System Administration Guide: IP Services

Procedure: How to Enable Oracle Solaris IP Filter

Use this procedure to enable Oracle Solaris IP Filter on a system that is running at least Solaris 10 7/07 OS. If your system is running a release of Oracle Solaris 10 earlier than Solaris 10 7/07, see Working With the pfil Module instead.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Create a packet filtering rule set.

    The packet filtering rule set contains packet filtering rules that are used by Oracle Solaris IP Filter. If you want the packet filtering rules to be loaded at boot time, edit the /etc/ipf/ipf.conf file to implement IPv4 packet filtering. Use the /etc/ipf/ipf6.conf file for IPv6 packet filtering rules. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice, and manually activate packet filtering. For information about packet filtering, see Using Oracle Solaris IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing Oracle Solaris IP Filter Configuration Files.

  3. (Optional) Create a network address translation (NAT) configuration file.

    Note – Network Address Translation (NAT) does not support IPv6.

    Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually activate the NAT rules.

    For more information about NAT, see Using Oracle Solaris IP Filter's NAT Feature.

  4. (Optional) Create an address pool configuration file.

    Create an ippool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put the address pool. If you do not want the address pool configuration file to be loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate the rules.

    An address pool can contain only IPv4 addresses, only IPv6 addresses, or a mix of both.

    For more information about address pools, see Using Oracle Solaris IP Filter's Address Pools Feature.

  5. (Optional) Enable filtering of loopback traffic.

    If you intend to filter traffic between zones that are configured in your system, you must enable loopback filtering. See How to Enable Loopback Filtering. Make sure that you also define the appropriate rule sets that apply to the zones.

  6. Activate Oracle Solaris IP Filter.


    # svcadm enable network/ipfilter
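The following script is an added example, not part of the Oracle guide, that carries steps 2 through 6 through end to end: it writes a default-deny IPv4 rule set (step 2), an optional NAT map (step 3), an address pool of administrative hosts referenced by the SSH rule (step 4), optionally prepends the loopback-filtering directive for zone traffic (step 5), and then enables the service (step 6). The interface name e1000g0, the pool number 10, the admin subnet 192.168.10.0/24 and the private LAN 10.0.0.0/24 are constructed values; the rule, pool and map syntax is the ipf.conf, ippool.conf and ipnat.conf form described in the referenced feature sections.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Generates the IP Filter
# configuration files from steps 2-5 and activates the service (step 6).
# Constructed assumptions: interface e1000g0, admin pool number 10,
# admin subnet 192.168.10.0/24, private LAN 10.0.0.0/24 behind NAT.

# Step 2 (and 5): IPv4 rule set. Third argument "true" enables loopback
# filtering, which must precede every rule and is required to filter
# traffic between zones on the same system.
write_ipf_conf() {
    file="$1"; iface="$2"; loopback="${3:-false}"
    {
        if [ "$loopback" = "true" ]; then
            printf 'set intercept_loopback true;\n'
        fi
        printf '# Log and drop anything not explicitly allowed.\n'
        printf 'block in log all\n'
        printf 'block out log all\n'
        printf '# Stateful outbound: replies to our own connections return.\n'
        printf 'pass out quick on %s all keep state\n' "$iface"
        printf '# Inbound SSH only from the admin pool defined in ippool.conf.\n'
        printf 'pass in quick on %s proto tcp from pool/10 to any port = 22 flags S keep state\n' "$iface"
        printf '# ICMP echo so monitoring can still reach the host.\n'
        printf 'pass in quick on %s proto icmp from any to any icmp-type echo keep state\n' "$iface"
    } > "$file"
}

# Step 3 (optional): hide the private LAN behind the interface address.
# IPv4 only; NAT does not support IPv6.
write_ipnat_conf() {
    file="$1"; iface="$2"
    {
        printf '# Port-mapped NAT for TCP/UDP, plain mapping for everything else.\n'
        printf 'map %s 10.0.0.0/24 -> 0/32 portmap tcp/udp auto\n' "$iface"
        printf 'map %s 10.0.0.0/24 -> 0/32\n' "$iface"
    } > "$file"
}

# Step 4 (optional): address pool 10, the administrative hosts (constructed).
write_ippool_conf() {
    file="$1"
    {
        printf '# Pool 10: hosts permitted to open SSH sessions.\n'
        printf 'table role = ipf type = tree number = 10\n'
        printf '    { 192.168.10.0/24, 192.168.20.5/32 };\n'
    } > "$file"
}

# Step 6: enable the service; if it was already running, reload the
# files explicitly (pool first, since the filter rules reference it).
activate_ipfilter() {
    command -v svcadm >/dev/null 2>&1 || {
        echo "svcadm not found: this step only runs on Solaris" >&2; return 1; }
    svcadm enable network/ipfilter
    ippool -F
    ippool -f /etc/ipf/ippool.conf
    ipf -Fa -f /etc/ipf/ipf.conf
    ipnat -CF -f /etc/ipf/ipnat.conf
    ipfstat -io      # show the rules that are now loaded
}

# Usage: sh setup_ipfilter.sh apply   (as a role with IP Filter Management)
if [ "${1:-}" = "apply" ]; then
    write_ipf_conf /etc/ipf/ipf.conf e1000g0 true
    write_ipnat_conf /etc/ipf/ipnat.conf e1000g0
    write_ippool_conf /etc/ipf/ippool.conf
    activate_ipfilter
fi
```

The generator functions take a target path so the files can be written to a scratch directory and reviewed before they are placed under /etc/ipf/, which is the location the service reads at boot; writing them elsewhere and loading them with ipf -f, ipnat -f and ippool -f corresponds to the "manually activate" alternative in steps 2 through 4.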