Filtering Network Traffic with Solaris 10 And IP Filter


I use Solaris 10 as my primary desktop, and like to use the Java desktop environment (GNOME w/ enhancements). To allow everything to function correctly, I have to run rpcbind and a font server. To remediate the risks associated with these services, I block all inbound traffic, and allow stateful outbound connections. This is super easy to do in Solaris 10, since IP Filter is now integrated into the core Operating System. This tutorial will walk through the steps required to set up IP Filter on a Solaris 10 desktop.

Configuring IP Filter

Since my desktop only needs to accept inbound connections on TCP port 22 (SSH), I use the following policy to allow stateful outbound connections, and inbound connections to the SSH daemon:

$ cat /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.

### Block all inbound and outbound traffic by default
block in log on eri0 all head 100
block out log on eri0 all head 150

### Allow inbound SSH connections
pass in quick proto tcp from any to 172.16.64.199 port = 22 keep state group 100

### Allow my box to utilize all UDP, TCP and ICMP services
pass out quick proto tcp all flags S/SA keep state group 150
pass out quick proto udp all keep state group 150
pass out quick proto icmp all keep state group 150
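The policy above is short, but the way ipf(4) processes it (last match wins unless "quick", a "head" rule hands the packet to its group and keeps its own action as the fallback, and "keep state" lets replies through) is easy to misread. The following is an added example, not IP Filter code and not part of this tutorial: a small Python model of just that subset of rule processing, loaded with the six rules above so the policy can be exercised offline. The desktop address 172.16.64.199 comes from the rule set; the peer addresses (192.0.2.10, 10.0.0.5), rpcbind's port 111 and the X font server's usual port 7100 are supplied for the demo. The model ignores fragments, ICMP types and state timeouts.

```python
"""Toy model of the tutorial's IP Filter policy (added example, not ipf code).

Implements only what the rule set relies on: rules evaluated in order, last
match wins unless "quick", "head N" jumps into group N with the head's action
as fallback, and "keep state" admits later packets of an accepted flow."""

from collections import namedtuple

# direction is "in" or "out"; syn/ack model the TCP flags the S/SA rule tests.
Packet = namedtuple("Packet", "direction proto src sport dst dport syn ack")

MY_ADDR = "172.16.64.199"   # desktop address used by the tutorial's SSH rule

# The six rules from /etc/ipf/ipf.conf, in file order. Absent keys mean "any".
RULES = [
    {"dir": "in",  "action": "block", "head": 100},
    {"dir": "out", "action": "block", "head": 150},
    {"dir": "in",  "action": "pass", "quick": True, "proto": "tcp",
     "dst": MY_ADDR, "dport": 22, "keep": True, "group": 100},
    {"dir": "out", "action": "pass", "quick": True, "proto": "tcp",
     "flags": "S/SA", "keep": True, "group": 150},
    {"dir": "out", "action": "pass", "quick": True, "proto": "udp",
     "keep": True, "group": 150},
    {"dir": "out", "action": "pass", "quick": True, "proto": "icmp",
     "keep": True, "group": 150},
]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # flows accepted by a "keep state" rule

    @staticmethod
    def _matches(rule, pkt):
        if rule["dir"] != pkt.direction:
            return False
        if rule.get("proto") and rule["proto"] != pkt.proto:
            return False
        if rule.get("dst") and rule["dst"] != pkt.dst:
            return False
        if rule.get("dport") is not None and rule["dport"] != pkt.dport:
            return False
        # "flags S/SA": SYN set and ACK clear, i.e. only a connection's first packet
        if rule.get("flags") == "S/SA" and not (pkt.syn and not pkt.ack):
            return False
        return True

    @staticmethod
    def _flow(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply_flow(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _walk_group(self, group, pkt):
        """Return the winning rule inside a group, or None if nothing matched."""
        last = None
        for rule in (r for r in self.rules if r.get("group") == group):
            if self._matches(rule, pkt):
                last = rule
                if rule.get("quick"):
                    break
        return last

    def decide(self, pkt):
        """Return "pass" or "block" for one packet, updating the state table."""
        # State is consulted before the rules: packets of an accepted flow, in
        # either direction, pass without re-running the policy.
        if self._flow(pkt) in self.state or self._reply_flow(pkt) in self.state:
            return "pass"
        result, keep = "pass", False        # ipf passes a packet no rule matches
        for rule in (r for r in self.rules if "group" not in r):
            if not self._matches(rule, pkt):
                continue
            result, keep = rule["action"], rule.get("keep", False)
            if rule.get("quick"):
                break
            if "head" in rule:
                hit = self._walk_group(rule["head"], pkt)
                if hit is not None:
                    result, keep = hit["action"], hit.get("keep", False)
                    if hit.get("quick"):
                        break
        if result == "pass" and keep:
            self.state.add(self._flow(pkt))
        return result


def exercise_policy():
    """Run constructed packets through the policy; returns name -> verdict."""
    fw = Firewall(RULES)
    peer, stranger = "192.0.2.10", "10.0.0.5"   # constructed demo addresses
    return {
        "ssh_in":           fw.decide(Packet("in", "tcp", stranger, 51000, MY_ADDR, 22, True, False)),
        "rpcbind_in":       fw.decide(Packet("in", "tcp", stranger, 51001, MY_ADDR, 111, True, False)),
        "fontserver_in":    fw.decide(Packet("in", "udp", stranger, 51002, MY_ADDR, 7100, False, False)),
        "http_out":         fw.decide(Packet("out", "tcp", MY_ADDR, 40000, peer, 80, True, False)),
        "http_reply":       fw.decide(Packet("in", "tcp", peer, 80, MY_ADDR, 40000, True, True)),
        "unsolicited_in":   fw.decide(Packet("in", "tcp", peer, 80, MY_ADDR, 40001, True, True)),
        "ack_out_no_state": fw.decide(Packet("out", "tcp", MY_ADDR, 40002, peer, 80, False, True)),
    }


if __name__ == "__main__":
    for name, verdict in exercise_policy().items():
        print(f"{name:18} {verdict}")
```

The last two cases are the ones worth noticing: a SYN/ACK arriving for a port the desktop never opened is blocked because no state exists for it, and an outbound packet that is not a bare SYN is blocked too, since only the S/SA rule creates state and everything else falls back to the head rule's "block".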

The rules should be stored in /etc/ipf/ipf.conf, since that is the location IP Filter will check by default. To enable these rules, IP Filter needs to be bound to a physical interface. This is accomplished by uncommenting the interface in the file /etc/ipf/pfil.ap:

$ grep eri /etc/ipf/pfil.ap

eri     -1      0       pfil

After the interface is uncommented, you will need to start the IP Filter services with the SMF svcadm(1m) utility:

$ svcadm enable pfil

$ svcadm enable ipfilter

You can check that IP Filter is running by running the svcs(1m) utility and grepping for the string “fil”:

$ svcs | egrep '(pfil|ipfilter)'

online         Mar_11   svc:/network/pfil:default
online         Mar_11   svc:/system/rmtmpfiles:default
online         Mar_11   svc:/network/ipfilter:default

Once activated, IP Filter filters traffic on the interface you uncommented in pfil.ap. If you used the “log” keyword to log headers or the packet contents, IP Filter will write the contents to the /dev/ipl pseudo-device. This device is monitored by ipmon(1m), which is started by the IP Filter initialization scripts. When ipmon(1m) detects that a new entry has been logged to /dev/ipl, the message will be routed to syslogd’s local0 facility (you can also configure IP Filter to log directly to a file) using one of several priorities listed in the ipmon(1m) manual page:

LOG_INFO
   Packets logged using the log keyword as the action
   rather than pass or block.

LOG_NOTICE
   Packets logged that are also passed.

LOG_WARNING
   Packets logged that are also blocked.

LOG_ERR
   Packets that have been logged and that can be
   considered "short".

If you would like to have syslog write the packet to a logfile, you will need to append a line similar to the following to /etc/syslog.conf:

local0.debug                                    /var/log/ipflog

After this entry is added to the syslog.conf configuration file (remember to use tabs to delimit the entries), syslogd needs to be restarted. This can be accomplished with the svcadm(1m) utility:

$ svcadm restart system-log

Once syslogd restarts, packets that match a rule with the “log” keyword will be written to the logfile. This file will grow rapidly on busy networks, so it’s best to add a daily log rotation job to ensure that the /var file system doesn’t fill up. This can be accomplished with the logadm utility:

$ logadm -w ipflog -C 30 -o sys -g sys -m 600 /var/log/ipflog -a 'kill -HUP `cat /var/run/syslog.pid`'

This will keep thirty copies of ipflog, set the owner and group to sys, and restart syslogd after the logfiles are rotated.
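Once ipflog is being written, the next question is what the policy is actually blocking. The following is an added example, not part of this tutorial and not IP Filter code: it parses entries in the ipmon(1m) syslog layout into records, checks that each entry's syslog priority agrees with its action letter according to the LOG_NOTICE/LOG_WARNING mapping quoted above, and tallies blocked inbound packets by source and by service. The log lines embedded in the script are constructed to resemble ipmon output for this tutorial's policy (hostname ptk, interface eri0, address 172.16.64.199, and the pass line assumes "log" was added to the SSH rule); real files should be checked against the ipmon(1m) manual page, since the layout varies with protocol and ipmon options.

```python
"""Summarise blocked traffic from an IP Filter log written by ipmon via syslog.

Added example for this tutorial, not part of IP Filter or Solaris. SAMPLE_LOG
is constructed in the ipmon syslog layout:
  <syslog header> ipmon[pid]: [ID nnn facility.priority] <date> <time> <if>
  @group:rule <action> <src>[,port] -> <dst>[,port] PR <proto> len <hlen> <plen>
  <flags or icmp type> <IN|OUT>"""

import re
from collections import Counter

# Constructed sample: four blocked inbound packets, one passed SSH packet, and
# one unrelated syslog line that the parser must skip.
SAMPLE_LOG = """\
Mar 11 10:12:13 ptk ipmon[201]: [ID 702911 local0.warning] 11/03/2006 10:12:13.533184 eri0 @0:1 b 10.0.0.5,51000 -> 172.16.64.199,23 PR tcp len 20 60 -S IN
Mar 11 10:12:14 ptk ipmon[201]: [ID 702911 local0.warning] 11/03/2006 10:12:14.101010 eri0 @0:1 b 10.0.0.5,51001 -> 172.16.64.199,111 PR tcp len 20 60 -S IN
Mar 11 10:12:15 ptk ipmon[201]: [ID 702911 local0.notice] 11/03/2006 10:12:15.202020 eri0 @100:1 p 192.0.2.10,40022 -> 172.16.64.199,22 PR tcp len 20 60 -S K-S IN
Mar 11 10:12:16 ptk ipmon[201]: [ID 702911 local0.warning] 11/03/2006 10:12:16.303030 eri0 @0:1 b 10.0.0.7,53 -> 172.16.64.199,7100 PR udp len 20 48 IN
Mar 11 10:12:17 ptk ipmon[201]: [ID 702911 local0.warning] 11/03/2006 10:12:17.404040 eri0 @0:1 b 10.0.0.5 -> 172.16.64.199 PR icmp len 20 84 icmp 8/0 IN
Mar 11 10:12:18 ptk syslogd: restart
"""

LINE_RE = re.compile(
    r"ipmon\[\d+\]: \[ID \d+ (?P<facility>\w+)\.(?P<priority>\w+)\] "
    r"\S+ \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\w) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)

# From the ipmon(1m) manual page excerpt above: passed packets are logged at
# LOG_NOTICE and blocked packets at LOG_WARNING.
EXPECTED_PRIORITY = {"p": "notice", "b": "warning"}


def parse_ipmon(text):
    """Return one dict per parsable ipmon line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport"):
            rec[key] = int(rec[key]) if rec[key] else None   # ICMP has no ports
        rec["group"], rec["rule"] = int(rec["group"]), int(rec["rule"])
        tail = rec.pop("rest").split()   # flags, icmp type/code, direction
        rec["direction"] = "IN" if "IN" in tail else "OUT" if "OUT" in tail else None
        records.append(rec)
    return records


def priority_matches_action(rec):
    """True/False when the action letter has a known priority, None otherwise."""
    expected = EXPECTED_PRIORITY.get(rec["action"])
    return None if expected is None else expected == rec["priority"]


def summarize_blocked_inbound(records):
    """Count blocked inbound packets by source address and by (proto, port)."""
    by_source, by_service = Counter(), Counter()
    for rec in records:
        if rec["action"] != "b" or rec["direction"] != "IN":
            continue
        by_source[rec["src"]] += 1
        by_service[(rec["proto"], rec["dport"])] += 1
    return {"by_source": by_source, "by_service": by_service}


if __name__ == "__main__":
    recs = parse_ipmon(SAMPLE_LOG)
    odd = [r for r in recs if priority_matches_action(r) is False]
    print(f"{len(recs)} entries parsed, {len(odd)} with unexpected syslog priority")
    summary = summarize_blocked_inbound(recs)
    for src, n in summary["by_source"].most_common():
        print(f"blocked inbound from {src:15} {n}")
    for (proto, port), n in summary["by_service"].most_common():
        print(f"blocked inbound to {proto}/{port}: {n}")
```

Pointing the script at the real file is a matter of replacing SAMPLE_LOG with the contents of /var/log/ipflog; because logadm rotates that file, a cron job that runs the summary just before rotation gives a daily view of which blocked services are being probed most.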