32. OpenSolaris IP Filter pg 32
firewall_config_default/open_ports
Opens arbitrary ports regardless of the policy.
List the ports to open in firewall_config_default/open_ports (multiple values allowed).
Example: open the DHCP client port (udp/68) and ssh (tcp/22)
# svccfg -s ipfilter:default addpropvalue firewall_config_default/open_ports tcp:22
# svccfg -s ipfilter:default addpropvalue firewall_config_default/open_ports udp:68
# svccfg -s ipfilter:default listprop firewall_config_default/open_ports
firewall_config_default/open_ports astring "" "tcp:22" "udp:68" "udp:546"
# svcadm refresh ipfilter
Generated rules:
pass in log quick proto tcp from any to any port = 22
pass in log quick proto udp from any to any port = 68
pass out log quick all keep state
block in log all
Slide 33
svc://network/ipfilter:default
firewall_config_default/exceptions
Slide 34
firewall_config_default/exceptions
Exceptions whose effect depends on the policy.
List the elements to exempt in firewall_config_default/exceptions; the values take the same form as apply_to (multiple values allowed).
With policy = deny, pass packets from the 192.168.7.0/24 network and from the host 192.168.99.100:
# svccfg -s ipfilter:default setprop firewall_config_default/policy = deny
# svccfg -s ipfilter:default addpropvalue firewall_config_default/exceptions "network:192.168.7.0/24"
# svccfg -s ipfilter:default addpropvalue firewall_config_default/exceptions "host:192.168.99.100"
# svcadm refresh ipfilter
Generated rules:
pass in log quick from 192.168.99.100 to any
pass in log quick from 192.168.7.0/24 to any
pass out log quick all keep state
With policy = allow, the entries registered in exceptions become block rules instead.
I'm not sure where that would be useful, though...
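As an added illustration (shell written for this page, not the slides' own material and not the SMF ipfilter method script), the following reproduces the rule text of slides 32 and 34 from the three property values. It handles only policy = allow and policy = deny; that allow turns exceptions into block rules with no closing block-all is an assumption taken from the remark above, and the rules come out in the order the values are given. check_order is a small sanity check that no quick pass rule ends up below the final block, where it could never match.

```shell
#!/bin/sh
# Added illustration: derive the IP Filter rules that slides 32 and 34 show
# from firewall_config_default/policy, /exceptions and /open_ports.
# This is NOT the SMF ipfilter method; it only mirrors the visible output.

# An exceptions/apply_to value looks like "host:192.168.99.100" or
# "network:192.168.7.0/24"; IP Filter itself only wants the address part.
addr_of() {
    printf '%s\n' "$1" | sed 's/^[a-z]*://'
}

# gen_global_rules POLICY "EXCEPTIONS..." "OPEN_PORTS..."
#   POLICY      allow | deny   (none is not modelled here)
#   EXCEPTIONS  space-separated exceptions values (may be empty)
#   OPEN_PORTS  space-separated proto:port values, e.g. "tcp:22 udp:68"
gen_global_rules() {
    policy=$1 exceptions=$2 open_ports=$3
    case $policy in
        deny)  ex_action=pass ;;     # slide 34: exceptions are let through
        allow) ex_action=block ;;    # slide 34: exceptions are blocked instead
        *)     echo "unsupported policy: $policy" >&2; return 1 ;;
    esac
    for e in $exceptions; do
        printf '%s in log quick from %s to any\n' "$ex_action" "$(addr_of "$e")"
    done
    # open_ports are opened regardless of policy (slide 32)
    for p in $open_ports; do
        proto=${p%%:*} port=${p#*:}
        printf 'pass in log quick proto %s from any to any port = %s\n' "$proto" "$port"
    done
    printf 'pass out log quick all keep state\n'
    # Only a deny policy ends in a catch-all block; under allow nothing further
    # is emitted (assumption: the slides show no allow ruleset).
    [ "$policy" = deny ] && printf 'block in log all\n'
    return 0
}

# Sanity check for a ruleset on stdin: a "quick" pass placed after the final
# "block in log all" can never match.  Prints "ok" or the unreachable line(s).
check_order() {
    awk '
        seen_block && /^pass in/ { print "unreachable: " $0; bad = 1 }
        /^block in log all$/    { seen_block = 1 }
        END { if (!bad) print "ok" }'
}

# Usage: slide 34 (deny + two exceptions) combined with slide 32's open_ports.
gen_global_rules deny "network:192.168.7.0/24 host:192.168.99.100" "tcp:22 udp:68"
gen_global_rules deny "network:192.168.7.0/24 host:192.168.99.100" "tcp:22 udp:68" | check_order
```

The generator is only as good as the slides it mirrors: in particular the listprop output on slide 32 also shows udp:546 while the generated rules there show only port 68, and this script does not try to explain that.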
Slide 41
Each service's svc://FMRI
The "firewall_config" property group (NEW!)
Holds the same settings as the global default policy configured on svc://network/ipfilter:default:
policy
Sets the packet-filtering policy: "allow", "deny" or "none"
apply_to
Sets the elements the condition applies to: host, network, ippool, interface
How the condition is applied depends on the policy setting
The only difference is that a service's firewall_config takes precedence over the global default policy.
Slide 42
firewall_config/policy
With firewall_config_default/policy = allow, pass ssh packets only from a specific network:
# svccfg -s network/ipfilter:default setprop firewall_config_default/policy = allow
# svccfg -s ssh setprop firewall_config/policy = allow
# svccfg -s ssh setprop firewall_config/apply_to = network:192.168.99.0/24
# svcadm refresh ssh
# svcadm refresh ipfilter
From the 192.168.99.0/24 network only ssh is passed; ssh from any other source hits the block rule that follows it.
The following rules are generated (both are "quick", so the pass for the network has to precede the block from any):
[/usr/tmp/svc_network_ssh_default.ipf]
pass in log quick proto tcp from 192.168.99.0/24 to any port = 22 flags S keep state keep frags
block in log quick proto tcp from any to any port = 22 flags S keep state keep frags
[/usr/tmp/ipf.conf]
pass out log quick all keep state
block in log all
Slide 49
Checking the filtering rules
Show the current input filtering rules (ipfstat -i):
# ipfstat -i
pass in log quick proto tcp from 192.168.99.254/32 to any port = ftp flags S/FSRPAU keep state keep frags
block in log quick proto tcp from any to any port = ftp flags S/FSRPAU keep state keep frags
pass in log quick proto tcp from 192.168.99.254/32 to any port = ftp-data flags S/FSRPAU keep state keep frags
block in log quick proto tcp from any to any port = ftp-data flags S/FSRPAU keep state keep frags
pass in log quick proto icmp from any to any icmp-type routersol
pass in log quick proto icmp from any to any icmp-type routerad
pass in log quick proto tcp from any to any port = ssh
pass in log quick proto udp from any to any port = bootpc
pass in log quick proto udp from any to any port = dhcpv6-client
block in log all
Show the current incoming rules with rule numbers (ipfstat -ni):
# ipfstat -ni
@1 pass in log quick proto tcp from 192.168.99.254/32 to any port = ftp flags S/FSRPAU keep state keep frags
@2 block in log quick proto tcp from any to any port = ftp flags S/FSRPAU keep state keep frags
@3 pass in log quick proto tcp from 192.168.99.254/32 to any port = ftp-data flags S/FSRPAU keep state keep frags
@4 block in log quick proto tcp from any to any port = ftp-data flags S/FSRPAU keep state keep frags
@5 pass in log quick proto icmp from any to any icmp-type routersol
@6 pass in log quick proto icmp from any to any icmp-type routerad
@7 pass in log quick proto tcp from any to any port = ssh
@8 pass in log quick proto udp from any to any port = bootpc
@9 pass in log quick proto udp from any to any port = dhcpv6-client
@10 block in log all
Show the current outgoing rules with rule numbers (ipfstat -no):
# ipfstat -no
@1 pass out log quick all keep state
Slide 50
Displaying the log with ipmon
Shows the log in real time.
The "p" or "b" after the @group:rule field tells you the action:
p = pass
b = block
# ipmon
06/07/2009 17:54:28.584603 zonevnic100 @0:5 b 192.168.99.254,41792 -> 192.168.99.100,21 PR tcp len 20 52 -S IN NAT
06/07/2009 17:54:38.734900 zonevnic100 @0:5 b 192.168.99.254,41792 -> 192.168.99.100,21 PR tcp len 20 52 -S IN NAT
06/07/2009 17:56:48.699310 zonevnic100 @0:5 b 192.168.99.254 -> 192.168.99.100 PR icmp len 20 84 icmp echo/0 IN
06/07/2009 17:56:49.694910 zonevnic100 @0:5 b 192.168.99.254 -> 192.168.99.100 PR icmp len 20 84 icmp echo/0 IN
06/07/2009 17:56:50.694942 zonevnic100 @0:5 b 192.168.99.254 -> 192.168.99.100 PR icmp len 20 84 icmp echo/0 IN
06/07/2009 17:56:51.694922 zonevnic100 @0:5 b 192.168.99.254 -> 192.168.99.100 PR icmp len 20 84 icmp echo/0 IN
06/07/2009 17:57:34.554894 zonevnic100 @0:1 p 192.168.99.254,35076 -> 192.168.99.100,22 PR tcp len 20 40 -A K-S K-F IN
06/07/2009 17:57:37.561499 zonevnic100 @0:1 p 192.168.99.254,35076 -> 192.168.99.100,22 PR tcp len 20 120 -AP K-S K-F IN
06/07/2009 17:57:37.584836 zonevnic100 @0:1 p 192.168.99.100,22 -> 192.168.99.254,35076 PR tcp len 20 136 -AP K-S K-F OUT
06/07/2009 17:57:37.584972 zonevnic100 @0:1 p 192.168.99.254,35076 -> 192.168.99.100,22 PR tcp len 20 136 -AP K-S K-F IN
06/07/2009 17:57:37.586107 zonevnic100 @0:1 p 192.168.99.100,22 -> 192.168.99.254,35076 PR tcp len 20 104 -AP K-S K-F OUT
06/07/2009 17:57:37.654883 zonevnic100 @0:1 p 192.168.99.254,35076 -> 192.168.99.100,22 PR tcp len 20 40 -A K-S K-F IN
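As an added example (not from the slides), here is how you would turn that ipmon stream into something actionable with plain shell and awk. The sample is the twelve lines above, embedded so the script runs offline; the parsing relies only on ipmon's fixed leading fields (interface, @group:rule, action, source, destination, protocol) and ignores the variable tail of each line.

```shell
#!/bin/sh
# Added illustration: summarise ipmon output the way you would when triaging
# what the firewall is dropping.  Not from the slides; IPMON_SAMPLE is the
# ipmon output shown above, embedded here so the script runs offline.
IPMON_SAMPLE='06/07/2009 17:54:28.584603 zonevnic100 @0:5 b 192.168.99.254,41792 -> 192.168.99.100,21 PR tcp len 20 52 -S IN NAT
06/07/2009 17:54:38.734900 zonevnic100 @0:5 b 192.168.99.254,41792 -> 192.168.99.100,21 PR tcp len 20 52 -S IN NAT
06/07/2009 17:56:48.699310 zonevnic100 @0:5 b 192.168.99.254 -> 192.168.99.100 PR icmp len 20 84 icmp echo/0 IN
06/07/2009 17:56:49.694910 zonevnic100 @0:5 b 192.168.99.254 -> 192.168.99.100 PR icmp len 20 84 icmp echo/0 IN
06/07/2009 17:56:50.694942 zonevnic100 @0:5 b 192.168.99.254 -> 192.168.99.100 PR icmp len 20 84 icmp echo/0 IN
06/07/2009 17:56:51.694922 zonevnic100 @0:5 b 192.168.99.254 -> 192.168.99.100 PR icmp len 20 84 icmp echo/0 IN
06/07/2009 17:57:34.554894 zonevnic100 @0:1 p 192.168.99.254,35076 -> 192.168.99.100,22 PR tcp len 20 40 -A K-S K-F IN
06/07/2009 17:57:37.561499 zonevnic100 @0:1 p 192.168.99.254,35076 -> 192.168.99.100,22 PR tcp len 20 120 -AP K-S K-F IN
06/07/2009 17:57:37.584836 zonevnic100 @0:1 p 192.168.99.100,22 -> 192.168.99.254,35076 PR tcp len 20 136 -AP K-S K-F OUT
06/07/2009 17:57:37.584972 zonevnic100 @0:1 p 192.168.99.254,35076 -> 192.168.99.100,22 PR tcp len 20 136 -AP K-S K-F IN
06/07/2009 17:57:37.586107 zonevnic100 @0:1 p 192.168.99.100,22 -> 192.168.99.254,35076 PR tcp len 20 104 -AP K-S K-F OUT
06/07/2009 17:57:37.654883 zonevnic100 @0:1 p 192.168.99.254,35076 -> 192.168.99.100,22 PR tcp len 20 40 -A K-S K-F IN'

# ipmon field layout used below (space separated):
#   $3 interface  $4 @group:rule  $5 action (p/b)  $6 src[,port]  $8 dst[,port]  $10 protocol

# ipmon_count p|b : number of entries with that action
ipmon_count() {
    printf '%s\n' "$IPMON_SAMPLE" | awk -v act="$1" '$5 == act { n++ } END { print n + 0 }'
}

# ipmon_rule_hits : how often each @group:rule fired, with its action
ipmon_rule_hits() {
    printf '%s\n' "$IPMON_SAMPLE" | awk '{ n[$4 " " $5]++ } END { for (k in n) print k, n[k] }' | sort
}

# ipmon_blocked_summary : blocked traffic grouped as "src -> dst[:port] proto",
# most frequent first.  Ports are split off with the comma ipmon uses.
ipmon_blocked_summary() {
    printf '%s\n' "$IPMON_SAMPLE" | awk '$5 == "b" {
            split($6, s, ","); split($8, d, ",")
            key = s[1] " -> " d[1] (d[2] != "" ? ":" d[2] : "") " " $10
            n[key]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Usage
ipmon_count b
ipmon_rule_hits
ipmon_blocked_summary
```

The @0:5 / @0:1 values are group 0, rule 5 and rule 1; to see which rule text that is, compare against ipfstat -ni output taken from the same loaded ruleset, since the numbering changes every time the rules are regenerated.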
Slide 61
Reference
When the host is configured as a DHCP client, rules that pass ports 68 and 546 are created automatically:
pass in log quick from any to any port = 68 # bootpc
pass in log quick from any to any port = 546 # dhcpv6-client
This is decided from the output of the /sbin/netstrategy command. Interfaces such as wifi are not covered by that check, so it can make sense to add these ports via open_ports in the Default Global Policy instead.
# /sbin/netstrategy
zfs nge0 dhcp # the "dhcp" keyword is what marks the host as a DHCP client
Slide 67
Building a router, in a non-global zone or in VirtualBox
[Figure: network diagram ("what we ended up with"; conceptual image) with The INTERNET at the top and the router in between; interface labels: nge0, vboxnic254, vboxstub0, vboxnic0, vboxnic0]
Slide 68
NAT configuration
Settings in /etc/ipf/ipnat.conf:
map nge0 192.168.99.0/24 -> 0/32 proxy port ftp ftp/tcp
map nge0 192.168.99.0/24 -> 0/32 portmap tcp/udp auto
map nge0 192.168.99.0/24 -> 0/32
(Replace nge0 with the name of the NIC you actually use. Keep the lines in this order: map rules are matched first-match, so the ftp proxy and portmap rules must come before the catch-all map.)
Enabling NAT:
# svcadm enable ipfilter
# ipnat -l
List of active MAP/Redirect filters:
rdr * 0.0.0.0/0 port 21 -> 0.0.0.0/32 port 21 tcp proxy ftp
map nge0 192.168.99.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map nge0 192.168.99.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map nge0 192.168.99.0/24 -> 0.0.0.0/32
Slide 69
Creating the non-global zone
# zonecfg -z testzone
testzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:testzone> create
zonecfg:testzone> set zonepath=/rpool/testzone
zonecfg:testzone> set ip-type=exclusive
zonecfg:testzone> set autoboot=true
zonecfg:testzone> add net
zonecfg:testzone:net> set physical=zonevnic110
zonecfg:testzone:net> end
zonecfg:testzone> verify
zonecfg:testzone> commit
zonecfg:testzone>
# zoneadm -z testzone install
# zoneadm -z testzone boot
# zlogin -C testzone
The IP address assigned to testzone is 192.168.99.100; its gateway is 192.168.99.254.
Don't forget to set up /etc/resolv.conf and /etc/nsswitch.conf as well so that DNS can be used.
Slide 70
Building a router, in a non-global zone or in VirtualBox: the finished setup
[Figure: the same diagram as slide 67 with addresses added; labels: The INTERNET, nge0, vboxnic254, vboxstub0, vboxnic0, vboxnic0, router, 192.168.99.254, 192.168.99.1/24, 192.168.99.1/24, NAT]