Securing the Network in Oracle® Solaris 11.2


Updated: August 2014

How to Create IP Filter Configuration Files

To modify the IP Filter policy for an automatically configured network configuration or to use IP Filter in a manually configured network, you create configuration files, inform the service about these files, then enable the service.

Before You Begin

You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Specify the file location of the policy file for the IP Filter service.

    This file contains the packet filtering rule set.

    1. First, set the policy to custom.
      # svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
    2. Then, specify the location of the policy file.

      For example, make /etc/ipf/myorg.ipf.conf the location of your packet filtering rule set.

      # svccfg -s ipfilter:default \
      setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/myorg.ipf.conf"
  2. Create your packet filtering rule set.

    For information about packet filtering, see Using IP Filter's Packet Filtering Feature. For examples of configuration files, see IP Filter Configuration File Examples, and the /etc/nwam/loc/NoNet/ipf.conf file.

    Note - If your specified policy file is empty, no filtering occurs. An empty packet filtering file is the same as having a rule set that reads:
    pass in all
    pass out all

  3. (Optional) Create a network address translation (NAT) configuration file for IP Filter.

    To filter packets over a NAT, create a file for your NAT rules with the default file name, /etc/ipf/ipnat.conf. If you use a different name, you must change the value of the config/ipnat_config_file service property, as in:

    # svccfg -s ipfilter:default \
    setprop config/ipnat_config_file = astring: "/etc/ipf/myorg.ipnat.conf"

    For more information about NAT, see Using IP Filter's NAT Feature.

  4. (Optional) Create an address pool configuration file.

    To refer to a group of addresses as a single address pool, create a file for the pool with the default file name, /etc/ipf/ippool.conf. If you use a different name, you must change the value of the config/ippool_config_file service property, as in:

    # svccfg -s ipfilter:default \
    setprop config/ippool_config_file = astring: "/etc/ipf/myorg.ippool.conf"

    An address pool can contain any combination of IPv4 and IPv6 addresses. For more information about address pools, see Using IP Filter's Address Pools Feature.

  5. (Optional) Enable filtering of loopback traffic.

    If you intend to filter traffic between zones that are configured in your system, you must enable loopback filtering. See How to Enable Loopback Filtering. You must also define rule sets that apply to the zones.

  6. (Optional) Disable the reassembly of fragmented packets.

    By default, fragments are reassembled in IP Filter. To modify the default, see How to Disable Packet Reassembly.
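The following script is an added example and is not part of the Oracle Solaris documentation or the IP Filter software. It performs steps 1 through 4 of the procedure above: it refuses to proceed if the policy file is missing or holds no rules (because, as the Note in step 2 says, an empty file passes all traffic), sets the policy to custom, points the service at the policy file, and registers non-default NAT and address pool files only when they exist. The file names are the ones the text uses as examples (/etc/ipf/myorg.ipf.conf and so on); the sample rule set written by write_sample_ruleset is constructed for illustration, and the IPF_APPLY variable and the apply argument are conventions of this script, not of svccfg. Without IPF_APPLY=1 the svccfg commands are only printed, so the script can be exercised on a host without IP Filter.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): apply steps 1-4
# of "How to Create IP Filter Configuration Files".
# IPF_APPLY=1 executes the svccfg commands; otherwise they are only printed.

POLICY_FILE="${POLICY_FILE:-/etc/ipf/myorg.ipf.conf}"
IPNAT_FILE="${IPNAT_FILE:-/etc/ipf/myorg.ipnat.conf}"
IPPOOL_FILE="${IPPOOL_FILE:-/etc/ipf/myorg.ippool.conf}"

# Print (and, with IPF_APPLY=1, run) the svccfg command that sets one astring
# property on the ipfilter:default service instance.
set_ipf_prop() {
    echo "svccfg -s ipfilter:default setprop $1 = astring: \"$2\""
    if [ "${IPF_APPLY:-0}" = 1 ]; then
        svccfg -s ipfilter:default setprop "$1" = astring: "$2"
    fi
}

# Write a constructed, minimal rule set to FILE (illustration only; see
# "IP Filter Configuration File Examples" for the documented examples).
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# constructed sample rule set: drop and log everything inbound except SSH,
# allow outbound connections and keep state for their replies
block in log all
pass out quick from any to any keep state
pass in quick proto tcp from any to any port = 22 keep state
EOF
}

# Succeed (0) only if FILE exists and contains at least one line that is not
# blank or a comment. An empty policy file is equivalent to
# "pass in all / pass out all", i.e. no filtering, so it is rejected.
ruleset_has_rules() {
    [ -s "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -q '[^[:space:]]'
}

# Steps 1, 3 and 4 of the procedure; step 2 (writing the rule set) must be
# done beforehand, and the policy file is checked here.
configure_ipfilter() {
    if ! ruleset_has_rules "$POLICY_FILE"; then
        echo "error: $POLICY_FILE is missing or has no rules (an empty file passes all traffic)" >&2
        return 1
    fi
    # Step 1: custom policy and its location
    set_ipf_prop firewall_config_default/policy custom
    set_ipf_prop firewall_config_default/custom_policy_file "$POLICY_FILE"
    # Step 3: non-default NAT rules file, only if one was created
    [ -f "$IPNAT_FILE" ] && set_ipf_prop config/ipnat_config_file "$IPNAT_FILE"
    # Step 4: non-default address pool file, only if one was created
    [ -f "$IPPOOL_FILE" ] && set_ipf_prop config/ippool_config_file "$IPPOOL_FILE"
    return 0
}

# Usage: IPF_APPLY=1 sh configure-ipf.sh apply
# Without the "apply" argument the script only defines the functions above.
if [ "${1:-}" = apply ]; then
    configure_ipfilter
fi
```

After the properties are set, the remaining steps of the page still apply: enable the service (and loopback filtering or fragment handling if needed). Running the script without IPF_APPLY=1 first is a cheap way to review exactly which svccfg commands will be issued.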