[OpenIndiana-discuss] Teo En Ming's IPFILTER (IPF) Firewall Rules for Solaris 11 (Version 1.0)

Teo En Ming teo.en.ming at gmail.com
Wed Apr 23 21:24:38 UTC 2014


/etc/ipf/ipf.conf
===========

#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.

# Written by Teo En Ming on 24 April 2014 Thu SGT. Based on IPFILTER rules
for FreeBSD.
# Version 1.0

# no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all

# interface facing Internet (outbound)
# Matches session start requests originating from or behind the
# firewall, destined for the Internet.

# Allow outbound access to public DNS servers.
# Replace x.x.x. with address listed in /etc/resolv.conf.
# Repeat for each DNS server.
pass out quick on net0 proto tcp from any to 192.168.1.1 port = 53 flags S
keep state
pass out quick on net0 proto udp from any to 192.168.1.1 port = 53 keep
state

# Allow access to ISP's specified DHCP server for cable or DSL networks.
# Use the first rule, then check log for the IP address of DHCP server.
# Then, uncomment the second rule, replace z.z.z.z with the IP address,
# and comment out the first rule
#pass out log quick on net0 proto udp from any to any port = 67 keep state
pass out quick on net0 proto udp from any to 192.168.1.1 port = 67 keep
state

# Allow HTTP and HTTPS
pass out quick on net0 proto tcp from any to any port = 80 flags S keep
state
pass out quick on net0 proto tcp from any to any port = 443 flags S keep
state

# Allow email
pass out quick on net0 proto tcp from any to any port = 110 flags S keep
state
pass out quick on net0 proto tcp from any to any port = 143 flags S keep
state
pass out quick on net0 proto tcp from any to any port = 993 flags S keep
state
pass out quick on net0 proto tcp from any to any port = 995 flags S keep
state
pass out quick on net0 proto tcp from any to any port = 25 flags S keep
state

# Allow NTP
pass out quick on net0 proto tcp from any to any port = 123 flags S keep
state

# Allow FTP
pass out quick on net0 proto tcp from any to any port = 21 flags S keep
state

# Allow SSH
pass out quick on net0 proto tcp from any to any port = 22 flags S keep
state

# Allow ping
pass out quick on net0 proto icmp from any to any icmp-type 8 keep state

# Block and log everything else
block out log first quick on net0 all

# interface facing Internet (inbound)
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on net0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on net0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in quick on net0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on net0 from 127.0.0.0/8 to any       #loopback
block in quick on net0 from 0.0.0.0/8 to any         #loopback
block in quick on net0 from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on net0 from 192.0.2.0/24 to any      #reserved for docs
block in quick on net0 from 204.152.64.0/23 to any   #Sun cluster
interconnect
block in quick on net0 from 224.0.0.0/3 to any       #Class D & E multicast

# Block fragments and too short tcp packets
block in quick on net0 all with frags
block in quick on net0 proto tcp all with short

# block source routed packets
block in quick on net0 all with opt lsrr
block in quick on net0 all with opt ssrr

# Block OS fingerprint attempts and log first occurrence
block in log first quick on net0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on net0 all with ipopts

# Block public pings and ident
block in quick on net0 proto icmp all icmp-type 8
block in quick on net0 proto tcp from any to any port = 113

# Block incoming Netbios services
block in log first quick on net0 proto tcp/udp from any to any port = 137
block in log first quick on net0 proto tcp/udp from any to any port = 138
block in log first quick on net0 proto tcp/udp from any to any port = 139
#block in log first quick on net0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
# the same IP address used in the outbound section.
pass in quick on net0 proto udp from 192.168.1.1 to any port = 68 keep state

# Allow public connections to specified internal web server
#pass in quick on net0 proto tcp from any to x.x.x.x port = 80 flags S keep
state

# Block and log only first occurrence of all remaining traffic.
block in log first quick on net0 all

/usr/sbin/fw.ksh
============

#! /bin/ksh

#

# FILENAME:    fw.ksh

# Manage Solaris firewall script

# Usage:

# fw.ksh {start|stop|restart|status}


case "$1" in

 start)

        /usr/sbin/svcadm enable svc:/network/ipfilter:default


         while [[ $serviceStatus != online && $serviceStatus != maintenance
]] ; do

            sleep 5

            serviceStatus=`/usr/bin/svcs -H -o STATE
svc:/network/ipfilter:default`

        done

        /usr/sbin/ipf -Fa -f /etc/ipf/ipf.conf

   ;;

 restart)

        $0 stop

        $0 start

   ;;

 stop)

        /usr/sbin/svcadm disable svc:/network/ipfilter:default

   ;;

 status)

        serviceStatus=`/usr/bin/svcs -H -o STATE
svc:/network/ipfilter:default`


        if [[ $serviceStatus != "online" ]] ; then

            /usr/bin/echo "The Firewall service is offline"

        else

            /usr/bin/echo "\nThe Firewall service is online\n"

            /usr/sbin/ipfstat -io

        fi

   ;;

*)

        /usr/bin/echo "Usage: $0 {start|stop|restart|status}"

        exit 1

   ;;

esac

exit 0






Regards,

Teo En Ming


More information about the OpenIndiana-discuss mailing list