This chapter provides step-by-step instructions for Solaris IP Filter tasks. For overview information about Solaris IP Filter, see Chapter 25, Solaris IP Filter (Overview).This chapter contains the following information:Configuring Solaris IP Filter Deactivating and Disabling Solaris IP Filter Working With Solaris IP Filter Rule Sets Displaying Statistics and Information for Solaris IP Filter Working With Log Files for Solaris IP Filter Creating and Editing Solaris IP Filter Configuration Files The following task map identifies the procedures associated with configuring Solaris IP Filter.Task Description For Instructions Initially enable Solaris IP Filter. Solaris IP Filter is not enabled by default. You must either enable it manually or use the configuration files in the /etc/ipf/ directory and reboot the system. Beginning with Solaris Express, Developer Edition 2/07 release, packet filter hooks replaced the pfil module to enable Solaris IP filter. How to Enable Solaris IP Filter Re-enable Solaris IP Filter. If Solaris IP Filter is deactivated or disabled, you can re-enable Solaris IP Filter either by rebooting the system or by using the ipf command. How to Re-Enable Solaris IP Filter Enable loopback filtering As an option, you can enable loopback filtering, for example, to filter traffic between zones. How to Enable Loopback Filtering Use this procedure to enable Solaris IP Filter on a system that is running at least Solaris Express, Developer Edition 2/07 OS. Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Create a packet filtering rule set.The packet filtering rule set contains packet filtering rules that are used by Solaris IP Filter. If you want the packet filtering rules to be loaded at boot time, edit the /etc/ipf/ipf.conf file to implement IPv4 packet filtering. Use the /etc/ipf/ipf6.conf file for IPv6 packet filtering rules. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice, and manually activate packet filtering. For information about packet filtering, see Using Solaris IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing Solaris IP Filter Configuration Files. (Optional) Create a network address translation (NAT) configuration file.Network Address Translation (NAT) does not support IPv6. Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually activate the NAT rules.For more information about NAT, see Using Solaris IP Filter's NAT Feature. (Optional) Create an address pool configuration file.Create an ipool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put the address pool. If you do not want the address pool configuration file to be loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate the rules.An address pool can contain only IPv4 addresses or only IPv6 addresses. It can also contain both IPv4 and IPv6 addresses.For more information about address pools, see Using Solaris IP Filter's Address Pools Feature. (Optional) Enable filtering of loopback traffic.If you intend to filter traffic between zones that are configured in your system, you must enable loopback filtering. See How to Enable Loopback Filtering. Make sure that you also define the appropriate rule sets that apply to the zones. Activate Solaris IP Filter.# svcadm enable network/ipfilter You can re-enable packet filtering after it has been temporarily disabled. Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Enable Solaris IP Filter and activate filtering using one of the following methods:Reboot the machine.# rebootWhen IP Filter is enabled, after a reboot the following files are loaded if they are present: the /etc/ipf/ipf.conf file, the /etc/ipf/ipf6.conf file when using IPv6, or the /etc/ipf/ipnat.conf. Perform the following series of commands to enable Solaris IP Filter and activate filtering:Enable Solaris IP Filter.# ipf -E Activate packet filtering.# ipf -f filename (Optional) Activate NAT.# ipnat -f filenameNetwork Address Translation (NAT) does not support IPv6. You can filter loopback traffic only if your system is running at least Solaris Express, Developer Edition 2/07 release. In previous Solaris 10 releases, loopback filtering is not supported. Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Stop Solaris IP Filter if it is running.# svcadm disable network/ipfilter Edit the /etc/ipf.conf or /etc/ipf6.conf file by adding the following line at the beginning of the file:set intercept_loopback true;This line must precede all the IP filter rules that are defined in the file. However, you can insert comments before the line, similar to the following example:# # Enable loopback filtering to filter between zones # set intercept_loopback true; # # Define policy # block in all block out all <other rules> ... Start the Solaris IP filter.