Monday, 17 November 2014

Solaris 11 ipfilter firewall

Enable a custom policy (this names the configuration file that ipf consults when it runs; if it is not set, the rule file has to be loaded by hand every time):
# svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
# svccfg -s ipfilter:default listprop firewall_config_default/policy
firewall_config_default/policy astring     custom
# svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"
# svccfg -s ipfilter:default listprop firewall_config_default/custom_policy_file
firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf
Custom policy file:
Run the firewall service:
# svcadm refresh ipfilter:default
# svcs -a | grep ipfilter
disabled       Sep_20   svc:/network/ipfilter:default
# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: disabled since September 20, 2013 12:21:20 PM PDT
Reason: Disabled by an administrator.
 See: http://support.oracle.com/msg/SMF-8000-05
 See: man -M /usr/share/man -s 5 ipfilter
Impact: This service is not running.
# svcadm enable svc:/network/ipfilter:default
# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: online since September 23, 2013 05:46:51 AM PDT
 See: man -M /usr/share/man -s 5 ipfilter
 See: /var/svc/log/network-ipfilter:default.log
Impact: None.

Start the IP Filter service:
# svcadm enable network/ipfilter

Disable packet filtering and allow all packets on the network:
# ipf -D

Enable IP Filter:
# ipf -E

Activate packet filtering.
# ipf -f filename

(Optional) Activate NAT.
# ipnat -f filename

The sample at /etc/nwam/loc/NoNet/ipf.conf can be copied as a starting point for the custom policy file (the destination must match the custom_policy_file property set above):
# cp /etc/nwam/loc/NoNet/ipf.conf /etc/ipf/ipf.conf
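As an added example that is not part of the original post, the following script carries the procedure above through end to end: it writes a constructed default-deny ruleset to the custom policy file, checks the deny posture before anything is loaded, and then runs the post's svccfg/svcadm/ipf steps. The interface name net0 and the choice of SSH as the only inbound service are assumptions; adjust them for the host in question.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed default-deny
# ipf.conf for Solaris 11 IP Filter, a pre-flight check, and the post's
# svccfg/svcadm/ipf steps in one function. Assumptions: the management
# interface is net0 and SSH is the only service reachable from outside.
IPF_CONF=${IPF_CONF:-/etc/ipf/ipf.conf}

# Write the ruleset to the file given as $1. IP Filter is last-match
# unless a rule says "quick", so the two "block ... log all" lines set
# the default and each "pass ... quick" rule is an explicit exception.
write_ruleset() {
  cat > "$1" <<'EOF'
# default: drop and log everything in both directions
block in log all
block out log all
# loopback is always allowed
pass in quick on lo0 all
pass out quick on lo0 all
# connections this host opens; replies are admitted via the state table
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
# the only inbound service: SSH on the management interface (assumed net0)
pass in quick on net0 proto tcp from any to any port = 22 flags S keep state
EOF
}

# Pre-flight: refuse a file that does not start from a deny posture, so a
# mistyped pass rule cannot leave the host wide open (exit 0 when both
# default block lines are present).
check_default_deny() {
  grep -q '^block in ' "$1" && grep -q '^block out ' "$1"
}

# Number of inbound pass rules, worth reviewing before every load.
pass_in_count() {
  grep -c '^pass in ' "$1"
}

# The post's procedure: register the custom policy with SMF, enable the
# service, then flush and load the rules into the active firewall (as root).
apply_ruleset() {
  check_default_deny "$IPF_CONF" || { echo "refusing: no default block rules" >&2; return 1; }
  svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
  svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "$IPF_CONF"
  svcadm refresh ipfilter:default
  svcadm enable network/ipfilter
  ipf -Fa -f "$IPF_CONF"
  ipfstat -io
}
```

Only apply_ruleset needs a Solaris host and root; write_ruleset, check_default_deny and pass_in_count run anywhere, so the file can be reviewed before it touches a live firewall.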

Remove the rules loaded in the kernel:
# ipf -Fa
This command flushes all packet filtering rules, disabling them.

Remove the inbound packet filtering rules:
# ipf -Fi
This command flushes all inbound packet filtering rules, disabling them.

Remove the outbound packet filtering rules:
# ipf -Fo
This command flushes all outbound packet filtering rules, disabling them.

Some Commonly used ipf commands
==================================

ipf -E                          : Enable ipfilter when running
                                : for the first time.
                                : (Needed for ipf on Tru64)

ipf -f /etc/ipf/ipf.conf        : Load rules in /etc/ipf/ipf.conf file
                                : into the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load rules in
                                : /etc/ipf/ipf.conf into active firewall.

ipf -Fi                         : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf     : Load rules in /etc/ipf/ipf.conf file
                                : into inactive firewall.

ipf -V                          : Show version info and active list.

ipf -s                          : Swap active and inactive firewalls.

ipfstat                         : Show summary

ipfstat -i                      : Show input list

ipfstat -o                      : Show output list

ipfstat -hio                    : Show hits against all rules

ipfstat -t -T 5                 : Monitor the state table and refresh every
                                : 5 seconds. Output is similar to
                                : 'top' monitoring the process table.

Monitoring
=============

ipmon -s S                      : Watch state table.

ipmon -sn                       : Write logged entries to syslog, and
                                : convert back to hostnames and servicenames.

ipmon -s [file]                 : Write logged entries to some file.

ipmon -Ds                       : Run ipmon as a daemon, and log to
                                : default location.
                                : (/var/adm/messages for Solaris, maybe.)
                                : (/var/log/syslog for Tru64)


References:
http://blog.ls-al.com/solaris-ipfilter-pools/
http://blog.ls-al.com/solaris-11-firewall/