Merge pull request #3 from tmuehle/master

Blog post added on "Controlling PF rules with SMF and IPS"

Author: tanmayd1996

Blog_Supplements/Controlling_PF_Rules_with_SMF_and_IPS/README.md

@@ -0,0 +1,9 @@
+<service_bundle type='profile' name='network/firewall'>
+        <service name='network/firewall' type='service' version='1'>
+                <property_group name="firewall_stencil" type="configfile">
+                        <propval name="path" type="astring" value="/etc/firewall/pf.conf"/>
+                        <propval name="stencil" type="astring" value="firewall.stencil"/>
+                        <propval name="mode" type="astring" value="0644"/>
+                </property_group>
+        </service>
+</service_bundle>

Blog_Supplements/Controlling_PF_Rules_with_SMF_and_IPS/example_files/firewall-stencil-profile.xml

@@ -0,0 +1,7 @@
+<service_bundle type='profile' name='network/firewall'>
+        <service name='network/firewall' type='service' version='1'>
+                <property_group name='include' type='framework'>
+                        <propval name='webui' type='astring' value='/etc/firewall/pf.webui'/>
+                </property_group>
+        </service>
+</service_bundle>

Blog_Supplements/Controlling_PF_Rules_with_SMF_and_IPS/example_files/firewall-webui-profile.xml

@@ -0,0 +1,56 @@
+#
+# Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+#
+#
+# /etc/firewall/pf.conf
+#
+#
+# This is a sample PF firewall configuration file. Solaris currently ships with
+# PF firewall alternate to current IPF. PF is meant to replace IPF in future
+# Solaris releases. We encourage customers with customized IPF configuration to
+# try to migrate their firewall rules to PF. See our release notes/documentation
+# for hints how to migrate your custom configuration.
+#
+# There is no action for you if you are using default IPF configuration (a.k.a.
+# host based firewall). See svc.ipfd(1M) to find out how to check if you are
+# affected.
+#
+
+#
+# PF does IP reassembly by default. We also use 'no-df' option on Solaris
+# to ensure IP reassembly working with broken stacks which can send packets
+# with invalid flag combination 'MF|DF'.
+#
+set reassemble yes no-df
+
+#
+# We don't want PF to filter on loopback traffic by default.
+#
+# Filtering on loopback can interfere with zone installation and other
+# operations due to Solaris loopback optimizations. See the pf.conf(5)
+# manpage for guidance on how to enable it for your application.
+set skip on lo0
+
+## block everything unless told otherwise
+## and send TCP-RST/ICMP unreachable
+## for every packet which gets blocked
+block return log
+
+## accept incoming icmp pkts e.g. ping
+pass in proto icmp from any to any
+
+## accept incoming SSH connections
+pass in proto tcp to any port 22 flags any keep state (sloppy)
+
+## accept connections for rsyslog
+pass in proto tcp from any to any port = 6514
+
+## includes
+; walk each instance and extract all properties from the config PG
+;$%/(svc:/$%s:(.*)/:properties)/{
+$%/(svc:/$%s:(.*)/:properties)/{$%/$%1/include/(.*)/{include "$%{$%1/include/$%3}"
+}}
+
+## allow all connections initiated from this system,
+## including DHCP requests
+pass out

Blog_Supplements/Controlling_PF_Rules_with_SMF_and_IPS/example_files/firewall.stencil

@@ -0,0 +1,6 @@
+set name=pkg.fmri value=pkg://vpbank/vpbank/security/[email protected]
+set name=pkg.summary value="PF FIREWALL conf /etc/firewall/pf.webui (build with 11.4 SRU 7)"
+set name=pkg.description value="This package contains the webui configuration for the pf firewall and the corresponding service."
+set name=variant.arch value=i386 value=sparc
+file etc/firewall/pf.webui path=etc/firewall/pf.webui owner=root group=sys mode=0644 refresh_fmri=svc:/network/firewall:default
+file etc/svc/profile/site/firewall-webui-profile.xml path=etc/svc/profile/site/firewall-webui-profile.xml owner=root group=sys mode=0444 restart_fmri=svc:/system/manifest-import:default

Blog_Supplements/Controlling_PF_Rules_with_SMF_and_IPS/example_files/pf-firewall-webui.p5m.4.res

@@ -0,0 +1,3 @@
+## accept connections for Solaris IPS repository
+pass in proto tcp from any to any port = 8113
+pass in proto tcp from any to any port = 8114

Blog_Supplements/Controlling_PF_Rules_with_SMF_and_IPS/example_files/pf.ips

@@ -0,0 +1,2 @@
+## accept connections for oracle puppet
+pass in proto tcp from any to any port = 8140

Blog_Supplements/Controlling_PF_Rules_with_SMF_and_IPS/example_files/pf.puppet

@@ -0,0 +1,4 @@
+K muehle@wacken % cat PF_FIREWALL_RAD/PROTO.PF_FIREWALL_RAD/etc/firewall/pf.rad                                                                                                                                                                /data/build 0
+## accept connections for oracle solaris rad:remote
+pass in proto tcp from any to any port = 12302
+pass in proto tcp from any to any port = 8102

Blog_Supplements/Controlling_PF_Rules_with_SMF_and_IPS/example_files/pf.rad

@@ -0,0 +1,3 @@
+PF_FIREWALL_WEBUI/PROTO.PF_FIREWALL_WEBUI/etc/firewall/pf.webui                                                                                                                                                          /data/build 0
+## accept connections for oracle solaris webui dashboard
+pass in proto tcp from any to any port = 6787

Blog_Supplements/Controlling_PF_Rules_with_SMF_and_IPS/example_files/pf.webui

@@ -0,0 +1,17 @@
+set name=pkg.fmri value=pkg://odev/security/[email protected]
+set name=pkg.summary value="PF FIREWALL conf /etc/firewall/pf.webui (build with st_085)"
+set name=pkg.description value="This package contains the webui configuration for the pf firewall and the corresponding service."
+set name=variant.arch value=sparc value=i386
+<transform dir path=etc$ -> drop>
+<transform dir path=etc/svc$ -> drop>
+<transform dir path=etc/svc/profile$ -> drop>
+<transform dir path=etc/svc/profile/site$ -> drop>
+<transform file path=etc/svc/profile/site/firewall-webui-profile.xml$ -> set owner root>
+<transform file path=etc/svc/profile/site/firewall-webui-profile.xml$ -> set group sys>
+<transform file path=etc/svc/profile/site/firewall-webui-profile.xml$ -> set mode 0444>
+<transform file path=etc/svc/profile/site/firewall-webui-profile.xml$ -> default restart_fmri svc:/system/manifest-import:default>
+<transform dir path=etc/firewall$ -> drop>
+<transform file path=etc/firewall/pf.webui$ -> set owner root>
+<transform file path=etc/firewall/pf.webui$ -> set group sys>
+<transform file path=etc/firewall/pf.webui$ -> set mode 0644>
+<transform file path=etc/firewall/pf.webui$ -> default refresh_fmri svc:/network/firewall:default>