System Administration Guide: IP Services

Working With the pfil Module

This section describes how to use the pfil STREAMS module to activate or deactivate Oracle Solaris IP Filter and how to view pfil statistics. The procedures apply only to systems that run one of the following Oracle Solaris 10 releases:

The following task map identifies procedures that are associated with configuring the pfil module.

Table 26–3 Working With the pfil Module (Task Map)

Task: Enable Oracle Solaris IP Filter
Description: Oracle Solaris IP Filter is not enabled by default. You must either enable it manually or use the configuration files in the /etc/ipf/ directory and reboot the system.
For Instructions: How to Enable Oracle Solaris IP Filter in Previous Oracle Solaris 10 Releases

Task: Activate a NIC for packet filtering
Description: Configure the pfil module to activate packet filtering on a NIC.
For Instructions: How to Activate a NIC for Packet Filtering

Task: Deactivate Oracle Solaris IP Filter on a NIC
Description: Remove a NIC from the pfil configuration and allow all packets to pass through the NIC.
For Instructions: How to Deactivate Oracle Solaris IP Filter on a NIC

Task: View pfil statistics
Description: View statistics for the pfil module with the ndd command to help you troubleshoot Oracle Solaris IP Filter.
For Instructions: How to View pfil Statistics for Oracle Solaris IP Filter

Procedure: How to Enable Oracle Solaris IP Filter in Previous Oracle Solaris 10 Releases

Oracle Solaris IP Filter is installed with Oracle Solaris. However, packet filtering is not enabled by default. Use the following procedure to activate Oracle Solaris IP Filter.


Note –

If your system is running at least the Solaris 10 7/07 release, follow the procedure How to Enable Oracle Solaris IP Filter that uses packet filter hooks.


  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the file editor of your choice, and edit the /etc/ipf/pfil.ap file.

    This file contains the names of network interface cards (NICs) on the host. By default, the names are commented out. Uncomment the device names that carry the network traffic you want to filter. If the name of the NIC for your system is not listed, add a line to specify the NIC.


    # vi /etc/ipf/pfil.ap
    # IP Filter pfil autopush setup
    #
    # See autopush(1M) manpage for more information.
    #
    # Format of the entries in this file is:
    #
    #major  minor lastminor modules
    
    #le     -1      0       pfil
    #qe     -1      0       pfil
    hme     -1      0       pfil (Device has been uncommented for filtering)
    #qfe    -1      0       pfil
    #eri    -1      0       pfil
    #ce     -1      0       pfil
    #bge    -1      0       pfil
    #be     -1      0       pfil
    #vge    -1      0       pfil
    #ge     -1      0       pfil
    #nf     -1      0       pfil
    #fa     -1      0       pfil
    #ci     -1      0       pfil
    #el     -1      0       pfil
    #ipdptp -1      0       pfil
    #lane   -1      0       pfil
    #dmfe   -1      0       pfil
  3. Activate your changes to the /etc/ipf/pfil.ap file by restarting the network/pfil service instance.


    # svcadm restart network/pfil
    
  4. Create a packet filtering rule set.

    The packet filtering rule set contains packet filtering rules that are used by Oracle Solaris IP Filter. If you want the packet filtering rules to be loaded at boot time, edit the /etc/ipf/ipf.conf file to implement IPv4 packet filtering. Use the /etc/ipf/ipf6.conf file for IPv6 packet filtering rules. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice, and manually activate packet filtering. For information about packet filtering, see Using Oracle Solaris IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing Oracle Solaris IP Filter Configuration Files.

  5. (Optional) Create a network address translation (NAT) configuration file.


    Note –

    Network Address Translation (NAT) does not support IPv6.


    Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually activate the NAT rules.

    For more information about NAT, see Using Oracle Solaris IP Filter's NAT Feature.

  6. (Optional) Create an address pool configuration file.

    Create an ippool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put the address pool. If you do not want the address pool configuration file to be loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate the rules.

    An address pool can contain only IPv4 addresses, only IPv6 addresses, or a mix of IPv4 and IPv6 addresses.

    For more information about address pools, see Using Oracle Solaris IP Filter's Address Pools Feature.

  7. Activate Oracle Solaris IP Filter by using one of the following methods:

    • Enable IP Filter and reboot the machine.


      # svcadm enable network/ipfilter
      # reboot
      

      Note –

      Rebooting is required if you cannot safely use the ifconfig unplumb and ifconfig plumb commands on the NICs.


    • Enable the NICs by using the ifconfig unplumb and ifconfig plumb commands. Then enable IP Filter. The inet6 version of the interface must be plumbed in order to implement IPv6 packet filtering.


      # ifconfig hme0 unplumb
      # ifconfig hme0 plumb 192.168.1.20 netmask 255.255.255.0 up
      # ifconfig hme0 inet6 unplumb
      # ifconfig hme0 inet6 plumb fec3:f849::1/96 up
      # svcadm enable network/ipfilter
      

      For more information about the ifconfig command, see the ifconfig(1M) man page.

Procedure: How to Activate a NIC for Packet Filtering

Oracle Solaris IP Filter is enabled at boot time when the /etc/ipf/ipf.conf file (or the /etc/ipf/ipf6.conf file when using IPv6) exists. If you need to enable filtering on a NIC after Oracle Solaris IP Filter is enabled, use the following procedure.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the file editor of your choice, and edit the /etc/ipf/pfil.ap file.

    This file contains the names of NICs on the host. By default, the names are commented out. Uncomment the device names that carry the network traffic you want to filter. If the name of the NIC for your system is not listed, add a line to specify the NIC.


    # vi /etc/ipf/pfil.ap
    # IP Filter pfil autopush setup
    #
    # See autopush(1M) manpage for more information.
    #
    # Format of the entries in this file is:
    #
    #major  minor lastminor modules
    
    #le     -1      0       pfil
    #qe     -1      0       pfil
    hme     -1      0       pfil (Device has been uncommented for filtering)
    #qfe    -1      0       pfil
    #eri    -1      0       pfil
    #ce     -1      0       pfil
    #bge    -1      0       pfil
    #be     -1      0       pfil
    #vge    -1      0       pfil
    #ge     -1      0       pfil
    #nf     -1      0       pfil
    #fa     -1      0       pfil
    #ci     -1      0       pfil
    #el     -1      0       pfil
    #ipdptp -1      0       pfil
    #lane   -1      0       pfil
    #dmfe   -1      0       pfil
  3. Activate your changes to the /etc/ipf/pfil.ap file by restarting the network/pfil service instance.


    # svcadm restart network/pfil
    
  4. Enable the NIC by using one of the following methods:

    • Reboot the machine.


      # reboot
      

      Note –

      Rebooting is required if you cannot safely use the ifconfig unplumb and ifconfig plumb commands on the NICs.


    • Enable the NICs that you want to filter by using the ifconfig command with the unplumb and plumb options. The inet6 version of each interface must be plumbed in order to implement IPv6 packet filtering.


      # ifconfig hme0 unplumb
      # ifconfig hme0 plumb 192.168.1.20  netmask 255.255.255.0  up
      # ifconfig hme0 inet6 unplumb
      # ifconfig hme0 inet6 plumb fec3:f840::1/96 up
      

      For more information about the ifconfig command, see the ifconfig(1M) man page.

Procedure: How to Deactivate Oracle Solaris IP Filter on a NIC

If you need to stop filtering packets on a NIC, use the following procedure.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the file editor of your choice, and edit the /etc/ipf/pfil.ap file.

    This file contains the names of NICs on the host. The NICs that have been used to filter network traffic are uncommented. Comment out the device names that you no longer want to use to filter network traffic.


    # vi /etc/ipf/pfil.ap
    # IP Filter pfil autopush setup
    #
    # See autopush(1M) manpage for more information.
    #
    # Format of the entries in this file is:
    #
    #major  minor lastminor modules
    
    #le     -1      0       pfil
    #qe     -1      0       pfil
    #hme    -1      0       pfil (Commented-out device no longer filters network traffic)
    #qfe    -1      0       pfil
    #eri    -1      0       pfil
    #ce     -1      0       pfil
    #bge    -1      0       pfil
    #be     -1      0       pfil
    #vge    -1      0       pfil
    #ge     -1      0       pfil
    #nf     -1      0       pfil
    #fa     -1      0       pfil
    #ci     -1      0       pfil
    #el     -1      0       pfil
    #ipdptp -1      0       pfil
    #lane   -1      0       pfil
    #dmfe   -1      0       pfil
  3. Deactivate the NIC by using one of the following methods:

    • Reboot the machine.


      # reboot
      

      Note –

      Rebooting is required if you cannot safely use the ifconfig unplumb and ifconfig plumb commands on the NICs.


    • Deactivate the NICs by using the ifconfig command with the unplumb and plumb options. The inet6 version of each interface must be unplumbed in order to deactivate IPv6 packet filtering. Perform the following steps. The sample device in the system is hme:

      1. Identify the major number for the device you are deactivating.


        # grep hme /etc/name_to_major
        hme 7
      2. Display the current autopush configuration for hme0.


        # autopush -g -M 7 -m 0
           Major     Minor     Lastminor       Modules
               7      ALL          -           pfil
      3. Remove the autopush configuration.


        # autopush -r -M 7 -m 0
        
      4. Open the device and assign IP addresses to the device.


        # ifconfig hme0 unplumb
        # ifconfig hme0 plumb 192.168.1.20  netmask 255.255.255.0  up
        # ifconfig hme0 inet6 unplumb
        # ifconfig hme0 inet6 plumb fec3:f840::1/96 up
        

        For more information about the ifconfig command, see the ifconfig(1M) man page.
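The three procedures above (enabling IP Filter, activating a NIC, deactivating a NIC) all start with the same hand edit of /etc/ipf/pfil.ap, and the deactivation path additionally looks up the driver's major number in /etc/name_to_major. The following shell helpers, added here as an example and not part of the Oracle guide, make those edits repeatable and checkable. Every function takes an explicit file path, so you can run it against a copy of pfil.ap (or the constructed sample below) before touching the real file; the entry format "<major> <minor> <lastminor> <modules>", commented out with a leading '#', is taken from the file's own header. The commands that apply the change on a live system (svcadm restart network/pfil, autopush -r, ifconfig) are not run by the script.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: helpers for the pfil.ap edits
# shared by the enable / activate / deactivate procedures. All functions take
# the path of the file to operate on so they can be exercised on a copy.

# Print the device names whose pfil entry is active (not commented out).
pfil_list_active() {
    awk '$1 !~ /^#/ && NF >= 4 && $4 == "pfil" { print $1 }' "$1"
}

# Exit 0 if device $1 has an active entry in file $2.
pfil_is_active() {
    pfil_list_active "$2" | grep -qx "$1"
}

# Make device $1 active in file $2: uncomment its entry, or append a new
# "<dev> -1 0 pfil" entry when the device is not listed at all.
# Idempotent: an already-active entry is left unchanged.
pfil_enable_nic() {
    dev=$1; file=$2
    pfil_is_active "$dev" "$file" && return 0
    if awk -v dev="$dev" '$1 == ("#" dev) { found = 1 } END { exit !found }' "$file"; then
        awk -v dev="$dev" '$1 == ("#" dev) { sub(/^#/, "") } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\t-1\t0\tpfil\n' "$dev" >> "$file"
    fi
}

# Comment out the active entry for device $1 in file $2 (no-op if inactive).
pfil_disable_nic() {
    awk -v dev="$1" '$1 == dev { $0 = "#" $0 } { print }' \
        "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Look up the major number of driver $1 in a name_to_major file ($2, normally
# /etc/name_to_major), as the first deactivation sub-step does with grep.
# Prints nothing when the driver is not listed.
pfil_major_number() {
    awk -v dev="$1" '$1 == dev { print $2; exit }' "$2"
}

# Demonstration on a constructed copy of pfil.ap (the real file is untouched).
# On a live system the edit would be followed by: svcadm restart network/pfil
demo=${TMPDIR:-/tmp}/pfil.ap.demo.$$
cat > "$demo" <<'EOF'
#major  minor lastminor modules
#le     -1      0       pfil
#hme    -1      0       pfil
#qfe    -1      0       pfil
EOF
pfil_enable_nic hme "$demo"
pfil_enable_nic bge "$demo"            # not listed: a new entry is appended
echo "active after enable: $(pfil_list_active "$demo" | tr '\n' ' ')"
pfil_disable_nic hme "$demo"
echo "active after disable: $(pfil_list_active "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

Because the functions only rewrite the file, the check-before-apply habit is the point: run pfil_list_active on the edited file and confirm it lists exactly the interfaces you intend to filter before restarting network/pfil, since a NIC that is silently left commented out passes all traffic unfiltered.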

Procedure: How to View pfil Statistics for Oracle Solaris IP Filter

You can view pfil statistics when you are troubleshooting Oracle Solaris IP Filter.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View pfil statistics.


    # ndd -get /dev/pfil qif_status
    

Example 26–1 Viewing pfil Statistics for Oracle Solaris IP Filter

The following example shows how to view pfil statistics.


# ndd -get /dev/pfil qif_status
ifname ill q OTHERQ num sap hl nr nw bad copy copyfail drop notip nodata notdata
QIF6 0 300011247b8 300011248b0 6 806 0 4 9 0 0 0 0 0 0 0
dmfe1 3000200a018 30002162a50 30002162b48 5 800 14 171 13681 0 0 0 0 0 0 0
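The qif_status table is wide and most of its columns are kernel addresses, so when troubleshooting it helps to reduce it to the per-interface packet and error counters. The script below, added here as an example and not part of the Oracle guide, does that with awk. It reads the ndd output from standard input so it runs offline against a saved capture; the embedded sample is the guide's own example output plus one constructed hme0 row with non-zero bad and drop counters. The interpretation of the columns (nr/nw as packets read and written; bad, copyfail, drop and notip as error counters) is assumed from the header names.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: summarise "ndd -get /dev/pfil
# qif_status" output. Column positions are taken from the header line, so the
# functions do not depend on a fixed column order.

# Sample capture (constructed): the guide's two example rows plus an hme0 row
# with non-zero "bad" and "drop" counters to exercise the check.
PFIL_SAMPLE='ifname ill q OTHERQ num sap hl nr nw bad copy copyfail drop notip nodata notdata
QIF6 0 300011247b8 300011248b0 6 806 0 4 9 0 0 0 0 0 0 0
dmfe1 3000200a018 30002162a50 30002162b48 5 800 14 171 13681 0 0 0 0 0 0 0
hme0 3000200b018 30002162c50 30002162d48 7 800 14 5000 4200 3 0 0 12 0 0 0'

# Read qif_status output on stdin; print one line per interface:
#   <ifname> in=<nr> out=<nw> errors=<bad+copyfail+drop+notip>
pfil_stats_summary() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NF < 16 { next }                      # blank or truncated rows
        {
            errs = $(col["bad"]) + $(col["copyfail"]) + $(col["drop"]) + $(col["notip"])
            printf "%s in=%s out=%s errors=%d\n", \
                $(col["ifname"]), $(col["nr"]), $(col["nw"]), errs
        }'
}

# Read qif_status output on stdin; print only the names of interfaces whose
# error counters are non-zero. Empty output means every interface is clean.
pfil_stats_flag() {
    pfil_stats_summary | awk '$4 != "errors=0" { print $1 }'
}

# Demonstration on the sample. On a live system replace the printf with:
#   ndd -get /dev/pfil qif_status | pfil_stats_summary
printf '%s\n' "$PFIL_SAMPLE" | pfil_stats_summary
echo "interfaces with errors: $(printf '%s\n' "$PFIL_SAMPLE" | pfil_stats_flag)"
```

Running the summary before and after a change to the rule set, and comparing the error columns, is a quick way to confirm that a NIC is actually being handed to pfil (its nr/nw counters move) and that the filter is not dropping packets unexpectedly.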