This page contains scripts, links to other sites and "howto" docs that the staff at Open Technologies Inc. commonly use. You are free to use this material as you wish, but we take NO responsibility for your proper or improper use of this material. See Limitation of Liability below.

--------------------------------------------------------------------------------

Description: IPFilter howto for Solaris 10

Below is a sample /etc/ipf/ipf.conf file. It is the most restrictive stance: block everything inbound and allow only SSH in. All outbound traffic is allowed, with "keep state" so that the replies get back in; this works well for network clients. Two details of the rules matter. "quick" on the SSH rule makes it final, so it wins over the "block ... in all" that follows it. "return-icmp" answers a blocked packet with an ICMP unreachable instead of dropping it silently; a scanner reports the port as filtered either way, but the ICMP replies announce that a filter is present, so use a plain "block in all" if you prefer a silent drop.

    # ipf.conf
    #
    # IP Filter rules to be loaded during startup
    #
    # See ipf(4) manpage for more information on
    # IP Filter rules syntax.
    pass in quick on eri0 proto tcp from any to any port = 22 keep state
    block return-icmp in all
    pass out all keep state
    #
    # END ipf.conf

Below is a sample /etc/ipf/pfil.ap. Uncomment the device you wish to firewall (our example uses eri0). IPFilter only sees packets on interfaces that have the pfil module pushed onto them, so an interface left commented out here is not filtered at all, whatever ipf.conf says.

    # IP Filter pfil autopush setup
    #
    # See autopush(1M) manpage for more information.
    #
    # Format of the entries in this file is:
    #
    #major  minor lastminor modules
    #le     -1      0       pfil
    #qe     -1      0       pfil
    #hme    -1      0       pfil
    #qfe    -1      0       pfil
    eri     -1      0       pfil
    #ce     -1      0       pfil
    #bge    -1      0       pfil
    #be     -1      0       pfil
    #vge    -1      0       pfil
    #ge     -1      0       pfil
    #nf     -1      0       pfil
    #fa     -1      0       pfil
    #ci     -1      0       pfil
    #el     -1      0       pfil
    #ipdptp -1      0       pfil
    #lane   -1      0       pfil
    #dmfe   -1      0       pfil

Then enable and start the service:

    # svcadm enable svc:/network/ipfilter
    # svcadm restart svc:/network/ipfilter

Reboot the system if the above commands do not enable ipfilter. The pfil autopush setting is applied when an interface is plumbed, so a change to pfil.ap does not take effect on an interface that is already up until it is replumbed or the system is rebooted. Confirm that the rules are actually loaded with "ipfstat -io" before trusting the host to the filter.

Before: Solaris 10, by default, has many services installed and listening. Host 192.168.0.74 is a global zone. Of note in the scan are the cleartext logins (ftp, telnet, rlogin and rsh), finger, rpcbind on 111 together with the RPC services it registers on 32771-32780, an X server on 6000 and the font server on 7100.

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host myhost.myorg.com (192.168.1.100) appears to be up ... good.
    Initiating SYN Stealth Scan against myhost.myorg.com (192.168.1.100)
    Adding open port 21/tcp
    Adding open port 22/tcp
    Adding open port 23/tcp
    Adding open port 25/tcp
    Adding open port 79/tcp
    Adding open port 111/tcp
    Adding open port 513/tcp
    Adding open port 514/tcp
    Adding open port 587/tcp
    Adding open port 898/tcp
    Adding open port 4045/tcp
    Adding open port 6000/tcp
    Adding open port 7100/tcp
    Adding open port 32771/tcp
    Adding open port 32772/tcp
    Adding open port 32773/tcp
    Adding open port 32774/tcp
    Adding open port 32775/tcp
    Adding open port 32776/tcp
    Adding open port 32777/tcp
    Adding open port 32778/tcp
    Adding open port 32779/tcp
    Adding open port 32780/tcp
    Bumping up senddelay by 10000 (to 10000), due to excessive drops
    The SYN Stealth Scan took 51 seconds to scan 1601 ports.
    For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
    Interesting ports on myhost.myorg.com (192.168.1.100):
    (The 1578 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    22/tcp     open        ssh
    23/tcp     open        telnet
    25/tcp     open        smtp
    79/tcp     open        finger
    111/tcp    open        sunrpc
    513/tcp    open        login
    514/tcp    open        shell
    587/tcp    open        submission
    898/tcp    open        unknown
    4045/tcp   open        lockd
    6000/tcp   open        X11
    7100/tcp   open        font-service
    32771/tcp  open        sometimes-rpc5
    32772/tcp  open        sometimes-rpc7
    32773/tcp  open        sometimes-rpc9
    32774/tcp  open        sometimes-rpc11
    32775/tcp  open        sometimes-rpc13
    32776/tcp  open        sometimes-rpc15
    32777/tcp  open        sometimes-rpc17
    32778/tcp  open        sometimes-rpc19
    32779/tcp  open        sometimes-rpc21
    32780/tcp  open        sometimes-rpc23
    Remote operating system guess: Solaris 9 Beta through Release on SPARC
    Uptime 0.017 days (since Thu Jan 13 13:34:48 2005)
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=67996 (Worthy challenge)
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 55 seconds

After: (enabling ipfilter with the rules above) The only port open is 22/tcp for SSH, as intended. Every other port now shows as filtered instead of closed, because the block rule intercepts the probe before the TCP stack can answer it with a RST; nmap also warns that its OS detection is less reliable without a closed port to compare against.
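"Only port 22 is open" is a statement worth checking by script rather than by eye, every time the rules change. The following is an added example (not from the original howto), in POSIX sh: it parses nmap's port table and reports every open port the policy does not allow, either in allowlist form for the ssh-only ruleset above or in blocklist form for the "block vulnerable ports" ruleset further down the page, and it also complains when a port that should be open is not (a broken pass rule is a failure too). The sample scan rows are constructed from the scans on this page; the port lists are assumptions to edit for your own host. Only TCP rows are examined, matching the SYN scans shown here.

```shell
#!/bin/sh
# Added example, not part of the original howto: compare an nmap port table
# with the intended IPFilter policy. Sample rows are constructed from the
# scans on this page; the policy lists are assumptions for your own host.

# in_list NEEDLE "a b c": succeed when NEEDLE is one of the words in the list.
in_list() {
    needle="$1"
    for item in $2; do
        if [ "$item" = "$needle" ]; then
            return 0
        fi
    done
    return 1
}

# open_ports: print the port numbers nmap reports as open, one per line.
# Reads nmap's normal output ("21/tcp open ftp") on stdin; header and
# progress lines do not start with "<n>/tcp" and are skipped.
open_ports() {
    while read -r port_proto state service; do
        case "$port_proto" in
            */tcp)
                if [ "$state" = "open" ]; then
                    echo "${port_proto%/tcp}"
                fi
                ;;
        esac
    done
    return 0
}

# check_scan ALLOWED FORBIDDEN: read a scan on stdin, print one line per
# policy violation, return 0 only when the scan matches the policy.
#   ALLOWED non-empty = allowlist mode (the ssh-only ruleset): every open port
#     must be in ALLOWED, and every ALLOWED port must actually be open.
#   ALLOWED empty     = blocklist mode (the "block vulnerable ports" ruleset):
#     only FORBIDDEN ports are checked; none of them may be open.
check_scan() {
    allowed="$1"
    forbidden="$2"
    seen_open=""
    rc=0
    while read -r port_proto state service; do
        case "$port_proto" in
            */tcp) ;;
            *) continue ;;
        esac
        port="${port_proto%/tcp}"
        [ "$state" = "open" ] || continue
        seen_open="$seen_open $port"
        if in_list "$port" "$forbidden"; then
            echo "VIOLATION: $port/tcp ($service) is open but should be blocked"
            rc=1
        elif [ -n "$allowed" ] && ! in_list "$port" "$allowed"; then
            echo "VIOLATION: $port/tcp ($service) is open and not on the allow list"
            rc=1
        fi
    done
    for port in $allowed; do
        if ! in_list "$port" "$seen_open"; then
            echo "VIOLATION: $port/tcp should be open but was not reported open"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample rows, abridged from the three scans on this page.
SCAN_DEFAULT='21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
32771/tcp open sometimes-rpc5'
SCAN_SSH_ONLY='22/tcp open ssh'
SCAN_BLOCKLIST='21/tcp filtered ftp
22/tcp open ssh
587/tcp open submission
32771/tcp open sometimes-rpc5'

# Ports the "block vulnerable ports" ruleset is meant to hide (assumption).
BLOCKED="21 23 25 79 111 513 514 515 4045 6000 7100"

# Stand-alone demo. Against a live host:
#   nmap -sS -p 1-65535 myhost | check_scan "22" "$BLOCKED"
printf '%s\n' "$SCAN_DEFAULT" | check_scan "22" "$BLOCKED" || echo "default install: violations listed above"
printf '%s\n' "$SCAN_SSH_ONLY" | check_scan "22" "$BLOCKED" && echo "ssh-only ruleset: scan matches policy"
printf '%s\n' "$SCAN_BLOCKLIST" | check_scan "" "$BLOCKED" && echo "blocklist ruleset: nothing forbidden is open"
```

Run it in allowlist mode after a change window and treat any VIOLATION line as a reason to re-read ipf.conf before leaving the console; for the blocklist ruleset, pass an empty allow list so only the enumerated ports are checked.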
    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host myhost.myorg.com (192.168.1.100) appears to be up ... good.
    Initiating SYN Stealth Scan against myhost.myorg.com (192.168.1.100)
    Adding open port 22/tcp
    The SYN Stealth Scan took 198 seconds to scan 1601 ports.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    For OSScan assuming that port 22 is open and port 34213 is closed and neither are firewalled
    Interesting ports on myhost.myorg.com (192.168.1.100):
    (The 1600 ports scanned but not shown below are in state: filtered)
    Port       State       Service
    22/tcp     open        ssh
    Remote operating system guess: Solaris 9 Beta through Release on SPARC
    Uptime 0.007 days (since Thu Jan 13 14:08:59 2005)
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=63755 (Worthy challenge)
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 202 seconds

Use the commands below to see how many packets each rule has matched. "ipfstat -h" prefixes every rule with its hit count; "-i" lists the inbound rules and "-o" the outbound ones. ipfstat prints ports by their /etc/services names, so 22 appears as ssh.

    bash-3.00# ipfstat -hi
    12 pass in quick on eri0 proto tcp from any to any port = ssh keep state
    235 block return-icmp in all
    bash-3.00# ipfstat -ho
    0 pass out all keep state

The 235 hits on the block rule are the scanner's probes; on a host that should only ever see SSH, that counter is a cheap indicator of unsolicited inbound traffic. The outbound rule shows 0 hits even though SSH sessions were answered, because replies to a connection admitted by a "keep state" rule are matched by the state table and never consult the rules again.

If the allow-only-SSH stance is too disruptive, for example on a server that must keep offering other services, ipfilter can instead be used as a blocklist: pass everything and block only the ports deemed vulnerable. This is the weaker posture, since anything not enumerated stays reachable, as the scan taken after these rules shows. The rules below are an example.

    #
    # ipf.conf
    #
    # IP Filter rules to be loaded during startup
    #
    # See ipf(4) manpage for more information on
    # IP Filter rules syntax.
    #
    # block vulnerable ports
    # block ftp
    block in quick on eri0 proto tcp from any to any port = 21
    # block telnet
    block in quick on eri0 proto tcp from any to any port = 23
    # block sendmail
    block in quick on eri0 proto tcp from any to any port = 25
    # block finger
    block in quick on eri0 proto tcp from any to any port = 79
    # block rpc
    block in quick on eri0 proto tcp from any to any port = 111
    # block lockd
    block in quick on eri0 proto tcp from any to any port = 4045
    # block font server
    block in quick on eri0 proto tcp from any to any port = 7100
    # block login, shell, and printer ("a >< b" is exclusive: this is 513-515)
    block in quick on eri0 proto tcp from any to any port 512 >< 516
    # block X (6000-6009)
    block in quick on eri0 proto tcp from any to any port 5999 >< 6010
    #
    # default is to pass in all
    pass in on eri0 all keep state
    #
    # default is to pass out all, keep state
    pass out on eri0 all keep state

These rules are "proto tcp" only, so nothing here filters UDP; if rpcbind or any other RPC service answers on UDP, those ports remain reachable, and matching "proto udp" rules are needed to cover them.

Install the new rules with the following command. "-Fa" flushes every loaded rule, "-f" loads the file and "-v" echoes each rule as it is parsed, with port numbers printed by their /etc/services names (21 becomes ftp, 7100 becomes fs). Run "ipf -n -f /etc/ipf/ipf.conf" first: "-n" parses the file without touching the kernel, so a syntax error is caught before the live rules are flushed.

    bash-3.00# ipf -v -Fa -f /etc/ipf/ipf.conf
    remove flags IO (49152)
    removed 11 filter rules
    block in quick on eri0 proto tcp from any to any port = ftp
    block in quick on eri0 proto tcp from any to any port = telnet
    block in quick on eri0 proto tcp from any to any port = smtp
    block in quick on eri0 proto tcp from any to any port = finger
    block in quick on eri0 proto tcp from any to any port = sunrpc
    block in quick on eri0 proto tcp from any to any port = lockd
    block in quick on eri0 proto tcp from any to any port = fs
    block in quick on eri0 proto tcp from any to any port 512 >< 516
    block in quick on eri0 proto tcp from any to any port 5999 >< 6010
    pass in on eri0 all keep state
    pass out on eri0 all keep state

After the new rules are installed: (The filtered ports are protected as designed.)

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host myhost.myorg.com (192.168.1.100) appears to be up ... good.
    Initiating SYN Stealth Scan against myhost.myorg.com (192.168.1.100)
    Adding open port 22/tcp
    Adding open port 587/tcp
    Adding open port 898/tcp
    Adding open port 32771/tcp
    Adding open port 32772/tcp
    Adding open port 32773/tcp
    Adding open port 32774/tcp
    Adding open port 32775/tcp
    Adding open port 32776/tcp
    Adding open port 32777/tcp
    Adding open port 32780/tcp
    Bumping up senddelay by 10000 (to 10000), due to excessive drops
    The SYN Stealth Scan took 59 seconds to scan 1601 ports.
    For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
    Interesting ports on myhost.myorg.com (192.168.1.100):
    (The 1570 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     filtered    ftp
    22/tcp     open        ssh
    23/tcp     filtered    telnet
    25/tcp     filtered    smtp
    79/tcp     filtered    finger
    111/tcp    filtered    sunrpc
    513/tcp    filtered    login
    514/tcp    filtered    shell
    515/tcp    filtered    printer
    587/tcp    open        submission
    898/tcp    open        unknown
    4045/tcp   filtered    lockd
    6000/tcp   filtered    X11
    6001/tcp   filtered    X11:1
    6002/tcp   filtered    X11:2
    6003/tcp   filtered    X11:3
    6004/tcp   filtered    X11:4
    6005/tcp   filtered    X11:5
    6006/tcp   filtered    X11:6
    6007/tcp   filtered    X11:7
    6008/tcp   filtered    X11:8
    6009/tcp   filtered    X11:9
    7100/tcp   filtered    font-service
    32771/tcp  open        sometimes-rpc5
    32772/tcp  open        sometimes-rpc7
    32773/tcp  open        sometimes-rpc9
    32774/tcp  open        sometimes-rpc11
    32775/tcp  open        sometimes-rpc13
    32776/tcp  open        sometimes-rpc15
    32777/tcp  open        sometimes-rpc17
    32780/tcp  open        sometimes-rpc23
    Remote operating system guess: Solaris 9 Beta through Release on SPARC
    Uptime 0.002 days (since Thu Jan 13 14:35:36 2005)
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=38070 (Worthy challenge)
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 66 seconds

Note what is still open: 587/tcp, 898/tcp and the RPC listeners in the 32771-32780 range. None of them is named in the blocklist, so probes pass straight through to the listening services, and the unlisted ports once again answer with a RST and show as closed rather than filtered. That is the trade-off of the blocklist posture.

Again, check which firewall rules have seen hits:

    bash-3.00# ipfstat -hi
    24 block in quick on eri0 proto tcp from any to any port = ftp
    24 block in quick on eri0 proto tcp from any to any port = telnet
    24 block in quick on eri0 proto tcp from any to any port = smtp
    15 block in quick on eri0 proto tcp from any to any port = finger
    15 block in quick on eri0 proto tcp from any to any port = sunrpc
    27 block in quick on eri0 proto tcp from any to any port = lockd
    27 block in quick on eri0 proto tcp from any to any port = fs
    81 block in quick on eri0 proto tcp from any to any port 512 >< 516
    270 block in quick on eri0 proto tcp from any to any port 5999 >< 6010
    7772 pass in on eri0 all keep state
    bash-3.00# ipfstat -ho
    39 pass out on eri0 all keep state

The 7772 hits on "pass in on eri0 all" are the probes to every port the blocklist does not mention; in this posture the pass rule, not the block rules, sees most of the scan.

On Solaris 10, IPFilter runs in the global zone and filters at the interface, so the rules apply to every IP address plumbed on eri0, including the virtual addresses of non-global zones that share that interface. An nmap scan of a non-global zone, 192.168.1.101 on eri0, shows that the filtered ports are protected in the zone as well:

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host myhost2.myorg.com (192.168.1.101) appears to be up ... good.
    Initiating SYN Stealth Scan against myhost2.myorg.com (192.168.1.101)
    Adding open port 22/tcp
    Adding open port 587/tcp
    Adding open port 898/tcp
    The SYN Stealth Scan took 51 seconds to scan 1601 ports.
    For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
    Interesting ports on myhost2.myorg.com (192.168.1.101):
    (The 1578 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     filtered    ftp
    22/tcp     open        ssh
    23/tcp     filtered    telnet
    25/tcp     filtered    smtp
    79/tcp     filtered    finger
    111/tcp    filtered    sunrpc
    513/tcp    filtered    login
    514/tcp    filtered    shell
    515/tcp    filtered    printer
    587/tcp    open        submission
    898/tcp    open        unknown
    4045/tcp   filtered    lockd
    6000/tcp   filtered    X11
    6001/tcp   filtered    X11:1
    6002/tcp   filtered    X11:2
    6003/tcp   filtered    X11:3
    6004/tcp   filtered    X11:4
    6005/tcp   filtered    X11:5
    6006/tcp   filtered    X11:6
    6007/tcp   filtered    X11:7
    6008/tcp   filtered    X11:8
    6009/tcp   filtered    X11:9
    7100/tcp   filtered    font-service
    Remote operating system guess: Solaris 9 Beta through Release on SPARC
    Uptime 0.015 days (since Thu Jan 13 14:35:36 2005)
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=54790 (Worthy challenge)
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 58 seconds

The zone exposes only 22, 587 and 898 (the 32771-32780 RPC listeners seen on the global zone show as closed here), and the same ports are reported filtered because the same interface rules apply to the zone's address. Remember that the converse also holds: a rule loaded to protect one zone affects every zone sharing that interface.

--------------------------------------------------------------------------------

LIMITATION OF LIABILITY

TO THE FULL EXTENT PERMITTED BY LAW, HOST IS NOT LIABLE TO YOU OR ANY OTHER INDIVIDUAL OR ENTITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL OR CONSEQUENTIAL DAMAGES RELATED TO OR ARISING OUT OF ANY USE OF, ACCESS TO, OR INABILITY TO ACCESS THIS WEBSITE, CONTENT, SERVICES, OR OF ANY OTHER LINKED WEBSITE OR EXTERNAL RESOURCE INCLUDING, WITHOUT LIMITATION, ANY LOST PROFITS, LOST SALES, LOST REVENUE, LOSS OF GOODWILL, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR OTHER DATA EVEN IF OPEN TECHNOLOGIES INC. IS EXPRESSLY ADVISED OR AWARE OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES.
YOU ASSUME ALL RISK FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM OBTAINING ANY CONTENT FROM THE WEBSITE, INCLUDING ANY DAMAGES RESULTING FROM COMPUTER VIRUSES, WORMS, OR OTHER ITEMS OF A DESTRUCTIVE NATURE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
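Returning to the "block vulnerable ports" ruleset and the "ipf -v -Fa -f" install step above: the rules are repetitive enough to generate rather than type. The following is an added example, not part of the original howto, in POSIX sh. It builds that style of ipf.conf from a compact PROTO:PORT list, converts inclusive ranges to IPFilter's exclusive "a >< b" form (so 513-515 becomes "port 512 >< 516", exactly as the page writes it), and wraps the install in an "ipf -n" dry run so that a syntax error is caught before the live rules are flushed. The interface name eri0, the port list and the extra 111/udp entry are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: generate a blocklist-style
# ipf.conf from a compact port list and dry-run it before loading. The
# interface and the port list are assumptions; edit them for your host.

IFACE=eri0   # assumption: the interface pushed in /etc/ipf/pfil.ap

# block_rule PROTO SPEC: print one "block in quick" rule. SPEC is a single
# port ("21") or an inclusive range ("6000-6009"). Fails on a reversed range.
block_rule() {
    proto="$1"
    spec="$2"
    case "$spec" in
        *-*)
            lo="${spec%-*}"
            hi="${spec#*-}"
            if [ "$lo" -gt "$hi" ]; then
                echo "block_rule: bad range $spec" >&2
                return 1
            fi
            # IPFilter's "a >< b" matches a < port < b, so widen each end by one.
            echo "block in quick on $IFACE proto $proto from any to any port $((lo - 1)) >< $((hi + 1))"
            ;;
        *)
            echo "block in quick on $IFACE proto $proto from any to any port = $spec"
            ;;
    esac
}

# gen_ruleset PROTO:SPEC...: print a complete ipf.conf. Block rules come first
# and are "quick", so they are final; the stateful pass-all defaults from the
# page close the file. Example: gen_ruleset tcp:21 udp:111 tcp:513-515
gen_ruleset() {
    echo "# ipf.conf generated for $IFACE: block the listed ports, pass the rest"
    for entry in "$@"; do
        proto="${entry%%:*}"
        spec="${entry#*:}"
        block_rule "$proto" "$spec" || return 1
    done
    echo "pass in on $IFACE all keep state"
    echo "pass out on $IFACE all keep state"
}

# install_ruleset FILE: parse FILE with "ipf -n" (no kernel changes) and only
# then flush and load it with the command the page uses. Does nothing where
# the ipf binary is absent, so the generator can be exercised off the host.
install_ruleset() {
    file="$1"
    if ! command -v ipf >/dev/null 2>&1; then
        echo "install_ruleset: ipf not found, not loading $file" >&2
        return 0
    fi
    if ! ipf -n -f "$file" >/dev/null; then
        echo "install_ruleset: ipf rejected $file, live rules untouched" >&2
        return 1
    fi
    ipf -v -Fa -f "$file"
}

# Demo: the page's TCP list plus 111/udp, which the page's tcp-only rules do
# not cover (assumption: rpcbind on UDP should be blocked as well).
gen_ruleset tcp:21 tcp:23 tcp:25 tcp:79 tcp:111 udp:111 tcp:4045 tcp:7100 tcp:513-515 tcp:6000-6009
# On the Solaris host:
#   gen_ruleset ... > /etc/ipf/ipf.conf.new && install_ruleset /etc/ipf/ipf.conf.new
```

Keep the generated file under /etc/ipf so that the SMF service reloads it at boot, and keep the PROTO:PORT list in version control: the list is the policy, the generated rules are just its rendering.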