To modify the IP Filter policy for an automatically configured network configuration or to use IP Filter in a manually configured network, you create configuration files, inform the service about these files, then enable the service.
Before You Begin
You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .
This file contains the packet filtering rule set.
# svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
For example, make /etc/ipf/myorg.ipf.conf the location of your packet filtering rule set.
# svccfg -s ipfilter:default \ setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/myorg.ipf.conf"
For information about packet filtering, see Using IP Filter's Packet Filtering Feature. For examples of configuration files, see IP Filter Configuration File Examples, and the /etc/nwam/loc/NoNet/ipf.conf file.
pass in all pass out all
To filter packets over a NAT, create a file for your NAT rules with the default file name, /etc/ipf/ipnat.conf. If you use a different name, you must change the value of the config/ipnat_config_file service property, as in:
# svccfg -s ipfilter:default \ setprop config/ipnat_config_file = astring: "/etc/ipf/myorg.ipnat.conf"
For more information about NAT, see Using IP Filter's NAT Feature.
To refer to a group of addresses as a single address pool, create a file for the pool with the default file name, /etc/ipf/ippool.conf. If you use a different name, you must change the value of the config/ippool_config_file service property, as in:
# svccfg -s ipfilter:default \ setprop config/ippool_config_file = astring: "/etc/ipf/myorg.ippool.conf"
An address pool can contain any combination of IPv4 and IPv6 addresses. For more information about address pools, see Using IP Filter's Address Pools Feature.
If you intend to filter traffic between zones that are configured in your system, you must enable loopback filtering. See How to Enable Loopback Filtering. You must also define rule sets that apply to the zones.
By default, fragments are reassembled in IP Filter. To modify the default, see How to Disable Packet Reassembly.