Block HTTP traffic on solaris 11 IP Filter firewall

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
-1
down vote

favorite












I have an http server on my Solaris 11 system and I want to block all http requests from other systems. Eventually I will allow access, but for now I cannot figure out how to block access to port 80, as nothing I do seems to work.



I have the following in my /etc/ipf/ipf.conf



# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
# block in all
block in proto tcp from any to any port = 80
block out quick proto tcp to any port = http keep state


The ipfilter service is running



root@test2:/etc/ipf# svcs ipfilter
STATE STIME FMRI
online 19:25:23 svc:/network/ipfilter:default


However, whenever I visit 192.168.1.211 in my browser, I see "It works!" The only thing that seems to work is if I put block in all in the ipf.conf file, but that blocks ALL incoming traffic (including my SSH connection). I am not sure what I am doing. Maybe my syntax is wrong.







share|improve this question























    up vote
    -1
    down vote

    favorite












    I have an http server on my Solaris 11 system and I want to block all http requests from other systems. Eventually I will allow access, but for now I cannot figure out how to block access to port 80, as nothing I do seems to work.



    I have the following in my /etc/ipf/ipf.conf



    # ipf.conf
    #
    # IP Filter rules to be loaded during startup
    #
    # See ipf(4) manpage for more information on
    # IP Filter rules syntax.
    # block in all
    block in proto tcp from any to any port = 80
    block out quick proto tcp to any port = http keep state


    The ipfilter service is running



    root@test2:/etc/ipf# svcs ipfilter
    STATE STIME FMRI
    online 19:25:23 svc:/network/ipfilter:default


    However, whenever I visit 192.168.1.211 in my browser, I see "It works!" The only thing that seems to work is if I put block in all in the ipf.conf file, but that blocks ALL incoming traffic (including my SSH connection). I am not sure what I am doing. Maybe my syntax is wrong.







    share|improve this question





















      up vote
      -1
      down vote

      favorite









      up vote
      -1
      down vote

      favorite











      I have an http server on my Solaris 11 system and I want to block all http requests from other systems. Eventually I will allow access, but for now I cannot figure out how to block access to port 80, as nothing I do seems to work.



      I have the following in my /etc/ipf/ipf.conf



      # ipf.conf
      #
      # IP Filter rules to be loaded during startup
      #
      # See ipf(4) manpage for more information on
      # IP Filter rules syntax.
      # block in all
      block in proto tcp from any to any port = 80
      block out quick proto tcp to any port = http keep state


      The ipfilter service is running



      root@test2:/etc/ipf# svcs ipfilter
      STATE STIME FMRI
      online 19:25:23 svc:/network/ipfilter:default


      However, whenever I visit 192.168.1.211 in my browser, I see "It works!" The only thing that seems to work is if I put block in all in the ipf.conf file, but that blocks ALL incoming traffic (including my SSH connection). I am not sure what I am doing. Maybe my syntax is wrong.







      share|improve this question











      I have an http server on my Solaris 11 system and I want to block all http requests from other systems. Eventually I will allow access, but for now I cannot figure out how to block access to port 80, as nothing I do seems to work.



      I have the following in my /etc/ipf/ipf.conf



      # ipf.conf
      #
      # IP Filter rules to be loaded during startup
      #
      # See ipf(4) manpage for more information on
      # IP Filter rules syntax.
      # block in all
      block in proto tcp from any to any port = 80
      block out quick proto tcp to any port = http keep state


      The ipfilter service is running



      root@test2:/etc/ipf# svcs ipfilter
      STATE STIME FMRI
      online 19:25:23 svc:/network/ipfilter:default


      However, whenever I visit 192.168.1.211 in my browser, I see "It works!" The only thing that seems to work is if I put block in all in the ipf.conf file, but that blocks ALL incoming traffic (including my SSH connection). I am not sure what I am doing. Maybe my syntax is wrong.









      share|improve this question










      share|improve this question




      share|improve this question









      asked May 7 at 23:33









      Timothy Pulliam

      981515




      981515




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          0
          down vote














          I have an http server on my Solaris 11 system and I want to block all http requests from other systems.




