IP Filter on Solaris
Ron McCarty
If you are responsible for host or network security within your organization, then you should consider adding ipf to your network tool kit. IP Filter, or ipf (http://coombs.anu.edu.au/~avalon/ip-filter.html), is an advanced packet filter with an easy-to-understand configuration, but it has some nuances that may seem strange to those who have used other packet filtering systems. However, ipf should not be avoided because of its "quirks", since they can easily be overcome. This article will give you an introduction to ipf and its rule sets, as well as its logging and administration capabilities. Ipf can also act as a Network Address Translator (NAT), but that isn't covered in this article.
Ipf supports filtering on incoming and outgoing packets. Incoming packets are packets that arrive destined for the packet filter's interface, and outgoing packets are packets that have already received a routing decision from the node where the packet filter is running and would normally be placed on the outgoing interface toward some other node.
I usually prefer to filter incoming packets. The major advantage of filtering on incoming packets is increased performance. A packet dropped at the incoming interface creates no additional load, because it is discarded before any routing decision is made, whereas a packet dropped by an outgoing rule has already consumed CPU cycles to determine the proper interface out of which to route it.
However, there are environments where filtering outgoing packets makes sense, for example using ipf to harden hosts that are not multi-homed, such as Web servers or workstations connected directly to the Internet. This is becoming more common with the availability of broadband in small office and home office environments.
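The following ipf.conf fragment is an added example, not taken from the article, that shows the two filtering stances just described side by side: inbound rules on the external interface of a multi-homed packet filter, and outbound rules that harden a single-homed host. The interface name hme0 and the server address 192.0.2.10 are assumptions chosen for illustration. Two ipf behaviours matter when reading it: rules are evaluated top to bottom and the last matching rule wins unless a rule carries the `quick` keyword, and `keep state` records a permitted connection so the replies are passed without a separate rule in the other direction.

```conf
# --- Added example ipf.conf (not the article's own configuration) ---
# Assumptions: hme0 is the interface facing the untrusted network,
# 192.0.2.10 is a Web server behind (or on) this node.

# Inbound filtering on the external interface: the packet is discarded
# before the kernel spends cycles on a routing decision.
# Drop and log anything that arrives from outside claiming a private
# source address; such packets should never come from the Internet.
block in log quick on hme0 from 10.0.0.0/8 to any
block in log quick on hme0 from 172.16.0.0/12 to any
block in log quick on hme0 from 192.168.0.0/16 to any

# Permit new TCP connections to the Web server only. "flags S" matches
# the initial SYN and "keep state" lets the rest of the connection
# through without further rules.
pass in quick on hme0 proto tcp from any to 192.0.2.10/32 port = 80 flags S keep state

# Default deny for everything else arriving on hme0; "log" records the
# drop so it can be reviewed with ipmon.
block in log quick on hme0 all

# Outbound filtering, useful when ipf protects a single-homed host:
# allow connections the host itself initiates and keep state so the
# replies are accepted by the inbound default deny above.
pass out quick on hme0 proto tcp from any to any flags S keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# Anything else leaving the host is dropped and logged.
block out log quick on hme0 all
```

Because every rule above uses `quick`, the first match decides the packet's fate and the ordering reads the way most administrators expect; omit `quick` and ipf's last-match semantics apply, which is one of the quirks the article refers to. Loading the file with `ipf -Fa -f /etc/opt/ipf/ipf.conf` replaces the active rule set; the path is the Solaris default for the ipf package and may differ on your system.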