OpenSolaris / OpenIndiana IPF

After I spent hours thinking I have lost the plot, I finally read about how IPF is configured by default now. I am not sure what build this was changed, but now, by default IPF on OpenIndiana does not look @ /etc/ipf/ipf.conf for default IPv4 IPF Rules to load @ start. To make it look @ this file apply the following.



# Turn IPF back to legacy text file usage

$PRV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"

$PRV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "$IPFW_CFG"

$PRV_EXEC svcadm refresh ipfilter:default

echo "Done – Edit $IPFW_CFG and enable IPF now …"

Sample Conf:

# Default policies
pass out all keep state
block in all
block return-rst in log first proto tcp all
block return-icmp(host-unr) in log proto udp all

# Allow Loopback
pass in quick on lo0 all
pass out quick on lo0 all

# Allow ICMP
pass out quick proto icmp all keep state
pass in quick proto icmp all keep state

# Allow SSH
pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags

# Allow SSH
pass in quick proto tcp from any to any port = 80 keep state

Now just enable the service
pfexec svcadm enable svc:/network/ipfilter:default

Handy IPF Commands

ipf -E                          : Enable ipfilter when running
                                : for the first time.
				: (Needed for ipf on Tru64)

ipf -f /etc/ipf/ipf.conf        : Load rules in /etc/ipf/ipf.conf file
                                : into the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load rules in
                                : /etc/ipf/ipf.conf into active firwall.

ipf -Fi                         : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf     : Load rules in /etc/ipf/ipf.conf file
                                : into inactive firewall.

ipf -V                          : Show version info and active list.

ipf -s                          : Swap active and inactive firewalls.

ipfstat                         : Show summary

ipfstat -i                      : Show input list

ipfstat -o                      : Show output list

ipfstat -hio                    : Show hits against all rules

ipfstat -t -T 5			: Monitor the state table and refresh every  
				: 5 seconds. Output is similiar to	
				: 'top' monitoring the process table.

ipmon -s S                      : Watch state table.

ipmon -sn                       : Write logged entries to syslog, and
                                : convert back to hostnames and servicenames.

ipmon -s [file]                 : Write logged entries to some file.

ipmon -Ds			: Run ipmon as a daemon, and log to
				: default location. 
				: (/var/adm/messages for Solaris)