Previous
Example 26-26 Solaris IP Filter Router Configuration
This example shows a configuration for a router that has an internal interface, ce0, and an external interface, ce1.
# internal interface is ce0 at 192.168.1.1 # external interface is ce1 IP obtained via DHCP # block all packets and allow specific services *** NAT *** *** POOLS *** # Short packets which are fragmented too short to be real. block in log quick all with short # By default, block and log everything. block in log on ce0 all block in log on ce1 all block out log on ce0 all block out log on ce1 all # Packets going in/out of network interfaces that aren't on the loopback # interface should not exist. block in log quick on ce0 from 127.0.0.0/8 to any block in log quick on ce0 from any to 127.0.0.0/8 block in log quick on ce1 from 127.0.0.0/8 to any block in log quick on ce1 from any to 127.0.0.0/8 # Deny reserved addresses. block in quick on ce1 from 10.0.0.0/8 to any block in quick on ce1 from 172.16.0.0/12 to any block in log quick on ce1 from 192.168.1.0/24 to any block in quick on ce1 from 192.168.0.0/16 to any # Allow internal traffic pass in quick on ce0 from 192.168.1.0/24 to 192.168.1.0/24 pass out quick on ce0 from 192.168.1.0/24 to 192.168.1.0/24 # Allow outgoing DNS requests from our servers on .1, .2, and .3 pass out quick on ce1 proto tcp/udp from ce1/32 to any port = domain keep state pass in quick on ce0 proto tcp/udp from 192.168.1.2 to any port = domain keep state pass in quick on ce0 proto tcp/udp from 192.168.1.3 to any port = domain keep state # Allow NTP from any internal hosts to any external NTP server. pass in quick on ce0 proto udp from 192.168.1.0/24 to any port = 123 keep state pass out quick on ce1 proto udp from any to any port = 123 keep state # Allow incoming mail pass in quick on ce1 proto tcp from any to ce1/32 port = smtp keep state pass in quick on ce1 proto tcp from any to ce1/32 port = smtp keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = smtp keep state # Allow outgoing connections: SSH, WWW, NNTP, mail, whois pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = 22 keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = 22 keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = 80 keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = 80 keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = 443 keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = 443 keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = nntp keep state block in quick on ce1 proto tcp from any to any port = nntp keep state pass out quick on ce1 proto tcp from 192.168.1.0/24 to any port = nntp keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = smtp keep state pass in quick on ce0 proto tcp from 192.168.1.0/24 to any port = whois keep state pass out quick on ce1 proto tcp from any to any port = whois keep state # Allow ssh from offsite pass in quick on ce1 proto tcp from any to ce1/32 port = 22 keep state # Allow ping out pass in quick on ce0 proto icmp all keep state pass out quick on ce1 proto icmp all keep state # allow auth out pass out quick on ce1 proto tcp from ce1/32 to any port = 113 keep state pass out quick on ce1 proto tcp from ce1/32 port = 113 to any keep state # return rst for incoming auth block return-rst in quick on ce1 proto tcp from any to any port = 113 flags S/SA # log and return reset for any TCP packets with S/SA block return-rst in log on ce1 proto tcp from any to any flags S/SA # return ICMP error packets for invalid UDP packets block return-icmp(net-unr) in proto udp all |