Oracle Solaris Administration: IP Services     Oracle Solaris 11 Information Library
Working With IP Filter Rule Sets

The following task map identifies the procedures associated with IP Filter rule sets.

Table 21-3 Working With IP Filter Rule Sets (Task Map)

Task: Manage, view and modify IP Filter packet filtering rule sets.

    Description                                      For Instructions
    View an active packet filtering rule set.        How to View the Active Packet Filtering Rule Set
    View an inactive packet filtering rule set.      How to View the Inactive Packet Filtering Rule Set
    Activate a different active rule set.            How to Activate a Different or Updated Packet Filtering Rule Set
    Remove a rule set.                               How to Remove a Packet Filtering Rule Set
    Add rules to the rule sets.                      How to Append Rules to the Active Packet Filtering Rule Set
                                                     How to Append Rules to the Inactive Packet Filtering Rule Set
    Move between active and inactive rule sets.      How to Switch Between Active and Inactive Packet Filtering Rule Sets
    Delete an inactive rule set from the kernel.     How to Remove an Inactive Packet Filtering Rule Set From the Kernel

Task: Manage, view and modify IP Filter NAT rules.

    Description                                      For Instructions
    View active NAT rules.                           How to View Active NAT Rules
    Remove NAT rules.                                How to Remove NAT Rules
    Add additional rules to NAT rules.               How to Append Rules to the NAT Rules

Task: Manage, view and modify IP Filter address pools.

    Description                                      For Instructions
    View active address pools.                       How to View Active Address Pools
    Remove an address pool.                          How to Remove an Address Pool
    Add additional rules to an address pool.         How to Append Rules to an Address Pool

Managing Packet Filtering Rule Sets for IP Filter

When IP Filter is enabled, both an active and an inactive packet filtering rule set can reside in the kernel. The active rule set determines what filtering is done on incoming and outgoing packets. The inactive rule set also stores rules, but these rules are not used unless you make the inactive rule set the active rule set. You can manage, view, and modify both the active and the inactive packet filtering rule set.

How to View the Active Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the active packet filtering rule set that is loaded in the kernel.
    # ipfstat -io

Example 21-1 Viewing the Active Packet Filtering Rule Set

The following example shows output from the active packet filtering rule set that is loaded in the kernel.

# ipfstat -io
empty list for ipfilter(out)
pass in quick on dmfe1 from 192.168.1.0/24 to any
pass in all
block in on dmfe1 from 192.168.1.10/32 to any

How to View the Inactive Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the inactive packet filtering rule set.
    # ipfstat -I -io

Example 21-2 Viewing the Inactive Packet Filtering Rule Set

The following example shows output from the inactive packet filtering rule set.

# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all

How to Activate a Different or Updated Packet Filtering Rule Set

Use the following procedure either to activate an entirely different rule set or to reload a rule set that you have updated in its configuration file:

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Choose one of the following steps:
    • Create a new rule set in a separate file of your choice if you want to activate an entirely different rule set.

    • Update the current rule set by editing the configuration file that contains that rule set.

  3. Remove the current rule set and load the new rule set.
    # ipf -Fa -f filename

    The filename can either be the new file with the new rule set or the updated file that contains the active rule set.

    The active rule set is removed from the kernel. The rules in the filename file become the active rule set.


    Note - You still need to issue the command even if you are reloading the current configuration file. Otherwise, the old rule set continues to be operative, and the modified rule set in the updated configuration file is not applied.

    Do not use commands such as ipf -D or svcadm restart to load the updated rule set. Such commands expose your network by disabling the firewall first before loading the new rule set.


Example 21-3 Activating a Different Packet Filtering Rule Set

The following example shows how to replace one packet filtering rule set with another packet filtering rule set in a separate configuration file, /etc/ipf/ipf.conf.

# ipfstat -io
empty list for ipfilter(out)
pass in quick on dmfe all
# ipf -Fa -f /etc/ipf/ipf.conf
# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any

Example 21-4 Reloading an Updated Packet Filtering Rule Set

The following example shows how to reload a packet filtering rule set that is currently active and which is then updated. In this example, the file in use is /etc/ipf/ipf.conf.

# ipfstat -io (Optional)
empty list for ipfilter (out)
block in log quick from 10.0.0.0/8 to any

(Edit the /etc/ipf/ipf.conf configuration file.)

# ipf -Fa -f /etc/ipf/ipf.conf
# ipfstat -io (Optional)
empty list for ipfilter (out)
block in log quick from 10.0.0.0/8 to any
block in quick on elx10 from 192.168.0.0/12 to any

How to Remove a Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Remove the rule set.
    # ipf -F [a|i|o]

    -a    Removes all filtering rules from the rule set.
    -i    Removes the filtering rules for incoming packets.
    -o    Removes the filtering rules for outgoing packets.

Example 21-5 Removing a Packet Filtering Rule Set

The following example shows how to remove all filtering rules from the active filtering rule set.

# ipfstat -io
block out log on dmf0 all
block in log quick from 10.0.0.0/8 to any
# ipf -Fa
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

How to Append Rules to the Active Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use one of the following methods to append rules to the active rule set:
    • Append rules to the rule set at the command line using the ipf -f - command.

      # echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f -
    • Perform the following commands:

      1. Create a rule set in a file of your choice.

      2. Add the rules you have created to the active rule set.

        # ipf -f filename

        The rules in filename are added to the end of the active rule set. Because IP Filter uses a “last matching rule” algorithm, the added rules determine filtering priorities, unless you use the quick keyword. If the packet matches a rule containing the quick keyword, the action for that rule is taken, and no subsequent rules are checked.

Example 21-6 Appending Rules to the Active Packet Filtering Rule Set

The following example shows how to add a rule to the active packet filtering rule set from the command line.

# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
# echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f -
# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any

How to Append Rules to the Inactive Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Create a rule set in a file of your choice.
  3. Add the rules you have created to the inactive rule set.
    # ipf -I -f filename

    The rules in filename are added to the end of the inactive rule set. Because IP Filter uses a “last matching rule” algorithm, the added rules determine filtering priorities, unless you use the quick keyword. If the packet matches a rule containing the quick keyword, the action for that rule is taken, and no subsequent rules are checked.
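The "last matching rule" behaviour described here, and in the procedure for the active rule set above, is where appended rules most often surprise administrators: a rule appended without quick silently overrides an earlier rule for the same traffic, while a quick rule earlier in the set is unaffected. The following Python model is an added example, not part of the Oracle documentation or of the IP Filter code; it parses a small subset of the rule syntax that ipfstat -io prints and evaluates constructed packets against a constructed rule set before and after an append. The grammar subset, the rule lines, and the packets are assumptions made for the example.

```python
import ipaddress
import re

# Grammar subset of the rule lines ipfstat -io prints (constructed for this
# example; a real ipf.conf supports far more options than this).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))$"
)

def _net(s):
    """'any' (or an absent field) is a wildcard; otherwise an IP network."""
    return None if s in (None, "any") else ipaddress.ip_network(s, strict=False)

def parse_rule(line):
    """Turn one rule line into a dict of match fields."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    g = m.groupdict()
    return {"action": g["action"], "dir": g["dir"], "quick": g["quick"] is not None,
            "iface": g["iface"], "proto": g["proto"],
            "src": _net(g["src"]), "dst": _net(g["dst"]), "text": line.strip()}

def rule_matches(rule, pkt):
    """pkt: dict with dir, iface, proto, src, dst (addresses as strings)."""
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    return rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"]

def decide(rule_lines, pkt):
    """IP Filter's last-matching-rule algorithm: every matching rule overrides
    the decision so far, except that a matching 'quick' rule ends the search.
    No match at all passes the packet, which is what an empty rule set does."""
    action, winner = "pass", None
    for rule in map(parse_rule, rule_lines):
        if rule_matches(rule, pkt):
            action, winner = rule["action"], rule["text"]
            if rule["quick"]:
                break
    return action, winner

# Constructed active rule set, in the order ipfstat -io would list it.
ACTIVE = ["block in log quick from 10.0.0.0/8 to any",
          "pass in all",
          "block in on dmfe1 from 192.168.1.10/32 to any"]
# A rule appended with "ipf -f -" lands at the end, so without 'quick' it
# overrides the earlier block for the same host; the quick rule is unaffected.
APPENDED = ACTIVE + ["pass in on dmfe1 from 192.168.1.10/32 to any"]

def pkt(src, iface="dmfe1", proto="tcp"):
    """Constructed inbound packet from src to a local address."""
    return {"dir": "in", "iface": iface, "proto": proto, "src": src, "dst": "192.168.1.1"}
```

Calling decide(ACTIVE, pkt("192.168.1.10")) blocks the host, while decide(APPENDED, pkt("192.168.1.10")) passes it because the appended rule is now the last match; a packet from 10.1.1.1 is blocked by the quick rule in both cases.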

Example 21-7 Appending Rules to the Inactive Rule Set

The following example shows how to add a rule to the inactive rule set from a file.

# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all
# ipf -I -f /etc/ipf/ipf.conf
# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all
block in log quick from 10.0.0.0/8 to any

How to Switch Between Active and Inactive Packet Filtering Rule Sets

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Switch the active and inactive rule sets.
    # ipf -s

    This command enables you to switch between the active and inactive rule sets in the kernel. Note that if the inactive rule set is empty, there is no packet filtering.

Example 21-8 Switching Between the Active and Inactive Packet Filtering Rule Sets

The following example shows how using the ipf -s command results in the inactive rule set becoming the active rule set and the active rule set becoming the inactive rule set.

How to Remove an Inactive Packet Filtering Rule Set From the Kernel

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Specify the inactive rule set in the “flush all” command.
    # ipf -I -Fa

    This command flushes the inactive rule set from the kernel.


    Note - If you subsequently run ipf -s, the empty inactive rule set will become the active rule set. An empty active rule set means that no filtering will be done.


Example 21-9 Removing an Inactive Packet Filtering Rule Set From the Kernel

The following example shows how to flush the inactive packet filtering rule set so that all of its rules are removed.

# ipfstat -I -io
empty list for inactive ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any
# ipf -I -Fa
# ipfstat -I -io
empty list for inactive ipfilter(out)
empty list for inactive ipfilter(in)

Managing NAT Rules for IP Filter

Use the following procedures to manage, view, and modify NAT rules.

How to View Active NAT Rules

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the active NAT rules.
    # ipnat -l

Example 21-10 Viewing Active NAT Rules

The following example shows the output from the active NAT rule set.

# ipnat -l
List of active MAP/Redirect filters:
map dmfe0 192.168.1.0/24 -> 20.20.20.1/32

List of active sessions:

How to Remove NAT Rules

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Remove the current NAT rules.
    # ipnat -C

Example 21-11 Removing NAT Rules

The following example shows how to remove the entries in the current NAT rules.

# ipnat -l
List of active MAP/Redirect filters:
map dmfe0 192.168.1.0/24 -> 20.20.20.1/32

List of active sessions:
# ipnat -C
1 entries flushed from NAT list
# ipnat -l
List of active MAP/Redirect filters:

List of active sessions:

How to Append Rules to the NAT Rules

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use one of the following methods to append rules to the active NAT rules:
    • Append rules to the NAT rule set at the command line using the ipnat -f - command.

      # echo "map dmfe0 192.168.1.0/24 -> 20.20.20.1/32" | ipnat -f -
    • Perform the following commands:

      1. Create additional NAT rules in a file of your choice.

      2. Add the rules you have created to the active NAT rules.

        # ipnat -f filename

        The rules in filename are added to the end of the NAT rules.

Example 21-12 Appending Rules to the NAT Rule Set

The following example shows how to add a rule to the NAT rule set from the command line.

# ipnat -l
List of active MAP/Redirect filters:

List of active sessions:
# echo "map dmfe0 192.168.1.0/24 -> 20.20.20.1/32" | ipnat -f -
# ipnat -l
List of active MAP/Redirect filters:
map dmfe0 192.168.1.0/24 -> 20.20.20.1/32

List of active sessions:

Managing Address Pools for IP Filter

Use the following procedures to manage, view, and modify address pools.

How to View Active Address Pools

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the active address pool.
    # ippool -l

Example 21-13 Viewing the Active Address Pool

The following example shows how to view the contents of the active address pool.

# ippool -l
table role = ipf type = tree number = 13
        { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };

How to Remove an Address Pool

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Remove the entries in the current address pool.
    # ippool -F

Example 21-14 Removing an Address Pool

The following example shows how to remove an address pool.

# ippool -l
table role = ipf type = tree number = 13
        { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };
# ippool -F
1 object flushed
# ippool -l

How to Append Rules to an Address Pool

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use one of the following methods to append rules to the active address pool:
    • Append rules to the address pool at the command line using the ippool -f - command.

      # echo "table role = ipf type = tree number = 13 {10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24};" | ippool -f -
    • Perform the following commands:

      1. Create additional address pools in a file of your choice.

      2. Add the rules you have created to the active address pool.

        # ippool -f filename

        The rules in filename are added to the end of the active address pool.

Example 21-15 Appending Rules to an Address Pool

The following example shows how to add an address pool to the address pool rule set from the command line.

# ippool -l
table role = ipf type = tree number = 13
        { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };
# echo "table role = ipf type = tree number = 100 {10.0.0.0/32, 172.16.1.2/32, 192.168.1.0/24};" | ippool -f -
# ippool -l
table role = ipf type = tree number = 100
        { 10.0.0.0/32, 172.16.1.2/32, 192.168.1.0/24; };
table role = ipf type = tree number = 13
        { 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24; };