By default, fragments are reassembled in IP Filter. To disable this reassembly, you insert a rule at the beginning of your policy file.
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile and the solaris.admin.edit/path-to-IPFilter-policy-file authorization. The root role has all of these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .
# svcadm disable network/ipfilter
set defrag off;
Use the pfedit command, as in:
# pfedit /etc/ipf/myorg.ipf.conf
This rule must precede all block and pass rules in the file. However, you can insert comments before the line, similar to the following example:
# Disable fragment reassembly # set defrag off; # Define policy # block in all block out all other rules
# svcadm enable network/ipfilter
# ipf -T defrag defrag min 0 max 0x1 current 0
If the value of current is 0, fragments are not being reassembled. If current is 1, fragments are being reassembled.