Sun Cluster supports Solaris IP Filtering with the following restrictions:
Only failover data services are supported.
Sun Cluster does not support IP Filtering with scalable data services.
Only stateless filtering is supported.
NAT routing is not supported.
Use of NAT for translation of local addresses is supported. NAT translation rewrites packets on-the-wire and is therefore transparent to the cluster software.
In the /etc/iu.ap file, modify the public NIC entries to list clhbsndr pfil as the module list.
The pfil must be the last module in the list.
If you have the same type of adapter for the private and public networks, your edits to the /etc/iu.ap file will also push pfil onto the private network streams. However, the cluster transport module automatically removes all unwanted modules at stream creation, so pfil is removed from the private network streams.
To ensure that the IP filter works in non-cluster mode, update the /etc/ipf/pfil.ap file.
Updates to the /etc/iu.ap file are slightly different. See the IP Filter documentation for more information.
Reboot all affected nodes.
You can boot the nodes in a rolling fashion.
Add filter rules to the /etc/ipf/ipf.conf file on all affected nodes. For information on IP filter rule syntax, see the ipf(4) man page.
Keep in mind the following guidelines and requirements when you add filter rules to Sun Cluster nodes.
Sun Cluster fails over network addresses from node to node. No special procedure or code is needed at the time of failover.
All filtering rules that reference IP addresses of logical hostname and shared address resources must be identical on all cluster nodes.
Rules on a standby node will reference an IP address that does not currently exist on that node. Such a rule is still part of the IP filter's active rule set and becomes effective as soon as the node receives the address after a failover.
All filtering rules must be the same for all NICs in the same IPMP group. In other words, if a rule is interface-specific, the same rule must also exist for all other interfaces in the same IPMP group.
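As an added example that is not part of the Sun Cluster documentation, the following shell script embeds a constructed /etc/ipf/ipf.conf fragment that follows the guidelines above (stateless rules only, identical rules for every NIC in the IPMP group, the same file on every node including the standby), a second fragment that breaks two of them, and two checks that flag the violations. The interface names bge0/bge1, the logical hostname address 192.0.2.50 and the IPMP group membership are assumptions.

```shell
# Added example, not from the Sun Cluster docs. Interface names, the logical
# hostname address 192.0.2.50 and the IPMP membership are assumptions.

# Constructed fragment that follows the guidelines: bge0 and bge1 form one IPMP
# group, every interface-specific rule exists for both members, no rule keeps
# state, and the same file is installed on every node (including the standby,
# where 192.0.2.50 is not yet configured).
GOOD_RULES='pass in quick on bge0 proto tcp from any to 192.0.2.50 port = 80
pass in quick on bge1 proto tcp from any to 192.0.2.50 port = 80
block in quick on bge0 from any to 192.0.2.50
block in quick on bge1 from any to 192.0.2.50'

# Constructed fragment with two violations: "keep state" requests stateful
# filtering, and the pass rule exists for only one member of the IPMP group.
BAD_RULES='pass in quick on bge0 proto tcp from any to 192.0.2.50 port = 80 keep state
block in quick on bge0 from any to 192.0.2.50
block in quick on bge1 from any to 192.0.2.50'

IPMP_GROUP="bge0 bge1"

# check_stateless RULES: succeeds only if no rule requests stateful filtering.
check_stateless() {
    ! printf '%s\n' "$1" | grep -q 'keep state'
}

# check_ipmp_symmetry RULES "if1 if2 ...": succeeds only if each rule written
# for one IPMP member exists, identical apart from the name, for all members.
check_ipmp_symmetry() {
    printf '%s\n' "$1" | awk -v ifs="$2" '
        BEGIN { n = split(ifs, member, " ") }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            for (i = 1; i <= n; i++)
                if ($0 ~ (" on " member[i] " ")) {
                    key = $0; sub(" on " member[i] " ", " on IF ", key)
                    seen[key, member[i]] = 1; tmpl[key] = 1
                }
        }
        END {
            for (k in tmpl)
                for (i = 1; i <= n; i++)
                    if (!seen[k, member[i]]) missing = 1
            exit (missing ? 1 : 0)
        }'
}

for name in GOOD_RULES BAD_RULES; do
    eval "rules=\$$name"
    check_stateless "$rules" && check_ipmp_symmetry "$rules" "$IPMP_GROUP" \
        && echo "$name: ok" || echo "$name: violates the guidelines"
done
```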
Enable the ipfilter SMF service.
# svcadm enable /network/ipfilter:default