1- Start by check ipfilter status if it’s running you can go ahead and configure rules
-bash-3.00$ svcs -a|grep -i ipfil
online 10:29:37 svc:/network/ipfilter:default
if it’s disabled enable it
#svcadm enable ipfilter
2- Display rules
#bash-3.00ipfstat -io
block out all
pass out quick on lo0 all
pass out quick on eri0 proto tcp/udp from eri0/32 to any port = domain with keep state
pass out quick on eri0 proto tcp from eri0/32 to any port = http keep state
pass out quick on eri0 proto icmp from 192.168.1.0/24 to 192.168.1.0/24
block in all
pass in quick on lo0 all
pass in quick on eri0 proto icmp from 192.168.1.0/24 to 192.168.1.0/24
pass in quick on eri0 proto tcp from any to eri0/32 port = http keep state
pass in quick on eri0 proto tcp/udp from any to eri0/32 port = domain with keep state
3- Edit rules
under
/etc/ipf/ipf.conf
#vi /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
####
set intercept_loopback true;
block in all
block out all
### inbound traffic ###
pass in quick on lo0 all
pass in quick on eri0 proto icmp from 192.168.1.0/24 to 192.168.1.0/24
pass in quick on eri0 proto tcp from any to eri0/32 port = http keep state
pass in quick on eri0 proto tcp/udp from any to eri0/32 port = domain keep statepass out quick on lo0 all
pass out quick on eri0 proto tcp/udp from eri0/32 to any port = 53 keep state
pass out quick on eri0 proto tcp from eri0/32 to any port = http keep state
pass out quick on eri0 proto icmp from 192.168.1.0/24 to 192.168.1.0/24
Recent Comments