This is how to set up IP Filter (ipfilter) on Solaris 10 as a three-interface firewall/NAT box (bge0 and bge1 internal, bge2 external).
1. Create configuration files in /etc/ipf and enable ipfilter service
# vi /etc/ipf/ippool.conf
table role=ipf type=tree number=10 { 0.0.0.0/8; 10.0.0.0/8; 127.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.0.2.0/24; 192.168.0.0/16; 204.152.64.0/23; 224.0.0.0/3; };
# vi /etc/ipf/ipf.conf
#### set intercept_loopback false;
#set intercept_loopback true;
#### Let's define our interfaces, pools, networks and even hosts
#### see /etc/ipf/ippool.conf for the definition of $ext_pool and $forbidden_net
int1_if = "bge0";
int2_if = "bge1";
ext_if = "bge2";
int1_net = "1.2.3.0/25";
int2_net = "2.3.4.0/27";
ext_net = "4.5.6.0/27";
host1 = "1.2.3.1/32";
host2 = "2.3.4.2/32";
host3 = "4.5.6.3/32";
forbidden_net = "pool/10";
# This is the default rules - block everything
## Let's group in and out traffic in separate groups:
#### "in" - group 1, "out" - group 2
block in quick all head 1
block out quick all head 2
## Let's further divide firewall processing using groups:
#### GROUP 1 (in)
block in quick log first on $int1_if all head 10 group 1
block in quick log first on $int2_if all head 15 group 1
block in quick log first on $ext_if all head 20 group 1
#### GROUP 2 (out)
block out quick log first on $int1_if all head 30 group 2
block out quick log first on $int2_if all head 35 group 2
block out quick log first on $ext_if all head 40 group 2
## GROUP 10 (in on $int1_if)
#### Anti-spoofing
block in quick log first on $int1_if from $ext_net to any group 10
block in quick log first on $int1_if from $int2_net to any group 10
#### Minimum restrictions for internal interface
pass in quick log first proto tcp/udp from $int1_net to any keep state keep frags group 10
pass in quick log first proto icmp from $int1_net to any keep state keep frags group 10
## GROUP 15 (in on $hiteco_if)
#### Anti-spoofing
block in quick log first on $int2_if from $ext_net to any group 15
block in quick log first on $int2_if from $int1_net to any group 15
#### Minimum restrictions for internal interface
pass in quick log first proto tcp/udp from $int2_net to any keep state keep frags group 15
pass in quick log first proto icmp from $int2_net to any keep state keep frags group 15
## GROUP 20 (in on $ext_if)
#### Anti-spoofing
block in quick log first from $int_pool to any group 20
block in quick log first from $forbidden_net to any group 20
#### Allow icmp packets in for the machine but not the clients for now
pass in quick log first proto icmp from any to $ext_ip keep state keep frags group 20
#pass in quick log first proto icmp from any to $int_pool keep state keep frags group 20
#### SSH access
pass in quick log first proto tcp from $x_net to $int_pool port = 22 flags S keep state keep frags group 20
#### HTTP/HTTPS access
pass in quick log first proto tcp from any to $web_server port = 80 flags S keep state keep frags group 20
pass in quick log first proto tcp from any to $web_server port = 443 flags S keep state keep frags group 20
#### Mail Access
pass in quick log first proto tcp from any to $mail_pool port = 25 flags S keep state keep frags group 20
pass in quick log first proto tcp from any to $smb port = 110 flags S keep state keep frags group 20
pass in quick log first proto tcp from any to $smb port = 143 flags S keep state keep frags group 20
pass in quick log first proto tcp from any to $mail_pool port = 993 flags S keep state keep frags group 20
pass in quick log first proto tcp from any to $mail_pool port = 995 flags S keep state keep frags group 20
#### DNS Access
pass in quick log first proto udp from any to $smb port = 53 keep state keep frags group 20
pass in quick log first proto tcp from $dns_peers to $smb port = 53 flags S keep state keep frags group 20
## GROUP 30 (out on $int1_if)
#### Minimum restrictions for internal interface
pass out quick log first proto tcp/udp from any to $int1_net keep state keep frags group 30
pass out quick log first proto icmp from any to $int1_net keep state keep frags group 30
## GROUP 35 (out on $int2_if)
#### Minimum restrictions for internal interface
pass out quick log first proto tcp/udp from any to $int2_net keep state keep frags group 35
pass out quick log first proto icmp from any to $int2_net keep state keep frags group 35
## GROUP 40 (out on $ext_if)
#### Let clients behind the firewall send out to the Internet and keep state
pass out quick log first proto tcp from $int_pool to any flags S keep state keep frags group 40
pass out quick log first proto udp from $int_pool to any port = 123 keep state keep frags group 40
pass out quick log first proto icmp from $int_pool to any keep state keep frags group 40
#### Let this machine to send out packets as well
pass out quick log first proto tcp from $ext_ip to any flags S keep state keep frags group 40
pass out quick log first proto udp from $ext_ip to any port = 123 keep state keep frags group 40
pass out quick log first proto icmp from $ext_ip to any keep state keep frags group 40
# vi /etc/ipf/ipnat.conf
#### Let's define our interfaces
int_if = "bge0";
ext_if = "bge2";
#### Address MAP section
map $ext_if 10.1.1.6/32 -> 4.5.6.2/32
map $ext_if 10.1.1.17/32 -> 4.5.6.3/32
map $ext_if 10.1.1.22/32 -> 4.5.6.4/32
#### nat rules first match
map $ext_if 10.1.1.0/24 -> 4.5.6.1/32
#### Ports Redirection Section
rdr $ext_if 4.5.6.2/32 port 22 -> 10.1.1.6 port 22 tcp
rdr $ext_if 4.5.6.2/32 port 80 -> 10.1.1.16 port 80 tcp
rdr $ext_if 4.5.6.3/32 port 443 -> 10.1.1.17 port 443 tcp
rdr $ext_if 4.5.6.4/32 port 8980 -> 10.1.1.22 port 8980 tcp
# vi /lib/svc/method/ipfilter
load_ipf() {
# Increase the state table size fr_statesize to 100003 from 5737
# (must be prime number) and fr_statemax from 4013 to 70000
# (should be 0.7 * fr_statesize)
ipf -T fr_statemax=70000
ipf -D -T fr_statesize=100003 -E
# routeadm -e ipv4-forwarding -u
# svcadm enable ipfilter
# ipf -T fr_statemax=70000
# ipf -D -T fr_statesize=100003 -E
# ippool -f /etc/ipf/ippool.conf
# ipf -n -f /etc/ipf/ipf.conf
# ipf -Fa -f /etc/ipf/ipf.conf
# vi /etc/syslog.conf
local0.info	/var/log/ipmon.log
# vi /etc/logadm.conf
/var/log/ipmon.log -C 30 -a 'kill -HUP `cat /var/run/syslog.pid`' -p 1d -s 1b -z 0