JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: IP Services     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information

Preface

Part I TCP/IP Administration

1.  Planning the Network Deployment

2.  Considerations When Using IPv6 Addresses

3.  Configuring an IPv4 Network

4.  Enabling IPv6 on the Network

5.  Administering a TCP/IP Network

6.  Configuring IP Tunnels

7.  Troubleshooting Network Problems

8.  IPv4 Reference

9.  IPv6 Reference

Part II DHCP

10.  About DHCP (Overview)

11.  Administering the ISC DHCP Service

12.  Configuring and Administering the DHCP Client

13.  DHCP Commands and Files (Reference)

Part III IP Security

14.  IP Security Architecture (Overview)

15.  Configuring IPsec (Tasks)

16.  IP Security Architecture (Reference)

17.  Internet Key Exchange (Overview)

18.  Configuring IKE (Tasks)

19.  Internet Key Exchange (Reference)

20.  IP Filter in Oracle Solaris (Overview)

21.  IP Filter (Tasks)

Configuring IP Filter

How to Enable IP Filter

How to Re-Enable IP Filter

How to Enable Loopback Filtering

Deactivating and Disabling IP Filter

How to Deactivate Packet Filtering

How to Deactivate NAT

How to Disable Packet Filtering

Working With IP Filter Rule Sets

Managing Packet Filtering Rule Sets for IP Filter

How to View the Active Packet Filtering Rule Set

How to View the Inactive Packet Filtering Rule Set

How to Activate a Different or Updated Packet Filtering Rule Set

How to Remove a Packet Filtering Rule Set

How to Append Rules to the Active Packet Filtering Rule Set

How to Append Rules to the Inactive Packet Filtering Rule Set

How to Switch Between Active and Inactive Packet Filtering Rule Sets

How to Remove an Inactive Packet Filtering Rule Set From the Kernel

Managing NAT Rules for IP Filter

How to View Active NAT Rules

How to Remove NAT Rules

How to Append Rules to the NAT Rules

Managing Address Pools for IP Filter

How to View Active Address Pools

How to Remove an Address Pool

How to Append Rules to an Address Pool

Displaying Statistics and Information for IP Filter

How to View State Tables for IP Filter

How to View State Statistics for IP Filter

How to View NAT Statistics for IP Filter

How to View Address Pool Statistics for IP Filter

Working With Log Files for IP Filter

How to Set Up a Log File for IP Filter

How to View IP Filter Log Files

How to Flush the Packet Log File

How to Save Logged Packets to a File

Creating and Editing IP Filter Configuration Files

How to Create a Configuration File for IP Filter

IP Filter Configuration File Examples

Part IV Networking Performance

22.  Integrated Load Balancer Overview

23.  Configuration of Integrated Load Balancer (Tasks)

24.  Virtual Router Redundancy Protocol (Overview)

25.  VRRP Configuration (Tasks)

26.  Implementing Congestion Control

Part V IP Quality of Service (IPQoS)

27.  Introducing IPQoS (Overview)

28.  Planning for an IPQoS-Enabled Network (Tasks)

29.  Creating the IPQoS Configuration File (Tasks)

30.  Starting and Maintaining IPQoS (Tasks)

31.  Using Flow Accounting and Statistics Gathering (Tasks)

32.  IPQoS in Detail (Reference)

Glossary

Index

Configuring IP Filter

The following task map identifies the procedures associated with configuring IP Filter.

Table 21-1 Configuring IP Filter (Task Map)

Task
Description
For Instructions
Initially enable IP Filter.
IP Filter is not enabled by default. You must either enable it manually or use the configuration files in the /etc/ipf/ directory and reboot the system. Packet filter hooks replace the pfil module to enable IP Filter.
Re-enable IP Filter.
If IP Filter is deactivated or disabled, you can re-enable IP Filter either by rebooting the system or by using the ipf command.
Enable loopback filtering
As an option, you can enable loopback filtering, for example, to filter traffic between zones.

How to Enable IP Filter

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Create a packet filtering rule set.

    The packet filtering rule set contains packet filtering rules that are used by IP Filter. If you want the packet filtering rules to be loaded at boot time, edit the /etc/ipf/ipf.conf file to implement IPv4 packet filtering. Use the /etc/ipf/ipf6.conf file for IPv6 packet filtering rules. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice, and manually activate packet filtering. For information about packet filtering, see Using IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing IP Filter Configuration Files.

  3. (Optional) Create a network address translation (NAT) configuration file.

    Note - Network Address Translation (NAT) does not support IPv6.


    Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually activate the NAT rules.

    For more information about NAT, see Using IP Filter's NAT Feature.

  4. (Optional) Create an address pool configuration file.

    Create an ipool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put the address pool. If you do not want the address pool configuration file to be loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate the rules.

    An address pool can contain only IPv4 addresses or only IPv6 addresses. It can also contain both IPv4 and IPv6 addresses.

    For more information about address pools, see Using IP Filter's Address Pools Feature.

  5. (Optional) Enable filtering of loopback traffic.

    If you intend to filter traffic between zones that are configured in your system, you must enable loopback filtering. See How to Enable Loopback Filtering. Make sure that you also define the appropriate rule sets that apply to the zones.

  6. Activate IP Filter.
    # svcadm enable network/ipfilter

How to Re-Enable IP Filter

You can re-enable packet filtering after it has been temporarily disabled.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Enable IP Filter and activate filtering using one of the following methods:
    • Reboot the machine.

      # reboot

      Note - When IP Filter is enabled, after a reboot the following files are loaded if they are present: the /etc/ipf/ipf.conf file, the /etc/ipf/ipf6.conf file when using IPv6, or the /etc/ipf/ipnat.conf.


    • Perform the following series of commands to enable IP Filter and activate filtering:

      1. Enable IP Filter.

        # ipf -E
      2. Activate packet filtering.

        # ipf -f filename
      3. (Optional) Activate NAT.

        # ipnat -f filename

        Note - Network Address Translation (NAT) does not support IPv6.


How to Enable Loopback Filtering

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Stop IP Filter if it is running.
    # svcadm disable network/ipfilter
  3. Edit the /etc/ipf.conf or /etc/ipf6.conf file by adding the following line at the beginning of the file:
    set intercept_loopback true;

    This line must precede all the IP Filter rules that are defined in the file. However, you can insert comments before the line, similar to the following example:

    # 
    # Enable loopback filtering to filter between zones 
    # 
    set intercept_loopback true; 
    # 
    # Define policy 
    # 
    block in all 
    block out all 
    <other rules>
    ...
  4. Start the IP Filter.
    # svcadm enable network/ipfilter
  5. To verify the status of loopback filtering, use the following command:
    # ipf -T ipf_loopback
    ipf_loopback    min 0   max 0x1 current 1
    #

    If loopback filtering is disabled, the command would generate the following output:

    ipf_loopback    min 0   max 0x1 current 0