Solaris x86 firewall using IP Filter

[juan]

Solaris x86 firewall using IP Filter
by:
Thang T. Mai
Hoang Q. Tran

It is really easy to make a Solaris gateway for a private network. When installing, choose to install the Core System Support component.

Lock down the box
Setup network interfaces in the Solaris box
Enable packet forwarding, dhcp, firewall and network address translation
Configure machines behind NAT
Familiarize with IPFilter
IPsec
References
1. Lock down the box
The first step to lock down a box for NAT/firewall is to disable all running services that are part of Core System Support installation that and we don't need.
1. Disable inetd and its /etc/inetd.conf configuration file:

Edit /etc/inetd.conf and make sure everything is commented out. Then disable inetd daemon by:

# vi /etc/init.d/inetsvc

and comment out the inetd daemon:
#
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF. Why did we ever let them change inetd?
#
# /usr/sbin/inetd -s &

2. Disable:
NFS and friends:

# mv /etc/rc2.d/S73nfs.client /etc/rc2.d/s73nfs.client
# mv /etc/rc2.d/S73cachefs.daemon /etc/rc2.d/s73cachefs.daemon
# mv /etc/rc2.d/S74autofs /etc/rc2.d/s74autofs
# mv /etc/rc2.d/S93cacheos.finish /etc/rc2.d/s93cacheos.finish
# mv /etc/rc3.d/S15nfs.server /etc/rc3.d/s15nfs.server

Sendmail:
# mv /etc/rc2.d/S88sendmail /etc/rc2.d/s88sendmail

RPC and friend:
# mv /etc/rc2.d/S71rpc /etc/rc2.d/s71rpc
# mv /etc/rc2.d/S76nscd /etc/rc2.d/s76nscd

Solaris auto-configuration services:
# mv /etc/rc2.d/S30sysid.net /etc/rc2.d/s30sysid.net
# mv /etc/rc2.d/S71sysid.sys /etc/rc2.d/s71sysid.sys
# mv /etc/rc2.d/S72autoinstall /etc/rc2.d/s72autoinstall

Expreserve service:
# mv /etc/rc2.d/S80PRESERVE /etc/rc2.d/s80PRESERVE

Once you disabled unnecessary services, go to unixcircle.com portscan to remotely port scan your own box from the outside. Be careful when you do this behind a NAT/firewall box as the port scan script will scan the NAT/firewall instead. If you have another box, use nmap to scan the box from the inside. The output from nmap should show no listen services.
3. Add necessary helper packages in order to make, compile IPFilter and run dhcp client later:

Required helper packages:

SUNWarc (Archive Libraries)
SUNWbtool (CCS tools bundled with SunOS)
SUNWdhcsu (BOOTP/DHCP Server Services, (Usr))
SUNWhea (SunOS Header Files)
SUNWlibm (Sun WorkShop Bundled libm)
SUNWsprot (Solaris Bundled tools)
SUNWtoo (Programming Tools)

All packages are in Solaris 8 Software CD 2/2 except for SUNWtoo (Programming Tools) which is in Solaris 8 Software CD 1/2.
Insert Solaris 8 Software CD 1/2 and add SUNWtoo to the system:

Mount cdrom (on 2nd IDE controller) and copy packages to /tmp:

# mount -F hsfs /dev/dsk/c1t0d0p0 /mnt
# cd /mnt/Solaris_8/Product
# cp -R SUNWtoo /tmp
# cd /tmp
# pkgadd -d .
# umount /mnt

Insert Solaris 8 Software CD 2/2 and add remaining required packages to the system:
# mount -F hsfs /dev/dsk/c1t0d0s0 /mnt
# cd /mnt/Solaris_8/Product
# cp -R SUNWarc /tmp
...
# cp -R SUNWsprot /tmp
# cd /tmp
# pkgadd -d .

