1. Enable/disable IPFilter:
# svcs -a | grep ipf
# svcadm enable network/ipfilter
# svcadm disable network/ipfilter
2. Configure IPFilter:
- Sample configurations shipped with the system:
# ls -la /usr/share/ipfilter/examples/*
-rw-r--r-- 1 root bin 1613 Jan 22 2005 /usr/share/ipfilter/examples/BASIC.NAT
-rw-r--r-- 1 root bin 4013 Jan 22 2005 /usr/share/ipfilter/examples/BASIC_1.FW
-rw-r--r-- 1 root bin 2571 Jan 22 2005 /usr/share/ipfilter/examples/BASIC_2.FW
-rw-r--r-- 1 root bin 133 Jan 22 2005 /usr/share/ipfilter/examples/example.1
-rw-r--r-- 1 root bin 431 Jan 22 2005 /usr/share/ipfilter/examples/example.10
-rw-r--r-- 1 root bin 820 Jan 22 2005 /usr/share/ipfilter/examples/example.11
-rw-r--r-- 1 root bin 376 Jan 22 2005 /usr/share/ipfilter/examples/example.12
-rw-r--r-- 1 root bin 468 Jan 22 2005 /usr/share/ipfilter/examples/example.13
-rw-r--r-- 1 root bin 149 Jan 22 2005 /usr/share/ipfilter/examples/example.2
-rw-r--r-- 1 root bin 990 Jan 22 2005 /usr/share/ipfilter/examples/example.3
-rw-r--r-- 1 root bin 66 Jan 22 2005 /usr/share/ipfilter/examples/example.4
-rw-r--r-- 1 root bin 689 Jan 22 2005 /usr/share/ipfilter/examples/example.5
-rw-r--r-- 1 root bin 186 Jan 22 2005 /usr/share/ipfilter/examples/example.6
-rw-r--r-- 1 root bin 362 Jan 22 2005 /usr/share/ipfilter/examples/example.7
-rw-r--r-- 1 root bin 326 Jan 22 2005 /usr/share/ipfilter/examples/example.8
-rw-r--r-- 1 root bin 291 Jan 22 2005 /usr/share/ipfilter/examples/example.9
-rw-r--r-- 1 root bin 2086 Jan 22 2005 /usr/share/ipfilter/examples/example.sr
-rw-r--r-- 1 root bin 1535 Jan 22 2005 /usr/share/ipfilter/examples/firewall
-rw-r--r-- 1 root bin 1269 Jan 22 2005 /usr/share/ipfilter/examples/ftp-proxy
-rw-r--r-- 1 root bin 272 Jan 22 2005 /usr/share/ipfilter/examples/ftppxy
-rw-r--r-- 1 root bin 76 Jan 22 2005 /usr/share/ipfilter/examples/ip_rules
-rwxr-xr-x 1 root bin 2685 Jan 22 2005 /usr/share/ipfilter/examples/mkfilters
-rw-r--r-- 1 root bin 2851 Jan 22 2005 /usr/share/ipfilter/examples/nat-setup
-rw-r--r-- 1 root bin 596 Jan 22 2005 /usr/share/ipfilter/examples/nat.eg
-rw-r--r-- 1 root bin 161 Jan 22 2005 /usr/share/ipfilter/examples/pool.conf
-rw-r--r-- 1 root bin 472 Jan 22 2005 /usr/share/ipfilter/examples/server
-rw-r--r-- 1 root bin 453 Jan 22 2005 /usr/share/ipfilter/examples/tcpstate
# vi /etc/ipf/ipf.conf
Contents of /etc/ipf/ipf.conf (port matches apply to TCP/UDP, so the protocol is given explicitly; IPFilter walks the whole list and the last matching rule wins, so the pass rules must come after the block rules for their direction):
# block all inbound packets.
#
block in log from any to any
#
pass in proto tcp from any to 192.168.86.137 port = 22
pass in proto tcp from 192.168.86.1 to 192.168.86.137 port 20:21
# block all outbound packets.
#
block out log from any to any
#
pass out proto tcp from 192.168.86.137 port = 22 to any
pass out proto tcp from 192.168.86.137 port 20:21 to 192.168.86.1
IP address and port format (the text below is quoted from the OpenBSD PF FAQ cited at the end; ipf.conf uses the same basic address and port operators, but not every PF form, for example PF tables and the urpf-failed keyword, is accepted by IPFilter, so check the ipf.conf man page on the host):
src_addr, dst_addr
The source/destination address in the IP header. Addresses can be specified as:
- A single IPv4 or IPv6 address.
- A CIDR network block.
- A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule.
- The name of a network interface or group. Any IP addresses assigned to the interface will be substituted into the rule.
- The name of a network interface followed by /netmask (i.e., /24). Each IP address on the interface is combined with the netmask to form a CIDR network block which is substituted into the rule.
- The name of a network interface or group in parentheses ( ). This tells PF to update the rule if the IP address(es) on the named interface change. This is useful on an interface that gets its IP address via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes.
- The name of a network interface followed by any one of these modifiers:
  - :network - substitutes the CIDR network block (e.g., 192.168.0.0/24)
  - :broadcast - substitutes the network broadcast address (e.g., 192.168.0.255)
  - :peer - substitutes the peer's IP address on a point-to-point link
  In addition, the :0 modifier can be appended to either an interface name or to any of the above modifiers to indicate that PF should not include aliased IP addresses in the substitution. These modifiers can also be used when the interface is contained in parentheses. Example: fxp0:network:0
- A table.
- The keyword urpf-failed can be used for the source address to indicate that it should be run through the uRPF check.
- Any of the above but negated using the ! ("not") modifier.
- A set of addresses using a list.
- The keyword any meaning all addresses
- The keyword all which is short for from any to any.
src_port, dst_port
The source/destination port in the Layer 4 packet header. Ports can be specified as:
- A number between 1 and 65535
- A valid service name from /etc/services
- A set of ports using a list
- A range:
  - != (not equal)
  - < (less than)
  - > (greater than)
  - <= (less than or equal)
  - >= (greater than or equal)
  - >< (range)
  - <> (inverse range)
  The last two are binary operators (they take two arguments) and do not include the arguments in the range.
  - : (inclusive range)
  The inclusive range operator is also a binary operator and does include the arguments in the range.
From <https://www.openbsd.org/faq/pf/filter.html>
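The endpoint behaviour of the three range operators (>< excludes both endpoints, <> matches outside them, : includes them) is easy to misread when writing a rule. The following is an added example, not part of the original notes or of the PF/IPFilter projects: it evaluates a "port <op> N" or "port A <op> B" expression against a port number, with the function names port_matches and matching_ports being this example's own.

```python
# Added example (not from the original notes): evaluates the port comparison
# operators listed above (=, !=, <, >, <=, >=, ><, <>, :) against a port number.
# The expression syntax mirrors the "port <op> N" / "port A <op> B" forms of
# pf.conf and ipf.conf; the helper names are this example's own.

UNARY_OPS = {
    "=":  lambda port, a: port == a,
    "!=": lambda port, a: port != a,
    "<":  lambda port, a: port < a,
    ">":  lambda port, a: port > a,
    "<=": lambda port, a: port <= a,
    ">=": lambda port, a: port >= a,
}

BINARY_OPS = {
    # a >< b : strictly between a and b, endpoints excluded
    "><": lambda port, a, b: a < port < b,
    # a <> b : below a or above b, endpoints excluded (inverse range)
    "<>": lambda port, a, b: port < a or port > b,
    # a:b   : inclusive range, endpoints included
    ":":  lambda port, a, b: a <= port <= b,
}


def _check_port(n):
    """Ports must lie in 1..65535, as the FAQ text above states."""
    if not 1 <= n <= 65535:
        raise ValueError(f"port {n} out of range 1..65535")
    return n


def port_matches(expr, port):
    """Return True if `port` satisfies the port expression `expr`.

    expr examples: "22" (implicit =), "= 22", "!= 22", "< 1024", ">= 49152",
                   "20 >< 23", "20 <> 23", "20:21".
    """
    tokens = expr.replace(":", " : ").split()   # "20:21" -> ["20", ":", "21"]
    if len(tokens) == 1:                        # bare "22" is shorthand for "= 22"
        tokens = ["=", tokens[0]]
    if len(tokens) == 2:
        op, a = tokens
        if op not in UNARY_OPS:
            raise ValueError(f"unknown unary port operator {op!r}")
        return UNARY_OPS[op](port, _check_port(int(a)))
    if len(tokens) == 3:
        a, op, b = tokens
        if op not in BINARY_OPS:
            raise ValueError(f"unknown range operator {op!r}")
        return BINARY_OPS[op](port, _check_port(int(a)), _check_port(int(b)))
    raise ValueError(f"cannot parse port expression {expr!r}")


def matching_ports(expr, lo=1, hi=65535):
    """List every port in [lo, hi] matched by `expr`; useful for eyeballing a range rule."""
    return [p for p in range(lo, hi + 1) if port_matches(expr, p)]


if __name__ == "__main__":
    # Show the three range forms side by side on a narrow window of ports.
    for e in ("20 >< 23", "20:23", "20 <> 23"):
        print(f"{e:10s} -> {matching_ports(e, 18, 25)}")
```

Run stand-alone, the script prints the ports 18..25 that each range form selects, which makes the difference between "20 >< 23" (21, 22 only) and "20:23" (20 through 23) visible before the rule is loaded.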
3. Enable/disable the filter and load rules:
- Disable the filter:
# ipf -D
- Enable the filter and load the rule file:
# ipf -E
# ipf -f /etc/ipf/ipf.conf
- Check the loaded inbound and outbound rules:
# ipfstat -io
4. Configure logging:
# vi /etc/syslog.conf
### Note: use exactly one tab between the two columns, not spaces and not more than one tab.
local0.debug	/var/log/ipmon.log
# touch /var/log/ipmon.log
# svcadm restart system/system-log
5. Monitor the log:
# tail -100f /var/log/ipmon.log
6. References:
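Because every rule above carries log, /var/log/ipmon.log fills with one record per blocked packet, and tail alone does not show which sources are probing which ports. The following is an added example, not code from the original notes or from IPFilter itself: a small parser for the record layout documented in ipmon(1M) (time, interface, @group:rule, action b/p, src[,sport] -> dst[,dport], PR proto, len, IN/OUT), run over constructed sample lines in the syslog prefix format the configuration above produces; the hostname, addresses and function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Added example (not from the original notes): parse ipmon records written to
# /var/log/ipmon.log via syslog and summarise what the "block ... log" rules hit.
#
# Record layout after the syslog prefix, per ipmon(1M):
#   HH:MM:SS.usec ifname @group:rule action src[,sport] -> dst[,dport] PR proto len hlen plen [details] IN|OUT
# action is 'b' (blocked) or 'p' (passed); other single-letter codes also occur.
IPMON_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+"
    r"(?P<src>[0-9a-fA-F.:]+?)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+?)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<details>.*?))?\s+(?P<dir>IN|OUT)\s*$"
)

# Constructed sample lines (hostname "solbox", documentation address ranges);
# not real log data. Five blocked packets and one passed SSH connection.
SAMPLE_LOG = [
    "Mar  3 10:15:01 solbox ipmon[1234]: 10:15:01.123456 e1000g0 @0:1 b 198.51.100.7,51234 -> 192.168.86.137,23 PR tcp len 20 60 -S IN",
    "Mar  3 10:15:01 solbox ipmon[1234]: 10:15:01.223456 e1000g0 @0:1 b 198.51.100.7,51235 -> 192.168.86.137,25 PR tcp len 20 60 -S IN",
    "Mar  3 10:15:02 solbox ipmon[1234]: 10:15:02.001234 e1000g0 @0:1 b 198.51.100.7,51236 -> 192.168.86.137,23 PR tcp len 20 60 -S IN",
    "Mar  3 10:15:03 solbox ipmon[1234]: 10:15:03.445566 e1000g0 @0:1 b 203.0.113.9 -> 192.168.86.137 PR icmp len 20 84 icmp 8/0 IN",
    "Mar  3 10:15:04 solbox ipmon[1234]: 10:15:04.778899 e1000g0 @0:3 b 192.168.86.137,40000 -> 203.0.113.50,53 PR udp len 20 62 OUT",
    "Mar  3 10:15:05 solbox ipmon[1234]: 10:15:05.000001 e1000g0 @0:2 p 192.168.86.1,55120 -> 192.168.86.137,22 PR tcp len 20 60 -S IN",
]


def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon record, or None if the line does not parse."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def blocked_by_target(lines, direction="IN"):
    """Count blocked packets per (source address, destination port) in one direction.

    dport is None for protocols without ports (e.g. ICMP). Blocked OUT records
    are worth a separate look: they show local processes the policy is stopping.
    """
    counts = Counter()
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is not None and rec["action"] == "b" and rec["dir"] == direction:
            counts[(rec["src"], rec["dport"])] += 1
    return counts


def sources_hitting_many_ports(lines, min_ports=2):
    """Sources whose blocked inbound packets reached at least min_ports distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec and rec["action"] == "b" and rec["dir"] == "IN" and rec["dport"] is not None:
            ports[rec["src"]].add(rec["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for (src, dport), n in blocked_by_target(SAMPLE_LOG).most_common():
        print(f"blocked IN  {src:>15} -> port {dport}: {n}")
    for (src, dport), n in blocked_by_target(SAMPLE_LOG, "OUT").most_common():
        print(f"blocked OUT {src:>15} -> port {dport}: {n}")
    print("multi-port sources:", sources_hitting_many_ports(SAMPLE_LOG))
```

To use it on the real file, replace SAMPLE_LOG with the lines of /var/log/ipmon.log; records that do not match the layout (for example syslog restart markers) are skipped rather than miscounted because parse_ipmon_line returns None for them.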
http://www.nl.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
https://www.openbsd.org/faq/pf/filter.html
https://www.openbsd.org/faq/pf/macros.html#lists