

How to View the Inactive Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.

  2. View the inactive packet filtering rule set.

    # ipfstat -I -io

Example 26-2   Viewing the Inactive Packet Filtering Rule Set

The following example shows output from the inactive packet filtering rule set.

# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all

How to Activate a Different or Updated Packet Filtering Rule Set

Use the following procedure if you want to perform either of the following tasks:

  • Activate a packet filtering rule set other than the one that is currently in use by Solaris IP Filter.

  • Reload the same filtering rule set that has been newly updated.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.

  2. Choose one of the following steps:

    • Create a new rule set in a separate file of your choice if you want to activate an entirely different rule set.

    • Update the current rule set by editing the configuration file that contains that rule set.

  3. Remove the current rule set and load the new rule set.

    # ipf -Fa -f filename

    The filename can either be the new file with the new rule set or the updated file that contains the active rule set.

    The active rule set is removed from the kernel. The rules in the filename file become the active rule set.


    Note - You still need to issue the command even if you are reloading the current configuration file. Otherwise, the old rule set continues to be operative, and the modified rule set in the updated configuration file is not applied.

    Do not use commands such as ipf -D or svcadm restart to load the updated rule set. Such commands expose your network by disabling the firewall first before loading the new rule set.


Example 26-3   Activating a Different Packet Filtering Rule Set

The following example shows how to replace one packet filtering rule set with another packet filtering rule set in a separate configuration file, /etc/ipf/ipf.conf.

# ipfstat -io
empty list for ipfilter(out)
pass in quick on dmfe all
# ipf -Fa -f /etc/ipf/ipf.conf
# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any

Example 26-4   Reloading an Updated Packet Filtering Rule Set

The following example shows how to reload a packet filtering rule set that is currently active and has since been updated. In this example, the file in use is /etc/ipf/ipf.conf.

# ipfstat -io (Optional)
empty list for ipfilter (out)
block in log quick from 10.0.0.0/8 to any

(Edit the /etc/ipf/ipf.conf configuration file.)

# ipf -Fa -f /etc/ipf/ipf.conf
# ipfstat -io (Optional)
empty list for ipfilter (out)
block in log quick from 10.0.0.0/8 to any
block in quick on elx10 from 192.168.0.0/12 to any

How to Remove a Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.

  2. Remove the rule set.

    # ipf -F [a|i|o]

    -a    Removes all filtering rules from the rule set.

    -i    Removes the filtering rules for incoming packets.

    -o    Removes the filtering rules for outgoing packets.

Example 26-5   Removing a Packet Filtering Rule Set

The following example shows how to remove all filtering rules from the active filtering rule set.

# ipfstat -io
block out log on dmf0 all
block in log quick from 10.0.0.0/8 to any
# ipf -Fa
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

How to Append Rules to the Active Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.

  2. Use one of the following methods to append rules to the active rule set:

    • Append rules to the rule set at the command line using the ipf -f - command.

      # echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f -

    • Perform the following commands:

      1. Create a rule set in a file of your choice.

      2. Add the rules you have created to the active rule set.

        # ipf -f filename

        The rules in filename are added to the end of the active rule set. Because Solaris IP Filter uses a "last matching rule" algorithm, rules appended at the end take precedence over earlier rules that match the same packet, unless a rule uses the quick keyword. If the packet matches a rule containing the quick keyword, the action for that rule is taken, and no subsequent rules are checked.

Example 26-6   Appending Rules to the Active Packet Filtering Rule Set

The following example shows how to add a rule to the active packet filtering rule set from the command line.

# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
# echo "block in on dmfe1 proto tcp from 10.1.1.1/32 to any" | ipf -f -
# ipfstat -io
empty list for ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any
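The "last matching rule" behaviour described in step 2, and the rule set produced in Example 26-6, can be modelled in a few lines. The following Python is an added illustration, not part of the Solaris documentation or of the ipf code: it parses only the rule forms that appear on this page and reports which rule decides a packet, starting from ipf's default of passing a packet that no rule matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")   # "any" / "all": every address
KEYWORD_FIELD = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in" or "out"
    quick: bool = False               # stop evaluating once this rule matches
    iface: Optional[str] = None       # None: any interface
    proto: Optional[str] = None       # None: any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY

def parse_rule(text):
    """Parse <pass|block> <in|out> [log] [quick] [on IF] [proto P] (all | from S to D)."""
    tok = text.split()
    r, i = Rule(tok[0], tok[1]), 2
    while i < len(tok):
        t = tok[i]
        if t in ("log", "all"):       # neither changes the filtering decision
            i += 1
        elif t == "quick":
            r.quick, i = True, i + 1
        else:                         # on / proto / from / to take one argument
            val = tok[i + 1]
            if t in ("from", "to"):
                val = ANY if val == "any" else ipaddress.ip_network(val, strict=False)
            setattr(r, KEYWORD_FIELD[t], val)   # KeyError: keyword not modelled here
            i += 2
    return r

def evaluate(rules, direction, iface, proto, src, dst):
    """Return (action, index of deciding rule); ipf passes a packet no rule matches."""
    result = ("pass", None)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if r.direction != direction or s not in r.src or d not in r.dst:
            continue
        if (r.iface and r.iface != iface) or (r.proto and r.proto != proto):
            continue
        result = (r.action, idx)      # last matching rule wins ...
        if r.quick:
            break                     # ... unless it is quick: stop evaluating
    return result
```

Run against the Example 26-6 rule set, the appended rule for 10.1.1.1/32 is never the deciding rule, because the earlier quick rule for 10.0.0.0/8 already matches that source and stops evaluation.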

Copyright 1994-2007 Sun Microsystems, Inc.