Solaris IP Filter (Tasks)
This chapter provides step-by-step instructions for Solaris IP Filter tasks. For overview information about Solaris IP Filter, see Chapter 25, Solaris IP Filter (Overview).
This chapter contains the following information:
Configuring Solaris IP Filter
The following task map identifies the procedures associated with configuring Solaris IP Filter.
Table 26-1 Configuring Solaris IP Filter (Task Map)
Task | Description | For Instructions |
---|---|---|
Initially enable Solaris IP Filter. | Solaris IP Filter is not enabled by default. You must either enable it manually or use the configuration files in the /etc/ipf/ directory and reboot the system. Beginning with Solaris Express, Developer Edition 2/07 release, packet filter hooks replaced the pfil module to enable Solaris IP filter. | |
Re-enable Solaris IP Filter. | If Solaris IP Filter is deactivated or disabled, you can re-enable Solaris IP Filter either by rebooting the system or by using the ipf command. | |
Enable loopback filtering | As an option, you can enable loopback filtering, for example, to filter traffic between zones. |
How to Enable Solaris IP Filter
Use this procedure to enable Solaris IP Filter on a system that is running at least Solaris Express, Developer Edition 2/07 OS.
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
Create a packet filtering rule set.
The packet filtering rule set contains packet filtering rules that are used by Solaris IP Filter. If you want the packet filtering rules to be loaded at boot time, edit the /etc/ipf/ipf.conf file to implement IPv4 packet filtering. Use the /etc/ipf/ipf6.conf file for IPv6 packet filtering rules. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice, and manually activate packet filtering. For information about packet filtering, see Using Solaris IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing Solaris IP Filter Configuration Files.
(Optional) Create a network address translation (NAT) configuration file.
Note - Network Address Translation (NAT) does not support IPv6.
Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually activate the NAT rules.
For more information about NAT, see Using Solaris IP Filter's NAT Feature.
(Optional) Create an address pool configuration file.
Create an ipool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put the address pool. If you do not want the address pool configuration file to be loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate the rules.
An address pool can contain only IPv4 addresses or only IPv6 addresses. It can also contain both IPv4 and IPv6 addresses.
For more information about address pools, see Using Solaris IP Filter's Address Pools Feature.
(Optional) Enable filtering of loopback traffic.
If you intend to filter traffic between zones that are configured in your system, you must enable loopback filtering. See How to Enable Loopback Filtering. Make sure that you also define the appropriate rule sets that apply to the zones.
Activate Solaris IP Filter.
# svcadm enable network/ipfilter
How to Re-Enable Solaris IP Filter
You can re-enable packet filtering after it has been temporarily disabled.
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
Enable Solaris IP Filter and activate filtering using one of the following methods:
Reboot the machine.
# reboot
Note - When IP Filter is enabled, after a reboot the following files are loaded if they are present: the /etc/ipf/ipf.conf file, the /etc/ipf/ipf6.conf file when using IPv6, or the /etc/ipf/ipnat.conf.
Perform the following series of commands to enable Solaris IP Filter and activate filtering:
Enable Solaris IP Filter.
# ipf -E
Activate packet filtering.
# ipf -f filename
(Optional) Activate NAT.
# ipnat -f filename
Note - Network Address Translation (NAT) does not support IPv6.
How to Enable Loopback Filtering
Note - You can filter loopback traffic only if your system is running at least Solaris Express, Developer Edition 2/07 release. In previous Solaris 10 releases, loopback filtering is not supported.
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
Stop Solaris IP Filter if it is running.
# svcadm disable network/ipfilter
Edit the /etc/ipf.conf or /etc/ipf6.conf file by adding the following line at the beginning of the file:
set intercept_loopback true;
This line must precede all the IP filter rules that are defined in the file. However, you can insert comments before the line, similar to the following example:
# # Enable loopback filtering to filter between zones # set intercept_loopback true; # # Define policy # block in all block out all <other rules> ...
Start the Solaris IP filter.
# svcadm enable network/ipfilter
To verify the status of loopback filtering, use the following command:
# ipf --T ipf_loopback ipf_loopback min 0 max 0x1 current 1 #
If loopback filtering is disabled, the command would generate the following output:
ipf_loopback min 0 max 0x1 current 0