sunhux
asked on
exact syntax to permit ipfilter rules in Solaris 10 x86
I have many tenants in our cloud using RHEL 5.x/6.x & Solaris x86:
some tenants enable/use iptables while some disable/don't;
similarly for Solaris x86 tenants.
I have a common service which I need to permit rules in iptables
(for RHEL VMs) regardless of whether the tenant is currently
using iptables or not (ie just leave the rules there & if one day
the tenant decides to enable/use iptables, the rules to allow the
common service will have been there).
Requirements:
==========
a) permit a rule to allow Tcp4120 from current tenant VM to 172.21.3.a
b) permit a rule to allow Tcp4118 from 172.21.3.a to the current tenant VM
By "current tenant VM", it needs to be applied on all the network interfaces.
Are the commands below correct?
# /sbin/iptables -A RH-Firewall-1-OUTPUT -p tcp --dport 4120 -d 172.21.a.b -j ACCEPT
# /sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 4118 -d localhost -j ACCEPT
# /sbin/service iptables save <== this creates /etc/sysconfig/iptables if it's absent?
**************************
Sorry this is off-topic for Solaris iptables but appreciate anyone who can help:
I refer to examples in links below but I'm still confused:
http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html
http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html
Q1:
So do I just add the following lines to the top (not the bottom, right?) of /etc/ipf/ipf.conf ?
pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to "all_interfaces" port = 4118 keep state
pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces" to 172.21.a.b port = 4120 keep state
Q2:
What's the purpose of "quick" in the above rules? What's the difference if it's absent or
present?
Q3:
As our Solaris x86 VMs have about four interfaces, can someone substitute "all_interfaces" in the
above rules with the actual global value: I reckon there must be an actual Solaris implementation
value that refers to "all interfaces"; if there's none, let me know so that I can repeat it four times
for all the four interfaces.
Q4:
What's the purpose of "keep state"? is it needed in my case?
Q5:
if ipf.conf is not present in /etc/ipf folder, does this mean ipfilter (as given by 'svcs -a |grep -i ipfilter') is offline?
Q6:
if it's offline & I just create the absent ipf.conf file anyway so that one day if ipfilter is onlined/used,
the rules will already be there? If ipfilter is offline, no harm creating ipf.conf, right?
Did I miss out anything in my assumptions?
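An added example, not part of sunhux's post or of the Oracle documentation linked above: a small Python model of how ipf walks an ipf.conf rule list, covering the three mechanics that Q1 to Q4 turn on. Without `quick` the last matching rule decides, so a pass rule placed above a trailing `block in all` is overridden; with `quick` the walk stops at the pass rule. `keep state` records the flow, so the reply packets of an accepted connection pass without an explicit rule for the other direction. A rule with no `on <interface>` clause matches on every interface, so in ipf syntax nothing has to be repeated per interface. The addresses (172.21.3.10 standing in for the 172.21.3.a host, 10.0.0.5 for the tenant VM), the interface names e1000g0/e1000g1 and the ephemeral ports are constructed sample values, and the model implements only the syntax the question uses.

```python
"""Toy model of IPFilter (ipf.conf) rule evaluation: added example, not code
from the thread or the Oracle docs. Covers only the syntax the question uses."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the host
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False          # stop the rule walk here if this rule matches
    iface: Optional[str] = None  # None = no "on" clause = every interface
    proto: str = "any"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False     # record the flow so later packets skip the rules

    def matches(self, p: Packet, iface: str) -> bool:
        return (self.direction == p.direction
                and self.iface in (None, iface)
                and self.proto in ("any", p.proto)
                and self.src in ("any", p.src) and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport))


def parse_rule(line: str) -> Rule:
    """Parse one ipf.conf line. 'port = N' binds to the preceding from/to."""
    t = line.split()
    rule, side, i = Rule(action=t[0], direction=t[1]), "dst", 2
    while i < len(t):
        if t[i] in ("log", "all"):           # "all" means from any to any
            i += 1
        elif t[i] == "quick":
            rule.quick, i = True, i + 1
        elif t[i] == "on":
            rule.iface, i = t[i + 1], i + 2
        elif t[i] == "proto":
            rule.proto, i = t[i + 1], i + 2
        elif t[i] in ("from", "to"):
            side = "src" if t[i] == "from" else "dst"
            setattr(rule, side, t[i + 1])
            i += 2
        elif t[i] == "port" and t[i + 1] == "=":
            setattr(rule, "sport" if side == "src" else "dport", int(t[i + 2]))
            i += 3
        elif t[i] == "keep" and t[i + 1] == "state":
            rule.keep_state, i = True, i + 2
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return rule


class Firewall:
    def __init__(self, rule_lines: List[str]):
        self.rules = [parse_rule(l) for l in rule_lines if l.strip()]
        self.state = set()  # flow keys recorded by "keep state"

    @staticmethod
    def flow_key(p: Packet) -> Tuple:
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])  # same key both ways
        return (p.proto, ends[0], ends[1])

    def filter(self, p: Packet, iface: str) -> str:
        # State table first: a recorded flow passes in either direction
        # without walking the rules. That is what "keep state" buys.
        if self.flow_key(p) in self.state:
            return "pass (state)"
        # Walk rules in order: the LAST match decides, unless a matching
        # rule says "quick", which ends the walk at that rule.
        winner = None
        for rule in self.rules:
            if rule.matches(p, iface):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass (no match)"  # ipf passes a packet no rule matches
        if winner.action == "pass" and winner.keep_state:
            self.state.add(self.flow_key(p))
        return winner.action


PEER = "172.21.3.10"  # constructed stand-in for the 172.21.3.a host
VM = "10.0.0.5"       # constructed tenant VM address
SYN_IN = Packet("in", "tcp", PEER, 45000, VM, 4118)      # peer -> VM:4118
REPLY_OUT = Packet("out", "tcp", VM, 4118, PEER, 45000)  # VM:4118 -> peer
SYN_OUT = Packet("out", "tcp", VM, 52000, PEER, 4120)    # VM -> peer:4120
PASS_IN = f"pass in proto tcp from {PEER} to any port = 4118 keep state"
PASS_OUT = f"pass out proto tcp from any to {PEER} port = 4120 keep state"


def placement_effect() -> Tuple[str, str]:
    """Pass rule above a trailing block-all: without quick it loses, with quick it wins."""
    no_quick = Firewall([PASS_IN, "block in log all"])
    quick = Firewall([PASS_IN.replace("pass in", "pass in quick"), "block in log all"])
    return no_quick.filter(SYN_IN, "e1000g0"), quick.filter(SYN_IN, "e1000g0")


def keep_state_effect() -> Tuple[str, str]:
    """Reply to an accepted connection: blocked without state, passed with it."""
    base = ["block out log all", "block in log all"]
    stateless = Firewall([PASS_IN.replace("pass in", "pass in quick")
                          .replace(" keep state", "")] + base)
    stateful = Firewall([PASS_IN.replace("pass in", "pass in quick")] + base)
    for fw in (stateless, stateful):
        fw.filter(SYN_IN, "e1000g0")  # accept the inbound SYN first
    return stateless.filter(REPLY_OUT, "e1000g0"), stateful.filter(REPLY_OUT, "e1000g0")


def interface_scope() -> Tuple[str, str]:
    """No 'on' clause matches every interface; 'on e1000g0' does not match e1000g1."""
    everywhere = Firewall([PASS_OUT.replace("pass out", "pass out quick"), "block out log all"])
    one_nic = Firewall([PASS_OUT.replace("pass out", "pass out quick on e1000g0"),
                        "block out log all"])
    return everywhere.filter(SYN_OUT, "e1000g1"), one_nic.filter(SYN_OUT, "e1000g1")
```

Run the three scenario functions to see the decisions side by side; the interesting outputs are `("block", "pass")` from `placement_effect`, `("block", "pass (state)")` from `keep_state_effect` and `("pass", "block")` from `interface_scope`. The model says nothing about the iptables half of the question; note only that `-d localhost` in the INPUT rule resolves to 127.0.0.1, so that rule would match loopback traffic rather than packets arriving from 172.21.a.b on the tenant's interfaces.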