Sun Cluster Software Installation Guide for Solaris OS

Procedure: How to Configure Solaris IP Filter

Perform this procedure to configure Solaris IP Filter on the global cluster.


Note –

Only use Solaris IP Filter with failover data services. The use of Solaris IP Filter with scalable data services is not supported.


Observe the following guidelines:

For more information about the Solaris IP Filter feature, see Part IV, IP Security, in System Administration Guide: IP Services.

  1. (Solaris 10 11/06 only) Modify entries in the /etc/iu.ap file to ensure that the IP filter works in noncluster mode.

    1. Modify the public NIC entries to list clhbsndr pfil as the module list.

      The pfil module must be the last module in the list.


      Note –

      If you use the same type of adapter for the private and public networks, your edits to the /etc/iu.ap file will also push pfil onto the private-network streams. However, the cluster transport module automatically removes all unwanted modules at stream creation, so pfil is removed from the private-network streams.


    2. Add public-network interfaces to the /etc/ipf/pfil.ap file.

      See Chapter 26, Solaris IP Filter (Tasks), in System Administration Guide: IP Services for more information.

    3. Reboot all affected nodes.

      You can boot the nodes in a rolling fashion.

  2. Add filter rules to the /etc/ipf/ipf.conf file on all affected nodes.

    Observe the following guidelines and requirements when you add filter rules to Sun Cluster nodes.

    • (Solaris 10 8/07 only) In the ipf.conf file on each node, add rules to explicitly allow cluster interconnect traffic to pass unfiltered. Rules that are not interface specific are applied to all interfaces, including cluster interconnects. Ensure that traffic on these interfaces is not blocked mistakenly. For example, suppose the following rules are currently used:


      # Default block TCP/UDP unless some later rule overrides
      block return-rst in proto tcp/udp from any to any
      
      # Default block ping unless some later rule overrides
      block return-rst in proto icmp all

      To unblock cluster interconnect traffic, add the following rules. The subnets shown are examples only. Determine the subnets to use on your cluster by running the ifconfig interface command on each interconnect interface.


      # Unblock cluster traffic on 172.16.0.128/25 subnet (physical interconnect)
      pass in quick proto tcp/udp from 172.16.0.128/25 to any
      pass out quick proto tcp/udp from 172.16.0.128/25 to any
      
      # Unblock cluster traffic on 172.16.1.0/25 subnet (physical interconnect)
      pass in quick proto tcp/udp from 172.16.1.0/25 to any
      pass out quick proto tcp/udp from 172.16.1.0/25 to any
      
      # Unblock cluster traffic on 172.16.4.0/23 (clprivnet0 subnet)
      pass in quick proto tcp/udp from 172.16.4.0/23 to any
      pass out quick proto tcp/udp from 172.16.4.0/23 to any

    • Sun Cluster software fails over network addresses from node to node. No special procedure or code is needed at the time of failover.

    • All filtering rules that reference IP addresses of logical hostname and shared address resources must be identical on all cluster nodes.

    • A rule on a standby node references an IP address that the node does not currently hold. The rule is nevertheless part of the IP filter's active rule set, and it takes effect when the node receives the address after a failover.

    • All filtering rules must be the same for all NICs in the same IPMP group. In other words, if a rule is interface-specific, the same rule must also exist for all other interfaces in the same IPMP group.

    For more information about Solaris IP Filter rules, see the ipf(4) man page.
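    The checker below is an added example, not code from Sun Cluster or from this guide. It parses the subset of ipf.conf rule syntax shown in this procedure and tests a rule set against two of the guidelines above: that tcp/udp traffic from every cluster interconnect subnet passes in both directions (applying IP Filter's evaluation order, in which the last matching rule wins unless a matching rule is marked quick, and a packet that matches no rule passes), and that every interface-specific rule on one NIC of an IPMP group is mirrored on the group's other NICs. The sample configuration, the 192.168.10.5 service address, the bge0/bge1 interfaces and the sc_ipmp0 group name are constructed for the example; the check also assumes that interconnect adapters are not named in any "on <interface>" rule, as the guideline above describes.

```python
"""Check an ipf.conf rule set against the Sun Cluster guidelines (added example)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # a matching quick rule ends evaluation; otherwise last match wins
    iface: Optional[str]   # interface named by "on <if>"; None means all interfaces
    proto: Optional[str]   # e.g. "tcp/udp", "icmp"; None matches any protocol
    src: str               # "from <src>" value; "any" when absent or when the rule says "all"
    text: str              # original rule line, kept for reporting


def parse_rules(conf: str) -> List[Rule]:
    """Parse the pass/block lines of an ipf.conf text; comments and blanks are skipped."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        tok = line.split()
        if not tok or tok[0] not in ("pass", "block"):
            continue                                   # map/rdr lines are out of scope
        dirs = [i for i, t in enumerate(tok) if t in ("in", "out")]
        if not dirs:
            continue
        i = dirs[0]                                    # tokens before it are options (return-rst)
        direction, i = tok[i], i + 1
        quick, iface, proto, src = False, None, None, "any"
        while i < len(tok):
            t = tok[i]
            if t == "quick":
                quick = True
            elif t in ("on", "proto", "from") and i + 1 < len(tok):
                i += 1
                if t == "on":
                    iface = tok[i]
                elif t == "proto":
                    proto = tok[i]
                else:
                    src = tok[i]
            i += 1                                     # "to", "all", "port = 80" are skipped
        rules.append(Rule(tok[0], direction, quick, iface, proto, src, line))
    return rules


def _src_covers(src: str, subnet: ipaddress.IPv4Network) -> bool:
    """True if the rule's source spec includes the whole interconnect subnet."""
    if src == "any":
        return True
    try:
        return subnet.subnet_of(ipaddress.ip_network(src, strict=False))
    except (ValueError, TypeError):
        return False                                   # hostnames are not resolved here


def verdict(rules: List[Rule], subnet: ipaddress.IPv4Network, direction: str) -> str:
    """IP Filter semantics: last matching rule wins, a matching quick rule stops, no match passes."""
    result = "pass"
    for r in rules:
        if r.direction != direction or r.iface is not None:
            continue                                   # interface rules are assumed not to name interconnects
        if r.proto not in (None, "tcp/udp") or not _src_covers(r.src, subnet):
            continue
        result = r.action
        if r.quick:
            break
    return result


def blocked_interconnects(rules: List[Rule], subnets: List[str]) -> List[Tuple[str, str]]:
    """(subnet, direction) pairs whose cluster tcp/udp traffic would be blocked."""
    return [(s, d) for s in subnets for d in ("in", "out")
            if verdict(rules, ipaddress.ip_network(s, strict=False), d) != "pass"]


def ipmp_rule_gaps(rules: List[Rule], groups: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(missing_interface, expected_rule) pairs where an IPMP member lacks a sibling's rule."""
    have = {r.text for r in rules}
    gaps = set()
    for members in groups.values():
        for r in rules:
            if r.iface in members:
                for other in members:
                    expected = r.text.replace(f"on {r.iface}", f"on {other}", 1)
                    if expected not in have:
                        gaps.add((other, expected))
    return sorted(gaps)


# Constructed sample: the page's rules, minus the 172.16.1.0/25 pass rules,
# plus a service rule present on only one member of IPMP group sc_ipmp0.
SAMPLE_CONF = """\
block return-rst in proto tcp/udp from any to any
block return-rst in proto icmp all
pass in quick proto tcp/udp from 172.16.0.128/25 to any
pass out quick proto tcp/udp from 172.16.0.128/25 to any
pass in quick proto tcp/udp from 172.16.4.0/23 to any
pass out quick proto tcp/udp from 172.16.4.0/23 to any
pass in quick on bge0 proto tcp from any to 192.168.10.5 port = 80
"""
INTERCONNECTS = ["172.16.0.128/25", "172.16.1.0/25", "172.16.4.0/23"]
IPMP_GROUPS = {"sc_ipmp0": ["bge0", "bge1"]}


def check(conf: str = SAMPLE_CONF, subnets=INTERCONNECTS, groups=IPMP_GROUPS) -> dict:
    rules = parse_rules(conf)
    return {"blocked": blocked_interconnects(rules, subnets),
            "ipmp_gaps": ipmp_rule_gaps(rules, groups)}


if __name__ == "__main__":
    print(check())
```

    Run against the sample, check() reports that inbound traffic from 172.16.1.0/25 is still caught by the default block rule, and that bge1 lacks the port 80 rule that bge0 carries; adding the missing pass rules and the mirrored bge1 rule clears both findings. The third guideline, identical rules for logical hostname and shared address resources on every node, reduces to comparing the parsed rule texts across the nodes' ipf.conf files with the same parser.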

  3. Enable the ipfilter SMF service.


    phys-schost# svcadm enable /network/ipfilter:default
    
Next Steps

Configure Sun Cluster software on the cluster nodes. Go to Establishing a New Global Cluster or New Global-Cluster Node.