ipfilter(5) Standards, Environments, and Macros ipfilter(5)
ipfilter - IP packet filtering software
IP Filter is software that provides packet filtering capabilities on a Solaris system. On
a properly setup system, it can be used to build a firewall.
Solaris IP Filter is installed with the Solaris operating system. However, packet filter-
ing is not enabled by default. See ipf(1M) for a procedure to enable and activate the IP
To simplify IP Filter configuration management, a firewall framework is created to allow
users to configure IP Filter by expressing firewall policy at system and service level.
Given the user-defined firewall policy, the framework generates a set of IP Filter rules
to enforce the desired system behavior. Users specify system and service firewall policies
that allow or deny network traffic from certain hosts, subnets, and interface(s). The
policies are translated into a set of active IPF rules to enforce the specified firewall
Users can still specify their own ipf rule file if they choose not to take advantage of
the framework. See ipf(1M) and ipf(4).
This section describes the host-based firewall framework. See svc.ipfd(1M) for details on
how to configure firewall policies.
A three-layer approach with different precedence levels helps the user achieve the desired
Global Default - Default system-wide firewall policy. This policy is automatically
inherited by all services unless services modify their firewall policy.
Higher precedence than Global Default. A service's policy allows/disallows traffic to
its specific ports, regardless of Global Default policy.
Another system-wide policy that takes precedence over the needs of specific services
in Network Services layer.
A firewall policy includes a firewall mode and an optional set of network sources. Network
sources are IP addresses, subnets, and local network interfaces, from all of which a sys-
tem can receive incoming traffic. The basic set of firewall modes are:
No firewall, allow all incoming traffic.
Allow all incoming traffic but deny from specified source(s).
Deny all incoming traffic but allow from specified source(s).
Layers in Detail
The first system-wide layer, Global Default, defines a firewall policy that applies to any
incoming traffic, for example, allowing or blocking all traffic from an IP address. This
makes it simple to have a policy that blocks all incoming traffic or all incoming traffic
from unwanted source(s).
The Network Services layer contains firewall policies for local programs that provide ser-
vice to remote clients, for example, telnetd, sshd, and httpd. Each of these programs, a
network service, has its own firewall policy that controls access to its service. Ini-
tially, a service's policy is set to inherit Global Default policy, a "Use Global Default"
mode. This makes it simple to set a single policy, at the Global Default layer, that can
be inherited by all services.
When a service's policy is different from Global Default policy, the service's policy has
higher precedence. If Global Default policy is set to block all traffic from a subnet, the
SSH service could be configured to allow access from certain hosts in that subnet. The set
of all policies for all network services comprises the Network Service layer.
The second system-wide layer, Global Override, has a firewall policy that also applies to
any incoming network traffic. This policy has highest precedence and overrides policies in
the other layers, specifically overriding the needs of network services. The example is
when it is desirable to block known malicious source(s) regardless of services' policies.
This framework leverages IP Filter functionality and is active only when svc:/net-
work/ipfilter is enabled and inactive when network/ipfilter is disabled. Similarly, a net-
work service's firewall policy is only active when that service is enabled and inactive
when the service is disabled. A system with an active firewall has IP Filter rules for
each running/enabled network service and system-wide policy(s) whose firewall mode is not
A user configures a firewall by setting the system-wide policies and policy for each net-
work service. See svc.ipfd(1M) on how to configure a firewall policy.
The firewall framework composes of policy configuration and a mechanism to generate IP
Filter rules from the policy and applying those rules to get the desired IP Filter config-
uration. A quick summary of the design and user interaction:
o system-wide policy(s) are stored in network/ipfilter
o network services' policies are stored in each SMF service
o a user activates a firewall by enabling network/ipfilter (see ipf(1M))
o a user activates/deactivate a service's firewall by enabling/disabling that
o changes to system-wide or per-service firewall policy results in an update to
the system's firewall rules
See attributes(5) for a description of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|Interface Stability |Committed |
svcs(1), ipf(1M), ipnat(1M), svcadm(1M), svc.ipfd(1M), ipf(4), ipnat(4), attributes(5),
System Administration Guide: IP Services
The nfsd service is managed by the service management facility, smf(5), under the service
Administrative actions on this service, such as enabling, disabling, or requesting
restart, can be performed using svcadm(1M). The service's status can be queried using the
IP Filter startup configuration files are stored in /etc/ipf.
SunOS 5.11 18 Feb 2009 ipfilter(5)