Configuring Solaris IP Filter
The following task map identifies the procedures associated with configuring Solaris IP Filter.
Table 26-1 Configuring Solaris IP Filter (Task Map)

Task: Initially enable Solaris IP Filter.
Description: Solaris IP Filter is not enabled by default. You must either enable it manually or use the configuration files in the /etc/ipf/ directory and reboot the system. Beginning with the Solaris Express, Developer Edition 2/07 release, packet filter hooks replaced the pfil module to enable Solaris IP Filter.
For Instructions: How to Enable Solaris IP Filter

Task: Re-enable Solaris IP Filter.
Description: If Solaris IP Filter is deactivated or disabled, you can re-enable Solaris IP Filter either by rebooting the system or by using the ipf command.
For Instructions: How to Re-Enable Solaris IP Filter

Task: Enable loopback filtering.
Description: As an option, you can enable loopback filtering, for example, to filter traffic between zones.
For Instructions: How to Enable Loopback Filtering
How to Enable Solaris IP Filter
Use this procedure to enable Solaris IP Filter on a system that is running at least the Solaris Express, Developer Edition 2/07 OS.

- Assume a role that includes the IP Filter Management rights profile, or become superuser.
  You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Create a packet filtering rule set.
  The packet filtering rule set contains the packet filtering rules that Solaris IP Filter uses. If you want the packet filtering rules to be loaded at boot time, put the IPv4 rules in the /etc/ipf/ipf.conf file and the IPv6 rules in the /etc/ipf/ipf6.conf file. If you do not want the packet filtering rules loaded at boot time, put the rules in a file of your choice and activate packet filtering manually. For information about packet filtering, see Using Solaris IP Filter's Packet Filtering Feature. For information about working with configuration files, see Creating and Editing Solaris IP Filter Configuration Files.
- (Optional) Create a network address translation (NAT) configuration file.
  Note - Network Address Translation (NAT) does not support IPv6.
  Create an ipnat.conf file if you want to use network address translation. If you want the NAT rules to be loaded at boot time, create the file as /etc/ipf/ipnat.conf and put the NAT rules in it. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice and activate the NAT rules manually. For more information about NAT, see Using Solaris IP Filter's NAT Feature.
- (Optional) Create an address pool configuration file.
  Create an ippool.conf file if you want to refer to a group of addresses as a single address pool. If you want the address pool configuration file to be loaded at boot time, create the file as /etc/ipf/ippool.conf and put the address pool in it. If you do not want the address pool configuration file loaded at boot time, put the ippool.conf file in a location of your choice and activate the rules manually. An address pool can contain only IPv4 addresses, only IPv6 addresses, or both. For more information about address pools, see Using Solaris IP Filter's Address Pools Feature.
- (Optional) Enable filtering of loopback traffic.
  If you intend to filter traffic between zones that are configured on your system, you must enable loopback filtering. See How to Enable Loopback Filtering. Make sure that you also define the appropriate rule sets that apply to the zones.
- Activate Solaris IP Filter.
  # svcadm enable network/ipfilter
How to Re-Enable Solaris IP Filter
You can re-enable packet filtering after it has been temporarily disabled.

- Assume a role that includes the IP Filter Management rights profile, or become superuser.
  You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Enable Solaris IP Filter and activate filtering using one of the following methods:
  - Reboot the machine.
    # reboot
    Note - When IP Filter is enabled, the following files are loaded after a reboot if they are present: the /etc/ipf/ipf.conf file, the /etc/ipf/ipf6.conf file (when using IPv6), and the /etc/ipf/ipnat.conf file.
  - Perform the following series of commands to enable Solaris IP Filter and activate filtering:
    - Enable Solaris IP Filter.
      # ipf -E
    - Activate packet filtering.
      # ipf -f filename
    - (Optional) Activate NAT.
      # ipnat -f filename
      Note - Network Address Translation (NAT) does not support IPv6.
How to Enable Loopback Filtering
Note - You can filter loopback traffic only if your system is running at least the Solaris Express, Developer Edition 2/07 release. In previous Solaris 10 releases, loopback filtering is not supported.

- Assume a role that includes the IP Filter Management rights profile, or become superuser.
  You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Stop Solaris IP Filter if it is running.
  # svcadm disable network/ipfilter
- Edit the /etc/ipf/ipf.conf or /etc/ipf/ipf6.conf file by adding the following line at the beginning of the file:
  set intercept_loopback true;
  This line must precede all the IP Filter rules that are defined in the file. However, you can insert comments before the line, as in the following example:
  #
  # Enable loopback filtering to filter between zones
  #
  set intercept_loopback true;
  #
  # Define policy
  #
  block in all
  block out all
  <other rules>
  ...
- Start Solaris IP Filter.
  # svcadm enable network/ipfilter
- To verify the status of loopback filtering, use the following command:
  # ipf -T ipf_loopback
  ipf_loopback min 0 max 0x1 current 1
  #
  If loopback filtering is disabled, the command generates the following output instead:
  ipf_loopback min 0 max 0x1 current 0
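Two points in this procedure are easy to get wrong and are worth checking before the service is re-enabled: the set intercept_loopback true; line must come before the first rule (only comments may precede it), and the ipf -T ipf_loopback output must show current 1 afterwards. The following POSIX sh script is an added example and not part of the Solaris documentation. It assumes only the ipf.conf syntax shown above (# comments, set lines, rules such as block in all); it writes constructed sample files into a temporary directory rather than touching /etc/ipf, and it interprets a captured ipf -T output line instead of running ipf itself.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation).
# Pre-flight checks for the loopback-filtering procedure above:
#   1. check_loopback_setting FILE  - is "set intercept_loopback true;" placed
#                                     before the first rule (comments may precede it)?
#   2. loopback_state LINE          - interpret one line of "ipf -T ipf_loopback" output.
# Assumes the ipf.conf syntax shown on the page: "#" comments, "set" lines and
# rules such as "block in all". Nothing here runs ipf or touches /etc/ipf.

# Exit status: 0 = setting precedes every rule, 1 = setting absent,
#              2 = a rule appears before the setting.
check_loopback_setting() {
    seen_rule=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip leading whitespace with POSIX parameter expansion.
        stripped=${line#"${line%%[![:space:]]*}"}
        case $stripped in
            ''|'#'*)
                continue ;;                 # blank lines and comments are allowed anywhere
            "set intercept_loopback true;"*)
                if [ "$seen_rule" -eq 0 ]; then
                    return 0                # correct position
                fi
                return 2 ;;                 # too late: a rule precedes it
            *)
                seen_rule=1 ;;              # any other statement counts as a rule
        esac
    done < "$1"
    return 1
}

# Print enabled/disabled/unknown for a line such as
# "ipf_loopback min 0 max 0x1 current 1".
loopback_state() {
    case $1 in
        ipf_loopback*" current "*)
            cur=${1##*" current "}
            cur=${cur%"${cur##*[![:space:]]}"}   # trim trailing whitespace
            case $cur in
                1) echo enabled ;;
                0) echo disabled ;;
                *) echo unknown ;;
            esac ;;
        *)
            echo unknown ;;
    esac
}

# Write three constructed configuration files into DIR
# (sample data for the demonstration, not real system files).
write_samples() {
    cat > "$1/good.conf" <<'EOF'
#
# Enable loopback filtering to filter between zones
#
set intercept_loopback true;
#
# Define policy
#
block in all
block out all
EOF
    cat > "$1/late.conf" <<'EOF'
block in all
set intercept_loopback true;
block out all
EOF
    cat > "$1/missing.conf" <<'EOF'
block in all
block out all
EOF
}

# Demonstration on the constructed samples.
samples=$(mktemp -d)
write_samples "$samples"
for name in good late missing; do
    rc=0
    check_loopback_setting "$samples/$name.conf" || rc=$?
    echo "$name.conf: check_loopback_setting returned $rc"
done
loopback_state 'ipf_loopback min 0 max 0x1 current 1'   # enabled
loopback_state 'ipf_loopback min 0 max 0x1 current 0'   # disabled
rm -rf "$samples"
```

To use the check against a real configuration, run check_loopback_setting on the file you edited and treat any non-zero exit status as a reason not to run svcadm enable yet; the state parser can be fed the line captured from ipf -T ipf_loopback after the service is back up.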