IP Filter: Small UNIX Packet Filter

Source: Internet
Author: User

IP Filter is a software package that enables network address translation (NAT) or firewall services. It can be used as a core module of UNIX, you can also choose not to embed the core, it is strongly recommended to use it as the core module of UNIX. install and use scripts to patch system files. IP Filter is built into FreeBSD, NetBSD, and Solaris. OpenBSD can use Openbsd PF, linux users can use Netfilter. Installation Steps: Install Version 3.4.17 in this article to put the downloaded ip-filtersource code file ip-fil3.4.17.tar.gz in the/tmp directory, run the gzip-d ip-fil3.4.17.tar.gz tar-xvf ip-fil3.4.17.tar cd ip_fil3.4.17 make sunos5 to compile the downloaded source package. When the IP Filter is compiled successfully, the installation process uses the common packaging methods of solaris, it will create the corresponding package file in the/var/spool/pkg directory. In the installation directory, enter make solaris to compile all the required binary files, note that you cannot use GNU make for compiling. Go to the SunOS5 directory of the installation directory and run the make package command. This command creates an "ipf. pkg "package file, automatically start the pkgadd process at the same time. If you manually start the package process, you need to enter: pkgadd-d ipf. pkg. After the installation is complete, the IP Filter will be installed in the/opt/ipf directory, and at the same time in the/etc/opt/ipf create a name named "ipf. conf "Filter configuration file, which is empty at the beginning. IP Filter is started by running/etc/init. d/ipfboot to start, execute ipfboot start to start IP Filter. Create an IP Filter configuration file, /opt/ipf/bin/mkfilters can generate basic configuration files by executing the following command: #/opt/ipf/bin/mkfilters>/etc/opt/ipf. each time ipf is added or modified in conf. after the conf file, you must restart ipfboot to read the configuration file again. The specific method is as follows:/etc/init. d/ipfboot reloadwww.myhack58.com. A typical IP-Filter configuration is described in two parts. The first part is the basic rule policy configuration of the IP-Filter firewall; the second part is the advanced rule policy configuration of the IP-Filter firewall. Note: All the following configuration statements can be added to/etc/opt/ipf. in the conf file, but you need to restart ipfboot to make the configuration take effect. IP-Filter uses the top-down method for rule processing, in IP-Filter, if the keyword "quick" is added to any rule, the matching speed of the rule can be accelerated. IP-Filter firewall's basic rule Policy Configuration: IP address-based basic filtering method: block in quick from 192.168.0.0/24 to any pass in all apply this rule to block all packets from the 192.168.0.0 segment, however, packages of other network segments are allowed to enter the firewall without any restrictions on outgoing packets. The basic filtering method based on IP addresses and firewall interfaces is as follows: block in quick on hme0 from 192.168.0.0/24 to any block in quick on hme0 from 172.16.0.0/16 to any pass in all apply this rule will block all the hme0 ports from 192.168.0.0 and 172.16.0.0 package entry, however, packages of other network segments are allowed to enter the firewall without any restrictions on the outgoing packets. Use the "out" keyword to filter the outgoing packets: pass out quick on hme0 from 192.168.0.0/24 to any block out quick on hme0 from any to any apply this rule to allow all packets from the 192.168.0.0 network segment to go out through the firewall, however, all packets from other network segments will be blocked in the firewall and cannot go out. Use the "log" keyword to record the packet filtering condition: block in quick on hme0 from 192.168.0.0/24 to any block in log quick on hme0 from 172.16.0.0/16 to any pass in all apply this rule, it will block the use of hme0 ports from 192.168.0.0 and 172.16.0.0 network segments of all packages, at the same time, the filtering status of all packets in the 172.16.0.0 network segment is recorded, but packets in other network segments are allowed to enter the firewall, at the same time, no restrictions are imposed on outgoing packets. A full two-way Filtering Method Based on IP addresses and firewall interfaces: block out quick on hme0 from any to 192.168.0.0/24 block out quick on hme0 from any to 172.16.0.0/16 block in quick on hme0 from 192.168.0.0/24 to any block in quick on hme0 from 172.16.0.0 /16 to any pass in all after applying this rule, all packets from 192.168.0.0 and 172.16.0.0 through the hme0 port will be blocked from entering and going out, however, allow packages of other network segments to enter the firewall without any restrictions on the outgoing packets. Use the "proto" keyword to control specific protocols: block in log quick on hme0 proto icmp from any to 192.168.0.40/32 apply this rule to prevent any icmp packets that are pinged to 192.168.0.40. Use the "ICMP-type" keyword to filter icmp packets, merge rule sets. pass in quick on hme0 proto icmp from any to 192.168.0.0/24 icmp-type 0 pass in quick on hme0 proto icmp from any to 192.168.0.0/24 icmp-type 11 block in log quick on hme0 proto icmp from any to any after applying this rule, only the ICMP protocol types 0 and 11 are allowed (type0 & type11) the packet enters the firewall through the hme0 port, and prevents any ICMP protocol that you want to access through the hme0 port, logs the packets matching the rule. Use the "port" keyword to filter TCP and UDP ports: block in log quick on hme0 proto tcp from any to 192.168.0.0/24 port = 513 block in log quick on hme0 proto tcp from any to 192.168.0.0/24 port = 8080 block in log quick on hme0 proto tcp from any to 192.168.0.0/24 port = 23 pass in all after applying this rule, data communication from the 192.168.0.0 network segment to the firewall is blocked through ports 8080 and 23, however, packets of other network segments are allowed to enter the firewall without any restrictions on the outgoing packets. The advanced rules and policies of the IP-Filter firewall are configured as follows: use the "keep state" keyword to create a default rule block in quick on hme0 all pass out quick on hme0 proto tcp from allow timeout 20.1/32 to any keep state. Applying this rule will first prevent access from the hme0 Port packet, to improve the firewall performance by using a Rule group (Rule Groups), you can add more and more complex rules to expand the firewall performance. The following example modifies the Interface Name and network number, assume that the firewall has three interfaces: xl0, xl1, and xl2. The external network connected by xl0 is 255.20.0/26; the external network connected by xl1 is DMZ region 20171000020.0/26; xl2 is connected to the protected CIDR Block 255.255.255.128/25. The rules applied to this firewall are as follows:

