System Administration Guide: IP Services

ProcedureHow to Activate a NIC for Packet Filtering

Oracle Solaris IP Filter is enabled at boot time when the /etc/ipf/ipf.conf file (or the /etc/ipf/ipf6.conf file when using IPv6) exists. If you need to enable filtering on a NIC after Oracle Solaris IP Filter is enabled, use the following procedure.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the file editor of your choice, and edit the /etc/ipf/pfil.ap file.

    This file contains the names of NICs on the host. By default, the names are commented out. Uncomment the device names that carry the network traffic you want to filter. If the name of the NIC for your system is not listed, add a line to specify the NIC.

    # vi /etc/ipf/pfil.ap
    # IP Filter pfil autopush setup
    # See autopush(1M) manpage for more information.
    # Format of the entries in this file is:
    #major  minor lastminor modules
    #le     -1      0       pfil
    #qe     -1      0       pfil
    hme     -1      0       pfil (Device has been uncommented for filtering)
    #qfe    -1      0       pfil
    #eri    -1      0       pfil
    #ce     -1      0       pfil
    #bge    -1      0       pfil
    #be     -1      0       pfil
    #vge    -1      0       pfil
    #ge     -1      0       pfil
    #nf     -1      0       pfil
    #fa     -1      0       pfil
    #ci     -1      0       pfil
    #el     -1      0       pfil
    #ipdptp -1      0       pfil
    #lane   -1      0       pfil
    #dmfe   -1      0       pfil
  3. Activate your changes to the /etc/ipf/pfil.ap file by restarting the network/pfil service instance.

    # svcadm restart network/pfil
  4. Enable the NIC by using one of the following methods:

    • Reboot the machine.

      # reboot

      Note –

      Rebooting is required if you cannot safely use the ifconfig unplumb and ifconfig plumb commands on the NICs.

    • Enable the NICs that you want to filter by using the ifconfig command with the unplumb and plumb options. The inet6 version of each interface must be plumbed in order to implement IPv6 packet filtering.

      # ifconfig hme0 unplumb
      # ifconfig hme0 plumb  netmask  up
      # ifconfig hme0 inet6 unplumb
      # ifconfig hme0 inet6 plumb fec3:f840::1/96 up

      For more information about the ifconfig command, see the ifconfig(1M) man page.