
How to Append Rules to the Inactive Packet Filtering Rule Set

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.

  2. Create a rule set in a file of your choice.

  3. Add the rules you have created to the inactive rule set.

    # ipf -I -f filename

    The rules in filename are appended to the end of the inactive rule set. Because Solaris IP Filter uses a "last matching rule" algorithm, rules that are appended are evaluated last and therefore take precedence over the rules already in the set, unless you use the quick keyword. If a packet matches a rule containing the quick keyword, the action for that rule is taken and no subsequent rules are checked.

Example 26-7   Appending Rules to the Inactive Rule Set

The following example shows how to add a rule to the inactive rule set from a file.

# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all
# ipf -I -f /etc/ipf/ipf.conf
# ipfstat -I -io
pass out quick on dmfe1 all
pass in quick on dmfe1 all
block in log quick from 10.0.0.0/8 to any

How to Switch Between Active and Inactive Packet Filtering Rule Sets

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.

  2. Switch the active and inactive rule sets.

    # ipf -s

    This command enables you to switch between the active and inactive rule sets in the kernel. Note that if the inactive rule set is empty, there is no packet filtering.

Example 26-8   Switching Between the Active and Inactive Packet Filtering Rule Sets

The following example shows how using the ipf -s command results in the inactive rule set becoming the active rule set and the active rule set becoming the inactive rule set.

  • Before running the ipf -s command, the output from the ipfstat -I -io command shows the rules in the inactive rule set. The output from the ipfstat -io command shows the rules in the active rule set.

    # ipfstat -io
    empty list for ipfilter(out)
    block in log quick from 10.0.0.0/8 to any
    block in on dmfe1 proto tcp from 10.1.1.1/32 to any
    # ipfstat -I -io
    pass out quick on dmfe1 all
    pass in quick on dmfe1 all
    block in log quick from 10.0.0.0/8 to any

  • After running the ipf -s command, the output from the ipfstat -I -io and ipfstat -io commands shows that the contents of the two rule sets have been switched.

    # ipf -s
    Set 1 now inactive
    # ipfstat -io
    pass out quick on dmfe1 all
    pass in quick on dmfe1 all
    block in log quick from 10.0.0.0/8 to any
    # ipfstat -I -io
    empty list for inactive ipfilter(out)
    block in log quick from 10.0.0.0/8 to any
    block in on dmfe1 proto tcp from 10.1.1.1/32 to any

How to Remove an Inactive Packet Filtering Rule Set From the Kernel

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.

  2. Specify the inactive rule set in the "flush all" command.

    # ipf -I -Fa

    This command flushes the inactive rule set from the kernel.


    Note - If you subsequently run ipf -s, the empty inactive rule set will become the active rule set. An empty active rule set means that no filtering will be done.
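The following shell functions are an added example, not part of the Sun documentation: they guard the switch described in this procedure and in the note above by counting the rules reported by ipfstat -I -io and refusing to run ipf -s when the inactive rule set is empty. The counting logic reads rule text from stdin, so it can be checked against constructed ipfstat output without a running IP Filter; only safe_switch calls the real ipfstat and ipf commands.

```shell
#!/bin/sh
# Added example, not from the Sun documentation: guard "ipf -s" so that an
# empty inactive rule set is never promoted to the active set (which would
# leave the system with no packet filtering at all).

# Count the filter rules in "ipfstat -I -io" style output read from stdin.
# ipfstat prints "empty list for inactive ipfilter(in|out)" for a list that
# holds no rules, so those lines and blank lines are excluded from the count.
inactive_rule_count() {
    grep -v -e '^empty list for' -e '^[[:space:]]*$' | grep -c . || true
}

# Succeed (exit 0) only if the output on stdin contains at least one rule.
inactive_rules_present() {
    [ "$(inactive_rule_count)" -gt 0 ]
}

# Run "ipf -s" only when the inactive rule set is non-empty. The set that is
# about to become active is printed first so the change is visible in the
# shell history or a session log.
safe_switch() {
    inactive="$(ipfstat -I -io)"
    if printf '%s\n' "$inactive" | inactive_rules_present; then
        printf 'Activating the following rule set:\n%s\n' "$inactive"
        ipf -s
    else
        echo 'inactive rule set is empty; refusing to switch (no filtering would occur)' >&2
        return 1
    fi
}
```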


Example 26-9   Removing an Inactive Packet Filtering Rule Set From the Kernel

The following example shows how to flush the inactive packet filtering rule set so that all of its rules are removed.

# ipfstat -I -io
empty list for inactive ipfilter(out)
block in log quick from 10.0.0.0/8 to any
block in on dmfe1 proto tcp from 10.1.1.1/32 to any
# ipf -I -Fa
# ipfstat -I -io
empty list for inactive ipfilter(out)
empty list for inactive ipfilter(in)

Managing NAT Rules for Solaris IP Filter

Use the following procedures to manage, view, and modify NAT rules.

How to View Active NAT Rules

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.

  2. View the active NAT rules.

    # ipnat -l

Example 26-10   Viewing Active NAT Rules

The following example shows the output that lists the active NAT rule set.

# ipnat -l
List of active MAP/Redirect filters:
map dmfe0 192.168.1.0/24 -> 20.20.20.1/32

List of active sessions:

How to Remove NAT Rules

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.

  2. Remove the current NAT rules.

    # ipnat -C

Example 26-11   Removing NAT Rules

The following example shows how to remove the entries in the current NAT rule set.

# ipnat -l
List of active MAP/Redirect filters:
map dmfe0 192.168.1.0/24 -> 20.20.20.1/32

List of active sessions:
# ipnat -C
1 entries flushed from NAT list
# ipnat -l
List of active MAP/Redirect filters:

List of active sessions:
