ipfilter man page on SmartOS


IPFILTER(5)							   IPFILTER(5)

NAME
       ipfilter - IP packet filtering software

DESCRIPTION
       IP  Filter is software that provides packet filtering capabilities on a
       Solaris system. On a properly setup system, it can be used to  build  a

       Solaris	IP Filter is installed with the Solaris operating system. How‐
       ever, packet filtering is not enabled by default.  See  ipf(1M)	for  a
       procedure to enable and activate the IP Filter feature.

       To simplify IP Filter configuration management, a firewall  framework
       lets users configure IP Filter by expressing firewall  policy  at  the
       system  and  service level. Users specify system and service firewall
       policies that allow or deny network  traffic  from  certain  hosts,
       subnets, and interfaces; the framework translates those policies into
       the set of active IPF rules that enforces them.

       Note -

	 Users can still specify their own ipf rule file if they choose not to
	 take advantage of the framework. See ipf(1M) and ipf(4).

       This   section	describes   the	 host-based  firewall  framework.  See
       svc.ipfd(1M) for details on how to configure firewall policies.

       A three-layer approach with different precedence levels helps the  user
       achieve the desired behaviors.

       Global Default

	   Default system-wide firewall policy. This policy is  automatically
	   inherited  by  all  services unless a service modifies its own fire‐
	   wall policy.

       Network Services

	   Higher precedence than Global Default. A service's  policy  allows
	   or  disallows  traffic  to  its  specific ports, regardless of the
	   Global Default policy.

       Global Override

	   Another system-wide policy that takes precedence over the needs of
	   specific services in the Network Services layer.

       The layers, from highest to lowest precedence, are:

	 Global Override
	 Network Services
	 Global Default

       A firewall policy includes a firewall mode and an optional set of  net‐
       work sources. Network sources are IP addresses, subnets, and local net‐
       work interfaces, from all of which a system can receive incoming	 traf‐
       fic. The basic set of firewall modes is:

	   None
	       No firewall, allow all incoming traffic.

	   Deny
	       Allow all incoming traffic but deny from specified source(s).

	   Allow
	       Deny all incoming traffic but allow from specified source(s).

   Layers in Detail
       The  first system-wide layer, Global Default, defines a firewall policy
       that applies to any incoming traffic, for example, allowing or blocking
       all  traffic  from an IP address. This makes it simple to have a policy
       that blocks all incoming traffic or all incoming traffic from  unwanted

       The  Network  Services  layer contains firewall policies for local pro‐
       grams that provide service to remote  clients,  for  example,  telnetd,
       sshd, and httpd. Each of these programs, a network service, has its own
       firewall policy that controls access to its service. Initially, a  ser‐
       vice's  policy  is  set to inherit Global Default policy, a "Use Global
       Default" mode. This makes it simple to set  a  single  policy,  at  the
       Global Default layer, that can be inherited by all services.

       When  a	service's  policy is different from Global Default policy, the
       service's policy has higher precedence. If Global Default policy is set
       to block all traffic from a subnet, the SSH service could be configured
       to allow access from certain hosts in that subnet. The set of all poli‐
       cies for all network services comprises the Network Services layer.

       The  second  system-wide	 layer, Global Override, has a firewall policy
       that also applies to any incoming  network  traffic.  This  policy  has
       highest precedence and overrides policies in the other layers, specifi‐
       cally overriding the needs of network services. An example is when  it
       is desirable to block known malicious source(s) regardless of services'

   User Interaction
       This framework leverages IP Filter functionality	 and  is  active  only
       when  svc:/network/ipfilter is enabled and inactive when network/ipfil‐
       ter is disabled. Similarly, a network service's firewall policy is only
       active  when  that  service is enabled and inactive when the service is
       disabled. A system with an active firewall has IP Filter rules for each
       running/enabled	network	 service and system-wide policy(s) whose fire‐
       wall mode is not None.

       A user configures a firewall by setting the  system-wide	 policies  and
       policy for each network service. See svc.ipfd(1M) on how to configure a
       firewall policy.

       The firewall framework consists of policy configuration and  a  mecha‐
       nism  that  generates  IP Filter rules from the policy and applies those
       rules to arrive at the desired IP Filter configuration. A quick summary
       of the design and user interaction:

	   o	  system-wide policy(s) are stored in network/ipfilter

	   o	  network services' policies are stored in each SMF service

	   o	  a  user  activates  a	 firewall by enabling network/ipfilter
		  (see ipf(1M))

	   o	  a  user  activates  or  deactivates  a  service's  firewall  by
		  enabling or disabling that network service

	   o	  changes   to	system-wide  or	 per-service  firewall	policy
		  result in an update to the system's firewall rules
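
       The precedence scheme above and the enable/disable behaviour described
       under User Interaction can be made concrete by flattening a set of
       policies into ipf(4) rules and evaluating packets against them. The
       following POSIX shell script is an added example written for this page;
       it is not the rule generator in svc.ipfd(1M), and the rule text, the use
       of "quick" on every rule so that the first match decides, the ordering
       of the layers, the service table and all addresses are constructed for
       illustration. Interface sources are left out; only IPv4 addresses and
       CIDR prefixes are handled.

```shell
#!/bin/sh
# Added illustration for ipfilter(5), NOT the rule generator of svc.ipfd(1M):
# flatten the three policy layers into an ipf(4) rule set, then evaluate
# packets against it.  Assumed conventions: every rule carries "quick", so the
# first match decides; layers are emitted highest precedence first (Global
# Override, online network services, Global Default); sources are IPv4
# addresses or CIDR prefixes (interface sources are left out for brevity).

# ipf match clause for one source; with a port the rule is restricted to TCP.
match_clause() {    # $1 = address, CIDR or "any"; $2 = optional TCP port
    if [ -n "$2" ]; then echo "proto tcp from $1 to any port = $2"
    else echo "from $1 to any"; fi
}

# Rules for a system-wide layer: $1 = "Global Override" | "Global Default",
# $2 = mode (none|deny|allow), remaining args = sources.  Only Global Default
# ends in a catch-all for none/deny, so an Override lets unmatched traffic
# fall through to the services; an Override "allow" closes the host to all
# but the listed sources, regardless of what any service wants.
global_rules() {
    layer=$1; mode=$2; shift 2
    echo "# $layer: $mode"
    case $mode in
    none)  [ "$layer" = "Global Default" ] && echo "pass in quick all" ;;
    deny)  for src; do echo "block in quick $(match_clause "$src")"; done
           [ "$layer" = "Global Default" ] && echo "pass in quick all" ;;
    allow) for src; do echo "pass in quick $(match_clause "$src")"; done
           echo "block in quick all" ;;
    esac
    return 0
}

# Rules for one network service: $1 = name, $2 = SMF state, $3 = mode
# (use_global|none|deny|allow), $4 = TCP port, remaining args = sources.
# A service that is not online contributes no rules (its policy is inactive);
# use_global contributes none either, so traffic falls through to Global Default.
service_rules() {
    svc=$1; state=$2; mode=$3; port=$4; shift 4
    [ "$state" = online ] || return 0
    [ "$mode" = use_global ] && return 0
    echo "# $svc: $mode, tcp port $port"
    case $mode in
    none)  echo "pass in quick $(match_clause any "$port")" ;;
    deny)  for src; do echo "block in quick $(match_clause "$src" "$port")"; done
           echo "pass in quick $(match_clause any "$port")" ;;
    allow) for src; do echo "pass in quick $(match_clause "$src" "$port")"; done
           echo "block in quick $(match_clause any "$port")" ;;
    esac
    return 0
}

# Constructed scenario (sample data, not from the page).  $1 = state of
# svc:/network/ipfilter: the framework emits nothing unless it is online.
build_ruleset() {
    [ "$1" = online ] || { echo "# network/ipfilter is $1: framework inactive"; return 0; }
    global_rules  "Global Override" deny 203.0.113.0/24        # known-bad network
    service_rules ssh    online   allow      22 10.1.0.0/16    # ssh: one subnet only
    service_rules http   online   none       80                # http: open to all
    service_rules telnet disabled allow      23 10.1.0.5       # disabled: no rules
    service_rules smtp   online   use_global 25                # inherits Global Default
    global_rules  "Global Default" allow 10.0.0.0/8            # everyone else: 10/8 only
}

ip2int() {   # dotted IPv4 -> integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_net() {   # in_net ADDR NET[/LEN]: succeeds when ADDR lies inside the prefix
    net=${2%/*}; len=${2#*/}
    [ "$len" = "$2" ] && len=32
    [ "$len" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & $mask )) -eq $(( $(ip2int "$net") & $mask )) ]
}

# First-match evaluation of a rule set read from stdin for a TCP packet from
# address $1 to local port $2; prints "pass" or "block".
decide() {
    addr=$1; dport=$2
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        act=$1; src=any; port=""
        while [ $# -gt 0 ]; do
            case $1 in from) src=$2 ;; port) port=$3 ;; esac
            shift
        done
        if [ -z "$port" ] || [ "$port" = "$dport" ]; then
            if [ "$src" = any ] || in_net "$addr" "$src"; then
                echo "$act"; return 0
            fi
        fi
    done
    echo pass   # no rule matched (only when no rules exist); ipf passes by default
}

rules=$(build_ruleset online)
printf '%s\n' "$rules"
for pkt in 203.0.113.7:80 192.0.2.9:80 192.0.2.9:22 10.1.2.3:22 10.5.5.5:22 10.5.5.5:25; do
    echo "$pkt -> $(printf '%s\n' "$rules" | decide "${pkt%:*}" "${pkt#*:}")"
done
```

       Three results are worth checking against the text: 10.5.5.5 to port 22
       is blocked although Global Default admits all of 10/8, because the ssh
       policy (Network Services) outranks Global Default; 192.0.2.9 to port 80
       passes although Global Default would block it, for the same reason; and
       203.0.113.7 is blocked on every port, because Global Override outranks
       the services. The disabled telnet service contributes no rule at all,
       and with network/ipfilter not online the rule set is empty.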

ATTRIBUTES
       See attributes(5) for a description of the following attributes:

       ┌────────────────────┬─────────────────┐
       │ATTRIBUTE TYPE      │ATTRIBUTE VALUE  │
       ├────────────────────┼─────────────────┤
       │Interface Stability │Committed        │
       └────────────────────┴─────────────────┘

SEE ALSO
       svcs(1),	 ipf(1M),   ipnat(1M),	 svcadm(1M),   svc.ipfd(1M),   ipf(4),
       ipnat(4), attributes(5), smf(5)

       System Administration Guide: IP Services

NOTES
       The  ipfilter  service  is  managed by the service management facility,
       smf(5), under the service identifier:

	 svc:/network/ipfilter
       Administrative actions on this service, such as enabling, disabling, or
       requesting  restart,  can  be performed using svcadm(1M). The service's
       status can be queried using the svcs(1) command.

       IP Filter startup configuration files are stored in /etc/ipf.

				 May 20, 2009			   IPFILTER(5)
