February 04, 2011

IPFilter changes in Solaris 11 Express

Configuration of IP Filter in Solaris 11 Express has changed. It used to be fairly simple; decide on some rules and put them in /etc/ipf/ipf.conf, enable the service with ‘svcadm enable ipfilter’ and check with ipfstat / ipfstat -io. This is optional, but I like to customise my logging by adding ‘log first level local0.info’ to rules which I would like information about when they are fired. This also leads to the following line in syslog.conf:

#
# logging for ipfilter
#
local0.info;local0.notice;local0.warn;local0.err;local0.debug   /var/log/ipfilter.log

However, in Solaris 11 Express, by default the rules for your firewall are not expected to be found in a configuration file. Instead they have become SMF properties for the IP Filter service. If you attempt to put an ipf.conf file in place and start up IP Filter, everything will seem to start, but you will have no matches as intended because the rule base will be empty:

root@sol-esx01:/var/log# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

The answer to this lies in the man page to svc.ipfd(1m);

 firewall_config_default/policy

         Global Default policy, firewall_config property group in
         svc:/network/ipfilter:default,  can  also be set to cus-
         tom. Users can set policy to custom to use  prepopulated
         IP  Filter  configuration,  for  example, an existing IP
         Filter configuration or custom configurations that  can-
         not  be  provided by the framework. This Global Default-
         only policy mode allows users to supply a text file con-
         taining  the complete set of IPF rules. When custom mode
         is selected, the specified set of IPF rules is  complete
         and  the framework will not generate IPF rules from con-
         figured firewall policies.

     firewall_config_default/custom_policy_file

         A file path to be used when Global Default policy is set
         to  custom.  The  file  contains a set of IPF rules that
         provide the desired IP Filter configuration.  For  exam-
         ple,  users with existing IPF rules in /etc/ipf/ipf.conf
         can execute the following commands to use  the  existing
         rules:

             1.   Set custom policy:

                    # svccfg -s ipfilter:default setprop \
                    firewall_config_default/policy = astring: "custom" 

             2.   Specify custom file:

                    # svccfg -s ipfilter:default setprop \
                    firewall_config_default/custom_policy_file = astring: \
                    "/etc/ipf/ipf.conf" 

             3.   Refresh configuration:

                    # svcadm refresh ipfilter:default

So, following the instructions;

# svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom" 

# svccfg -s ipfilter:default listprop firewall_config_default/policy
firewall_config_default/policy  astring  custom

# svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf" 

# svccfg -s ipfilter:default listprop firewall_config_default/custom_policy_file
firewall_config_default/custom_policy_file  astring  /etc/ipf/ipf.conf

# svcadm refresh ipfilter:default

Seems to do the trick….

# svcs -xv ipfiltersvc:/network/ipfilter:default (IP Filter)
 State: online since February  4, 2011 02:05:01 PM GMT
   See: man -M /usr/share/man -s 5 ipfilter
   See: /var/svc/log/network-ipfilter:default.log
Impact: None.

#
# ipfstat  |grep blocked
 input packets:         blocked 989 passed 1766 nomatch 1753 counted 0 short 0
output packets:         blocked 0 passed 1390 nomatch 1377 counted 0 short 0
 input packets logged:  blocked 403 passed 13
output packets logged:  blocked 0 passed 0

# ipfstat -io |head

pass out quick on lo0 all
pass out quick on e1000g0 proto udp from any to any
pass out quick on e1000g0 proto tcp from any to any flags S/FSRPAU keep state
block in quick from any to any with short
block in quick on e1000g0 from any to any port = 137
block in quick on e1000g0 from any to any port = 138
block in quick on e1000g0 from any to any port = 1434
pass in quick on lo0 all
pass in quick on e1000g0 from 12.34.56.78/32 to any keep state
pass in log first level local0.info quick on e1000g0 proto tcp from 12.34.56.78/16 to any port = ssh flags S/FSRPAU keep state

I’m not sure I’ll ever use anything other than a configuration file for the firewall configs. The configs I need to use are quite complex and lengthy and management/distribution of this seems easiest through a standard text file.

Incidentally, there does seem to be a function to do this for you in /lib/svc/method/ipfilter;

upgrade_config()
{
    old_ipfconf="/etc/ipf/ipf.conf" 

    if [ -f ${old_ipfconf} ]; then
        grep '^[ \t]*[^# \t]' ${old_ipfconf} >/dev/null 2>&1
        if [ $? -eq 0 ]; then
            svccfg -s $SMF_FMRI setprop \
                $FW_CONFIG_DEF_PG/$POLICY_PROP = astring: \
                "custom" >/dev/null 2>&1
            svccfg -s $SMF_FMRI setprop \
                $FW_CONFIG_DEF_PG/$CUSTOM_FILE_PROP = astring: \
                "$old_ipfconf" >/dev/null 2>&1
        fi
    fi

    svccfg -s $SMF_FMRI setprop $FW_CONFIG_DEF_PG/version = count: \
        "$CURRENT_VERSION" >/dev/null 2>&1
    svcadm refresh $SMF_FMRI >/dev/null 2>&1
}

But is isn’t clear to me how this gets called. There is no reference to it from the case statement – none of these options results in it being called (echo “(start|stop|reload|reipf|reipnat|pause|resume)”).

Paul.


- 4 comments by 1 or more people Not publicly viewable

  1. Andrew

    Thanks for documenting these changes since clearly Oracle didn’t in their online documentation! This probably saved me several hours.

    20 Mar 2011, 19:30

  2. Tom C

    Paul,

    Thanks for your information. It got me started quickly. I have discovered , thought I’ve not spent a lot or time with it, that the ‘ipf’ command appears to be able to convert old format filter files into service properties.

    regards,

    tom

    02 May 2011, 16:26

  3. Nilton

    Really useful information, thanks a lot! I do a NAT using IPFILTER and all was working good, until I do a reboot. So, all connections suddenly stopped. And I’m asking for myself: why the hell IPFILTER is not reading ipf.conf and ipnat.conf at boot? You saved me several hours of hard work. Cheers from Brazil.

    12 Jun 2011, 08:26

  4. Maria MacCallum

    Solaris 11.1 is slightly different, I only had to do this before starting ipfilter:
    svccfg -s setprop ipfilter tm_proppat_nt_firewall_config_default_custom_policy/name = astring: ”/etc/ipf/ipf.conf”

    12 Dec 2013, 13:48


Add a comment

You are not allowed to comment on this entry as it has restricted commenting permissions.

February 2011

Mo Tu We Th Fr Sa Su
Jan |  Today  | Mar
   1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28                  

Search this blog

Tags

Galleries

Most recent comments

  • Started sorting out new vers for sparc: http://blogs.warwick.ac.uk/mariamaccallum/entry/apache_249_i… by Maria MacCallum on this entry
  • Solaris 11.1 is slightly different, I only had to do this before starting ipfilter: svccfg –s setpro… by Maria MacCallum on this entry
  • Really useful information, thanks a lot! I do a NAT using IPFILTER and all was working good, until I… by Nilton on this entry
  • Paul, Thanks for your information. It got me started quickly. I have discovered , thought I've not s… by Tom C on this entry
  • Are you familiar with the Monty Python sketch? by Ian Eiloart on this entry

Blog archive

Loading…
Not signed in
Sign in

Powered by BlogBuilder
© MMXIX