# svcadm enable network/ipfilter To verify the status of loopback filtering, use the following command:# ipf —T ipf_loopback ipf_loopback min 0 max 0x1 current 1 #If loopback filtering is disabled, the command would generate the following output:ipf_loopback min 0 max 0x1 current 0 You might want to deactivate or disable packet filtering and NAT under the following circumstances:For testing purposes To troubleshoot system problems when you think the problems are caused by Solaris IP Filter The following task map identifies the procedures associated with deactivating or disabling Solaris IP Filter features.Task Description For Instructions Deactivate packet filtering. Deactivate packet filtering using the ipf command. How to Deactivate Packet Filtering Deactivate NAT. Deactivate NAT using the ipnat command. How to Deactivate NAT Disable packet filtering and NAT. Disable packet filtering and NAT using the ipf command. How to Disable Packet Filtering The following procedure deactivates Solaris IP Filter packet filtering by flushing the packet filtering rules from the active filtering rule set. The procedure does not disable Solaris IP Filter. You can reactivate Solaris IP Filter by adding rules to the rule set. Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Use one of the following methods to deactivate Solaris IP Filter rules:Remove the active rule set from the kernel.# ipf -FaThis command deactivates all packet filtering rules. Remove incoming packet filtering rules.# ipf -FiThis command deactivates packet filtering rules for incoming packets. Remove outgoing packet filtering rules.# ipf -FoThis command deactivates packet filtering rules for outgoing packets. The following procedure deactivates Solaris IP Filter NAT rules by flushing the NAT rules from the active NAT rules set. The procedure does not disable Solaris IP Filter. You can reactivate Solaris IP Filter by adding rules to the rule set. Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Remove NAT from the kernel.# ipnat -FCThe C option removes all entries in the current NAT rule listing. The F option removes all active entries in the current NAT translation table, which shows the currently active NAT mappings. When you run this procedure, both packet filtering and NAT are removed from the kernel. If you use this procedure, you must re-enable Solaris IP Filter in order to reactivate packet filtering and NAT. For more information, see How to Re-Enable Solaris IP Filter. Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Disable packet filtering and allow all packets to pass into the network.# ipf –DThe ipf D command flushes the rules from the rule set. When you re-enable filtering, you must add rules to the rule set. The following task map identifies the procedures associated with Solaris IP Filter rule sets.Task Description For Instructions Manage, view and modify Solaris IP Filter packet filtering rule sets. Managing Packet Filtering Rule Sets for Solaris IP Filter View an active packet filtering rule set. How to View the Active Packet Filtering Rule Set View an inactive packet filtering rule set. How to View the Inactive Packet Filtering Rule Set Activate a different active rule set. How to Activate a Different or Updated Packet Filtering Rule Set Remove a rule set. How to Remove a Packet Filtering Rule Set Add rules to the rule sets. How to Append Rules to the Active Packet Filtering Rule SetHow to Append Rules to the Inactive Packet Filtering Rule Set Move between active and inactive rule sets. How to Switch Between Active and Inactive Packet Filtering Rule Sets Delete an inactive rule set from the kernel. How to Remove an Inactive Packet Filtering Rule Set From the Kernel Manage, view and modify Solaris IP Filter NAT rules. Managing NAT Rules for Solaris IP Filter View active NAT rules. How to View Active NAT Rules Remove NAT rules. How to Remove NAT Rules Add additional rules to NAT rules. How to Append Rules to the NAT Rules Manage, view and modify Solaris IP Filter address pools. Managing Address Pools for Solaris IP Filter View active address pools. How to View Active Address Pools Remove an address pool. How to Remove an Address Pool Add additional rules to an address pool. How to Append Rules to an Address Pool When Solaris IP Filter is enabled, both active and inactive packet filtering rule sets can reside in the kernel. The active rule set determines what filtering is being done on incoming packets and outgoing packets. The inactive rule set also stores rules. These rules are not used unless you make the inactive rule set the active rule set. You can manage, view, and modify both active and inactive packet filtering rule sets.Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. View the active packet filtering rule set that is loaded in the kernel.# ipfstat -io The following example shows output from the active packet filtering rule set that is loaded in the kernel.# ipfstat -io empty list for ipfilter(out) pass in quick on dmfe1 from 192.168.1.0/24 to any pass in all block in on dmfe1 from 192.168.1.10/32 to any Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. View the inactive packet filtering rule set.# ipfstat -I -io The following example shows output from the inactive packet filtering rule set.# ipfstat -I -io pass out quick on dmfe1 all pass in quick on dmfe1 all Use the following procedure if you want to perform either of the following tasks:Activate a packet filtering rule set other than the one that is currently in use by Solaris IP Filter. Reload the same filtering rule set that has been newly updated. Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Choose one of the following steps:Create a new rule set in a separate file of your choice if you want to activate an entirely different rule set. Update the current rule set by editing the configuration file that contains that rule set. Remove the current rule set and load the new rule set.# ipf -Fa -f filenameThe filename can either be the new file with the new rule set or the updated file that contains the active rule set.The active rule set is removed from the kernel. The rules in the filename file become the active rule set.You still need to issue the command even if you are reloading the current configuration file. Otherwise, the old rule set continues to be operative, and the modified rule set in the updated configuration file is not applied.Do not use commands such as ipf D or svcadm restart to load the updated rule set. Such commands expose your network by disabling the firewall first before loading the new rule set. The following example shows how to replace one packet filtering rule set with another packet filtering rule set in a separate configuration file, /etc/ipf/ipf.conf.# ipfstat -io empty list for ipfilter(out) pass in quick on dmfe all # ipf -Fa -f /etc/ipf/ipf.conf # ipfstat -io empty list for ipfilter(out) block in log quick from 10.0.0.0/8 to any The following example shows how to reload a packet filtering rule set that is currently active and which is then updated. In this example, the file in use is /etc/ipf/ipf.conf.# ipfstat -io (Optional) empty list for ipfilter (out) block in log quick from 10.0.0.0/8 to any (Edit the /etc/ipf/ipf.conf configuration file.) # ip -Fa -f /etc/ipf/ipf.conf # ipfstat -io (Optional) empty list for ipfilter (out) block in log quick from 10.0.0.0/8 to any block in quick on elx10 from 192.168.0.0/12 to any Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Remove the rule set.# ipf -F [a|i|o]aRemoves all filtering rules from the rule set. iRemoves the filtering rules for incoming packets. oRemoves the filtering rules for outgoing packets. The following example shows how to remove all filtering rules from the active filtering rule set.# ipfstat -io block out log on dmf0 all block in log quick from 10.0.0.0/8 to any # ipf -Fa # ipfstat -io empty list for ipfilter(out) empty list for ipfilter(in) Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Use one of the following methods to append rules to the active rule set:Append rules to the rule set at the command line using the ipf f - command.# echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f - Perform the following commands:Create a rule set in a file of your choice. Add the rules you have created to the active rule set.# ipf -f filenameThe rules in filename are added to the end of the active rule set. Because Solaris IP Filter uses a “last matching rule” algorithm, the added rules determine filtering priorities, unless you use the quick keyword. If the packet matches a rule containing the quick keyword, the action for that rule is taken, and no subsequent rules are checked. The following example shows how to add a rule to the active packet filtering rule set from the command line.# ipfstat -io empty list for ipfilter(out) block in log quick from 10.0.0.0/8 to any # echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f - # ipfstat -io empty list for ipfilter(out) block in log quick from 10.0.0.0/8 to any block in on dmfe1 proto tcp from 10.1.1.1/32 to any Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Create a rule set in a file of your choice. Add the rules you have created to the inactive rule set.