4. Update the system with latest recommended x86 patch cluster:
Enable gateway to go access outside world:

# route add default

# ftp sunsolve.sun.com
login: ftp
passwd: ftp

ftp> cd /pub/patches
ftp> bin
ftp> hash
ftp> get 8_x86_Recommended.zip
ftp> bye

# unzip 8_x86_Recommended.zip
( packages unzipping... )
# cd 8_x86_Recommended
# ./install_cluster
( updating packages... )
# reboot

5. More hardening:
Increase initial sequence number generation to have unique-per-connection-ID according to rfc1948.

# vi /etc/default/inetinit and change from TCP_STRONG_ISS=1 to TCP_STRONG_ISS=2

Prevent against possible buffer overflow attacks, add the following two parameters to /etc/system:
set noexec_user_stack=1
set noexec_user_stack_log=1

Tightening up IP by editing /etc/init.d/inetinit script and add these to the end:
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1

For more information on security vulnerabilities, read SANS's The Twenty Most Critical Internet Security Vulnerabilities (Updated)

2. Setup network interfaces in the Solaris box
Assume this box has 2 Intel EtherExpress Pro 10/100 network cards and their Solaris driver are named as iprb0 and iprb1 for first and second card. First network card will use the non-routable private address according to rfc1918. The second will be assigned either static or dynamic via DHCP IP address.
Non-routable IP addresses for private networks:

10.0.0.1 - 10.255.255.254 netmask 255.0.0.0
172.16.0.1 - 172.31.255.254 netmask 255.240.0.0
192.168.0.1 - 192.168.255.254 netmask 255.255.0.0

Assume you choose 192.168.0.1 range, and already configured during install for the first interface.
If the second network card has static IP, routable.ip.address and netmask netmask.ip.address:

# vi /etc/inet/hosts
routable.ip.address hostname
# vi /etc/inet/netmasks
routable.ip.address netmask.ip.address
# vi /etc/hostname.iprb1
hostname

Be sure to indicate a correct IP address and netmask for both interfaces. Once you have chosen a private network address range for your inside machines, stay with that same range. The first network card will be the default Solaris gateway IP address.

3. Enable packet forwarding, dhcp, firewall and network address translation
To enable packet forwarding:
Create a startup script /etc/init.d/ipforwarding

#!/sbin/sh
case "$1" in
start)
/usr/sbin/ndd -set /dev/ip ip_forwarding 1
/usr/sbin/ndd -set /dev/ip ip6_forwarding 1
;;
stop)
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
/usr/sbin/ndd -set /dev/ip ip6_forwarding 0
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
exit 0

Make it root executable:
# chmod 744 /etc/init.d/ipforwarding

Copy it to /etc/rc2.d:
# cp /etc/init.d/ipforwarding /etc/rc2.d/S69ipforwarding

/etc/init.d/ipforwarding must run after /etc/init.d/ipfboot & /etc/init.d/inetinit
DHCP client:

And if you receive your public address assignment dynamically through DHCP:

# touch /etc/hostname.iprb1
# touch /etc/dhcp.iprb1

Request necessary information from DHCP server:
# vi /etc/default/dhcpagent

RELEASE_ON_SIGTERM=yes
CLIENT_ID=crxxxxxx-a
PARAM_REQUEST_LIST=1,3,6,28

According to DHCP Options and BOOTP Vendor Extensions, code 1,3,6,28 are subnet mask, routers, dns servers and broadcast address.
[ With ISC dhclient, requesting DNS will automatically create /etc/resolv.conf. It seems dhcpagent doesn't so you have to manually create /etc/resolv.conf. ]

Using DHCP will reset the hostname to ``unknown''. Reset the hostname to the box hostname with a simple script:

# vi /etc/init.d/resetnodename

#!/sbin/sh
uname -S `cat /etc/nodename`

# chmod 744 /etc/init.d/resetnodename
# cp /etc/init.d/resetnodename /etc/rc2.d/S70resetnodename

Compile and install IPFilter:
Solaris doesn't come with a C compiler. Download a free GNU C compiler from sunfreeware. You also need gzip to gunzip the GNU C compiler tar ball.

Retrieve the latest IPFilter from http://www.ipfilter.org/ and compile it:

# /usr/local/bin/gunzip ip-fil3.4.20.tar.gz
# /usr/sbin/tar xvf ip-fil3.4.20.tar
# cd ip_fil3.4.20

Enable default block all policy. Edit Makefile and change:
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
to :
POLICY=-DIPF_DEFAULT_PASS=FR_BLOCK

Enable ``top'' like output when issuing ipfstat -t:
STATETOP_CFLAGS=-DSTATETOP
STATETOP_INC=-I/usr/include
STATETOP_LIB=-L/lib -lcurses

Populate /usr/local/bin and /usr/ccs/bin paths to find gcc and make:
# PATH=$PATH:/usr/local/bin:/usr/ccs/bin; export PATH

Compile IPFilter:
# make solaris
# cd SunOS5
# make package

Filter rule: Since you don't know what to block yet, you need to open up ingress and outgress traffic to flow through. Edit /etc/opt/ipf/ipf.conf and add:
pass in all
pass out all

