IP Filter Host Based Firewall Using the Firewall Framework Author: Tim Wort




This paper explores configuring the IP Filter SMF service to use the Firewall Framework to build a host based firewall. The IP Filter service can be configured using the firewall framework (called a host based firewall) by using properties set in the IP Filter SMF service and in other individual SMF services to determine the automatically generated filtering rules.

A three-layer approach with different precedence levels is used:

Global Default
    Default system-wide firewall policy. This policy is automatically inherited by all services unless services modify their firewall policy.

Network Services
    Higher precedence than Global Default. A service's policy allows/disallows traffic to its specific ports, regardless of the Global Default policy.

Global Override
    Another system-wide policy that takes precedence over the needs of specific services in the Network Services layer.

The network/ipfilter:default service is responsible for two firewall policies, the Global Default and Global Override system-wide policies; it has two property groups, firewall_config_default and firewall_config_override, to store the respective system-wide policies. A per-service property group, firewall_config, stores the service's firewall policy configuration. Below are the properties, their possible values, and corresponding semantics:

policy
    Defines the per-service, the global and the override policy. Possible values are none, deny, allow, and custom. This property can be set to one of four modes:

    none policy mode
        No access restriction. For a global policy, this mode allows all incoming traffic. For a service policy, this mode allows all incoming traffic to its service. (default)

    deny policy mode
        More restrictive than none. This mode allows incoming traffic from all sources except those specified in the apply_to property.

    allow policy mode
        Most restrictive mode. This mode blocks incoming traffic from all sources except those specified in the apply_to property.

    custom policy mode
        This mode can be used if an existing IP Filter configuration, or a custom configuration that the framework cannot provide, is required. This Global Default only policy mode allows users to supply a text file containing the complete set of IPF rules. When custom mode is selected, the specified set of IPF rules is complete and the framework will not generate IPF rules from configured firewall policies. The rules file location and name are specified by the firewall_config_default/custom_policy_file property.

apply_to
    A multi-value property listing the network entities on which the chosen policy mode is enforced. Entities listed in the apply_to property are denied if the policy is deny and allowed if the policy is allow. The syntax for the possible values is:

        host:       host:ip                 "host:192.168.84.14"
        subnet:     network:ip/netmask      "network:129.168.1.5/24"
        ippool:     pool:pool number        "pool:77"
        interface:  if:interface_name       "if:e1000g0"

exceptions
    A multi-value property listing network entities to be excluded from the apply_to list. For example, when a deny policy is applied to a subnet, exceptions can be made for some hosts in that subnet by specifying them in the exceptions property. This property has the same value syntax as the apply_to property.

open_ports
    For the Global Default only. A non-service program that requires its incoming traffic to be allowed can request that the firewall allow traffic to its communication ports. This multi-value property contains protocol and port(s) tuples in the form:

        "{tcp|udp}:{PORT|PORT-PORT}"

The following examples first set a global firewall policy for the host, then individual services are configured to allow access to the host, and finally the global policy is overridden to block a host.

This listing displays the firewall_config_* default properties and their default values:

    root@anarchy:~# svccfg -s ipfilter:default listprop firewall_config_*
    firewall_config_default
    firewall_config_default/apply_to
    firewall_config_default/custom_policy_file
    firewall_config_default/exceptions
    firewall_config_default/open_ports
    firewall_config_default/value_authorization   solaris.smf.value.firewall.config
    firewall_config_default/policy                none
    firewall_config_default/version               count  0
    firewall_config_override
    firewall_config_override/value_authorization  solaris.smf.value.firewall.config
    firewall_config_override/apply_to
    firewall_config_override/policy               none

The firewall_config_default/policy property defines the global IP Filter policy. First the service is enabled:

    root@anarchy:~# svcadm enable ipfilter:default

The IP Filter service is configured for the allow mode, which blocks all incoming traffic except traffic that is explicitly allowed:

    root@anarchy:~# svccfg -s ipfilter:default
    svc:/network/ipfilter:default> setprop firewall_config_default/policy = allow
    svc:/network/ipfilter:default> refresh
    svc:/network/ipfilter:default> exit

The customizations to the service are examined:

    root@anarchy:~# svccfg -s ipfilter:default listcust
    firewall_config_default/version  count    admin  1
    firewall_config_default/policy            admin  allow
    general/enabled                  boolean  admin  true

Note that in the previous listing the general/enabled property is not a default and is therefore listed as a customization.

When the IP Filter service was refreshed, a filtering rule set was automatically generated and put in place to enforce the new global policy. The first rule allows all outbound traffic and logs it (logging requires configuration; see ipfilter(5) and ipmon(1m)). The quick keyword applies this rule to all matching packets so that no further rules are processed for them, and the keep state keyword causes the connection to be added to a state table, so that all inbound packets belonging to the established connection are passed through the firewall.

The second rule applies the global policy and blocks all packets that did not match the first rule.

Individual SMF network services can be configured to allow or disallow traffic for the particular service; the Network Services configuration has a higher precedence than the global policy and overrides it. The next examples enable telnet access from a single host and ssh access from all hosts on a specified subnet.

The default telnet service configuration inherits the global policy from the IP Filter service. The telnet service's firewall_config properties are listed below along with their default settings:

    root@anarchy:/# svccfg -s telnet listprop firewall_config
    firewall_config
    firewall_config/apply_to
    firewall_config/exceptions
    firewall_config/policy               use_global
    firewall_config/value_authorization  solaris.smf.value.firewall.config

The telnet service is enabled and it is verified that no access to the service is allowed from the remote host chaos-gw (192.168.1.1); the service is then disabled:

    root@anarchy:~# inetadm -e telnet
    root@chaos-gw:~# telnet anarchy
    Trying 192.168.1.189...
    telnet: Unable to connect to remote host: Connection timed out
    root@anarchy:~# inetadm -d telnet

The firewall_config/policy property is set to allow:

    root@anarchy:~# svccfg -s telnet setprop firewall_config/policy = allow

The firewall_config/apply_to property is set to host:192.168.1.1; the apply_to property allows access from this host to the telnet service:

    root@anarchy:~# svccfg -s telnet setprop firewall_config/apply_to = host:192.168.1.1

The service is refreshed:

    root@anarchy:~# svccfg -s telnet refresh

The customizations are listed:

    root@anarchy:~# svccfg -s telnet listcust
    firewall_config/policy    admin  allow
    firewall_config/apply_to  admin  host:192.168.1.1

The service is enabled and the generated rule set is listed:

    root@anarchy:~# inetadm -e telnet

    pass in log quick proto tcp from 192.168.1.1/32 to any port = telnet flags S/FSRPAU
    block in log quick proto tcp from any to any port = telnet flags S/FSRPAU keep state keep frags

Two new rules are added to the rule set. The first new rule,

    pass in log quick proto tcp from 192.168.1.1/32 to any port = telnet flags S/FSRPAU

passes in TCP packets from 192.168.1.1 (chaos-gw). The first packet of a TCP connection has only the SYN flag set, and the S/FSRPAU statement matches packets with only the SYN flag set. The keep frags statement stores fragmented packet information for the connection. The second new rule explicitly blocks all other telnet packets. The new rules are verified by connecting from the chaos-gw host:

    root@chaos-gw:~# telnet anarchy
    Trying 192.168.1.189...
    Connected to anarchy.
    Escape character is '^]'.
    login: tim
    Password:
    Last login: Fri Jul 18 11:37:11 on term/a
    Oracle Corporation      SunOS 5.11      11.1    March 2014
    tim@anarchy:~$

The next example enables the ssh service from all hosts on the 192.168.1.0/24 subnet. The ssh network service is enabled by default. The firewall_config/apply_to property is set to network:192.168.1.0/24 and the refresh command is sent to the service; in this example the editprop svccfg(1m) sub command is used:

    root@anarchy:~# svccfg -s ssh editprop
    ##
    ## Change property values by removing the leading '#' from the
    ## appropriate lines and editing the values. svccfg subcommands
    ## such as delprop can also be added to the script.
    ##
    setprop firewall_config/policy = allow
    setprop firewall_config/apply_to = network:192.168.1.0/24
    setprop firewall_config/exceptions = host:192.168.1.50
    ## Uncomment to apply these changes to all instances of this service.
    refresh
    ~
    ~
    ~
    (:wq!)
    "/tmp/svccfg-kiao_l" 11 lines, 364 characters written

The customization is verified:

    root@anarchy:~# svccfg -s ssh listcust
    firewall_config/apply_to    admin  network:192.168.1.0/24
    firewall_config/policy      admin  allow
    firewall_config/exceptions  admin  host:192.168.1.50

The newly generated rule set is examined:

    block in log quick proto tcp from 192.168.1.50/32 to any port = ssh flags S/FSRPAU
    pass in log quick proto tcp from 192.168.1.0/24 to any port = ssh flags S/FSRPAU
    block in log quick proto tcp from any to any port = ssh flags S/FSRPAU keep state keep frags
    pass in log quick proto tcp from 192.168.1.1/32 to any port = telnet flags S/FSRPAU
    block in log quick proto tcp from any to any port = telnet flags S/FSRPAU keep state keep frags

Three new rules are added. The first blocks traffic from the host with IP address 192.168.1.50 and is a result of the exceptions property. The second rule allows ssh traffic from the 192.168.1.0/24 subnet, and the third rule blocks all other ssh traffic.

On this network there is a wireless gateway that NATs packets from wireless devices to the gateway's IP address, 192.168.1.45. The next example adds an override property to the IP Filter service to block traffic from the gateway 192.168.1.45 from reaching the firewall host. The override properties take precedence over the global policy of the IP Filter service and over the individual network services.

The firewall_config_override/policy property is set to deny, the firewall_config_override/apply_to property is set to host:192.168.1.45, and the service is refreshed:

    root@anarchy:~# svccfg -s ipfilter:default setprop firewall_config_override/apply_to = host:192.168.1.45
    root@anarchy:~# svccfg -s ipfilter:default setprop firewall_config_override/policy = deny
    root@anarchy:~# svccfg -s ipfilter:default refresh

The customizations are verified:

    root@anarchy:~# svccfg -s ipfilter:default listcust
    firewall_config_default/policy              admin  allow
    firewall_config_default/version    count    admin  1
    firewall_config_override/apply_to           admin  host:192.168.1.45
    firewall_config_override/policy             admin  deny
    general/enabled                    boolean  admin  true

The new rule set is examined:

    block in log quick from 192.168.1.45/32 to any
    block in log quick proto tcp from 192.168.1.50/32 to any port = ssh flags S/FSRPAU
    pass in log quick proto tcp from 192.168.1.0/24 to any port = ssh flags S/FSRPAU
    block in log quick proto tcp from any to any port = ssh flags S/FSRPAU keep state keep frags
    pass in log quick proto tcp from 192.168.1.1/32 to any port = telnet flags S/FSRPAU
    block in log quick proto tcp from any to any port = telnet flags S/FSRPAU keep state keep frags

Note the new block rule (second rule entry) that has been added.

When a service is disabled, the rules are regenerated by the IP Filter service. To remove the individual network service customizations and restore the service's defaults, the svccfg(1m) delcust sub command can be used:

    root@anarchy:~# svccfg -s telnet delcust
    Deleting customizations for service: network/telnet
    root@anarchy:~# svccfg -s telnet listcust
    root@anarchy:~# svccfg -s telnet listprop firewall_config
    firewall_config
    firewall_config/value_authorization  solaris.smf.value.firewall.config
    firewall_config/exceptions
    firewall_config/apply_to
    firewall_config/policy               use_global

The default for the telnet service is to be disabled:

    root@anarchy:~# svcs telnet
    STATE          STIME    FMRI
    disabled       13:32:57 svc:/network/telnet:default

The steps are repeated for the ssh network service:

    root@anarchy:~# svccfg -s ssh delcust
    Deleting customizations for service: network/ssh

The default for the ssh service is to be enabled:

    root@anarchy:~# svcs ssh
    STATE          STIME    FMRI
    online         13:06:55 svc:/network/ssh:default
    root@anarchy:~# svccfg -s ssh listprop firewall_config
    firewall_config
    firewall_config/value_authorization  solaris.smf.value.firewall.config
    firewall_config/apply_to
    firewall_config/policy               use_global
    firewall_config/exceptions
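To check the precedence of the generated rules before touching a live system, the following added example (not part of this paper and not the framework's own code) models the translation shown in the listings above: exception block rules first, then apply_to pass rules, then the per-port catch-all, with Global Override deny rules ahead of every service rule. It assumes only the host: and network: entity forms and the allow service policy that the paper's examples use; it calls neither svccfg nor ipf.

```sh
#!/bin/sh
# Added model of the rule generation shown in this paper; it does not call
# svccfg or ipf, it only reproduces the rule text so precedence can be
# checked offline. Only host: and network: entities are handled here.

# Translate an apply_to/exceptions entity into the address form used in
# the generated rules (host:A -> A/32, network:A/M -> A/M).
entity_addr() {
    case "$1" in
        host:*)    printf '%s/32\n' "${1#host:}" ;;
        network:*) printf '%s\n' "${1#network:}" ;;
        *)         printf 'unsupported entity: %s\n' "$1" >&2; return 1 ;;
    esac
}

# gen_service_rules POLICY PORT "APPLY_TO ..." "EXCEPTIONS ..."
# Models firewall_config for one service with policy allow: exception
# block rules come first (quick = first match wins), then apply_to pass
# rules, then the catch-all block for the service port.
gen_service_rules() {
    policy=$1; port=$2; apply_to=$3; exceptions=$4
    flg='flags S/FSRPAU'
    if [ "$policy" != allow ]; then
        printf 'only the allow service policy is modelled\n' >&2
        return 1
    fi
    for e in $exceptions; do
        addr=$(entity_addr "$e") || return 1
        printf 'block in log quick proto tcp from %s to any port = %s %s\n' \
            "$addr" "$port" "$flg"
    done
    for e in $apply_to; do
        addr=$(entity_addr "$e") || return 1
        printf 'pass in log quick proto tcp from %s to any port = %s %s\n' \
            "$addr" "$port" "$flg"
    done
    printf 'block in log quick proto tcp from any to any port = %s %s keep state keep frags\n' \
        "$port" "$flg"
}

# gen_override_rules "APPLY_TO ...": firewall_config_override with policy
# deny. These rules are emitted ahead of every service rule, which is how
# the override wins regardless of what the services allow.
gen_override_rules() {
    for e in $1; do
        addr=$(entity_addr "$e") || return 1
        printf 'block in log quick from %s to any\n' "$addr"
    done
}

# Rebuild the paper's combined rule set (override, ssh, telnet).
if [ "${1:-}" = demo ]; then
    gen_override_rules "host:192.168.1.45"
    gen_service_rules allow ssh "network:192.168.1.0/24" "host:192.168.1.50"
    gen_service_rules allow telnet "host:192.168.1.1" ""
fi
```

Run with the argument demo to print the same six rules the listing above shows; unsupported entity forms and policies are rejected rather than silently dropped.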

The svccfg(1m) delcust sub command is used to clear the IP Filter service as well:

    root@anarchy:~# svccfg -s ipfilter:default delcust
    Deleting customizations for instance: default
    root@anarchy:~# svcs ipfilter:default
    STATE          STIME    FMRI
    disabled       13:39:07 svc:/network/ipfilter:default
    empty list for ipfilter(out)
    empty list for ipfilter(in)

In the last example a service that does not contain the firewall_config property group is configured to use the firewall framework. The network service svc:/application/x11/xvnc-inetd:default does not have a firewall_config property group, as shown by the first svccfg(1m) listprop sub command. The svccfg command is used to add the property group and define the properties:

    root@anarchy:~# svccfg -s xvnc-inetd:default
    svc:/application/x11/xvnc-inetd:default> listprop firewall_config
    svc:/application/x11/xvnc-inetd:default> addpg firewall_config application
    svc:/application/x11/xvnc-inetd:default> setprop firewall_config/value_authorization = astring: solaris.smf.value.firewall.config
    svc:/application/x11/xvnc-inetd:default> setprop firewall_config/policy = astring: allow
    svc:/application/x11/xvnc-inetd:default> setprop firewall_config/apply_to = astring: network:192.168.1.0/24
    svc:/application/x11/xvnc-inetd:default> listcust
    general/enabled                      boolean  admin  true
    inetd_start                          method   admin
    inetd_start/exec                              admin  "/usr/bin/xvnc -geometry 1280x720 -inetd -query localhost -once securitytypes=none"
    firewall_config                               admin
    firewall_config/value_authorization           admin  solaris.smf.value.firewall.config
    firewall_config/policy                        admin  allow
    firewall_config/apply_to                      admin  network:192.168.1.0/24
    svc:/application/x11/xvnc-inetd:default> refresh
    svc:/application/x11/xvnc-inetd:default> exit

The service must be restarted to read the new property group:

    root@anarchy:~# svcadm restart svc:/application/x11/xvnc-inetd:default

The updated rules are displayed:

    pass in log quick proto tcp from 192.168.1.0/24 to any port = vnc-server flags S/FSRPAU
    block in log quick proto tcp from any to any port = vnc-server flags S/FSRPAU keep state keep frags
    block in log quick proto tcp from 192.168.1.50/32 to any port = ssh flags S/FSRPAU
    pass in log quick proto tcp from 192.168.1.0/24 to any port = ssh flags S/FSRPAU
    block in log quick proto tcp from any to any port = ssh flags S/FSRPAU keep state keep frags

(Note: In this example the telnet service was not configured, nor was the firewall_config_override property set.)