Apologies if this is the wrong sort of thing to ask here.
I'm using the ipfilter which ships with Solaris 10u2, I'm not sure of
the exact version. I'm trying to set up a firewall/router box which
will sit in front of some machines we don't trust (basically
development platforms we've got from people which we don't really
want on our main network). It has two interfaces, and after some
poring over the manuals I've structured the rules by interface, with
4 groups, basically like:
block in quick on elxl0 any head 10
... rules here which belong to group 10 and may allow access in on
elxl0
block out quick on elxl0 any head 11
... rules here which belong to group 11
... and similarly for the other interface.
Is that a reasonable approach to structuring rules? Performance is
not particularly critical, but I want to make sure that whoever
follows me doesn't look at it and think 'what a weird way of doing
things'. I couldn't really find any style guidance on the net.
A more important question is DHCP. This box is a DHCP server for
its untrusted network, and I spent a long time trying variations of
a rule like:
pass in quick on elxl1 proto udp from any port = bootpc
to any port = bootps keep state group 20
(group 20 is the elxl1 inwards rules in my scheme, and elxl1 is the
interface onto the untrusted network).
This fails: the machine gets the DHCP request, but the reply never
gets out. And I think that this is because keep state doesn't have a
hope in hell of working for DHCP unless there is complete magic in
there. The request comes from either 255.255.255.255 or perhaps
0.0.0.0 and is aimed at 255.255.255.255, and the DHCP server then
sends out a reply from its own address (obviously) aimed at
255.255.255.255 (I think). So unless the system has explicit
knowledge of DHCP I think any attempt to infer the reverse rule
temporarily is doomed. What I ended up doing is putting in both
halves of the rule explicitly, so I had another one:
pass out quick on elxl1 proto udp from any port = bootps
to any port = bootpc group 21
Is that the right approach to doing DHCP, or is there something I'm
missing?
Thanks
--tim
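The per-interface grouping and the explicit two-half DHCP rules described in the post, assembled into one complete ipf.conf as an added example (not the poster's actual ruleset). It assumes elxl0 faces the trusted network, elxl1 the untrusted one, and uses the documentation range 192.0.2.0/24 as a stand-in for the untrusted subnet.

```conf
# Added example ipfilter ruleset; not the poster's configuration.
# Assumptions: elxl0 = trusted side, elxl1 = untrusted side,
# 192.0.2.0/24 = untrusted subnet (placeholder, documentation range).
# One blocking head rule per interface and direction; everything that
# applies to that interface/direction lives in the matching group, so
# the evaluation order for any packet is easy to follow.

# --- elxl0 (trusted side), inbound: group 10 ---
block in log quick on elxl0 all head 10
  # stateful admin access to the firewall itself from the trusted side
  pass in quick on elxl0 proto tcp from any to any port = 22 flags S keep state group 10

# --- elxl0, outbound: group 11 ---
block out log quick on elxl0 all head 11
  # nothing from the untrusted hosts reaches the trusted side by default;
  # state created by rules in group 10 still lets those replies through

# --- elxl1 (untrusted side), inbound: group 20 ---
block in log quick on elxl1 all head 20
  # DHCP: deliberately no "keep state". The request comes from 0.0.0.0
  # (or the broadcast address) to 255.255.255.255, so ipf cannot derive
  # the reverse flow; the server reply is permitted explicitly in group 21.
  pass in quick on elxl1 proto udp from any port = bootpc to any port = bootps group 20
  # ordinary traffic from the untrusted LAN can be stateful as usual
  pass in quick on elxl1 proto tcp from 192.0.2.0/24 to any port = 80 flags S keep state group 20
  pass in quick on elxl1 proto udp from 192.0.2.0/24 to any port = 53 keep state group 20

# --- elxl1, outbound: group 21 ---
block out log quick on elxl1 all head 21
  # second half of the DHCP pair: server reply, whether broadcast or
  # unicast to the offered address, would otherwise die on the head rule
  pass out quick on elxl1 proto udp from any port = bootps to any port = bootpc group 21
```

The `log` keyword on each head rule means anything not matched by a group member shows up in ipmon, which is the quickest way to see a blocked DHCP reply like the one described above.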