Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1558849.1
Update Date: 2016-07-01

Solution Type: Technical Instruction Sure

Solution 1558849.1: Sun SPARC Enterprise M3000/M4000/M5000/M8000/M9000 - How to enable packet filtering on the XSCF


Related Items
  • Sun SPARC Enterprise M4000 Server
  • Sun SPARC Enterprise M9000-32 Server
  • Sun SPARC Enterprise M9000-64 Server
  • Sun SPARC Enterprise M5000 Server
  • Sun SPARC Enterprise M8000 Server
  • Sun SPARC Enterprise M3000 Server
Related Categories
  • PLA-Support>Sun Systems>SPARC>Enterprise>SN-SPARC: Mx000




Applies to:

Sun SPARC Enterprise M3000 Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Enterprise M4000 Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Enterprise M5000 Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Enterprise M8000 Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Enterprise M9000-32 Server - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Goal

XCP 1092 and later firmware adds optional IPv4 packet filtering on the XSCF. This document gives examples and command-usage guidelines for setting up this feature.

Solution

When setting up IPv4 packet filtering on an XSCF, it is highly recommended that the commands are run over the serial console connection to the XSCF rather than over a network session. The 'setpacketfilters' settings take effect immediately, so it is very easy to lock yourself out of network access to the XSCF by adding a rule that drops the very session you are typing it from; a serial console session carries no IP traffic and is not affected by the filter.

IPv4 packet filtering on the XSCF of an Mx000 system running XCP 1092 or later is managed with two commands, 'setpacketfilters' and 'showpacketfilters'. Refer to the man pages for these two commands for full details; they are available at the XSCF> prompt. This document repeats some of the examples from the 'setpacketfilters' man page, along with general tips and expanded examples.

 

Example 1 - Dropping all packets from a single IPv4 address

Drops every IP packet sent from the address 10.10.10.10, on any XSCF LAN interface since no -i is given. The XSCF echoes the rule back with an explicit host mask:
XSCF> setpacketfilters -c add -s 10.10.10.10 -j DROP
-s 10.10.10.10/255.255.255.255 -j DROP
NOTE: applied IP packet filtering rules. Continue? [y|n] :y
XSCF>

Example 2 - Only allowing access from the XSCF's local subnet on xscf#0-lan#0; all other packets arriving on xscf#0-lan#0 from outside that subnet are dropped

First confirm the interface's address and netmask with 'shownetwork -a':
XSCF> shownetwork -a
xscf#0-lan#0
          Link encap:Ethernet  HWaddr 00:21:28:A7:3F:22
          inet addr:10.145.230.80  Bcast:10.145.231.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16149486 errors:0 dropped:0 overruns:0 frame:0
          TX packets:942 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1198073015 (1.1 GiB)  TX bytes:89060 (86.9 KiB)
          Base address:0xe000

XSCF> setpacketfilters -c add -s 10.145.230.0/255.255.252.0 -i xscf#0-lan#0 -j ACCEPT
-s 10.145.228.0/255.255.252.0 -i xscf#0-lan#0 -j ACCEPT
NOTE: applied IP packet filtering rules.
Continue? [y|n] :y

XSCF> setpacketfilters -c add -i xscf#0-lan#0 -j DROP
-s 10.145.228.0/255.255.252.0 -i xscf#0-lan#0 -j ACCEPT
-i xscf#0-lan#0 -j DROP
NOTE: applied IP packet filtering rules.
Continue? [y|n] :y

XSCF> showpacketfilters -a
-s 10.145.228.0/255.255.252.0 -i xscf#0-lan#0 -j ACCEPT
-i xscf#0-lan#0 -j DROP

 

Please note - when doing this kind of packet filtering, the 'DROP' rule(s) must be added last. 'setpacketfilters' appends each new rule to the bottom of the rule list, and the filter evaluates the list from the top down, acting on the first rule that matches. If a "drop everything on this interface" rule such as the one above is added first, every IPv4 packet arriving on that LAN port matches it before the ACCEPT rule is ever consulted, and all Ethernet access to the XSCF through that port is lost.

Also note that the XSCF stores and displays the rule with the canonical network address: 10.145.230.0/255.255.252.0 was entered, but under a 22-bit mask (255.255.252.0) the network is 10.145.228.0, covering 10.145.228.0 through 10.145.231.255 and therefore including the interface address 10.145.230.80, so 'showpacketfilters' shows 10.145.228.0/255.255.252.0. Finally, both rules are bound to xscf#0-lan#0 only; a second LAN port, if one is configured, remains unfiltered until it is given rules of its own.

 

Example 3 - Deleting a single rule from an existing rule set

The rule to delete is specified with the same options used to add it; the remaining rule list is echoed back:
XSCF> showpacketfilters -a
-s 172.16.0.0/255.255.0.0 -i xscf#0-lan#0 -j DROP
-s 10.10.10.10/255.255.255.255 -j DROP
 
XSCF> setpacketfilters -c del -s 10.10.10.10 -j DROP
-s 172.16.0.0/255.255.0.0 -i xscf#0-lan#0 -j DROP
NOTE: applied IP packet filtering rules.
Continue? [y|n] :y
XSCF>

 

Example 4 - Removing all rules

Clears the entire rule list; the now-empty list is echoed back as '(none)':
XSCF> setpacketfilters -c clear
(none)
NOTE: applied IP packet filtering rules.
Continue? [y|n] :y
XSCF>

Example 5 - Allowing multiple administrative host IP addresses and denying all others on both XSCF LAN ports

No -i is given, so each rule applies to every XSCF LAN interface. The ACCEPT rule for each administrative host is added first and the catch-all DROP last:
XSCF> setpacketfilters -c add -s 10.10.10.10 -j ACCEPT
-s 10.10.10.10/255.255.255.255 -j ACCEPT
NOTE: applied IP packet filtering rules.
Continue? [y|n] :y

XSCF> setpacketfilters -c add -s 12.12.12.12 -j ACCEPT
-s 10.10.10.10/255.255.255.255 -j ACCEPT
-s 12.12.12.12/255.255.255.255 -j ACCEPT
NOTE: applied IP packet filtering rules.
Continue? [y|n] :y

XSCF> setpacketfilters -c add -s 14.14.14.14 -j ACCEPT
-s 10.10.10.10/255.255.255.255 -j ACCEPT
-s 12.12.12.12/255.255.255.255 -j ACCEPT
-s 14.14.14.14/255.255.255.255 -j ACCEPT
NOTE: applied IP packet filtering rules.
Continue? [y|n] :y

XSCF> setpacketfilters -c add -j DROP
-s 10.10.10.10/255.255.255.255 -j ACCEPT
-s 12.12.12.12/255.255.255.255 -j ACCEPT
-s 14.14.14.14/255.255.255.255 -j ACCEPT
-j DROP
NOTE: applied IP packet filtering rules.
Continue? [y|n] :y
XSCF>
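As an added example (not part of the original Oracle document, and not XSCF code), the following Python script models the first-match, top-down evaluation that Examples 2 and 5 depend on, so a planned rule list can be checked for an accidental lockout before it is typed at the XSCF> prompt. It parses the rule syntax used in this document (-s ADDR[/MASK], -i INTERFACE, -j ACCEPT|DROP), canonicalises addresses the way the XSCF echoes them back (a bare address becomes ADDR/255.255.255.255, and 10.145.230.0/255.255.252.0 becomes 10.145.228.0/255.255.252.0 as in Example 2), reports which administrative hosts a given ordering would drop, and prints the 'setpacketfilters -c add' lines in the order they must be entered. The administrative host addresses are constructed for the example, and the rule that a packet matching no rule is accepted is an assumption inferred from the examples, not a statement taken from the page.

```python
"""Offline simulator for XSCF IPv4 packet-filter rule order.

Added example, not Oracle/XSCF code.  It models the behaviour the
document describes: 'setpacketfilters -c add' appends to the bottom of
the list, and the filter walks the list top-down, acting on the first
matching rule.  ASSUMPTION: a packet that matches no rule is accepted
(which is why the document's examples end with an explicit '-j DROP').
"""
import ipaddress


def normalize(spec):
    """Return ADDR/NETMASK the way the XSCF echoes it back.

    A bare address gets a host mask (10.10.10.10 -> 10.10.10.10/255.255.255.255);
    an address with a mask is replaced by its network address
    (10.145.230.0/255.255.252.0 -> 10.145.228.0/255.255.252.0).
    """
    net = ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)
    return f"{net.network_address}/{net.netmask}"


def parse_rule(line):
    """Parse one rule line as printed by 'showpacketfilters' into a dict."""
    toks = line.split()
    rule = {"src": None, "iface": None, "target": None}
    i = 0
    while i < len(toks):
        flag = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if flag == "-s" and arg:
            rule["src"] = normalize(arg)
        elif flag == "-i" and arg:
            rule["iface"] = arg
        elif flag == "-j" and arg:
            rule["target"] = arg.upper()
        else:
            raise ValueError(f"cannot parse {line!r} at {flag!r}")
        i += 2
    if rule["target"] not in ("ACCEPT", "DROP"):
        raise ValueError(f"rule needs -j ACCEPT or -j DROP: {line!r}")
    return rule


def evaluate(rules, src, iface):
    """Walk the rules top-down; return (verdict, 1-based rule number or None)."""
    src_ip = ipaddress.ip_address(src)
    for num, r in enumerate(rules, 1):
        if r["iface"] is not None and r["iface"] != iface:
            continue  # rule bound to a different LAN port
        if r["src"] is not None and src_ip not in ipaddress.ip_network(r["src"]):
            continue  # source address outside the rule's network
        return r["target"], num
    return "ACCEPT", None  # ASSUMPTION: no matching rule -> packet accepted


def lockout_check(rules, admin_hosts, iface):
    """Return the admin hosts whose packets arriving on `iface` would hit a DROP."""
    return [h for h in admin_hosts if evaluate(rules, h, iface)[0] == "DROP"]


def to_commands(rules):
    """Render the rule list as the 'setpacketfilters -c add' lines to type, in order."""
    out = []
    for r in rules:
        parts = ["setpacketfilters", "-c", "add"]
        if r["src"]:
            parts += ["-s", r["src"]]
        if r["iface"]:
            parts += ["-i", r["iface"]]
        parts += ["-j", r["target"]]
        out.append(" ".join(parts))
    return out


# Constructed sample: Example 2's rules in the correct order, and the same
# rules with the DROP added first (the lockout the note above warns about).
LAN0 = "xscf#0-lan#0"
GOOD_ORDER = [parse_rule(l) for l in (
    f"-s 10.145.230.0/255.255.252.0 -i {LAN0} -j ACCEPT",
    f"-i {LAN0} -j DROP",
)]
BAD_ORDER = list(reversed(GOOD_ORDER))
ADMIN_HOSTS = ["10.145.230.5", "10.145.231.200"]  # hypothetical admin workstations

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        locked = lockout_check(rules, ADMIN_HOSTS, LAN0)
        print(f"{label} order: locked out = {locked or 'none'}")
    print("\n".join(to_commands(GOOD_ORDER)))
```

Running the script with the "bad" ordering lists both administrative hosts as locked out, because the interface-wide DROP is rule 1 and matches before the subnet ACCEPT is reached; with the "good" ordering nothing is locked out, while a source outside 10.145.228.0/22 on xscf#0-lan#0 still falls through to the DROP. A source arriving on a different LAN port matches neither rule and is accepted, which is the unfiltered-second-port caveat from Example 2.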

 

IPv4 packet filtering can be configured in many different ways; the examples above cover some of the common scenarios and are intended to give you a feel for what can be done, for the appropriate command usage, and for the order in which rules must be added.

 


  Copyright © 2018 Oracle, Inc.  All rights reserved.