Deactivating and Disabling Solaris IP Filter
You might want to deactivate or disable packet filtering and NAT under the
following circumstances:
The following task map identifies the procedures associated with deactivating or disabling Solaris
IP Filter features.
Table 26-2 Deactivating and Disabling Solaris IP Filter (Task Map)
How to Deactivate Packet Filtering
The following procedure deactivates Solaris IP Filter packet filtering by flushing the packet
filtering rules from the active filtering rule set. The procedure does not disable
Solaris IP Filter. You can reactivate Solaris IP Filter by adding rules to
the rule set.
- Assume a role that includes the IP Filter Management rights profile, or become
superuser.
You can assign the IP Filter Management rights profile to a role that
you create. To create the role and assign the role to a user,
see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Use one of the following methods to deactivate Solaris IP Filter rules:
  - Remove the active rule set from the kernel.
    # ipf -Fa
    This command deactivates all packet filtering rules.
  - Remove incoming packet filtering rules.
    # ipf -Fi
    This command deactivates packet filtering rules for incoming packets.
  - Remove outgoing packet filtering rules.
    # ipf -Fo
    This command deactivates packet filtering rules for outgoing packets.
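To confirm which rule sets a flush actually emptied, you can inspect the active rule sets afterward. The following script is an added example, not part of the original procedure. It assumes that the ipfstat -io command reports an empty rule set with the lines "empty list for ipfilter(in)" and "empty list for ipfilter(out)"; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which packet filtering rule sets are empty,
# based on the text that `ipfstat -io` prints (assumed format, see lead-in).

# Reads `ipfstat -io` output on stdin and prints one of:
#   both - inbound and outbound rule sets are empty (state after `ipf -Fa`)
#   in   - only the inbound rule set is empty       (state after `ipf -Fi`)
#   out  - only the outbound rule set is empty      (state after `ipf -Fo`)
#   none - both rule sets still contain rules
flushed_sets() {
    in_empty=0
    out_empty=0
    # The `|| [ -n "$line" ]` keeps a final line that lacks a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "empty list for ipfilter(in)")  in_empty=1 ;;
            "empty list for ipfilter(out)") out_empty=1 ;;
        esac
    done
    case "$in_empty$out_empty" in
        11) echo both ;;
        10) echo in ;;
        01) echo out ;;
        *)  echo none ;;
    esac
}

# Hypothetical wrapper for a live system: requires the same privileges
# as the flush commands themselves.
check_live() {
    ipfstat -io | flushed_sets
}

# Constructed sample: output after `ipf -Fi` on a host that still has
# one outbound rule loaded (the interface name is made up).
SAMPLE_AFTER_FI='pass out quick on elxl0 all
empty list for ipfilter(in)'

printf '%s\n' "$SAMPLE_AFTER_FI" | flushed_sets
```

A result of "both" after the flush means that no packet filtering rules remain active until rules are added to the rule set again.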
How to Deactivate NAT
The following procedure deactivates Solaris IP Filter NAT rules by flushing the NAT
rules from the active NAT rule set. The procedure does not disable Solaris
IP Filter. You can reactivate Solaris IP Filter by adding rules to the
rule set.
- Assume a role that includes the IP Filter Management rights profile, or become
superuser.
You can assign the IP Filter Management rights profile to a role that
you create. To create the role and assign the role to a user,
see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Remove NAT from the kernel.
# ipnat -FC
The -C option removes all entries in the current NAT rule listing. The
-F option removes all active entries in the current NAT translation table, which
shows the currently active NAT mappings.
How to Disable Packet Filtering
When you run this procedure, both packet filtering and NAT are removed from
the kernel. If you use this procedure, you must re-enable Solaris IP
Filter in order to reactivate packet filtering and NAT. For more information, see
How to Re-Enable Solaris IP Filter.
- Assume a role that includes the IP Filter Management rights profile, or become
superuser.
You can assign the IP Filter Management rights profile to a role that
you create. To create the role and assign the role to a user,
see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Disable packet filtering and allow all packets to pass into the network.
# ipf -D
Note - The ipf -D command flushes the rules from the rule set. When you re-enable
filtering, you must add rules to the rule set.