Block HTTP traffic on Solaris 11 IP Filter firewall

I have an http server on my Solaris 11 system and I want to block all http requests from other systems. Eventually I will allow access, but for now I cannot figure out how to block access to port 80, as nothing I do seems to work.

I have the following in my /etc/ipf/ipf.conf

# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
# block in all
block in proto tcp from any to any port = 80
block out quick proto tcp to any port = http keep state

The ipfilter service is running

root@test2:/etc/ipf# svcs ipfilter
STATE STIME FMRI
online 19:25:23 svc:/network/ipfilter:default

However, whenever I visit 192.168.1.211 in my browser, I see "It works!" The only thing that seems to work is if I put block in all in the ipf.conf file, but that blocks ALL incoming traffic (including my SSH connection). I am not sure what I am doing. Maybe my syntax is wrong.

asked May 7 at 23:33
Timothy Pulliam

2 Answers

I have an http server on my Solaris 11 system and I want to block all http requests from other systems.

Assuming you want to allow access from only the actual web server host itself, the easiest way to do that is to simply configure your web server to listen to 127.0.0.1:80 or localhost:80 instead of something like 0.0.0.0:80 or 192.168.1.211:80.

answered May 8 at 9:45
Andrew Henle

• Maybe my question is unclear. I am trying to use the firewall to block a particular port. If it helps, just substitute HTTP for SSH.
  – Timothy Pulliam
  May 8 at 14:34

• @TimothyPulliam Why are you using a firewall to block something you don't even need to open in the first place? If you don't want your web server responding to off-host requests, don't configure your web server to answer those requests then create something to block them. Why not just configure your web server so it does what you want in the first place? See en.wikipedia.org/wiki/Law_of_the_instrument
  – Andrew Henle
  May 8 at 15:06

So it seems I needed to set the IP Filter firewall config policy to "custom" and then point it to the location of the ipf.conf file before it would work. Now the changes are working.

$ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
$ svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"

Link with relevant docs. I don't know why it seemed to work before, but it is working now.

answered May 8 at 14:50
Timothy Pulliam
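
The failure in this thread was a service that svcs reported as online while the rules in /etc/ipf/ipf.conf had no effect. The script below is an added example, not code from either poster: it applies the two custom-policy properties from the answer above and then checks the loaded rule list with ipfstat instead of trusting the service state. The rule set, the function names and the refresh/enable step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. On the Solaris 11 host, as root:
#   sh ipf-http.sh apply     (script name is arbitrary)
FMRI=ipfilter:default
RULES=${RULES:-/etc/ipf/ipf.conf}    # path used in the answer above

# Rule set constructed for this example. "quick" makes the first match
# final, so SSH stays reachable even if a broad block rule is added later.
write_rules() {
    cat <<'EOF'
pass in quick proto tcp from any to any port = 22 keep state
block in quick proto tcp from any to any port = 80
EOF
}

# Reads a rule listing (ipfstat -i output) on stdin; succeeds only if it
# contains an inbound block rule for TCP port 80, shown as "80" or "http".
has_http_block() {
    grep -E '^block in .*proto tcp .*port = (80|http)([^0-9a-z]|$)' >/dev/null
}

apply_policy() {
    write_rules > "$RULES.new" || return 1
    ipf -n -f "$RULES.new" || return 1    # -n: parse only, kernel untouched
    mv "$RULES.new" "$RULES" || return 1
    # The two properties from the answer: use a custom policy file.
    svccfg -s "$FMRI" setprop firewall_config_default/policy = astring: custom
    svccfg -s "$FMRI" setprop \
        firewall_config_default/custom_policy_file = astring: "$RULES"
    svcadm refresh "$FMRI"    # running snapshot picks up the new properties
    svcadm enable "$FMRI"     # no-op if the service is already online
}

# "online" in svcs does not prove the file was loaded, so ask the kernel.
verify() {
    svcprop -p firewall_config_default/policy "$FMRI"    # expect: custom
    if ipfstat -i | has_http_block; then
        echo "inbound port 80 block is loaded"
    else
        echo "port 80 block NOT loaded; current inbound rules:" >&2
        ipfstat -i >&2
        return 1
    fi
}

case "${1:-}" in
    apply)  apply_policy && verify ;;
    verify) verify ;;
esac
```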
