Sunday, December 19, 2010

How to configure IP filter firewall

Solaris IP Filter is a utility that enables a Solaris OS system to act as a firewall. Its configuration file is /etc/ipf/ipf.conf. The steps below show how to control telnet connections to a host with IP Filter.

  1. Check that the telnet connection works normally. In this example host 172.16.31.150 is the target.
    root@solaris-sunray # cp /etc/inet/ntp.client /etc/inet/ntp.conf
    root@solaris-sunray # telnet 172.16.31.150
    Trying 172.16.31.150...
    Connected to 172.16.31.150.
    Escape character is '^]'.
    login: root
    Password:
    Last login: Thu Nov 11 16:42:00 on pts/2
    Sun Microsystems Inc. SunOS 5.10 Generic January 2005
    # bash
    bash-3.00#
  2. See the status of the ipfilter and pfil services.
    bash-3.00# svcs -a|grep pfil
    disabled Nov_10 svc:/network/ipfilter:default
    online Nov_10 svc:/network/pfil:default
  3. See the host interface. The output below shows that this host uses e1000g0.
    bash-3.00# ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 172.16.31.150 netmask fffffc00 broadcast 172.16.31.255
  4. Edit /etc/ipf/pfil.ap to include the e1000g interface.
    bash-3.00# more /etc/ipf/pfil.ap
    # cat /etc/ipf/pfil.ap
     # IP Filter pfil autopush setup
     #
     # See autopush(1M) manpage for more information.
     #
     # Format of the entries in this file is:
     #
     #major minor lastminor modules
     e1000g -1 0 pfil
  5. Enable IP Filter on the interface. This step only needs to be done once, when you configure IP Filter on a given interface for the first time.
    bash-3.00# autopush -f /etc/ipf/pfil.ap
    bash-3.00# ifconfig e1000g0 down unplumb
    bash-3.00# ifconfig e1000g0 plumb 172.16.31.150 netmask + broadcast + up
    bash-3.00# svcadm enable ipfilter
    root@solaris-sunray # svcs -a|grep pfil
    online 9:10:14 svc:/network/pfil:default
    online 10:28:25 svc:/network/ipfilter:default
  6. Edit /etc/ipf/ipf.conf to block telnet connections to host 172.16.31.150.
    bash-3.00# more /etc/ipf/ipf.conf
    #
    # ipf.conf
    #
    # IP Filter rules to be loaded during startup
    #
    # See ipf(4) manpage for more information on
    # IP Filter rules syntax.
    block in proto tcp from any to 172.16.31.150/21 port = 23
  7. Reload Solaris IP Filter with the updated ipf.conf.
    bash-3.00# ipf -Fa -f /etc/ipf/ipf.conf
  8. Check the new rule with the ipfstat command.
    bash-3.00# ipfstat -io
    empty list for ipfilter(out)
    block in proto tcp from any to 172.16.31.150/21 port = telnet
  9. Test IP Filter by making a telnet connection to 172.16.31.150.
    root@solaris-sunray # telnet 172.16.31.150
    Trying 172.16.31.150...
    telnet: Unable to connect to remote host: Connection timed out

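As an added example that is not part of the original post and not a Solaris tool, the POSIX shell helpers below check the ipf.conf block rule against the ifconfig and ipfstat -io output shown above: they convert the hex netmask printed by ifconfig to a prefix length, build a single-host rule, and confirm that a rule from ipf.conf appears in the ipfstat listing, where port 23 is printed as telnet. The netmask, the rule and the ipfstat text are constructed sample data copied from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an ipf.conf rule
# against the ifconfig netmask and the `ipfstat -io` listing.

# Convert a hex netmask as printed by ifconfig (e.g. fffffc00) to a prefix length.
mask_to_prefix() {
    m=$((0x$1)); n=0; i=31
    # count leading one bits from the most significant bit downwards
    while [ "$i" -ge 0 ] && [ $(( (m >> i) & 1 )) -eq 1 ]; do
        n=$((n + 1)); i=$((i - 1))
    done
    echo "$n"
}

# Emit a rule that blocks one TCP port for exactly one host (/32).
block_rule() {  # usage: block_rule <host> <port>
    printf 'block in proto tcp from any to %s/32 port = %s\n' "$1" "$2"
}

# Return 0 if a rule from ipf.conf appears in `ipfstat -io` output.
# ipfstat prints well-known ports by name (23 -> telnet), so normalise first.
rule_loaded() {  # usage: rule_loaded <rule line> <ipfstat output>
    want=$(printf '%s' "$1" | sed 's/port = 23$/port = telnet/')
    printf '%s\n' "$2" | grep -Fxq -- "$want"
}

# Constructed sample data mirroring the post's ifconfig and ipfstat output.
IFCONFIG_MASK=fffffc00
POST_RULE='block in proto tcp from any to 172.16.31.150/21 port = 23'
IPFSTAT_OUT='empty list for ipfilter(out)
block in proto tcp from any to 172.16.31.150/21 port = telnet'

# Report what the post's data implies: the interface is a /22, the rule's
# /21 is wider than the one host, and the rule is nevertheless loaded.
echo "netmask $IFCONFIG_MASK is /$(mask_to_prefix "$IFCONFIG_MASK")"
echo "single-host rule: $(block_rule 172.16.31.150 23)"
if rule_loaded "$POST_RULE" "$IPFSTAT_OUT"; then
    echo "rule from ipf.conf is active"
else
    echo "rule from ipf.conf is NOT active" >&2
fi
```

Run on the post's data it reports that fffffc00 is a /22, so the /21 in the rule covers the whole 172.16.24.0/21 range rather than only 172.16.31.150; writing the destination as 172.16.31.150/32 keeps the block to that one host.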
1 comment:

  1. hmm.. I hope this will work on configuring my firewall filter. Thanks much for sharing. Firewall Security Consulting NY