While trying to clone a production stack for development I got a little paranoid and added some firewall rules to avoid accidental communication between the stacks. My main concern was the poorly documented cloning process, as well as the poor use of VLANs in the client's environment. Below is a quick and dirty way to add some IPF rules on Solaris 11.
Check current rules:
empty list for ipfilter(out)
empty list for ipfilter(in)
Enable a custom policy:
firewall_config_default/policy astring custom
Custom policy file:
firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf
Run the firewall service:
disabled Sep_20 svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
State: disabled since September 20, 2013 12:21:20 PM PDT
Reason: Disabled by an administrator.
See: http://support.oracle.com/msg/SMF-8000-05
See: man -M /usr/share/man -s 5 ipfilter
Impact: This service is not running.
svc:/network/ipfilter:default (IP Filter)
State: online since September 23, 2013 05:46:51 AM PDT
See: man -M /usr/share/man -s 5 ipfilter
See: /var/svc/log/network-ipfilter:default.log
Some commands to check with:
input packets: blocked 0 passed 176 nomatch 176 counted 0 short 0
output packets: blocked 0 passed 161 nomatch 161 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
empty list for ipfilter(out)
empty list for ipfilter(in)
Try adding a rule:
empty list for ipfilter(out)
block in on ipmp1 proto tcp from 10.200.0.0/32 to any
OK, that did nothing. Let's try a better mask.
Hmm, that worked: I dropped myself out. Nice.
Get in through the LDOM console and flush the rules:
empty list for ipfilter(out)
empty list for ipfilter(in)
Trying a more realistic rule:
block in quick from 10.200.43.70/31 to any
Yep, that worked, as my ping failed...
Persistence:
I thought ipf -f would add it to the file, but it did not. So I added the rules to the file manually, and that worked after a reboot.
block in quick from 10.200.43.70/31 to any
block in quick from 10.200.53.110/31 to any
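As an added illustration that is not part of the original post, here is a small Python checker for the ipf.conf rule syntax used above: it parses block/pass rules, applies IPF's last-match-wins plus quick semantics, shows why a /32 on 10.200.0.0 matched only that single address while each /31 covers exactly two, and flags a rule set that would block the address you are administering from, which is how the broader mask dropped the session. The /16 in BROAD_RULE and the admin address in the checks are hypothetical; the post does not say which mask caused the lockout.

```python
import ipaddress
# Constructed ipf.conf fragment built from the rules shown on the page.
PAGE_CONF = """\
# /32 is a single host: this blocks TCP from 10.200.0.0 itself and nothing else
block in on ipmp1 proto tcp from 10.200.0.0/32 to any
# the rules kept in /etc/ipf/ipf.conf; each /31 covers exactly two addresses
block in quick from 10.200.43.70/31 to any
block in quick from 10.200.53.110/31 to any
"""
# Hypothetical broad mask of the kind that cut off the author's own session.
BROAD_RULE = "block in quick from 10.200.0.0/16 to any"
KEYS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}
def parse_rule(line):
    """Parse '(block|pass) (in|out) [quick] [on IF] [proto P] from SRC to DST';
    returns None for blank lines and comments, and 'any' becomes None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": False, "iface": None,
            "proto": None, "src": None, "dst": None, "text": line}
    i = 2
    while i < len(toks):
        if toks[i] == "quick":
            rule["quick"], i = True, i + 1
        elif toks[i] in KEYS:
            rule[KEYS[toks[i]]], i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {toks[i]!r} in: {line}")
    for k in ("src", "dst"):  # keep networks as objects so 'in' tests work
        rule[k] = None if rule[k] in (None, "any") else ipaddress.ip_network(rule[k], strict=False)
    return rule

def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]

def verdict(rules, src_ip, direction="in", proto="tcp"):
    """IPF semantics: the last matching rule wins, unless a matching rule says
    'quick', which ends evaluation at once; with no match the packet passes."""
    src, result = ipaddress.ip_address(src_ip), ("pass", None)
    for r in rules:
        if (r["dir"] != direction or (r["proto"] and r["proto"] != proto)
                or (r["src"] is not None and src not in r["src"])):
            continue
        result = (r["action"], r["text"])
        if r["quick"]:
            break
    return result
def locks_out(rules, admin_ip):  # would these rules cut off the admin's own TCP session?
    return verdict(rules, admin_ip, "in", "tcp")[0] == "block"
```

Run locks_out against the address of your own console or SSH session before loading a new rule file with ipf -f; a True result is the lockout the post describes.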
References:
http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html
http://docs.oracle.com/cd/E19253-01/816-4554/ezecx/index.html
http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html#scrolltoc