An example of a working /etc/opt/ipf/ipf.conf
Network Address Translation rule:

For NAT and ftp clients behind NAT to work, add the following to /etc/opt/ipf/ipnat.conf:

# Use ipfilter ftp proxy for ftp client transfers mode: active
map iprb1 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp

# Map all tcp and udp connections from 192.168.1.0/24 to external IP address,
# changing the source port number to something between 40,000 and 60,000 inclusive
map iprb1 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000

# For all other IP packets, map to the external IP address
map iprb1 192.168.1.0/24 -> 0.0.0.0/32

Make sure all the `proxy' lines are before any generic `portmap' lines, as the first match always wins.
An example of a working /etc/opt/ipf/ipnat.conf

Filter logging:

Add -D and -n to ipmon. Edit /etc/init.d/ipfboot on line 60, change from ipmon -s & to ipmon -Dsn &

-D: Cause ipmon to turn itself into a daemon.
-n: IP addresses and port numbers will be mapped, where possible, back into hostnames and service names.
-s: Packet information read in will be sent through syslogd rather than saved to a file.

To have ipmon log information to a local file, add the following to /etc/syslog.conf:
#
# Log to a file
#
local0.info;local0.err;local0.debug /var/log/ipflog

Create log file /var/log/ipflog and restart syslog daemon:
# touch /var/log/ipflog && /etc/init.d/syslog stop && /etc/init.d/syslog start

Transparent proxy:
If there's a mail server as 192.168.1.2 inside the private network , use ``rdr'' to transparent proxying. Since NAT happens before ``rdr'', a ``pass in'' is required in /etc/ipf.conf for the translated packets to flow into the mail server.

/etc/opt/ipf/ipnat.conf:

# Redirect incoming smtp traffic to mail server behind NAT
rdr iprb1 0.0.0.0/0 port 25 -> 192.168.1.2 port 25

[ and the minimum mappings described above ]
/etc/opt/ipf/ipf.conf:

# Allow the translated packets with fragment and SYN flag to flow in. Keep state the connection.
pass in quick on iprb1 proto tcp from any to any port = 25 flags S keep state keep frags

Load balancing:
To load balancing a farm of 6 webservers behind NAT, use ``round-robin'' statement. IPFilter will distribute the load using round robin method. IPFilter will distribute the load even if one of the webservers is down. l4check which is part of IPFilter and can deal with this scenario.

rdr iprb1 0.0.0.0/0 port 80 -> 192.168.1.1,192.168.1.2 port 80 tcp round-robin
rdr iprb1 0.0.0.0/0 port 80 -> 192.168.1.3,192.168.1.4 port 80 tcp round-robin
rdr iprb1 0.0.0.0/0 port 80 -> 192.168.1.5,192.168.1.6 port 80 tcp round-robin

Improve performance features:
To enable high performance data transfers on hosts according to Enabling High Performance Data Transfers on Hosts, add the following in addition to ip forwarding to /etc/default/inetinit:

# 1. Path MTU discovery: enabled by default
# 2. TCP Extension (RFC1323): enabled by default
# 3. Increase TCP Window size for increase in network performance
TCP_XMIT_HIWAT=65535
TCP_RECV_HIWAT=65535
# 4. SACK (RFC2018): enabled by default

Edit /etc/init.d/inetinit and add:
#
# Increase send TCP Window size for increase in network performance
#

# Get value of TCP_XMIT_HIWAT
[ -f /etc/default/inetinit ] && . /etc/default/inetinit
if [ $TCP_XMIT_HIWAT ]; then
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat $TCP_XMIT_HIWAT
fi

#
# Increase receive TCP Window size for increase in network performance
#

# Get value of TCP_RECV_HIWAT
[ -f /etc/default/inetinit ] && . /etc/default/inetinit
if [ $TCP_RECV_HIWAT ]; then
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat $TCP_RECV_HIWAT
fi

4. Configure machines behind NAT
All the machines on the private network should be configured to use the address of the private interface of the Solaris box as the default gateway.
To set the internal boxes to the default Solaris gateway on various operating systems:

