|IPFILTER(5)||Standards, Environments, and Macros||IPFILTER(5)|
Solaris IP Filter is installed with the Solaris operating system. However, packet filtering is not enabled by default. See ipf(1M) for a procedure to enable and activate the IP Filter feature.
In a given zone, a three-layer approach with different precedence levels helps the user achieve the desired behaviors.
Global Override | | Network Services | | Global Default
A firewall policy includes a firewall mode and an optional set of network sources. Network sources are IP addresses, subnets, and local network interfaces, from all of which a system can receive incoming traffic. The basic set of firewall modes are:
The Network Services layer contains firewall policies for local programs that provide service to remote clients, for example, telnetd, sshd, and httpd. Each of these programs, a network service, has its own firewall policy that controls access to its service. Initially, a service's policy is set to inherit Global Default policy, a "Use Global Default" mode. This makes it simple to set a single policy, at the Global Default layer, that can be inherited by all services.
When a service's policy is different from Global Default policy, the service's policy has higher precedence. If Global Default policy is set to block all traffic from a subnet, the SSH service could be configured to allow access from certain hosts in that subnet. The set of all policies for all network services comprises the Network Service layer.
The second system-wide layer, Global Override, has a firewall policy that also applies to any incoming network traffic. This policy has highest precedence and overrides policies in the other layers, specifically overriding the needs of network services. The example is when it is desirable to block known malicious source(s) regardless of services' policies.
A user configures a firewall by setting the system-wide policies and policy for each network service. See svc.ipfd(1M) on how to configure a firewall policy.
The firewall framework composes of policy configuration and a mechanism to generate IP Filter rules from the policy and applying those rules to get the desired IP Filter configuration. A quick summary of the design and user interaction:
For inbound traffic (from an external source to the zone), the traffic flow looks like the following diagram. Traffic blocked by the GZ-controlled firewall will not be processed by the in-zone firewall.
External Source | | GZ-controlled Firewall | | In-Zone Firewall | | Zone
For outbound traffic (from the zone to an external destination), the traffic flow looks like the following diagram. Traffic blocked by the in-zone firewall will not be processed by the GZ-controlled firewall.
Zone | | In-Zone Firewall | | GZ-controlled Firewall | | External Destination
Either of the in-Zone or GZ-controlled firewalls can be enabled, or both at the same time.
The Global Zone does not have a GZ-controlled firewall, only an in-zone firewall. For inbound traffic (from an external source to the global zone), the traffic flow therefore looks like the following diagram.
External Source | | In-Zone Firewall | | Zone
For outbound traffic (from the global zone to an external destination), the traffic flow looks like the following diagram.
Zone | | In-Zone Firewall | | External Destination
|ATTRIBUTE TYPE||ATTRIBUTE VALUE|
System Administration Guide: IP Services
IP Filter startup configuration files are stored in /etc/ipf.
|October 7, 2014||OmniOS|