Oracle Solaris Administration: IP Services (Oracle Solaris 11 Information Library)
The following task map identifies the procedures associated with configuring IP Filter.
Table 21-1 Configuring IP Filter (Task Map)
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
The packet filtering rule set contains packet filtering rules that are used by IP Filter. If you want the packet filtering rules to be loaded at boot time, edit the /etc/ipf/ipf.conf file to implement IPv4 packet filtering. Use the /etc/ipf/ipf6.conf file for IPv6 packet filtering rules. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice, and manually activate packet filtering. For information about packet filtering, see Using IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing IP Filter Configuration Files.
Note - Network Address Translation (NAT) does not support IPv6.
Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually activate the NAT rules.
For more information about NAT, see Using IP Filter's NAT Feature.
Create an ippool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put the address pool. If you do not want the address pool configuration file to be loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate the rules.
An address pool can contain only IPv4 addresses, only IPv6 addresses, or a mix of IPv4 and IPv6 addresses.
For more information about address pools, see Using IP Filter's Address Pools Feature.
If you intend to filter traffic between zones that are configured in your system, you must enable loopback filtering. See How to Enable Loopback Filtering. Make sure that you also define the appropriate rule sets that apply to the zones.
# svcadm enable network/ipfilter
You can re-enable packet filtering after it has been temporarily disabled.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Reboot the machine.
# reboot
Note - When IP Filter is enabled, the following files are loaded after a reboot if they are present: the /etc/ipf/ipf.conf file, the /etc/ipf/ipf6.conf file when using IPv6, and the /etc/ipf/ipnat.conf file.
Perform the following series of commands to enable IP Filter and activate filtering:
Enable IP Filter.
# ipf -E
Activate packet filtering.
# ipf -f filename
(Optional) Activate NAT.
# ipnat -f filename
Note - Network Address Translation (NAT) does not support IPv6.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
# svcadm disable network/ipfilter
set intercept_loopback true;
This line must precede all the IP Filter rules that are defined in the file. However, you can insert comments before the line, similar to the following example:
#
# Enable loopback filtering to filter between zones
#
set intercept_loopback true;
#
# Define policy
#
block in all
block out all
<other rules>
...
# svcadm enable network/ipfilter
# ipf -T ipf_loopback
ipf_loopback    min 0   max 0x1 current 1
#
If loopback filtering is disabled, the command would generate the following output:
ipf_loopback min 0 max 0x1 current 0
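The two loopback-filtering checks above (the placement of set intercept_loopback true; in the rule file, and the current field reported by ipf -T ipf_loopback) can be scripted so that a rule file is validated before it is loaded and the kernel state is compared with it afterwards. The following POSIX shell script is an added example; it is not part of the Oracle Solaris documentation or of IP Filter's own tooling. The function names, the sample rule files and the sample tunable output are constructed for the demonstration; on a live system the rule file would be /etc/ipf/ipf.conf and the tunable output would come from ipf -T ipf_loopback.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris documentation or of IP Filter.
# Two pre-flight checks for loopback (inter-zone) filtering:
#   1. the rule file places "set intercept_loopback true;" before its first
#      rule, with only blank lines and "#" comments allowed ahead of it;
#   2. the "current" field of "ipf -T ipf_loopback" output is read so that the
#      kernel state can be compared with what the file requests.
# All function names and sample inputs below are constructed for illustration.

# check_loopback_first FILE
# Exit status 0 when the first effective (non-blank, non-comment) line of FILE
# is the loopback setting; 1 otherwise, with a diagnostic on stderr.
check_loopback_first() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }     # blanks and comments may precede the setting
        !seen {                               # the first remaining line decides the result
            seen = 1
            if ($0 ~ /^[ \t]*set[ \t]+intercept_loopback[ \t]+true[ \t]*;/) {
                ok = 1
            } else {
                printf("%s: line %d: expected \"set intercept_loopback true;\" before any rule, found: %s\n", FILENAME, NR, $0) > "/dev/stderr"
            }
            exit
        }
        END {
            if (!seen) printf("%s: no settings or rules found\n", FILENAME) > "/dev/stderr"
            exit (ok ? 0 : 1)
        }
    ' "$1"
}

# loopback_current
# Reads "ipf -T ipf_loopback" output on stdin and prints the value of its
# "current" field (1 = loopback filtering active, 0 = inactive).
# Exit status 1 when no ipf_loopback line with a current field is present.
loopback_current() {
    awk '
        $1 == "ipf_loopback" {
            for (i = 2; i < NF; i++) {
                if ($i == "current") { print $(i + 1); found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# verify_loopback RULEFILE TUNABLE_OUTPUT
# Combines both checks: the file must be well-formed and the kernel must report
# current 1. A well-formed file with current 0 usually means the rule set has
# not been loaded since the edit (ipf -f FILE, or re-enabling the service).
verify_loopback() {
    check_loopback_first "$1" || return 1
    cur=$(loopback_current < "$2") || { echo "no ipf_loopback tunable in $2" >&2; return 1; }
    [ "$cur" = "1" ] && return 0
    echo "$1 requests loopback filtering but the kernel reports current $cur: reload the rule set" >&2
    return 1
}

# Constructed sample inputs (not real rule sets and not captured output).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp); ACTIVE_OUT=$(mktemp); INACTIVE_OUT=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
#
# Enable loopback filtering to filter between zones
#
set intercept_loopback true;
#
# Define policy
#
block in all
block out all
EOF
cat > "$BAD_CONF" <<'EOF'
# the setting appears after a rule, which the placement requirement does not allow
block in all
set intercept_loopback true;
block out all
EOF
printf 'ipf_loopback\tmin 0\tmax 0x1\tcurrent 1\n' > "$ACTIVE_OUT"
printf 'ipf_loopback\tmin 0\tmax 0x1\tcurrent 0\n' > "$INACTIVE_OUT"

# Usage: on a live system pass /etc/ipf/ipf.conf and a file holding the
# output of "ipf -T ipf_loopback" instead of the sample files.
verify_loopback "$GOOD_CONF" "$ACTIVE_OUT"   && echo "good rule file, loopback active"
verify_loopback "$GOOD_CONF" "$INACTIVE_OUT" || echo "good rule file, but loopback inactive"
verify_loopback "$BAD_CONF"  "$ACTIVE_OUT"   || echo "rule file rejected"
```

The file check is deliberately strict about order rather than merely grepping for the setting, because a set line that follows a rule satisfies a grep but not the placement requirement. Running verify_loopback after svcadm enable network/ipfilter distinguishes the two common failure modes: a misplaced setting in the file, and a correct file whose rules have not yet been loaded into the kernel.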