Solaris 11 Firewall

blog.ls-al.com, published 2013-09-23 (last modified 2013-10-02), https://blog.ls-al.com/solaris-11-firewall/ (categories: firewall, solaris)

While trying to clone a production stack for development I got a little paranoid and added some firewall rules to avoid accidental communication between the stacks. My main concern was the poorly documented cloning process as well as the poor use of VLANs in the client's environment. Below is a quick and dirty way to add some IPF rules to Solaris 11.

Check current rules:

# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

Enable a custom policy:

# svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
# svccfg -s ipfilter:default listprop firewall_config_default/policy
firewall_config_default/policy astring custom

Custom policy file:

# svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"
# svccfg -s ipfilter:default listprop firewall_config_default/custom_policy_file
firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf

Run the firewall service:

# svcadm refresh ipfilter:default
# svcs -a | grep ipfilter
disabled Sep_20 svc:/network/ipfilter:default

# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: disabled since September 20, 2013 12:21:20 PM PDT
Reason: Disabled by an administrator.
 See: http://support.oracle.com/msg/SMF-8000-05
 See: man -M /usr/share/man -s 5 ipfilter
Impact: This service is not running.

# svcadm enable svc:/network/ipfilter:default

# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: online since September 23, 2013 05:46:51 AM PDT
 See: man -M /usr/share/man -s 5 ipfilter
 See: /var/svc/log/network-ipfilter:default.log
Impact: None.

Some commands to check with:

# ipfstat |grep blocked
 input packets: blocked 0 passed 176 nomatch 176 counted 0 short 0
output packets: blocked 0 passed 161 nomatch 161 counted 0 short 0
 input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0

# ipfstat -io |head
empty list for ipfilter(out)
empty list for ipfilter(in)

Try adding a rule:

# echo "block in on ipmp1 proto tcp from 10.200.0.0/32 to any" | ipf -f -

# ipfstat -io
empty list for ipfilter(out)
block in on ipmp1 proto tcp from 10.200.0.0/32 to any

OK, that did nothing. Let's try a better mask.

# echo "block in on ipmp1 proto tcp from 10.200.0.0/16 to any" | ipf -f -
# Timeout, server usli-dsdb-ag11.dev.asg.ad not responding.

Hmm, that worked. I dropped myself out. Nice.

Get in through the LDOM console and flush the rules:

# ipf -F a
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

Trying a more realistic rule:

# echo "block in quick from 10.200.53.110/31 to any" | ipf -f -
# ipfstat -io
block in quick from 10.200.43.70/31 to any

Yep, that worked, as my ping failed:

# ping 10.200.53.110

Persistence:

# ipf -f /etc/ipf/ipf.conf

# tail /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.

I thought ipf -f should add it to the file but it did not. So I added the rules manually, and that worked after a reboot.

# tail -2 /etc/ipf/ipf.conf
block in quick from 10.200.43.70/31 to any
block in quick from 10.200.53.110/31 to any

References:

http://docs.oracle.com/cd/E19253-01/816-4554/ezecx/index.html
http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html#scrolltoc
http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html
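The two rule attempts above show the failure mode from both sides: `10.200.0.0/32` matches only the single address 10.200.0.0, so it blocked nothing, while `10.200.0.0/16` covers 10.200.0.0 through 10.200.255.255, which included the host the SSH session came from, hence the lockout and the trip to the LDOM console. The script below is an added example, not code from the original post or from Oracle's IPF tooling: a pure POSIX sh pre-flight check that, given a `block in ... from <prefix> to any` rule and the address your own session comes from, refuses the rule if the prefix would cover that address. The admin address 10.200.53.110 and the rules in the demo loop are constructed sample values; `ipf -f` itself is not invoked.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight lockout check for
# IPF "block in ... from <prefix> to any" rules. Pure POSIX sh; ipf(1M) is
# not called. All addresses below are constructed sample values.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/LEN ADDR -> exit 0 if ADDR lies inside NET/LEN
cidr_contains() {
    net=${1%/*}
    len=${1#*/}
    [ "$len" -eq 0 ] && return 0                 # /0 covers everything
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$2") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# lockout_check RULE ADMIN_ADDR -> exit 0 if loading RULE leaves ADMIN_ADDR
# reachable, exit 1 (with a message on stderr) if RULE would block it.
lockout_check() {
    rule=$1
    admin=$2
    case "$rule" in
        block*) ;;
        *) return 0 ;;                           # pass/log/count rules cannot lock you out
    esac
    case "$rule" in
        *" from any "*|*" from any")
            echo "REFUSING: '$rule' blocks every source, including $admin" >&2
            return 1 ;;
    esac
    # pull the source prefix out of "... from <src> to ..."
    src=$(printf '%s\n' "$rule" | sed -n 's|.* from \([0-9./]*\) to .*|\1|p')
    [ -z "$src" ] && return 0                    # no source term: nothing to check
    case "$src" in */*) ;; *) src="$src/32" ;; esac   # a bare host means /32
    if cidr_contains "$src" "$admin"; then
        echo "REFUSING: '$rule' would block admin host $admin" >&2
        return 1
    fi
    return 0
}

# Demo replaying the post's sequence. ADMIN is the (constructed) address the
# management SSH session comes from; it sits inside 10.200.0.0/16.
ADMIN=10.200.53.110
for r in "block in on ipmp1 proto tcp from 10.200.0.0/32 to any" \
         "block in on ipmp1 proto tcp from 10.200.0.0/16 to any" \
         "pass in quick from $ADMIN to any"; do
    if lockout_check "$r" "$ADMIN"; then
        echo "ok:       $r"
    fi
done
```

Run it on the rule text before piping the rule into `ipf -f -`, with the admin address taken from `$SSH_CONNECTION` or whatever your session actually uses. Since IPF with `quick` stops at the first matching rule, a `pass in quick from <admin host> to any` line placed ahead of the block rules in `/etc/ipf/ipf.conf` is a second layer of protection that survives a mistaken prefix even when the check is skipped.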