# ipf -I -f filenameThe rules in filename are added to the end of the inactive rule set. Because Solaris IP Filter uses a “last matching rule” algorithm, the added rules determine filtering priorities, unless you use the quick keyword. If the packet matches a rule containing the quick keyword, the action for that rule is taken, and no subsequent rules are checked. The following example shows how to add a rule to the inactive rule set from a file.# ipfstat -I -io pass out quick on dmfe1 all pass in quick on dmfe1 all # ipf -I -f /etc/ipf/ipf.conf # ipfstat -I -io pass out quick on dmfe1 all pass in quick on dmfe1 all block in log quick from 10.0.0.0/8 to any Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Switch the active and inactive rule sets.# ipf -sThis command enables you to switch between the active and inactive rule sets in the kernel. Note that if the inactive rule set is empty, there is no packet filtering. The following example shows how using the ipf s command results in the inactive rule set becoming the active rule set and the active rule set becoming the inactive rule set.Before running the ipf s command, the output from the ipfstat I io command shows the rules in the inactive rule set. The output from the ipfstat io command shows the rules in the active rule set.# ipfstat -io empty list for ipfilter(out) block in log quick from 10.0.0.0/8 to any block in on dmfe1 proto tcp from 10.1.1.1/32 to any # ipfstat -I -io pass out quick on dmfe1 all pass in quick on dmfe1 all block in log quick from 10.0.0.0/8 to any After running the ipf s command, the output from the ipfstat I io and the ipfstat io command show that the content of the two rules sets have switched.# ipf -s Set 1 now inactive # ipfstat -io pass out quick on dmfe1 all pass in quick on dmfe1 all block in log quick from 10.0.0.0/8 to any # ipfstat -I -io empty list for inactive ipfilter(out) block in log quick from 10.0.0.0/8 to any block in on dmfe1 proto tcp from 10.1.1.1/32 to any Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Specify the inactive rule set in the “flush all” command.# ipf -I -FaThis command flushes the inactive rule set from the kernel. If you subsequently run ipf s, the empty inactive rule set will become the active rule set. An empty active rule set means that no filtering will be done. The following example shows how to flush the inactive packet filtering rule set so that all rules have been removed.# ipfstat -I -io empty list for inactive ipfilter(out) block in log quick from 10.0.0.0/8 to any block in on dmfe1 proto tcp from 10.1.1.1/32 to any # ipf -I -Fa # ipfstat -I -io empty list for inactive ipfilter(out) empty list for inactive ipfilter(in) Use the following procedures to manage, view, and modify NAT rules.Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. View the active NAT rules.# ipnat -l The following example shows the output from the active NAT rules set.# ipnat -l List of active MAP/Redirect filters: map dmfe0 192.168.1.0/24 -> 20.20.20.1/32 List of active sessions: Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Remove the current NAT rules.# ipnat -C The following example shows how to remove the entries in the current NAT rules.# ipnat -l List of active MAP/Redirect filters: map dmfe0 192.168.1.0/24 -> 20.20.20.1/32 List of active sessions: # ipnat -C 1 entries flushed from NAT list # ipnat -l List of active MAP/Redirect filters: List of active sessions: Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Use one of the following methods to append rules to the active rule set:Append rules to the NAT rule set at the command line using the ipnat f - command.# echo "map dmfe0 192.168.1.0/24 -> 20.20.20.1/32" | ipnat -f - Perform the following commands:Create additional NAT rules in a file of your choice. Add the rules you have created to the active NAT rules.# ipnat -f filenameThe rules in filename are added to the end of the NAT rules. The following example shows how to add a rule to the NAT rule set from the command line.# ipnat -l List of active MAP/Redirect filters: List of active sessions: # echo "map dmfe0 192.168.1.0/24 -> 20.20.20.1/32" | ipnat -f - # ipnat -l List of active MAP/Redirect filters: map dmfe0 192.168.1.0/24 -> 20.20.20.1/32 List of active sessions: Use the following procedures to manage, view, and modify address pools.Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. View the active address pool.# ippool -l The following example shows how to view the contents of the active address pool.# ippool -l table role = ipf type = tree number = 13 { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; }; Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Remove the entries in the current address pool.