FIREWALL ON SOLARIS 10 (IPFILTER)

December 20, 2007 at 2:16 pm | Posted in Solaris | 8 comments

The first step is to define a ruleset. The configuration file is /etc/ipf/ipf.conf. For example:

—>8—
# We assume the interface is "elxl0"
# My IP: 172.16.1.100
#
# Block any packet too short to be useful
block in log quick all with short
#
# Drop and log any packet carrying IP options
block in log all with ipopts
#
# Allow loopback traffic.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public network. Block everything that is not specifically allowed
block in on elxl0 all
block out on elxl0 all
#
# Allow outbound pings
pass out quick on elxl0 proto icmp all keep state
#
# For testing, we can allow incoming pings from other hosts (here, ben and jerry)
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound state-related packets.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# Allow ssh only from the 172.16.0.0/16 subnet
# pass in log quick on elxl0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry and MSU
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
—>8—

Another example of a configuration file is the following:

—>8—
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 8080 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass out quick from any to any keep state
block in quick all
—>8—
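As an added example (not code from the original post), a small Python evaluator that applies IPFilter's matching semantics to a subset of the first ruleset above: the last matching rule decides, except that a matching "quick" rule ends the search at once, and a packet that matches no rule is passed by default. It shows why the non-quick "block in on elxl0 all" still blocks everything the later quick pass rules do not explicitly allow; the ruleset subset and the packets are constructed, and "keep state" is not simulated, so reply traffic to outbound connections is not modelled.

```python
import ipaddress

# Constructed example: a subset of the first ruleset on this page, comments stripped.
RULES = [l for l in """
block in log quick all with short
block in on elxl0 all
block out on elxl0 all
pass out quick on elxl0 proto tcp/udp from any to any keep state
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
""".splitlines() if l.strip()]

def parse_rule(line):
    """Parse one ipf.conf line into match criteria (a subset of the ipf rule syntax)."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None, "proto": None,
         "src": "any", "dst": "any", "sport": None, "dport": None, "with": None}
    side, i = None, 2
    while i < len(t):
        w = t[i]
        if w == "on": r["iface"] = t[i + 1]; i += 2
        elif w == "proto": r["proto"] = t[i + 1].split("/"); i += 2  # "tcp/udp" matches either
        elif w in ("from", "to"): side = "src" if w == "from" else "dst"; r[side] = t[i + 1]; i += 2
        elif w == "port": r[side[0] + "port"] = int(t[i + 2]); i += 3  # "port = N" after from/to
        elif w == "with": r["with"] = t[i + 1]; i += 2
        else: i += 1  # all, log, keep, state: no match criteria of their own here
    return r

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(r, p):
    """p is a packet dict: dir, iface, proto, src, dst, and optional sport/dport/flags."""
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and in_net(p["src"], r["src"]) and in_net(p["dst"], r["dst"])
            and r["sport"] in (None, p.get("sport")) and r["dport"] in (None, p.get("dport"))
            and (r["with"] is None or r["with"] in p.get("flags", ())))

def evaluate(rules, p):
    """ipf semantics: the LAST matching rule decides, except that a matching 'quick' rule
    ends the search at once. If no rule matches, ipf passes the packet by default."""
    verdict = ("pass", "(no rule matched: ipf default is pass)")
    for text in rules:
        r = parse_rule(text)
        if matches(r, p):
            verdict = (r["action"], text)
            if r["quick"]:
                break
    return verdict
```

Calling evaluate(RULES, packet) with an inbound TCP packet from 172.16.1.11 to port 22 returns the quick ssh rule, while the same packet from an address outside the allowed ranges falls through to "block in on elxl0 all".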

Once we have the firewall ruleset, we must tell IPFilter which network interface to apply those rules on. We do this by uncommenting the interface we want in the file /etc/ipf/pfil.ap.

The changes take effect on the next reboot. (It may not be necessary to reboot the machine; bringing the interface down (unplumb) and back up (plumb) may be enough, but it is better to reboot if you can.)

Some useful commands:

ipf -E                          : Enable ipfilter when running for the first time
                                  (needed for ipf on Tru64).

ipf -f /etc/ipf/ipf.conf        : Load the rules in /etc/ipf/ipf.conf into the
                                  active firewall.

ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load the rules in
                                  /etc/ipf/ipf.conf into the active firewall.

ipf -Fi                         : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf     : Load the rules in /etc/ipf/ipf.conf into the
                                  inactive firewall.

ipf -V                          : Show version info and the active list.

ipf -s                          : Swap the active and inactive firewalls.

ipfstat                         : Show a summary.

ipfstat -i                      : Show the input list.

ipfstat -o                      : Show the output list.

ipfstat -hio                    : Show hits against all rules.

ipfstat -t -T 5                 : Monitor the state table, refreshing every
                                  5 seconds. The output is similar to 'top'
                                  monitoring the process table.

ipmon -s S                      : Watch the state table.

ipmon -sn                       : Write logged entries to syslog, converting
                                  addresses back to hostnames and service names.

ipmon -s [file]                 : Write logged entries to a file.

ipmon -Ds                       : Run ipmon as a daemon and log to the default
                                  location (/var/adm/messages on Solaris,
                                  /var/log/syslog on Tru64).
