While trying to clone a production stack for development I got a little paranoid and added some firewall rules to avoid some accidental communication between the stacks. Mainly my concern was about the poorly documented process for cloning as well as the poor use of VLANs in the client's environment. Below is a quick and dirty way to add some IPF rules to Solaris 11.

Check current rules:

<pre class="brush: bash; title: ; notranslate" title="">
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)
</pre>

Enable a custom policy:

<pre class="brush: bash; title: ; notranslate" title="">
# svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
# svccfg -s ipfilter:default listprop firewall_config_default/policy
firewall_config_default/policy astring     custom
</pre>

Custom policy file:

<pre class="brush: bash; title: ; notranslate" title="">
# svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"
# svccfg -s ipfilter:default listprop firewall_config_default/custom_policy_file
firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf
</pre>

Run the firewall service:

<pre class="brush: bash; title: ; notranslate" title="">
# svcadm refresh ipfilter:default
# svcs -a | grep ipfilter
disabled Sep_20 svc:/network/ipfilter:default

# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: disabled since September 20, 2013 12:21:20 PM PDT
Reason: Disabled by an administrator.
 See: http://support.oracle.com/msg/SMF-8000-05
 See: man -M /usr/share/man -s 5 ipfilter
Impact: This service is not running.

# svcadm enable svc:/network/ipfilter:default

# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: online since September 23, 2013 05:46:51 AM PDT
 See: man -M /usr/share/man -s 5 ipfilter
 See: /var/svc/log/network-ipfilter:default.log
Impact: None.
</pre>

Some commands to check with:

<pre class="brush: bash; title: ; notranslate" title="">
# ipfstat | grep blocked
 input packets: blocked 0 passed 176 nomatch 176 counted 0 short 0
output packets: blocked 0 passed 161 nomatch 161 counted 0 short 0
 input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0

# ipfstat -io | head
empty list for ipfilter(out)
empty list for ipfilter(in)
</pre>

Try adding a rule:

<pre class="brush: bash; title: ; notranslate" title="">
# echo "block in on ipmp1 proto tcp from 10.200.0.0/32 to any" | ipf -f -

# ipfstat -io
empty list for ipfilter(out)
block in on ipmp1 proto tcp from 10.200.0.0/32 to any
</pre>

OK, that did nothing. Let's try a better mask.

<pre class="brush: bash; title: ; notranslate" title="">
# echo "block in on ipmp1 proto tcp from 10.200.0.0/16 to any" | ipf -f -
# Timeout, server usli-dsdb-ag11.dev.asg.ad not responding.
</pre>

Hmm, that worked. I dropped myself out. Nice.
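The difference between the two attempts above is purely the mask: `/32` covers exactly one address (10.200.0.0 itself, which never sends anything), while `/16` covers all 65,536 addresses in 10.200.0.0/16, the admin session included. The following POSIX sh helper is an added example, not part of the original post: it does the same prefix comparison the packet filter does, so a proposed source mask can be checked against the address you are logged in from before the rule is loaded. The admin address 10.200.53.7 is a constructed value for the demonstration; the post does not state one.

```shell
#!/bin/sh
# Added example (not from the original post): check a proposed ipf source
# mask against the address the admin session comes from, before loading it.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/PREFIX ADDR -> exit status 0 if ADDR is inside NET/PREFIX
cidr_contains() {
    net=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    n=$(ip_to_int "$net")
    a=$(ip_to_int "$2")
    [ $(( n & mask )) -eq $(( a & mask )) ]
}

# cidr_size NET/PREFIX -> number of addresses the mask covers
cidr_size() {
    prefix=${1#*/}
    echo $(( 1 << (32 - prefix) ))
}

# Constructed admin address for the demonstration (assumption, not from the post).
ADMIN_IP=10.200.53.7

# The three source masks used in the post, checked against the admin address.
for rule in 10.200.0.0/32 10.200.0.0/16 10.200.53.110/31; do
    if cidr_contains "$rule" "$ADMIN_IP"; then
        echo "$rule ($(cidr_size "$rule") addresses) INCLUDES $ADMIN_IP: blocking it cuts off this session"
    else
        echo "$rule ($(cidr_size "$rule") addresses) does not include $ADMIN_IP"
    fi
done
```

Run it on the box (or anywhere with a POSIX shell) with the real address of your jump host in `ADMIN_IP`; if any block rule's source mask reports INCLUDES, add a `pass in quick` rule for the admin host ahead of it, or narrow the mask, before piping the rule into `ipf -f -`.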

Get in through the LDOM console and flush the rules:

<pre class="brush: bash; title: ; notranslate" title="">
# ipf -F a
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)
</pre>

Trying a more realistic rule:

<pre class="brush: bash; title: ; notranslate" title="">
# echo "block in quick from 10.200.53.110/31 to any" | ipf -f -
# ipfstat -io
block in quick from 10.200.43.70/31 to any
</pre>

Yep, that worked, as my ping failed...

<pre class="brush: bash; title: ; notranslate" title="">
# ping 10.200.53.110
</pre>

Persistence:

<pre class="brush: bash; title: ; notranslate" title="">
# ipf -f /etc/ipf/ipf.conf

# tail /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
</pre>

I thought ipf -f would add it to the file, but it did not. So I added it manually, and that worked after a reboot.

<pre class="brush: bash; title: ; notranslate" title="">
# tail -2 /etc/ipf/ipf.conf
block in quick from 10.200.43.70/31 to any
block in quick from 10.200.53.110/31 to any
</pre>
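`ipf -f` only loads rules into the running kernel; the file named in `firewall_config_default/custom_policy_file` is what the SMF service reads at boot, so persistence means writing that file yourself. The script below is an added example, not part of the original post: it writes the rule file with a `pass in quick` rule for the admin network at the top (ipf stops evaluating on the first `quick` match, so no later `block` can cut off the session loading the rules), then flushes and loads it with `ipf -Fa -f` as the Oracle docs do. The admin network 10.200.60.0/24 and the temporary output path are constructed assumptions; on a real host you would point `write_ipf_conf` at /etc/ipf/ipf.conf.

```shell
#!/bin/sh
# Added example (not from the original post): build a persistent ipf.conf
# with admin access guaranteed first, then load it.

# write_ipf_conf FILE ADMIN_CIDR BLOCK_CIDR... -> writes FILE
write_ipf_conf() {
    out=$1; admin=$2; shift 2
    {
        echo "#"
        echo "# ipf.conf"
        echo "#"
        echo "# IP Filter rules to be loaded during startup"
        echo "#"
        echo "# Admin access first: 'quick' stops evaluation on match, so"
        echo "# nothing below can override it."
        echo "pass in quick from $admin to any"
        for net in "$@"; do
            echo "block in quick from $net to any"
        done
    } > "$out"
}

# first_rule FILE -> the first non-comment, non-blank line of FILE
first_rule() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}

# rule_count FILE -> number of active (non-comment) rules in FILE
rule_count() {
    grep -v '^#' "$1" | grep -c .
}

# load_ipf_conf FILE -> flush the active ruleset and load FILE.
# Needs root and the ipf(1M) binary; on any other host it only reports.
load_ipf_conf() {
    if [ "$(id -u)" -ne 0 ] || ! command -v ipf >/dev/null 2>&1; then
        echo "skipping load: needs root and ipf(1M)" >&2
        return 0
    fi
    ipf -Fa -f "$1" && ipfstat -io
}

# Demonstration: constructed admin network plus the post's two /31 blocks.
# Written under a temporary path (assumption), not /etc/ipf/ipf.conf.
CONF=${TMPDIR:-/tmp}/ipf.conf.example
write_ipf_conf "$CONF" 10.200.60.0/24 10.200.43.70/31 10.200.53.110/31
cat "$CONF"
load_ipf_conf "$CONF"
```

Once the file is in place, `svcadm refresh ipfilter:default` followed by `ipfstat -io` shows the same three rules the file contains, with the admin `pass` line first; after a reboot the service reloads them from the same file.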

References:
http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html
http://docs.oracle.com/cd/E19253-01/816-4554/ezecx/index.html
http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html#scrolltoc