# ippool -F The following example shows how to remove an address pool.# ippool -l table role = ipf type = tree number = 13 { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; }; # ippool -F 1 object flushed # ippool -l Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Use one of the following methods to append rules to the active rule set:Append rules to the rule set at the command line using the ippool f - command.# echo "table role = ipf type = tree number = 13 {10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24};" | ippool -f - Perform the following commands:Create additional address pools in a file of your choice. Add the rules you have created to the active address pool.# ippool -f filenameThe rules in filename are added to the end of the active address pool. The following example shows how to add an address pool to the address pool rule set from the command line.# ippool -l table role = ipf type = tree number = 13 { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; }; # echo "table role = ipf type = tree number = 100 {10.0.0.0/32, 172.16.1.2/32, 192.168.1.0/24};" | ippool -f - # ippool -l table role = ipf type = tree number = 100 { 10.0.0.0/32, 172.16.1.2/32, 192.168.1.0/24; }; table role = ipf type = tree number = 13 { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; }; Task Description For Instructions View state tables. View state tables to obtain information about packet filtering using the ipfstat command. How to View State Tables for Solaris IP Filter View state statistics. View statistics on packet state information using the ipfstat s command. How to View State Statistics for Solaris IP Filter View NAT statistics. View NAT statistics using the ipnat s command. How to View NAT Statistics for Solaris IP Filter View address pool statistics. View address pool statistics using the ippool s command. How to View Address Pool Statistics for Solaris IP Filter Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. View the state table.# ipfstatYou can use the t option to view the state table in the top utility format. The following example shows how to view a state table.# ipfstat bad packets: in 0 out 0 input packets: blocked 160 passed 11 nomatch 1 counted 0 short 0 output packets: blocked 0 passed 13681 nomatch 6844 counted 0 short 0 input packets logged: blocked 0 passed 0 output packets logged: blocked 0 passed 0 packets logged: input 0 output 0 log failures: input 0 output 0 fragment state(in): kept 0 lost 0 fragment state(out): kept 0 lost 0 packet state(in): kept 0 lost 0 packet state(out): kept 0 lost 0 ICMP replies: 0 TCP RSTs sent: 0 Invalid source(in): 0 Result cache hits(in): 152 (out): 6837 IN Pullups succeeded: 0 failed: 0 OUT Pullups succeeded: 0 failed: 0 Fastroute successes: 0 failures: 0 TCP cksum fails(in): 0 (out): 0 IPF Ticks: 14341469 Packet log flags set: (0) none Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. View the state statistics.# ipfstat -s The following example shows how to view state statistics.# ipfstat -s IP states added: 0 TCP 0 UDP 0 ICMP 0 hits 0 misses 0 maximum 0 no memory 0 max bucket 0 active 0 expired 0 closed State logging enabled State table bucket statistics: 0 in use 0.00% bucket usage 0 minimal length 0 maximal length 0.000 average length Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. View NAT statistics.# ipnat -s The following example shows how to view NAT statistics.# ipnat -s mapped in 0 out 0 added 0 expired 0 no memory 0 bad nat 0 inuse 0 rules 1 wilds 0 Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. View address pool statistics.# ippool -s The following example shows how to view address pool statistics.# ippool -s Pools: 3 Hash Tables: 0 Nodes: 0 Task Description For Instructions Create a log file. Create a separate Solaris IP filter log file. How to Set Up a Log File for Solaris IP Filter View log files. View state, NAT, and normal log files using the ipmon command. How to View Solaris IP Filter Log Files Flush the packet log buffer. Remove the contents of the packet log buffer using the ipmon F command. How to Flush the Packet Log File Save logged packets to a file. Save logged packets to a file for later reference. How to Save Logged Packets to a File By default, all log information for Solaris IP Filter is recorded in the syslogd file. You should set up a log file to record Solaris IP Filter traffic information separately from other data that might be logged in the default log file. Perform the following steps. Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Edit the /etc/syslog.conf file by adding the following two lines:# Save IPFilter log output to its own file local0.debug /var/log/log-nameOn the second line, make sure to use the Tab key, not the Spacebar, to separate local0.debug from /var/log/log-name. Create the new log file.# touch /var/log/log-name Restart the system-log service.# svcadm restart system-log The following example shows how to create ipmon.log to archive IP filter information.In /etc/syslog.conf:# Save IPFilter log output to its own file local0.debug /var/log/ipmon.logAt the command line:# touch /var/log/ipmon.log # svcadm restart system-log You should create a separate log file to record Solaris IP Filter data. Refer to How to Set Up a Log File for Solaris IP Filter. Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. View the state, NAT, or normal log files. To view a log file, type the following command, using the appropriate option:# ipmon -o [S|N|I] filenameSDisplays the state log file. NDisplays the NAT log file. IDisplays the normal IP log file. To view all state, NAT, and normal log files, use all the options:# ipmon -o SNI filenameProvided that you have manually stopped the ipmon daemon first, you can also use the following command to display state, NAT, and Solaris IP filter log files:# ipmon -a filenameDo not use the ipmon a syntax if the ipmon daemon is still running. Normally, the daemon is automatically started during system boot. Issuing the ipmon a command also opens another copy of ipmon. In such a case, both copies read the same log information, and only one gets a particular log message. For more information about viewing log files, see the ipmon1M man page. The following example shows the output from /var/ipmon.log.# ipmon -o SNI /var/ipmon.log 02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 129.146.157.145 PR icmp len 20 84 icmp echo/0 INor# pkill ipmon # ipmon -aD /var/ipmon.log 02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 129.146.157.145 PR icmp len 20 84 icmp echo/0 IN Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Flush the pack log buffer.# ipmon -F The following example shows the output when a log file is removed. The system provides a report even when there is nothing stored in the log file, as in this example.# ipmon -F 0 bytes flushed from log buffer 0 bytes flushed from log buffer 0 bytes flushed from log buffer Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Save the logged packets to a file.# cat /dev/ipl > filenameContinue logging packets to the filename file until you interrupt the procedure by typing Control-C to get the command line prompt back. The following example shows the result when logged packets are saved to a file.# cat /dev/ipl > /tmp/logfile ^C# # ipmon -f /tmp/logfile 02/09/2004 15:30:28.708294 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 52 -S IN 02/09/2004 15:30:28.708708 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN 02/09/2004 15:30:28.792611 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 70 -AP IN 02/09/2004 15:30:28.872000 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN 02/09/2004 15:30:28.872142 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 43 -AP IN 02/09/2004 15:30:28.872808 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN 02/09/2004 15:30:28.872951 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 47 -AP IN 02/09/2004 15:30:28.926792 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN . . (output truncated) You must directly edit the configuration files to create and modify rule sets and address pools. Configuration files follow standard UNIX syntax rules:The pound sign (#) indicates a line containing comments. Rules and comments can coexist on the same line. Extraneous white space is allowed to keep rules easy to read. Rules can be more than one line long. Use the backslash (\) at the end of a line to indicate that the rule continues on the next line. The following procedure describes how to set up the following:Packet filtering configuration files NAT rules configuration files Address pool configuration files Assume a role that includes the IP Filter Management rights profile, or become superuser.You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Start the file editor of your choice. Create or edit the configuration file for the feature you want to configure.To create a configuration file for packet filtering rules, edit the ipf.conf file.Solaris IP Filter uses the packet filtering rules that you put in to the ipf.conf file. If you locate the rules file for packet filtering in the /etc/ipf/ipf.conf file, this file is loaded when the system is booted. If you do