One of the first things you'll likely encounter when migrating from Linux to OpenSolaris is, eh, where is iptables?
Well, in OpenSolaris the firewall is called IPFilter (IPF). Much like iptables it can do a great deal, but outlining every possibility is beyond the scope of this article. Instead, this is a crash course on getting the basics of IPF working the way a simple iptables setup does.
For this example we'll assume that the iptables ruleset we want to emulate in IPF looks like this:
# Generated by iptables-save v1.3.3 on Fri Aug 24 16:35:55 2007
*filter
:INPUT ACCEPT [1337:132496]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:45732]
# Allow the localhost to operate without restriction
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow SSH access from VPN clients
-A INPUT -s 192.168.0.64 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.69 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Send ssh traffic only to our subnet
-A OUTPUT -p tcp --sport 22 -d 192.168.0.64 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -d 192.168.0.69 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j REJECT
COMMIT

This is a very simple firewall: it allows access to the machine from 192.168.0.69 and 192.168.0.64 on port 22 (ssh) and rejects (with an ICMP host-prohibited error) all other inbound traffic.
Here is the same functionality using IPF:
#
# ipf.conf
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
# Allow SSH only from the two VPN clients; 'flags S' matches the opening SYN and
# 'keep state' lets the rest of the session (both directions) through.
pass in quick on rge0 proto tcp from 192.168.0.64 to any port = 22 flags S keep state
pass in quick on rge0 proto tcp from 192.168.0.69 to any port = 22 flags S keep state
# Network - Block everything not explicitly allowed.
block in on rge0 all
block out on rge0 all

Here is the breakdown of what the different switches are doing.
In the example above we start by allowing (pass) inbound traffic (in) on the loopback adapter (lo0) for everything (all); the quick keyword tells IPF to stop evaluating rules as soon as this one matches. Then we do the same thing for the outbound side of the loopback (out).
Next we allow (pass) inbound (in) TCP traffic (proto tcp) on the Ethernet device rge0 (you can find the device names with ifconfig -a, just as on Linux) from each client's IP address (192.168.0.64 and 192.168.0.69) to any address on this machine on port 22. The flags S part matches only the SYN packet that opens a connection, and keep state records the session so that its remaining packets, in both directions, are handled by the state table rather than the rule list. That is what lets the SSH replies out even though the last rule blocks all other outbound traffic on rge0.
Finally, the two block rules catch anything not explicitly allowed. They have no quick, but IPF keeps the last matching rule, and since these come last and match everything, any packet that was not already passed by a quick rule is blocked. Note that this is stricter than the iptables OUTPUT chain above, whose default policy was ACCEPT: with block out on rge0 all, connections started by this host itself are blocked as well unless you add a pass out rule (with keep state) for them.
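The mapping walked through above can be done mechanically, which is a useful way to check that nothing was lost in translation. The script below is an added example, not the article's code and not an IPFilter tool. It parses the iptables-save subset used on this page (filter table, INPUT/OUTPUT chains, the -i/-s/-d/-p/--sport/--dport/-m state matchers, ACCEPT/REJECT/DROP targets) and emits ipf.conf rules. Assumptions: the Linux lo interface becomes lo0 and every other rule is pinned to rge0 (the article's NIC); REJECT and DROP both become block, as the hand-written ipf.conf does; each chain's default policy is emitted first as a non-quick rule and the chain's own rules after it with quick, which reproduces iptables' first-match order under IPF's last-match-unless-quick rule. It goes a little beyond the article's version: the iptables ESTABLISHED rule is turned into keep state on the OUTPUT policy, so connections the host starts still get their replies back, and the sport-22 REJECT is translated as written instead of as block out all.

```python
"""iptables-save -> ipf.conf translation for the subset used above. Added example,
not the article's code; REJECT and DROP both become 'block', as the ipf.conf above does."""
import shlex

IFACE_MAP = {"lo": "lo0"}   # assumed: iptables 'lo' is lo0 on Solaris
DEFAULT_IFACE = "rge0"      # assumed: every other rule is pinned to the article's NIC
# Options we translate; every option in this subset takes exactly one value.
FIELDS = {"-A": "chain", "-i": "iface", "-s": "src", "-d": "dst", "-p": "proto",
          "--sport": "sport", "--dport": "dport", "-j": "target"}

# Constructed input: the article's iptables-save output (filter table).
SAMPLE = """\
*filter
:INPUT ACCEPT [1337:132496]
:OUTPUT ACCEPT [463:45732]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.64 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.69 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp --sport 22 -d 192.168.0.64 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -d 192.168.0.69 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j REJECT
COMMIT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the fields we translate."""
    toks = shlex.split(line)
    rule = {"states": set()}
    for opt, val in zip(toks[::2], toks[1::2]):
        if opt in FIELDS:
            rule[FIELDS[opt]] = val
        elif opt == "--state":
            rule["states"] = set(val.split(","))
        elif opt not in ("-m", "--reject-with"):  # module names / reject type: no IPF meaning
            raise ValueError("unsupported option %r in: %s" % (opt, line))
    return rule

def parse_iptables_save(text):
    """Return ({chain: policy}, [rule, ...]) from iptables-save output."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("*filter", "COMMIT"):
            continue
        if line.startswith(":"):  # ':INPUT ACCEPT [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        else:
            rules.append(parse_rule(line))
    return policies, rules

def ipf_rule(r):
    """Render one parsed rule as an IPF rule line (or a comment where IPF needs none)."""
    direction = {"INPUT": "in", "OUTPUT": "out"}[r["chain"]]  # FORWARD is out of scope
    has_sel = any(k in r for k in ("src", "dst", "proto", "sport", "dport"))
    if r["states"] == {"ESTABLISHED"} and r["target"] == "ACCEPT" and not has_sel:
        # Replies are matched by the state table 'keep state' creates, not by a rule.
        return "# ESTABLISHED-only accept: covered by 'keep state' on the opening rule"
    action = "pass" if r["target"] == "ACCEPT" else "block"
    iface = r.get("iface", DEFAULT_IFACE)
    parts = [action, direction, "quick", "on", IFACE_MAP.get(iface, iface)]
    if not has_sel:
        parts.append("all")
    else:
        if "proto" in r:
            parts += ["proto", r["proto"]]
        parts += ["from", r.get("src", "any")]
        if "sport" in r:
            parts += ["port", "=", r["sport"]]
        parts += ["to", r.get("dst", "any")]
        if "dport" in r:
            parts += ["port", "=", r["dport"]]
    if action == "pass" and "NEW" in r["states"]:
        if r.get("proto") == "tcp":
            parts += ["flags", "S"]  # match only the SYN that opens the session
        parts += ["keep", "state"]
    return " ".join(parts)

def translate(text):
    """Emit the ruleset: each chain's policy first as a non-quick rule (IPF keeps the
    last match unless 'quick' ends evaluation), then that chain's rules with 'quick'."""
    policies, rules = parse_iptables_save(text)
    established = {r["chain"] for r in rules
                   if r["states"] == {"ESTABLISHED"} and r["target"] == "ACCEPT"}
    out = []
    for chain, direction in (("INPUT", "in"), ("OUTPUT", "out")):
        policy = policies.get(chain, "ACCEPT")
        line = "%s %s on %s all" % ("pass" if policy == "ACCEPT" else "block",
                                    direction, DEFAULT_IFACE)
        # iptables admits replies via its ESTABLISHED rule; in IPF the rule that opens
        # the connection must keep state, so the opposite chain's policy rule gets it.
        if policy == "ACCEPT" and ("OUTPUT" if chain == "INPUT" else "INPUT") in established:
            line += " keep state"
        out += ["# %s chain, policy %s" % (chain, policy), line]
        out += [ipf_rule(r) for r in rules if r["chain"] == chain]
    return "\n".join(out)

if __name__ == "__main__":
    print(translate(SAMPLE))
```

Run it with the output redirected into a file, read the result next to the hand-written version above, and then load it on the OpenSolaris box the way you would any ipf.conf: ipf -Fa -f /etc/ipf/ipf.conf flushes the active rules and loads the file, ipfstat -io lists what is now in effect for each direction, and the service that loads it at boot is enabled with svcadm enable network/ipfilter. The script deliberately refuses any option it does not understand rather than silently dropping it, so a ruleset that uses matchers outside this subset fails loudly instead of producing a firewall with a hole in it.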
Below is a breakdown of the options for the switches:
ACTION IN-OUT OPTIONS SELECTION PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG STATEFUL
ACTION = block | pass
IN-OUT = in | out
OPTIONS = log | quick | on interface-name
SELECTION = proto value | source/destination IP | port = number | flags flag-value
PROTO = tcp/udp | udp | tcp | icmp
SRC_ADDR,DST_ADDR = all | from object to object
OBJECT = IP address | any
PORT_NUM = port number
TCP_FLAG = flags S
STATEFUL = keep state

To get a more meaningful understanding of how IPF works, check out the IPF page on freebsd.org and also read the man page:
man ipf

I wanted to keep this tutorial on the short side, but if you need more details please ask below and I'll respond.