Solaris Ipfilter Pools
I wasn't aware before that ipfilter (ipf) has a concept of pools, that is, named lists of IP addresses and networks that a rule can reference instead of repeating the addresses in every rule.
I previously wrote this basic article on enabling ipf in Solaris, and what follows is a little on pools.
** Note: this was a Solaris 10 LDOM, so the NIC was vnet0. Check your own NIC name; it is most likely net0 on Solaris 11.
Set up the pools you need as follows.
# pwd
/etc/ipf
# cat ippool.conf
### Pool 13 some essential static addresses
table role = ipf type = tree number = 13 { 10.1.11.34/32, 10.2.10.6/32 };
### Pool 14 some temporary IP's
table role = ipf type = tree number = 14 { 192.168.8.0/24, 10.200.97.82/32 };
Use the pools in your ipf.conf. Note that the two pool rules below carry no proto or port restriction, so every protocol from the listed addresses is passed into group 100; narrow them with proto and port if that is more than you intend.
# cat ipf.conf
[...]
pass in quick on lo0 all
pass out quick on lo0 all
### Block all inbound and outbound traffic by default
block in log on vnet0 all head 100
block out log on vnet0 all head 150
### Allow inbound SSH connections
pass in quick on vnet0 proto tcp from any to 10.1.11.87 port = 22 keep state group 100
### Use /etc/ipf/ippool.conf for pools
pass in on vnet0 from pool/13 group 100
pass in on vnet0 from pool/14 group 100
### Allow my box to utilize all UDP, TCP and ICMP services
pass out quick all
Of course, flush the running rules and reload them from the file.
# ipf -Fa -f /etc/ipf/ipf.conf
Check the running set.
# ipfstat -io
pass out quick on lo0 all
block out log on vnet0 all head 150
pass out quick all
# Group 150
pass in quick on lo0 all
block in log on vnet0 all head 100
# Group 100
pass in quick on vnet0 proto tcp from any to 10.1.11.87/32 port = ssh keep state group 100
pass in on vnet0 from pool/13 to any group 100
pass in on vnet0 from pool/14 to any group 100
Note that after editing ippool.conf you need to reload the pools as well; reloading ipf.conf with ipf does not re-read the pool file.
# ippool -F; ippool -f /etc/ipf/ippool.conf
For me that did not always work, so I also restarted the service.
# svcadm disable ipfilter
# svcadm refresh ipfilter
# svcadm enable ipfilter
Listing the pools actually loaded in the kernel will save you a lot of time chasing rules that are in fact correct; when a pool rule does not match, the loaded pool contents are the first thing to check.
# ippool -l
table role = ipf type = tree number = 14
        { 192.168.8.0/24; 10.200.97.82/32; };
table role = ipf type = tree number = 13
        { 10.1.11.34/32; 10.2.10.6/32; };
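Before flushing and reloading, it pays to check that the two files agree. The following shell script is an added example and not from the original post: it cross-checks every pool/N referenced in ipf.conf against the pools defined in ippool.conf (the usual reason a correct-looking pool rule never matches), warns about pools nothing references, and lists pool rules that carry no proto restriction. The sample configs are constructed inline, mirroring the post's pools 13 and 14 plus a deliberately undefined pool/15; the function names and the file locations under the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check to run before
# "ipf -Fa -f /etc/ipf/ipf.conf" and "ippool -f /etc/ipf/ippool.conf".
# It cross-checks the pool/N references in ipf.conf against the pools defined
# in ippool.conf and flags pool rules that carry no "proto" restriction.
# Uses only POSIX sh, awk, grep and sort. The sample configs are constructed
# here (they mirror the post's pools 13 and 14, plus an undefined pool/15) and
# the file names under $1 are assumptions of this example.
set -u

# Write the constructed sample ippool.conf and ipf.conf into directory $1.
make_sample_configs() {
    cat > "$1/ippool.conf" <<'EOF'
### Pool 13 some essential static addresses
table role = ipf type = tree number = 13 { 10.1.11.34/32, 10.2.10.6/32 };
### Pool 14 some temporary IP's
table role = ipf type = tree number = 14 { 192.168.8.0/24, 10.200.97.82/32 };
EOF
    cat > "$1/ipf.conf" <<'EOF'
block in log on vnet0 all head 100
### SSH from anywhere
pass in quick on vnet0 proto tcp from any to 10.1.11.87 port = 22 keep state group 100
### pool rules with no proto/port: every protocol from the members is passed
pass in on vnet0 from pool/13 group 100
pass in on vnet0 from pool/14 group 100
### pool/15 is referenced here but never defined in ippool.conf
pass in on vnet0 proto tcp from pool/15 to any port = 443 group 100
pass out quick all
EOF
}

# Pool numbers defined by "table ... number = N" lines in an ippool.conf.
defined_pools() {
    awk '/^[ \t]*table[ \t]/ && match($0, /number[ \t]*=[ \t]*[0-9]+/) {
             s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); print s
         }' "$1" | sort -n | uniq
}

# Pool numbers referenced as pool/N by non-comment rules in an ipf.conf.
referenced_pools() {
    awk '/^[ \t]*#/ { next }
         { line = $0
           while (match(line, /pool\/[0-9]+/)) {
               print substr(line, RSTART + 5, RLENGTH - 5)
               line = substr(line, RSTART + RLENGTH)
           }
         }' "$1" | sort -n | uniq
}

# "pass" rules that use a pool but have no proto restriction at all.
unrestricted_pool_rules() {
    grep -E '^[[:space:]]*pass[[:space:]]' "$1" | grep 'pool/' | grep -v 'proto' || true
}

# Report referenced-but-undefined pools (error, return 1) and
# defined-but-unreferenced pools (warning only, return 0).
check_pools() {
    ipf_conf=$1; ippool_conf=$2; missing=0
    for p in $(referenced_pools "$ipf_conf"); do
        if ! defined_pools "$ippool_conf" | grep -qx "$p"; then
            echo "ERROR: ipf.conf uses pool/$p but ippool.conf does not define it"
            missing=1
        fi
    done
    for p in $(defined_pools "$ippool_conf"); do
        if ! referenced_pools "$ipf_conf" | grep -qx "$p"; then
            echo "WARN: pool/$p is defined but no rule references it"
        fi
    done
    return $missing
}

# Stand-alone demo against the constructed configs.
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
echo "defined:    $(defined_pools "$demo_dir/ippool.conf" | tr '\n' ' ')"
echo "referenced: $(referenced_pools "$demo_dir/ipf.conf" | tr '\n' ' ')"
check_pools "$demo_dir/ipf.conf" "$demo_dir/ippool.conf" \
    || echo "fix ippool.conf before reloading with ipf -Fa -f and ippool -f"
echo "pool rules passing every protocol from their members:"
unrestricted_pool_rules "$demo_dir/ipf.conf"
rm -rf "$demo_dir"
```

Point the functions at /etc/ipf/ipf.conf and /etc/ipf/ippool.conf to run the same check on a real host; a non-zero exit from check_pools means a rule references a pool that ippool -f will never create, which is exactly the situation the ippool -l listing above helps you spot after the fact.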
As always with firewalls: test, test, test.