Category: Firewall

Jun 13

Firewalld Rich Rule

To add a so-called rich rule to firewalld I did the following.

Check the existing rules after a recent upgrade to Fedora 22. 55555/tcp is a custom application port, not a Fedora default.

# firewall-cmd --get-default-zone
FedoraServer

# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default)
  interfaces:
  sources:
  services: cockpit dhcpv6-client http smtp ssh
  ports: 55555/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Let's remove some rules.

# firewall-cmd --permanent --zone=FedoraServer --remove-port=55555/tcp
success
# firewall-cmd --permanent --zone=FedoraServer --remove-service=cockpit
success
# firewall-cmd --permanent --zone=FedoraServer --remove-service=dhcpv6-client
success

Add the custom rule (runtime only, not permanent). Wrap the rule in single quotes so the double quotes inside it reach firewalld intact.
** Note: x.x.x.x is a placeholder for a real public IP. Most likely you won't need a public IP but a non-routable Class C or B address on your internal network.

# firewall-cmd --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="x.x.x.x/32" port protocol="tcp" port="55555" accept'
success

Or, if you need it permanently added, remember to use --permanent.

Restart the firewall to reload the permanent configuration (runtime-only changes do not survive a restart).

# systemctl restart firewalld.service
# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default)
  interfaces:
  sources:
  services: http smtp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="x.x.x.x/32" port port="55555" protocol="tcp" accept
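The same change as a small script, added here as an example (not from the original post): it builds the rich rule text so the quoting is right, applies it both runtime and permanent, and checks that the port is no longer open to any source. ZONE and PORT are the post's values; 10.0.0.5/32 is a constructed sample source.

```shell
#!/bin/sh
# Added example (not from the original post): replace a world-open custom port with a
# rich rule limited to one source, apply it runtime and permanent, and verify it.
# ZONE and PORT are the post's values; 10.0.0.5/32 is a constructed sample source.
ZONE=FedoraServer
PORT=55555

# Build the rich rule text. On the command line, single outer quotes keep the inner
# double quotes intact; building the string here avoids the nested-quote pitfall.
rich_rule() {   # $1=source CIDR  $2=port  $3=protocol
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' \
    "$1" "$2" "$3"
}

# Apply runtime (takes effect now, lost on restart) and permanent (survives restart,
# effective only after --reload or a restart), so both states agree.
restrict_port() {   # $1=source CIDR
  rule=$(rich_rule "$1" "$PORT" tcp)
  for mode in "" --permanent; do
    firewall-cmd $mode --zone="$ZONE" --remove-port="$PORT/tcp" >/dev/null 2>&1 || true
    firewall-cmd $mode --zone="$ZONE" --add-rich-rule="$rule" || return 1
  done
}

# Verify: --query-port must fail (port no longer open to any source) and
# --query-rich-rule must succeed (the restricted rule is active).
verify_restriction() {   # $1=source CIDR
  rule=$(rich_rule "$1" "$PORT" tcp)
  if firewall-cmd --zone="$ZONE" --query-port="$PORT/tcp" >/dev/null 2>&1; then
    echo "port $PORT/tcp is still open to any source" >&2
    return 1
  fi
  firewall-cmd --zone="$ZONE" --query-rich-rule="$rule" >/dev/null 2>&1 || {
    echo "rich rule is not active" >&2
    return 1
  }
  echo "port $PORT/tcp accepts connections only from $1"
}

# Usage on a real host: restrict_port 10.0.0.5/32 && verify_restriction 10.0.0.5/32
```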


Sep 19

Solaris Ipfilter Pools

I wasn't aware before that ipfilter (ipf) has a concept of pools, i.e. named lists of IP addresses and networks.

I previously wrote a basic article on enabling ipf in Solaris; what follows is a little on pools.

** Note: this was a Solaris 10 LDOM, so the NIC was vnet0. Check your own NIC name; it is most likely net0 in Solaris 11.

Set up the pools you need as follows.

# pwd
/etc/ipf
# cat ippool.conf
### Pool 13 some essential static addresses
table role = ipf type = tree number = 13
{ 10.1.11.34/32, 10.2.10.6/32 };
### Pool 14 some temporary IP's
table role = ipf type = tree number = 14
{ 192.168.8.0/24, 10.200.97.82/32 };

Use the pools in your ipf.conf.

# cat ipf.conf
[...]
pass in quick on lo0 all
pass out quick on lo0 all

### Block all inbound and outbound traffic by default
block in log on vnet0 all head 100
block out log on vnet0 all head 150

### Allow inbound SSH connections
pass in quick on vnet0 proto tcp from any to 10.1.11.87 port = 22 keep state group 100

### Use /etc/ipf/ippool.conf for pools
pass in on vnet0 from pool/13 group 100
pass in on vnet0 from pool/14 group 100

### Allow my box to utilize all UDP, TCP and ICMP services
pass out quick all

Of course, flush and reload from the file.

# ipf -Fa -f /etc/ipf/ipf.conf

Check the running set.

# ipfstat -io
pass out quick on lo0 all
block out log on vnet0 all head 150
pass out quick all
# Group 150
pass in quick on lo0 all
block in log on vnet0 all head 100
# Group 100
pass in quick on vnet0 proto tcp from any to 10.1.11.87/32 port = ssh keep state group 100
pass in on vnet0 from pool/13 to any group 100
pass in on vnet0 from pool/14 to any group 100

Note that after updating the ippools you might need to reload them as well.

# ippool -F; ippool -f /etc/ipf/ippool.conf

For me that did not always work, so I also did the following.

# svcadm disable ipfilter
# svcadm refresh ipfilter
# svcadm enable ipfilter

Listing the pools will save you a lot of time troubleshooting rules that are actually correct.

# ippool -l
table role = ipf type = tree number = 14
        { 192.168.8.0/24; 10.200.97.82/32; };
table role = ipf type = tree number = 13
        { 10.1.11.34/32; 10.2.10.6/32 };
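Added example (not from the original post) to go with the pool setup and the reload steps above: it cross-checks that every pool/N used in ipf.conf is actually defined in ippool.conf, then reloads pools before the rules that reference them. The sample configs it writes are constructed to mirror the post, with pool 14 deliberately left undefined.

```shell
#!/bin/sh
# Added example (not from the original post): check that every pool/N referenced by
# ipf.conf is defined in ippool.conf before reloading, and reload in an order that does
# not trip over pools still referenced by loaded rules. File paths are the post's.

# Pool numbers defined in an ippool.conf ("... number = 13" -> 13), sorted, unique.
defined_pools() {
  sed -n 's/.*number *= *\([0-9][0-9]*\).*/\1/p' "$1" | sort -un
}

# Pool numbers referenced from rules in an ipf.conf ("pool/13" -> 13), sorted, unique.
referenced_pools() {
  awk '{ while (match($0, /pool\/[0-9]+/)) {
           print substr($0, RSTART + 5, RLENGTH - 5); $0 = substr($0, RSTART + RLENGTH) } }' "$1" \
    | sort -un
}

# Print referenced pool numbers with no definition (empty output means all is well).
missing_pools() {   # $1=ipf.conf  $2=ippool.conf
  for n in $(referenced_pools "$1"); do
    defined_pools "$2" | grep -qx "$n" || echo "$n"
  done
}

# Reload: rules are flushed first, because ippool -F will not remove a pool that loaded
# rules still reference; then pools, then the rules that refer to them. The rules are
# briefly absent between the two loads, so run this from the console, not over a filtered path.
reload_ipf() {   # $1=ipf.conf  $2=ippool.conf
  missing=$(missing_pools "$1" "$2")
  [ -z "$missing" ] || { echo "referenced but undefined pools: $missing" >&2; return 1; }
  ipf -n -f "$1" || return 1              # dry run: parse the rules, change nothing
  ipf -Fa && ippool -F && ippool -f "$2" && ipf -f "$1" || return 1
  ippool -l && ipfstat -io                # show what is actually loaded
}

# Constructed sample configs mirroring the post: pool 14 is referenced but never defined.
write_sample_configs() {   # $1=directory
  printf 'table role = ipf type = tree number = 13\n{ 10.1.11.34/32, 10.2.10.6/32 };\n' > "$1/ippool.conf"
  printf 'pass in on vnet0 from pool/13 group 100\npass in on vnet0 from pool/14 group 100\n' > "$1/ipf.conf"
}

# Demonstration on the constructed samples (pure text checks; no ipf/ippool calls):
DEMO=$(mktemp -d)
write_sample_configs "$DEMO"
missing_pools "$DEMO/ipf.conf" "$DEMO/ippool.conf"    # prints: 14
rm -rf "$DEMO"
```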

As always with firewalls: test, test, test.


Sep 23

Solaris 11 Firewall

While trying to clone a production stack for development I got a little paranoid and added some firewall rules to avoid accidental communication between the stacks. My main concern was the poorly documented cloning process, as well as the poor use of VLANs in the client's environment. Below is a quick and dirty way to add some IPF rules to Solaris 11.

Check current rules:

# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

Enable a custom policy:

# svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
# svccfg -s ipfilter:default listprop firewall_config_default/policy
firewall_config_default/policy astring     custom

Custom policy file:

# svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"
# svccfg -s ipfilter:default listprop firewall_config_default/custom_policy_file
firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf

Run the firewall service:

# svcadm refresh ipfilter:default
# svcs -a | grep ipfilter
disabled Sep_20 svc:/network/ipfilter:default

# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: disabled since September 20, 2013 12:21:20 PM PDT
Reason: Disabled by an administrator.
 See: http://support.oracle.com/msg/SMF-8000-05
 See: man -M /usr/share/man -s 5 ipfilter
Impact: This service is not running.

# svcadm enable svc:/network/ipfilter:default

# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: online since September 23, 2013 05:46:51 AM PDT
 See: man -M /usr/share/man -s 5 ipfilter
 See: /var/svc/log/network-ipfilter:default.log
Impact: None.

Some commands to check with:

# ipfstat | grep blocked
 input packets: blocked 0 passed 176 nomatch 176 counted 0 short 0
output packets: blocked 0 passed 161 nomatch 161 counted 0 short 0
 input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0

# ipfstat -io | head
empty list for ipfilter(out)
empty list for ipfilter(in)

Try adding a rule:

# echo "block in on ipmp1 proto tcp from 10.200.0.0/32 to any" | ipf -f -

# ipfstat -io
empty list for ipfilter(out)
block in on ipmp1 proto tcp from 10.200.0.0/32 to any

OK, that did nothing: a /32 mask matches only the single address 10.200.0.0. Let's try a wider mask.

# echo "block in on ipmp1 proto tcp from 10.200.0.0/16 to any" | ipf -f -
# Timeout, server usli-dsdb-ag11.dev.asg.ad not responding.

Hmm, that worked. I locked myself out. Nice.

Get in through the LDOM console and flush the rules:

# ipf -F a
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)
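An added example, not from the original post, for the lock-out above: it loads a rule set into ipf's inactive set, swaps it in, and swaps the previous rules back automatically unless the change is confirmed within a timeout. The file path and timeout in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): load a rule set with a rollback timer, so a
# rule that cuts off the remote session (like the /16 block above) undoes itself.
# Uses ipf's inactive rule set: -I loads into it, -s swaps active and inactive.

# Load new rules into the inactive set, swap them in, and start a guard that swaps the
# previous rules back after $2 seconds unless confirm_rules is run first.
safe_swap() {   # $1=rules file  $2=seconds allowed for confirmation
  ipf -I -Fa -f "$1" || return 1       # flush the inactive set and load the new rules there
  ipf -s || return 1                    # new rules now active; old rules kept as the inactive set
  ( trap '' HUP                         # survive the session hang-up that a bad rule causes
    sleep "$2"
    ipf -s && echo "no confirmation within $2 s: previous rules restored" >&2 ) &
  GUARD=$!
  echo "new rules active; run confirm_rules within $2 s if you can still reach the host"
}

# Cancel the rollback once you have verified access from a second session.
confirm_rules() {
  kill "$GUARD" 2>/dev/null && echo "rules confirmed, rollback cancelled"
}

# Usage on a real host (assumed path and timeout), e.g. from a second SSH session:
#   safe_swap /etc/ipf/ipf.conf 60; ...test from another session...; confirm_rules
```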

Trying a more realistic rule:

# echo "block in quick from 10.200.53.110/31 to any" | ipf -f -
# ipfstat -io
block in quick from 10.200.43.70/31 to any

Yep, that worked, as my ping failed:

# ping 10.200.53.110

Persistence:

# ipf -f /etc/ipf/ipf.conf

# tail /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.

I thought ipf -f would add the rule to the file, but it did not: ipf -f only loads rules from a file into the running filter and never writes to it. So I added the rules to the file manually, and that worked after a reboot.

# tail -2 /etc/ipf/ipf.conf
block in quick from 10.200.43.70/31 to any
block in quick from 10.200.53.110/31 to any

References:
http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html
http://docs.oracle.com/cd/E19253-01/816-4554/ezecx/index.html
http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html#scrolltoc
