article on enabling ipf in Solaris; what follows here is a little on pools.

Note: this was a Solaris 10 LDOM, so the NIC was vnet0. Check your own NIC name; in Solaris 11 it is most likely net0.
Set up the pools you need as follows.
# pwd
/etc/ipf
# cat ippool.conf
### Pool 13 some essential static addresses
table role = ipf type = tree number = 13
{ 10.1.11.34/32, 10.2.10.6/32 };
### Pool 14 some temporary IP's
table role = ipf type = tree number = 14
{ 192.168.8.0/24, 10.200.97.82/32 };

The number is what the rules refer to (pool/13, pool/14), and type = tree means lookups are done by longest prefix match, so single hosts (/32) and whole networks can sit in the same pool. ippool -l prints the entries separated by ';', the form used in ippool.conf(4); the commas above were accepted as well. Use the pools in your ipf.conf.
# cat ipf.conf
[...]
pass in quick on lo0 all
pass out quick on lo0 all

### Block all inbound and outbound traffic by default.
### "head 100" / "head 150": a packet that matches this rule is then
### checked against the rules in that group, which can override it.
block in log on vnet0 all head 100
block out log on vnet0 all head 150

### Allow inbound SSH connections
pass in quick on vnet0 proto tcp from any to 10.1.11.87 port = 22 keep state group 100

### Use /etc/ipf/ippool.conf for pools.
### No proto or port here, so everything from a pool address is passed.
### These are the last rules in group 100; without "quick" the last
### matching rule wins, so they take precedence over the block above.
pass in on vnet0 from pool/13 group 100
pass in on vnet0 from pool/14 group 100

### Allow my box to utilize all UDP, TCP and ICMP services.
### No "keep state": replies to connections this host initiates are not
### let back in automatically; an inbound rule has to pass them.
pass out quick all

Note what the pool rules grant: any protocol and any port from those source addresses. That is convenient for the static pool, but keep a temporary pool like 14 tight and drop entries as soon as they are no longer needed. Then flush and reload from the file.
# ipf -Fa -f /etc/ipf/ipf.conf

-Fa flushes the loaded inbound and outbound rules before the file is read; it does not touch the state table. Check the running set.
# ipfstat -io
pass out quick on lo0 all
block out log on vnet0 all head 150
pass out quick all
# Group 150
pass in quick on lo0 all
block in log on vnet0 all head 100
# Group 100
pass in quick on vnet0 proto tcp from any to 10.1.11.87/32 port = ssh keep state group 100
pass in on vnet0 from pool/13 to any group 100
pass in on vnet0 from pool/14 to any group 100

Note that after updating ippool.conf you need to reload the pools as well: ipf -f only reloads the rules, which keep matching against whatever pool contents the kernel currently holds.
# ippool -F; ippool -f /etc/ipf/ippool.conf

For me that did not always work, so I also did the following.
# svcadm disable ipfilter
# svcadm refresh ipfilter
# svcadm enable ipfilter

The usual reason the plain ippool reload disappoints is that the kernel will not drop a pool that loaded rules still reference, so ippool -F leaves it in place and the old contents linger. Bouncing the service sidesteps that: disabling it flushes the rules, and the service method loads ippool.conf before ipf.conf on the way back up. By hand, the same order is flush the rules (ipf -Fa), flush the pools (ippool -F), load the pools (ippool -f), then load the rules (ipf -f). Listing the loaded pools saves a lot of time chasing rules that are in fact correct: the rules match against the pool as the kernel holds it, not as the file reads.
# ippool -l
table role = ipf type = tree number = 14
 { 192.168.8.0/24; 10.200.97.82/32; };
table role = ipf type = tree number = 13
 { 10.1.11.34/32; 10.2.10.6/32 };

As always with firewalls: test, test, test.
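One way to do part of that testing offline, before anything is loaded, as an added example that is not from the original post or from the ipfilter project: parse ippool.conf and the pool rules in ipf.conf, ask which rule a packet from a given source address would hit, and flag the two things that cost time in practice, a rule naming a pool the file never defines and a pass keyed only on a source pool. The two configs embedded in the script are constructed from the files above, with one extra rule (pool/99) added on purpose to trip the check; the parser only covers the syntax subset those files use, and every function and name in it is this example's own.

```python
"""Offline check of ipf.conf pool rules against ippool.conf.

Added example, not from the original post or the ipfilter project: parse
the pools and the rules that say 'from pool/N' / 'to pool/N', ask which
rule a packet from a given source would hit, and flag rules that name a
pool the file never defines, without touching the running kernel. Only
the syntax subset used in the post is handled (one '{ ... };' per line).
"""
import ipaddress
import re

# Constructed sample input based on the post's files. Pool 14 uses the ';'
# separators that ippool -l prints; pool 13 keeps the ',' form from the file.
# The pool/99 rule is deliberate: it names a pool that is never defined.
IPPOOL_CONF = """\
table role = ipf type = tree number = 13
{ 10.1.11.34/32, 10.2.10.6/32 };
### Pool 14 some temporary IP's
table role = ipf type = tree number = 14
{ 192.168.8.0/24; 10.200.97.82/32; };
"""
IPF_CONF = """\
block in log on vnet0 all head 100
pass in quick on vnet0 proto tcp from any to 10.1.11.87 port = 22 keep state group 100
pass in on vnet0 from pool/13 group 100
pass in on vnet0 from pool/14 group 100
pass in on vnet0 from pool/99 group 100
pass out quick all
"""
TABLE_RE = re.compile(r"table\s+role\s*=\s*ipf\s+type\s*=\s*\w+\s+number\s*=\s*(\d+)")

def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_ippool(text):
    """Return {pool_number: [ip_network, ...]}; entries may be split by ';' or ','."""
    pools, current = {}, None
    for line in _lines(text):
        m = TABLE_RE.match(line)
        if m:
            current = int(m.group(1))
            pools[current] = []
            line = line[m.end():].strip()       # body may follow on the same line
        if current is not None and "{" in line:
            body = line[line.index("{") + 1:line.index("}")]
            pools[current] += [ipaddress.ip_network(t.strip(), strict=False)
                               for t in re.split(r"[;,]", body) if t.strip()]
            current = None
    return pools

def parse_pool_rules(text):
    """Return only the rules that reference a pool, with the fields lint() needs."""
    rules = []
    for line in _lines(text):
        w = line.split()
        refs = {}
        for k in ("from", "to"):                # 'from pool/N' or 'to pool/N'
            i = w.index(k) + 1 if k in w else len(w)
            if i < len(w) and w[i].startswith("pool/"):
                refs[k] = int(w[i].split("/", 1)[1])
        if refs:
            rules.append({"text": line, "action": w[0], "direction": w[1],
                          "from_pool": refs.get("from"), "to_pool": refs.get("to"),
                          "proto": "proto" in w, "port": "port" in w})
    return rules

def pool_contains(pools, number, addr):
    """True if addr falls in any prefix of the pool (what a 'tree' lookup answers)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in pools.get(number, []))

def rules_for_source(pools, rules, addr, direction="in"):
    """Pool rules, in file order, whose 'from pool/N' covers addr."""
    return [r for r in rules if r["direction"] == direction
            and r["from_pool"] is not None and pool_contains(pools, r["from_pool"], addr)]

def lint(pools, rules):
    """Findings worth fixing before loading: a rule naming a pool that does not
    exist, and a pass keyed only on a source pool, which admits every protocol
    and port from those addresses (fine if intended, but say so)."""
    findings = []
    for r in rules:
        for key in ("from_pool", "to_pool"):
            if r[key] is not None and r[key] not in pools:
                findings.append(f"undefined pool/{r[key]}: {r['text']}")
        if r["action"] == "pass" and r["from_pool"] is not None and not (r["proto"] or r["port"]):
            findings.append(f"pass from pool/{r['from_pool']} limits neither proto nor port: {r['text']}")
    return findings

if __name__ == "__main__":
    pools, rules = parse_ippool(IPPOOL_CONF), parse_pool_rules(IPF_CONF)
    for addr in ("10.200.97.82", "192.168.8.77", "10.1.11.87"):
        hits = [r["text"] for r in rules_for_source(pools, rules, addr)]
        print(addr, "->", hits or "no pool rule")
    for f in lint(pools, rules):
        print("WARN", f)
```

Run it as a script to see the lookups and the warnings. It never talks to the kernel, so once the real files are loaded compare its view with ippool -l and ipfstat -io; if they disagree, the kernel is what the packets are matched against.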