Assume the Solaris box NAT/firewall has IP address: 192.168.1.1

AIX: edit /etc/rc.net and add /usr/sbin/route add 192.168.1.1 gateway >>$LOGFILE 2>&1
Solaris: edit /etc/rc.conf and add defaultrouter="192.168.1.1"
HP-UX: edit /etc/rc.config.d/netconf and add ROUTE_GATEWAY[0]="192.168.1.1"
Linux Redhat: edit /etc/sysconfig/network and add GATEWAY=192.168.1.1
NetBSD: echo 192.168.1.1 > /etc/mygate
OpenBSD: echo 192.168.1.1 > /etc/mygate
Solaris: echo 192.168.1.1 > /etc/defaultrouter
Win2k: Start-Settings->Control Panel->Network and Dial-up Connections->Local Area Network->
Properties->Internet Protocol (TCP/IP)->Default Gateway->192.168.1.1

If you don't want to reboot to pick up the IP address for the default gateway, use ``route'' to manually add the default route.
AIX: route add 0 192.168.1.1

HP-UX: route add 192.168.1.1

Solaris,NetBSD,OpenBSD,Solaris: route add default 192.168.1.1

Linux Redhat: route add default gw 192.168.1.1


5. Familiarize with IPFilter
Once your NAT/firewall is online, you should start to read IP Filter Howto and add more blocking/passing rules to /etc/opt/ipf/ipf.conf. Some other useful links can be found on the www.ipfilter.org home page.
Each time /etc/opt/ipf/ipf.conf or /etc/opt/ipf/ipnat.conf is modified, you have to them as follow. Reloading these rules will flush all current active connections.

# /sbin/ipf -Fa -f /etc/opt/ipf/ipf.conf
# /sbin/ipnat -CF -f /etc/opt/ipf/ipnat.conf

You can use ipfstat to display firewall statistics a la ``top" command:
# /sbin/ipfstat -t

firewall.muine.org - IP Filter: v3.4.20 - state top 23:01:10

Src = 0.0.0.0 Dest = 0.0.0.0 Proto = any Sorted by = # bytes

Source IP Destination IP ST PR #pkts #bytes ttl
192.168.1.200,1415 65.92.100.89,6699 4/4 tcp 8245 6923504 42:14:06
23.234.234.2,24064 208.31.160.30,22 4/4 tcp 576 199843 119:59:59
192.168.1.200,2091 64.124.41.191,8888 4/4 tcp 157 118770 51:36:40
192.168.1.200,1094 64.124.41.161,8888 4/4 tcp 125 94190 46:37:34

To find out the ipfilter version:
# /sbin/ipf -V
ipf: IP Filter: v3.4.20 (244)
Kernel: IP Filter: v3.4.20
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 1

Notice the ``block all" setting from our options IPFILTER_DEFAULT_BLOCK in the kernel.
To display the current list of active MAP/Redirect filters and active sessions:

# /sbin/ipnat -l

To find out the ``hit" statistic for each individual rule in /etc/opt/ipf/ipf.conf:
# /sbin/ipfstat -hio

See also ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(, ipfstat(, ipmon(, ipnat( for details.
6. IPsec
IPsec component is an extension and is not available in any of the Solaris 8 CDs. You will need to download Solaris 8 Data Encryption as individual packages or the ISO image for both SPARC or Intel. Steps below is for ISO image download.
Mount the cdrom and add the required packages into the system:

# mount -F hsfs /dev/dsk/c1t0d0s0 /mnt
# cd /mnt/Encryption_8/i386/Packages
# ls
NSCPcomdo SUNWamid SUNWcry SUNWk5pk
NSCPfrcdo SUNWcrman SUNWcryr SUNWk5pu
# pkgadd -d .

The following packages are available:
1 NSCPcomdo Netscape Communicator
(i386) 20.4.70,REV=1999.10.13.18.09
2 NSCPfrcdo French Netscape Communicator (U.S. security)
(i386) 20.4.70,REV=1999.11.05.13.44
3 SUNWamid Authentication Management Infrastructure (domestic version)
(i386) 11.8.0,REV=1999.12.07.03.31
4 SUNWcrman Encryption Kit On-Line Manual Pages
(i386) 6.0,REV=1
5 SUNWcry Crypt Utilities
(i386) 11.8.0,REV=1999.12.07.03.31
6 SUNWcryr Solaris Root Crypto
(i386) 11.8.0,REV=1999.12.07.03.31
7 SUNWk5pk kernel Kerberos V5 plug-in w/auth+privacy (32-bit)
(i386) 11.8.0,REV=1999.12.07.03.31
8 SUNWk5pu user Kerberos V5 gss mechanism w/auth+privacy (32-bit)
(i386) 11.8.0,REV=1999.12.07.03.31