block in quick on xl0 all head 1 block in quick on xl0 from 192.168.0.0/16 to any group 1 block in quick on xl0 from 172.16.0.0/12 to any group 1 block in quick on xl0 from 10.0.0.0/8 to any group 1 block in quick on xl0 from 127.0.0.0/8 to any group 1 block in quick on xl0 from 0.0.0.0/8 to any group 1 block in quick on xl0 from 169.254.0.0/16 to any group 1 block in quick on xl0 from 192.0.2.0/24 to any group 1 block in quick on xl0 from 204.152.64.0/23 to any group 1 block in quick on xl0 from 224.0.0.0/3 to any group 1 block in log quick on xl0 from 20.20.20.0/24 to any group 1 block in log quick on xl0 from any to 20.20.20.0/32 group 1 block in log quick on xl0 from any to 20.20.20.63/32 group 1 block in log quick on xl0 from any to 20.20.20.64/32 group 1 block in log quick on xl0 from any to 20.20.20.127/32 group 1 block in log quick on xl0 from any to 20.20.20.128/32 group 1 block in log quick on xl0 from any to 20.20.20.255/32 group 1 pass in on xl0 all group 1 pass out on xl0 all block out quick on xl1 all head 10 pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10 pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group 10 pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 20 flags S keep state group 10 pass out quick on xl1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state group 10 pass out quick on xl1 proto udp from any to 20.20.20.65/32 port = 53 keep state group 10 pass out quick on xl1 proto tcp from any to 20.20.20.66/32 port = 53 flags S keep state pass out quick on xl1 proto udp from any to 20.20.20.66/32 port = 53 keep state group 10 pass in quick on xl1 proto tcp/udp from 20.20.20.64/26 to any keep state block out on xl2 all pass in quick on xl2 proto tcp/udp from 20.20.20.128/25 to any keep state

 

