exact syntax to permit ipfilter rules in Solaris 10 x86

sunhux
I have many tenants in our cloud using RHEL 5.x/6.x & Solaris x86:
some tenants enable/use iptables while some disable/don't;
similarly for Solaris x86 tenants.

I have a common service which I need to permit rules in iptables
(for RHEL VMs) regardless of whether the tenant is currently
using iptables or not (ie just leave the rules there & if one day
the tenant decides to enable/use iptables, the rules to allow the
common service will have been there).

Requirements:
==========
a) permit a rule to allow Tcp4120 from current tenant VM to 172.21.3.a
b) permit a rule to allow Tcp4118 from 172.21.3.a to the current tenant VM

By "current tenant VM", it needs to be applied on all the network interfaces.

Are the commands below correct?
# /sbin/iptables -A RH-Firewall-1-OUTPUT -p tcp --dport 4120 -d 172.21.a.b -j ACCEPT
# /sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 4118 -d localhost -j ACCEPT
# /sbin/service iptables save   <== this creates /etc/sysconfig/iptables if it's absent?


******************************************************************************************

Sorry this is off-topic for Solaris iptables but appreciate anyone who can help:

I refer to examples in links below but I'm still confused:
  http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html
  http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html


Q1:
So do I just add the following lines to the top (not the bottom, right?) of /etc/ipf/ipf.conf?
  pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to "all_interfaces" port = 4118 keep state
  pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces" to 172.21.a.b port = 4120 keep state

Q2:
What's the purpose of "quick" in the above rules?  What's the difference if it's absent or present?

Q3:
As our Solaris x86 VMs have about four interfaces, can someone substitute "all_interfaces" in the
above rules with the actual global value? I reckon there must be an actual Solaris implementation
value that refers to "all interfaces"; if there's none, let me know so that I can repeat it four times
for all four interfaces.

Q4:
What's the purpose of "keep state"?  is it needed in my case?

Q5:
If ipf.conf is not present in the /etc/ipf folder, does this mean ipfilter (as given by 'svcs -a |grep -i ipfilter') is offline?

Q6:
If it's offline & I just create the absent ipf.conf file anyway, so that one day, if ipfilter is onlined/used,
the rules will already be there?  If ipfilter is offline, no harm creating ipf.conf, right?
Did I miss out anything in my assumptions?
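The following script is an added example, not code from the original post or from the asker. It generates the two rules the question describes for both platforms, with the points a practitioner would check before leaving such rules on a tenant VM: on RHEL the stock INPUT chain ends in a REJECT rule, so an appended (-A) rule is never reached and -I is used instead; on Solaris an IPFilter rule with no "on <ifname>" clause already applies to every interface, and "quick" makes the first matching rule win, so a pass rule placed after a "block in quick all" is dead. The ipf_order_check function shows that ordering rule on a constructed ipf.conf. The peer address 172.21.3.10 is a constructed stand-in for 172.21.3.a; the chain names, the path /etc/ipf/ipf.conf and the service name network/ipfilter are assumptions to confirm on the target host.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the two rules the
# question asks for on both platforms and installs them where they will
# actually be hit. PEER is a constructed stand-in for 172.21.3.a; chain names
# and file paths are assumptions to confirm on the target host.

PEER="${PEER:-172.21.3.10}"       # constructed address standing in for 172.21.3.a
PORT_TO_PEER=4120                 # tenant VM -> peer
PORT_FROM_PEER=4118               # peer -> tenant VM
IN_CHAIN="${IN_CHAIN:-INPUT}"     # RHEL 5 rulesets often use RH-Firewall-1-INPUT: check iptables -L -n
OUT_CHAIN="${OUT_CHAIN:-OUTPUT}"
IPF_CONF="${IPF_CONF:-/etc/ipf/ipf.conf}"

# RHEL: -I inserts at the head of the chain. -A would append after the
# "REJECT --reject-with icmp-host-prohibited" rule that ends the stock RHEL
# INPUT chain, so the new rule would never be reached. No -i/-d on the inbound
# rule means it matches on every interface ("-d localhost" is only 127.0.0.1).
rhel_rules() {
    printf '%s\n' \
        "/sbin/iptables -I $OUT_CHAIN -p tcp -d $PEER --dport $PORT_TO_PEER -j ACCEPT" \
        "/sbin/iptables -I $IN_CHAIN -p tcp -s $PEER --dport $PORT_FROM_PEER -j ACCEPT"
}

install_rhel() {
    rhel_rules | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }   # unquoted on purpose: plain words only
    done || return 1
    /sbin/service iptables save   # writes /etc/sysconfig/iptables, creating it if absent
}

# Solaris IPFilter. Without an "on <ifname>" clause a rule applies to every
# interface, so one copy suffices; pass interface names to get explicit copies.
# quick:      the first matching quick rule decides; without it the LAST matching
#             rule in the file wins, so position matters either way.
# keep state: reply packets of the connection are let through automatically,
#             so no rule for the return direction is needed.
solaris_rules() {
    if [ $# -eq 0 ]; then set -- ""; fi
    for ifc in "$@"; do
        on=""
        if [ -n "$ifc" ]; then on="on $ifc "; fi
        printf '%s\n' \
            "pass out quick ${on}proto tcp from any to $PEER port = $PORT_TO_PEER keep state" \
            "pass in quick ${on}proto tcp from $PEER to any port = $PORT_FROM_PEER keep state"
    done
}

# Order check: reads an ipf.conf on stdin and reports whether the quick pass
# rule for <dir> <port> is reachable ("ok"), hidden behind an earlier
# "block <dir> quick ... all" ("shadowed"), or absent ("missing").
ipf_order_check() {   # usage: ipf_order_check in 4118 < /etc/ipf/ipf.conf
    awk -v dir="$1" -v port="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "block" && $2 == dir && $3 == "quick" && $NF == "all" { blocked = 1 }
        $1 == "pass"  && $2 == dir && $3 == "quick" {
            for (i = 4; i < NF; i++)
                if ($i == "=" && $(i + 1) == port) {
                    found = 1; print (blocked ? "shadowed" : "ok"); exit
                }
        }
        END { if (!found) print "missing" }'
}

# Prepend the rules so no earlier quick block rule can shadow them, then reload
# only if the service is online (a missing ipf.conf does not tell you that;
# svcs does). Rules saved while ipfilter is disabled take effect once it is
# enabled with "svcadm enable network/ipfilter".
install_solaris() {
    if [ -f "$IPF_CONF" ] && grep "port = $PORT_FROM_PEER" "$IPF_CONF" >/dev/null; then
        echo "rules already present in $IPF_CONF" >&2; return 0
    fi
    tmp="$IPF_CONF.new.$$"
    solaris_rules "$@" > "$tmp"
    if [ -f "$IPF_CONF" ]; then cat "$IPF_CONF" >> "$tmp"; fi
    mv "$tmp" "$IPF_CONF"
    if [ "$(svcs -H -o state network/ipfilter)" = online ]; then
        ipf -Fa -f "$IPF_CONF" && ipfstat -io    # flush, load the file, list active rules
    else
        echo "ipfilter is not online; $IPF_CONF will be used when it is enabled" >&2
    fi
}

# Dry run: show what would be installed.
rhel_rules
solaris_rules
```

Run it as-is to see the generated rules, or call install_rhel / install_solaris as root on the respective VM. On Solaris 10 releases that still use the pfil STREAMS module, the interfaces to be filtered also have to be listed in /etc/ipf/pfil.ap before IPFilter sees their traffic, so check that file when ipfstat -io lists the rules but nothing matches.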
Commented:
As there's no equiv iptables distro for Solaris, I'll either turn ipfilter off or refer to:
http://www.linuxquestions.org/questions/solaris-opensolaris-20/solaris-10-and-iptables-611225/
