Configure IPFilter Firewall on OmniOSce/OpenIndiana
┌
Open a terminal and switch to root
su -
┌
Fill in the file /etc/ipf/ipf.conf
Below is an assortment of standard rules.
We start by blocking dangerous flows, then allow those we want to let in at the end.
Adapt the file accordingly.
If you need examples of NAT and DNAT (redirection), you'll find them in another mail (Transforming OmniOSce in router).
### IPFILTER CONFIGURATION ###
#Block all incoming traffic by default
block in log all
#Block all outgoing traffic by default
block out log all
#Block packets with suspicious IP options
block in log quick from any to any with ipopts
#Block malformed TCP packets
block in log quick proto tcp from any to any with short
#Allow traffic on the loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
#Allow and track stateful outgoing traffic
pass out quick all keep state
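#Replies to outgoing connections are matched by the state table that
#"pass out ... keep state" fills, before the rules are read, so they need no rule here.
#A "pass in quick all keep state" rule would accept every new incoming connection.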
#Explicitly allow certain incoming connections if necessary (optional)
pass in quick proto tcp from any to any port = 22 keep state # SSH
#pass in quick proto tcp from any to any port = 80 keep state # HTTP
#pass in quick proto tcp from any to any port = 443 keep state # HTTPS
┌
Enable IPFilter
svcadm enable svc:/network/ipfilter:default
┌
Load /etc/ipf/ipf.conf
ipf -Fa -f /etc/ipf/ipf.conf
┌
Display the rules loaded
ipfstat -io
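IPFilter applies the last matching rule unless a rule carries quick, which ends evaluation at once, so a catch-all quick rule disables every later rule for the same direction. The script below is an added example, not part of the original mail: it checks a rules file for that and for two rules run together on one line before the file is loaded. The names lint_ipf and sample_rules are hypothetical and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example: lint an ipf.conf-style ruleset read from FILE or stdin.
# Handles only the plain "pass|block in|out ..." rule form (no groups, no skip).
lint_ipf() {
    awk '
    { sub(/#.*/, "") }            # strip comments, including trailing ones
    NF == 0 { next }              # skip blank lines
    {
        # An action keyword after field 1 means two rules share the line.
        for (i = 2; i <= NF; i++)
            if ($i ~ /(pass|block)$/) {
                printf "line %d: second rule starts inside \"%s\"\n", NR, $i
                bad = 1; next
            }
        dir = $2; rest = ""; quick = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "quick") quick = 1
            else if ($i != "log" && $i != "keep" && $i != "state")
                rest = rest " " $i
        }
        # A quick rule that matches everything ends evaluation for that direction.
        if (dir in seen) {
            printf "line %d: never reached, quick catch-all on line %d decides all \"%s\" packets\n", NR, seen[dir], dir
            bad = 1
        }
        if (quick && (rest == " all" || rest == " from any to any"))
            seen[dir] = NR
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample ruleset (not taken from a real host).
sample_rules() {
cat <<'EOF'
block in log all
pass in quick on lo0 allpass out quick on lo0 all
pass out quick all keep state
pass in quick all keep state
pass in quick proto tcp from any to any port = 22 keep state # SSH
EOF
}

sample_rules | lint_ipf || echo "ruleset needs fixing before it is loaded"
```

On a real host the function takes the rules file as its argument, for example lint_ipf /etc/ipf/ipf.conf, and returns non-zero when it reports anything.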