Securing the Network in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

How to Disable Packet Reassembly

By default, fragments are reassembled in IP Filter. To disable this reassembly, you insert a rule at the beginning of your policy file.

Before You Begin

You must become an administrator who is assigned the IP Filter Management rights profile and the solaris.admin.edit/path-to-IPFilter-policy-file authorization. The root role has all of these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. Disable IP Filter.
    # svcadm disable network/ipfilter
  2. Add the following rule at the beginning of your IP Filter policy file.
    set defrag off;

    Use the pfedit command, as in:

    # pfedit /etc/ipf/myorg.ipf.conf

    This rule must precede all block and pass rules in the file. However, you can insert comments before the line, similar to the following example:

    # Disable fragment reassembly
    set defrag off;
    # Define policy
    block in all
    block out all
    other rules
  3. Enable IP Filter.
    # svcadm enable network/ipfilter
  4. Verify that packets are not being reassembled.
    # ipf -T defrag
    defrag  min 0   max 0x1 current 0

    If the value of current is 0, fragments are not being reassembled. If current is 1, fragments are being reassembled.