
SmartMachines include crossbow networking and access to the virtual NIC by default. This means you have full control over the networking stack of your machine.

A security best practice is to place back-end services behind a load balancer (such as Stingray), a bastion host, or a VPN server, rather than exposing them directly.

You can assign IPFilter rules that restrict communication between your services and your SmartMachine, which makes it easier for your SmartMachines to pass security audits. For example, you can set up rules that only allow SSH from your static IP or from a block of IPs used by your ISP.

Once such rules are in place, the system can only be reached from the IP addresses you specify.

The following briefly describes how to assign IPFilter rules to your SmartMachine.


At a Glance

Using and setting up IPFilter.

More information on using IPF can be found in this Oracle IPF Documentation

Starting and Stopping IPFilter

The IPFilter service is managed by the Service Management Facility (SMF).

IPFilter is disabled by default. Use svcadm to enable, disable, start, or stop the service. For the initial setup, enable the service with svcadm.

Use svcadm restart to restart the service after you change the rules.

To check the status of the service, list the SMF services with svcs and use grep to pick out the ipfilter entry.

Sample IPfilter rules

IPFilter rules are kept in /etc/ipf/ipf.conf. In the rule examples below:

  • src.ip.addr stands for the source IP address.
  • dest.ip.addr stands for the destination IP address.

Allow inbound traffic from a specific IP address

Allow inbound traffic from a specific IP address to a specific port

Allow inbound traffic icmp only from a specific IP address

Allow outbound traffic from SmartMachine to anyone

Block traffic from a specific IP address

Block traffic from a specific range

Block traffic from anyone to a specific IP

Block icmp only from a specific IP

Block a specific port from anyone

(Use proto tcp to block only TCP. Otherwise the rule blocks both TCP and UDP.)

Set up a default deny policy: block all ports except 80 and 443

Address ranges can be used in any rule: write the address in CIDR notation (x.x.x.x/xx) instead of a single IP.

Testing IPF rules

Use ipfstat to list the rules that are currently loaded into the kernel; -i shows the inbound rule list and -o the outbound list. Compare the output against /etc/ipf/ipf.conf to confirm that the rules you wrote are the ones actually in effect:

ipfstat -io 

Debugging what ipfilter is doing

You can run ipmon as a daemon (-D) that reads all of the IPFilter log devices (-a) and writes to a logfile, then tail the logfile. Only packets matched by rules that carry the log keyword are recorded, so add log to the rules you want to watch:

ipmon -aD /var/log/ipmon.log
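The following script ties the steps above together: it generates a default-deny ruleset (SSH and ICMP echo only from an admin network, HTTP and HTTPS from anywhere, all outbound allowed with state), installs it into /etc/ipf/ipf.conf, enables the SMF service, loads the rules, and then checks them with ipfstat and starts ipmon. It is an added example, not code from the original page or from Joyent; the VNIC name net0, the admin network 203.0.113.0/24 (a documentation range) and the rule set itself are assumptions to adapt to your own machine. One detail worth knowing: IPFilter passes any packet that no rule matches, so the final block rule is what actually makes the policy default deny.

```shell
#!/bin/sh
# Added example (not from the original page): build, install and verify a
# default-deny IPFilter ruleset on a SmartMachine.
# Assumed placeholders: the zone's VNIC is "net0" and the trusted admin
# network is 203.0.113.0/24 (documentation range). Override via environment.

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # your static IP or your ISP's block
NIC="${NIC:-net0}"                          # the crossbow VNIC inside the zone

# Print the ruleset. IPFilter is last-match by default, so every pass rule
# carries "quick" to make the first match final; rule order matters.
gen_ipf_conf() {
    admin_net="$1"
    nic="$2"
    cat <<EOF
# Never filter loopback.
pass in quick on lo0 all
pass out quick on lo0 all

# Allow outbound traffic from the SmartMachine to anyone and keep state so
# the replies come back without explicit inbound rules.
pass out quick on $nic proto tcp from any to any flags S keep state
pass out quick on $nic proto udp from any to any keep state
pass out quick on $nic proto icmp from any to any keep state

# Inbound services open to everyone: HTTP and HTTPS.
pass in quick on $nic proto tcp from any to any port = 80 flags S keep state
pass in quick on $nic proto tcp from any to any port = 443 flags S keep state

# SSH only from the admin network; everyone else falls through to the deny.
pass in quick on $nic proto tcp from $admin_net to any port = 22 flags S keep state

# ICMP echo requests only from the admin network.
pass in quick on $nic proto icmp from $admin_net to any icmp-type echo

# Default deny: anything else inbound is dropped and logged for ipmon.
block in log all
EOF
}

# Write the ruleset, enable the SMF service, load the rules and show what
# is active. Only acts where the ipf tools exist, so it dry-runs elsewhere.
apply_ipf_conf() {
    conf="${1:-/etc/ipf/ipf.conf}"
    if ! command -v ipf >/dev/null 2>&1; then
        echo "ipf not found: dry run, ruleset would be written to $conf" >&2
        return 0
    fi
    gen_ipf_conf "$ADMIN_NET" "$NIC" > "$conf"
    svcadm enable ipfilter                 # initial setup; disabled by default
    ipf -Fa -f "$conf"                     # flush the active set, load the file
    svcs ipfilter                          # should report the service online
    ipfstat -io                            # list the active in/out rules
    pgrep -x ipmon >/dev/null || ipmon -aD /var/log/ipmon.log   # start logging
}

# With no argument, just print the generated ruleset for review;
# "apply" installs it on the SmartMachine.
case "${1:-}" in
    apply) apply_ipf_conf ;;
    *)     gen_ipf_conf "$ADMIN_NET" "$NIC" ;;
esac
```

Review the printed ruleset first, then run the script with apply from a session that already comes from the admin network; a mistake in the SSH rule locks you out of the machine, so keep the console available until the new rules are confirmed with ipfstat -io and a fresh SSH connection.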

More information for IPF can be found in this Oracle documentation

Labels: ipfilter, deny, policy, icmp, crossbow, rules, firewall, ip