OpenSolaris / OpenIndiana IPF

After I spent hours thinking I have lost the plot, I finally read about how IPF is configured by default now. I am not sure what build this was changed, but now, by default IPF on OpenIndiana does not look @ /etc/ipf/ipf.conf for default IPv4 IPF Rules to load @ start. To make it look @ this file apply the following.



# Turn IPF back to legacy text file usage

$PRV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"

$PRV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "$IPFW_CFG"

$PRV_EXEC svcadm refresh ipfilter:default

echo "Done - Edit $IPFW_CFG and enable IPF now ..."

Sample Conf:

# Default policies
pass out all keep state
block in all
block return-rst in log first proto tcp all
block return-icmp(host-unr) in log proto udp all

# Allow Loopback
pass in quick on lo0 all
pass out quick on lo0 all

# Allow ICMP
pass out quick proto icmp all keep state
pass in quick proto icmp all keep state

# Allow SSH
pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags

# Allow SSH
pass in quick proto tcp from any to any port = 80 keep state

Now just enable the service
pfexec svcadm enable svc:/network/ipfilter:default

Handy IPF Commands

ipf -E                          : Enable ipfilter when running
                                : for the first time.
				: (Needed for ipf on Tru64)

ipf -f /etc/ipf/ipf.conf        : Load rules in /etc/ipf/ipf.conf file
                                : into the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load rules in
                                : /etc/ipf/ipf.conf into active firwall.

ipf -Fi                         : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf     : Load rules in /etc/ipf/ipf.conf file
                                : into inactive firewall.

ipf -V                          : Show version info and active list.

ipf -s                          : Swap active and inactive firewalls.

ipfstat                         : Show summary

ipfstat -i                      : Show input list

ipfstat -o                      : Show output list

ipfstat -hio                    : Show hits against all rules

ipfstat -t -T 5			: Monitor the state table and refresh every  
				: 5 seconds. Output is similiar to	
				: 'top' monitoring the process table.

ipmon -s S                      : Watch state table.

ipmon -sn                       : Write logged entries to syslog, and
                                : convert back to hostnames and servicenames.

ipmon -s [file]                 : Write logged entries to some file.

ipmon -Ds			: Run ipmon as a daemon, and log to
				: default location. 
				: (/var/adm/messages for Solaris)

Related Posts

Book REVIEW: Linux Service Management Made Easy with systemd: Advanced techniques to effectively manage, control, and monitor Linux systems and services 1st Edition

Amazon Link Disclaimer: I get no royalites or anything here – Just had coworkers ask me about it So since I’m no systems guru and am now…

CLI Templates for Python + Rust

Do you also write a lot of services that need a few CLI option (e.g. –config) and or little CLI tools from time to time? Want a…

Stop IPv4 Point-To-Point Addressing your Networks

IPv4 addressing on links is no longer required to route IPv4. What you say?? Yes, you can stop IPv4 addressing your point to point links with Legacy…

NAT64: Using `jool` on Ubuntu 20.04

I found that jool has very good tutorials, but all the commands to get going are hidden in these large tutorials. Here are the steps I took…

Raspberry Pi Powered Fireplace

Mr Aijay Adams and I am back making my Fireplace Internet / Smart device controllable. Now, via a very sexy Web UI, when I’m heading back to…


Are you using the latest Linux kernel firewall?. Here are some notes I’ve saved that I use and forget all the time. I plan to add to…

This Post Has One Comment

  1. I just upgraded to OI and was wondering what happened to IPF. So glad to see you already tackled this. When you say “To make it look @ this file apply the following.” What is “this file”?

Leave a Reply

Your email address will not be published. Required fields are marked *