System Administration Guide: IP Services

Procedure: How to Append Rules to the Active Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use one of the following methods to append rules to the active rule set:

    • Append rules to the rule set at the command line using the ipf -f - command.

      # echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f -

    • Perform the following commands:

      1. Create a rule set in a file of your choice.

      2. Add the rules you have created to the active rule set.

        # ipf -f filename

        The rules in filename are added to the end of the active rule set. Because Solaris IP Filter uses a “last matching rule” algorithm, an appended rule takes precedence over any earlier rule that matches the same packet, unless an earlier rule uses the quick keyword. If a packet matches a rule containing the quick keyword, the action for that rule is taken and no subsequent rules are checked.


Example 25–6 Appending Rules to the Active Packet Filtering Rule Set

The following example shows how to add a rule to the active packet filtering rule set from the command line.


# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
# echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f -
# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any
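
The following Python model is an added example; it is not part of this guide or of IP Filter itself. It implements the “last matching rule” evaluation and the quick behaviour described in the procedure, with parsing limited to the keywords that appear on this page (pass/block, in/out, log, quick, on, proto, from/to); ports, state and the other rule options are not modelled. The Packet class, the function names, the destination addresses 192.0.2.10 and 198.51.100.7 and the blanket "pass in from any to any" rule are constructed for the illustration; the other rules are the ones from Example 25–6. The model assumes IP Filter's default of passing a packet that matches no rule.

```python
"""Model of IP Filter's active rule set after 'ipf -f' appends rules.
Added example, not IP Filter code: only the rule keywords on this page
are parsed, and only the last-match / quick semantics are modelled."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool                  # stop evaluating when this rule matches
    log: bool
    iface: Optional[str]         # None means any interface
    proto: Optional[str]         # None means any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                    # original rule line, kept for reporting


@dataclass
class Packet:                    # constructed for the example
    direction: str
    iface: str
    proto: str
    src: str
    dst: str


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' or address/prefix; a bare address becomes a /32."""
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse one rule line of the form: pass|block in|out [log] [quick]
    [on IFACE] [proto NAME] [from NET] [to NET]."""
    toks = text.split()
    if len(toks) < 2 or toks[0] not in ("pass", "block") or toks[1] not in ("in", "out"):
        raise ValueError(f"rule must start with 'pass|block in|out': {text!r}")
    opts = dict(quick=False, log=False, iface=None, proto=None, src=ANY, dst=ANY)
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("quick", "log"):
            opts[tok] = True
            i += 1
        elif tok in ("on", "proto", "from", "to") and i + 1 < len(toks):
            key = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}[tok]
            opts[key] = _net(toks[i + 1]) if tok in ("from", "to") else toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported or incomplete keyword {tok!r} in {text!r}")
    return Rule(toks[0], toks[1], text=text, **opts)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Last matching rule wins; a matching 'quick' rule ends the search.
    A packet that matches no rule is passed (IP Filter's default)."""
    decision, matched = "pass", None
    for rule in rules:
        if matches(rule, pkt):
            decision, matched = rule.action, rule.text
            if rule.quick:
                break
    return decision, matched


def append_rules(active: List[Rule], rule_file: str) -> List[Rule]:
    """Model 'ipf -f filename': parsed rules go on the END of the active set.
    Blank lines and '#' comment lines are skipped."""
    new = [parse_rule(line) for line in rule_file.splitlines()
           if line.strip() and not line.lstrip().startswith("#")]
    return active + new


# Constructed packets; 10.1.1.1 and dmfe1 are taken from Example 25-6.
PKT_10_1_1_1 = Packet("in", "dmfe1", "tcp", "10.1.1.1", "192.0.2.10")
PKT_OUTSIDE = Packet("in", "dmfe1", "tcp", "198.51.100.7", "192.0.2.10")


def page_example() -> List[Rule]:
    """The active set of Example 25-6 after the 'echo ... | ipf -f -' step."""
    active = [parse_rule("block in log quick from 10.0.0.0/8 to any")]
    return append_rules(active, "block in on dmfe1 proto tcp from 10.1.1.1/32 to any\n")


def later_rule_wins() -> Tuple[str, str]:
    """A block appended after a blanket pass flips the decision for the
    matching host only: the last matching rule decides."""
    active = [parse_rule("pass in from any to any")]
    active = append_rules(active, "block in on dmfe1 proto tcp from 10.1.1.1/32 to any")
    return evaluate(active, PKT_10_1_1_1)[0], evaluate(active, PKT_OUTSIDE)[0]


def quick_cannot_be_overridden() -> Tuple[str, Optional[str]]:
    """An earlier 'quick' rule ends evaluation, so an appended pass rule for
    the same host is never reached."""
    active = [parse_rule("block in log quick from 10.0.0.0/8 to any")]
    active = append_rules(active, "pass in on dmfe1 proto tcp from 10.1.1.1/32 to any")
    return evaluate(active, PKT_10_1_1_1)


if __name__ == "__main__":
    for r in page_example():
        print(r.text)
    print(later_rule_wins())
    print(quick_cannot_be_overridden())
```

Running the model against the rule set of Example 25–6 shows why checking ipfstat -io output before appending matters: 10.1.1.1 lies within 10.0.0.0/8, so the earlier quick rule already blocks it and the appended rule is never consulted for that host. The appended rule only takes effect if the quick rule is removed or narrowed.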