Firewalling on Solaris 10

22 May 2009

Firewalling on Solaris 10:

• config file: /etc/ipf/ipf.conf
• flush all rules: ipf -Fa
• reload: ipf -f /etc/ipf/ipf.conf

Email from Julian:

The native firewall that comes with Solaris is “ipf”.

Configuration files are in the directory /etc/ipf and the file is “ipf.conf”, NAT rules in “ipnat.conf”. Unlike iptables, where the configuration file is a series of “iptable” commands, “ipf.conf” is purely a configuration file. Traffiic must be enabled on each interface, so you have “pass in” to allow traffic in on interface A and a “pass out” to allow traffic out on interface B, if it is acting as a firewall, obviously this is not.

As of Solaris 10, processes are started via service manager. To check if ipf is running, you can:

# svcs -a |grep ipf
online May_05 svc:/network/ipfilter:default

“online” status tells you that it is running.

Commands to see what is happening.

“ipfstat”: show statistics, bytes in, bytes out etc.

“ipfstat -i” to display input running rule set

“ipfstat -o” to display output running rule set

“ipf -f /etc/ipf/ipf.conf” to load rules from config file.

“ipmon -s [file]” to have ipf log to “file”

To restart using service manager

“svcadm restart svc:/network/ipfilter:default”

See man page for “ipnat” for options to display NAT options.

Link from Rusty’s blog: http://ozlabs.org/~rusty/index.cgi/2006/08/15

Last word: Solaris’s version of tcpdump is “snoop”. So to monitor traffic: “snoop -d e1000g0 not port 22” you can add “-v” etc.