          Assuming your want to allow access from only the actual web server host itself, the easiest way to do that is to simply configure your web server to listen to 127.0.0.1:80 or localhost:80 instead of something like 0.0.0.0:80 or 192.168.1.211:80.






          share|improve this answer





















          • Maybe my question is unclear. I am trying to use the firewall to block a particular port. If it helps, just substitute HTTP for SSH.
            – Timothy Pulliam
            May 8 at 14:34










          • @TimothyPulliam Why are you using a firewall to block something you don't even need to open in the first place? If you don't want your web server responding to off-host requests, don't configure your web server to answer those request then create something to block them. Why not just configure your web server so it does what you want in the first place? See en.wikipedia.org/wiki/Law_of_the_instrument
            – Andrew Henle
            May 8 at 15:06


















          up vote
          0
          down vote













          So it seems I needed to set the IP Filter firewall config policy to "custom" and then point it to the location of the ipf.conf file before it would work. Now the changes are working.



          $ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
          $ svccfg -s ipfilter:default
          setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"


          Link with relevant docs. I don't know why it seemed to work before, but it is working now.






          share|improve this answer





















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442426%2fblock-http-traffic-on-solaris-11-ip-filter-firewall%23new-answer', 'question_page');

            );

            Post as a guest






























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote














            I have an http server on my Solaris 11 system and I want to block all http requests from other systems.




            Assuming your want to allow access from only the actual web server host itself, the easiest way to do that is to simply configure your web server to listen to 127.0.0.1:80 or localhost:80 instead of something like 0.0.0.0:80 or 192.168.1.211:80.






            share|improve this answer





















            • Maybe my question is unclear. I am trying to use the firewall to block a particular port. If it helps, just substitute HTTP for SSH.
              – Timothy Pulliam
              May 8 at 14:34










            • @TimothyPulliam Why are you using a firewall to block something you don't even need to open in the first place? If you don't want your web server responding to off-host requests, don't configure your web server to answer those request then create something to block them. Why not just configure your web server so it does what you want in the first place? See en.wikipedia.org/wiki/Law_of_the_instrument
              – Andrew Henle
              May 8 at 15:06















            up vote
            0
            down vote














            I have an http server on my Solaris 11 system and I want to block all http requests from other systems.




            Assuming your want to allow access from only the actual web server host itself, the easiest way to do that is to simply configure your web server to listen to 127.0.0.1:80 or localhost:80 instead of something like 0.0.0.0:80 or 192.168.1.211:80.






            share|improve this answer





















            • Maybe my question is unclear. I am trying to use the firewall to block a particular port. If it helps, just substitute HTTP for SSH.
              – Timothy Pulliam
              May 8 at 14:34










            • @TimothyPulliam Why are you using a firewall to block something you don't even need to open in the first place? If you don't want your web server responding to off-host requests, don't configure your web server to answer those request then create something to block them. Why not just configure your web server so it does what you want in the first place? See en.wikipedia.org/wiki/Law_of_the_instrument
              – Andrew Henle
              May 8 at 15:06













            up vote
            0
            down vote










            up vote
            0
            down vote










            I have an http server on my Solaris 11 system and I want to block all http requests from other systems.




            Assuming your want to allow access from only the actual web server host itself, the easiest way to do that is to simply configure your web server to listen to 127.0.0.1:80 or localhost:80 instead of something like 0.0.0.0:80 or 192.168.1.211:80.






            share|improve this answer














            I have an http server on my Solaris 11 system and I want to block all http requests from other systems.




