Solaris x86 firewall using IP Filter

by:
Thang T. Mai
Hoang Q. Tran
It is really easy to make a Solaris gateway for a private network. When installing, choose to install the Core System Support component.

1. Lock down the box

The first step in locking down a box for NAT/firewall duty is to disable all running services that the Core System Support installation starts and that we don't need.

1. Disable inetd and its /etc/inetd.conf configuration file:

Edit /etc/inetd.conf and make sure everything is commented out. Then disable the inetd daemon:

# vi /etc/init.d/inetsvc
and comment out the inetd daemon:
#
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF.  Why did we ever let them change inetd?
#
# /usr/sbin/inetd -s &
2. Disable sendmail, sunrpc, nscd, lockd and sometimes-rpc11-13:
# mv /etc/rc2.d/S88sendmail /etc/rc2.d/s88sendmail
# mv /etc/rc2.d/S71rpc /etc/rc2.d/s71rpc
# mv /etc/rc2.d/S73nfs.client /etc/rc2.d/s73nfs.client
# mv /etc/rc2.d/S76nscd /etc/rc2.d/s76nscd
# mv /etc/rc3.d/S15nfs.server /etc/rc3.d/s15nfs.server
Once you have disabled the unnecessary services, go to the unixcircle.com portscan page to remotely port scan your own box from the outside. Be careful when you do this from behind another NAT/firewall box, as the port scan script will scan that NAT/firewall instead. If you have another box, use nmap to scan the box from the inside. The nmap output should show no listening services.

3. Add the helper packages needed to compile IPFilter and to run the DHCP client later:

Required helper packages:

SUNWarc (Archive Libraries)
SUNWbtool (CCS tools bundled with SunOS)
SUNWdhcsu (BOOTP/DHCP Server Services, (Usr))
SUNWhea (SunOS Header Files)
SUNWlibm (Sun WorkShop Bundled libm)
SUNWsprot (Solaris Bundled tools)
SUNWtoo (Programming Tools)
All packages are in Solaris 8 Software CD 2/2 except for SUNWtoo (Programming Tools) which is in Solaris 8 Software CD 1/2.

Insert Solaris 8 Software CD 1/2 and add SUNWtoo to the system:

Mount cdrom (on 2nd IDE controller) and copy packages to /tmp:

# mount -F hsfs /dev/dsk/c1t0d0p0 /mnt
# cd /mnt/Solaris_8/Product
# cp -R SUNWtoo /tmp
# cd /tmp
# pkgadd -d .
# umount /mnt
Insert Solaris 8 Software CD 2/2 and add remaining required packages to the system:
# mount -F hsfs /dev/dsk/c1t0d0s0 /mnt
# cd /mnt/Solaris_8/Product
# cp -R SUNWarc /tmp
...
# cp -R SUNWsprot /tmp
# pkgadd -d .
4. Update the system with the latest recommended x86 patch cluster:

Add a default route so the gateway can reach the outside world:

# route add default 

# ftp sunsolve.sun.com
login: ftp
passwd: ftp

ftp> cd /pub/patches
ftp> bin
ftp> hash
ftp> get 8_x86_Recommended.zip
ftp> bye

# unzip 8_x86_Recommended.zip
( packages unzipping... )
# cd 8_x86_Recommended
# ./install_cluster
( updating packages... )
# reboot
5. More hardening:

Switch TCP initial sequence number generation to the unique-per-connection-ID method of rfc1948:

# vi /etc/default/inetinit and change from TCP_STRONG_ISS=1 to TCP_STRONG_ISS=2
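To see what the TCP_STRONG_ISS=2 setting buys you, here is the rfc1948 scheme worked through in Python. This is an added example, not code from the HOWTO or from the Solaris kernel: it implements the formula the RFC describes (ISN = M + F(localhost, localport, remotehost, remoteport, secret), with M a 4-microsecond clock and F an MD5 hash), so the exact byte layout of the hash input and the secret value are assumptions of this example.

```python
import hashlib
import secrets

ISN_MODULUS = 2 ** 32


def connection_offset(local_addr, local_port, remote_addr, remote_port, secret):
    """F(localhost, localport, remotehost, remoteport, secret) from rfc1948:
    a 32-bit slice of MD5 over the connection 4-tuple and a per-boot secret.
    The serialisation of the tuple is this example's own choice."""
    material = f"{local_addr},{local_port},{remote_addr},{remote_port},".encode() + secret
    return int.from_bytes(hashlib.md5(material).digest()[:4], "big")


def rfc1948_isn(local_addr, local_port, remote_addr, remote_port, secret, clock_4us):
    """ISN = M + F(...): M is the 4-microsecond clock (mod 2**32), F the
    per-connection offset. For one 4-tuple the ISN still advances with the
    clock, which keeps old duplicate segments from being accepted; for any
    other 4-tuple the offset differs by an amount that depends on the secret."""
    offset = connection_offset(local_addr, local_port, remote_addr, remote_port, secret)
    return (clock_4us + offset) % ISN_MODULUS


def isn_delta(isn_earlier, isn_later):
    """Difference between two ISNs of the same connection, modulo 2**32."""
    return (isn_later - isn_earlier) % ISN_MODULUS


if __name__ == "__main__":
    # Constructed demo: a fresh secret per boot, two connections from the same host.
    boot_secret = secrets.token_bytes(16)
    same = [rfc1948_isn("192.168.1.1", 1415, "65.92.100.89", 6699, boot_secret, t)
            for t in (1000, 1250)]
    other = rfc1948_isn("192.168.1.1", 1416, "65.92.100.89", 6699, boot_secret, 1000)
    print("same connection, clock advanced by 250:", isn_delta(same[0], same[1]))
    print("neighbouring port at the same instant differs by:",
          isn_delta(same[0], other))
```

The first delta is always exactly the clock advance; the second is a secret-dependent value that nobody without the secret can compute, which is the point of the setting.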
To protect against buffer overflow attacks that execute code on the stack, add the following two parameters to /etc/system:
set noexec_user_stack=1
set noexec_user_stack_log=1
Tighten up IP by editing the /etc/init.d/inetinit script and adding these lines at the end:
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
For more information on security vulnerabilities, read SANS's The Twenty Most Critical Internet Security Vulnerabilities (Updated).

2. Setup network interfaces in the Solaris box

Assume this box has 2 Intel EtherExpress Pro 10/100 network cards and that their Solaris driver instances are named iprb0 and iprb1 for the first and second card. The first network card will use a non-routable private address according to rfc1918. The second will be assigned a routable IP address, either static or dynamic via DHCP.

Non-routable IP addresses for private networks:

10.0.0.1 - 10.255.255.254      netmask 255.0.0.0
172.16.0.1 - 172.31.255.254    netmask 255.240.0.0
192.168.0.1 - 192.168.255.254  netmask 255.255.0.0
Assume you chose the 192.168.0.1 range and already configured it for the first interface during installation.

If the second network card has static IP, routable.ip.address and netmask netmask.ip.address:

# vi /etc/inet/hosts
routable.ip.address		hostname
# vi /etc/inet/netmasks
routable.ip.address		netmask.ip.address
# vi /etc/hostname.iprb1
hostname
Be sure to indicate a correct IP address and netmask for both interfaces. Once you have chosen a private network address range for your inside machines, stay with that same range. The first network card will be the default Solaris gateway IP address.

3. Enable packet forwarding, dhcp, firewall and network address translation

To enable packet forwarding:

Create a startup script /etc/init.d/ipforwarding

#!/sbin/sh
case "$1" in
	start)
	 	/usr/sbin/ndd -set /dev/ip ip_forwarding 1
	 	/usr/sbin/ndd -set /dev/ip ip6_forwarding 1
	 	;;
	stop)
		/usr/sbin/ndd -set /dev/ip ip_forwarding 0
		/usr/sbin/ndd -set /dev/ip ip6_forwarding 0
		;;
	*)
		echo "Usage: $0 { start | stop }"
		exit 1
		;;
	esac
exit 0
Make it root executable:
# chmod 744 /etc/init.d/ipforwarding
Copy it to /etc/rc2.d:
# cp /etc/init.d/ipforwarding /etc/rc2.d/S69ipforwarding
/etc/init.d/ipforwarding must run after /etc/init.d/ipfboot & /etc/init.d/inetinit

DHCP client:

And if you receive your public address assignment dynamically through DHCP:

# touch /etc/hostname.iprb1
# touch /etc/dhcp.iprb1
Request necessary information from DHCP server:
# vi /etc/default/dhcpagent

RELEASE_ON_SIGTERM=yes
CLIENT_ID=crxxxxxx-a
PARAM_REQUEST_LIST=1,3,6,28
According to rfc2132, codes 1, 3, 6 and 28 are subnet mask, routers, DNS servers and broadcast address.

[ With ISC dhclient, requesting DNS will automatically create /etc/resolv.conf. It seems dhcpagent doesn't so you have to manually create /etc/resolv.conf. ]

Using DHCP will reset the hostname to ``unknown''. Reset the hostname to the box hostname with a simple script:

# vi /etc/init.d/resetnodename

#!/sbin/sh
uname -S `cat /etc/nodename`

# chmod 744 /etc/init.d/resetnodename
# cp /etc/init.d/resetnodename /etc/rc2.d/S70resetnodename
Compile and install IPFilter:

Solaris doesn't come with a C compiler. Download the free GNU C compiler from sunfreeware. You also need gzip to gunzip the GNU C compiler tarball.

Retrieve the latest IPFilter from http://www.ipfilter.org/ and compile it:

# /usr/local/bin/gunzip ip-fil3.4.20.tar.gz
# /usr/sbin/tar xvf ip-fil3.4.20.tar
# cd ip_fil3.4.20
Enable default block all policy. Edit Makefile and change:
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
 to :
POLICY=-DIPF_DEFAULT_PASS=FR_BLOCK
Enable ``top'' like output when issuing ipfstat -t:
STATETOP_CFLAGS=-DSTATETOP
STATETOP_INC=-I/usr/include
STATETOP_LIB=-L/lib -lcurses
Enable IPv6 filtering:
INET6=-DUSE_INET6
Add /usr/local/bin and /usr/ccs/bin to PATH so gcc and make can be found:
# PATH=$PATH:/usr/local/bin:/usr/ccs/bin
# export PATH
Compile IPFilter:
# make solaris
# cd SunOS5
# make package
Filter rule: Since you don't know what to block yet, you need to open up ingress and egress traffic to flow through. Edit /etc/opt/ipf/ipf.conf and add:
pass in all
pass out all
An example of a working /etc/opt/ipf/ipf.conf

Network Address Translation rule:

For NAT and ftp clients behind NAT to work, add the following to /etc/opt/ipf/ipnat.conf:

# Use ipfilter ftp proxy for ftp client transfers mode: active
map iprb1 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp

# Map all tcp and udp connections from 192.168.1.0/24 to external IP address,
# changing the source port number to something between 40,000 and 60,000 inclusive
map iprb1 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000

# For all other IP packets, map to the external IP address
map iprb1 192.168.1.0/24 -> 0.0.0.0/32
Make sure all the `proxy' lines are before any generic `portmap' lines, as the first match always wins.

An example of a working /etc/opt/ipf/ipnat.conf
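The "first match always wins" rule above is easy to get wrong when ipnat.conf grows, so here is a small first-match simulator for the three map rules on this page. It is an added example, not code from the HOWTO or from IPFilter: it parses only the subset of map syntax used here (bare map, portmap, and proxy port), treats 0.0.0.0/32 as "the interface address" without resolving it, and uses a tiny stand-in for /etc/services; the mis-ordered PORTMAP_FIRST ruleset is constructed to show what goes wrong.

```python
import ipaddress
import re

# Rule order as given on this page: proxy first, then portmap, then the catch-all map.
PROXY_FIRST = """\
map iprb1 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map iprb1 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map iprb1 192.168.1.0/24 -> 0.0.0.0/32
"""

# Constructed mis-ordered variant: the generic portmap line now shadows the ftp proxy.
PORTMAP_FIRST = """\
map iprb1 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map iprb1 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map iprb1 192.168.1.0/24 -> 0.0.0.0/32
"""

RULE_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(?:\s+(.*))?$")
SERVICE_PORTS = {"ftp": 21}  # assumption: tiny stand-in for /etc/services


def parse_ipnat(text):
    """Parse the subset of ipnat 'map' syntax used on this page into rule dicts."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unsupported rule: {line!r}")
        iface, src, _dst, rest = m.groups()
        opts = (rest or "").split()
        rule = {"line": lineno, "iface": iface,
                "src": ipaddress.ip_network(src, strict=False),
                "kind": "map", "protos": None, "dport": None}
        if opts[:2] == ["proxy", "port"]:
            # proxy port <service> <label>/<proto>: only that service and protocol match
            rule["kind"] = "proxy"
            rule["dport"] = SERVICE_PORTS.get(opts[2]) or int(opts[2])
            rule["protos"] = {opts[3].split("/")[1]}
        elif opts[:1] == ["portmap"]:
            # portmap tcp/udp <low>:<high>: only the listed protocols match
            rule["kind"] = "portmap"
            rule["protos"] = set(opts[1].split("/"))
        rules.append(rule)
    return rules


def first_match(rules, iface, proto, src, dport=None):
    """Return the first rule that matches, as ipnat does; None if nothing matches."""
    for r in rules:
        if r["iface"] != iface or ipaddress.ip_address(src) not in r["src"]:
            continue
        if r["protos"] is not None and proto not in r["protos"]:
            continue
        if r["dport"] is not None and dport != r["dport"]:
            continue
        return r
    return None


def shadowed_proxies(rules):
    """Line numbers of proxy rules that an earlier, broader rule would already match."""
    shadowed = []
    for i, r in enumerate(rules):
        if r["kind"] != "proxy":
            continue
        proto = next(iter(r["protos"]))
        for earlier in rules[:i]:
            if (earlier["iface"] == r["iface"] and earlier["src"].overlaps(r["src"])
                    and (earlier["protos"] is None or proto in earlier["protos"])
                    and earlier["dport"] in (None, r["dport"])):
                shadowed.append(r["line"])
                break
    return shadowed


if __name__ == "__main__":
    for name, text in (("proxy first", PROXY_FIRST), ("portmap first", PORTMAP_FIRST)):
        rules = parse_ipnat(text)
        hit = first_match(rules, "iprb1", "tcp", "192.168.1.10", 21)
        print(f"{name}: ftp control connection handled by {hit['kind']} rule "
              f"(line {hit['line']}); shadowed proxy lines: {shadowed_proxies(rules)}")
```

Run shadowed_proxies() over a parsed ipnat.conf before loading it with ipnat -CF; a non-empty result means an ftp proxy line sits below a rule that will swallow its traffic.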

Filter logging:

Add -D and -n to ipmon. Edit /etc/init.d/ipfboot on line 60, change from ipmon -s & to ipmon -Dsn &

-D: Cause ipmon to turn itself into a daemon.
-n: IP addresses and port numbers will be mapped, where possible, back into hostnames and service names.
-s: Packet information read in will be sent through syslogd rather than saved to a file.
To have ipmon log information to a local file, add the following to /etc/syslog.conf:
#
# Log to a file
#
local0.info;local0.err;local0.debug   /var/log/ipflog
To a log server:
#
# Log to a dedicated syslog server
#
local0.info;local0.err;local0.debug     ifdef('LOGHOST', /var/log/ipflog, @loghost)
Create log file /var/log/ipflog and restart syslog daemon:
# touch /var/log/ipflog && /etc/init.d/syslog stop && /etc/init.d/syslog start
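Once ipmon is feeding /var/log/ipflog, the file is only useful if something reads it. The following Python is an added example, not code from the HOWTO or from IPFilter: it parses lines in the layout documented in ipmon(8) (date, time, interface, @group:rule, action letter, source,port -> destination,port, PR protocol, ..., IN/OUT), skipping the syslog prefix that -s adds, and then summarises blocked traffic per source, flags sources that were blocked on several destination ports, and flags packets that arrive on the external interface with a private source address. The log lines are constructed for this example (numeric addresses rather than the hostnames -n would produce), and the interface name and threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of what ipmon -Dsn writes through syslog into /var/log/ipflog.
SAMPLE_IPFLOG = """\
Nov 28 22:10:01 fw ipmon[214]: 28/11/2001 22:10:01.104455 iprb1 @0:3 b 203.0.113.9,3321 -> 198.51.100.2,22 PR tcp len 20 60 -S IN
Nov 28 22:10:01 fw ipmon[214]: 28/11/2001 22:10:01.231002 iprb1 @0:3 b 203.0.113.9,3322 -> 198.51.100.2,23 PR tcp len 20 60 -S IN
Nov 28 22:10:02 fw ipmon[214]: 28/11/2001 22:10:02.003917 iprb1 @0:3 b 203.0.113.9,3323 -> 198.51.100.2,25 PR tcp len 20 60 -S IN
Nov 28 22:10:02 fw ipmon[214]: 28/11/2001 22:10:02.412876 iprb1 @0:3 b 203.0.113.9,3324 -> 198.51.100.2,80 PR tcp len 20 60 -S IN
Nov 28 22:10:03 fw ipmon[214]: 28/11/2001 22:10:03.000120 iprb1 @0:3 b 203.0.113.9 -> 198.51.100.2 PR icmp len 20 84 icmp 8/0 IN
Nov 28 22:10:05 fw ipmon[214]: 28/11/2001 22:10:05.771233 iprb1 @0:3 b 203.0.113.77,1025 -> 198.51.100.2,137 PR udp len 20 78 IN
Nov 28 22:10:07 fw ipmon[214]: 28/11/2001 22:10:07.550981 iprb1 @0:1 p 192.168.1.200,1415 -> 65.92.100.89,6699 PR tcp len 20 60 -S OUT
Nov 28 22:10:09 fw ipmon[214]: 28/11/2001 22:10:09.118334 iprb1 @0:2 b 192.168.1.200,1094 -> 64.124.41.161,8888 PR tcp len 20 60 -S IN
"""

# Ports are optional so that ICMP lines (no ",port") parse as well.
LINE_RE = re.compile(
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[pbSnL]+)\s+"
    r"(?P<src>[^\s,]+)(?:,(?P<sport>\S+))?\s+->\s+(?P<dst>[^\s,]+)(?:,(?P<dport>\S+))?"
    r"\s+PR\s+(?P<proto>\w+).*\b(?P<dir>IN|OUT)\s*$"
)

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipmon(text):
    """Return one dict per recognisable ipmon line; unrelated syslog lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def is_private(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # a hostname from ipmon -n; cannot classify it
        return False
    return any(ip in net for net in PRIVATE_NETS)


def summarize(events, external_iface="iprb1", scan_threshold=3):
    """Blocked packets per source, sources blocked on >= scan_threshold distinct
    destination ports, and inbound packets on the external interface whose
    source is an rfc1918 address (which should never arrive from outside)."""
    blocked = [e for e in events if "b" in e["action"]]
    ports_by_src = defaultdict(set)
    for e in blocked:
        if e["dport"]:
            ports_by_src[e["src"]].add(e["dport"])
    return {
        "blocked_by_src": dict(Counter(e["src"] for e in blocked)),
        "probable_scanners": sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold),
        "spoofed_private_src": sorted({e["src"] for e in events
                                       if e["dir"] == "IN" and e["iface"] == external_iface
                                       and is_private(e["src"])}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_ipmon(SAMPLE_IPFLOG)).items():
        print(f"{key}: {value}")
```

Pointing parse_ipmon() at the real /var/log/ipflog is a matter of reading the file; the syslog prefix does not matter because the pattern is searched for, not anchored.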
Transparent proxy:

If there's a mail server at 192.168.1.2 inside the private network, use ``rdr'' for transparent proxying. Since NAT happens before ``rdr'', a ``pass in'' rule is required in /etc/opt/ipf/ipf.conf for the translated packets to flow into the mail server.

/etc/opt/ipf/ipnat.conf:

# Redirect incoming smtp traffic to mail server behind NAT
rdr iprb1 0.0.0.0/0 port 25 -> 192.168.1.2 port 25
[ and the minimum mappings described above ]

/etc/opt/ipf/ipf.conf:

# Allow the translated packets with fragments and the SYN flag to flow in. Keep state for the connection.
pass in quick on iprb1 proto tcp from any to any port = 25 flags S keep state keep frags
Load balancing:

To load balance a farm of 6 web servers behind NAT, use the ``round-robin'' statement. IPFilter distributes the load using the round-robin method, and it keeps doing so even if one of the web servers is down. l4check, which is part of IPFilter, can deal with this scenario.

rdr iprb1 0.0.0.0/0 port 80 -> 192.168.1.1,192.168.1.2 port 80 tcp round-robin
rdr iprb1 0.0.0.0/0 port 80 -> 192.168.1.3,192.168.1.4 port 80 tcp round-robin
rdr iprb1 0.0.0.0/0 port 80 -> 192.168.1.5,192.168.1.6 port 80 tcp round-robin
Improve performance features:

To enable high-performance data transfers according to Enabling High Performance Data Transfers on Hosts, add the following to /etc/default/inetinit (in addition to the IP forwarding setup above):

# 1. Path MTU discovery: enabled by default
# 2. TCP Extension (RFC1323): enabled by default
# 3. Increase TCP Window size for increase in network performance
TCP_XMIT_HIWAT=65535
TCP_RECV_HIWAT=65535
# 4. SACK (RFC2018): enabled by default
Edit /etc/init.d/inetinit and add:
#
# Increase the send and receive TCP window sizes for better network performance.
# The values come from TCP_XMIT_HIWAT and TCP_RECV_HIWAT in /etc/default/inetinit.
#
[ -f /etc/default/inetinit ] && . /etc/default/inetinit

if [ -n "$TCP_XMIT_HIWAT" ]; then
        /usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat "$TCP_XMIT_HIWAT"
fi

if [ -n "$TCP_RECV_HIWAT" ]; then
        /usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat "$TCP_RECV_HIWAT"
fi


4. Configure machines behind NAT

All the machines on the private network should be configured to use the address of the private interface of the Solaris box as the default gateway.

To point the internal boxes at the Solaris box as their default gateway on various operating systems:

Assume the Solaris box NAT/firewall has IP address: 192.168.1.1

AIX: edit /etc/rc.net and add /usr/sbin/route add 192.168.1.1 gateway >>$LOGFILE 2>&1
Solaris: edit /etc/rc.conf and add defaultrouter="192.168.1.1"
HP-UX: edit /etc/rc.config.d/netconf and add ROUTE_GATEWAY[0]="192.168.1.1"
Linux Redhat: edit /etc/sysconfig/network and add GATEWAY=192.168.1.1
NetBSD:  echo "192.168.1.1" > /etc/mygate
OpenBSD: echo "192.168.1.1" > /etc/mygate
Solaris: echo "192.168.1.1" > /etc/defaultrouter
Win2k: Start-Settings->Control Panel->Network and Dial-up Connections->Local Area Network->
       Properties->Internet Protocol (TCP/IP)->Default Gateway->192.168.1.1
If you don't want to reboot to pick up the IP address for the default gateway, use ``route'' to manually add the default route.

AIX: route add 0 192.168.1.1

HP-UX: route add 192.168.1.1

Solaris,NetBSD,OpenBSD,Solaris: route add default 192.168.1.1

Linux Redhat: route add default gw 192.168.1.1

5. Familiarize yourself with IPFilter

Once your NAT/firewall is online, you should start to read the IPFILTER-HOWTO at http://www.unixcircle.com/ipf/ and add more blocking/passing rules to /etc/opt/ipf/ipf.conf. Some other useful links can be found on the www.ipfilter.org home page.

Each time /etc/opt/ipf/ipf.conf or /etc/opt/ipf/ipnat.conf is modified, you have to reload them as follows. Reloading these rules will flush all currently active connections.

# /sbin/ipf -Fa -f /etc/opt/ipf/ipf.conf
# /sbin/ipnat -CF -f /etc/opt/ipf/ipnat.conf
You can use ipfstat to display firewall statistics a la the ``top'' command:
# /sbin/ipfstat -t

           firewall.muine.org - IP Filter: v3.4.20 - state top           23:01:10

Src = 0.0.0.0  Dest = 0.0.0.0  Proto = any  Sorted by = # bytes

Source IP             Destination IP         ST   PR   #pkts    #bytes       ttl
192.168.1.200,1415    65.92.100.89,6699     4/4  tcp    8245   6923504  42:14:06
23.234.234.2,24064    208.31.160.30,22      4/4  tcp     576    199843 119:59:59
192.168.1.200,2091    64.124.41.191,8888    4/4  tcp     157    118770  51:36:40
192.168.1.200,1094    64.124.41.161,8888    4/4  tcp     125     94190  46:37:34
To find out the ipfilter version:
# /sbin/ipf -V
ipf: IP Filter: v3.4.20 (244)
Kernel: IP Filter: v3.4.20
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 1
Notice the ``block all'' setting from our options IPFILTER_DEFAULT_BLOCK in the kernel.

To display the current list of active MAP/Redirect filters and active sessions:

# /sbin/ipnat -l
To find out the ``hit'' statistic for each individual rule in /etc/opt/ipf/ipf.conf:
# /sbin/ipfstat -hio
See also ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(8), ipfstat(8), ipmon(8), ipnat(8) for details.

6. IPsec

The IPsec component is an extension and is not available on any of the Solaris 8 CDs. You will need to download Solaris 8 Data Encryption either as individual packages or as an ISO image, for either SPARC or Intel. The steps below are for the ISO image download.

Mount the cdrom and add the required packages into the system:

# mount -F hsfs /dev/dsk/c1t0d0s0 /mnt
# cd /mnt/Encryption_8/i386/Packages
# ls
NSCPcomdo  SUNWamid   SUNWcry    SUNWk5pk
NSCPfrcdo  SUNWcrman  SUNWcryr   SUNWk5pu
# pkgadd -d .

The following packages are available:
  1  NSCPcomdo     Netscape Communicator
                   (i386) 20.4.70,REV=1999.10.13.18.09
  2  NSCPfrcdo     French Netscape Communicator (U.S. security)
                   (i386) 20.4.70,REV=1999.11.05.13.44
  3  SUNWamid      Authentication Management Infrastructure (domestic version)
                   (i386) 11.8.0,REV=1999.12.07.03.31
  4  SUNWcrman     Encryption Kit On-Line Manual Pages
                   (i386) 6.0,REV=1
  5  SUNWcry       Crypt Utilities
                   (i386) 11.8.0,REV=1999.12.07.03.31
  6  SUNWcryr      Solaris Root Crypto
                   (i386) 11.8.0,REV=1999.12.07.03.31
  7  SUNWk5pk      kernel Kerberos V5 plug-in w/auth+privacy (32-bit)
                   (i386) 11.8.0,REV=1999.12.07.03.31
  8  SUNWk5pu      user Kerberos V5 gss mechanism w/auth+privacy (32-bit)
                   (i386) 11.8.0,REV=1999.12.07.03.31

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Add packages 3, 4, 5 and 6 only.

Enable IPSec modules load at boot time:

There should be a file /etc/inet/ipsecinit.sample added by IPSec packages. Copy this file to /etc/inet/ipsecinit.conf. Otherwise, touch /etc/inet/ipsecinit.conf

# cp /etc/inet/ipsecinit.sample /etc/inet/ipsecinit.conf
Solaris 8 currently only supports manual keying; an IKE implementation is not available. In order to have IPsec between 2 hosts, you will need to set up a security association and a security policy on each gateway.

Data:

hostA: 192.168.1.1
hostB: 192.168.1.2
/etc/hosts on both host A and B has the following entries:
192.168.1.1	hostA	hostA.muine.org
192.168.1.2	hostB	hostB.muine.org
1. Set up the Security Association:

Add the following to /etc/ipsecsa.conf on host A:

#!/bin/sh
#
# Host A: hostA.muine.org
# Host B: hostB.muine.org
#
# From A to B using:
#  Security Parameter Index (SPI): 0x4444
#  Authentication algorithm: MD5
#  Authentication key: 1234567890abcdef1234567890abcdef
#  Encryption algorithm: DES
#  Encryption key: 1234567890abcdef
# From B to A using:
#  Security Parameter Index (SPI): 0x5555
#  Authentication algorithm: MD5
#  Authentication key: 1234567890abcdef1234567890abcdef
#  Encryption algorithm: DES
#  Encryption key: 1234567890abcdef
#
add esp spi 0x4444 src hostA.muine.org dst hostB.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef
add esp spi 0x5555 src hostB.muine.org dst hostA.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef
Since /etc/ipsecsa.conf contains secret keys, nobody should be able to view it besides root:
# chmod 600 /etc/ipsecsa.conf
Add the following to /etc/ipsecsa.conf on host B:
#!/bin/sh
#
# Host A: hostA.muine.org
# Host B: hostB.muine.org
#
# From A to B using:
#  Security Parameter Index (SPI): 0x4444
#  Authentication algorithm: MD5
#  Authentication key: 1234567890abcdef1234567890abcdef
#  Encryption algorithm: DES
#  Encryption key: 1234567890abcdef
# From B to A using:
#  Security Parameter Index (SPI): 0x5555
#  Authentication algorithm: MD5
#  Authentication key: 1234567890abcdef1234567890abcdef
#  Encryption algorithm: DES
#  Encryption key: 1234567890abcdef
#
add esp spi 0x4444 src hostA.muine.org dst hostB.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef
add esp spi 0x5555 src hostB.muine.org dst hostA.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef
Since /etc/ipsecsa.conf contains secret keys, nobody should be able to view it besides root:
# chmod 600 /etc/ipsecsa.conf
Note: For security association, host A and B should have the identical /etc/ipsecsa.conf

2. Setup Security Policies:

Host A /etc/ipsecsp.conf:

{
 saddr hostA.muine.org
 daddr hostB.muine.org
 ulp tcp
}

apply {
 encr_algs des
 encr_auth_algs md5 sa shared
}

{
 saddr hostB.muine.org
 daddr hostA.muine.org
 ulp tcp
}

permit {
 encr_algs des
 encr_auth_algs md5
}
Host B /etc/ipsecsp.conf:
{
 saddr hostB.muine.org
 daddr hostA.muine.org
 ulp tcp
}

apply {
 encr_algs des
 encr_auth_algs md5 sa shared
}

{
 saddr hostA.muine.org
 daddr hostB.muine.org
 ulp tcp
}

permit {
 encr_algs des
 encr_auth_algs md5
}
3. Load security association and policy:

On host A:

Load the security association:

# ipseckey -f /etc/ipsecsa.conf
Load security policy:
# ipsecconf -a /etc/ipsecsp.conf
        WARNING : New policy entries that are being added may
        affect the existing connections. Existing connections
        that are not subjected to policy constraints, may be
        subjected to policy constraints because of the new
        policy. This can disrupt the communication of the
        existing connections.
The warning above is informational and indicates that the security policy was loaded successfully.

Similarly on host B:

# ipseckey -f /etc/ipsecsa.conf
# ipsecconf -a /etc/ipsecsp.conf
Test it out:

snoop on gateway A: snoop host hostA
telnet from gateway B to gateway A: telnet hostA
Observe snoop output on gateway A:

  hostB -> hostA    ESP SPI=0x5555 Replay=8
   hostA -> hostB   ESP SPI=0x4444 Replay=8
  hostB -> hostA    ESP SPI=0x5555 Replay=9
   hostA -> hostB   ESP SPI=0x4444 Replay=9
  hostB -> hostA    ESP SPI=0x5555 Replay=10
Then dump the SAD entries on host A; the output should look similar to:
# ipseckey dump
Base message (version 2) type DUMP, SA type ESP.
Message length 152 bytes, seq=1, pid=3212.
SA: SADB_ASSOC spi=0x4444, replay=0, state=MATURE
SA: Authentication algorithm = HMAC-MD5
SA: Encryption algorithm = DES-CBC
SA: flags=0x80000000 < X_USED >
SRC: Source address (proto=0/)
SRC: AF_INET:  port = 0, 192.168.1.1 (hostA).
DST: Destination address (proto=0/)
DST: AF_INET:  port = 0, 192.168.1.2 (hostB).
AKY: Authentication key.
AKY: 1234567890abcdef1234567890abcdef/128
EKY: Encryption key.
EKY: 1334577991abcdef/64
 LT: Lifetime information
CLT: 7936 bytes protected, 0 allocations used.
CLT: SA added at time Mon Sep 24 19:40:08 2001
CLT: SA first used at time Mon Sep 24 19:40:39 2001
CLT: Time now is Mon Sep 24 19:42:21 2001

Base message (version 2) type DUMP, SA type ESP.
Message length 152 bytes, seq=1, pid=3212.
SA: SADB_ASSOC spi=0x5555, replay=0, state=MATURE
SA: Authentication algorithm = HMAC-MD5
SA: Encryption algorithm = DES-CBC
SA: flags=0x80000000 < X_USED >
SRC: Source address (proto=0/)
SRC: AF_INET:  port = 0, 192.168.1.2 (hostB).
DST: Destination address (proto=0/)
DST: AF_INET:  port = 0, 192.168.1.1 (hostA).
AKY: Authentication key.
AKY: 1234567890abcdef1234567890abcdef/128
EKY: Encryption key.
EKY: 1334577991abcdef/64
 LT: Lifetime information
CLT: 2848 bytes protected, 0 allocations used.
CLT: SA added at time Mon Sep 24 19:40:08 2001
CLT: SA first used at time Mon Sep 24 19:40:39 2001
CLT: Time now is Mon Sep 24 19:42:21 2001
Dump succeeded for SA type 0.
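Two things about the SA files deserve a check before they are loaded with ipseckey: the note above says host A and host B must carry identical /etc/ipsecsa.conf entries, and the keys have to be the right length for the chosen algorithms. The Python below is an added example, not code from the HOWTO or from Solaris: it parses the "add esp" lines used on this page, validates SPI uniqueness, hex-ness and key length against the algorithm (the md5/sha1/des/3des lengths are the standard ones), confirms that both directions are present, and compares two hosts' files. It also explains why the EKY line in the ipseckey dump reads 1334577991abcdef although the file says 1234567890abcdef: DES uses the low bit of every key byte as an odd-parity bit, and the dump shows the key with that parity applied. The broken host B file is constructed for the example; the HOST_A_SA text is the page's own sample keys.

```python
import re

HOST_A_SA = """\
add esp spi 0x4444 src hostA.muine.org dst hostB.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef
add esp spi 0x5555 src hostB.muine.org dst hostA.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef
"""

# Constructed broken copy for host B: SPI retyped as 0x4444 and a too-short DES key.
HOST_B_SA_BAD = """\
add esp spi 0x4444 src hostA.muine.org dst hostB.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef
add esp spi 0x4444 src hostB.muine.org dst hostA.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 12345678
"""

REQUIRED = ("spi", "src", "dst", "auth_alg", "encr_alg", "authkey", "encrkey")
AUTH_KEY_BITS = {"md5": 128, "sha1": 160}   # HMAC key sizes ipseckey expects
ENCR_KEY_BITS = {"des": 64, "3des": 192}    # DES-CBC / 3DES-CBC key sizes
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def parse_ipsecsa(text):
    """Turn each 'add esp <key> <value> ...' line into a dict (plus its line number)."""
    sas = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["add", "esp"] or len(tok) % 2:
            raise ValueError(f"line {lineno}: not an 'add esp' SA: {line!r}")
        sa = dict(zip(tok[2::2], tok[3::2]))
        sa["line"] = lineno
        sas.append(sa)
    return sas


def check_sas(sas):
    """Return a list of problems; an empty list means the file looks loadable."""
    problems, spis, pairs = [], set(), set()
    for sa in sas:
        where = f"line {sa['line']}"
        missing = [f for f in REQUIRED if f not in sa]
        if missing:
            problems.append(f"{where}: missing {' '.join(missing)}")
            continue
        if sa["spi"] in spis:
            problems.append(f"{where}: duplicate SPI {sa['spi']}")
        spis.add(sa["spi"])
        pairs.add((sa["src"], sa["dst"]))
        for key, alg, table in (("authkey", "auth_alg", AUTH_KEY_BITS),
                                ("encrkey", "encr_alg", ENCR_KEY_BITS)):
            want = table.get(sa[alg])
            if want is None:
                problems.append(f"{where}: unknown {alg} {sa[alg]}")
            elif not HEX_RE.fullmatch(sa[key]):
                problems.append(f"{where}: {key} is not hexadecimal")
            elif len(sa[key]) * 4 != want:
                problems.append(f"{where}: {key} is {len(sa[key]) * 4} bits, {sa[alg]} needs {want}")
    for src, dst in pairs:
        if (dst, src) not in pairs:
            problems.append(f"no SA for the return direction {dst} -> {src}")
    return problems


def same_sa_file(text_a, text_b):
    """True when both hosts define exactly the same SAs (line numbers ignored)."""
    def norm(text):
        return [{k: v for k, v in sa.items() if k != "line"} for sa in parse_ipsecsa(text)]
    return norm(text_a) == norm(text_b)


def des_odd_parity(key_hex):
    """Set the low bit of each byte so every byte has odd parity, as DES defines it."""
    out = bytearray()
    for b in bytes.fromhex(key_hex):
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | ((ones + 1) % 2))
    return out.hex()


if __name__ == "__main__":
    print("host A:", check_sas(parse_ipsecsa(HOST_A_SA)) or "ok")
    print("host B:", check_sas(parse_ipsecsa(HOST_B_SA_BAD)) or "ok")
    print("identical:", same_sa_file(HOST_A_SA, HOST_B_SA_BAD))
    print("DES key as the SAD stores it:", des_odd_parity("1234567890abcdef"))
```

Because only the parity bits change, the parity-adjusted key is the same 56-bit DES key; the checker does not treat the difference as an error, it only makes the dump readable. Note that des_odd_parity() is also a reminder that single DES gives 56 bits of key, which is why encr3des(7M) is listed among the available modules.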

To unload the security association in the system:

# ipseckey flush
To flush all the policies in the system:
# ipsecconf -f
To enable security policy at boot time, create /etc/init.d/ipsec
#!/sbin/sh
case "$1" in
	start)
	 	/usr/sbin/ipseckey -f /etc/ipsecsa.conf
	 	/usr/sbin/ipsecconf -a /etc/ipsecsp.conf
	 	;;
	stop)
		/usr/sbin/ipseckey flush
		/usr/sbin/ipsecconf -f
		;;
	*)
		echo "Usage: $0 { start | stop }"
		exit 1
		;;
	esac
exit 0

# chmod 744 /etc/init.d/ipsec
# cp /etc/init.d/ipsec /etc/rc2.d/S99ipsec
See also the following man pages: ipsecconf(1M), ipseckey(1M), authmd5h(7M), authsha1(7M), encrdes(7M), encr3des(7M), inet(7P), ip(7P), ipsec(7P), ipsecah(7P), ipsecesp(7P), pf_key(7P)

7. References

IPFilter home page:
   http://www.ipfilter.org
Inspiration for this howto:
   http://www.unixcircle.com/features/BuildingSolarisFW.php
IPFilter examples:
   http://coombs.anu.edu.au/~avalon/examples.html
IPFilter how-to:
   http://www.unixcircle.com/ipf/
IPFilter mailing list archive:
   http://false.net/ipfilter
Guido van Rooij has written some real nice IPFilter papers:
   http://www.madison-gurkha.com/all_publications.shtml
Address Allocation for Private Internets:
   http://www.muine.org/rfc/rfc1918.txt
The IP Network Address Translator (NAT):
   http://www.muine.org/rfc/rfc1631.txt
Traditional IP Network Address Translator (Traditional NAT):
   http://www.muine.org/rfc/rfc3022.txt
DHCP Options and BOOTP Vendor Extensions:
   http://www.muine.org/rfc/rfc2132.txt
Implementing IPSec on Sun Solaris (IPv4):
   ftp://www.zamanetworks.com/pub/knowledgebase/techdocs/Implementing%20IPSEC_IPv4_ZD1007.pdf
Overview of IPsec:
   http://docs.sun.com/ab2/coll.47.11/SYSADV3/@Ab2PageView/22211?Dweb
The Twenty Most Critical Internet Security Vulnerabilities (Updated):
   http://66.129.1.101/top20.htm

Hoang Q. Tran loves all unix flavours but prefers *bsd over anything else. Feedback is welcome and should be sent to hoang@muine.org

last update: Nov 28, 2001