Oracle Solaris Administration: IP Services     Oracle Solaris 10 1/13 Information Library

Working With the pfil Module

This section describes how to use the pfil STREAMS module to activate or deactivate IP Filter and how to view pfil statistics. The procedures apply only to systems that run one of the following Solaris releases:

The following task map identifies procedures that are associated with configuring the pfil module.

Table 26-3 Working With the pfil Module (Task Map)

Task: Enable IP Filter
Description: IP Filter is not enabled by default. You must either enable it manually or use the configuration files in the /etc/ipf/ directory and reboot the system.
For Instructions: How to Enable IP Filter in Previous Solaris Releases

Task: Activate a NIC for packet filtering
Description: Configure the pfil module to activate packet filtering on a NIC.
For Instructions: How to Activate a NIC for Packet Filtering

Task: Deactivate IP Filter on a NIC
Description: Remove a NIC from packet filtering and allow all packets to pass through the NIC.
For Instructions: How to Deactivate IP Filter on a NIC

Task: View pfil statistics
Description: View statistics for the pfil module, using the ndd command, to help you troubleshoot IP Filter.
For Instructions: How to View pfil Statistics for IP Filter

How to Enable IP Filter in Previous Solaris Releases

IP Filter is installed with Oracle Solaris. However, packet filtering is not enabled by default. Use the following procedure to activate IP Filter.


Note - If your system is running at least the Solaris 10 7/07 release, follow the procedure How to Enable IP Filter that uses packet filter hooks.


  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the file editor of your choice, and edit the /etc/ipf/pfil.ap file.

    This file contains the names of network interface cards (NICs) on the host. By default, the names are commented out. Uncomment the device names that carry the network traffic you want to filter. If the name of the NIC for your system is not listed, add a line to specify the NIC.

    # vi /etc/ipf/pfil.ap
    # IP Filter pfil autopush setup
    #
    # See autopush(1M) manpage for more information.
    #
    # Format of the entries in this file is:
    #
    #major  minor lastminor modules
    
    #le     -1      0       pfil
    #qe     -1      0       pfil
    hme     -1      0       pfil (Device has been uncommented for filtering)
    #qfe    -1      0       pfil
    #eri    -1      0       pfil
    #ce     -1      0       pfil
    #bge    -1      0       pfil
    #be     -1      0       pfil
    #vge    -1      0       pfil
    #ge     -1      0       pfil
    #nf     -1      0       pfil
    #fa     -1      0       pfil
    #ci     -1      0       pfil
    #el     -1      0       pfil
    #ipdptp -1      0       pfil
    #lane   -1      0       pfil
    #dmfe   -1      0       pfil
  3. Activate your changes to the /etc/ipf/pfil.ap file by restarting the network/pfil service instance.
    # svcadm restart network/pfil
  4. Create a packet filtering rule set.

    The packet filtering rule set contains packet filtering rules that are used by IP Filter. If you want the packet filtering rules to be loaded at boot time, edit the /etc/ipf/ipf.conf file to implement IPv4 packet filtering. Use the /etc/ipf/ipf6.conf file for IPv6 packet filtering rules. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice, and manually activate packet filtering. For information about packet filtering, see Using IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing IP Filter Configuration Files.

  5. (Optional) Create a network address translation (NAT) configuration file.

    Note - Network Address Translation (NAT) does not support IPv6.


    Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually activate the NAT rules.

    For more information about NAT, see Using IP Filter's NAT Feature.

  6. (Optional) Create an address pool configuration file.

    Create an ippool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put the address pool. If you do not want the address pool configuration file to be loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate the rules.

    An address pool can contain only IPv4 addresses, only IPv6 addresses, or a mix of IPv4 and IPv6 addresses.

    For more information about address pools, see Using IP Filter's Address Pools Feature.

  7. Activate IP Filter by using one of the following methods:
    • Enable IP Filter and reboot the machine.

      # svcadm enable network/ipfilter
      # reboot

      Note - Rebooting is required if you cannot safely use the ifconfig unplumb and ifconfig plumb commands on the NICs.


    • Enable the NICs by using the ifconfig unplumb and ifconfig plumb commands. Then enable IP Filter. The inet6 version of the interface must be plumbed in order to implement IPv6 packet filtering.

      # ifconfig hme0 unplumb
      # ifconfig hme0 plumb 192.168.1.20 netmask 255.255.255.0 up
      # ifconfig hme0 inet6 unplumb
      # ifconfig hme0 inet6 plumb fec3:f849::1/96 up
      # svcadm enable network/ipfilter

      For more information about the ifconfig command, see the ifconfig(1M) man page.

How to Activate a NIC for Packet Filtering

IP Filter is enabled at boot time when the /etc/ipf/ipf.conf file (or the /etc/ipf/ipf6.conf file when using IPv6) exists. If you need to enable filtering on a NIC after IP Filter is enabled, use the following procedure.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the file editor of your choice, and edit the /etc/ipf/pfil.ap file.

    This file contains the names of NICs on the host. By default, the names are commented out. Uncomment the device names that carry the network traffic you want to filter. If the name of the NIC for your system is not listed, add a line to specify the NIC.

    # vi /etc/ipf/pfil.ap
    # IP Filter pfil autopush setup
    #
    # See autopush(1M) manpage for more information.
    #
    # Format of the entries in this file is:
    #
    #major  minor lastminor modules
    
    #le     -1      0       pfil
    #qe     -1      0       pfil
    hme     -1      0       pfil (Device has been uncommented for filtering)
    #qfe    -1      0       pfil
    #eri    -1      0       pfil
    #ce     -1      0       pfil
    #bge    -1      0       pfil
    #be     -1      0       pfil
    #vge    -1      0       pfil
    #ge     -1      0       pfil
    #nf     -1      0       pfil
    #fa     -1      0       pfil
    #ci     -1      0       pfil
    #el     -1      0       pfil
    #ipdptp -1      0       pfil
    #lane   -1      0       pfil
    #dmfe   -1      0       pfil
  3. Activate your changes to the /etc/ipf/pfil.ap file by restarting the network/pfil service instance.
    # svcadm restart network/pfil
  4. Enable the NIC by using one of the following methods:
    • Reboot the machine.

      # reboot

      Note - Rebooting is required if you cannot safely use the ifconfig unplumb and ifconfig plumb commands on the NICs.


    • Enable the NICs that you want to filter by using the ifconfig command with the unplumb and plumb options. The inet6 version of each interface must be plumbed in order to implement IPv6 packet filtering.

      # ifconfig hme0 unplumb
      # ifconfig hme0 plumb 192.168.1.20  netmask 255.255.255.0  up
      # ifconfig hme0 inet6 unplumb
      # ifconfig hme0 inet6 plumb fec3:f840::1/96 up

      For more information about the ifconfig command, see the ifconfig(1M) man page.

How to Deactivate IP Filter on a NIC

If you need to stop filtering packets on a NIC, use the following procedure.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the file editor of your choice, and edit the /etc/ipf/pfil.ap file.

    This file contains the names of NICs on the host. The NICs that have been used to filter network traffic are uncommented. Comment out the device names that you no longer want to use to filter network traffic.

    # vi /etc/ipf/pfil.ap
    # IP Filter pfil autopush setup
    #
    # See autopush(1M) manpage for more information.
    #
    # Format of the entries in this file is:
    #
    #major  minor lastminor modules
    
    #le     -1      0       pfil
    #qe     -1      0       pfil
    #hme    -1      0       pfil (Commented-out device no longer filters network traffic)
    #qfe    -1      0       pfil
    #eri    -1      0       pfil
    #ce     -1      0       pfil
    #bge    -1      0       pfil
    #be     -1      0       pfil
    #vge    -1      0       pfil
    #ge     -1      0       pfil
    #nf     -1      0       pfil
    #fa     -1      0       pfil
    #ci     -1      0       pfil
    #el     -1      0       pfil
    #ipdptp -1      0       pfil
    #lane   -1      0       pfil
    #dmfe   -1      0       pfil
  3. Deactivate the NIC by using one of the following methods:
    • Reboot the machine.

      # reboot

      Note - Rebooting is required if you cannot safely use the ifconfig unplumb and ifconfig plumb commands on the NICs.


    • Deactivate the NICs by using the ifconfig command with the unplumb and plumb options. The inet6 version of each interface must be unplumbed in order to deactivate IPv6 packet filtering. Perform the following steps. The sample device in the system is hme:

      1. Identify the major number for the device you are deactivating.

        # grep hme /etc/name_to_major
        hme 7
      2. Display the current autopush configuration for hme0.

        # autopush -g -M 7 -m 0
           Major     Minor     Lastminor       Modules
               7      ALL          -           pfil
      3. Remove the autopush configuration.

        # autopush -r -M 7 -m 0
      4. Open the device and assign IP addresses to the device.

        # ifconfig hme0 unplumb
        # ifconfig hme0 plumb 192.168.1.20  netmask 255.255.255.0  up
        # ifconfig hme0 inet6 unplumb
        # ifconfig hme0 inet6 plumb fec3:f840::1/96 up

        For more information about the ifconfig command, see the ifconfig(1M) man page.
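The three procedures above (enabling IP Filter in earlier releases, activating a NIC, and deactivating a NIC) all come down to uncommenting or commenting an entry in /etc/ipf/pfil.ap, and the deactivation procedure also looks up the driver's major number in /etc/name_to_major. The POSIX shell helpers below are an added example and are not part of the Oracle Solaris documentation or of IP Filter itself; they work on constructed copies of both files so they can be tried offline. The function names, the sample file contents, the extra bge entry and the temporary file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation. Helpers for editing
# an IP Filter pfil.ap autopush file and for looking up a driver's major number.
# Function names, sample file contents and temp paths are assumptions.

# Print the device names whose pfil entry is active (uncommented) in FILE.
pfil_ap_active() {
    awk '$1 !~ /^#/ && NF >= 4 && $4 == "pfil" { print $1 }' "$1"
}

# Exit 0 if NIC has an active entry in FILE, 1 otherwise.
pfil_ap_is_active() {
    pfil_ap_active "$1" | grep -qx "$2"
}

# Activate NIC: uncomment its entry, or append one if the NIC is not listed
# (the procedure says to add a line when the NIC is missing from the file).
pfil_ap_activate() {
    file=$1; nic=$2
    if grep -q "^#$nic[[:space:]]" "$file"; then
        sed "s/^#\($nic[[:space:]]\)/\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    elif ! pfil_ap_is_active "$file" "$nic"; then
        printf '%s\t-1\t0\tpfil\n' "$nic" >> "$file"
    fi
}

# Deactivate NIC: comment its entry out so the device no longer filters traffic.
pfil_ap_deactivate() {
    file=$1; nic=$2
    sed "s/^\($nic[[:space:]]\)/#\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the major number of DRIVER from a name_to_major file (step 1 of the
# autopush removal procedure); prints nothing if the driver is absent.
major_of() {
    awk -v d="$2" '$1 == d { print $2 }' "$1"
}

# Constructed sample files that mirror the layout of the real ones.
make_sample_pfil_ap() {
    cat > "$1" <<'EOF'
# IP Filter pfil autopush setup
#major  minor lastminor modules
#le     -1      0       pfil
#qe     -1      0       pfil
hme     -1      0       pfil
#qfe    -1      0       pfil
EOF
}
make_sample_name_to_major() {
    printf 'hme 7\nqfe 8\n' > "$1"
}

# Stand-alone demonstration against temporary copies, never the live files.
demo() {
    ap=${TMPDIR:-/tmp}/pfil_ap.$$; n2m=${TMPDIR:-/tmp}/name_to_major.$$
    make_sample_pfil_ap "$ap"; make_sample_name_to_major "$n2m"
    pfil_ap_activate "$ap" qfe       # listed and commented: uncommented
    pfil_ap_activate "$ap" bge       # not listed: appended
    pfil_ap_deactivate "$ap" hme     # active: commented out
    echo "active: $(pfil_ap_active "$ap" | tr '\n' ' ')"   # active: qfe bge
    echo "hme major: $(major_of "$n2m" hme)"                # hme major: 7
    rm -f "$ap" "$n2m"
}
demo
```

On a real system, point the functions at /etc/ipf/pfil.ap and /etc/name_to_major and then follow the procedure as written: restart network/pfil with svcadm, and either reboot or unplumb and replumb the interface (and, for deactivation, remove the autopush configuration with the major number that major_of returns). The helpers only change the file; they deliberately do not run svcadm, autopush or ifconfig.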

How to View pfil Statistics for IP Filter

You can view pfil statistics when you are troubleshooting IP Filter.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View pfil statistics.
    # ndd -get /dev/pfil qif_status

Example 26-1 Viewing pfil Statistics for IP Filter

The following example shows how to view pfil statistics.

# ndd -get /dev/pfil qif_status
ifname ill q OTHERQ num sap hl nr nw bad copy copyfail drop notip nodata
   notdata
QIF6 0 300011247b8 300011248b0 6 806 0 4 9 0 0 0 0 0 0 0
dmfe1 3000200a018 30002162a50 30002162b48 5 800 14 171 13681 0 0 0 0 0 0 0
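The qif_status output above is a fixed-width table whose header wraps onto a second line, which makes it awkward to read by eye when there are many interfaces. The script below is an added example, not part of the Oracle Solaris documentation, that parses that output, selects the counters that matter for troubleshooting by column name, and lists interfaces with non-zero bad, drop or notip counts. The sample output is constructed from the layout of Example 26-1 (the hme0 row is invented), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: parse the output of
# 'ndd -get /dev/pfil qif_status' and pick out interfaces with error counters.
# The sample output and the hme0 row are constructed; function names are assumptions.

# Constructed sample in the layout of Example 26-1. ndd wraps the header at 80
# columns, so "notdata" arrives on its own line and must be joined back.
SAMPLE_QIF_STATUS='ifname ill q OTHERQ num sap hl nr nw bad copy copyfail drop notip nodata
   notdata
QIF6 0 300011247b8 300011248b0 6 806 0 4 9 0 0 0 0 0 0 0
dmfe1 3000200a018 30002162a50 30002162b48 5 800 14 171 13681 0 0 0 0 0 0 0
hme0 3000200a118 30002163a50 30002163b48 6 800 14 40 12 3 0 0 7 2 0 0'

# Read qif_status on stdin; print "ifname nr nw bad drop notip" per interface.
# Columns are located by header name, so a different column order still works.
qif_summary() {
    awk '
        # Header lines: the one starting with ifname plus any short wrapped
        # continuation. Record each column name with its position.
        !hdr_done {
            if ($1 == "ifname" || NF < 3) {
                for (i = 1; i <= NF; i++) col[$i] = ++ncol
                next
            }
            hdr_done = 1
        }
        # Data rows: select the counters of interest by name.
        { print $1, $(col["nr"]), $(col["nw"]), $(col["bad"]), $(col["drop"]), $(col["notip"]) }
    '
}

# Print only interfaces whose bad, drop or notip counters are non-zero: packets
# that pfil could not hand to IP Filter are the first thing to look at when a
# rule set does not behave as expected on a NIC.
qif_suspect() {
    qif_summary | awk '$4 + $5 + $6 > 0 { print $1 }'
}

# Stand-alone demonstration on the constructed sample. On a live system feed the
# real output instead:  ndd -get /dev/pfil qif_status | qif_summary
printf '%s\n' "$SAMPLE_QIF_STATUS" | qif_summary
echo "suspect: $(printf '%s\n' "$SAMPLE_QIF_STATUS" | qif_suspect)"
```

The summary keeps nr and nw (packets read and written through pfil) next to the error counters so that a non-zero drop count can be judged against the interface's traffic volume rather than in isolation.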