System Administration Guide: IP Services

Solaris IP Filter Packet Processing

Solaris IP Filter executes a sequence of steps as a packet is processed. The following diagram illustrates the steps of packet processing and how filtering integrates with the TCP/IP protocol stack.

Figure 25-1 Packet Processing Sequence
Shows the sequence of steps associated with Solaris IP Filter packet processing.

The packet processing sequence includes the following:

  • Network Address Translation (NAT)

    The translation of a private IP address to a different public address, or the aliasing of multiple private addresses to a single public one. NAT allows an organization to resolve the problem of IP address depletion when the organization has existing networks and needs to access the Internet.

  • IP Accounting

    Input and output rules can be separately set up, recording the number of bytes that pass through. Each time a rule match occurs, the byte count of the packet is added to that rule's counter, which allows cascading statistics to be collected.

  • Fragment Cache Check

    If the next packet in the current traffic is a fragment and the previous packet was allowed, the packet fragment is also allowed, bypassing state table and rule checking.

  • Packet State Check

    If keep state is included in a rule, all packets in a specified session are passed or blocked automatically, depending on whether the rule says pass or block.

  • Firewall Check

    Input and output rules can be separately set up, determining whether or not a packet will be allowed through Solaris IP Filter, into the kernel's TCP/IP routines, or out onto the network.

  • Groups

    Groups allow you to write your rule set in a tree fashion.

  • Function

    A function is the action to be taken. Possible functions include block, pass, literal, and send ICMP response.

  • Fast-route

    Fast-route signals Solaris IP Filter not to pass the packet into the UNIX IP stack for routing, where it would otherwise undergo a TTL decrement.

  • IP Authentication

    Packets that have been authenticated are passed through the firewall loop only once, to prevent double processing.
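The following rule set is an added example, not taken from this guide, that exercises the NAT, accounting, fragment cache, state and group steps listed above in ordinary ipnat.conf and ipf.conf syntax. The interface names (e1000g0 external, e1000g1 internal), the public address 192.0.2.10 and the internal network 192.168.1.0/24 are assumptions chosen for illustration.

```conf
# /etc/ipf/ipnat.conf  (example; interfaces and addresses are assumptions)
#
# NAT step: rewrite the private source network to the external interface's
# own address (0/32). The portmap rule covers TCP and UDP with port
# rewriting; the second rule catches everything else, for example ICMP.
map e1000g0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map e1000g0 192.168.1.0/24 -> 0/32

# /etc/ipf/ipf.conf  (example; interfaces and addresses are assumptions)
#
# Default policy. These rules have no "quick", so they apply only when no
# quick rule earlier in the list matched: log and drop.
block in log all
block out log all

# Loopback traffic is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# IP accounting step: "count" rules only add the packet's bytes to the
# rule's counter (visible with ipfstat -io); they neither pass nor block.
count in on e1000g0 proto tcp from any to any port = 80
count out on e1000g0 proto tcp from any to any port = 80

# Packet state check: sessions that the internal network opens create
# state on the outbound path, so their replies are matched by the state
# table before the rule list is consulted at all.
pass in quick on e1000g1 from 192.168.1.0/24 to any keep state
pass out quick on e1000g0 proto tcp from any to any flags S keep state
pass out quick on e1000g0 proto udp from any to any keep state
pass out quick on e1000g0 proto icmp from any to any keep state

# Firewall check for inbound traffic, written as a group: the "head" rule
# blocks by default and hands the packet to group 100, so only rules that
# belong to the group can let it through.
block in quick on e1000g0 all head 100
# Anti-spoofing: private source addresses never legitimately arrive on the
# external interface.
block in quick from 192.168.0.0/16 to any group 100
block in quick from 10.0.0.0/8 to any group 100
# New SSH connections to the host itself: tracked in the state table, and
# "keep frags" lets the fragment cache admit later fragments of a packet
# this rule has already allowed.
pass in quick proto tcp from any to 192.0.2.10 port = 22 flags S keep state keep frags group 100
```

Load the files with ipnat -CF -f /etc/ipf/ipnat.conf and ipf -Fa -f /etc/ipf/ipf.conf, then compare ipfstat -io (rule hit and byte counters) against ipfstat -s (state table entries) to see which step admitted each packet: a reply to an established session increments the state counters without touching the rule list, while a fresh SYN to port 22 is accounted to the group 100 rule.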
