On 11/22/10 03:17 PM, Gary wrote:
Please provide a copy of your ipf.conf. In the meantime, have you
looked at other ipfilter resources to check your rule syntax? q.v. the
config file's man page at
http://docs.sun.com/app/docs/doc/819-2251/ipf-4?l=all&a=view, this
sysadmin guide entry at
http://docs.sun.com/app/docs/doc/819-3000/eupsq?l=en&a=view, this FAQ
at http://www.phildev.net/ipf, and some of the resources listed here:
http://en.wikipedia.org/wiki/Ipfilter

-Gary
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org

Hi Gary,

  I am more concerned about not being able to enable the firewall via the GUI.

Here is my /etc/ipf/ipf.conf file, some IPs have been masked.

I know the file works, see the output from ipfstat.

r...@xxx:/etc/ipf# ipfstat -i
block in log quick from any to any with short
block in log from any to any with ipopts
pass in quick on lo0 all
block in on e1000g0 all
pass in log quick on e1000g0 proto tcp from 130.xx.xx.0/24 to any
pass in log quick on e1000g0 proto tcp from 130.xx.xx.0/24 to any
pass in log quick on e1000g0 proto tcp from 130.xx.xx.0/24 to any
pass in log quick on e1000g0 proto tcp from 130.xx.xx.0/24 to any
r...@pxxxx:/etc/ipf# ipfstat -o
pass out quick on lo0 all
block out on el000g0 all
pass out quick on e1000g0 proto icmp from any to any keep state
pass out quick on e1000g0 proto tcp/udp from any to any keep state


#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
# Block any packets which are too short to be real
block in log quick all with short

# drop and log any IP packets with options set in them.
block in log all with ipopts

# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all

block in  on e1000g0 all
block out on el000g0 all

# Allow pings out.
pass out quick on e1000g0 proto icmp all keep state

# Allow outbound state related packets
pass out quick on e1000g0 proto tcp/udp from any to any keep state

# Allow these subnets
pass in log quick on e1000g0 proto tcp from 130.xx.xx.0/24
pass in log quick on e1000g0 proto tcp from 130.xx.xx.0/24
pass in log quick on e1000g0 proto tcp from 130.xx.xx.0/24
pass in log quick on e1000g0 proto tcp from 130.xx.xx.0/24

Thanks
Paul
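
A rule-set check in the spirit of the "check your rule syntax" suggestion, added here as an example and not part of either message: it parses the posted rules, flags any `on <interface>` name that does not exist on the host, and lists interfaces left without a catch-all block rule. `KNOWN_INTERFACES` (assumed to be `lo0` and `e1000g0`) and the function names are assumptions; the sample is the posted ipf.conf with comments dropped and the four masked subnet rules collapsed to one.

```python
import difflib
import re

# Constructed sample: rules from the message above, comments dropped.
SAMPLE_RULES = """\
block in log quick all with short
block in log all with ipopts
pass in quick on lo0 all
pass out quick on lo0 all
block in  on e1000g0 all
block out on el000g0 all
pass out quick on e1000g0 proto icmp all keep state
pass out quick on e1000g0 proto tcp/udp from any to any keep state
pass in log quick on e1000g0 proto tcp from 130.xx.xx.0/24
"""
# Assumption: names of the interfaces that exist on the host (from `ifconfig -a`).
KNOWN_INTERFACES = ["lo0", "e1000g0"]
RULE_RE = re.compile(r"^(block|pass)\s+(in|out)\s+(.*)$")

def parse_rules(text):
    """Yield (line_no, action, direction, interface, catch_all) per rule."""
    for no, raw in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        action, direction, rest = m.groups()
        # Drop options that do not affect which packets the rule matches.
        words = [w for w in rest.split() if w not in ("log", "quick")]
        iface = words[1] if len(words) > 1 and words[0] == "on" else None
        yield no, action, direction, iface, words[2:] == ["all"]

def unknown_interfaces(text, known):
    """Rules naming an interface the host lacks, with the closest real name."""
    out = []
    for no, _, _, iface, _ in parse_rules(text):
        if iface and iface not in known:
            guess = difflib.get_close_matches(iface, known, n=1)
            out.append((no, iface, guess[0] if guess else None))
    return out

def missing_default_block(text, known, skip=("lo0",)):
    """(interface, direction) pairs lacking a catch-all 'block ... all' rule."""
    have = {(i, d) for _, a, d, i, c in parse_rules(text) if a == "block" and c}
    return [(i, d) for i in known if i not in skip
            for d in ("in", "out") if (i, d) not in have]

if __name__ == "__main__":
    print(unknown_interfaces(SAMPLE_RULES, KNOWN_INTERFACES))
    print(missing_default_block(SAMPLE_RULES, KNOWN_INTERFACES))
```

Under that assumption the check reports sample line 6, where the outbound block rule names `el000g0` (letter l) rather than `e1000g0`, so no catch-all outbound block applies to `e1000g0`.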