not want the filtering rules to be loaded at boot time, put the in a file of your choice. You can then activate the rules with the ipf command, as described in How to Activate a Different or Updated Packet Filtering Rule Set.See Using Solaris IP Filter's Packet Filtering Feature for information about creating packet filtering rules.If the ipf.conf file is empty, there is no filtering. An empty ipf.conf file is the same as having a rule set that reads:pass in all pass out all To create a configuration file for NAT rules, edit the ipnat.conf file.Solaris IP Filter uses the NAT rules that you put in to the ipnat.conf file. If you locate the rules file for NAT in the /etc/ipf/ipnat.conf file, this file is loaded when the system is booted. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice. You can then activate the NAT rules with the ipnat command.See Using Solaris IP Filter's NAT Feature for information about creating rules for NAT. To create a configuration file for address pools, edit the ippool.conf file.Solaris IP Filter uses the pool of addresses that you put in to the ippool.conf file. If you locate the rules file for the pool of addresses in the /etc/ipf/ippool.conf file, this file is loaded when the system is booted. If you do not want the pool of addresses loaded at boot time, put the ippool.conf file in a location of your choice. You can then activate the pool of addresses with the ippool command.See Using Solaris IP Filter's Address Pools Feature for information about creating address pools. The following examples provide an illustration of packet filtering rules used in filtering configurations.This example shows a configuration on a host machine with an elxl network interface.# pass and log everything by default pass in log on elxl0 all pass out log on elxl0 all # block, but don't log, incoming packets from other reserved addresses block in quick on elxl0 from 10.0.0.0/8 to any block in quick on elxl0 from 172.16.0.0/12 to any # block and log untrusted internal IPs. 0/32 is notation that replaces # address of the machine running Solaris IP Filter. block in log quick from 192.168.1.15 to <thishost> block in log quick from 192.168.1.43 to <thishost> # block and log X11 (port 6000) and remote procedure call # and portmapper (port 111) attempts block in log quick on elxl0 proto tcp from any to elxl0/32 port = 6000 keep state block in log quick on elxl0 proto tcp/udp from any to elxl0/32 port = 111 keep stateThis rule set begins with two unrestricted rules that allow everything to pass into and out of the elxl interface. The second set of rules blocks any incoming packets from the private address spaces 10.0.0.0 and 172.16.0.0 from entering the firewall. The next set of rules blocks specific internal addresses from the host machine. Finally, the last set of rules blocks packets coming in on port 6000 and port 111. This example shows a configuration for a host machine acting as a web server. This machine has an eri network interface.# web server with an eri interface # block and log everything by default; then allow specific services # group 100 - inbound rules # group 200 - outbound rules # (0/32) resolves to our IP address) *** FTP proxy *** # block short packets which are packets fragmented too short to be real. block in log quick all with short # block and log inbound and outbound by default, group by destination block in log on eri0 from any to any head 100 block out log on eri0 from any to any head 200 # web rules that get hit most often pass in quick on eri0 proto tcp from any \ to eri0/32 port = http flags S keep state group 100 pass in quick on eri0 proto tcp from any \ to eri0/32 port = https flags S keep state group 100 # inbound traffic - ssh, auth pass in quick on eri0 proto tcp from any \ to eri0/32 port = 22 flags S keep state group 100 pass in log quick on eri0 proto tcp from any \ to eri0/32 port = 113 flags S keep state group 100 pass in log quick on eri0 proto tcp from any port = 113 \ to eri0/32 flags S keep state group 100 # outbound traffic - DNS, auth, NTP, ssh, WWW, smtp pass out quick on eri0 proto tcp/udp from eri0/32 \ to any port = domain flags S keep state group 200 pass in quick on eri0 proto udp from any port = domain to eri0/32 group 100 pass out quick on eri0 proto tcp from eri0/32 \ to any port = 113 flags S keep state group 200 pass out quick on eri0 proto tcp from eri0/32 port = 113 \ to any flags S keep state group 200 pass out quick on eri0 proto udp from eri0/32 to any port = ntp group 200 pass in quick on eri0 proto udp from any port = ntp to eri0/32 port = ntp group 100 pass out quick on eri0 proto tcp from eri0/32 \ to any port = ssh flags S keep state group 200 pass out quick on eri0 proto tcp from eri0/32 \ to any port = http flags S keep state group 200 pass out quick on eri0 proto tcp from eri0/32 \ to any port = https flags S keep state group 200 pass out quick on eri0 proto tcp from eri0/32 \ to any port = smtp flags S keep state group 200 # pass icmp packets in and out pass in quick on eri0 proto icmp from any to eri0/32 keep state group 100 pass out quick on eri0 proto icmp from eri0/32 to any keep state group 200 # block and ignore NETBIOS packets block in quick on eri0 proto tcp from any \ to any port = 135 flags S keep state group 100 block in quick on eri0 proto tcp from any port = 137 \ to any flags S keep state group 100 block in quick on eri0 proto udp from any to any port = 137 group 100 block in quick on eri0 proto udp from any port = 137 to any group 100 block in quick on eri0 proto tcp from any port = 138 \ to any flags S keep state group 100 block in quick on eri0 proto udp from any port = 138 to any group 100 block in quick on eri0 proto tcp from any port = 139 to any flags S keep state group 100 block in quick on eri0 proto udp from any port = 139 to any group 100 This example shows a configuration for a router that has an internal interface, ce0, and an external interface, ce1.# internal interface is ce0 at 192.168.1.1 # external interface is ce1 IP obtained via DHCP # block all packets and allow specific services *** NAT *** *** POOLS *** # Short packets which are fragmented too short to be real. block in log quick all with short # By default, block and log everything. block in log on ce0 all block in log on ce1 all block out log on ce0 all block out log on ce1 all # Packets going in/out of network interfaces that aren't on the loopback # interface should not exist. block in log quick on ce0 from 127.0.0.0/8 to any block in log quick on ce0 from any to 127.0.0.0/8 block in log quick on ce1 from 127.0.0.0/8 to any block in log quick on ce1 from any to 127.0.0.0/8 # Deny reserved addresses. block in quick on ce1 from 10.0.0.0/8 to any block in quick on ce1 from 172.16.0.0/12 to any block in log quick on ce1 from 192.168.1.0/24 to any block in quick on ce1 from 192.168.0.0/16 to any # Allow internal traffic pass in quick on ce0 from 192.168.1.0/24 to 192.168.1.0/24 pass out quick on ce0 from 192.168.1.0/24 to 192.168.1.0/24 # Allow outgoing DNS requests from our servers on .1, .2, and .3 pass out quick on ce1 proto tcp/udp from ce1/32 to any port = domain keep state pass in quick on ce0 proto tcp/udp from 192.168.1.2 to any port = domain keep state pass in quick on ce0 proto tcp/udp from 192.168.1.3 to any port = domain keep state # Allow NTP from any internal hosts to any external NTP server. pass in quick on ce0 proto udp from 192.168.1.0/24 to any port = 123 keep state pass out quick on ce1 proto udp from any to any port = 123 keep state # Allow incoming mail pass in quick on ce1 proto tcp from any to ce1/32 port = smtp keep state pass in quick on ce1 proto tcp from any to ce1/32 port = smtp keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = smtp keep state # Allow outgoing connections: SSH, WWW, NNTP, mail, whois pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = 22 keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = 22 keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = 80 keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = 80 keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = 443 keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = 443 keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = nntp keep state block in quick on ce1 proto tcp from any to any port = nntp keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = nntp keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = smtp keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = whois keep state pass out quick on ce1 proto tcp from any to any port = whois keep state # Allow ssh from offsite pass in quick on ce1 proto tcp from any to ce1/32 port = 22 keep state # Allow ping out pass in quick on ce0 proto icmp all keep state pass out quick on ce1 proto icmp all keep state # allow auth out pass out quick on ce1 proto tcp from ce1/32 to any port = 113 keep state pass out quick on ce1 proto tcp from ce1/32 port = 113 to any keep state # return rst for incoming auth block return-rst in quick on ce1 proto tcp from any to any port = 113 flags S/SA # log and return reset for any TCP packets with S/SA block return-rst in log on ce1 proto tcp from any to any flags S/SA # return ICMP error packets for invalid UDP packets block return-icmp(net-unr) in proto udp all