I asked about this at the meeting last week, but nobody present was familiar with ipfilter, so I thought I'd ask here in hopes of finding a Solaris and/or Mac guru familiar with firewall configuration on these platforms...
I've been using the Linux kernel's Netfilter/iptables configuration for some time now, to handle firewalling for each of our Internet-connected Linux hosts, and I'd like to do the same for our Solaris and Mac OS X hosts as well. I've found some reasonable tutorials and FAQs online to help with the basic setup, but I'm stuck with a few issues surrounding connection tracking.
With iptables, you can load kernel modules to do connection tracking that is application-layer-specific. I use 3 such modules:
- ip_conntrack_amanda, to handle Amanda backup requests
- ip_conntrack_ftp, to support FTP server data connections
- ip_conntrack_netbios_ns, to support NetBIOS name services (e.g. in Samba)
I haven't found an equivalent mechanism in either ipfilter or ipfw to allow for this, and their state-table mechanisms aren't powerful enough. For example, for NetBIOS name services, the request goes out as a broadcast, but replies come back directly, so they don't match the state of the requests. (I can work around this by allowing all NMB replies from the local net, but this is uglier.)
Amanda backup support is even trickier, for two reasons: First of all, replies to requests can come back much later, after the state table entries will have expired (whereas with ip_conntrack_amanda, you can set a longer delay if needed), and secondly, there will be related, follow-up connections on other ports, which need to be tracked. (Again, I can work around this by allowing replies from the amanda port for hosts on the local net, using a separate rule, as well as opening up entire ranges of other ports for the local net. Again, this is uglier.)
Supporting an FTP server is even more problematic, particularly if I want to open it up to connections from outside of the local net, without opening up an entire port range to the outside world as well.
Any suggestions for clean, secure ways to implement firewall support for these services using ipfilter or ipfw?
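To make the connection-tracking gap described in the post concrete, here is an added toy model (example code, not part of the original post and not ipfilter, ipfw or Netfilter code). It compares a plain reverse-5-tuple state table with the "allow all NMB replies from the local net" workaround and with what an application-layer helper adds: an expectation for unicast replies to a broadcast query, a longer lifetime for Amanda request flows, and related connections learned from the reply payload. The addresses, ports, timings and the "CONNECT DATA ... MESG ..." reply text are constructed for the example; the FTP case would use the same payload-inspection path.

```python
"""Toy model of a stateful packet filter, constructed to illustrate the
connection-tracking gaps described in the post. Not ipfilter, ipfw or
Netfilter code; addresses, ports and payload text are constructed."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")   # constructed documentation prefix
BROADCAST = "192.0.2.255"
NBNS_PORT, AMANDA_PORT = 137, 10080


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float            # arrival time, seconds
    payload: str = ""


class StateTable:
    """Plain 'keep state': an inbound packet passes only if it is the exact
    reverse of an outbound 5-tuple seen less than `timeout` seconds ago."""

    def __init__(self, timeout=60.0):
        self.timeout = timeout
        self.flows = {}  # (src, sport, dst, dport) -> expiry time

    def outbound(self, p):
        self.flows[(p.src, p.sport, p.dst, p.dport)] = p.t + self.timeout

    def inbound(self, p):
        exp = self.flows.get((p.dst, p.dport, p.src, p.sport))
        return exp is not None and p.t <= exp


class StaticWorkaround(StateTable):
    """The 'uglier' fix from the post: a separate rule that always admits
    NBNS replies from the local net, whether or not anyone asked."""

    def inbound(self, p):
        if p.sport == NBNS_PORT and ip_address(p.src) in LOCAL_NET:
            return True
        return super().inbound(p)


class HelperStateTable(StateTable):
    """What an application-layer helper adds: expectations for replies that
    do not mirror the request, longer timeouts, and related connections
    learned from the protocol payload (simplified model, not Amanda's spec)."""

    def __init__(self, timeout=60.0, amanda_timeout=600.0):
        super().__init__(timeout)
        self.amanda_timeout = amanda_timeout
        self.expected = []  # (peer_net, peer_port, local_ip, local_port|None, expiry)

    def outbound(self, p):
        super().outbound(p)
        if p.dport == NBNS_PORT and p.dst == BROADCAST:
            # a broadcast query is answered by unicast from whichever local
            # host owns the name, so expect a reply from any address in the net
            self.expected.append((LOCAL_NET, NBNS_PORT, p.src, p.sport,
                                  p.t + self.timeout))
        elif p.dport == AMANDA_PORT:
            # Amanda replies can be slow: give this flow a longer lifetime
            self.flows[(p.src, p.sport, p.dst, p.dport)] = p.t + self.amanda_timeout

    def inbound(self, p):
        if super().inbound(p):
            if p.sport == AMANDA_PORT:
                self._expect_related(p)
            return True
        for net, pport, lip, lport, exp in self.expected:
            if (ip_address(p.src) in net and p.sport == pport and p.dst == lip
                    and (lport is None or p.dport == lport) and p.t <= exp):
                return True
        return False

    def _expect_related(self, p):
        # Ports announced in the reply become expected related connections
        # from that one peer only, instead of an open port range for the net.
        for port in re.findall(r"(?:DATA|MESG|INDEX) (\d+)", p.payload):
            self.expected.append((ip_network(p.src + "/32"), int(port), p.dst,
                                  None, p.t + self.amanda_timeout))


def scenario(table):
    """Replay a constructed exchange; return which inbound packets passed."""
    me, peer, other = "192.0.2.10", "192.0.2.20", "192.0.2.30"
    table.outbound(Packet(me, 40000, BROADCAST, NBNS_PORT, t=0.0))
    table.outbound(Packet(me, 40001, peer, AMANDA_PORT, t=0.0))
    return {
        "nbns_reply": table.inbound(Packet(other, NBNS_PORT, me, 40000, t=1.0)),
        "nbns_unsolicited": table.inbound(Packet(other, NBNS_PORT, me, 40002, t=1.0)),
        "amanda_late_reply": table.inbound(Packet(
            peer, AMANDA_PORT, me, 40001, t=300.0,
            payload="CONNECT DATA 50001 MESG 50002")),   # constructed payload
        "amanda_related": table.inbound(Packet(peer, 50001, me, 40003, t=301.0)),
    }


if __name__ == "__main__":
    for cls in (StateTable, StaticWorkaround, HelperStateTable):
        print(cls.__name__, scenario(cls()))
```

Running the script shows the trade-off the post is circling: the plain state table drops every reply, the static workaround admits the NBNS reply but also an unsolicited NBNS packet from any local host, and only the helper model admits exactly the solicited reply, the late Amanda reply and the one related connection the reply announced.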