Deactivating and Disabling Solaris IP Filter
You might want to deactivate or disable packet filtering and NAT under the following circumstances:
For testing purposes
To troubleshoot system problems when you think the problems are caused by Solaris IP Filter
The following task map identifies the procedures associated with deactivating or disabling Solaris IP Filter features.
Table 26-2 Deactivating and Disabling Solaris IP Filter (Task Map)
Task | Description | For Instructions |
---|---|---|
Deactivate packet filtering. | Deactivate packet filtering using the ipf command. | |
Deactivate NAT. | Deactivate NAT using the ipnat command. | |
Disable packet filtering and NAT. | Disable packet filtering and NAT using the ipf command. |
How to Deactivate Packet Filtering
The following procedure deactivates Solaris IP Filter packet filtering by flushing the packet filtering rules from the active filtering rule set. The procedure does not disable Solaris IP Filter. You can reactivate Solaris IP Filter by adding rules to the rule set.
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
Use one of the following methods to deactivate Solaris IP Filter rules:
Remove the active rule set from the kernel.
# ipf -Fa
This command deactivates all packet filtering rules.
Remove incoming packet filtering rules.
# ipf -Fi
This command deactivates packet filtering rules for incoming packets.
Remove outgoing packet filtering rules.
# ipf -Fo
This command deactivates packet filtering rules for outgoing packets.
How to Deactivate NAT
The following procedure deactivates Solaris IP Filter NAT rules by flushing the NAT rules from the active NAT rules set. The procedure does not disable Solaris IP Filter. You can reactivate Solaris IP Filter by adding rules to the rule set.
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
Remove NAT from the kernel.
# ipnat -FC
The -C option removes all entries in the current NAT rule listing. The -F option removes all active entries in the current NAT translation table, which shows the currently active NAT mappings.
How to Disable Packet Filtering
When you run this procedure, both packet filtering and NAT are removed from the kernel. If you use this procedure, you must re-enable Solaris IP Filter in order to reactivate packet filtering and NAT. For more information, see How to Re-Enable Solaris IP Filter.
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
Disable packet filtering and allow all packets to pass into the network.
# ipf -D
Note - The ipf -D command flushes the rules from the rule set. When you re-enable filtering, you must add rules to the rule set.
Working With Solaris IP Filter Rule Sets
The following task map identifies the procedures associated with Solaris IP Filter rule sets.
Table 26-3 Working With Solaris IP Filter Rule Sets (Task Map)
Task | Description | For Instructions |
---|---|---|
Manage, view and modify Solaris IP Filter packet filtering rule sets. | ||
View an active packet filtering rule set. | ||
View an inactive packet filtering rule set. | ||
Activate a different active rule set. | How to Activate a Different or Updated Packet Filtering Rule Set | |
Remove a rule set. | ||
Add rules to the rule sets. | How to Append Rules to the Active Packet Filtering Rule Set How to Append Rules to the Inactive Packet Filtering Rule Set | |
Move between active and inactive rule sets. | How to Switch Between Active and Inactive Packet Filtering Rule Sets | |
Delete an inactive rule set from the kernel. | How to Remove an Inactive Packet Filtering Rule Set From the Kernel | |
Manage, view and modify Solaris IP Filter NAT rules. | ||
View active NAT rules. | ||
Remove NAT rules. | ||
Add additional rules to NAT rules. | ||
Manage, view and modify Solaris IP Filter address pools. | ||
View active address pools. | ||
Remove an address pool. | ||
Add additional rules to an address pool. |
Managing Packet Filtering Rule Sets for Solaris IP Filter
When Solaris IP Filter is enabled, both active and inactive packet filtering rule sets can reside in the kernel. The active rule set determines what filtering is being done on incoming packets and outgoing packets. The inactive rule set also stores rules. These rules are not used unless you make the inactive rule set the active rule set. You can manage, view, and modify both active and inactive packet filtering rule sets.
How to View the Active Packet Filtering Rule Set
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
View the active packet filtering rule set that is loaded in the kernel.
# ipfstat -io
Example 26-1 Viewing the Active Packet Filtering Rule Set
The following example shows output from the active packet filtering rule set that is loaded in the kernel.
# ipfstat -io empty list for ipfilter(out) pass in quick on dmfe1 from 192.168.1.0/24 to any pass in all block in on dmfe1 from 192.168.1.10/32 to any |