Solaris ipfilter pools
wordpress meta
title: 'Solaris Ipfilter Pools'
date: '2014-09-19T08:24:12-05:00'
status: publish
permalink: /solaris-ipfilter-pools
author: admin
excerpt: ''
type: post
id: 737
category:
- Firewall
- Solaris
tag: []
post_format: []
I wasn't aware before that ipfilter (ipf) has a concept of pools, i.e. named lists of IP addresses and networks that rules can reference.
I previously had a basic article on enabling ipf in Solaris; what follows here is a little on pools.
** Note: this was a Solaris 10 LDOM, so the NIC was vnet0. Check your own NIC name; it is most likely net0 in Solaris 11.
Set up the pools you need as follows.
# pwd
/etc/ipf
# cat ippool.conf
### Pool 13 some essential static addresses
table role = ipf type = tree number = 13
{ 10.1.11.34/32, 10.2.10.6/32 };
### Pool 14 some temporary IP's
table role = ipf type = tree number = 14
{ 192.168.8.0/24, 10.200.97.82/32 };
Use the pools in your ipf.conf.
# cat ipf.conf
[...]
pass in quick on lo0 all
pass out quick on lo0 all
### Block all inbound and outbound traffic by default
block in log on vnet0 all head 100
block out log on vnet0 all head 150
### Allow inbound SSH connections
pass in quick on vnet0 proto tcp from any to 10.1.11.87 port = 22 keep state group 100
### Use /etc/ipf/ippool.conf for pools
pass in on vnet0 from pool/13 group 100
pass in on vnet0 from pool/14 group 100
### Allow my box to utilize all UDP, TCP and ICMP services
pass out quick all
Of course, flush the rules and reload them from the file.
# ipf -Fa -f /etc/ipf/ipf.conf
Check the running set.
# ipfstat -io
pass out quick on lo0 all
block out log on vnet0 all head 150
pass out quick all
# Group 150
pass in quick on lo0 all
block in log on vnet0 all head 100
# Group 100
pass in quick on vnet0 proto tcp from any to 10.1.11.87/32 port = ssh keep state group 100
pass in on vnet0 from pool/13 to any group 100
pass in on vnet0 from pool/14 to any group 100
Note that after updating the pools you may need to reload them as well.
# ippool -F; ippool -f /etc/ipf/ippool.conf
For me that did not always work, so I also restarted the service.
# svcadm disable ipfilter
# svcadm refresh ipfilter
# svcadm enable ipfilter
Listing the loaded pools will save you a lot of time root-causing rules that are actually correct but reference a pool that is not loaded.
# ippool -l
table role = ipf type = tree number = 14
{ 192.168.8.0/24; 10.200.97.82/32; };
table role = ipf type = tree number = 13
{ 10.1.11.34/32; 10.2.10.6/32 };
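A small pre-flight check along the same lines, added here as an example and not part of the original post: it reads an ippool.conf and an ipf.conf and reports any pool/N a rule references that the pool file never defines. The file contents below are constructed samples mirroring the post's config, with a deliberate extra reference to an undefined pool/15.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the pool/N
# references in an ipf.conf against the pools defined in an ippool.conf,
# catching rules that point at a pool that was never loaded.

# Pool numbers defined in an ippool.conf, one per line:
# "table role = ipf type = tree number = 13" -> 13
defined_pools() {
    sed -n 's/^[[:space:]]*table[[:space:]].*number[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Pool numbers referenced as pool/N in an ipf.conf, deduplicated.
referenced_pools() {
    grep -o 'pool/[0-9][0-9]*' "$1" | sed 's|^pool/||' | sort -un
}

# Report every referenced pool with no definition; 0 if all resolve, else 1.
check_pools() {
    rc=0
    for n in $(referenced_pools "$1"); do
        if ! defined_pools "$2" | grep -qx "$n"; then
            echo "pool/$n is used in $1 but not defined in $2"
            rc=1
        fi
    done
    return $rc
}
# Constructed sample files mirroring the post's config, plus a deliberate
# reference to an undefined pool/15, written into directory $1.
write_samples() {
    cat > "$1/ippool.conf" <<'EOF'
### Pool 13 some essential static addresses
table role = ipf type = tree number = 13
{ 10.1.11.34/32, 10.2.10.6/32 };
### Pool 14 some temporary IP's
table role = ipf type = tree number = 14
{ 192.168.8.0/24, 10.200.97.82/32 };
EOF
    cat > "$1/ipf.conf" <<'EOF'
block in log on vnet0 all head 100
pass in on vnet0 from pool/13 group 100
pass in on vnet0 from pool/14 group 100
pass in on vnet0 from pool/15 group 100
EOF
}
# Stand-alone run on the constructed samples; expect a complaint about pool/15.
d=$(mktemp -d); write_samples "$d"
check_pools "$d/ipf.conf" "$d/ippool.conf" || echo "fix ipf.conf before reloading"
rm -rf "$d"
```

Point check_pools at the real /etc/ipf/ipf.conf and /etc/ipf/ippool.conf before running ipf -Fa -f; it only reads the files and does not touch the running rule set.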
As always with firewalls: test, test, test.