            Assuming your want to allow access from only the actual web server host itself, the easiest way to do that is to simply configure your web server to listen to 127.0.0.1:80 or localhost:80 instead of something like 0.0.0.0:80 or 192.168.1.211:80.







            share|improve this answer













            share|improve this answer



            share|improve this answer











            answered May 8 at 9:45









            Andrew Henle

            2,502911




            2,502911











            • Maybe my question is unclear. I am trying to use the firewall to block a particular port. If it helps, just substitute HTTP for SSH.
              – Timothy Pulliam
              May 8 at 14:34










            • @TimothyPulliam Why are you using a firewall to block something you don't even need to open in the first place? If you don't want your web server responding to off-host requests, don't configure your web server to answer those request then create something to block them. Why not just configure your web server so it does what you want in the first place? See en.wikipedia.org/wiki/Law_of_the_instrument
              – Andrew Henle
              May 8 at 15:06

















            • Maybe my question is unclear. I am trying to use the firewall to block a particular port. If it helps, just substitute HTTP for SSH.
              – Timothy Pulliam
              May 8 at 14:34










            • @TimothyPulliam Why are you using a firewall to block something you don't even need to open in the first place? If you don't want your web server responding to off-host requests, don't configure your web server to answer those request then create something to block them. Why not just configure your web server so it does what you want in the first place? See en.wikipedia.org/wiki/Law_of_the_instrument
              – Andrew Henle
              May 8 at 15:06
















            Maybe my question is unclear. I am trying to use the firewall to block a particular port. If it helps, just substitute HTTP for SSH.
            – Timothy Pulliam
            May 8 at 14:34




            Maybe my question is unclear. I am trying to use the firewall to block a particular port. If it helps, just substitute HTTP for SSH.
            – Timothy Pulliam
            May 8 at 14:34












            @TimothyPulliam Why are you using a firewall to block something you don't even need to open in the first place? If you don't want your web server responding to off-host requests, don't configure your web server to answer those request then create something to block them. Why not just configure your web server so it does what you want in the first place? See en.wikipedia.org/wiki/Law_of_the_instrument
            – Andrew Henle
            May 8 at 15:06





            @TimothyPulliam Why are you using a firewall to block something you don't even need to open in the first place? If you don't want your web server responding to off-host requests, don't configure your web server to answer those request then create something to block them. Why not just configure your web server so it does what you want in the first place? See en.wikipedia.org/wiki/Law_of_the_instrument
            – Andrew Henle
            May 8 at 15:06













            up vote
            0
            down vote













            So it seems I needed to set the IP Filter firewall config policy to "custom" and then point it to the location of the ipf.conf file before it would work. Now the changes are working.



            $ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
            $ svccfg -s ipfilter:default
            setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"


            Link with relevant docs. I don't know why it seemed to work before, but it is working now.






            share|improve this answer

























              up vote
              0
              down vote













              So it seems I needed to set the IP Filter firewall config policy to "custom" and then point it to the location of the ipf.conf file before it would work. Now the changes are working.



              $ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
              $ svccfg -s ipfilter:default
              setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"


              Link with relevant docs. I don't know why it seemed to work before, but it is working now.






              share|improve this answer























                up vote
                0
                down vote










                up vote
                0
                down vote









                So it seems I needed to set the IP Filter firewall config policy to "custom" and then point it to the location of the ipf.conf file before it would work. Now the changes are working.



                $ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
                $ svccfg -s ipfilter:default
                setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"


                Link with relevant docs. I don't know why it seemed to work before, but it is working now.






                share|improve this answer













                So it seems I needed to set the IP Filter firewall config policy to "custom" and then point it to the location of the ipf.conf file before it would work. Now the changes are working.



                $ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
                $ svccfg -s ipfilter:default
                setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"


                Link with relevant docs. I don't know why it seemed to work before, but it is working now.







                share|improve this answer













                share|improve this answer



                share|improve this answer











                answered May 8 at 14:50









                Timothy Pulliam

                981515




                981515






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442426%2fblock-http-traffic-on-solaris-11-ip-filter-firewall%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?