Enable the custom policy (this specifies the configuration file that ipf reads when it starts; if it is not set, the configuration file has to be loaded by hand every time):
Custom policy file:
Run the firewall service:
# svcadm refresh ipfilter:default
# svcs -a | grep ipfilter
disabled       Sep_20   svc:/network/ipfilter:default
# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: disabled since September 20, 2013 12:21:20 PM PDT
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: man -M /usr/share/man -s 5 ipfilter
Impact: This service is not running.
# svcadm enable svc:/network/ipfilter:default
# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: online since September 23, 2013 05:46:51 AM PDT
   See: man -M /usr/share/man -s 5 ipfilter
   See: /var/svc/log/network-ipfilter:default.log
Impact: None.
Start the IP Filter service.
Disable packet filtering and allow all packets on the network.
Enable IP Filter.
Activate packet filtering.
(Optional) Activate NAT.
An example policy can be copied from /etc/nwam/loc/NoNet/ipf.conf.
Remove the rules active in the kernel.
This command disables all packet-filtering rules.
Remove the inbound packet-filtering rules.
This command disables all inbound packet-filtering rules.
Remove outbound packet filtering.
This command disables all outbound packet-filtering rules.
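The procedure above (write a custom policy, load it, keep the service enabled so it survives reboot) as an added example; this is not code from the original page or from Oracle. It assumes the Solaris 11 locations /usr/sbin/ipf and /usr/sbin/svcadm, the service FMRI svc:/network/ipfilter:default, and placeholder values for the interface (net0) and management network (192.0.2.0/24). The sample policy is constructed for the example. The point it adds to the page's steps is the safe reload order: lint and parse the file with ipf -n first, then load into the inactive set and swap with ipf -s, so the host never sits with an empty rule set the way "flush, then load" can leave it if the load fails.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal custom IP Filter policy
# for Solaris 11 and a reload sequence that cannot leave the host unfiltered.
# Assumptions (placeholders, adjust to your host): the interface is net0, the
# management network is 192.0.2.0/24, ipf lives in /usr/sbin, and the
# ipfilter SMF service svc:/network/ipfilter:default is already online.
# IPF and SVCADM can be overridden (e.g. IPF=true) for a dry run off-box.

IPF=${IPF:-/usr/sbin/ipf}
SVCADM=${SVCADM:-/usr/sbin/svcadm}
FMRI=svc:/network/ipfilter:default

# Write a constructed sample policy to the path given as $1.
# Rules are evaluated top to bottom; "quick" stops at the first match, and
# "keep state" lets replies to a permitted session back in without a
# separate inbound rule.
write_sample_policy() {
    cat > "$1" <<'EOF'
# Loopback is unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
# Outbound sessions are allowed and tracked in the state table
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
# Inbound SSH only from the management network (placeholder prefix)
pass in quick on net0 proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state
# Everything else inbound is logged and dropped
block in log quick all
EOF
}

# Lint the policy before loading it: it must contain an inbound default deny,
# and must not contain an unconditional "pass in ... all", which would
# silently expose every listening service.
policy_is_safe() {
    grep -Eq '^block[[:space:]]+in([[:space:]]+log)?([[:space:]]+quick)?[[:space:]]+all[[:space:]]*$' "$1" || return 1
    grep -Eq '^pass[[:space:]]+in([[:space:]]+quick)?[[:space:]]+all[[:space:]]*$' "$1" && return 1
    return 0
}

# Parse only: ipf -n makes no kernel changes, so a syntax error is caught
# here rather than as a rule set that loads halfway and then fails.
syntax_ok() {
    "$IPF" -n -f "$1" >/dev/null 2>&1
}

# Load the policy into the inactive rule set, then swap it in with ipf -s.
# Unlike "ipf -Fa -f file" (flush, then load), there is no window in which
# the active set is empty.
reload_policy() {
    policy_is_safe "$1" || { echo "refusing policy $1: no default deny or unconditional pass in" >&2; return 1; }
    syntax_ok "$1"      || { echo "ipf rejected $1 (syntax)" >&2; return 1; }
    "$IPF" -I -Fa -f "$1" && "$IPF" -s
}

# Make the rule set survive reboot: the SMF service reloads its configured
# policy file at startup. "-s" waits until the service is online.
enable_service() {
    "$SVCADM" enable -s "$FMRI"
}

# Usage on the host (as root):
#   write_sample_policy /etc/ipf/ipf.conf && reload_policy /etc/ipf/ipf.conf && enable_service
```

The lint is deliberately narrow: it only catches the two mistakes that most often turn a host wide open (no inbound default deny, or a bare "pass in all" left over from testing). Anything subtler still has to be read by a person; ipf -n checks syntax, not intent.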
Some commonly used ipf commands
===============================
ipf -E                       : Enable ipfilter when running for the first time.
                               (Needed for ipf on Tru64)
ipf -f /etc/ipf/ipf.conf     : Load rules in the /etc/ipf/ipf.conf file into the active firewall.
ipf -Fa -f /etc/ipf/ipf.conf : Flush all rules, then load rules in /etc/ipf/ipf.conf into the active firewall.
ipf -Fi                      : Flush all input rules.
ipf -I -f /etc/ipf/ipf.conf  : Load rules in the /etc/ipf/ipf.conf file into the inactive firewall.
ipf -V                       : Show version info and active list.
ipf -s                       : Swap active and inactive firewalls.
ipfstat                      : Show summary.
ipfstat -i                   : Show input list.
ipfstat -o                   : Show output list.
ipfstat -hio                 : Show hits against all rules.
ipfstat -t -T 5              : Monitor the state table and refresh every 5 seconds.
                               Output is similar to 'top' monitoring the process table.

Monitoring
==========
ipmon -s S                   : Watch state table.
ipmon -sn                    : Write logged entries to syslog, and convert back to hostnames and service names.
ipmon -s [file]              : Write logged entries to some file.
ipmon -Ds                    : Run ipmon as a daemon, and log to the default location.
                               (/var/adm/messages for Solaris, maybe.)
                               (/var/log/syslog for Tru64)
References:
http://blog.ls-al.com/solaris-ipfilter-pools/
http://blog.ls-al.com/solaris-11-firewall/