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Add package 3,4,5 and 6 only.
Enable IPSec modules load at boot time:

There should be a file /etc/inet/ipsecinit.sample added by IPSec packages. Copy this file to /etc/inet/ipsecinit.conf. Otherwise, touch /etc/inet/ipsecinit.conf

# cp /etc/inet/ipsecinit.sample /etc/inet/ipsecinit.conf

Solaris 8 currently only supports manual keying. IKE implementation is not available. In order to have IPSec between 2 hosts, you will need to setup a security association and security policy on each gateway.
Data:

hostA: 192.168.1.1
hostB: 192.168.1.2

/etc/hosts on both host A and B has the following entries:
192.168.1.1 hostA hostA.muine.org
192.168.1.2 hostA hostB.muine.org

1. Setup Security Association:
Add the following to /etc/ipsecsa.conf to host A:

#!/bin/sh
#
# Host A: hostA.muine.org
# Host B: hostB.muine.org
#
# From A to B using:
# Security Parameter Index (SPI): 0x4444
# Authentication algorithm: MD5
# Authentication key: 1234567890abcdef1234567890abcdef
# Encryption algorithm: DES
# Encryption key: 1234567890abcdef
# From B to A using:
# Security Parameter Index (SPI): 0x5555
# Authentication algorithm: MD5
# Authentication key: 1234567890abcdef1234567890abcdef
# Encryption algorithm: DES
# Encryption key: 1234567890abcdef
#
add esp spi 0x4444 src hostA.muine.org dst hostB.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef
add esp spi 0x5555 src hostB.muine.org dst hostA.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef

Since /etc/ipsecsa.conf contains secret keys, nobody should be able to view it besides root:
# chmod 600 /etc/ipsecsa.conf

Add the following to /etc/ipsecsa.conf to host B:
#!/bin/sh
#
# Host A: hostA.muine.org
# Host B: hostB.muine.org
#
# From A to B using:
# Security Parameter Index (SPI): 0x4444
# Authentication algorithm: MD5
# Authentication key: 1234567890abcdef1234567890abcdef
# Encryption algorithm: DES
# Encryption key: 1234567890abcdef
# From B to A using:
# Security Parameter Index (SPI): 0x5555
# Authentication algorithm: MD5
# Authentication key: 1234567890abcdef1234567890abcdef
# Encryption algorithm: DES
# Encryption key: 1234567890abcdef
#
add esp spi 0x4444 src hostA.muine.org dst hostB.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef
add esp spi 0x5555 src hostB.muine.org dst hostA.muine.org auth_alg md5 encr_alg des authkey 1234567890abcdef1234567890abcdef encrkey 1234567890abcdef

Since /etc/ipsecsa.conf contains secret keys, nobody should be able to view it besides root:
# chmod 600 /etc/ipsecsa.conf

Note: For security association, host A and B should have the identical /etc/ipsecsa.conf
2. Setup Security Policies:

Host A /etc/ipsecsp.conf:

{
saddr hostA.muine.org
daddr hostB.muine.org
ulp tcp
}

apply {
encr_algs des
encr_auth_algs md5 sa shared
}

{
saddr hostB.muine.org
daddr hostA.muine.org
ulp tcp
}

permit {
encr_algs des
encr_auth_algs md5
}

Host B /etc/ipsecsp.conf:
{
saddr hostB.muine.org
daddr hostA.muine.org
ulp tcp
}

apply {
encr_algs des
encr_auth_algs md5 sa shared
}

{
saddr hostA.muine.org
daddr hostB.muine.org
ulp tcp
}

permit {
encr_algs des
encr_auth_algs md5
}

3. Load security association and policy:
On host A:

Load security assocation:

# ipseckey -f /etc/ipsecsa.conf

Load security policy:
# ipsecconf -a /etc/ipsecsp.conf
WARNING : New policy entries that are being added may
affect the existing connections. Existing connections
that are not subjected to policy constraints, may be
subjected to policy constraints because of the new
policy. This can disrupt the communication of the
existing connections.

