Perform this procedure to configure Solaris IP Filter on the global cluster.
Only use Solaris IP Filter with failover data services. The use of Solaris IP Filter with scalable data services is not supported.
NAT routing is not supported.
The use of NAT for translation of local addresses is supported. NAT translation rewrites packets on-the-wire and is therefore transparent to the cluster software.
Only stateless filtering is supported. Do not use the keep state option in rules on cluster nodes.
For more information about the Solaris IP Filter feature, see Part IV, IP Security, in System Administration Guide: IP Services.
Add filter rules to the /etc/ipf/ipf.conf file on all affected nodes.
Observe the following guidelines and requirements when you add filter rules to Sun Cluster nodes.
(Solaris 10 only) In the ipf.conf file on each node, add rules to explicitly allow cluster interconnect traffic to pass unfiltered. Rules that are not interface specific are applied to all interfaces, including cluster interconnects. Ensure that traffic on these interfaces is not blocked mistakenly.
For example, suppose the following rules are currently used:
# Default block TCP/UDP unless some later rule overrides
block return-rst in proto tcp/udp from any to any
# Default block ping unless some later rule overrides
block return-rst in proto icmp all
To unblock cluster interconnect traffic, add the following rules. The subnets shown are examples only. Derive the subnets to use on each node by running the ifconfig interface command for each interconnect adapter and for the clprivnet0 interface. The quick keyword makes these rules final for a matching packet, so they take precedence over the earlier default block rules even though IP Filter otherwise applies the last matching rule.
# Unblock cluster traffic on 172.16.0.128/25 subnet (physical interconnect)
pass in quick proto tcp/udp from 172.16.0.128/25 to any
pass out quick proto tcp/udp from 172.16.0.128/25 to any
# Unblock cluster traffic on 172.16.1.0/25 subnet (physical interconnect)
pass in quick proto tcp/udp from 172.16.1.0/25 to any
pass out quick proto tcp/udp from 172.16.1.0/25 to any
# Unblock cluster traffic on 172.16.4.0/23 (clprivnet0 subnet)
pass in quick proto tcp/udp from 172.16.4.0/23 to any
pass out quick proto tcp/udp from 172.16.4.0/23 to any
Sun Cluster software fails over network addresses from node to node. No special procedure or code is needed at the time of failover.
All filtering rules that reference IP addresses of logical hostname and shared address resources must be identical on all cluster nodes.
On a standby node, such a rule references an IP address that is not currently configured on that node. The rule is nevertheless part of the active IP Filter rule set and takes effect as soon as the node acquires the address after a failover.
All filtering rules must be the same for all NICs in the same IPMP group. In other words, if a rule is interface-specific, the same rule must also exist for all other interfaces in the same IPMP group.
For more information about Solaris IP Filter rules, see the ipf(4) man page.
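The following script is an added example and is not part of the Sun Cluster documentation or software. It covers two of the steps above: deriving the interconnect subnets from ifconfig output (the subnets in the rules above are examples; the real ones come from the node) and checking that interface-specific rules exist for every NIC in an IPMP group. The interface names, addresses and rule text are constructed sample data; on a real node you would pass the output of ifconfig -a and the interconnect adapter names from the cluster configuration.

```shell
#!/bin/sh
# Added example, not part of the Sun Cluster documentation or software.
# Generates the interconnect pass rules from "ifconfig -a" output and checks
# that interface-specific rules are mirrored across the NICs of an IPMP group.
# Interface names, addresses and rule text below are constructed sample data.

# Popcount of a contiguous hex netmask as printed by Solaris ifconfig (ffffff80 -> 25).
mask_to_prefix() {
    _m=$(( 0x$1 )); _p=0
    while [ "$_m" -ne 0 ]; do
        _p=$(( _p + (_m & 1) )); _m=$(( _m >> 1 ))
    done
    echo "$_p"
}

# Dotted quad <-> 32-bit integer.
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Emit the pass in/out quick rules for one interface: name, inet address, hex netmask.
rules_for() {
    _net=$(( $(ip_to_int "$2") & 0x$3 ))
    _cidr="$(int_to_ip "$_net")/$(mask_to_prefix "$3")"
    printf '# Unblock cluster traffic on %s (%s)\n' "$_cidr" "$1"
    printf 'pass in quick proto tcp/udp from %s to any\n' "$_cidr"
    printf 'pass out quick proto tcp/udp from %s to any\n' "$_cidr"
}

# gen_rules IFCONFIG_OUTPUT IFACE...: look up each named interface in the
# ifconfig text and emit its rules. Interconnect adapter names come from the
# cluster configuration; they are not guessed from the output. Logical
# interfaces such as e1000g0:1 are distinct names and are not matched.
gen_rules() {
    _text=$1; shift
    for _if in "$@"; do
        _line=$(printf '%s\n' "$_text" | awk -v ifname="$_if" '
            $1 == (ifname ":") { want = 1; next }
            want && $1 == "inet" { print $2, $4; exit }
            /^[^ \t]/ { want = 0 }')
        if [ -n "$_line" ]; then
            rules_for "$_if" "${_line%% *}" "${_line##* }"
        fi
    done
}

# check_ipmp_group RULES NIC...: for every rule that names one NIC of the
# group with "on NIC", report the same rule as missing for each other NIC
# of the group that has no identical rule. Empty output means consistent.
check_ipmp_group() {
    _rules=$1; shift
    for _nic in "$@"; do
        printf '%s\n' "$_rules" | grep " on $_nic " | while read -r _rule; do
            for _other in "$@"; do
                [ "$_other" = "$_nic" ] && continue
                _want=$(printf '%s\n' "$_rule" | sed "s/ on $_nic / on $_other /")
                printf '%s\n' "$_rules" | grep -qxF "$_want" || echo "missing: $_want"
            done
        done
    done
}

# Constructed sample "ifconfig -a" output in Solaris format (not from a real node).
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.11 netmask ffffff00 broadcast 192.168.1.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.10 netmask ffffff00 broadcast 192.168.1.255
e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 172.16.0.129 netmask ffffff80 broadcast 172.16.0.255
e1000g2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 172.16.1.1 netmask ffffff80 broadcast 172.16.1.127
clprivnet0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 172.16.4.1 netmask fffffe00 broadcast 172.16.5.255'

# Constructed rule set: both rules name e1000g0 but have no twin for e1000g3.
SAMPLE_RULES='pass in quick on e1000g0 proto tcp from any to 192.168.1.10 port = 80
block in quick on e1000g0 from any to 192.168.1.10'

gen_rules "$SAMPLE_IFCONFIG" e1000g1 e1000g2 clprivnet0
check_ipmp_group "$SAMPLE_RULES" e1000g0 e1000g3
```

Run once per node and compare the generated rules with what is in /etc/ipf/ipf.conf; the IPMP check is run against the rule file with the NIC names of each IPMP group, and any "missing:" line is a rule that has to be duplicated for the named interface before the rule set is consistent.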
Enable the ipfilter SMF service.
phys-schost# svcadm enable /network/ipfilter:default
Configure Sun Cluster software on the cluster nodes. Go to Establishing a New Global Cluster or New Global-Cluster Node.