System Administration Guide: IP Services

Configuring Packet Filtering Rules

Use the following syntax to create packet filtering rules:

action [in|out] option keyword, keyword...

  1. Each rule begins with an action. Oracle Solaris IP Filter applies the action to the packet if the packet matches the rule. The following list includes the commonly used actions applied to a packet.


    Prevents the packet from passing through the filter.


    Allows the packet through the filter.


    Logs the packet but does not determine if the packet is blocked or passed. Use the ipmon command to view the log.


    Includes the packet in the filter statistics. Use the ipfstat command to view the statistics.

    skip number

    Makes the filter skip over number filtering rules.


    Requests that packet authentication be performed by a user program that validates packet information. The program determines whether the packet is passed or blocked.


    Requests that the filter look at a pre-authenticated list to determine what to do with the packet.

  2. Following the action, the next word must be either in or out. Your choice determines whether the packet filtering rule is applied to an incoming packet or to an outgoing packet.

  3. Next, you can choose from a list of options. If you use more than one option, they must be in the order shown here.


    Logs the packet if the rule is the last matching rule. Use the ipmon command to view the log.


    Executes the rule containing the quick option if there is a packet match. All further rule checking stops.

    on interface-name

    Applies the rule only if the packet is moving in or out of the specified interface.

    dup-to interface-name

    Copies the packet and sends the duplicate out on interface-name to an optionally specified IP address.

    to interface-name

    Moves the packet to an outbound queue on interface-name.

  4. After specifying the options, you can choose from a variety of keywords that determine whether the packet matches the rule. The following keywords must be used in the order shown here.

    Note –

    By default, any packet that does not match any rule in the configuration file is passed through the filter.


    Filters the packet based on the type-of-service value expressed as either a hexadecimal or a decimal integer.


    Matches the packet based on its time-to-live value. The time-to-live value stored in a packet indicates the length of time a packet can be on the network before being discarded.


    Matches a specific protocol. You can use any of the protocol names specified in the /etc/protocols file, or use a decimal number to represent the protocol. The keyword tcp/udp can be used to match either a TCP or a UDP packet.


    Matches any or all of the following: the source IP address, the destination IP address, and the port number. The all keyword is used to accept packets from all sources and to all destinations.


    Matches specified attributes associated with the packet. Insert either the word not or the word no in front of the keyword in order to match the packet only if the option is not present.


    Used for TCP to filter based on TCP flags that are set. For more information on the TCP flags, see the ipf(4) man page.


    Filters according to ICMP type. This keyword is used only when the proto option is set to icmp and is not used if the flags option is used.

    keep keep-options

    Determines the information that is kept for a packet. The keep-options available include the state option and the frags option. The state option keeps information about the session and can be kept on TCP, UDP, and ICMP packets. The frags option keeps information on packet fragments and applies the information to later fragments. The keep-options allow matching packets to pass without going through the access control list.

    head number

    Creates a new group for filtering rules, which is denoted by the number number.

    group number

    Adds the rule to group number number instead of the default group. All filtering rules are placed in group 0 if no other group is specified.

The following example illustrates how to put together the packet filtering rule syntax to create a rule. To block incoming traffic from the IP address, you would include the following rule in the rule list:

block in quick from to any

For the complete grammar and syntax used to write packet filtering rules, see the ipf(4) man page. For tasks associated with packet filtering, see Managing Packet Filtering Rule Sets for Oracle Solaris IP Filter. For an explanation of the IP address scheme ( shown in the example, see Chapter 2, Planning Your TCP/IP Network (Tasks).