For people running older versions of Solaris, like 8 and 9, the firewall of choice to install was ipfilter. With Solaris 10 it has become the default, built into the OS. This is a short post about adding configuration settings for IPv6; I plan to cover IPv4 in detail in a later post.
One thing to note is that ipfilter must load its IPv6 rules from a separate file. In Solaris 10 the default location for the filter rules is /etc/ipf, where the IPv4 and IPv6 rule sets live in separate files, the IPv6 rules in ipf6.conf. Here is a sample of the current file on one of my servers:
# IPv6 Filter rules to be loaded during startup
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
pass in all
pass in from ::1/128 to ::1/128
pass out quick on vnet0 proto tcp from any to any keep state
pass out quick on vnet0 proto udp from any to any keep state
# PASS IN
pass in quick on vnet0 proto tcp from 2600:5000:3::/64 to 2600:5000:3::92
block in quick on vnet0 proto tcp from any to 2600:5000:3::92
This file is meant to allow all local traffic from the localhost address while also allowing all TCP/UDP traffic out. It then allows all traffic from within our local IPv6 server farm and excludes all TCP traffic from any other address to the IPv6 interface on 2600:5000:3::92. Rule order matters here: ipfilter applies the last rule that matches a packet unless a matching rule is marked quick, in which case evaluation stops at that rule, so the two quick rules at the end decide inbound TCP to that address before the leading pass in all can.
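To see how that ordering plays out, here is an added example (not part of the original post or of ipfilter itself) that parses the subset of ipf(4) syntax used above and evaluates sample packets with the same last-match-wins-unless-quick logic; the rule text is a constructed copy of the file above, and the sample addresses in the test are made up.

```python
import ipaddress
# Constructed copy of the ipf6.conf rule set shown in the post.
IPF6_CONF = """\
pass in all
pass in from ::1/128 to ::1/128
pass out quick on vnet0 proto tcp from any to any keep state
pass out quick on vnet0 proto udp from any to any keep state
pass in quick on vnet0 proto tcp from 2600:5000:3::/64 to 2600:5000:3::92
block in quick on vnet0 proto tcp from any to 2600:5000:3::92
"""

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rules(text):
    """Parse the subset of ipf(4) syntax used in the post into rule dicts."""
    rules = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()   # strip comments and blank lines
        if not tok:
            continue
        rule = {"action": tok[0], "dir": tok[1], "quick": False,
                "iface": None, "proto": None, "src": None, "dst": None}
        i = 2
        while i < len(tok):
            if tok[i] == "quick":
                rule["quick"] = True
            elif tok[i] in ("on", "proto"):
                rule["iface" if tok[i] == "on" else "proto"] = tok[i + 1]
                i += 1
            elif tok[i] == "from":             # "from SRC to DST"
                rule["src"], rule["dst"] = _net(tok[i + 1]), _net(tok[i + 3])
                i += 3
            i += 1          # "all", "keep", "state" add no constraint here
        rules.append(rule)
    return rules

def evaluate(rules, direction, iface, proto, src, dst):
    """ipfilter semantics: the last matching rule wins unless a match is 'quick'."""
    verdict = "pass"   # a packet that matches no rule is passed
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["dir"] == direction and r["iface"] in (None, iface)
                and r["proto"] in (None, proto)
                and (r["src"] is None or src in r["src"])
                and (r["dst"] is None or dst in r["dst"])):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict
```

Running inbound UDP from an outside address through it returns "pass", because the leading pass in all carries no quick and nothing later matches non-TCP traffic; checking each protocol you care about this way is a quick sanity test before loading a rule set.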
Flush the active rules and load the ipf6.conf file into the running firewall:
# ipf -v -6 -Fa -f /etc/ipf/ipf6.conf
Display a summary of the input and output rule lists with ipfstat:
# ipfstat -io
Now you can test your rule set from another machine while monitoring the state table with ipmon:
# ipmon -s S
The ipmon command can also run as a daemon and can write its output to a file or to syslog.