Using IP Filter to Protect a Solaris 7, 8, or 9 Workstation

This page contains simple configuration and init files, as well as instructions on how to install them on the following systems:

Outline of Procedure

  1. Download and install the IP Filter package.
  2. Modify the IP Filter configuration file(s), ipf.conf and ipnat.conf.
  3. Start IP Filter.
  4. Confirm that IP Filter works as expected.

Detailed Procedure

  1. Download and install the IP Filter package.

    For Solaris 7, 32-bit:
    1. Download the IP Filter package for Solaris 7. (If you wish to compile the latest version, you can get the source code at the IP Filter Home Page listed in the References section at the bottom of this page.)
    2. Download a sample ipf.conf file (ipf.conf, for hme0 interface).
    3. Download a sample ipnat.conf file (ipnat.conf, for hme0 interface).
    4. Install the IP Filter package using pkgadd.

    For Solaris 8, 32-bit:
    1. Download the IP Filter package for Solaris 8. (If you wish to compile the latest version, you can get the source code at the IP Filter Home Page listed in the References section at the bottom of this page.)
    2. Download a sample ipf.conf file (ipf.conf, for hme0 interface).
    3. Download a sample ipnat.conf file (ipnat.conf, for hme0 interface).
    4. Install the IP Filter package using pkgadd. Only install #1 ipf.

    For Solaris 8, 64-bit:
    1. Download the IP Filter package for Solaris 8. (If you wish to compile the latest version, you can get the source code at the IP Filter Home Page listed in the References section at the bottom of this page.)
    2. Download a sample ipf.conf file (ipf.conf, for hme0 interface or ipf.conf, for eri0 interface).
    3. Download a sample ipnat.conf file (ipnat.conf, for hme0 interface or ipnat.conf, for eri0 interface).
    4. Download a modified ipfboot file. Rename the file to the name ipfboot.
    5. Install the IP Filter package using pkgadd. IMPORTANT: Install #2 ipfx first, then re-run pkgadd and install #1 ipf.
    6. Rename /etc/init.d/ipfboot to /etc/init.d/ipfboot.orig.
    7. Copy the modified ipfboot file to /etc/init.d/.
    8. Make /etc/init.d/ipfboot executable.
    9. Make /etc/init.d/ipfboot owned by root.
    10. Remove the hard link /etc/rc2.d/S65ipfboot.
    11. Create a symlink from runlevel 2 to the modified ipfboot script, e.g.:
          ln -s /etc/init.d/ipfboot /etc/rc2.d/S65ipfboot
          

    For Solaris 9, 32-bit, 64-bit:

    1. Precompiled IP Filter binaries are available at http://www.maraudingpirates.org/ipfilter/. Download the appropriate package, then follow the instructions for a 32-bit or 64-bit system as described for Solaris 8 above.

  2. Modify the IP Filter configuration file(s), ipf.conf and ipnat.conf.

    (To learn how to set up the ipf.conf file, see the ipf HOW-TO page at http://www.obfuscation.org/ipf/ipf-howto.html.)

    1. Rename sample ipf.conf.hme0 or ipf.conf.eri0 to ipf.conf, as appropriate. Also, rename the sample ipnat.conf.hme0 or ipnat.conf.eri0 to ipnat.conf, as appropriate.
      Note: some Sun ethernet interfaces are named strangely, such as dmfe0 on the Netras, and you may have more than one ethernet interface. In such cases, you will have to edit both configuration files to reflect the proper ethernet interface name(s).
    2. Edit ipf.conf to suit your needs. The sample ipf.conf includes some commonly-used packet-filtering rules. Uncomment and edit those that are relevant to your situation.
    3. Copy ipf.conf to /etc/opt/ipf. Copy ipnat.conf to /etc/opt/ipf (all ipnat.conf does is allow you to use outbound active FTP).

  3. Start IP Filter.

    Run the system initialization script to start IP Filter:

      /etc/init.d/ipfboot start
      

  4. Confirm that IP Filter works as expected.

    Check what rules are set up on your system. The command below will show the rules for inbound and outbound, and additionally display the number of "hits" on a given rule.

      /usr/sbin/ipfstat -ioh
      

    You may also wish to run a port scan on your system to ensure that the ports you think are filtered really are. You might also find the output of "ipmon -a" interesting.
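
    The check in step 4 can be scripted. The following is an added example, not part of the original page or the IP Filter distribution: it reads "ipfstat -ioh" output (a hit count followed by the rule on each line) and reports whether a catch-all inbound block rule is loaded on the interface and which inbound pass rules have never matched. The helper name audit_ipfstat and the sample output are constructed for illustration, and a POSIX awk is assumed.

```shell
#!/bin/sh
# Added example: audit `/usr/sbin/ipfstat -ioh` output ("<hits> <rule>" per line).
# Assumes a POSIX awk; on Solaris put nawk or /usr/xpg4/bin/awk first in PATH.

# Constructed sample for an hme0 workstation (not captured from a real host).
SAMPLE_IPFSTAT='1532 pass out quick on hme0 proto tcp from any to any keep state
87 pass out quick on hme0 proto udp from any to any keep state
0 block out on hme0 all
4410 block in log on hme0 all
23 pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state
0 pass in quick on hme0 proto tcp from any to any port = 80 flags S keep state'

# audit_ipfstat IFACE  (hypothetical helper; reads ipfstat -ioh output on stdin)
# Returns 0 if a catch-all inbound block rule exists on IFACE, 1 otherwise.
audit_ipfstat() {
    awk -v ifc="$1" '
    $1 !~ /^[0-9]+$/ || NF < 3 { next }      # skip blanks and "empty list" notices
    {
        hits = $1
        rule = $0
        sub(/^[ \t]*[0-9]+[ \t]+/, "", rule)  # drop the hit counter
        sub(/[ \t]+$/, "", rule)
        on_ifc = (rule ~ ("(^| )on " ifc "( |$)"))
        # Catch-all: blocks every protocol from any source to any destination.
        if ($2 == "block" && $3 == "in" && on_ifc && rule !~ / proto / &&
            rule ~ /( all| from any to any)$/) {
            deny = 1
            print "DEFAULT-DENY hits=" hits ": " rule
        } else if ($2 == "pass" && $3 == "in") {
            # A pass-in rule with zero hits may be an opening nobody needs.
            tag = (hits == 0) ? "UNUSED-PASS-IN" : "PASS-IN"
            print tag " hits=" hits ": " rule
        }
    }
    END {
        if (!deny) print "WARNING: no catch-all inbound block rule on " ifc
        exit (deny ? 0 : 1)
    }'
}

# On a live host: /usr/sbin/ipfstat -ioh | audit_ipfstat hme0
printf '%s\n' "$SAMPLE_IPFSTAT" | audit_ipfstat hme0
```

    A non-zero exit status means no default-deny inbound rule was found for the named interface, which usually indicates that ipf.conf still refers to the wrong interface name.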

References

IP Filter Home Page
ipf HOW-TO


Last updated on 4 December 2002 by m-woo@uiuc.edu.
CITES Workstation Services Group http://www.cites.illinois.edu/wsg