Using IPFilter Rules

IPfilter is disabled by default. The service is managed through SMF: svcadm enables, disables, starts and stops it, and svccfg points it at your own rule file instead of the stock policy. For initial setup of the service, switch the policy to "custom" and name the file that holds your rules:
svccfg -s network/ipfilter:default setprop firewall_config_default/policy = astring: custom
svccfg -s network/ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"
svcadm refresh ipfilter
svcadm enable ipfilter
Starting and Stopping IPfilter
svcadm enable ipfilter
svcs -a | grep ipfilter
online         20:49:27 svc:/network/ipfilter:default
To stop the service again:
svcadm disable ipfilter
Adding your own rules
#
# ipf.conf
#
# IP Filter rules to be loaded during startup.
#
# Placeholders to replace before loading:
#   my_ip    this host's own address on localvnic0 (the /32 in the "pass out" rules)
#   src_ip   the single remote address allowed to reach the host
#   dst_net  the local /23 network that holds the host
#
# Pass out as if we were a single internet client. "keep state" lets the
# replies back in without an explicit "pass in" rule for them.
pass out log quick on localvnic0 proto tcp from my_ip/32 to any keep state
pass out log quick on localvnic0 proto udp from my_ip/32 to any keep state
pass out log quick on localvnic0 proto icmp from my_ip/32 to any keep state
#
# By default, block and log everything inbound. Short fragments are dropped
# at once; everything else is blocked unless a later "pass in ... quick"
# rule matches (without "quick", the last matching rule wins).
block in log quick all with short
block in log on localvnic0 all
#
# Allow inbound SSH and ICMP only from a specific IP address. A "port"
# clause needs a protocol, so the SSH rule must name proto tcp.
pass in log quick on localvnic0 proto tcp from src_ip to dst_net/23 port = 22 keep state
pass in log quick on localvnic0 proto icmp from src_ip to dst_net/23
Activating a new ipfilter rule

ipf -Fa -f /etc/ipf/ipf.conf
-Fa flushes every active rule before -f loads the file, and a kernel with no rules loaded passes all traffic, so parse the file in no-change mode first and only flush once it is accepted:
ipf -n -f /etc/ipf/ipf.conf

Testing IPF rule

ipfstat -io
-io lists the inbound and outbound rules that are actually active, which is the quickest way to spot a rule that failed to load. ipfstat -hio adds a hit counter per rule, so you can make a test connection from src_ip and see which rule it matched; packets matched by the rules tagged log are read with ipmon.
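The whole procedure (SMF setup, rule check, flush and load, verify) in one script, as an added example that is not code from the original post or from Joyent. It lints the rule file in plain shell for an easy mistake in hand-written rules (a port clause with no protocol), then, where the ipf binary exists, parses the file in no-change mode with ipf -n before flushing and loading it, so a bad file never leaves the host with an empty rule set. The file path and service names are the ones used above; the function names, the lint itself and the assumption that ipf exits nonzero on a parse error are mine.

```shell
#!/bin/sh
# Added example (not from the original post or from Joyent): deploy an
# ipf.conf on a SmartOS/illumos host without ever flushing the active
# rules for a file that will not load.

# enable_custom_policy FILE
# One-time SMF setup from the top of the post. Skipped where svccfg is
# absent so the script can be dry-run on any machine.
enable_custom_policy() {
    file=$1
    if ! command -v svccfg >/dev/null 2>&1; then
        echo "svccfg not found; skipping SMF setup" >&2
        return 0
    fi
    svccfg -s network/ipfilter:default setprop firewall_config_default/policy = astring: custom
    svccfg -s network/ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "$file"
    svcadm refresh ipfilter
    svcadm enable ipfilter
}

# lint_ipf_rules FILE
# Return 0 when every rule that uses "port" also names proto tcp, udp or
# tcp/udp (ipf rejects "port" without a protocol); otherwise print each
# offending line and return 1. Blank lines and comment lines are skipped.
lint_ipf_rules() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line                     # split the rule into tokens
        if [ $# -eq 0 ]; then continue; fi
        case $1 in '#'*) continue ;; esac
        has_port=0
        proto=
        while [ $# -gt 0 ]; do
            case $1 in
                port)  has_port=1 ;;
                proto) proto=$2 ;;       # the token after "proto"
            esac
            shift
        done
        if [ "$has_port" -eq 1 ]; then
            case $proto in
                tcp|udp|tcp/udp) ;;
                *) echo "$file:$n: port used without proto tcp/udp: $line" >&2
                   bad=1 ;;
            esac
        fi
    done < "$file"
    return "$bad"
}

# load_ipf_rules FILE
# "ipf -Fa" empties the active rules before "-f" loads the new ones, and a
# kernel with no rules passes all traffic, so lint the file and parse it in
# no-change mode ("ipf -n -f") first; a file that fails either check is
# never loaded. Assumes ipf exits nonzero on a parse error.
load_ipf_rules() {
    file=$1
    lint_ipf_rules "$file" || return 1
    if ! command -v ipf >/dev/null 2>&1; then
        echo "ipf not found on this host; lint passed, nothing loaded" >&2
        return 0
    fi
    if ! ipf -n -f "$file" >/dev/null 2>&1; then
        echo "ipf -n rejected $file; active rules left untouched" >&2
        return 1
    fi
    ipf -Fa -f "$file" && ipfstat -io
}

# Usage: sh ipf-deploy.sh /etc/ipf/ipf.conf
if [ $# -gt 0 ]; then
    enable_custom_policy "$1" && load_ipf_rules "$1"
fi
```

The lint is deliberately narrow: it only knows about the port/proto pairing, and leaves real syntax checking to ipf -n, which parses with the same grammar the kernel load will use.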

Reference

http://wiki.joyent.com/wiki/display/jpc2/Using+IPFilter+Rules#UsingIPFilterRules-AllowinboundtrafficicmponlyfromaspecificIPaddress
