Guidelines for Using IP Filter

• IP Filter is managed by the SMF service svc:/network/ipfilter. For a complete overview of SMF, see Chapter 1, Managing Services (Overview), in Managing Services and Faults in Oracle Solaris 11.1. For information on the step-by-step procedures that are associated with SMF, see Chapter 2, Managing Services (Tasks), in Managing Services and Faults in Oracle Solaris 11.1.

• IP Filter requires direct editing of configuration files.

• IP Filter is installed as part of Oracle Solaris. By default, the IP Filter service is enabled when your system is configured to use automatic networking. The automatic network profile, as described on the nwam(5) and netadm(1M) man pages, enables this firewall. For a custom configuration on an automatically networked system, the IP Filter service is not enabled. For the tasks associated with enabling the service, see Configuring IP Filter.

• To administer IP Filter, you must assume the root role or able to assume a role that includes the IP Filter Management rights profile. You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Initially Configuring RBAC (Task Map) in Oracle Solaris 11.1 Administration: Security Services.

• Oracle Solaris Cluster software does not support filtering with IP Filter for scalable services, but does support IP Filter for failover services. For guidelines and restrictions when configuring IP Filter in a cluster, see “Oracle Solaris OS Feature Restrictions” in Oracle Solaris Cluster Software Installation Guide.

• Filtering between zones is supported provided that the IP Filter rules are implemented in a zone that functions as a virtual router for the other zones on the system.