Solaris 11 ipfilter 防火牆

啟動客制policy: (指定ipf執行時參照的設定檔，如果沒有設定此部份，必須每次手動啟動設定擋

# svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom" # svccfg -s ipfilter:default listprop firewall_config_default/policy firewall_config_default/policy astring     custom

# svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf" # svccfg -s ipfilter:default listprop firewall_config_default/custom_policy_file firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf

客制policy 檔案:

Run the firewall service:

# svcadm refresh ipfilter:default # svcs -a | grep ipfilterdisabled Sep_20 svc:/network/ipfilter:default # svcs -xv svc:/network/ipfilter:default svc:/network/ipfilter:default (IP Filter)  State: disabled since September 20, 2013 12:21:20 PM PDT Reason: Disabled by an administrator.  See: http://support.oracle.com/msg/SMF-8000-05  See: man -M /usr/share/man -s 5 ipfilter Impact: This service is not running. # svcadm enable svc:/network/ipfilter:default # svcs -xv svc:/network/ipfilter:default svc:/network/ipfilter:default (IP Filter)  State: online since September 23, 2013 05:46:51 AM PDT  See: man -M /usr/share/man -s 5 ipfilter  See: /var/svc/log/network-ipfilter:default.log Impact: None.

啟動 IP Filter服務

# svcadm enable network/ipfilter

關閉封包過濾及允許所有的網路上的封包.

# ipf –D

啟動 IP Filter.

# ipf -E

Activate packet filtering.

# ipf -f filename

(Optional) Activate NAT.

# ipnat -f filename

可以由複製/etc/nwam/loc/NoNet/ipf.conf 範例

# cp /etc/nwam/loc/NoNet/ipf.conf /etc/ipf/ipf

移除kernel中啟動的rule.

# ipf -Fa

這個指令會將所有的封包過濾rule 停用.

移除流入封包過濾rule.

# ipf -Fi

這個指令會將所有流入的封包過濾rule 停用.

移除流出封包過濾

# ipf -Fo

        這個指令會將所有流出的封包過濾rule 停用.

Some Commonly used ipf commands
==================================

ipf -E                          : Enable ipfilter when running
                                : for the first time.
                                : (Needed for ipf on Tru64)

ipf -f /etc/ipf/ipf.conf        : Load rules in /etc/ipf/ipf.conf file
                                : into the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load rules in
                                : /etc/ipf/ipf.conf into active firwall.

ipf -Fi                         : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf     : Load rules in /etc/ipf/ipf.conf file
                                : into inactive firewall.

ipf -V                          : Show version info and active list.

ipf -s                          : Swap active and inactive firewalls.

ipfstat                         : Show summary

ipfstat -i                      : Show input list

ipfstat -o                      : Show output list

ipfstat -hio                    : Show hits against all rules

ipfstat -t -T 5                 : Monitor the state table and refresh every  
                                : 5 seconds. Output is similiar to      
                                : 'top' monitoring the process table.

Monitoring
=============


ipmon -s S                      : Watch state table.

ipmon -sn                       : Write logged entries to syslog, and
                                : convert back to hostnames and servicenames.

ipmon -s [file]                 : Write logged entries to some file.

ipmon -Ds                       : Run ipmon as a daemon, and log to
                                : default location. 
                                : (/var/adm/messages for Solaris , maybe.)
                                : (/var/log/syslog for Tru64)

參考文件：

http://blog.ls-al.com/solaris-ipfilter-pools/

http://blog.ls-al.com/solaris-11-firewall/