After this rule is applied, the firewall will complete the following functions: disable access from 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/231, 224.0.0.0/ 3. Route route 20.0/24, route 20.0/32, route 0000000063/32, route 0000000064/32, route 00000000127/32, route 00000000128/32, route 00000000255/32, and other network segment data packets enter, at the same time, this rule is written by binding these rules into a group. At the same time, there is no limit on outbound packages passed from Xl0 ports. In the DMZ zone, Zookeeper limit 64/26 machines in the CIDR Block allow them to use the www and ftp services, for machines with IP addresses 255.255.255.255.65/32, they are allowed to provide external DNS services. For the Intranet security zone, more strict security rules are applied. Only machines with CIDR blocks of 255.255.255.255.128/25 can access the Intranet, at the same time, all machines in other network segments are blocked from accessing the Intranet. For NAT applications on IP-Filter, you must first enable the Solaris ip_forwarding switch and run the following command: # ndd-get/dev/tcp ip_forwarding: You can query whether ip_forwarding is enabled. If it is 0, ip_forwarding is disabled. You can enter: # enable ndd-set/dev/tcp ip_forwarding 1. The following is an example of a NAT rule: map hme0 192.168.100.0/24-> 0/32 proxy port ftp/tcp map hme0 192.168.100.0/24-> 0/32 portmap tcp/udp map hme0 192.168.100.0/24-> 0/32 after applying the above rules, you can implement the following functions: the first rule allows all hosts in the Intranet to access the Internet through the ftp of the hme0 port. The second rule maps the high-end ports 10000 to 40000, some network services are allowed to access through this port range. The last rule maps some common TCP traffic to inbound and outbound networks. For applying NAT rules on IP-Filter, you can use the ipnat command to start the instance. In this case, the NAT rule can be stored in any file, but in typical cases, the rule file is still stored in/etc/ipnat. rules;/usr/local/etc/ipnat. rules;/etc/opt/ipf/ipnat. rules, medium, you can use the-r parameter to remove the NAT rules that have been added to the rule set. For the NAT rule set detection, run the-l parameter. The simplest method to load NAT rules is: # ipnat-CF-f/etc/ipnat. rules monitors and debugs IP-Filter: ipfstat attributes and usage: ipfstat displays the list of data filtered by your firewall, such: how many packets are filtered by the firewall, how many packets are blocked, and whether the log function is enabled? The following information is output after ipfstat is run: # ipfstat input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0 input packets logged: blocked 99286 passed 0 output packets logged: blocked 0 passed 0 packets logged: input 0 output 0 log failures: input 3898 output 0 fragment state (in): kept 0 lost 0 fragment state (out): kept 0 lost 0 packet state (in ): kept 169364 lost 0 packet state (out): kept 431395 lost 0 ICMP replies: 0 TCP RSTs sent: 0 Result cache hits (in): 1215208 (out): 1098963 IN Pullups succeeded: 2 failed: 0 OUT Pullups succeeded: 0 failed: 0 Fastroute successes: 0 failures: 0 TCP cksum fails (in): 0 (out): 0 Packet log flags set: (0) none you can use the-I and-o parameters to display the currently loaded Input and Output rules. attributes and Applications of Ipmon tool: Ipmon is a tool for collecting system snapshots, ipmon can directly view the logs of packets generated by the "log" keyword in the rule. This tool can run on both the foreground and log deamon. You can use the following command to start ipmon.:
  # ipmon -o S 01/08/1999 15:58:57.836053 STATE:NEW 100.100.100.1,53 -> 20.20.20.15,53 PR udp 01/08/1999 15:58:58.030815 STATE:NEW 20.20.20.15,123 -> 128.167.1.69,123 PR udp 01/08/1999 15:59:18.032174 STATE:NEW 20.20.20.15,123 -> 128.173.14.71,123 PR udp 01/08/1999 15:59:24.570107 STATE:EXPIRE 100.100.100.1,53 -> 20.20.20.15,53 PR udp Pkts 4 Bytes 356 01/08/1999 16:03:51.754867 STATE:NEW 20.20.20.13,1019 -> 100.100.100.10,22 PR tcp 01/08/1999 16:04:03.070127 STATE:EXPIRE 20.20.20.13,1019 -> 100.100.100.10,22 PR tcp Pkts 63 Bytes 4604

 

Some adjustments to Solaris kernel parameters: Ip Forwarding part: # ndd-set/dev/ip ip_forwarding 1 port adjustment part: # ndd-set/dev/tcp tcp_smallest_anon_port 25000 # ndd-set/dev/tcp tcp_largest_anon_port 65535 other useful parameters: # ndd-set/dev/ip ip_forward_directed_broadcasts 0 # ndd-set/dev/ip ip_forward_src_routed 0 # ndd-set/dev/ip ip_respond_to_echo_broadcast 0

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.