Above warning is informative and is indicating security policy is successfully loaded.
Similarly on host B:

# ipseckey -f /etc/ipsecsa.conf
# ipsecconf -a /etc/ipsecsp.conf

Test it out:
snoop on gateway A: snoop host hostA
telnet from gateway B to gateway A: telnet hostA
Observe snoop output on gateway A:


hostB -> hostA ESP SPI=0x5555 Replay=8
hostA -> hostB ESP SPI=0x4444 Replay=8
hostB -> hostA ESP SPI=0x5555 Replay=9
hostA -> hostB ESP SPI=0x4444 Replay=9
hostB -> hostA ESP SPI=0x5555 Replay=10

Then dump the SAD entries on the host A and the output should look similar to:
# ipseckey dump
Base message (version 2) type DUMP, SA type ESP.
Message length 152 bytes, seq=1, pid=3212.
SA: SADB_ASSOC spi=0x4444, replay=0, state=MATURE
SA: Authentication algorithm = HMAC-MD5
SA: Encryption algorithm = DES-CBC
SA: flags=0x80000000 < X_USED >
SRC: Source address (proto=0/)
SRC: AF_INET: port = 0, 192.168.1.1 (hostA).
DST: Destination address (proto=0/)
DST: AF_INET: port = 0, 192.168.1.2 (hostB).
AKY: Authentication key.
AKY: 1234567890abcdef1234567890abcdef/128
EKY: Encryption key.
EKY: 1334577991abcdef/64
LT: Lifetime information
CLT: 7936 bytes protected, 0 allocations used.
CLT: SA added at time Mon Sep 24 19:40:08 2001
CLT: SA first used at time Mon Sep 24 19:40:39 2001
CLT: Time now is Mon Sep 24 19:42:21 2001

Base message (version 2) type DUMP, SA type ESP.
Message length 152 bytes, seq=1, pid=3212.
SA: SADB_ASSOC spi=0x5555, replay=0, state=MATURE
SA: Authentication algorithm = HMAC-MD5
SA: Encryption algorithm = DES-CBC
SA: flags=0x80000000 < X_USED >
SRC: Source address (proto=0/)
SRC: AF_INET: port = 0, 192.168.1.2 (hostB).
DST: Destination address (proto=0/)
DST: AF_INET: port = 0, 192.168.1.1 (hostA).
AKY: Authentication key.
AKY: 1234567890abcdef1234567890abcdef/128
EKY: Encryption key.
EKY: 1334577991abcdef/64
LT: Lifetime information
CLT: 2848 bytes protected, 0 allocations used.
CLT: SA added at time Mon Sep 24 19:40:08 2001
CLT: SA first used at time Mon Sep 24 19:40:39 2001
CLT: Time now is Mon Sep 24 19:42:21 2001

Dump succeeded for SA type 0.
To unload the security association in the system:

# ipseckey flush

To flush all the policies in the system:
# ipsecconf -f

To enable security policy at boot time, create /etc/init.d/ipsec
#!/sbin/sh
case "$1" in
start)
/usr/sbin/ipseckey -f /etc/ipsecsa.conf
/usr/sbin/ipsecconf -a /etc/ipsecsp.conf
;;
stop)
/usr/sbin/ipseckey flush
/usr/sbin/ipsecconf -f
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
exit 0

# chmod 744 ipsec
# cp ipsec /etc/rc2.d/S99ipsec

Other information regarding man pages: ipsecconf(1M), ipseckey(1M), authmd5h(7M),authsha1(7M), encrdes(7M), encr3des(7M), inet(7P),ip(7P),ipsec(7P),ipsecah(7P),ipsecesp(7P),pf_key(7P)

7. References
IPFilter home page:
http://www.ipfilter.org
Inspiration for this howto:
http://www.unixcircle.com/features/BuildingSolarisFW.php
IPFilter how-to:
http://www.unixcircle.com/ipf/
Guido van Rooij has written some real nice IPFilter papers:
http://www.madison-gurkha.com/all_publications.shtml
Address Allocation for Private Internets:
http://www.muine.org/rfc/rfc1918.txt
The IP Network Address Translator (NAT):
http://www.muine.org/rfc/rfc1631.txt
Traditional IP Network Address Translator (Traditional NAT)
http://www.muine.org/rfc/rfc3022.txt
DHCP Options and BOOTP Vendor Extensions
http://www.muine.org/rfc/rfc2132.txt
Implementing IPSec on Sun Solaris (IPv4)
ftp://www.zamanetworks.com/pub/knowledgebase/techdocs/Implementing%20IPSEC_IPv4_ZD1007.pdf
Overview of IPsec
http://docs.sun.com/ab2/coll.47.11/SYSADV3/@Ab2PageView/22211?Dweb
The Twenty Most Critical Internet Security Vulnerabilities (Updated)
http://66.129.1.101/top20.htm


last update: Oct 19, 2002