Solaris / OpenSolaris
This forum is for the discussion of Solaris, OpenSolaris, OpenIndiana, and illumos.
General Sun, SunOS and Sparc related questions also go here. Any Solaris fork or distribution is welcome.
Thanks for your reply. I'll use ANY then... sounds a bit less scary than ALL!
I do not understand why they talk about the "ALL" keyword in the Sun documentation though: http://docs.sun.com/app/docs/doc/816...aoq0245?a=view
from/to/all/any
Matches any or all of the following: the source IP address, the destination IP address, and the port number. The all keyword is used to accept packets from all sources and to all destinations
Is there a mistake here or didn't I understand something correctly?
Quote:
Originally Posted by xpucto
Is there a mistake here or didn't I understand something correctly?
Better to look at the manual page which is clear (man -s 4 ipf):
The all keyword is essentially a synonym for "from any to any" with no other match parameters.
pass in quick on bge0 proto tcp from any to any port = http flags S keep state group 100
pass in quick on bge0 proto tcp from any to any port = https flags S keep state group 100
in ipf.conf and doing
Quote:
ipf -Fa -f /etc/ipf/ipf.conf
I got the error message that http and https are unknown! Do I have to define them in some other file?
I took those lines from a tutorial but I actually do not understand why it wasn't written:
Quote:
pass in quick on bge0 proto tcp from any to any port = 80 flags S keep state group 100
Yes, the standard Unix file to define tcp and udp service names is /etc/services.
By default, http is not there, at least under Solaris.
Why is /etc/services (/etc/inet/services) in read-only mode actually?
It seems strange to me, especially when protocols like http and https aren't listed in it.
Should I put it back into read-only mode?
# block short packets which are packets fragmented too short to be real.
block in log quick all with short
# block and log inbound and outbound by default, group by destination
block in log on bge0 from any to any head 100
block out log on bge0 from any to any head 200
# web rules that get hit most often
pass in quick on bge0 proto tcp from any to any port = 80 flags S keep state group 100
pass in quick on bge0 proto tcp from any to any port = 443 flags S keep state group 100
# inbound traffic - ssh, auth
pass in quick on bge0 proto tcp from any to any port = 22 flags S keep state group 100
pass in log quick on bge0 proto tcp from any to any port = 113 flags S keep state group 100
pass in log quick on bge0 proto tcp from any port = 113 to any flags S keep state group 100
# outbound traffic - DNS, auth, NTP, ssh, WWW, smtp
pass out quick on bge0 proto tcp/udp from any to any port = domain flags S keep state group 200
pass in quick on bge0 proto udp from any port = domain to any group 100
pass out quick on bge0 proto tcp from any to any port = 113 flags S keep state group 200
pass out quick on bge0 proto tcp from any port = 113 to any flags S keep state group 200
pass out quick on bge0 proto udp from any to any port = ntp group 200
pass in quick on bge0 proto udp from any port = ntp to any port = ntp group 100
pass out quick on bge0 proto tcp from any to any port = ssh flags S keep state group 200
pass out quick on bge0 proto tcp from any to any port = 80 flags S keep state group 200
pass out quick on bge0 proto tcp from any to any port = 443 flags S keep state group 200
pass out quick on bge0 proto tcp from any to any port = smtp flags S keep state group 200
# pass icmp packets in and out
#pass in quick on bge0 proto icmp from any to any keep state group 100
#pass out quick on bge0 proto icmp from any to any keep state group 200
# block and ignore NETBIOS packets
block in quick on bge0 proto tcp from any to any port = 135 flags S keep state group 100
block in quick on bge0 proto tcp from any port = 137 to any flags S keep state group 100
block in quick on bge0 proto udp from any to any port = 137 group 100
block in quick on bge0 proto udp from any port = 137 to any group 100
block in quick on bge0 proto tcp from any port = 138 to any flags S keep state group 100
block in quick on bge0 proto udp from any port = 138 to any group 100
block in quick on bge0 proto tcp from any port = 139 to any flags S keep state group 100
block in quick on bge0 proto udp from any port = 139 to any group 100
This time I didn't get any error message, but then I can't connect through SSH anymore!
Why? Where is my mistake?
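To put the three questions in this thread side by side (what "all" means next to "from any to any", why ipf rejects "port = http" when the name is not in /etc/services, and what the posted ruleset does to an SSH connection), here is an added example written for this edit. It is not code from the thread, from IPFilter or from Solaris: SERVICES, parse_rule, unknown_services, Firewall, evaluate, demo and the sample packets are names chosen here, and the service table and the rule excerpt are constructed inputs, with http left out of the table as on a default Solaris install. It models only what the posted rules use. Addresses are ignored (every rule says "any"), state is keyed on protocol and port pair, "flags S" is read as SYN set and ACK clear (ipf's default mask is stricter, but a mid-stream ACK fails under either reading), and the last-match subtleties of non-quick group rules are not modelled, since every group rule in the post is "quick".

```python
"""Model of the ipf.conf subset used in this thread (added example, not IPFilter
code): last-match-wins unless 'quick', 'head'/'group' trees, 'all' as 'from any
to any', 'keep state' checked before any rule, service names from a table."""

# Constructed stand-in for /etc/services; 'http' is absent, as on default Solaris.
SERVICES = {"ssh": 22, "auth": 113, "domain": 53, "ntp": 123, "smtp": 25}

def port_number(tok):
    n = int(tok) if tok.isdigit() else SERVICES.get(tok)
    if n is None:
        raise ValueError(f"unknown service name: {tok}")   # what ipf reports
    return n

def parse_rule(line):
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": False, "log": False, "all": False,
         "iface": None, "proto": None, "sport": None, "dport": None, "flags": None,
         "state": False, "head": None, "group": 0, "short": False}
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("quick", "log", "all"):               # 'all' == 'from any to any'
            r[w] = True; i += 1
        elif w in ("on", "flags"):
            r["iface" if w == "on" else "flags"] = t[i + 1]; i += 2
        elif w == "proto":
            r["proto"] = t[i + 1].split("/"); i += 2   # 'tcp/udp' matches either
        elif w in ("from", "to"):
            side = "sport" if w == "from" else "dport"
            i += 2                                     # address is always 'any' here
            if i < len(t) and t[i] == "port":          # 'port = <name or number>'
                r[side] = port_number(t[i + 2]); i += 3
        elif w == "keep":                              # 'keep state'
            r["state"] = True; i += 2
        elif w in ("head", "group"):
            r[w] = int(t[i + 1]); i += 2
        elif w == "with":                              # 'with short'
            r["short"] = t[i + 1] == "short"; i += 2
        else:
            raise ValueError(f"unsupported token: {w}")
    return r

def rule_lines(text):
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def unknown_services(text):
    """Preflight for 'ipf -Fa -f file': 'port = NAME' names ipf would reject."""
    names = {t[i + 2] for l in rule_lines(text) for t in [l.split()]
             for i, w in enumerate(t) if w == "port"}
    return sorted(n for n in names if not n.isdigit() and n not in SERVICES)

def matches(r, p):
    ok = (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
          and (not r["proto"] or p["proto"] in r["proto"])
          and (not r["short"] or p.get("short", False))
          and r["sport"] in (None, p["sport"]) and r["dport"] in (None, p["dport"]))
    if ok and r["flags"] == "S" and p["proto"] == "tcp":   # read as S/SA: SYN set, ACK clear
        ok = "S" in p["flags"] and "A" not in p["flags"]
    return ok

class Firewall:
    def __init__(self, text):
        self.rules = [parse_rule(l) for l in rule_lines(text)]
        self.state = set()                          # (proto, {port, port}); no addresses

    def evaluate(self, p):
        key = (p["proto"], frozenset((p["sport"], p["dport"])))
        if key in self.state:                       # the state table wins over rules
            return "pass (state)"
        v = {"action": "pass", "rule": None}        # ipf passes what no rule matches
        def scan(group):
            for r in self.rules:
                if r["group"] != group or not matches(r, p):
                    continue
                v.update(action=r["action"], rule=r)       # last match wins ...
                if (r["head"] is not None and scan(r["head"])) or r["quick"]:
                    return True                            # ... unless 'quick'
            return False
        scan(0)
        if v["action"] == "pass" and v["rule"] and v["rule"]["state"]:
            self.state.add(key)
        return v["action"]

# Excerpt of the ruleset posted above, used here as constructed input.
RULES = """
block in log quick all with short
block in log on bge0 from any to any head 100
block out log on bge0 from any to any head 200
pass in quick on bge0 proto tcp from any to any port = 22 flags S keep state group 100
pass out quick on bge0 proto tcp/udp from any to any port = domain flags S keep state group 200
pass out quick on bge0 proto tcp from any to any port = ssh flags S keep state group 200
"""

def demo():
    fw = Firewall(RULES)
    pkt = lambda d, i, sp, dp, f: dict(dir=d, iface=i, proto="tcp", sport=sp, dport=dp, flags=f)
    return {"new ssh SYN in": fw.evaluate(pkt("in", "bge0", 50000, 22, "S")),
            "its SYN-ACK out": fw.evaluate(pkt("out", "bge0", 22, 50000, "SA")),
            "ACK of a session older than the flush": fw.evaluate(pkt("in", "bge0", 50001, 22, "A")),
            "SYN on an interface no rule names": fw.evaluate(pkt("in", "e1000g0", 50002, 22, "S"))}
```

Two of demo()'s results are worth checking on the real box with ipfstat and ipmon rather than trusting the model. A packet from a TCP session that existed before "ipf -Fa" emptied the state table carries ACK and no bare SYN, so it matches no "flags S" rule, has no state entry, and falls through to the head 100 block. A packet on an interface no rule names is passed, because ipf passes whatever nothing matches, so a wrong interface name leaves the host open rather than locked out. The thread itself does not say which of these, if either, cost the SSH session above, and unknown_services() is the check to run on a ruleset before loading it, since a name such as http that /etc/services does not list is what produced the "unknown" error in the earlier post.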