfil

Create /etc/ipf/ipf.conf. I suggest starting with rules that allow all traffic:

pass in quick all
pass out quick all

Then enable the service:

/usr/sbin/svcadm enable network/ipfilter

Reboot. You're supposed to be able to re-plumb the interfaces instead of rebooting, but it didn't work for me.

Once the system is up and you have verified that you can still use the network, try some real rules. Here's an example ipf.conf. It is 'default deny', i.e. it allows specific things and prohibits everything else. I strongly recommend that. It also runs in stateful mode, which is the only practical way to allow all outgoing transactions and deny incoming ones.

This example allows all outgoing connections, and incoming connections for a few services. For a pure client machine I'd remove all the "pass in" TCP rules and maybe also the ICMP ones. ICMP type 8 is needed to respond to ping. Type 13 is timestamp request, which may or may not matter. With this setting you won't get or process the various error messages that routers and other hosts send using ICMP. They have been a source of security issues, but may still be useful. You can turn on all incoming ICMP by removing the "icmp-type NN" clause, or omit the ICMP rules entirely, in which case all incoming ICMP will be blocked. (Note that the instructions in the web page linked below are wrong for allowing ping. It is icmp type 8, not 0.)

pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 8080 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass out quick from any to any keep state
block in quick all

After changing /etc/ipf/ipf.conf, do

ipf -Fa -f /etc/ipf/ipf.conf
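To see why every rule in the ruleset above carries "quick", here is a small shell evaluator, added to this page and not part of the original note or of IP Filter itself. It applies ipf's scan order (the last matching rule decides, unless a matching rule says "quick", which stops the scan; a packet that matches no rule is passed) to the page's ruleset, to a constructed copy with "quick" dropped from the pass lines, and to the block-first style the ipf howto uses. It parses only the rule shapes on this page, ignores "keep state", and the sample packets are constructed.

```shell
#!/bin/sh
# Toy IP Filter rule evaluator (added illustration, not ipf's own code).
# ipf reads the ruleset top to bottom: the LAST matching rule decides, unless a
# matching rule carries "quick", which stops the scan at that rule. A packet that
# matches no rule at all is passed. Only the rule shapes on this page are parsed:
#   pass|block in|out [quick] [proto tcp|udp|icmp] [from any to any]
#                     [port = N] [icmp-type N] [keep state] | all
# "keep state" is ignored: this models the rule scan, not the state table.

# The ruleset from the page: quick on every pass rule, final "block in quick all".
PAGE_RULES='pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 8080 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass out quick from any to any keep state
block in quick all'

# Constructed mistake: the same idea, but "quick" dropped from the pass lines.
NOQUICK_RULES='pass in proto tcp from any to any port = 22 keep state
pass in proto icmp from any to any icmp-type 8 keep state
pass out from any to any keep state
block in quick all'

# The ipf howto style: block first, no quick anywhere, later pass rules override.
BLOCKFIRST_RULES='block in all
pass in proto tcp from any to any port = 22 keep state
pass in proto icmp from any to any icmp-type 8 keep state
pass out from any to any keep state'

# ipf_decide DIR PROTO NUM RULES
#   DIR in|out, PROTO tcp|udp|icmp, NUM destination port (tcp/udp) or icmp type.
#   Prints the verdict, "pass" or "block".
ipf_decide() {
    pkt_dir=$1; pkt_proto=$2; pkt_num=$3; rules=$4
    verdict=pass                      # ipf's verdict when nothing matches
    while read -r action rdir rest; do
        [ -n "$action" ] || continue
        case $action in '#'*) continue ;; esac
        quick=no; rproto=any; rnum=any
        set -- $rest                  # tokenise the remainder of the rule
        while [ $# -gt 0 ]; do
            case $1 in
                quick)     quick=yes ;;
                proto)     rproto=$2; shift ;;
                port)      rnum=$3; shift 2 ;;   # "port = N"
                icmp-type) rnum=$2; shift ;;
            esac
            shift
        done
        [ "$rdir" = "$pkt_dir" ] || continue
        [ "$rproto" = any ] || [ "$rproto" = "$pkt_proto" ] || continue
        [ "$rnum" = any ] || [ "$rnum" = "$pkt_num" ] || continue
        verdict=$action               # last match wins ...
        [ "$quick" = no ] || break    # ... unless it is quick
    done <<EOF
$rules
EOF
    printf '%s\n' "$verdict"
}

# Show the three rulesets side by side for a few constructed packets.
for pkt in "in tcp 22" "in tcp 25" "in icmp 8" "in icmp 0" "out tcp 25"; do
    set -- $pkt
    printf '%-12s page=%-5s no-quick=%-5s block-first=%s\n' "$pkt" \
        "$(ipf_decide "$1" "$2" "$3" "$PAGE_RULES")" \
        "$(ipf_decide "$1" "$2" "$3" "$NOQUICK_RULES")" \
        "$(ipf_decide "$1" "$2" "$3" "$BLOCKFIRST_RULES")"
done
```

The middle column is the point: with "quick" removed from the pass lines, an inbound SSH packet still matches its pass rule, but the scan continues to "block in quick all", which matches too and wins. Either keep "quick" on every pass rule, as the page does, or put the block rule first and drop "quick" everywhere; mixing the two styles locks you out.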

Even if you're not going to create a NAT, you'll want one entry in ipnat.conf: an FTP proxy that makes active FTP work. Without it you can only use passive FTP. Put the following in /etc/ipf/ipnat.conf:

map bge0 0/0 -> 0/32 proxy port 21 ftp/tcp

Note that it needs your Ethernet interface name, which on my machine is bge0. Use ifconfig -a to find your name if you don't know it. This only handles clients on this machine that want to use FTP. If you want incoming FTP to work, things get a lot more complex; you'll need the full instructions linked below.

After changing /etc/ipf/ipnat.conf do

ipnat -CF -f /etc/ipf/ipnat.conf
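Since the map rule only does anything when the interface name matches one this host actually has, here is a small check, added here and not from the page or from IP Filter, that compares the interfaces in ipnat.conf "map" rules against the names in "ifconfig -a" output before running the reload step above. The ifconfig output it runs against offline is constructed in Solaris 10 format; reload_ipnat is the only part that touches the live system.

```shell
#!/bin/sh
# Added example (not from the page or from IP Filter): check that the interface
# named in ipnat.conf "map" rules really exists before reloading the NAT table.
# A map rule that names an interface this host does not have never matches.

# interfaces_from_ifconfig: read "ifconfig -a" output on stdin and print one
# physical interface name per line. On Solaris each interface stanza starts at
# column 0 as "name: flags=..."; logical interfaces appear as "name:N" and are
# folded onto their physical interface.
interfaces_from_ifconfig() {
    sed -n 's/^\([A-Za-z][A-Za-z0-9_.:]*\): flags=.*/\1/p' \
        | sed 's/:[0-9][0-9]*$//' \
        | sort -u
}

# check_ipnat_ifaces CONF_TEXT KNOWN_IFACES
#   CONF_TEXT    contents of ipnat.conf
#   KNOWN_IFACES interface names, one per line
#   Returns 0 when every map/rdr/bimap rule names a known interface, else 1,
#   printing each offending rule on stderr. Comments and blank lines are skipped.
check_ipnat_ifaces() {
    conf=$1; known=$2; bad=0
    while read -r kw iface rest; do
        case $kw in map|rdr|bimap) ;; *) continue ;; esac
        if ! printf '%s\n' "$known" | grep -qxF -- "$iface"; then
            echo "ipnat.conf: '$iface' in '$kw $iface $rest' is not an interface on this host" >&2
            bad=1
        fi
    done <<EOF
$conf
EOF
    return $bad
}

# reload_ipnat [CONF]: the page's reload step, guarded by the check above.
# Only meaningful on the Solaris host itself; it is defined but not called here.
reload_ipnat() {
    conf=${1:-/etc/ipf/ipnat.conf}
    check_ipnat_ifaces "$(cat "$conf")" \
        "$(/sbin/ifconfig -a | interfaces_from_ifconfig)" || return 1
    ipnat -CF -f "$conf"
}

# Constructed "ifconfig -a" output in Solaris 10 format, so this runs offline.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.11 netmask ffffff00 broadcast 192.0.2.255'

# The page's rule (bge0) against the sample host, then the same rule with an
# interface name (hme0, constructed) that this sample host does not have.
KNOWN=$(printf '%s\n' "$SAMPLE_IFCONFIG" | interfaces_from_ifconfig)
check_ipnat_ifaces 'map bge0 0/0 -> 0/32 proxy port 21 ftp/tcp' "$KNOWN" && echo "bge0 rule: ok"
check_ipnat_ifaces 'map hme0 0/0 -> 0/32 proxy port 21 ftp/tcp' "$KNOWN" || echo "hme0 rule: rejected"
```

On the real host, reload_ipnat replaces the bare "ipnat -CF -f" step: it refuses to flush and reload when a rule names an interface ifconfig does not list, so a typo in the interface name fails loudly instead of leaving FTP silently broken.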

There's a utility, ipfstat, that will show you the current rules and how they are being hit. See its man page for details.

For more detailed instructions, see http://www.obfuscation.org/ipf/ipf-howto.html.

(Source)
