IP Filter Host Based Firewall Using the Firewall Framework
Author: Tim Wort
This paper explores configuring the IP Filter SMF service to use the “Firewall Framework” to build a host-based firewall.
The IP Filter service can be configured through the firewall framework (a “host-based firewall”): properties set on the IP Filter SMF service and on individual SMF network services determine the automatically generated filtering rules.
A three-layer approach with different precedence levels is used.
Global Default
Default system-wide firewall policy. This policy is automatically inherited by all services unless a service modifies its own firewall policy.
Network Services
Higher precedence than Global Default. A service's policy allows or disallows traffic to its specific ports, regardless of the Global Default policy.
Global Override
Another system-wide policy that takes precedence over the needs of specific services in the Network Services layer.
The network/ipfilter:default service is responsible for two firewall policies, the Global Default and Global Override system-wide policies; it has two property groups, firewall_config_default and firewall_config_override, to store the respective system-wide policies. A per-service property group, firewall_config, stores the service's firewall policy configuration.
Below are the properties, their possible values, and the corresponding semantics:
policy
Defines the per-service, global, and override policy. Possible values are none, deny, allow, and custom. This property can be set to one of four modes:
none policy mode
No access restriction. For a global policy, this mode allows all incoming traffic. For a service policy, this mode allows all incoming traffic to its service. (default)
deny policy mode
More restrictive than none. This mode allows incoming traffic from all sources except those specified in the apply_to property.
allow policy mode
Most restrictive mode. This mode blocks incoming traffic from all sources except those specified in the apply_to property.
custom policy mode
This mode can be used if an existing IP Filter configuration, or a custom configuration that the framework cannot express, is required. This Global Default-only policy mode lets the administrator supply a text file containing the complete set of IPF rules. When custom mode is selected, the specified set of IPF rules is complete and the framework does not generate IPF rules from the configured firewall policies. The rules file location and name are specified by the firewall_config_default/custom_policy_file property.
apply_to
A multi-value property listing the network entities to which the chosen policy mode is enforced. Entities listed in apply_to are denied if policy is deny and allowed if policy is allow. The syntax for possible values is:
host:      host:IP              "host:192.168.84.14"
subnet:    network:IP/netmask   "network:129.168.1.5/24"
ippool:    pool:pool number     "pool:77"
interface: if:interface_name    "if:e1000g0"
exceptions
A multi-value property listing network entities to be excluded from the apply_to list. For example, when a deny policy is applied to a subnet, exceptions can be made for some hosts in that subnet by listing them in the exceptions property. This property has the same value syntax as apply_to.
open_ports
For the Global Default only. A non-service program that needs its incoming traffic allowed can request that the firewall allow traffic to its communication ports. This multi-value property contains protocol and port(s) tuples in the form:
"{tcp | udp}:{PORT | PORT-PORT}"
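The three layers above translate into a single IP Filter rule list in a fixed precedence order: Global Override rules first, then each service's firewall_config rules (an exception is emitted as a block before the apply_to pass, followed by an explicit block for the service's port), then the Global Default catch-all. The following Python model is an added example, not the framework's own code and not the output of a live system: it reproduces the rule text that this paper's worked examples show for the modes the paper exercises (Global Default allow, per-service allow with exceptions, Global Override deny) and evaluates a new inbound TCP connection against the list with IP Filter's first-match quick semantics. The addresses and services are the ones used in this paper. Assumptions: the pool: and if: entity forms are not modelled, services are emitted in the order given, and a global policy of none is modelled as producing no catch-all block rule (the paper does not show that listing).

```python
"""Model of how the firewall framework's three layers become IP Filter rules.

Added example: this is not the framework's code.  It reproduces the rule text
this paper shows for the modes it exercises (Global Default allow, per-service
allow with exceptions, Global Override deny) and evaluates an inbound TCP SYN
against the list with IP Filter's first-match 'quick' semantics.
"""
import ipaddress

# Tail the framework appends to every per-service TCP rule (see the paper).
SVC_TAIL = "flags S/FSRPAU keep state keep frags"


def entity_to_cidr(entity):
    """host:A.B.C.D -> A.B.C.D/32, network:N/M -> N/M (as the rules print them).
    The pool: and if: forms exist in the framework but are not modelled here."""
    kind, _, value = entity.partition(":")
    if kind == "host":
        return str(ipaddress.ip_network(value + "/32"))
    if kind == "network":
        return str(ipaddress.ip_network(value, strict=False))
    raise ValueError("entity form not modelled: " + entity)


def generate_rules(global_policy, services, override=None):
    """Return the rule list in precedence order: Global Override first, then
    each service's firewall_config, then the Global Default catch-all.
    services: iterable of (port_name, policy, apply_to, exceptions)."""
    rules = ["pass out log quick all keep state"]
    # Global Override: a deny lists sources blocked for every port and protocol.
    if override and override.get("policy") == "deny":
        for ent in override["apply_to"]:
            rules.append(f"block in log quick from {entity_to_cidr(ent)} to any")
    # Network Services: exceptions are emitted BEFORE the apply_to pass rules,
    # which is what lets a more specific exception win under 'quick'.
    for port, policy, apply_to, exceptions in services:
        if policy != "allow":          # use_global/none: nothing service-specific
            continue
        for ent in exceptions:
            rules.append(f"block in log quick proto tcp from {entity_to_cidr(ent)} "
                         f"to any port = {port} {SVC_TAIL}")
        for ent in apply_to:
            rules.append(f"pass in log quick proto tcp from {entity_to_cidr(ent)} "
                         f"to any port = {port} {SVC_TAIL}")
        rules.append(f"block in log quick proto tcp from any to any port = {port} {SVC_TAIL}")
    # Global Default: 'allow' blocks everything not explicitly passed above;
    # 'none' is modelled (assumption, not shown in the paper) as no catch-all.
    if global_policy == "allow":
        rules.append("block in log all")
    elif global_policy != "none":
        raise ValueError("global mode not modelled: " + global_policy)
    return rules


def _matches(rule, src, port):
    """Does this rule match an inbound TCP SYN from src to the named port?"""
    words = rule.split()
    if words[1] != "in":
        return False
    if "from" in words:
        frm = words[words.index("from") + 1]
        if frm != "any" and ipaddress.ip_address(src) not in ipaddress.ip_network(frm):
            return False
    if "port" in words and words[words.index("port") + 2] != port:
        return False
    return True                        # 'block in log all' reaches here


def decide(rules, src, port):
    """'pass' or 'block' for a new TCP connection from src to port.
    Every generated inbound rule is 'quick', so the first match is final;
    IP Filter's default for a packet that matches no rule is to pass it."""
    for rule in rules:
        if _matches(rule, src, port):
            return rule.split()[0]
    return "pass"


# End state of this paper's examples: global allow, telnet from chaos-gw,
# ssh from the subnet except .50, override denying the wireless gateway .45.
PAPER_SERVICES = [
    ("ssh", "allow", ["network:192.168.1.0/24"], ["host:192.168.1.50"]),
    ("telnet", "allow", ["host:192.168.1.1"], []),
]
PAPER_OVERRIDE = {"policy": "deny", "apply_to": ["host:192.168.1.45"]}

if __name__ == "__main__":
    rules = generate_rules("allow", PAPER_SERVICES, PAPER_OVERRIDE)
    print("\n".join(rules))
    for src, port in [("192.168.1.45", "ssh"), ("192.168.1.50", "ssh"),
                      ("192.168.1.60", "ssh"), ("192.168.1.60", "telnet"),
                      ("192.168.1.1", "telnet"), ("10.0.0.1", "ssh")]:
        print(f"{src:>14} -> {port:<6} {decide(rules, src, port)}")
```

Running the model with the paper's final configuration reproduces the rule set listed at the end of the override example. The decide() function makes the precedence visible: the wireless gateway 192.168.1.45 is blocked for ssh even though it lies inside the subnet the ssh service allows, because the override rule is emitted first and is quick; 192.168.1.50 is blocked for the same reason by the exceptions rule; any other subnet host passes ssh but is blocked for telnet, which only chaos-gw may reach.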
The following examples first set a global firewall policy for the host, then configure individual services to allow access to the host, and finally override the global policy to block a host.
This listing displays the firewall_config_* default properties and their default values:
root@anarchy:~# svccfg -s ipfilter:default listprop firewall_config_*
firewall_config_default com.sun,fw_configuration
firewall_config_default/apply_to astring
firewall_config_default/custom_policy_file astring
firewall_config_default/exceptions astring
firewall_config_default/open_ports astring
firewall_config_default/value_authorization astring solaris.smf.value.firewall.config
firewall_config_default/policy astring none
firewall_config_default/version count 0
firewall_config_override com.sun,fw_configuration
firewall_config_override/value_authorization astring solaris.smf.value.firewall.config
firewall_config_override/apply_to astring
firewall_config_override/policy astring none
The firewall_config_default/policy property defines the global IP Filter policy.
First the service is enabled:
root@anarchy:~# svcadm enable ipfilter:default
The IP Filter service is configured for the allow mode, which blocks all incoming traffic except traffic that is explicitly allowed:
root@anarchy:~# svccfg -s ipfilter:default
svc:/network/ipfilter:default> setprop firewall_config_default/policy = allow
svc:/network/ipfilter:default> refresh
svc:/network/ipfilter:default> exit
The customizations to the service are examined:
root@anarchy:~# svccfg -s ipfilter:default listcust
firewall_config_default/version count admin 1
firewall_config_default/policy astring admin allow
general/enabled boolean admin true
Note in the previous listing that the general/enabled property is not a default and is therefore listed as a customization.
When the IP Filter service was refreshed a filtering rule set was automatically generated and put in
place to enforce the new global policy:
root@anarchy:~# ipfstat -io
pass out log quick all keep state
block in log all
The first rule, “pass out log quick all keep state”, allows all outbound traffic and logs it (logging requires configuration; see ipfilter(5) and ipmon(1M)). The quick keyword makes this rule final for every packet it matches, so no later rules are processed; keep state adds the connection to the state table, so that inbound packets belonging to the established connection are passed through the firewall without consulting the rules.
The second rule, “block in log all”, applies the global policy and disallows every inbound packet that is not part of a connection already in the state table.
Individual SMF network services can be configured to allow or disallow traffic for that particular service; the Network Services configuration has higher precedence than the global policy and overrides it.
The next examples will enable telnet access from a single host and enable ssh access for all hosts on a
specified subnet.
The default telnet service configuration inherits the global policy from the IP Filter service. The telnet service's firewall_config properties are listed below along with their default settings:
root@anarchy:/# svccfg -s telnet listprop firewall_config
firewall_config com.sun,fw_configuration
firewall_config/apply_to astring
firewall_config/exceptions astring
firewall_config/policy astring use_global
firewall_config/value_authorization astring solaris.smf.value.firewall.config
The telnet service is enabled, it is verified that no access to the service is allowed from the remote host chaos-gw (192.168.1.1), and the service is then disabled:
root@anarchy:~# inetadm -e telnet
root@chaos-gw:~# telnet anarchy
Trying 192.168.1.189...
telnet: Unable to connect to remote host: Connection timed out
root@anarchy:~# inetadm -d telnet
The firewall_config/policy is set to allow:
root@anarchy:~# svccfg -s telnet setprop firewall_config/policy = allow
The firewall_config/apply_to property is set to host:192.168.1.1; with an allow policy the apply_to property “allows” access from this host to the telnet service:
root@anarchy:~# svccfg -s telnet setprop firewall_config/apply_to = host:192.168.1.1
The service is refreshed:
root@anarchy:~# svccfg -s telnet refresh
The customizations are listed:
root@anarchy:~# svccfg -s telnet listcust
firewall_config/policy astring admin allow
firewall_config/apply_to astring admin host:192.168.1.1
The telnet service is enabled again and the generated rule set is listed:
root@anarchy:~# ipfstat -io
pass out log quick all keep state
pass in log quick proto tcp from 192.168.1.1/32 to any port = telnet flags S/FSRPAU keep state keep frags
block in log quick proto tcp from any to any port = telnet flags S/FSRPAU keep state keep frags
block in log all
Two new rules are added to the rule set. The first new rule, “pass in log quick proto tcp from 192.168.1.1/32 to any port = telnet flags S/FSRPAU keep state keep frags”, passes inbound TCP packets from 192.168.1.1 (chaos-gw) to the telnet port.
The first packet of a TCP connection has only the SYN flag set. The S/FSRPAU statement matches packets in which, of the flags FSRPAU, only SYN is set; later segments of the connection are then admitted by the state entry created by keep state rather than by this rule.
keep frags keeps fragment information for the connection so that later fragments are handled with it.
The second new rule blocks all other telnet packets explicitly.
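The flags S/FSRPAU clause is a set/mask test on the TCP flags byte. The following Python function is an added example (not code from the paper or from IP Filter) that evaluates such a clause the way the rule does: the bits named in the mask must equal exactly the bits named in the set, and bits outside the mask are ignored. This is why the pass rule admits only the connection-opening SYN, and why a SYN carrying the ECN bits (which FSRPAU does not cover) still matches. The model requires the explicit SET/MASK form rather than assuming a default mask; the TCP segments in the main block are constructed for illustration.

```python
"""How an IP Filter 'flags SET/MASK' clause such as S/FSRPAU is evaluated.

Added example, not code from the paper or from IP Filter: the clause matches
when, of the flag bits named in MASK, exactly those named in SET are on.
Bits outside the mask are ignored.  Letters follow ipf's
F S R P A U = FIN SYN RST PSH ACK URG.
"""

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ECE, CWR = 0x40, 0x80          # ECN bits; not part of the FSRPAU mask


def parse_flags_clause(clause):
    """'S/FSRPAU' -> (set_bits, mask_bits).  The explicit SET/MASK form is
    required by this model so that no default mask has to be assumed."""
    set_part, slash, mask_part = clause.partition("/")
    if not slash:
        raise ValueError("use the explicit SET/MASK form, e.g. S/FSRPAU")
    to_bits = lambda letters: sum(TCP_FLAG_BITS[c] for c in letters)
    set_bits, mask_bits = to_bits(set_part), to_bits(mask_part)
    if set_bits & ~mask_bits:
        raise ValueError("every SET flag must also appear in MASK")
    return set_bits, mask_bits


def flags_match(clause, tcp_flags):
    """True if a segment with this TCP flags byte satisfies the clause."""
    set_bits, mask_bits = parse_flags_clause(clause)
    return (tcp_flags & mask_bits) == set_bits


def describe(tcp_flags):
    """Render a flags byte as ipf letters, plus E/C for the ECN bits."""
    letters = "".join(k for k, v in TCP_FLAG_BITS.items() if tcp_flags & v)
    letters += "E" if tcp_flags & ECE else ""
    letters += "C" if tcp_flags & CWR else ""
    return letters or "-"


S, A, F, P = (TCP_FLAG_BITS[k] for k in "SAFP")

if __name__ == "__main__":
    # Constructed segments: handshake steps, a mid-connection ACK, an ECN
    # capable SYN, a SYN+FIN probe and a data segment.
    for flags in (S, S | A, A, S | ECE | CWR, S | F, A | P):
        print(f"{describe(flags):<6} S/FSRPAU -> {flags_match('S/FSRPAU', flags)}")
```

Only the plain SYN and the ECN-marked SYN satisfy S/FSRPAU; the SYN+ACK, the pure ACK, the SYN+FIN probe and the data segment do not. Compare S/SA, a common alternative that ignores every flag except SYN and ACK: it accepts a SYN with PSH set, which S/FSRPAU rejects.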
The new rules are verified by connecting from the chaos-gw host:
root@chaos-gw:~# telnet anarchy
Trying 192.168.1.189...
Connected to anarchy.
Escape character is '^]'.
login: tim
Password:
Last login: Fri Jul 18 11:37:11 on term/a
Oracle Corporation SunOS 5.11 11.1 March 2014
tim@anarchy:~$
The next example enables the ssh service for all hosts on the 192.168.1.0/24 subnet.
The ssh network service is enabled by default. The firewall_config/policy is set to allow, firewall_config/apply_to is set to network:192.168.1.0/24, the host 192.168.1.50 is excluded through firewall_config/exceptions, and the refresh command is sent to the service; in this example the editprop svccfg(1M) subcommand is used:
root@anarchy:~# svccfg -s ssh editprop
##
## Change property values by removing the leading '#' from the
## appropriate lines and editing the values. svccfg subcommands
## such as delprop can also be added to the script.
##
setprop firewall_config/policy = allow
setprop firewall_config/apply_to = network:192.168.1.0/24
setprop firewall_config/exceptions = host:192.168.1.50
## Uncomment to apply these changes to all instances of this service.
refresh
~
~
~
(:wq!)
The customization is verified:
root@anarchy:~# svccfg -s ssh listcust
firewall_config/apply_to astring admin network:192.168.1.0/24
firewall_config/policy astring admin allow
firewall_config/exceptions astring admin host:192.168.1.50
The newly generated rule set is examined:
root@anarchy:~# ipfstat -io
pass out log quick all keep state
block in log quick proto tcp from 192.168.1.50/32 to any port = ssh flags S/FSRPAU keep state keep frags
pass in log quick proto tcp from 192.168.1.0/24 to any port = ssh flags S/FSRPAU keep state keep frags
block in log quick proto tcp from any to any port = ssh flags S/FSRPAU keep state keep frags
pass in log quick proto tcp from 192.168.1.1/32 to any port = telnet flags S/FSRPAU keep state keep frags
block in log quick proto tcp from any to any port = telnet flags S/FSRPAU keep state keep frags
block in log all
Three new rules are added. The first blocks ssh traffic from the host with IP address 192.168.1.50 and is a result of the exceptions property. The second rule allows ssh traffic from the 192.168.1.0/24 subnet and the third rule blocks all other ssh traffic. Note that the framework emits the exception's block rule before the subnet's pass rule; since every rule is quick, this ordering is what makes the more specific exception win over the broader apply_to entry.
On this network there is a wireless gateway that NATs packets from wireless devices to the gateway's IP address, 192.168.1.45. The next example adds an override policy to the IP Filter service to block traffic from the gateway 192.168.1.45 to the firewall host. The override properties take precedence over the Global Default policy of the IP Filter service and over the individual network services.
The firewall_config_override/policy is set to deny, the firewall_config_override/apply_to property is set to host:192.168.1.45, and the service is refreshed:
root@anarchy:~# svccfg -s ipfilter:default setprop firewall_config_override/apply_to = host:192.168.1.45
root@anarchy:~# svccfg -s ipfilter:default setprop firewall_config_override/policy = deny
root@anarchy:~# svccfg -s ipfilter:default refresh
The customizations are verified:
root@anarchy:~# svccfg -s ipfilter:default listcust
firewall_config_default/policy astring admin allow
firewall_config_default/version count admin 1
firewall_config_override/apply_to astring admin host:192.168.1.45
firewall_config_override/policy astring admin deny
The new rule set is examined:
root@anarchy:~# ipfstat -io
pass out log quick all keep state
block in log quick from 192.168.1.45/32 to any
block in log quick proto tcp from 192.168.1.50/32 to any port = ssh flags S/FSRPAU keep state keep frags
pass in log quick proto tcp from 192.168.1.0/24 to any port = ssh flags S/FSRPAU keep state keep frags
block in log quick proto tcp from any to any port = ssh flags S/FSRPAU keep state keep frags
pass in log quick proto tcp from 192.168.1.1/32 to any port = telnet flags S/FSRPAU keep state keep frags
block in log quick proto tcp from any to any port = telnet flags S/FSRPAU keep state keep frags
block in log all
Note the new block rule (the second rule entry): it is placed ahead of every per-service rule, so no service's allow policy can admit traffic from 192.168.1.45. When a service is disabled the IP Filter service regenerates the rules. To remove the individual network service customizations and restore the service's defaults, the svccfg(1M) delcust subcommand can be used:
root@anarchy:~# svccfg -s telnet delcust
Deleting customizations for service: network/telnet
root@anarchy:~# svccfg -s telnet listcust
root@anarchy:~# svccfg -s telnet listprop firewall_config
firewall_config com.sun,fw_configuration
firewall_config/value_authorization astring solaris.smf.value.firewall.config
firewall_config/exceptions astring
firewall_config/apply_to astring
firewall_config/policy astring use_global
The default for the telnet service is to be disabled:
root@anarchy:~# svcs telnet
STATE STIME FMRI
disabled 13:32:57 svc:/network/telnet:default
The steps are repeated for the ssh network service:
root@anarchy:~# svccfg -s ssh delcust
Deleting customizations for service: network/ssh
The default for the ssh service is to be enabled:
root@anarchy:~# svcs ssh
STATE STIME FMRI
online 13:06:55 svc:/network/ssh:default
root@anarchy:~# svccfg -s ssh listprop firewall_config
firewall_config com.sun,fw_configuration
firewall_config/value_authorization astring solaris.smf.value.firewall.config
firewall_config/apply_to astring
firewall_config/policy astring use_global
firewall_config/exceptions astring
The svccfg(1M) delcust subcommand is used to clear the IP Filter service as well. Because general/enabled was itself listed as a customization, delcust also disables the IP Filter service, and the host is left with no filtering rules at all, as the empty rule lists show:
root@anarchy:~# svccfg -s ipfilter:default delcust
Deleting customizations for instance: default
root@anarchy:~# svcs ipfilter:default
STATE STIME FMRI
disabled 13:39:07 svc:/network/ipfilter:default
root@anarchy:~# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)
In the last example a service that does not contain the firewall_config property group is configured to use the firewall framework.
The network service svc:/application/x11/xvnc-inetd:default does not have a firewall_config property group, as shown by the first svccfg(1M) listprop subcommand below, which prints nothing. The svccfg command is used to add the property group and define the properties:
root@anarchy:~# svccfg -s xvnc-inetd:default
svc:/application/x11/xvnc-inetd:default> listprop firewall_config
svc:/application/x11/xvnc-inetd:default> addpg firewall_config com.sun,fw_configuration
svc:/application/x11/xvnc-inetd:default> setprop firewall_config/value_authorization = astring: solaris.smf.value.firewall.config
svc:/application/x11/xvnc-inetd:default> setprop firewall_config/policy = astring: allow
svc:/application/x11/xvnc-inetd:default> setprop firewall_config/apply_to = astring: network:192.168.1.0/24
svc:/application/x11/xvnc-inetd:default> listcust
general/enabled boolean admin true
inetd_start method admin
inetd_start/exec astring admin "/usr/bin/Xvnc -geometry 1280x720 -inetd -query localhost -once securitytypes=none"
firewall_config com.sun,fw_configuration admin
firewall_config/value_authorization astring admin solaris.smf.value.firewall.config
firewall_config/policy astring admin allow
firewall_config/apply_to astring admin network:192.168.1.0/24
svc:/application/x11/xvnc-inetd:default> refresh
svc:/application/x11/xvnc-inetd:default> exit
The service must be restarted to read the new property group. Note that the Xvnc command line recorded in inetd_start/exec uses securitytypes=none, that is, no VNC-protocol authentication, so the apply_to restriction to 192.168.1.0/24 is doing real work: anyone who can reach the port is presented directly with the display manager's login prompt.
The updated rules are displayed:
root@anarchy:~# ipfstat -io
pass out log quick all keep state
pass in log quick proto tcp from 192.168.1.0/24 to any port = vnc-server flags S/FSRPAU keep state keep frags
block in log quick proto tcp from any to any port = vnc-server flags S/FSRPAU keep state keep frags
block in log quick proto tcp from 192.168.1.50/32 to any port = ssh flags S/FSRPAU keep state keep frags
pass in log quick proto tcp from 192.168.1.0/24 to any port = ssh flags S/FSRPAU keep state keep frags
block in log quick proto tcp from any to any port = ssh flags S/FSRPAU keep state keep frags
block in log all