Monday, October 31, 2005

It is good to divide incoming and outgoing traffic

into separate groups

"flags S"

matches packets with ONLY the SYN flag set

"group 200" means that the

rule must be put in group 200 instead of default group 0

"head 100" means that a

new group 100 must be created

"keep state" saves ? and allows ?

1) saves history of a packet (state)
2) allows similar packets to go straight through rather than being checked against the access control list individually.
* state can be saved for TCP, UDP, and ICMP

Default filter group is

0

ipf.conf notation for the IP Filter machine

0/32

Save logged packets to a file and view it (2)

1) cat /dev/ipl > /tmp/file
   ^C to stop
2) ipmon -f /tmp/file
* ipl stands for IP log

Flush packet log file

ipmon -F

View all log files combined

ipmon -a

View normal IP log file

ipmon -o I

View state log only

ipmon -o S

View NAT log only

ipmon -o N

View pfil statistics

ndd -get /dev/pfil qif_status

Display NAT statistics

ipnat -s

Per-protocol state statistics

ipfstat -s

Real-time IP Filter stats

ipfstat -t

Append rules to an address pool (2)

1) save rules in a file
2) ippool -f filename

Remove an address pool

ippool -F

View active address pools

ippool -l

Append rules to the current NAT rule set (2)

1) save rules in a file
2) ipnat -f filename

Flush all current NAT rules

ipnat -C

List active NAT rules

ipnat -l

Flush inactive rule set

ipf -I -Fa

Switch active and inactive rule sets

ipf -s

Append rules to the inactive rules set (2)

1) add rules to a file
2) ipf -I -f filename

Append rules to the active rule set (2)

1) add rules to a file
2) ipf -f filename

Activate a new rule set from /etc/ipf/ipf.conf

ipf -Fa -f /etc/ipf/ipf.conf

List inactive rule set

ipfstat -I -io

List active rule set

ipfstat -io

Deactivate all rule sets

ipf -Fa

Deactivate outgoing traffic filter rules

ipf -Fo

Deactivate incoming traffic filter rules

ipf -Fi

After enabling the pfil module, either

reboot
or
unplumb and plumb the interfaces

To load ipf.conf from an alternative location

ipf -f filename

Does IP Filter apply filtering rules to IPv6 traffic?

No. It blocks all inet6 traffic instead.

First step to enable IP Filter (2)

1) uncomment eri in /etc/ipf/pfil.ap
2) svcadm restart network/pfil
* .ap for Access Point

Address pool command

ippool

Address pool config file

/etc/ipf/ippool.conf

In addition to address translation, NAT can be used

to redirect traffic from one port to another port
* ipnat rdr command

Command to work with NAT

ipnat

Every action is followed by

1) in
or
2) out

The "magnificent seven" actions of IP Filter

PPCslab:
P : preauth
P : pass
C : count
S : skip
L : log
A : auth
B : block
* Slab of a PowerPC

Every rule begins with

an action

To view IP Filter statistics

ipfstat

To view ip packet log

ipmon

Two ways to skip checking the entire rule set

1) If a rule has a "quick" keyword, action is taken and no subsequent rules are checked
2) If a packet matches a rule with a "group" keyword, only rules tagged with the group are checked

Before passing or blocking a packet, IP Filter checks

the entire rule set

Flag for the inactive rule set

ipf -I

Two sets of packet-filtering rules

1) active rule set
2) inactive rule set

Command to configure rules

ipf

Firewall and NAT config files

firewall: /etc/ipf/ipf.conf
NAT: /etc/ipf/ipnat.conf

Default dir for IP Filter

/etc/ipf

Is IP Filter activated by default?

No (it is installed with the OS, though)

Two services for IP Filter

1) IP Filter: network/ipfilter
2) packet filter: network/pfil