How to Disable Packet Reassembly - Securing the Network in Oracle® Solaris 11.2

Securing the Network in Oracle^® Solaris 11.2

Exit Print View

» ...Documentation Home » Oracle Solaris 11.2 Information Library » Securing the Network in Oracle^® ... » Configuring IP Filter » Configuring the IP Filter Service » How to Disable Packet Reassembly

Updated: August 2014

Securing the Network in Oracle^® Solaris 11.2

Document Information

Using This Documentation

Chapter 1 Using Link Protection in Virtualized Environments

Chapter 2 Tuning Your Network

Chapter 3 Web Servers and the Secure Sockets Layer Protocol

Chapter 4 About IP Filter in Oracle Solaris

Chapter 5 Configuring IP Filter

Configuring the IP Filter Service

How to Display IP Filter Service Defaults

How to Create IP Filter Configuration Files

How to Enable and Refresh IP Filter

How to Disable Packet Reassembly

How to Enable Loopback Filtering

How to Disable Packet Filtering

Working With IP Filter Rule Sets

Managing Packet Filtering Rule Sets for IP Filter

Managing NAT Rules for IP Filter

Managing Address Pools for IP Filter

Displaying Statistics and Information for IP Filter

How to View State Tables for IP Filter

How to View State Statistics for IP Filter

How to View IP Filter Tunable Parameters

How to View NAT Statistics for IP Filter

How to View Address Pool Statistics for IP Filter

Working With Log Files for IP Filter

How to Set Up a Log File for IP Filter

How to View IP Filter Log Files

How to Flush the Packet Log Buffer

How to Save Logged Packets to a File

IP Filter Configuration File Examples

Chapter 6 About IP Security Architecture

Chapter 7 Configuring IPsec

Chapter 8 About Internet Key Exchange

Chapter 9 Configuring IKEv2

Chapter 10 Configuring IKEv1

Chapter 11 Troubleshooting IPsec and Its Key Management Services

Chapter 12 IPsec and Key Management Reference

Network Security Glossary

Language:

How to Disable Packet Reassembly

By default, fragments are reassembled in IP Filter. To disable this reassembly, you insert a rule at the beginning of your policy file.

Before You Begin

You must become an administrator who is assigned the IP Filter Management rights profile and the solaris.admin.edit/path-to-IPFilter-policy-file authorization. The root role has all of these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

Disable IP Filter.
```
# svcadm disable network/ipfilter
```
Add the following rule at the beginning of your IP Filter policy file.
```
set defrag off;
```
Use the pfedit command, as in:
```
# pfedit /etc/ipf/myorg.ipf.conf
```
This rule must precede all block and pass rules in the file. However, you can insert comments before the line, similar to the following example:
```
# Disable fragment reassembly
#
set defrag off;
# Define policy
#
block in all
block out all
other rules
```
Enable IP Filter.
```
# svcadm enable network/ipfilter
```
Verify that packets are not being reassembled.
```
# ipf -T defrag
defrag  min 0   max 0x1 current 0
```
If the value of current is 0, fragments are not being reassembled. If current is 1, fragments are being reassembled.

Copyright © 1999, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices