Javier Barber
Senior Sysadmin Freelancer
FIREWALL ON SOLARIS 10 (IPFILTER)
The first step is to define a rule set. The configuration file is /etc/ipf/ipf.conf. For example:
—>8—
# We assume the network interface is elxl0
# My IP: 172.16.1.100
#
# Block any packet too short to be useful
block in log quick all with short
#
# Drop and log any packet carrying IP options
block in log all with ipopts
#
# Allow loopback traffic.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public network. Block everything that is not explicitly allowed
block in on elxl0 all
block out on elxl0 all
#
# Allow outbound pings
pass out quick on elxl0 proto icmp all keep state
#
# For testing, we can allow inbound pings from other hosts (here ben and jerry)
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound state related packets.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# Allow ssh only from the 172.16.0.0/16 subnet
# pass in log quick on elxl0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry, MSU
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
—>8—
Another example configuration file is the following:
—>8—
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 8080 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass out quick from any to any keep state
block in quick all
—>8—
Once we have the firewall rule set, we must tell IPFilter which network interface the rules apply to. This is done by uncommenting the desired interface in the file /etc/ipf/pfil.ap.
The changes take effect on the next reboot. (It may not be necessary to reboot the machine; bringing the interface down (unplumb) and up (plumb) again may be enough, but it is better to reboot if you can.)
Some useful commands:
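Before pointing ipf at a file like the two above, it is worth auditing it for the mistakes these rulesets differ on: inbound services open to any source, a missing catch-all inbound block, and block rules that drop silently without `log` (so ipmon never shows them). The following POSIX sh script is an added example, not part of the original post; it works on a constructed sample ruleset that mixes both examples, and the sample file path is an assumption.

```sh
#!/bin/sh
# Added example: audit an IPFilter ruleset before loading it with ipf.
# Constructed sample (assumed path), mixing the two rulesets from the post.
RULES_FILE="${TMPDIR:-/tmp}/ipf-audit-sample.conf"
cat > "$RULES_FILE" <<'EOF'
# constructed sample ruleset
pass in quick on lo0 all
pass in quick proto tcp from 172.16.0.0/16 to 172.16.1.100/32 port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass out quick from any to any keep state
block in quick all
EOF

# ipf_rules FILE: the rule lines only (comments and blank lines dropped).
ipf_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# ipf_open_inbound FILE: inbound pass rules that accept traffic from any
# source, i.e. services exposed to the whole network, not a known subnet.
ipf_open_inbound() {
    ipf_rules "$1" | grep -E '^pass[[:space:]]+in[[:space:]]' \
        | grep -E '[[:space:]]from[[:space:]]+any[[:space:]]' || true
}

# ipf_has_catch_all_block FILE: exit 0 if some inbound rule blocks all
# traffic ("block in [log] [quick] [on IFACE] all"). IPFilter applies the
# last matching rule unless "quick" is set, so a non-quick catch-all block
# may sit early in the file, as in the first ruleset of the post.
ipf_has_catch_all_block() {
    ipf_rules "$1" | grep -Eq \
        '^block[[:space:]]+in([[:space:]]+(log|quick|on[[:space:]]+[[:alnum:]]+))*[[:space:]]+all[[:space:]]*$'
}

# ipf_unlogged_block_count FILE: number of block rules without "log";
# packets dropped by these never reach ipmon.
ipf_unlogged_block_count() {
    ipf_rules "$1" | grep -E '^block[[:space:]]' \
        | grep -Evc '[[:space:]]log[[:space:]]' || true
}

echo "Inbound rules open to any source:"
ipf_open_inbound "$RULES_FILE"
if ipf_has_catch_all_block "$RULES_FILE"; then
    echo "Catch-all inbound block: present"
else
    echo "Catch-all inbound block: MISSING"
fi
echo "Block rules without log: $(ipf_unlogged_block_count "$RULES_FILE")"
```

Run it against the real /etc/ipf/ipf.conf by changing RULES_FILE; the sample reports three open inbound rules, a present catch-all block, and one unlogged block rule.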
ipf -E : Enable ipfilter when running for the first time. (Needed for ipf on Tru64)
ipf -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into the active firewall.
ipf -Fa -f /etc/ipf/ipf.conf : Flush all rules, then load rules in /etc/ipf/ipf.conf into the active firewall.
ipf -Fi : Flush all input rules.
ipf -I -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into the inactive firewall.
ipf -V : Show version info and active list.
ipf -s : Swap active and inactive firewalls.
ipfstat : Show summary
ipfstat -i : Show input list
ipfstat -o : Show output list
ipfstat -hio : Show hits against all rules
ipfstat -t -T 5 : Monitor the state table and refresh every 5 seconds. Output is similar to 'top' monitoring the process table.
ipmon -s S : Watch state table.
ipmon -sn : Write logged entries to syslog, and convert back to hostnames and service names.
ipmon -s [file] : Write logged entries to some file.
ipmon -Ds : Run ipmon as a daemon, and log to the default location. (/var/adm/messages for Solaris; /var/log/syslog for Tru64)