Wednesday May 06, 2009

Firewall configuration in OpenSolaris 2009.06

The host-based firewall featured in the upcoming OpenSolaris 2009.06 release allows users to quickly configure a system-wide and/or service-specific firewall. Based on the excellent IPfilter feature, the host-based firewall gives OpenSolaris users and developers a simple way to harden their systems: they specify high-level policies (e.g. networks or hosts to allow or deny) that are translated into a set of IPfilter rules.

Each service has its own service-specific firewall policy, and a global policy applies to all services. These high-level policies, their translation into IPfilter rules, and the supporting changes that monitor a service's state and update its policy accordingly make up the new IPfilter-based firewall framework, PSARC 2008/580 Solaris host-based firewall. At the moment, OpenSolaris users configure the host-based firewall through the CLI, but stay tuned for the upcoming Firewall panel, courtesy of Visual Panels.

The what:
- You can configure a service's firewall by setting appropriate values in the new per-service firewall_config property group.
- In addition to service-specific policies, you can configure Global Default and Global Override policies, which affect all services. The Global Default specifies a common policy for all services, though a service can override it by modifying its own service-specific policy. The Global Override is the other global policy; it overrides the services' policies (typically to block any holes exposed by services' policies, though it is not necessary in most configurations).

Complete documentation on host-based firewall is in ipfilter(5), ipf(1m), and svc.ipfd(1m).

The how: In these examples, I'm configuring the firewall on a workstation on my home LAN. The rule verifications shown in the examples serve only as clarification and are not necessary.

Enable the firewall with its default global policy
Configure Global Default to block all incoming traffic (an "allow" policy with no apply_to entities allows nothing, so everything else is blocked)

$ svcadm enable network/ipfilter
$ svccfg -s network/ipfilter:default setprop firewall_config_default/policy = astring: allow
$ svcadm refresh network/ipfilter

Verify IPfilter rules

$ pfexec ipfstat -ni 
@1 pass in log quick from any to any port = 68    <== These two rules are necessary for
@2 pass in log quick from any to any port = 546   <== system's DHCP clients.
@3 block in log all 


Enable ftp and allow only machines on the LAN so I can transfer pictures and music
Except the girlfriend's Windows laptop :)

$ svcadm enable ftp 
$ svccfg -s network/ftp setprop firewall_config/policy = astring: allow 
$ svccfg -s network/ftp setprop firewall_config/apply_to = astring: network:192.168.1.0/24 
$ svccfg -s network/ftp setprop firewall_config/exceptions = astring: host:192.168.1.11 
$ svcadm refresh ftp 

Verify IPfilter rules

$ pfexec ipfstat -ni 
@1 block in log quick proto tcp from 192.168.1.11/32 to any port = ftp flags S/FSRPAU keep state keep frags
@2 pass in log quick proto tcp from 192.168.1.0/24 to any port = ftp flags S/FSRPAU keep state keep frags
@3 block in log quick proto tcp from any to any port = ftp flags S/FSRPAU keep state keep frags
@4 block in log quick proto tcp from 192.168.1.11/32 to any port = ftp-data flags S/FSRPAU keep state keep frags
@5 pass in log quick proto tcp from 192.168.1.0/24 to any port = ftp-data flags S/FSRPAU keep state keep frags
@6 block in log quick proto tcp from any to any port = ftp-data flags S/FSRPAU keep state keep frags
@7 pass in log quick from any to any port = 68
@8 pass in log quick from any to any port = 546
@9 block in log all 

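Because every generated rule is "quick", the first matching rule wins, so the per-host block for the exception (@1) must be ordered before the network-wide pass (@2) or the exception silently stops working. The following is an added example, not part of the original post: a small POSIX sh checker that parses an ipfstat -ni listing (here a constructed sample copied from the ftp verification above) and confirms the exception precedes the allow and that the inbound chain still ends in a default deny.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an "ipfstat -ni"
# listing to confirm the "allow LAN except one host" policy was translated
# into the rule order IPfilter needs. All generated rules are "quick", so the
# first match wins: the per-host block MUST come before the network pass.

# Constructed sample: the inbound ftp listing shown after "svcadm refresh ftp".
SAMPLE_RULES='@1 block in log quick proto tcp from 192.168.1.11/32 to any port = ftp flags S/FSRPAU keep state keep frags
@2 pass in log quick proto tcp from 192.168.1.0/24 to any port = ftp flags S/FSRPAU keep state keep frags
@3 block in log quick proto tcp from any to any port = ftp flags S/FSRPAU keep state keep frags
@7 pass in log quick from any to any port = 68
@8 pass in log quick from any to any port = 546
@9 block in log all'

# rule_index LISTING ACTION SOURCE PORT
# Prints the @N number of the first inbound rule with that action, source and
# destination port (e.g. "block 192.168.1.11/32 ftp"); prints nothing if absent.
rule_index() {
  printf '%s\n' "$1" | awk -v act="$2" -v src="$3" -v port="$4" '
    $2 == act && $3 == "in" &&
    $0 ~ ("from " src " to any port = " port "( |$)") { sub(/^@/, "", $1); print $1; exit }'
}

# exception_precedes_allow LISTING EXCEPT_HOST NET PORT
# Returns 0 when the block rule for EXCEPT_HOST is ordered before the pass
# rule for NET (the exception is effective), 1 otherwise.
exception_precedes_allow() {
  blk=$(rule_index "$1" block "$2" "$4")
  pas=$(rule_index "$1" pass "$3" "$4")
  [ -n "$blk" ] && [ -n "$pas" ] && [ "$blk" -lt "$pas" ]
}

# ends_with_default_deny LISTING
# Returns 0 when the last inbound rule is the catch-all "block in log all".
ends_with_default_deny() {
  printf '%s\n' "$1" | tail -n 1 | grep -q '^@[0-9]* block in log all$'
}

# Against a live system (needs the same pfexec rights as in the post):
#   exception_precedes_allow "$(pfexec ipfstat -ni)" 192.168.1.11/32 192.168.1.0/24 ftp
```

The same check applies unchanged to the ftp-data rules (@4 to @6) by passing ftp-data as the port.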

Disable ftp once transferring is done

$ svcadm disable ftp

Verify IPfilter rules

$ pfexec ipfstat -ni 
@1 pass in log quick from any to any port = 68
@2 pass in log quick from any to any port = 546
@3 block in log all 


Use a custom policy similar to the above configuration but allow ftp only from the laptop

$ cat /etc/ipf/tony_ipf.conf 
@1 pass in log quick proto tcp from 192.168.1.4/32 to any port = ftp flags S/FSRPAU keep state keep frags
@2 block in log quick proto tcp from any to any port = ftp flags S/FSRPAU keep state keep frags
@3 pass in log quick proto tcp from 192.168.1.4/32 to any port = ftp-data flags S/FSRPAU keep state keep frags
@4 block in log quick proto tcp from any to any port = ftp-data flags S/FSRPAU keep state keep frags
@5 pass in log quick from any to any port = 68
@6 pass in log quick from any to any port = 546
@7 block in log all
@1 pass out log quick all keep state
@2 pass out log quick from any port = 68 to any keep state
@3 pass out log quick from any port = 546 to any keep state

$ svccfg -s network/ipfilter:default setprop firewall_config_default/policy = astring: custom
$ svccfg -s network/ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/tony_ipf.conf" 
$ svcadm refresh network/ipfilter

Verify IPfilter rules

$ pfexec ipfstat -nio
@1 pass out log quick all keep state
@2 pass out log quick from any port = 68 to any keep state
@3 pass out log quick from any port = 546 to any keep state
@1 pass in log quick proto tcp from 192.168.1.4/32 to any port = ftp flags S/FSRPAU keep state keep frags
@2 block in log quick proto tcp from any to any port = ftp flags S/FSRPAU keep state keep frags
@3 pass in log quick proto tcp from 192.168.1.4/32 to any port = ftp-data flags S/FSRPAU keep state keep frags
@4 block in log quick proto tcp from any to any port = ftp-data flags S/FSRPAU keep state keep frags
@5 pass in log quick from any to any port = 68
@6 pass in log quick from any to any port = 546
@7 block in log all 


Slightly more advanced configurations, such as Global Override and opening ports for non-services, should be covered in a follow-on post.

About

tonyn
