Oracle® Solaris Cluster Software Installation Guide


Updated: September 2014, E39580-02

How to Configure IP Filter

Perform this procedure to configure the IP Filter feature of Oracle Solaris software on the global cluster.


Note - Only use IP Filter with failover data services. The use of IP Filter with scalable data services is not supported.

For more information about the IP Filter feature, see Chapter 4, About IP Filter in Oracle Solaris, in Securing the Network in Oracle Solaris 11.2.

Before You Begin

Read the guidelines and restrictions to follow when you configure IP Filter in a cluster. See the “IP Filter” bullet item in Oracle Solaris OS Feature Requirements and Restrictions.

  1. Assume the root role.
  2. Add filter rules to the /etc/ipf/ipf.conf file on all affected nodes.

    Observe the following guidelines and requirements when you add filter rules to Oracle Solaris Cluster nodes.

    • In the ipf.conf file on each node, add rules to explicitly allow cluster interconnect traffic to pass unfiltered. Rules that are not interface-specific apply to all interfaces, including the cluster interconnects, so ensure that traffic on these interfaces is not blocked by mistake. If interconnect traffic is blocked, the IP Filter configuration interferes with cluster handshakes and infrastructure operations.

      For example, suppose the following rules are currently used:

      # Default block TCP/UDP unless some later rule overrides
      block return-rst in proto tcp/udp from any to any
      
      # Default block ping unless some later rule overrides
      block return-rst in proto icmp all

      To unblock cluster interconnect traffic, add the following rules. The subnets used are for example only. Derive the subnets to use by using the ifconfig show-addr | grep interface command.

      # Unblock cluster traffic on 172.16.0.128/25 subnet (physical interconnect)
      pass in quick proto tcp/udp from 172.16.0.128/25 to any
      pass out quick proto tcp/udp from 172.16.0.128/25 to any
      
      # Unblock cluster traffic on 172.16.1.0/25 subnet (physical interconnect)
      pass in quick proto tcp/udp from 172.16.1.0/25 to any
      pass out quick proto tcp/udp from 172.16.1.0/25 to any
      
      # Unblock cluster traffic on 172.16.4.0/23 (clprivnet0 subnet)
      pass in quick proto tcp/udp from 172.16.4.0/23 to any
      pass out quick proto tcp/udp from 172.16.4.0/23 to any

    • You can specify either the adapter name or the IP address for a cluster private network. For example, the following rule specifies a cluster private network by its adapter's name:

      # Allow all traffic on cluster private networks.
      pass in quick on net1 all
      …

    • Oracle Solaris Cluster software fails over network addresses from node to node. No special procedure or code is needed at the time of failover.

    • All filtering rules that reference IP addresses of logical hostname and shared address resources must be identical on all cluster nodes.

    • A rule on a standby node references an IP address that is not currently configured on that node. The rule is still part of the active IP Filter rule set and takes effect when the node receives the address after a failover.

    • All filtering rules must be the same for all NICs in the same IPMP group. In other words, if a rule is interface-specific, the same rule must also exist for all other interfaces in the same IPMP group.

    For more information about IP Filter rules, see the ipf(4) man page.

  3. Enable the ipfilter SMF service.
    phys-schost# svcadm enable /network/ipfilter:default
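As an added example that is not part of this guide or of the Oracle Solaris Cluster software, the following Python script checks an ipf.conf rule set against two of the guidelines in Step 2: every interconnect subnet must be passed in both directions ahead of the interface-agnostic block rules, and an interface-specific rule must exist for every NIC in the same IPMP group. The sample ipf.conf, the adapter names net1 and net2 and the IPMP group membership are constructed assumptions; on a real node the subnets and group membership would be read from the node's own address and IPMP configuration.

```python
import ipaddress
import re
# Constructed sample ipf.conf (not from the guide); the subnets reuse the guide's example values.
SAMPLE_IPF_CONF = """\
# Default block TCP/UDP unless some later rule overrides
block return-rst in proto tcp/udp from any to any
pass in quick proto tcp/udp from 172.16.0.128/25 to any
pass out quick proto tcp/udp from 172.16.0.128/25 to any
pass in quick proto tcp/udp from 172.16.1.0/25 to any
# Private-network adapters; net1 and net2 are assumed to share one IPMP group
pass in quick on net1 all
pass out quick on net1 all
pass in quick on net2 all
"""
INTERCONNECT_SUBNETS = ["172.16.0.128/25", "172.16.1.0/25"]  # assumption: read from the node
IPMP_GROUPS = {"ipmp0": ["net1", "net2"]}  # assumption: constructed IPMP membership
RULE_RE = re.compile(  # action, direction, 'quick', optional interface, optional source
    r"^(?P<action>pass|block)(?:\s+\S+)?\s+(?P<dir>in|out)(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:.*?\bfrom\s+(?P<src>\S+)\s+to\s+\S+)?")
def parse_rules(text):
    """Return one dict per rule line; comments and lines the regex cannot read are skipped."""
    matches = (RULE_RE.match(l.strip()) for l in text.splitlines())
    return [{**m.groupdict(), "line": m.string} for m in matches if m]
def covers(src, net):
    """True if a rule source ('any' or a CIDR) includes the whole interconnect subnet."""
    try:
        return src == "any" or net.subnet_of(ipaddress.ip_network(src, strict=False))
    except ValueError:  # hostnames and keywords cannot be checked offline
        return False

def missing_interconnect_rules(rules, subnets):
    """Guideline 1: each interconnect subnet needs 'pass in quick' and 'pass out quick' cover."""
    missing = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        for direction in ("in", "out"):
            if not any(r["action"] == "pass" and r["quick"] and r["dir"] == direction
                       and r["src"] and covers(r["src"], net) for r in rules):
                missing.append((cidr, direction))
    return missing

def ipmp_inconsistencies(rules, ipmp_groups):
    """Guideline 2: an interface-specific rule must be mirrored on every NIC of its IPMP group."""
    lines, problems = {r["line"] for r in rules}, set()
    for group, nics in ipmp_groups.items():
        for r in (r for r in rules if r["iface"] in nics):
            for nic in nics:
                wanted = re.sub(rf"\bon\s+{re.escape(r['iface'])}\b", f"on {nic}", r["line"])
                if wanted not in lines:
                    problems.add(f"{group}: missing '{wanted}'")
    return sorted(problems)
```

On the constructed sample the first check reports that 172.16.1.0/25 has no outbound pass rule and the second that net2 lacks the "pass out quick" rule that net1 has; the regex recognizes only the rule forms shown in this procedure, so other ipf.conf syntax is skipped rather than checked.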

Next Steps

Configure Oracle Solaris Cluster software on the cluster nodes. Go to Establishing a New Global Cluster or New Global-Cluster Node.