[rescue] Putting an insecure machine on a network

Mike F lists at ibrew.net
Tue Mar 21 15:38:25 CST 2006

Sheldon T. Hall wrote:
>  Mike F says ...
>> Sheldon T. Hall wrote:
>>> In any case, adding the SUNW packages let me build IPFilter, even 
>>> though two of Mike F's listed packages don't seem to be 
>>> part of Solaris 7.
>>> However, the doco for ip_fil3.4.35 indicates that running "make 
>>> package" will build a package (maybe it does, no error messages 
>>> anyway) and kick off pkgadd to install it.  It certainly 
>>> doesn't do the 
>>> latter, and I can't figure out which of the zillion files 
>>> and directories holds or _is_ the alleged package.
>> The package should be somewhere under the directory in which 
>> you built it; it'll be something like "ipf.pkg".
>> pkgadd -d `find ./ -name '*.pkg'` should do what you need.
> ... And it does!
> Hot damn.  You da man.
> Now, just one more little question....
> The box on which you just solved my ipfilter installation issues has two NICs.
> The built-in le0 is on my network, with a gateway of
> providing access to the internet.
> I want to use the hme0 add-in NIC to provide access for the insecure laptop.
> I'd like for it to be in some completely different subnet (say,
> and to have access through the Solaris box _only_ to  No access
> to the Solaris box itself, and no access to the rest of my
> network.

Should be doable.

You'll want to do `ndd -set /dev/tcp ip_forwarding 1` to set forwarding
between the 2 interfaces (and maybe put it in an init script to persist
between reboots.)

Then you'll have to write your ipf.conf. This should be easy because
your needs are pretty simple :-)


# Start with default-deny rules
block in all
block out all
# Allow traffic on internal interface hme0 from internal host to
# internet gateway with destination port xx
pass in quick on hme0 proto tcp from to port = xx keep state
pass out quick on le0 proto tcp from to port = xx keep state

That should do what you want to do. Let me know how it goes (or if it
doesn't :)

> I _thought_ I knew how to do this, but it seems I don't.  Can you endure
> giving me a tad more help on this?
> Thanks.
> -Shel
I've been looking at iptables a little lately, and I can tell you
ipfilter and pf are an absolute joy compared to iptables. Talk about

- Mike
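As an added illustration of the two-NIC setup discussed in this thread (this is not code from the original posts), the script below generates a complete ipf.conf for the "laptop may only reach the gateway on one TCP port" policy and, where the tools exist, enables forwarding and loads the rules. The subnet, gateway address and port are constructed placeholders standing in for the values elided in the quoted message; `ndd` is pointed at `/dev/ip`, which is where Solaris keeps the `ip_forwarding` parameter. The ordering matters: IPFilter is last-match-wins unless a rule says `quick`, so the two default-deny lines come first and every pass rule is `quick`, which also means nothing else (the Solaris box itself, the rest of the LAN) is reachable from hme0.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholder values (constructed):
#   LAPTOP_NET  subnet on the hme0 side where the insecure laptop lives
#   GATEWAY     internet gateway on the le0 side
#   PORT        the single TCP port the laptop is allowed to reach on it
LAPTOP_NET="${LAPTOP_NET:-192.0.2.0/24}"
GATEWAY="${GATEWAY:-198.51.100.1}"
PORT="${PORT:-80}"

# Emit the ruleset on stdout. Each rule is one line; default deny first,
# pass rules "quick" so that no later rule can re-open traffic.
gen_ipf_conf() {
    laptop_net="$1"; gateway="$2"; port="$3"
    cat <<EOF
# Default deny on every interface, both directions
block in all
block out all
# Laptop side (hme0): only TCP from the laptop subnet to the gateway on $port
pass in quick on hme0 proto tcp from $laptop_net to $gateway port = $port keep state
# Internet side (le0): let the forwarded connection leave; state covers replies
pass out quick on le0 proto tcp from $laptop_net to $gateway port = $port keep state
EOF
}

# Number of pass rules in a generated ruleset (sanity check: should be exactly 2)
count_pass_rules() {
    gen_ipf_conf "$1" "$2" "$3" | grep -c '^pass '
}

# Enable forwarding between the two NICs and load the rules. Guarded so the
# script is harmless on a machine without ndd/ipf.
apply_rules() {
    conf="$1"
    if command -v ndd >/dev/null 2>&1 && command -v ipf >/dev/null 2>&1; then
        ndd -set /dev/ip ip_forwarding 1   # not persistent; put in an init script
        ipf -Fa -f "$conf"                 # flush old rules, load the new set
    else
        echo "ndd/ipf not found; would load $conf" >&2
        return 1
    fi
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--write" ]; then
    gen_ipf_conf "$LAPTOP_NET" "$GATEWAY" "$PORT" > /etc/ipf.conf
    apply_rules /etc/ipf.conf
fi
```

Run it with `--write` on the Solaris box to install the rules; without arguments it only defines the functions, so `gen_ipf_conf 192.0.2.0/24 198.51.100.1 80` can be used to review the ruleset before loading it.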
