How to Switch Between Active and Inactive Packet Filtering <meta http-equiv="refresh" content="0;url='http://www.oracle.com/pls/topic/lookup?ctx=solaris11'"> Rule Sets (System Administration Guide: IP Services)

System Administration Guide: IP Services

How to Switch Between Active and Inactive Packet Filtering Rule Sets

Assume a role that includes the IP Filter Management rights profile, or become superuser.

You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Switch the active and inactive rule sets.
# ipf -s
This command enables you to switch between the active and inactive rule sets in the kernel. Note that if the inactive rule set is empty, there is no packet filtering.

Example 25–8 Switching Between the Active and Inactive Packet Filtering Rule Sets

The following example shows how using the ipf -s command results in the inactive rule set becoming the active rule set and the active rule set becoming the inactive rule set.

Before running the ipf -s command, the output from the ipfstat -I -io command shows the rules in the inactive rule set. The output from the ipfstat -io command shows the rules in the active rule set.

# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any
# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all
block in log quick from 10.0.0.0/8 to any

After running the ipf -s command, the output from the ipfstat -I -io and the ipfstat -io command show that the content of the two rules sets have switched.

# ipf -s
Set 1 now inactive
# ipfstat -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all
block in log quick from 10.0.0.0/8 to any
# ipfstat -I -io
empty list for inactive ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any