IPFilter: A Unix Host-Based Firewall

With the advent of TCP wrappers and dedicated firewalling hardware, host-based firewall packages for unix operating systems have fallen by the wayside. Daemons such as inetd, xinetd, and tcpd allow hosts to effectively limit outside connections to an out-of-the-box unix distribution, and as such, many users seldom consider using a third party firewall package. IPFilter is one such host-based firewall. It provides several useful security features which are lacking in stock unix installs, such as the ability to filter egressing traffic, protocol/packet state filtering, and true stateful firewalling. This paper will explain the benefits of using IPFilter on a unix host by detailing its configuration and implementation on a Solaris 8 SPARC box, and providing examples users can follow to safeguard their machines against some of the more popular remote exploits.