Standards, Environments, and Macros                   ipfilter(5)



NAME
     ipfilter - IP packet filtering software

DESCRIPTION
     IP Filter is software that provides packet filtering capabilities
     on a Solaris system. On a properly set up system, it can be used
     to build a firewall.


     Solaris IP Filter is installed with  the  Solaris  operating
     system. However, packet filtering is not enabled by default.
     See ipf(1M) for a procedure to enable and  activate  the  IP
     Filter feature.

HOST-BASED FIREWALL
     To simplify IP Filter configuration management, a firewall
     framework is provided that allows users to configure IP Filter
     by expressing firewall policy at the system and service level.
     Given the user-defined firewall policy, the framework generates
     a set of IP Filter rules to enforce the desired system behavior.
     Users specify system and service firewall policies that allow or
     deny network traffic from certain hosts, subnets, and
     interface(s). The policies are translated into a set of active
     IPF rules to enforce the specified firewall policies.

     Note -

       Users can still specify their own ipf rule  file  if  they
       choose not to take advantage of the framework. See ipf(1M)
       and ipf(4).

  Model
     This section describes the  host-based  firewall  framework.
     See  svc.ipfd(1M)  for  details on how to configure firewall
     policies.


     A three-layer  approach  with  different  precedence  levels
     helps the user achieve the desired behaviors.

     Global Default

         Global Default - Default  system-wide  firewall  policy.
         This  policy  is automatically inherited by all services
         unless services modify their firewall policy.


     Network Services

         Higher precedence than Global Default. A service's policy
         allows/disallows traffic to its specific ports, regardless of
         Global Default policy.



SunOS 5.11          Last change: 18 Feb 2009                    1



     Global Override

         Another system-wide policy that  takes  precedence  over
         the  needs  of  specific  services  in  Network Services
         layer.


       +-------------------+
       |  Global Override  |   highest precedence
       +-------------------+
       |  Network Services |
       +-------------------+
       |  Global Default   |   lowest precedence
       +-------------------+




     A firewall policy includes a firewall mode and  an  optional
     set  of  network  sources. Network sources are IP addresses,
     subnets, and local network interfaces, from all of  which  a
     system  can  receive  incoming  traffic.  The  basic  set of
     firewall modes are:

     None

         No firewall, allow all incoming traffic.


     Deny

         Allow all  incoming  traffic  but  deny  from  specified
         source(s).


     Allow

         Deny all  incoming  traffic  but  allow  from  specified
         source(s).


  Layers in Detail
     The first  system-wide  layer,  Global  Default,  defines  a
     firewall  policy  that  applies to any incoming traffic, for
     example,  allowing  or  blocking  all  traffic  from  an  IP
     address.  This  makes it simple to have a policy that blocks
     all incoming traffic or all incoming traffic  from  unwanted
     source(s).







     The Network Services layer contains  firewall  policies  for
     local  programs  that provide service to remote clients, for
     example, telnetd, sshd, and httpd. Each of these programs, a
     network  service,  has its own firewall policy that controls
     access to its service. Initially, a service's policy is  set
     to  inherit  Global  Default  policy, a "Use Global Default"
     mode. This makes it simple to set a single  policy,  at  the
     Global Default layer, that can be inherited by all services.


     When a service's policy is different from Global Default policy,
     the service's policy has higher precedence. If Global Default
     policy is set to block all traffic from a subnet, the SSH service
     could be configured to allow access from certain hosts in that
     subnet. The set of all policies for all network services
     comprises the Network Services layer.


     The second system-wide layer, Global Override, has a firewall
     policy that also applies to any incoming network traffic. This
     policy has the highest precedence and overrides policies in the
     other layers, specifically overriding the needs of network
     services. An example is when it is desirable to block known
     malicious source(s) regardless of services' policies.

  User Interaction
     This framework leverages IP Filter functionality and is active
     only when svc:/network/ipfilter is enabled and inactive when
     network/ipfilter is disabled. Similarly, a network service's
     firewall policy is only active when that service is enabled and
     inactive when the service is disabled. A system with an active
     firewall has IP Filter rules for each running/enabled network
     service and for each system-wide policy whose firewall mode is
     not None.


     A user configures a firewall by setting the system-wide policies
     and the policy for each network service. See svc.ipfd(1M) on how
     to configure a firewall policy.


     The firewall framework consists of policy configuration and a
     mechanism that generates IP Filter rules from the policy and
     applies those rules to get the desired IP Filter configuration.
     A quick summary of the design and user interaction:

         o    system-wide policy(s) are stored in network/ipfilter

         o    network services' policies are stored in each SMF
              service

         o    a user activates a firewall by enabling network/ipfilter
              (see ipf(1M))

         o    a user activates/deactivates a service's firewall by
              enabling/disabling that network service

         o    changes to system-wide or per-service firewall policy
              result in an update to the system's firewall rules
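     The layered precedence model described under "Layers in Detail"
     (Global Override over Network Services over Global Default, with
     the None/Deny/Allow modes) and the policy-to-rules step in the
     summary above can be illustrated with a small translator. This is
     an added example, not svc.ipfd's generator or any code from this
     man page; it assumes a simplified rule syntax in which every rule
     is "quick" (first match wins) and services are identified by TCP
     port, and the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    mode: str                                    # none | deny | allow | use_global_default
    sources: list = field(default_factory=list)  # host IPs or CIDR subnets

def policy_rules(policy, port=None):
    """ipf rules for one policy; 'port' scopes them to one network service.
    Every rule is 'quick' (first match wins), so emission order is precedence."""
    dst = f"to any port = {port}" if port else "to any"
    if policy.mode == "use_global_default":
        return []                                # service inherits the Global Default rules
    if policy.mode == "none":
        return [f"pass in quick from any {dst}"] if port else []
    if policy.mode == "deny":                    # allow all but the listed sources
        rules = [f"block in quick from {s} {dst}" for s in policy.sources]
        return rules + ([f"pass in quick from any {dst}"] if port else [])
    if policy.mode == "allow":                   # deny all but the listed sources
        rules = [f"pass in quick from {s} {dst}" for s in policy.sources]
        return rules + [f"block in quick from any {dst}"]
    raise ValueError(f"unknown firewall mode {policy.mode!r}")

def compile_firewall(global_override, services, global_default):
    """Emit rules layer by layer: Global Override, Network Services, Global Default."""
    rules = policy_rules(global_override)
    for port, policy in services.items():        # services: {tcp_port: Policy}
        rules += policy_rules(policy, port)
    return rules + policy_rules(global_default)

def decide(rules, src_ip, dst_port):
    """First-match evaluation of the quick rules; no match means mode None (pass)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        words = rule.split()                     # e.g. block in quick from X to any port = 22
        action, src = words[0], words[4]
        port = int(words[-1]) if "port" in words else None
        if (src == "any" or ip in ipaddress.ip_network(src, strict=False)) and (
                port is None or port == dst_port):
            return action
    return "pass"

# Constructed scenario from the text: Global Default blocks a subnet, SSH (port 22) still
# admits two hosts from it, port 80 inherits, and Global Override blocks one host outright.
EXAMPLE_RULES = compile_firewall(
    global_override=Policy("deny", ["203.0.113.7"]),
    services={22: Policy("allow", ["192.0.2.10", "192.0.2.11"]),
              80: Policy("use_global_default")},
    global_default=Policy("deny", ["192.0.2.0/24"]),
)
```

     Because the Global Override rule is emitted first, 203.0.113.7 is
     blocked even on port 22, while 192.0.2.10 reaches SSH but not the
     inherited-default port 80.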

ATTRIBUTES
     See attributes(5) for a description of the following attributes:


     ATTRIBUTE TYPE               ATTRIBUTE VALUE
     ---------------------------  ---------------------------
     Interface Stability          Committed



SEE ALSO
     svcs(1),  ipf(1M),  ipnat(1M),   svcadm(1M),   svc.ipfd(1M),
     ipf(4), ipnat(4), attributes(5), smf(5)


     System Administration Guide: IP Services

NOTES
     The ipfilter service is managed by the service management
     facility, smf(5), under the service identifier:

       svc:/network/ipfilter:default




     Administrative actions on this service,  such  as  enabling,
     disabling,  or  requesting  restart,  can be performed using
     svcadm(1M). The service's status can be  queried  using  the
     svcs(1) command.


     IP  Filter  startup  configuration  files  are   stored   in
     /etc/ipf.





