Enabling IPFilter on Solaris 10
Incorporating packet filtering software on Solaris 10 was not as easy as it may look like. This complexity is not completely hidden yet as the ipfilter configuration suggests. Let’s try to see how it works.
Solaris implementation of the TCP/IP stack is using a modular facility called STREAMS to let network packets go from the network interface to an application and vice-versa. A stream is a full-duplex processing and data transfer path between a driver in kernel space and a process in user space. The main idea is to provide a standard and easy way to specify an ordered list of kernel modules that will process the network packet from the, say, hme driver to, say, the telnet daemon.
From release 4.0, IPFilter is using a STREAMS module to hook itself into the Solaris stack. “svc:/network/ipfilter:default” is the core packet filtering software service. The “svc:/network/pfil:default” service is the glue that will allow the “ipfilter” service to be configured and enabled on specific interfaces. This is technically done by using the autopush command so that the pfil STREAMS module will be automatically pushed on any stream opened to a certain network device driver.
The point to note here is that IPFilter is enabled per network device driver (hme, ge, qfe,… ). The difficulty is that for the “pfil” driver to be able to hook properly into the network stack, it must be present the first time a device of a certain type is opened, which basically comes down to interface plumbing time. So that each time an interface whose driver has not been autopushed yet is to be put under control of IPFilter, it will need to be unplumbed and plumbed again.
Although the “svc:/network/pfil:default” is enabled and online on a default Solaris 10 installation, no device driver has been configured for it. So that to enable IPFilter, you’ll need to configure “pfil” so that it gets autopushed for the network drivers for which you want to enable your firewall. And then the network interfaces will need to be plumbed or replumbed.
#vi /etc/ipf/pfil.ap
and uncomment there the specific drivers you are interested in.
#svcadm enable ipfilter
to enable and start the ipfilter service. If you now use the “modinfo” command, you will see that “pfil” and “ipfilter” are loaded in the kernel. But packet filtering is NOT active !
You now have 2 choices. One : reboot. At boot time, when the “pfil” service is started, the startup script /lib/svc/method/pfil will run the autopush command on the /etc/ipf/pfil.ap file before the network interfaces are confgured so that everything will work as expected. Note that the same script will also start IPFilter with a very restrictive set of rules to cover the window of vulnerability during the time network is initialized and the “ipfilter” service is started.
Second :
#autopush -f /etc/ipf/pfil.ap
#ifconfig eri0 unplumb
#ifconfig eri0 plumb IP up
Writing firewalls rules is a totally different topic. You will find some examples of the ipf.conf configuration file in /usr/share/ipfilter/examples. Just copy one of them over /etc/ipf/ipf.conf to start playing around. A simpler demo is to add the one line (spaces between each word):
block in quick proto tcp from any to any port = 23
to the default empty /etc/ipf/ipf.conf and check that you firewall is running by trying to telnet to your machine from another one…
References :
STREAMS introduction
Sun STREAMS Programming guide : Overview of STREAMS
Solaris 10 links, Security/IPFilter section