
Hands-on: configuring an IP Filter firewall on Solaris

Appendix: sample Solaris IP Filter configuration file

    The following example shows the packet-filtering rules used in a filtering configuration, on a host with an elxl network interface.

    # pass and log everything by default
    pass in log on elxl0 all
    pass out log on elxl0 all

    # block, but don't log, incoming packets from other reserved addresses
    block in quick on elxl0 from 10.0.0.0/8 to any
    block in quick on elxl0 from 172.16.0.0/12 to any

    # block and log untrusted internal IPs. 0/32 is notation that replaces
    # the address of the machine running Solaris IP Filter.
    block in log quick from 192.168.1.15 to 0/32
    block in log quick from 192.168.1.43 to 0/32

    # block and log X11 (port 5555) and remote procedure call and portmapper (port 121) attempts
    block in log quick on elxl0 proto tcp from any to 0/32 port = 5555 keep state
    block in log quick on elxl0 proto tcp/udp from any to 0/32 port = 121 keep state

    Explanation: the rule set starts with two unrestricted rules that allow anything in and out of the elxl interface. The second group blocks any incoming packets from the private address spaces 10.0.0.0 and 172.16.0.0 from entering the firewall. The next group blocks specific internal host addresses. The final group blocks incoming packets to port 5555 and port 121.
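The ordering above only works because of how IP Filter evaluates rules: the last matching rule decides the verdict, unless a matching rule carries the `quick` keyword, which ends evaluation on the spot. That is why the two unrestricted `pass ... all` rules can sit at the top and still lose to every `block ... quick` rule below them. The following Python evaluator is an added example, not part of the original page or of Solaris IP Filter; it parses only the subset of ipf.conf syntax used in this rule set, treats `keep state` as a no-op, and uses a constructed firewall address (`FIREWALL_ADDR`, from the 192.0.2.0/24 documentation range) in place of `0/32`. The sample packets and the `without_quick` helper are likewise constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed stand-in for the filtering host's own address ('0/32' in ipf.conf).
FIREWALL_ADDR = "192.0.2.1"

# The page's rule set, embedded so the evaluator runs offline.
RULES_TEXT = """
# pass and log everything by default
pass in log on elxl0 all
pass out log on elxl0 all
# block, but don't log, incoming packets from other reserved addresses
block in quick on elxl0 from 10.0.0.0/8 to any
block in quick on elxl0 from 172.16.0.0/12 to any
# block and log untrusted internal IPs
block in log quick from 192.168.1.15 to 0/32
block in log quick from 192.168.1.43 to 0/32
# block and log X11 (port 5555) and portmapper (port 121) attempts
block in log quick on elxl0 proto tcp from any to 0/32 port = 5555 keep state
block in log quick on elxl0 proto tcp/udp from any to 0/32 port = 121 keep state
"""


@dataclass
class Rule:
    action: str                                  # 'pass' or 'block'
    direction: str                               # 'in' or 'out'
    log: bool = False
    quick: bool = False
    iface: Optional[str] = None                  # None = any interface
    protos: Optional[set] = None                 # None = any protocol
    src: Optional[ipaddress.IPv4Network] = None  # None = any source
    dst: Optional[ipaddress.IPv4Network] = None  # None = any destination
    dport: Optional[int] = None                  # None = any destination port


def parse_addr(token: str, self_addr: str) -> Optional[ipaddress.IPv4Network]:
    """'any' matches everything; '0/32' is the filtering host itself."""
    if token == "any":
        return None
    if token == "0/32":
        return ipaddress.ip_network(self_addr + "/32")
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line: str, self_addr: str) -> Rule:
    """Parse the ipf.conf subset used above. 'port = N' after 'to' constrains
    the destination port only, and 'keep state' is accepted but not modelled."""
    tok = line.split()
    rule = Rule(action=tok[0], direction=tok[1])
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "log":
            rule.log = True; i += 1
        elif t == "quick":
            rule.quick = True; i += 1
        elif t == "on":
            rule.iface = tok[i + 1]; i += 2
        elif t == "proto":
            rule.protos = set(tok[i + 1].split("/")); i += 2   # 'tcp/udp'
        elif t == "all":
            i += 1
        elif t == "from":
            rule.src = parse_addr(tok[i + 1], self_addr); i += 2
        elif t == "to":
            rule.dst = parse_addr(tok[i + 1], self_addr); i += 2
        elif t == "port":
            rule.dport = int(tok[i + 2]); i += 3                # 'port = N'
        elif t == "keep":
            i += 2                                              # 'keep state'
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule


def load_rules(text: str, self_addr: str) -> list:
    lines = [l.strip() for l in text.splitlines()]
    return [parse_rule(l, self_addr) for l in lines if l and not l.startswith("#")]


def packet(direction, iface, proto, src, dst, dport=None) -> dict:
    return dict(direction=direction, iface=iface, proto=proto, src=src, dst=dst, dport=dport)


def matches(rule: Rule, pkt: dict) -> bool:
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return (rule.direction == pkt["direction"]
            and rule.iface in (None, pkt["iface"])
            and (rule.protos is None or pkt["proto"] in rule.protos)
            and (rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and rule.dport in (None, pkt["dport"]))


def evaluate(rules: list, pkt: dict) -> tuple:
    """Return (action, logged) under IP Filter semantics: each matching rule
    overrides the previous verdict, except that a matching 'quick' rule ends
    evaluation immediately. A packet matched by no rule passes (stock default)."""
    verdict = ("pass", False)
    for rule in rules:
        if matches(rule, pkt):
            verdict = (rule.action, rule.log)
            if rule.quick:
                break
    return verdict


def without_quick(rules: list) -> list:
    """Constructed weakened variant: same rules minus 'quick', pass rules last.
    Shows that the block rules then lose to the trailing 'pass ... all'."""
    blocks = [replace(r, quick=False) for r in rules if r.action == "block"]
    return blocks + [r for r in rules if r.action == "pass"]
```

Run `evaluate(load_rules(RULES_TEXT, FIREWALL_ADDR), packet("in", "elxl0", "tcp", "203.0.113.7", FIREWALL_ADDR, 5555))` to see an X11 attempt blocked and logged even though the first rule passed it; the same packet against `without_quick(...)` is passed, which is the misconfiguration the `quick` keyword exists to prevent.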
