ipfilter and ipv6

For people running older versions of Solaris, like 8/9, the firewall of choice to install was ipfilter. Now, with Solaris 10 it has become the default, built-in with the OS. I wanted to do a short post about adding configuration settings for ipv6 and plan to cover ipv4 in detail in a later post.

One thing to note is that ipfilter must run it’s ipv6 rules under a separate file. In Solaris 10, the default location for the filter rules is in /etc/ipf and the firewall rules are located in the files ipf.conf and ipf6.conf for ipv4 and ipv6 respectfully. Here is a sample of the current file on one of my servers,

# ipf6.conf
# IPv6 Filter rules to be loaded during startup
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
pass in all
pass in from ::1/128 to ::1/128
pass out quick on vnet0 proto tcp from any to any keep state
pass out quick on vnet0 proto udp from any to any keep state
pass in quick on vnet0 proto tcp from 2600:5000:3::/64 to 2600:5000:3::92
block in quick on vnet0 proto tcp from any to 2600:5000:3::92

The current file is expected to allow all local traffic from the localhost address while also allowing all tcp/udp traffic out. Then the configuration allows all traffic from within our local ipv6 server farm and excludes all tcp traffic from any other address to the ipv6 interface on 2600:5000:3::92.

Flush and reload rules in the ipf6.conf file into the active firewall,

# ipf -v -6 -Fa -f /etc/ipf/ipf6.conf

Display a summary of the input/output list using the ipfstat command,

# ipfstat -io

Now you can test your rule set from another machine while monitoring  the state table with the ipmon command,

# ipmon -s S

The ipmon command can also run as a daemon as well as be used to output results to a file or to syslog.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s