Securing the Network in Oracle® Solaris 11.3

Updated: April 2019
 
 

Managing Address Pools for IP Filter

The following procedures describe how to manage, view, and modify address pools.

How to View Active Address Pools

Before You Begin

You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  • View the active address pool.

    The following example shows how to view the contents of the active address pool.

    # ippool -l
    table role = ipf type = tree number = 13
            { 192.0.2.64/27, 192.0.2.0/27, 198.51.100.0/27; };

How to Remove an Address Pool

Before You Begin

You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  • Remove the entries in the current address pool.

    # ippool -F

Example 18  Removing an Address Pool

The following example shows how to remove an address pool.

# ippool -l
table role = ipf type = tree number = 13
        { 192.0.2.64/27, 192.0.2.0/27, 198.51.100.0/27; };
# ippool -F
1 object flushed
# ippool -l

How to Append Rules to an Address Pool

Appending rules to an existing rule set can be useful when testing or troubleshooting. The IP Filter service remains enabled when the rules are added. However, when the service is refreshed, restarted, or enabled, the address pool rules are lost, unless they exist in a file that is a property of the IP Filter service.

Before You Begin

You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Use one of the following methods to append rules to the active rule set:
    • Append rules to the rule set at the command line using the ippool -f - command.

      # echo "table role = ipf type = tree number = 13 
      {192.0.2.64/27, 192.0.2.0/27, 198.51.100.0/27};" | ippool -f -

      These appended rules are not part of the IP Filter configuration when the service is refreshed, restarted, or enabled.

    • Perform the following steps:

      1. Create additional address pools in a file of your choice.

      2. Add the rules that you have created to the active address pool.

        # ippool -f filename

        The rules in filename are added to the end of the active address pool.

  2. If the rules contain pools that are not in the original rule set, perform the following steps:
    1. Add the pools to a new packet filtering rule.
    2. Append the new packet filtering rule to the current rule set.

      Follow the instructions in How to Append Rules to the Active Packet Filtering Rule Set.


      Note -  Do not refresh or restart the IP Filter service. You will lose your added address pool rules.

Example 19  Appending Rules to an Address Pool

The following example shows how to add an address pool to the address pool rule set from the command line.

# ippool -l
table role = ipf type = tree number = 13
        { 192.0.2.64/27, 192.0.2.0/27, 198.51.100.0/27; };
# echo "table role = ipf type = tree number = 100
 {192.0.2.0/27, 203.0.113.2/32, 198.51.100.0/27};" | ippool -f -
# ippool -l
table role = ipf type = tree number = 100
        { 192.0.2.0/27, 203.0.113.2/32, 198.51.100.0/27; };
table role = ipf type = tree number = 13
        { 192.0.2.64/27, 192.0.2.0/27, 198.51.100.0/27; };
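
A check for the caveat in this procedure, as an added example that is not part of the Oracle documentation: it compares captured `ippool -l` output with a saved pool file and prints the pool numbers that exist only in the running set, which are the ones lost on a refresh or restart. The function names, the two file arguments and the sample files are assumptions made for illustration; the sample input is constructed from Example 19.

```shell
#!/bin/sh
# Added example (not Oracle's code): list address pools that are active but
# absent from the saved pool file, so they would be lost on refresh or restart.

# Print each pool number found in ippool-style text on stdin, one per line.
pool_numbers() {
    awk '/^[ \t]*table[ \t]/ {
        gsub(/=/, " = ")                      # tolerate "number=13"
        for (i = 1; i + 2 <= NF; i++)
            if ($i == "number" && $(i + 1) == "=") {
                n = $(i + 2); gsub(/[^0-9]/, "", n)
                if (n != "") print n
            }
    }' | sort -n -u
}

# unsaved_pools ACTIVE SAVED
#   ACTIVE: file holding captured `ippool -l` output
#   SAVED:  pool file that the IP Filter service loads (site-specific path)
# Prints pool numbers present in ACTIVE but missing from SAVED.
unsaved_pools() {
    saved=" $(pool_numbers < "$2" | tr '\n' ' ')"
    pool_numbers < "$1" | while read -r n; do
        case "$saved" in
            *" $n "*) ;;              # pool is also in the saved file
            *) echo "$n" ;;           # pool exists only in the running set
        esac
    done
}

# Constructed sample: the Example 19 listing, and a saved file with pool 13 only.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/active.txt" <<'EOF'
table role = ipf type = tree number = 100
        { 192.0.2.0/27, 203.0.113.2/32, 198.51.100.0/27; };
table role = ipf type = tree number = 13
        { 192.0.2.64/27, 192.0.2.0/27, 198.51.100.0/27; };
EOF
    cat > "$dir/saved.conf" <<'EOF'
# pools loaded when the service starts
table role = ipf type = tree number = 13
        { 192.0.2.64/27, 192.0.2.0/27, 198.51.100.0/27; };
EOF
    unsaved_pools "$dir/active.txt" "$dir/saved.conf"
    rm -rf "$dir"
}
demo    # prints 100
```

On a live system, capture the listing with `ippool -l > active.txt` and pass the pool file that your IP Filter service is configured to load as the second argument.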