illumos: manual page: ipfilter.7

IPFILTER(7) Device and Network Interfaces IPFILTER(7)

NAME

ipfilter - IP packet filtering software

DESCRIPTION

IP Filter is software that provides packet filtering capabilities on a
Solaris system. On a properly setup system, it can be used to build a
firewall.

Solaris IP Filter is installed with the Solaris operating system.
However, packet filtering is not enabled by default. See ipf(8) for a
procedure to enable and activate the IP Filter feature.

HOST-BASED FIREWALL
To simplify IP Filter configuration management, a firewall framework is
created to allow users to configure IP Filter by expressing firewall
policy at system and service level. Given the user-defined firewall
policy, the framework generates a set of IP Filter rules to enforce the
desired system behavior. Users specify system and service firewall
policies that allow or deny network traffic from certain hosts, subnets,
and interface(s). The policies are translated into a set of active IPF
rules to enforce the specified firewall policies.

Note -

Users can still specify their own ipf rule file if they choose not to
take advantage of the framework. See ipf(8) and ipf(5).

Model

This section describes the host-based firewall framework. See svc.ipfd(8)
for details on how to configure firewall policies.

In a given zone, a three-layer approach with different precedence levels
helps the user achieve the desired behaviors.

Global Default

Global Default - Default system-wide firewall policy. This policy is
automatically inherited by all services unless services modify their
firewall policy.

Network Services

Higher precedence than Global Default. A service's policy
allows/disallows traffic to its specific ports, regardless of Global
Default policy.

Global Override

Another system-wide policy that takes precedence over the needs of
specific services in Network Services layer.

Global Override
|
|
Network Services
|
|
Global Default

A firewall policy includes a firewall mode and an optional set of network
sources. Network sources are IP addresses, subnets, and local network
interfaces, from all of which a system can receive incoming traffic. The
basic set of firewall modes are:

None

No firewall, allow all incoming traffic.

Deny

Allow all incoming traffic but deny from specified source(s).

Allow

Deny all incoming traffic but allow from specified source(s).

Layers in Detail

The first system-wide layer, Global Default, defines a firewall policy
that applies to any incoming traffic, for example, allowing or blocking
all traffic from an IP address. This makes it simple to have a policy
that blocks all incoming traffic or all incoming traffic from unwanted
source(s).

The Network Services layer contains firewall policies for local programs
that provide service to remote clients, for example, telnetd, sshd, and
httpd. Each of these programs, a network service, has its own firewall
policy that controls access to its service. Initially, a service's policy
is set to inherit Global Default policy, a "Use Global Default" mode.
This makes it simple to set a single policy, at the Global Default layer,
that can be inherited by all services.

When a service's policy is different from Global Default policy, the
service's policy has higher precedence. If Global Default policy is set
to block all traffic from a subnet, the SSH service could be configured
to allow access from certain hosts in that subnet. The set of all
policies for all network services comprises the Network Service layer.

The second system-wide layer, Global Override, has a firewall policy that
also applies to any incoming network traffic. This policy has highest
precedence and overrides policies in the other layers, specifically
overriding the needs of network services. The example is when it is
desirable to block known malicious source(s) regardless of services'
policies.

User Interaction

This framework leverages IP Filter functionality and is active only when
svc:/network/ipfilter is enabled and inactive when network/ipfilter is
disabled. Similarly, a network service's firewall policy is only active
when that service is enabled and inactive when the service is disabled. A
system with an active firewall has IP Filter rules for each
running/enabled network service and system-wide policy(s) whose firewall
mode is not None.

A user configures a firewall by setting the system-wide policies and
policy for each network service. See svc.ipfd(8) on how to configure a
firewall policy.

The firewall framework composes of policy configuration and a mechanism
to generate IP Filter rules from the policy and applying those rules to
get the desired IP Filter configuration. A quick summary of the design
and user interaction:

o system-wide policy(s) are stored in network/ipfilter

o network services' policies are stored in each SMF service

o a user activates a firewall by enabling network/ipfilter (see
ipf(8))

o a user activates/deactivate a service's firewall by
enabling/disabling that network service

o changes to system-wide or per-service firewall policy results
in an update to the system's firewall rules

In-Zone and Global Zone Controlled firewalls
Each non-global zone in the system can potentially have two firewalls
configured: the in-zone firewall and the Global Zone controlled (GZ-
controlled) firewall. The in-zone firewall can be controlled and observed
inside the zone using the framework detailed above, or from the Global
Zone. The GZ-controlled firewall can only be controlled and observed from
the Global Zone. The GZ-controlled firewall is always "outermost" with
respect to the zone.

For inbound traffic (from an external source to the zone), the traffic
flow looks like the following diagram. Traffic blocked by the GZ-
controlled firewall will not be processed by the in-zone firewall.

External Source
|
|
GZ-controlled Firewall
|
|
In-Zone Firewall
|
|
Zone

For outbound traffic (from the zone to an external destination), the
traffic flow looks like the following diagram. Traffic blocked by the in-
zone firewall will not be processed by the GZ-controlled firewall.

Zone
|
|
In-Zone Firewall
|
|
GZ-controlled Firewall
|
|
External Destination

Either of the in-Zone or GZ-controlled firewalls can be enabled, or both
at the same time.

The Global Zone does not have a GZ-controlled firewall, only an in-zone
firewall. For inbound traffic (from an external source to the global
zone), the traffic flow therefore looks like the following diagram.

External Source
|
|
In-Zone Firewall
|
|
Zone

For outbound traffic (from the global zone to an external destination),
the traffic flow looks like the following diagram.

Zone
|
|
In-Zone Firewall
|
|
External Destination

ATTRIBUTES

NOTES

The ipfilter service is managed by the service management facility,
smf(7), under the service identifier:

svc:/network/ipfilter:default

Administrative actions on this service, such as enabling, disabling, or
requesting restart, can be performed using svcadm(8). The service's
status can be queried using the svcs(1) command.

IP Filter startup configuration files are stored in /etc/ipf.

October 7, 2014 IPFILTER(7)