Oracle Solaris Administration: IP Services (Oracle Solaris 11 Information Library)
IP Filter is managed by the SMF services svc:/network/pfil and svc:/network/ipfilter. For a complete overview of SMF, see Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration. For information on the step-by-step procedures that are associated with SMF, see Chapter 19, Managing Services (Tasks), in System Administration Guide: Basic Administration.
IP Filter requires direct editing of configuration files.
IP Filter is installed as part of Oracle Solaris. By default, IP Filter is not activated after a fresh install. To configure filtering, you must edit configuration files and manually activate IP Filter. You can activate filtering by either rebooting the system or by plumbing the interfaces using the ipadm command. For more information, see the ipadm(1M) man page. For the tasks associated with enabling IP Filter, see Configuring IP Filter.
To administer IP Filter, you must be able to assume a role that includes the IP Filter Management rights profile, or become superuser. You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
IP Network Multipathing (IPMP) supports stateless filtering only.
For IP Filter to perform stateless filtering on traffic to and from an IPMP group, you must set the ipmp_hook_emulation parameter. By default, the parameter is set to zero (0), which means that IP Filter cannot perform stateful packet inspection of traffic on physical interfaces that belong to an IPMP group. To enable IPMP packet filtering, issue the following command:
ndd -set /dev/ip ipmp_hook_emulation 1
Oracle Solaris Cluster software does not support filtering with IP Filter for scalable services, but does support IP Filter for failover services. For guidelines and restrictions when configuring IP Filter in a cluster, see Oracle Solaris OS Feature Restrictions in Oracle Solaris Cluster Software Installation Guide.
Filtering between zones is supported provided that the IP Filter rules are implemented in a zone that functions as a virtual router for the other zones on the system.