[OpenIndiana-discuss] Teo En Ming's IPFILTER (IPF) Firewall Rules for Solaris 11 (Version 1.0)
Teo En Ming
teo.en.ming at gmail.com
Wed Apr 23 21:50:02 UTC 2014
Attached /etc/ipf/ipf.conf and /usr/sbin/fw.ksh.
Regards,
Teo En Ming
On Thu, Apr 24, 2014 at 5:24 AM, Teo En Ming <teo.en.ming at gmail.com> wrote:
> /etc/ipf/ipf.conf
> ===========
>
> #
> # ipf.conf
> #
> # IP Filter rules to be loaded during startup
> #
> # See ipf(4) manpage for more information on
> # IP Filter rules syntax.
>
> # Written by Teo En Ming on 24 April 2014 Thu SGT. Based on IPFILTER rules
> # for FreeBSD.
> # Version 1.0
>
> # no restrictions on loopback interface
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # interface facing Internet (outbound)
> # Matches session start requests originating from or behind the
> # firewall, destined for the Internet.
>
> # Allow outbound access to public DNS servers.
> # Replace 192.168.1.1 with the address listed in /etc/resolv.conf.
> # Repeat for each DNS server.
> pass out quick on net0 proto tcp from any to 192.168.1.1 port = 53 flags S keep state
> pass out quick on net0 proto udp from any to 192.168.1.1 port = 53 keep state
>
> # Allow access to ISP's specified DHCP server for cable or DSL networks.
> # Use the first rule, then check the log for the IP address of the DHCP
> # server. Then replace 192.168.1.1 in the second rule with that address
> # and comment out the first rule.
> # Note: a client with no lease sends DISCOVER/REQUEST from 0.0.0.0 to the
> # broadcast address 255.255.255.255, which the unicast rule does not match;
> # keep the first rule if leases must be obtained through the filter.
> #pass out log quick on net0 proto udp from any to any port = 67 keep state
> pass out quick on net0 proto udp from any to 192.168.1.1 port = 67 keep state
>
> # Allow HTTP and HTTPS
> pass out quick on net0 proto tcp from any to any port = 80 flags S keep state
> pass out quick on net0 proto tcp from any to any port = 443 flags S keep state
>
> # Allow email
> pass out quick on net0 proto tcp from any to any port = 110 flags S keep state
> pass out quick on net0 proto tcp from any to any port = 143 flags S keep state
> pass out quick on net0 proto tcp from any to any port = 993 flags S keep state
> pass out quick on net0 proto tcp from any to any port = 995 flags S keep state
> pass out quick on net0 proto tcp from any to any port = 25 flags S keep state
>
> # Allow NTP (UDP port 123; NTP does not use TCP)
> pass out quick on net0 proto udp from any to any port = 123 keep state
>
> # Allow FTP (control channel only; data connections use other ports and
> # need IPFilter's ftp proxy in ipnat.conf or additional rules)
> pass out quick on net0 proto tcp from any to any port = 21 flags S keep state
>
> # Allow SSH
> pass out quick on net0 proto tcp from any to any port = 22 flags S keep state
>
> # Allow ping
> pass out quick on net0 proto icmp from any to any icmp-type 8 keep state
>
> # Block and log everything else
> block out log first quick on net0 all
>
> # interface facing Internet (inbound)
>
> # Allow traffic in from ISP's DHCP server (the same address used in the
> # outbound section). This must come before the private-address block
> # rules below: those rules are "quick" and 192.168.1.1 lies inside
> # 192.168.0.0/16, so placed after them this rule would never be reached.
> pass in quick on net0 proto udp from 192.168.1.1 to any port = 68 keep state
>
> # Block all inbound traffic from non-routable or reserved address spaces
> block in quick on net0 from 192.168.0.0/16 to any #RFC 1918 private IP
> block in quick on net0 from 172.16.0.0/12 to any #RFC 1918 private IP
> block in quick on net0 from 10.0.0.0/8 to any #RFC 1918 private IP
> block in quick on net0 from 127.0.0.0/8 to any #loopback
> block in quick on net0 from 0.0.0.0/8 to any #"this network" (RFC 1122), not loopback
> block in quick on net0 from 169.254.0.0/16 to any #DHCP auto-config (link-local)
> block in quick on net0 from 192.0.2.0/24 to any #reserved for docs
> block in quick on net0 from 204.152.64.0/23 to any #Sun cluster interconnect
> block in quick on net0 from 224.0.0.0/3 to any #Class D & E multicast
>
> # Block fragments and too short tcp packets
> block in quick on net0 all with frags
> block in quick on net0 proto tcp all with short
>
> # block source routed packets
> block in quick on net0 all with opt lsrr
> block in quick on net0 all with opt ssrr
>
> # Block OS fingerprint attempts and log first occurrence
> block in log first quick on net0 proto tcp from any to any flags FUP
>
> # Block anything with special options
> block in quick on net0 all with ipopts
>
> # Block public pings and ident
> block in quick on net0 proto icmp all icmp-type 8
> block in quick on net0 proto tcp from any to any port = 113
>
> # Block incoming Netbios services
> block in log first quick on net0 proto tcp/udp from any to any port = 137
> block in log first quick on net0 proto tcp/udp from any to any port = 138
> block in log first quick on net0 proto tcp/udp from any to any port = 139
> #block in log first quick on net0 proto tcp/udp from any to any port = 81
>
> # Allow public connections to specified internal web server
> #pass in quick on net0 proto tcp from any to x.x.x.x port = 80 flags S keep state
>
> # Block and log only first occurrence of all remaining traffic.
> block in log first quick on net0 all
>
> /usr/sbin/fw.ksh
> ============
>
> #! /bin/ksh
> #
> # FILENAME: fw.ksh
> # Manage Solaris firewall script
> #
> # Usage:
> #   fw.ksh {start|stop|restart|status}
> #
>
> FMRI=svc:/network/ipfilter:default
> RULES=/etc/ipf/ipf.conf
>
> case "$1" in
> start)
>         /usr/sbin/svcadm enable $FMRI
>
>         # Wait for SMF to bring the service online before loading rules;
>         # give up if it lands in maintenance instead.
>         serviceStatus=`/usr/bin/svcs -H -o STATE $FMRI`
>         while [[ $serviceStatus != online && $serviceStatus != maintenance ]] ; do
>                 sleep 5
>                 serviceStatus=`/usr/bin/svcs -H -o STATE $FMRI`
>         done
>         if [[ $serviceStatus == maintenance ]] ; then
>                 /usr/bin/echo "$FMRI is in maintenance; rules not loaded (see svcs -xv)"
>                 exit 1
>         fi
>
>         # Load the rules into the inactive set and swap it in, so there is
>         # no window with an empty ruleset between flush and load.
>         /usr/sbin/ipf -I -Fa -f $RULES && /usr/sbin/ipf -s
>         ;;
> restart)
>         $0 stop
>         $0 start
>         ;;
> stop)
>         /usr/sbin/svcadm disable $FMRI
>         ;;
> status)
>         serviceStatus=`/usr/bin/svcs -H -o STATE $FMRI`
>         if [[ $serviceStatus != "online" ]] ; then
>                 /usr/bin/echo "The Firewall service is $serviceStatus"
>         else
>                 /usr/bin/echo "\nThe Firewall service is online\n"
>                 /usr/sbin/ipfstat -io
>         fi
>         ;;
> *)
>         /usr/bin/echo "Usage: $0 {start|stop|restart|status}"
>         exit 1
>         ;;
> esac
>
> exit 0
>
> Regards,
>
> Teo En Ming
>
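An added example, not part of the original post and not Solaris or IPFilter code: a small Python checker for the kinds of mistake that creep into a hand-written ipf.conf like the one quoted above. It reports rules wrapped over two lines (the "keep state" continuation lines), "proto tcp" rules to ports of UDP-only services such as NTP, and a rule that an earlier "quick" rule already matches completely (as the inbound DHCP pass rule is when it sits after the 192.168.0.0/16 block). Assumptions: it parses only the subset of ipf(4) syntax used on the page, the UDP_ONLY table is a hypothetical short list, and the SAMPLE rules are constructed for the demonstration, not the poster's full file. Caveat: IPFilter consults its state table before the rule list, so a shadowed rule only matters for packets that open a new flow; replies to stateful flows still pass.

```python
"""ipf_lint.py: static checks for a hand-written IPFilter ruleset.

Added example, not part of the original post and not Solaris/IPFilter code.
Handles only the ipf(4) subset used on the page: pass/block, in/out, quick,
on IFACE, proto, from/to with optional CIDR, "port = N", flags/with/icmp-type.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\b")
# Hypothetical short table of services that never run over TCP.
UDP_ONLY = {67: "DHCP server", 68: "DHCP client", 69: "TFTP", 123: "NTP"}


@dataclass
class Rule:
    lineno: int
    action: str
    direction: str
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    narrowed: bool = False  # flags / with / icmp-type present


def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(lineno: int, line: str) -> Rule:
    """Parse one rule whose trailing comment has already been stripped."""
    toks = line.split()
    r = Rule(lineno, toks[0], toks[1])
    side = None
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            r.quick = True
        elif t == "on":
            i += 1
            r.iface = toks[i]
        elif t == "proto":
            i += 1
            r.proto = toks[i]
        elif t == "from":
            i += 1
            r.src, side = _net(toks[i]), "src"
        elif t == "to":
            i += 1
            r.dst, side = _net(toks[i]), "dst"
        elif t == "port":  # only the "port = N" form is handled
            i += 2
            port = int(toks[i])
            if side == "src":
                r.src_port = port
            else:
                r.dst_port = port
        elif t in ("flags", "with", "icmp-type"):
            r.narrowed = True
        i += 1
    return r


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if 'earlier' is quick and matches every packet 'later' would."""
    if not earlier.quick or earlier.direction != later.direction:
        return False
    if earlier.iface not in (None, later.iface):
        return False
    if earlier.proto not in (None, later.proto):
        return False
    if earlier.narrowed or earlier.src_port is not None or earlier.dst_port is not None:
        return False
    return later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)


def lint(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) findings for a ruleset."""
    findings: List[Tuple[int, str]] = []
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not RULE_RE.match(line):
            findings.append((lineno, "not a rule; a wrapped continuation line?"))
            continue
        try:
            r = parse_rule(lineno, line)
        except (ValueError, IndexError) as exc:
            findings.append((lineno, f"unparsable rule: {exc}"))
            continue
        if r.proto == "tcp" and r.dst_port in UDP_ONLY:
            findings.append((lineno, f"proto tcp to port {r.dst_port}, but {UDP_ONLY[r.dst_port]} is UDP"))
        for e in rules:
            if shadows(e, r):
                findings.append((lineno, f"never reached: quick rule on line {e.lineno} already matches everything it would"))
                break
        rules.append(r)
    return findings


# Constructed sample (not the poster's full file): a wrapped rule, a TCP
# rule for NTP, and a DHCP pass rule placed after the RFC 1918 block.
SAMPLE = """\
pass out quick on net0 proto tcp from any to any port = 80 flags S
keep state
pass out quick on net0 proto tcp from any to any port = 123 flags S keep state
block in quick on net0 from 192.168.0.0/16 to any   #RFC 1918 private IP
pass in quick on net0 proto udp from 192.168.1.1 to any port = 68 keep state
block in log first quick on net0 all
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for n, msg in lint(src):
        print(f"line {n}: {msg}")
```

Run it as `python3 ipf_lint.py /etc/ipf/ipf.conf` before loading a ruleset; on the Solaris host itself, `ipf -n -f /etc/ipf/ipf.conf` additionally parses the file with the real ipf syntax without changing the kernel.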