IP Filter in OpenSolaris

Posted on June 22, 2007

IP Filter is easier than ever to use in Solaris. I don’t do a lot of firewalling, but I have a strange case where I need to block access to a single port on a remote server from all but a single (my) IP. I’m no big security nut, but in this case I’ll write about it because most of the docs out there have the wrong procedure for using IP Filter on Solaris if you’re using something newer than build 52.

So, here is the procedure for setting up IP Filter on an OpenSolaris B52 or newer system:

  1. Add your IP Filter rules to /etc/ipf/ipf.conf
  2. Enable the IP Filter SMF service: svcadm enable network/ipfilter
  3. Ensure that your rules are loaded: ipf -Fa -f /etc/ipf/ipf.conf
  4. Ensure that the rules are in effect: ipfstat -ioh
  5. Buy Darren Reed a Guinness.
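
Here is the case described above (one TCP port, reachable from a single address only) run through steps 1 to 4. This is an added example, not part of the original post: the script name, the helper functions, and the sample port and address in the usage line are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Port and address are constructed
# sample values; rules omit "on <interface>" so they apply to every interface.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print two ipf.conf rules: let one source reach a TCP port, block all others.
# "quick" stops evaluation at the first match, so the pass rule must come first.
gen_rules() {
    port=$1; allowed=$2
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    is_ipv4 "$allowed" || { echo "bad IPv4 address: $allowed" >&2; return 1; }
    printf 'pass in quick proto tcp from %s/32 to any port = %s flags S keep state\n' \
        "$allowed" "$port"
    printf 'block in quick proto tcp from any to any port = %s\n' "$port"
}

# Run as root on the Solaris host, e.g.: sh ipf-one-port.sh 3306 192.0.2.10
if [ "$#" -eq 2 ]; then
    conf=/etc/ipf/ipf.conf
    rules=$(gen_rules "$1" "$2") || exit 1
    printf '%s\n' "$rules" >> "$conf"   # step 1: add the rules
    ipf -n -f "$conf" || exit 1         # parse only (-n changes nothing in the kernel)
    svcadm enable network/ipfilter      # step 2: enable the SMF service
    ipf -Fa -f "$conf"                  # step 3: flush all rules, then load the file
    ipfstat -ioh                        # step 4: in/out rules with hit counts
fi
```

Because the rules are appended, any earlier `quick` rule in ipf.conf that matches the same traffic wins; check the hit counts from ipfstat -ioh after a test connection to confirm the new rules are the ones matching.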

Seriously, that’s it. No reboot, no ifconfig, and no more “pfil” stuff.

All this goodness is thanks to Darren Reed and Packet Filtering Hooks. Read about them in his blog. Read the flag day notice here.

If you’re in need of rule creation help like I am, check out ipf(4) and the IP Filter examples page. If you’re new to IP Filter or need a rules walk-through, check out SecurityFocus’s Introduction to IP Filter.

Thanks to cmihai and LeftWing in #opensolaris for their help getting me squared away.