# ifconfig -a inet
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
pcn0: flags=1000843 mtu 1500 index 3
inet 10.4.128.226 netmask ffffff00 broadcast 10.4.128.25
(check the network interface device name)
#vi /etc/ipf/pfil.ap
.......
#dnet -1 0 pfil
#pcelx -1 0 pfil
#spwr -1 0 pfil
pcn -1 0 pfil
.......
(remove the comment marker in front of the network interface device name)
#vi /etc/ipf/ipf.conf
block in log quick proto tcp from 10.4.128.0/24 to any port = ftp
(edit the firewall rules)
#svcadm enable svc:/network/ipfilter:default
(start the service)
#svcs -a |grep -i ipf
(check again whether the service is running)
#autopush -f /etc/ipf/pfil.ap
(apply the pfil.ap configuration; this step only needs to be done once and does not need repeating when the firewall rules are changed later)
#ifconfig pcn0 down unplumb
(disable the network interface)
#ifconfig pcn0 plumb 10.4.128.226 netmask 255.255.255.0 broadcast 10.4.128.255 up
(enable the network interface)
At this point the firewall is in effect, and you can try to FTP to the server you just configured. If you need to change the rules later, follow these steps:
#vi /etc/ipf/ipf.conf
block in log proto tcp from 10.4.128.0/24 to any port = ftp
block in log proto tcp from 10.4.128.0/24 to any port = telnet
#ipf -Fa -f /etc/ipf/ipf.conf
#ipfstat -io
#ipfstat
#ipmon
After changing the rules you can try FTP again.
The part that probably confuses people most is the rules, but they are actually easy to understand and simple to configure:
block means deny
pass means allow
in means inbound
out means outbound
Just combine these. You can also specify which interface a rule applies to by adding on pcn0, and there is one more keyword, all, which matches (blocks or passes) every packet. Putting these together, an example is:
block in on pcn0 all
(block all incoming packets)
Rules can also target a subnet, an IP address, or a port: append from .... to .... port = .. after the packet specification. The equals sign can be replaced with another operator such as < or >.
Subnet: block in log proto tcp from 10.4.128.0/24 to any port = ftp
Address: block in log proto tcp from 10.4.128.163/32 to any port = ftp
Protocols can be controlled just as well. There are 4 protocol keywords (icmp, tcp, udp, tcp/udp); to filter on a protocol, put the proto keyword before the protocol keyword, e.g.:
block in on pcn0 proto icmp from any to any
When filtering ICMP, the icmp-type keyword specifies the ICMP type; there are 4 type values:
ICMP Type             Value  Keyword
Echo reply            0      echorep
Echo request          8      echo
Router advertisement  9      routerad
Router solicitation   10     routersol
For example:
block out quick proto icmp from any to 10.4.128.163/32 icmp-type 0
(block responses to PING)
The use of quick needs some explanation here; it is a very handy keyword. If your firewall has 100 rules and probably only the first 10 are the useful ones, then quick is very necessary.
pass in log quick proto tcp from 10.4.128.163/32 to any port = telnet
block in log all from any to any
If you want to block all packets to the server and allow only a single IP to telnet in, you can add the quick keyword. The effect of quick is that once a packet matches this rule, it is not checked against the rules further down. Without quick, every packet has to be checked against the whole rule table, which is a very large overhead. Overusing quick is also unwise, however, because after all it does not produce a log.
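To make the matching order concrete, here is an added example (not code from this page's author or from IPFilter): a small Python evaluator for the rule subset used above. It models what the text describes: rules are checked in order, the last matching rule decides, and a matching rule marked quick stops the search immediately. The Rule/Packet types, the evaluate() function, the assumption that a packet matching no rule passes (IPFilter's default), and the small port-name table standing in for /etc/services are all part of the example, not of ipf itself.

```python
"""Added example (not IPFilter code): toy evaluator for the ipf.conf subset used above.
Models the matching order the text describes: rules are checked in order, the last
match decides, and a match marked `quick` ends the search. Assumptions: an unmatched
packet passes (IPFilter's default); port names come from the small table below."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23}  # stand-in for /etc/services
ICMP_TYPES = {"echorep": 0, "echo": 8, "routerad": 9, "routersol": 10}  # table above
_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
        ">": lambda a, b: a > b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}

@dataclass
class Rule:
    action: str                   # "block" or "pass"
    direction: str                # "in" or "out"
    log: bool = False
    quick: bool = False
    iface: Optional[str] = None   # "on pcn0"; None matches any interface
    proto: Optional[str] = None   # "tcp", "udp", "tcp/udp", "icmp"; None = any
    src: Optional[ipaddress.IPv4Network] = None   # None = "any"
    dst: Optional[ipaddress.IPv4Network] = None
    src_port: Optional[Tuple[str, int]] = None    # (operator, port), e.g. ("=", 21)
    dst_port: Optional[Tuple[str, int]] = None
    icmp_type: Optional[int] = None

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None

def _addr(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _num(tok, table):
    return int(tok) if tok.isdigit() else table[tok]

def parse_rule(line: str) -> Rule:
    """Parse one rule; a `port` clause binds to the from/to side that precedes it."""
    toks = line.split()
    rule = Rule(action=toks[0], direction=toks[1])
    side, i = None, 2
    while i < len(toks):
        t = toks[i]
        if t in ("log", "quick"):
            setattr(rule, t, True); i += 1
        elif t == "all":                      # same as "from any to any"
            i += 1
        elif t in ("on", "proto"):
            setattr(rule, "iface" if t == "on" else "proto", toks[i + 1]); i += 2
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            setattr(rule, side, _addr(toks[i + 1])); i += 2
        elif t == "port":
            setattr(rule, side + "_port", (toks[i + 1], _num(toks[i + 2], SERVICE_PORTS))); i += 3
        elif t == "icmp-type":
            rule.icmp_type = _num(toks[i + 1], ICMP_TYPES); i += 2
        else:
            raise ValueError(f"unsupported keyword {t!r} in: {line}")
    return rule

def _port_ok(clause, value):
    return clause is None or _OPS[clause[0]](value, clause[1])

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or pkt.proto in rule.proto.split("/"))  # tcp/udp = either
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type)
            and _port_ok(rule.src_port, pkt.sport) and _port_ok(rule.dst_port, pkt.dport))

def evaluate(rules, pkt: Packet):
    """Return (action, winning rule or None): last match wins unless a match is quick."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:        # quick: stop here; later rules are not consulted
                break
    return (winner.action if winner else "pass"), winner

# The two-rule example from the text: one host may telnet, everything else is blocked.
PAGE_RULES = [
    "pass in log quick proto tcp from 10.4.128.163/32 to any port = telnet",
    "block in log all from any to any",
]

def demo():
    """Compare the rules as written with the same rules minus `quick`."""
    telnet = Packet("in", "pcn0", "tcp", "10.4.128.163", "10.4.128.226", 40000, 23)
    ftp = Packet("in", "pcn0", "tcp", "10.4.128.163", "10.4.128.226", 40001, 21)
    with_quick = [parse_rule(r) for r in PAGE_RULES]
    without_quick = [parse_rule(r.replace(" quick", "")) for r in PAGE_RULES]
    return ((evaluate(with_quick, telnet)[0], evaluate(with_quick, ftp)[0]),        # ("pass", "block")
            (evaluate(without_quick, telnet)[0], evaluate(without_quick, ftp)[0]))  # ("block", "block")
```

Calling demo() returns the two pairs shown in the comments: with quick, the telnet packet from 10.4.128.163 passes and the FTP packet is blocked; with quick removed from the first rule, the telnet packet still matches it but evaluation continues, the later block rule also matches, and as the last match it wins. That second result is exactly why the text puts quick on the pass rule.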
bash-3.00# svcs /network/ipfilter (ipfilter is initially disabled)
STATE STIME FMRI
disabled 8:54:30 svc:/network/ipfilter:default
bash-3.00# svcadm enable /network/ipfilter (enable the service)
bash-3.00# svcs /network/ipfilter (check whether it started; the result shows the service is in maintenance! How to fix this?)
STATE STIME FMRI
maintenance 8:55:11 svc:/network/ipfilter:default
bash-3.00# svcs -d /network/ipfilter (the services that ipfilter depends on are all online)
STATE STIME FMRI
online 8:26:18 svc:/network/pfil:default
online 8:26:20 svc:/system/filesystem/usr:default
online 8:26:20 svc:/network/physical:default
online 8:26:20 svc:/system/identity:node
bash-3.00# svcs -D /network/ipfilter (the services that depend on ipfilter are also all online)
STATE STIME FMRI
online 8:26:23 svc:/milestone/network:default
bash-3.00# svcs -l ipfilter (view the status of a single service)
bash-3.00# svcs -xv ipfilter (find services that did not start properly)
svcadm clear /network/ipfilter (clear the maintenance state)
Creating an IPF Firewall with Solaris 10
Last Updated 12/10/04
Rich Shattuck
Outline
=======
1. Background
2. Configuring IPF
3. Enabling IPF
4. Common IPF commands
Background
==========
With the release of Solaris 10, ipfilter is now supported. Before
Solaris 10, EFS or SunScreen Lite was the default firewall. IPfilter
is a mature product traditionally found in BSDish Operating Systems.
Configuring IPF
===============
First, you will need an ipf ruleset. The Solaris default location for
this file is /etc/ipf/ipf.conf. Below is the ruleset I used for a
Solaris 10 x86 workstation. Note that the public NIC is called elxl0.
Simply copy this ruleset to a file called /etc/ipf/ipf.conf, and edit
to your needs.
--->8---
# 11/18/04 - Newest Firewall for testing.
# Rich Shattuck
# My IP: 172.16.1.100
#
# Block any packets which are too short to be real
block in log quick all with short
#
# drop and log any IP packets with options set in them.
block in log all with ipopts
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public Network. Block everything not explicitly allowed.
block in on elxl0 all
block out on elxl0 all
#
# Allow pings out.
pass out quick on elxl0 proto icmp all keep state
#
# for testing, allow pings from ben and jerry
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound state related packets.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# allow ssh from 172.16.0.0/16 only.
# pass in log quick on elxl0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry, MSU
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
--->8---
Enabling IPF
============
Now that you have an ipf ruleset in place, you'll need to tell the
Solaris packet filter which interface to use. This is accomplished by
uncommenting your interface name from /etc/ipf/pfil.ap.
My pfil.ap file looks like this:
--->8---
# IP Filter pfil autopush setup
#
# See the autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major minor lastminor modules
#iprb -1 0 pfil
elxl -1 0 pfil
#e1000g -1 0 pfil
#bge -1 0 pfil
#nf -1 0 pfil
#fa -1 0 pfil
#ci -1 0 pfil
#el -1 0 pfil
#ipdptp -1 0 pfil
#lane -1 0 pfil
#dnet -1 0 pfil
#pcelx -1 0 pfil
#spwr -1 0 pfil
--->8---
That's It! The ipf firewall should be enabled and working with the next reboot!
Note that the Solaris 10 implementation of ipf will start ipmon.
Ipmon is the ipf utility used to monitor and log packets. By default,
ipmon will write logged packets to /var/adm/messages.
Some Commonly used ipf commands
===============================
ipf -E : Enable ipfilter when running
: for the first time.
: (Needed for ipf on Tru64)
ipf -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file
: into the active firewall.
ipf -Fa -f /etc/ipf/ipf.conf : Flush all rules, then load rules in
: /etc/ipf/ipf.conf into active firewall.
ipf -Fi : Flush all input rules.
ipf -I -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file
: into inactive firewall.
ipf -V : Show version info and active list.
ipf -s : Swap active and inactive firewalls.
ipfstat : Show summary
ipfstat -i : Show input list
ipfstat -o : Show output list
ipfstat -hio : Show hits against all rules
ipfstat -t -T 5 : Monitor the state table and refresh every
: 5 seconds. Output is similar to
: 'top' monitoring the process table.
ipmon -s S : Watch state table.
ipmon -sn : Write logged entries to syslog, and
: convert back to hostnames and servicenames.
ipmon -s [file] : Write logged entries to some file.
ipmon -Ds : Run ipmon as a daemon, and log to
: default location.
: (/var/adm/messages for Solaris)
: (/var/log/syslog for Tru64)
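The log and block rules above only pay off if someone reads what ipmon writes to /var/adm/messages. As an added example (not the page author's code and not part of ipf), here is a Python script that parses those lines and tallies blocked packets per source and service, so repeat offenders against the ftp/telnet block rules stand out. The sample lines are constructed in the shape ipmon records take in syslog on Solaris; the host name, PIDs and addresses are invented, and the exact field order is an assumption drawn from ipmon's documented output format rather than taken from this page.

```python
"""Added example (not the page's or IPFilter's code): summarise ipmon block logs.

ipmon logs each matched packet as one syslog line.  The sample below is
constructed in the shape those lines take in /var/adm/messages on Solaris
(host name, PIDs and addresses are invented; the field order is an assumption
drawn from ipmon's documented output).  The parser skips unrelated lines,
tallies blocked packets per source and service, and flags repeat offenders.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  1 09:00:01 sol10 ipmon[412]: 09:00:01.103212 pcn0 @0:1 b 10.4.128.163,40211 -> 10.4.128.226,21 PR tcp len 20 60 -S IN
Mar  1 09:00:02 sol10 ipmon[412]: 09:00:02.222101 pcn0 @0:1 b 10.4.128.163,40212 -> 10.4.128.226,21 PR tcp len 20 60 -S IN
Mar  1 09:00:02 sol10 ipmon[412]: 09:00:02.918844 pcn0 @0:1 b 10.4.128.163,40213 -> 10.4.128.226,21 PR tcp len 20 60 -S IN
Mar  1 09:00:05 sol10 ipmon[412]: 09:00:05.004431 pcn0 @0:2 p 10.4.128.163,40214 -> 10.4.128.226,23 PR tcp len 20 60 -S IN
Mar  1 09:00:09 sol10 ipmon[412]: 09:00:09.551201 pcn0 @0:1 b 10.4.128.77,51000 -> 10.4.128.226,21 PR tcp len 20 60 -S IN
Mar  1 09:00:10 sol10 ipmon[412]: 09:00:10.000017 pcn0 @0:3 b 10.4.128.77,0 -> 10.4.128.226,0 PR icmp len 20 84 icmp 8/0 IN
Mar  1 09:00:11 sol10 sshd[999]: Accepted publickey for admin from 10.4.128.10 port 50000 ssh2
"""

# One ipmon record: time iface @group:rule action src,sport -> dst,dport PR proto ... IN|OUT
# Action letters: p = pass, b = block, S = short packet, n = no match, L = log only.
LINE_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[pbSnL]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) .*\b(?P<dir>IN|OUT)$"
)

def parse_ipmon(text):
    """Return one dict per ipmon line; lines from other daemons are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            for k in ("group", "rule", "sport", "dport"):
                e[k] = int(e[k])
            events.append(e)
    return events

def blocked_by_source(events):
    """Count blocked packets keyed by (source address, protocol, destination port)."""
    return Counter((e["src"], e["proto"], e["dport"]) for e in events if e["action"] == "b")

def rule_hits(events):
    """Count log entries per @group:rule, a log-side counterpart to `ipfstat -hio`."""
    return Counter(f"@{e['group']}:{e['rule']}" for e in events)

def noisy_sources(events, threshold=3):
    """Sources with at least `threshold` blocked packets to one service, sorted."""
    return sorted({src for (src, _, _), n in blocked_by_source(events).items() if n >= threshold})

if __name__ == "__main__":
    ev = parse_ipmon(SAMPLE_LOG)
    for (src, proto, dport), n in blocked_by_source(ev).most_common():
        print(f"blocked {n:>3} x {src} -> {proto}/{dport}")
    print("repeat offenders:", noisy_sources(ev))
```

On a real host, replace SAMPLE_LOG with the contents of /var/adm/messages (or the file named with ipmon -s [file]). Only rules carrying the log keyword produce these lines, which is why the text's block rules include it; a block rule without log is invisible here and only shows up as a hit counter in ipfstat -hio.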