Link to home
Start Free TrialLog in
Avatar of sunhux

asked on

exact syntax to permit ipfilter rules in Solaris 10 x86

I have many tenants in our cloud using RHEL 5.x/6.x & Solaris x86:
some tenants enable/use iptables while some disable/don't;
similarly for Solaris x86 tenants.

I have a common service which I need to permit rules in iptables
(for RHEL VMs) regardless of whether the tenant is currently
using iptables or not (ie just leave the rules there & if one day
the tenant decides to enable/use iptables, the rules to allow the
common service will have been there).

a) permit a rule to allow Tcp4120 from current tenant VM to 172.21.3.a
b) permit a rule to allow Tcp4118 from 172.21.3.a to the current tenant VM

By "current tenant VM", it needs to be applied on all the network interfaces.

Are the commands below correct?
# /sbin/iptables -A RH-Firewall-1-OUTPUT -p tcp --dport 4120 -d 172.21.a.b -j ACCEPT
# /sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 4118 -d localhost -j ACCEPT
# /sbin/service iptables save   <== this creates /etc/sysconfig/iptables if it's absent?


Sorry this is off-topic for Solaris iptables but appreciate anyone who can help:

I refer to examples in links below but I'm still confused:

So do I just add the following lines to the top (not the bottom, right? )  of /etc/ipf/ipf.conf  ?
  pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to "all_interfaces" port = 4118 keep state
 pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces"  to 172.21.a.b port = 4120 keep state

What's the the purpose of "quick" in the above rules?  What's the difference if it's absent or

As our Solaris x86 VMs has about four interfaces, can someone substitute "all_interfaces" in the
above rules with actual global value: I reckon there must be an actual Solaris implementation
value that refers to "all interfaces";  if there's none, let me know so that I can repeat it four times
for all the four interfaces

What's the purpose of "keep state"?  is it needed in my case?

if ipf.conf is not present in /etc/ipf  folder, does this mean ipfilter (as given by 'svcs -a |grep -i ipfilter') is offline?

if it's offline & I just create the absent ipf.conf file anyway so that one day if ipfilter is onlined/used,
the rules will already be there?  If ipfilter is offline, no harm creating ipf.conf, right?
Did I miss out anything in my assumptions?
Avatar of sunhux

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial