Using IPFilter Rules


At a Glance
Using and setting up IPFilter.

SmartMachines include Crossbow networking and access to the virtual NIC by default. This means you have full control over the networking stack of your machine.

A security best practice is to place back-end services behind a load balancer (such as Stingray), a bastion host, or a VPN server rather than exposing them directly to the Internet.

You can assign IPFilter rules that ensure secure communication between services and your SmartMachine, making it easier for your SmartMachines to pass security audits. For example, you can set up rules that only allow SSH from your static IP or from a block of IPs in use by your ISP.

Once such rules are in place, you can only connect to your system from the IP addresses you specify.

The following briefly describes how to assign IPFilter rules to your SmartMachine.
In this topic:
    * Starting and Stopping IPfilter
    * Sample IPfilter rules

        * Allow inbound traffic from a specific IP address
        * Allow inbound traffic from a specific IP address to a specific port
        * Allow inbound traffic icmp only from a specific IP address
        * Allow outbound traffic from SmartMachine to anyone
        * Block traffic from a specific IP address
        * Block traffic from a specific range
        * Block traffic from anyone to a specific IP
        * Block icmp only from a specific IP
        * Block a specific port from anyone
        * Setup a default deny policy, block all ports except 443 and 80
    * Testing IPF rules

        * Debugging what ipfilter is doing


More information on using IPF can be found in this Oracle IPF Documentation

Starting and Stopping IPfilter
The IPfilter process is configured to run under the Service Management Facility.

IPfilter is disabled by default. You need to use svcadm to enable, disable, start or stop the service. For initial setup of the service:
svccfg -s network/ipfilter:default setprop firewall_config_default/policy = astring: custom

svccfg -s network/ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"

svcadm refresh ipfilter

svcadm enable ipfilter
Use restart to restart the service:
svcadm restart ipfilter
To check the status of the service, filter the output of svcs with grep:
svcs -a | grep ipfilter
online         20:49:27 svc:/network/ipfilter:default
Sample IPfilter rules
IPfilter rules are contained in /etc/ipf/ipf.conf:
    * src.ip.addr specifies the source.
    * dest.ip.addr specifies the destination.

Allow inbound traffic from a specific IP address
pass in quick from src.ip.addr to dest.ip.addr
Allow inbound traffic from a specific IP address to a specific port
pass in quick from src.ip.addr to dest.ip.addr port=22
Allow inbound traffic icmp only from a specific IP address
pass in quick proto icmp from src.ip.addr to dest.ip.addr keep state
Allow outbound traffic from SmartMachine to anyone
pass out from src.ip.addr to any keep state
Block traffic from a specific IP address
block in from src.ip.addr to dest.ip.addr
Block traffic from a specific range
block in from src.ip.addr/xx to dest.ip.addr
Block traffic from anyone to a specific IP
block in from any to dest.ip.addr
Block icmp only from a specific IP
block in proto icmp from src.ip.addr to dest.ip.addr
Block a specific port from anyone
(Use proto tcp to block only on TCP. Otherwise, it blocks both TCP and UDP.)

block in from any to dest.ip.addr port = 22
(22 is only an example; substitute the port you want to block.)
Set up a default deny policy, block all ports except 443 and 80
pass out from src.ip.addr to any keep state
pass in quick proto tcp from any to dest.ip.addr port=443
pass in quick proto tcp from any to dest.ip.addr port=80
block in from any to dest.ip.addr

The pass rules use quick so that a matching packet is accepted immediately; without quick, IPFilter applies the last matching rule, which here would be the final block. Note that this rule set also blocks SSH: add a pass rule for port 22 from your management IP above the block rule (as in the examples above) before loading it, or you will lock yourself out of the machine.

CIDR ranges can be used in any rule: write x.x.x.x/xx instead of a single IP address.

Testing IPF rules
You can use this command to list the inbound and outbound rules that are currently loaded (add -h to the flags to see per-rule hit counts, which confirms whether traffic is actually matching the rule you expect):
ipfstat -io
Debugging what ipfilter is doing
You can use ipmon to write data to a logfile and then tail the logfile. ipmon only records packets that match rules carrying the log keyword (for example, block in log from any to dest.ip.addr), so add log to the rules you want to trace:
ipmon -aD /var/log/ipmon.log
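The script below is an added illustration, not part of the Joyent page or of IPFilter itself. It ties together the default-deny rule set and the ipmon debugging step: build_ruleset generates a complete /etc/ipf/ipf.conf that keeps SSH reachable from a management block (so the default deny does not lock you out), and count_blocked tallies blocked inbound connections per source address from an ipmon log. The addresses (198.51.100.7 for the SmartMachine, 203.0.113.0/24 as the management block), the interface name net0 and the log lines are constructed; the log lines follow the layout of ipmon's text output (date, time, interface, @group:rule, action letter b/p, src,port -> dst,port, ...), which is assumed here and should be checked against your own log before relying on the field positions.

```shell
#!/bin/sh
# Added example (not from the Joyent wiki page). All addresses, the
# interface name and the log lines below are constructed.

# build_ruleset SELF_IP MGMT_CIDR PORT...
# Emits a default-deny rule set: outbound allowed with state, SSH only
# from the management block, the listed TCP ports from anywhere, and a
# final logged block so that ipmon can show what was dropped.
build_ruleset() {
  self="$1"; mgmt="$2"; shift 2
  printf 'pass out from %s to any keep state\n' "$self"
  printf 'pass in quick proto tcp from %s to %s port = 22 keep state\n' "$mgmt" "$self"
  for p in "$@"; do
    printf 'pass in quick proto tcp from any to %s port = %s keep state\n' "$self" "$p"
  done
  printf 'block in log from any to %s\n' "$self"
}

# count_blocked < LOGFILE
# Reads ipmon text output on stdin and prints "source count" for every
# source address whose inbound packets were blocked (action letter "b",
# direction "IN"), sorted by address. Field positions assume the ipmon
# layout described in the lead-in.
count_blocked() {
  awk '$5 == "b" && $NF == "IN" { split($6, a, ","); n[a[1]]++ }
       END { for (s in n) printf "%s %d\n", s, n[s] }' | sort
}

# Constructed ipmon log lines standing in for /var/log/ipmon.log.
sample_log() {
cat <<'EOF'
10/03/2013 20:49:27.123456 net0 @0:5 b 192.0.2.9,51234 -> 198.51.100.7,22 PR tcp len 20 60 -S IN
10/03/2013 20:49:28.223456 net0 @0:5 b 192.0.2.9,51235 -> 198.51.100.7,3306 PR tcp len 20 60 -S IN
10/03/2013 20:49:29.323456 net0 @0:2 p 203.0.113.5,40000 -> 198.51.100.7,22 PR tcp len 20 60 -S IN
10/03/2013 20:49:30.423456 net0 @0:5 b 198.18.0.4,123 -> 198.51.100.7,123 PR udp len 20 76 IN
EOF
}

# Demo run: print the generated rule set, then the blocked-source summary.
# On a SmartMachine you would redirect build_ruleset's output to
# /etc/ipf/ipf.conf and restart the ipfilter service as shown above.
build_ruleset 198.51.100.7 203.0.113.0/24 80 443
sample_log | count_blocked
```

The generated file has five rules in the order IPFilter needs: the pass rules carry quick so they win immediately, and the logged block comes last to catch everything else. Against the constructed log, count_blocked reports 192.0.2.9 with two blocked attempts and 198.18.0.4 with one; the passed SSH connection from the management block is not counted.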
More information on IPF can be found in this Oracle documentation
Source: <http://wiki.joyent.com/wiki/display/jpc2/Using+IPFilter+Rules>