Hi all, I experimented with IP Filter last weekend. Sort of trying one service at a time and slowly building up an IP filter table that allows a Sun Ray to talk to its server through the firewall. Only looking to identify the port numbers. The From and To IP network numbers in the ipf.conf will be different in all locations anyway.

The server is running Solaris 10u5 with the latest incarnation of IP Filter (Solaris 10u4 and newer). The server has IP 192.168.1.50/24 and has an Nvidia Gigabit ethernet (nge). An external DHCP server is serving addresses to the Sun Ray on the 192.168.1.0 network. This is intended for a server with only one IP interface at this point. The philosophy is to only allow the listed ports entry into the server, and use the keep state mechanism to allow return traffic back to the server on connections initiated on the server end. Has just been tested between one server and one Sun Ray at this point. Use at your own peril, expect trial and horror. Anyway I am hopeful that the community can improve this attempt to secure a Sun Ray server. Please contribute.



#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
#
# IN Coming Rules
# BLOCK well known public networks, omit the network we are using ourselves.
#------------------------------------------------------
# first public network allowed as this is the internal net
#-----------------------------------------------------
#block in       quick on nge0 from 192.168.0.0/16 to any
#-----------------------------------------------------
#
block in        quick on nge0 from 172.16.0.0/12 to any
block in        quick on nge0 from 10.0.0.0/8 to any
block in        quick on nge0 from 169.254.0.0/16 to any
block in        quick on nge0 from 192.0.2.0/24 to any
block in        quick on nge0 from 204.152.64.0/23 to any
#----------------------------------------------------------------------------------
#
#  Don't block Multicasts by default, SRSS is probably using 224.101.101.101 in a FOG
#
#block in       quick on nge0 from 224.0.0.0/3 to any
#
#----------------------------------------------------------------------------------
#
pass in         quick on nge0 proto icmp from any to any
#
pass in         quick on nge0 proto tcp from any to any port=22
pass in         quick on nge0 proto tcp from any to any port=25
pass in         quick on nge0 proto tcp from any to any port=80
pass in         quick on nge0 proto tcp from any to any port=443
pass in         quick on nge0 proto tcp from any to any port=1600
pass in         quick on nge0 proto tcp from any to any port=1800
pass in         quick on nge0 proto tcp from any to any port=1661
pass in         quick on nge0 proto tcp from any to any port=1801
#
# Sun Ray #
pass in         quick on nge0 proto udp from any to any port=69
pass in         quick on nge0 proto udp from any to any port=514
pass in         quick on nge0 proto udp from any to any port=7007
pass in         quick on nge0 proto udp from any to any port=7008
pass in         quick on nge0 proto udp from any to any port=7009
pass in         quick on nge0 proto udp from any to any port=7010
pass in         quick on nge0 proto udp from any to any port=7011
pass in         quick on nge0 proto udp from any to any port=7012
pass in         quick on nge0 proto udp from any to any port=7013
pass in         quick on nge0 proto udp from 192.168.1.0/24 to any port 32767><65536
pass in         quick on nge0 proto tcp from any to any port=7007
pass in         quick on nge0 proto tcp from any to any port=7008
pass in         quick on nge0 proto tcp from any to any port=7009
pass in         quick on nge0 proto tcp from any to any port=7010
pass in         quick on nge0 proto tcp from any to any port=7011
pass in         quick on nge0 proto tcp from any to any port=7012
pass in         quick on nge0 proto tcp from any to any port=7013
pass in         quick on nge0 proto tcp from any to any port=7777
#
block in        quick on nge0 all
#
# OUT Bound Rules (basically needed to keep a connection open for the return packets)
#
pass out        quick on nge0 proto udp from any to any port=53 keep state
pass out        quick on nge0 proto tcp from any to any port=53 flags S keep state
pass out        quick on nge0 proto tcp from any to any port=80 flags S keep state
pass out        quick on nge0 proto tcp from any to any port=443 flags S keep state
#
# Sun Ray #
pass out        quick on nge0 proto udp from any to any port=69 keep state
pass out        quick on nge0 proto udp from any to any port=514 keep state
pass out        quick on nge0 proto udp from any to any port=7007 keep state
pass out        quick on nge0 proto udp from any to any port=7008 keep state
pass out        quick on nge0 proto udp from any to any port=7009 keep state
pass out        quick on nge0 proto udp from any to any port=7010 keep state
pass out        quick on nge0 proto udp from any to any port=7011 keep state
pass out        quick on nge0 proto udp from any to any port=7012 keep state
pass out        quick on nge0 proto udp from any to any port=7013 keep state
pass out        quick on nge0 proto udp from any to 192.168.1.0/24 port 32767><65536 keep state
pass out        quick on nge0 proto tcp from any to any port=7007 flags S keep state
pass out        quick on nge0 proto tcp from any to any port=7008 flags S keep state
pass out        quick on nge0 proto tcp from any to any port=7009 flags S keep state
pass out        quick on nge0 proto tcp from any to any port=7010 flags S keep state
pass out        quick on nge0 proto tcp from any to any port=7011 flags S keep state
pass out        quick on nge0 proto tcp from any to any port=7012 flags S keep state
pass out        quick on nge0 proto tcp from any to any port=7013 flags S keep state
pass out        quick on nge0 proto tcp from any to any port=7777 flags S keep state
#
pass out        quick on nge0 all
#
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
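To sanity-check what a rule set like the one above does before loading it with ipf, here is an added Python model of IP Filter's first-match evaluation (every rule here is "quick", so the first matching rule decides). This is example code, not the poster's configuration or ipf itself; it covers only the syntax the posted rules use and assumes that "port=" after "to" means the destination port, and that "><" is exclusive on both ends.

```python
import ipaddress

# Constructed subset of the posted ipf.conf, in the posted order.
RULES = """
block in quick on nge0 from 10.0.0.0/8 to any
pass in quick on nge0 proto udp from any to any port=7007
pass in quick on nge0 proto udp from 192.168.1.0/24 to any port 32767><65536
pass in quick on nge0 proto tcp from any to any port=22
block in quick on nge0 all
"""

def parse_rule(line):
    """Turn one ipf rule line into a dict of match criteria (None = any)."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "proto": None, "src": None, "dst": None, "port": None}
    i = 2
    while i < len(t):
        if t[i] == "proto":
            r["proto"] = t[i + 1]; i += 2
        elif t[i] == "from":
            r["src"] = None if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1]); i += 2
        elif t[i] == "to":
            r["dst"] = None if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1]); i += 2
        elif t[i].startswith("port"):
            spec = t[i][4:] or t[i + 1]      # "port=22" is one token, "port 32767><65536" is two
            i += 1 if t[i][4:] else 2
            if spec.startswith("="):
                r["port"] = (int(spec[1:]), int(spec[1:]))
            else:
                lo, hi = spec.split("><")
                r["port"] = (int(lo) + 1, int(hi) - 1)   # >< excludes both endpoints
        else:
            i += 1                            # quick, on, nge0, all: not modelled here
    return r

def matches(r, pkt):
    """True if the packet (dir, proto, src, dst, dport) satisfies every criterion."""
    if r["dir"] != pkt["dir"] or (r["proto"] and r["proto"] != pkt["proto"]):
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["dst"] and ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["port"] and not (r["port"][0] <= pkt["dport"] <= r["port"][1]):
        return False
    return True

def verdict(pkt, rules=RULES):
    """First-match ("quick") decision; ipf passes a packet no rule matches."""
    for line in rules.strip().splitlines():
        r = parse_rule(line)
        if matches(r, pkt):
            return r["action"]
    return "pass"
```

Feeding in a Sun Ray packet from an RFC 1918 source shows that the early "block from 10.0.0.0/8" wins over the later Sun Ray pass rules, and that the 32767><65536 range only admits sources in 192.168.1.0/24.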