Detailed description of Solaris10IPFilter technology

Source: Internet
Author: User
Solaris 10 integrated a lot of open source software, and IP Filter is one of them. This package directly replaces the original SunScreen firewall package and completely covers its functions. It provides stateful packet filtering and network address translation (NAT), and it also provides stateless packet filtering and the ability to create and manage address pools. Packet filtering is the most direct and effective way to protect against network attacks. Solaris IP Filter can filter network packets by IP address, port, protocol and network interface (NIC) according to different requirements; it can also filter by a single source or destination IP address, by an IP address range, or by an IP address pool. In other words, the policies it can express are very flexible.

Solaris IP Filter configuration files

The firewall and NAT functions provided by the Solaris IP Filter package are configured through their own configuration files, which live in the /etc/ipf directory: ipf.conf, ipnat.conf and ippool.conf. As long as they are stored in /etc/ipf, these files are read automatically during system boot.

Solaris IP Filter packet filtering

The packet filtering feature lets you set up firewall functions easily with a packet filtering rule set. The ipf command is used to load these rule sets. The rules can be entered on the command line or written to the configuration file. The /etc/ipf/ipf.conf file contains all packet filtering rules and is read by the ipfilter service during system boot. If ipf.conf is not stored in /etc/ipf/, the rules are not read at boot, but they can still be loaded dynamically afterwards. Solaris IP Filter maintains two rule sets at the same time: the active one (in the kernel) and an inactive one.

IP Filter walks the rule set from the first line to the last and sets a flag on each match; based on this flag it decides whether to pass or block the packet. There are two exceptions to this start-to-end traversal: rules that contain the quick keyword and rules that contain the group keyword. If a matching rule contains quick, rule processing ends at that line and the remaining rules are not read. If a rule contains group, it is applied only to packets that carry that group flag.

Solaris IP Filter syntax

Each line of /etc/ipf/ipf.conf has the following form:

    action [in | out] option keyword, keyword...

1. action is the first part of each rule: the action taken when the rule matches.
    block    block the packet
    pass     allow the packet
    log      log the packet, whether passed or blocked; view the log with the ipmon command
    count    count the packet; view the statistics with ipfstat
    skip number    skip the next number rules during filtering
    auth     authenticate the packet through a user program (a packet authorization request)
    preauth  look up the pre-authorization table to decide how to handle the packet

2. action must be followed by in or out: in for incoming packets, out for outgoing packets.

3. The third part is the rule options. If the following options are used, they must be written in this order:
    log      if this is the last rule matched, the packet is logged
    quick    if the matching rule contains quick, the packet is handled by this rule and the following rules are not read
    on interface-name    only packets entering or leaving the named NIC can match this rule
    dup-to interface-name    copy the packet on the named NIC and send the copy to the specified IP address
    to interface-name    move the packet to the named NIC

4. The fourth part is the packet matching criteria:
    tos      filter by type of service, expressed as a hexadecimal or decimal integer
    ttl      match by the packet's time-to-live value, which is stored in the packet header
    proto    match by the named protocol; any protocol named in /etc/protocols can be used, for example tcp/udp matches TCP or UDP packets
    from / to / all / any    match on source IP address, destination IP address and port number; all and any match every packet
    with     match packets that carry the named attribute; inserting not or no inverts the match, so the rule matches only when the attribute is absent
    flags    for TCP packets only, match when the given TCP flags are set
    icmp-type    filter by ICMP type
    keep state    keep state information for the matching packets; keep options is valid only together with keep state
    head number    create a new group of filter rules, marked with number
    group number    add the rule to the group with that number instead of the default group

The rule examples are described in detail later.

Solaris IP Filter network address translation (NAT)

NAT is a set of mapping rules responsible for mapping the source and destination IP addresses of packets to another IP address or Internet address. These rules rewrite the source and destination IP addresses so that the packets reach the correct address. NAT can also redirect packets from one port to another. You can use the ipnat command to define and maintain the NAT list, or you can maintain it in a configuration file: the rules are written in ipnat.conf. As with the packet filtering configuration file, store ipnat.conf in the /etc/ipf directory if it should be read at boot; otherwise it can be stored in any directory and loaded with the command. The NAT list is configured with the following syntax:

    command interface-name parameters

1. Each rule must start with one of the following keywords:
    map      map an IP address or network to another IP address or network
    rdr      redirect from one IP address and port pair to another IP address and port pair
    bimap    create a bidirectional NAT between an external IP address and an internal IP address
    map-block    create a static IP address translation

2. The second part is the name of the network interface.

3. The third part is some of the following parameters:
    ipmask   the network mask
    dstipmask    the IP mask of the network address being translated to
    mapport  the tcp, udp or tcp/udp port, or a range of port numbers

Solaris IP Filter IP address pools

An IP address pool creates a named reference for a group of address/port pairs. This greatly reduces the time rules spend matching IP addresses and improves processing efficiency. IP address pool rules are placed in the ippool.conf file; like the filter and NAT files, put it in the /etc/ipf/ directory if it should be loaded into the kernel at boot. An IP address pool is configured with the following syntax:

    table role = role-name type = storage-format number = reference-number

table defines a reference table for multiple addresses; role specifies the role the pool plays in Solaris IP Filter; type specifies the storage format of the pool; number is the reference number by which filtering rules refer to the pool.

Activating IP Filter with the pfil STREAMS module

To activate Solaris IP Filter, the pfil STREAMS module must be used. Solaris IP Filter does not provide an automatic mechanism to push the module onto each interface (NIC); instead, the pfil STREAMS module is managed through the SMF service svc:/network/pfil. To enable packet filtering on a NIC, configure the pfil.ap file for that NIC and activate svc:/network/pfil so that the pfil STREAMS module serves each NIC. For the module to take effect, one of two methods must be used: reboot the system, or unplumb and then plumb the network interface manually.

Solaris IP Filter configuration guide

1. Enable IP Filter. The Solaris IP Filter software is integrated in Solaris 10 and later versions, but the service is not enabled by default. Follow these steps to enable it:
    a. Log on to the system as a user allowed to manage IP Filter, or directly as root.
    b. Create the filter rule configuration file /etc/ipf/ipf.conf.
    c. Enable the system filter function: svcadm enable network/ipfilter

The following steps enable the filter function on a specific NIC:
    a. Create the pfil.ap file for the NIC. The file lists the NICs that require packet filtering; you only need to write the NIC name, for example:
           bge -1 0 pfil
    b. Restart the process so it reads the file content: svcadm restart network/pfil
    c. Alternatively, activate the NIC packet filtering policy by rebooting the system (# sync; init 6), or by manually stopping and re-enabling the NIC and configuring its IP address:
           # ifconfig bge0 unplumb
           # ifconfig bge0 plumb 192.168.0.199/24 up

2. Re-enable IP Filter. After the configuration file is modified, the process must re-read the file content for the newly modified packet filtering rules to take effect:
    # ipf -D                     stop the filter
    # ipf -E                     enable the filter
    # ipf -f /etc/ipf/ipf.conf   read the ipf.conf file again

Solaris IP Filter configuration file examples

The following content describes the configuration in detail and is mainly intended as a reference for writing packet filter rule policies:

1. By default, log all incoming and outgoing packets on nxge0:
    pass in log on nxge0 all
    pass out log on nxge0 all

2. Block, but do not log. When the configuration file is read, as soon as a packet matches one of these lines, the subsequent rule lines are no longer read:
    block in quick on nxge0 from 10.0.0.0/8 to any
    block in quick on nxge0 from 172.16.0.0/12 to any

3. Block and log all packets from an untrusted internal IP address; 192.168.100.100/32 is the machine running IP Filter:
    block in log quick from 192.168.0.15 to 192.168.100.100/32

4. Block and log all X11 (port 6000) packets, as well as RPC and portmapper (port 111) packets; 192.168.100.100/32 is the machine running IP Filter:
    block in log quick on nxge0 proto tcp from any to 192.168.100.100/32 port = 6000 keep state
    block in log quick on nxge0 proto tcp/udp from any to 192.168.100.100/32 port = 111 keep state

5. Flexible use of quick:
    pass in quick on nxge0 from 192.168.0.101/32 to any
    pass out quick on nxge0 from 192.168.0.101/32 to any
    pass in quick on nxge0 from 192.168.0.200/32 to any
    pass out quick on nxge0 from 192.168.0.200/32 to any
    block in quick on nxge0 from 192.168.0.0/24 to any
    block out quick on nxge0 from 192.168.0.0/24 to any

This example blocks all incoming and outgoing packets of the 192.168.0.0/24 network segment, but packets of the hosts 192.168.0.101 and 192.168.0.200 can still be sent and received normally. This is what flexible use of quick means: once a rule with quick matches, the subsequent rules are not read, so the later rows can block everything else in the segment.
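The difference between the default last-match-wins walk and the quick short-circuit described above is easy to misjudge when writing rules. The following simulator is an added example, not code from the article or from the IP Filter project: it parses the subset of ipf.conf syntax used in the article's examples (block/pass, in/out, log, quick, on, proto, from/to with CIDR or any, all, port = N, keep state) and evaluates a packet against the article's example 4 and example 5 rule sets, once as written and once with quick removed. State is parsed but not tracked, and the assumption that a packet matching no rule is passed is labelled in the code.

```python
"""Simulator for a subset of Solaris IP Filter (ipf.conf) rule semantics.

Added example, not part of the original article or of IP Filter itself.
Assumption: a packet that matches no rule is passed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                     # "block" or "pass"
    direction: str                  # "in" or "out"
    log: bool = False
    quick: bool = False
    iface: Optional[str] = None     # None = any interface
    proto: Optional[str] = None     # "tcp", "tcp/udp", ...; None = any
    src: Optional[ipaddress.IPv4Network] = None   # None = any
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    text: str = ""


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one line: action [in|out] options... matching criteria."""
    t = line.split()
    if len(t) < 2 or t[0] not in ("block", "pass") or t[1] not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    r, i = Rule(action=t[0], direction=t[1], text=line.strip()), 2
    while i < len(t):
        k = t[i]
        if k in ("log", "quick"):
            setattr(r, k, True)
            i += 1
        elif k == "all":                      # shorthand for "from any to any"
            i += 1
        elif k in ("on", "proto"):
            setattr(r, "iface" if k == "on" else "proto", t[i + 1])
            i += 2
        elif k in ("from", "to"):
            setattr(r, "src" if k == "from" else "dst", _addr(t[i + 1]))
            i += 2
        elif k == "port" and t[i + 1] == "=":
            r.dport = int(t[i + 2])
            i += 3
        elif k == "keep" and t[i + 1] == "state":
            i += 2                            # accepted, state not tracked here
        else:
            raise ValueError(f"unsupported keyword {k!r} in: {line!r}")
    return r


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def matches(r: Rule, p: Packet) -> bool:
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or p.proto in r.proto.split("/"))
            and (r.src is None or src in r.src)
            and (r.dst is None or dst in r.dst)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str], bool]:
    """Walk first to last; the last matching rule sets the flag, except that a
    matching rule with quick ends the walk at once. Returns (verdict, rule, logged)."""
    verdict, matched, logged = "pass", None, False   # assumed default: pass
    for r in rules:
        if matches(r, p):
            verdict, matched, logged = r.action, r.text, r.log
            if r.quick:
                break
    return verdict, matched, logged


def strip_quick(text: str) -> str:
    """The same rules without quick, to expose last-match-wins behaviour."""
    return "\n".join(" ".join(w for w in l.split() if w != "quick")
                     for l in text.splitlines())


# Rule sets copied from the article's examples 5 and 4.
EXAMPLE5 = """
pass  in  quick on nxge0 from 192.168.0.101/32 to any
pass  out quick on nxge0 from 192.168.0.101/32 to any
pass  in  quick on nxge0 from 192.168.0.200/32 to any
pass  out quick on nxge0 from 192.168.0.200/32 to any
block in  quick on nxge0 from 192.168.0.0/24 to any
block out quick on nxge0 from 192.168.0.0/24 to any
"""
EXAMPLE4 = """
block in log quick on nxge0 proto tcp from any to 192.168.100.100/32 port = 6000 keep state
block in log quick on nxge0 proto tcp/udp from any to 192.168.100.100/32 port = 111 keep state
"""


def verdict_for(ruleset_text: str, **pkt) -> str:
    return evaluate(parse_ruleset(ruleset_text), Packet(**pkt))[0]


if __name__ == "__main__":
    # Constructed packet: the trusted host 192.168.0.101 talking outbound via nxge0
    host = dict(direction="in", iface="nxge0", proto="tcp",
                src="192.168.0.101", dst="10.1.1.1", dport=80)
    print("with quick   :", verdict_for(EXAMPLE5, **host))
    print("without quick:", verdict_for(strip_quick(EXAMPLE5), **host))
```

With quick in place the first pass rule decides and the trusted host is passed; with quick stripped, the later block rule for 192.168.0.0/24 is the last match and the same packet is blocked, which is exactly why the article puts the host-specific pass rules first and marks them quick.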