Friday, February 6, 2009

Minimal IP Filter rules for OpenSolaris 2008.11

IP Filter is disabled by default on OpenSolaris 2008.11. Edit the file below, then enable ipfilter with 'svcadm enable -r ipfilter'. If the file is modified after ipfilter has been started, 'svcadm refresh ipfilter' may be used to reload the rules.

Here's what I used as a minimal configuration on my workstation:
/etc/ipf/ipf.conf

# Allow all traffic on loopback device lo0
pass in quick on lo0 all
pass out quick on lo0 all

# Actively refuse connections to IDENT port
block return-rst in quick proto tcp to port = 113

# Block all other traffic by default; these two rules are not 'quick', so a matching 'pass ... quick' rule below overrides them
block in log all
block out all

# Allow incoming ping
pass in quick proto icmp from any to any icmp-type 8 code 0 keep state
# Allow incoming ssh
pass in quick proto tcp from any to any port = 22 flags S keep state
# Allow incoming VNC
pass in quick proto tcp from any to any port = 5900 flags S keep state
# Necessary for the FTP client to work properly (passive mode); active mode still doesn't work.
# Admits inbound data connections from source port 20 to local ports 40000-44999 (the >< range is exclusive)
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state

# Allow outgoing icmp
pass out quick proto icmp from any to any keep state
# Allow outgoing tcp/udp
pass out quick proto tcp/udp from any to any keep state keep frags
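To see why the non-quick 'block ... all' lines can sit above the 'pass ... quick' lines, here is an added example (my own code, not part of the original post) that replays IP Filter's rule-ordering semantics over the rule set above: the last matching rule wins, unless a matching 'quick' rule ends the walk early. It evaluates a first packet only; 'keep state', TCP flags and addresses (only 'any' appears) are deliberately not modelled.

```python
# Constructed copy of the post's /etc/ipf/ipf.conf with the comments stripped.
RULES_CONF = """
pass in quick on lo0 all
pass out quick on lo0 all
block return-rst in quick proto tcp to port = 113
block in log all
block out all
pass in quick proto icmp from any to any icmp-type 8 code 0 keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
pass in quick proto tcp from any to any port = 5900 flags S keep state
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags
"""

def parse_rule(line):
    """Extract the fields this evaluator models; every other keyword is skipped."""
    tok = line.split()
    r = {"action": tok[0], "dir": "in" if "in" in tok else "out", "quick": "quick" in tok,
         "iface": None, "proto": None, "sport": None, "dport": None, "icmp_type": None}
    side = None                                  # which end the next 'port' clause applies to
    for i, t in enumerate(tok):
        nxt = tok[i + 1:i + 4]                   # the value tokens that may follow a keyword
        if t == "on": r["iface"] = nxt[0]
        elif t == "proto": r["proto"] = set(nxt[0].split("/"))       # 'tcp/udp' = either one
        elif t in ("from", "to"): side = "sport" if t == "from" else "dport"
        elif t == "port" and nxt[0] == "=": r[side] = (int(nxt[1]),) * 2
        elif t == "port" and nxt[1] == "><": r[side] = (int(nxt[0]) + 1, int(nxt[2]) - 1)
        elif t == "icmp-type": r["icmp_type"] = int(nxt[0])
    return r

RULES = [parse_rule(l) for l in RULES_CONF.splitlines() if l.strip()]

def matches(r, pkt):
    """True if a first packet (dir, iface, proto, sport, dport, icmp_type) hits rule r."""
    ok = r["dir"] == pkt["dir"] and r["iface"] in (None, pkt.get("iface"))
    ok = ok and (r["proto"] is None or pkt.get("proto") in r["proto"])
    ok = ok and (r["icmp_type"] is None or pkt.get("icmp_type") == r["icmp_type"])
    for k in ("sport", "dport"):
        ok = ok and (r[k] is None or r[k][0] <= pkt.get(k, -1) <= r[k][1])
    return ok

def decide(rules, pkt):
    """ipf ordering: the last matching rule wins, unless a matching 'quick' rule ends
    the walk early. Returns (verdict, index of deciding rule); no match means pass."""
    verdict, winner = "pass", None
    for n, r in enumerate(rules):
        if matches(r, pkt):
            verdict, winner = r["action"], n
            if r["quick"]:
                break
    return verdict, winner
```

For example, an inbound SYN to port 22 on a non-loopback interface first hits 'block in log all' (rule index 3) and is then overridden by the quick ssh rule (index 6); an inbound packet to port 8080 never leaves the block rule.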
