[OpenIndiana-discuss] Teo En Ming's IPFILTER (IPF) Firewall Rules for Solaris 11 (Version 1.0)

Teo En Ming teo.en.ming at gmail.com
Wed Apr 23 22:45:22 UTC 2014


Manual for IPFILTER (IPF) Firewall Rules for Oracle Solaris 11.1 Download
Link:

https://www.mediafire.com/?hdh1h01d5czxo99

Regards,

Teo En Ming


On Thu, Apr 24, 2014 at 5:50 AM, Teo En Ming <teo.en.ming at gmail.com> wrote:

> Attached /etc/ipf/ipf.conf and /usr/sbin/fw.ksh.
>
> Regards,
>
> Teo En Ming
>
>
> On Thu, Apr 24, 2014 at 5:24 AM, Teo En Ming <teo.en.ming at gmail.com> wrote:
>
>> /etc/ipf/ipf.conf
>> ===========
>>
>> #
>> # ipf.conf
>> #
>> # IP Filter rules to be loaded during startup
>> #
>> # See ipf(4) manpage for more information on
>> # IP Filter rules syntax.
>>
>> # Written by Teo En Ming on 24 April 2014 Thu SGT. Based on IPFILTER rules for FreeBSD.
>> # Version 1.0
>>
>> # no restrictions on loopback interface
>> pass in quick on lo0 all
>> pass out quick on lo0 all
>>
>> # interface facing Internet (outbound)
>> # Matches session start requests originating from or behind the
>> # firewall, destined for the Internet.
>>
>> # Allow outbound access to public DNS servers.
>> # Replace x.x.x.x with address listed in /etc/resolv.conf.
>> # Repeat for each DNS server.
>> pass out quick on net0 proto tcp from any to 192.168.1.1 port = 53 flags S keep state
>> pass out quick on net0 proto udp from any to 192.168.1.1 port = 53 keep state
>>
>> # Allow access to ISP's specified DHCP server for cable or DSL networks.
>> # Use the first rule, then check log for the IP address of DHCP server.
>> # Then, uncomment the second rule, replace z.z.z.z with the IP address,
>> # and comment out the first rule
>> #pass out log quick on net0 proto udp from any to any port = 67 keep state
>> pass out quick on net0 proto udp from any to 192.168.1.1 port = 67 keep state
>>
>> # Allow HTTP and HTTPS
>> pass out quick on net0 proto tcp from any to any port = 80 flags S keep state
>> pass out quick on net0 proto tcp from any to any port = 443 flags S keep state
>>
>> # Allow email
>> pass out quick on net0 proto tcp from any to any port = 110 flags S keep state
>> pass out quick on net0 proto tcp from any to any port = 143 flags S keep state
>> pass out quick on net0 proto tcp from any to any port = 993 flags S keep state
>> pass out quick on net0 proto tcp from any to any port = 995 flags S keep state
>> pass out quick on net0 proto tcp from any to any port = 25 flags S keep state
>>
>> # Allow NTP (NTP runs over UDP port 123, not TCP)
>> pass out quick on net0 proto udp from any to any port = 123 keep state
>>
>> # Allow FTP
>> pass out quick on net0 proto tcp from any to any port = 21 flags S keep state
>>
>> # Allow SSH
>> pass out quick on net0 proto tcp from any to any port = 22 flags S keep state
>>
>> # Allow ping
>> pass out quick on net0 proto icmp from any to any icmp-type 8 keep state
>>
>> # Block and log everything else
>> block out log first quick on net0 all
>>
>> # interface facing Internet (inbound)
>> # Block all inbound traffic from non-routable or reserved address spaces
>> block in quick on net0 from 192.168.0.0/16 to any    #RFC 1918 private IP
>> block in quick on net0 from 172.16.0.0/12 to any     #RFC 1918 private IP
>> block in quick on net0 from 10.0.0.0/8 to any        #RFC 1918 private IP
>> block in quick on net0 from 127.0.0.0/8 to any       #loopback
>> block in quick on net0 from 0.0.0.0/8 to any         #"this" network (RFC 1122)
>> block in quick on net0 from 169.254.0.0/16 to any    #DHCP auto-config
>> block in quick on net0 from 192.0.2.0/24 to any      #reserved for docs
>> block in quick on net0 from 204.152.64.0/23 to any   #Sun cluster interconnect
>> block in quick on net0 from 224.0.0.0/3 to any       #Class D & E multicast
>>
>> # Block fragments and too short tcp packets
>> block in quick on net0 all with frags
>> block in quick on net0 proto tcp all with short
>>
>> # block source routed packets
>> block in quick on net0 all with opt lsrr
>> block in quick on net0 all with opt ssrr
>>
>> # Block OS fingerprint attempts and log first occurrence
>> block in log first quick on net0 proto tcp from any to any flags FUP
>>
>> # Block anything with special options
>> block in quick on net0 all with ipopts
>>
>> # Block public pings and ident
>> block in quick on net0 proto icmp all icmp-type 8
>> block in quick on net0 proto tcp from any to any port = 113
>>
>> # Block incoming Netbios services
>> block in log first quick on net0 proto tcp/udp from any to any port = 137
>> block in log first quick on net0 proto tcp/udp from any to any port = 138
>> block in log first quick on net0 proto tcp/udp from any to any port = 139
>> #block in log first quick on net0 proto tcp/udp from any to any port = 81
>>
>> # Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
>> # the same IP address used in the outbound section.
>> pass in quick on net0 proto udp from 192.168.1.1 to any port = 68 keep state
>>
>> # Allow public connections to specified internal web server
>> #pass in quick on net0 proto tcp from any to x.x.x.x port = 80 flags S keep state
>>
>> # Block and log only first occurrence of all remaining traffic.
>> block in log first quick on net0 all
>>
>> /usr/sbin/fw.ksh
>> ============
>>
>> #! /bin/ksh
>> #
>> # FILENAME:    fw.ksh
>> # Manage Solaris firewall script
>> # Usage:
>> # fw.ksh {start|stop|restart|status}
>>
>> case "$1" in
>>     start)
>>         /usr/sbin/svcadm enable svc:/network/ipfilter:default
>>         # Wait until SMF reports the service as settled (online or in
>>         # maintenance) before loading the rules; the variable is empty on
>>         # the first pass, so the loop always polls at least once.
>>         serviceStatus=""
>>         while [[ "$serviceStatus" != online && "$serviceStatus" != maintenance ]] ; do
>>             sleep 5
>>             serviceStatus=$(/usr/bin/svcs -H -o STATE svc:/network/ipfilter:default)
>>         done
>>         # Flush all loaded rules (-Fa) and load the rule file.
>>         /usr/sbin/ipf -Fa -f /etc/ipf/ipf.conf
>>         ;;
>>     restart)
>>         $0 stop
>>         $0 start
>>         ;;
>>     stop)
>>         /usr/sbin/svcadm disable svc:/network/ipfilter:default
>>         ;;
>>     status)
>>         serviceStatus=$(/usr/bin/svcs -H -o STATE svc:/network/ipfilter:default)
>>         if [[ "$serviceStatus" != "online" ]] ; then
>>             /usr/bin/echo "The Firewall service is offline"
>>         else
>>             /usr/bin/echo "\nThe Firewall service is online\n"
>>             # Show the loaded inbound (-i) and outbound (-o) rules
>>             /usr/sbin/ipfstat -io
>>         fi
>>         ;;
>>     *)
>>         /usr/bin/echo "Usage: $0 {start|stop|restart|status}"
>>         exit 1
>>         ;;
>> esac
>>
>> exit 0
>>
>> Regards,
>>
>> Teo En Ming
>>
>
>
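The posted ruleset depends on IP Filter's matching order: a rule carrying `quick` decides the packet at the first match, otherwise the last matching rule wins, and a packet that matches no rule at all is passed. The Python script below is an added example, not part of this post or of the author's files. It parses the subset of ipf.conf syntax the posted rules use (the `with ...` options and the state table are left out, and `flags X` is assumed to use the default FSRPAU mask), embeds a constructed subset of the rules in their original order, and reports which rule decides a given packet. Run against that order it shows two properties of the file worth knowing before relying on it: the inbound pass for DHCP replies from 192.168.1.1 is never reached, because the quick block on 192.168.0.0/16 comes first, and traffic on any interface other than lo0 and net0 falls through to the default pass. The client address 192.168.1.20 is constructed.

```python
"""Constructed rule-order checker for the ipf.conf subset used in the posted ruleset."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: `flags X` with no explicit /mask is compared against FSRPAU, i.e. the listed
# flags must be set and the remaining flags in that mask clear.
DEFAULT_FLAG_MASK = set("FSRPAU")

@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    direction: str                                # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None                   # None = any interface
    proto: Optional[str] = None                   # "tcp", "udp", "icmp", "tcp/udp" or None
    src: Optional[ipaddress.IPv4Network] = None   # None = "any"
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    flags: Optional[set] = None                   # TCP flags that must be set exactly
    text: str = ""                                # rule as written, for reporting
@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    flags: frozenset = frozenset()                # TCP flags set, e.g. frozenset("S")
    icmp_type: Optional[int] = None

# Keywords that take one argument: attribute to set and how to convert the argument.
_ONE_ARG = {"on": ("iface", str), "proto": ("proto", str), "icmp-type": ("icmp_type", int),
            "flags": ("flags", lambda s: set(s.split("/")[0])),
            "from": ("src", lambda a: None if a == "any" else ipaddress.ip_network(a)),
            "to": ("dst", lambda a: None if a == "any" else ipaddress.ip_network(a))}

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ipf.conf line; blank lines and comments yield None."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    t = body.split()
    rule, i = Rule(action=t[0], direction=t[1], text=body), 2
    while i < len(t):
        tok = t[i]
        if tok in _ONE_ARG:
            attr, conv = _ONE_ARG[tok]
            setattr(rule, attr, conv(t[i + 1])); i += 2
        elif tok in ("log", "first", "all"):       # no effect on matching
            i += 1
        elif tok == "quick":
            rule.quick = True; i += 1
        elif tok == "port":                        # only the "port = N" form is used here
            rule.dport = int(t[i + 2]); i += 3
        elif tok == "keep":                        # "keep state": accepted, state not modelled
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in: {body}")
    return rule

def load_rules(text: str) -> list:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface in (None, pkt.iface)
            and (rule.proto is None or pkt.proto in rule.proto.split("/"))
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and rule.dport in (None, pkt.dport) and rule.icmp_type in (None, pkt.icmp_type)
            and (rule.flags is None or set(pkt.flags) & DEFAULT_FLAG_MASK == rule.flags))

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (action, rule text) of the rule that decides this packet: first `quick`
    match, else last match, else IPF's default pass."""
    last = None
    for rule in rules:
        if matches(rule, pkt):
            if rule.quick:
                return rule.action, rule.text
            last = rule
    return (last.action, last.text) if last else ("pass", "<no rule matched: IPF default>")

# Constructed subset of the posted ipf.conf, kept in the original order.
POSTED_RULES = """
pass in quick on lo0 all
pass out quick on net0 proto tcp from any to 192.168.1.1 port = 53 flags S keep state
pass out quick on net0 proto udp from any to 192.168.1.1 port = 53 keep state
block out log first quick on net0 all
block in quick on net0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on net0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in log first quick on net0 proto tcp from any to any flags FUP
block in log first quick on net0 proto tcp/udp from any to any port = 139
pass in quick on net0 proto udp from 192.168.1.1 to any port = 68 keep state
block in log first quick on net0 all
"""

if __name__ == "__main__":  # the DHCP reply the posted "pass in ... port = 68" rule intends to admit
    reply = Packet("in", "net0", "udp", "192.168.1.1", "192.168.1.20", dport=68)
    print(evaluate(load_rules(POSTED_RULES), reply))
```

Because `keep state` is not modelled, the checker only answers for the first packet of a flow; return traffic that IPF would admit from its state table must be judged separately. To test the full file rather than the embedded subset, feed it to `load_rules` after removing the `with ...` rules, which the parser deliberately rejects.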

