test

System Administration Guide: IP Services

ProcedureHow to Enable Oracle Solaris IP Filter in Previous Oracle Solaris 10 Releases

Oracle Solaris IP Filter is installed with Oracle Solaris. However, packet filtering is not enabled by default. Use the following procedure to activate Oracle Solaris IP Filter.

Note –

If your system is running at least the Solaris 10 7/07 release, follow the procedure How to Enable Oracle Solaris IP Filter that uses packet filter hooks.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the file editor of your choice, and edit the /etc/ipf/pfil.ap file.

    This file contains the names of network interface cards (NICs) on the host. By default, the names are commented out. Uncomment the device names that carry the network traffic you want to filter. If the name of the NIC for your system is not listed, add a line to specify the NIC.


    # vi /etc/ipf/pfil.ap
# IP Filter pfil autopush setup
#
# See autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major  minor lastminor modules

#le     -1      0       pfil
#qe     -1      0       pfil
hme     -1      0       pfil (Device has been uncommented for filtering)
#qfe    -1      0       pfil
#eri    -1      0       pfil
#ce     -1      0       pfil
#bge    -1      0       pfil
#be     -1      0       pfil
#vge    -1      0       pfil
#ge     -1      0       pfil
#nf     -1      0       pfil
#fa     -1      0       pfil
#ci     -1      0       pfil
#el     -1      0       pfil
#ipdptp -1      0       pfil
#lane   -1      0       pfil
#dmfe   -1      0       pfil

  3. Activate your changes to the /etc/ipf/pfil.ap file by restarting the network/pfil service instance.


    # svcadm restart network/pfil

  4. Create a packet filtering rule set.

    The packet filtering rule set contains packet filtering rules that are used by Oracle Solaris IP Filter. If you want the packet filtering rules to be loaded at boot time, edit the /etc/ipf/ipf.conf file to implement IPv4 packet filtering. Use the /etc/ipf/ipf6.conf file for IPv6 packet filtering rules. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice, and manually activate packet filtering. For information about packet filtering, see Using Oracle Solaris IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing Oracle Solaris IP Filter Configuration Files.

  5. (Optional) Create a network address translation (NAT) configuration file.

    Note –

    Network Address Translation (NAT) does not support IPv6.

    Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually activate the NAT rules.

    For more information about NAT, see Using Oracle Solaris IP Filter's NAT Feature.

  6. (Optional) Create an address pool configuration file.

    Create an ipool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put the address pool. If you do not want the address pool configuration file to be loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate the rules.

    An address pool can contain only IPv4 addresses or only IPv6 addresses. It can also contain both IPv4 and IPv6 addresses.

    For more information about address pools, see Using Oracle Solaris IP Filter's Address Pools Feature.

  7. Activate Oracle Solaris IP Filter by using one of the following methods:

    • Enable IP Filter and reboot the machine.


      # svcadm enable network/ipfilter
# reboot
      Note –

      Rebooting is required if you cannot safely use the ifconfig unplumb and ifconfig plumb commands on the NICs.

    • Enable the NICs by using the ifconfig unplumb and ifconfig plumb commands. Then enable IP Filter. The inet6 version of the interface must be plumbed in order to implement IPv6 packet filtering.


      # ifconfig hme0 unplumb
# ifconfig hme0 plumb 192.168.1.20 netmask 255.255.255.0 up
# ifconfig hme0 inte6 unplumb
# ifconfig hme0 inet6 plumb fec3:f849::1/96 up
# svcadm enable network/ipfilter

      For more information about the ifconfig command, see the ifconfig(1M) man page.