IPfilter is disabled by default. You need to use svcadm to enable, disable, start or stop the service. For initial setup of the service:
svccfg -s network/ipfilter:default setprop firewall_config_default/policy = astring: custom
svccfg -s network/ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"
svcadm refresh ipfilter
svcadm enable ipfilter
Starting and Stopping IPfilter
svcadm enable ipfilter
svcs -a | grep ipfilter
online         20:49:27 svc:/network/ipfilter:default
Adding your own rules
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# pass out as if we were a single internet client
pass out log quick on localvnic0 proto tcp from dst_ip_addr/32 to any keep state
pass out log quick on localvnic0 proto udp from dst_ip_addr/32 to any keep state
pass out log quick on localvnic0 proto icmp from dst_ip_addr/32 to any keep state
#
# By default, block and log everything.
block in log quick all with short
block in log on localvnic0 all
#
pass in log quick on localvnic0 from src_ip to dst_ip/23 port = 22 keep state
pass in log quick on localvnic0 proto icmp from src_ip to dst_ip/23
#
pass in log quick on localvnic0 from src_ip to dst_ip_net/23 port = 22 keep state
pass in log quick on localvnic0 proto icmp from src_ip to dst_ip
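The rule set above relies on IPFilter's evaluation order: the last matching rule wins, except that a matching "quick" rule ends the search immediately, so the non-quick "block in ... all" is the default and the quick "pass in" rules carve out the admin host. The following added example (not from the original notes or the Joyent wiki) is a small simulator of that semantics, run over the same rules with the placeholders replaced by assumed addresses (admin host 203.0.113.10, server 198.51.100.20); it is stateless and ignores "keep state" and "log".

```python
import ipaddress

# Constructed rules in the shape of the page's ipf.conf; the placeholder
# addresses are assumptions: admin host 203.0.113.10, server 198.51.100.20.
RULES = [
    "pass out log quick on localvnic0 proto tcp from 198.51.100.20/32 to any keep state",
    "pass out log quick on localvnic0 proto udp from 198.51.100.20/32 to any keep state",
    "pass out log quick on localvnic0 proto icmp from 198.51.100.20/32 to any keep state",
    "block in log quick all with short",
    "block in log on localvnic0 all",
    "pass in log quick on localvnic0 proto tcp from 203.0.113.10 to 198.51.100.20/32 port = 22 keep state",
    "pass in log quick on localvnic0 proto icmp from 203.0.113.10 to 198.51.100.20/32",
]

def parse_rule(line):
    """Turn one ipf rule into a dict; a field left as None matches anything."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "short": "short" in t,
         "iface": None, "proto": None, "src": None, "dst": None, "port": None}
    for i, tok in enumerate(t):
        if tok == "on":
            r["iface"] = t[i + 1]
        elif tok == "proto":
            r["proto"] = t[i + 1]
        elif tok in ("from", "to") and t[i + 1] != "any":
            r["src" if tok == "from" else "dst"] = ipaddress.ip_network(t[i + 1], strict=False)
        elif tok == "port":
            r["port"] = int(t[i + 2])  # only the 'port = N' form is handled

    return r

def matches(r, pkt):
    """True when every field the rule specifies agrees with the packet."""
    return (r["dir"] == pkt["dir"]
            and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"])
            and r["port"] in (None, pkt.get("dport"))
            and (not r["short"] or pkt.get("short", False)))  # 'with short' = short fragment

def evaluate(rules, pkt):
    """ipf semantics: last matching rule wins, unless a matching rule is 'quick'."""
    verdict = "pass"  # ipf passes a packet that matches no rule at all
    for r in map(parse_rule, rules):
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict
```

Note that every rule except the "with short" one is bound to localvnic0, so inbound traffic on any other interface matches nothing and falls through to IPFilter's implicit pass; the simulator reproduces that gap.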
Activating a new ipfilter rule
ipf -Fa -f /etc/ipf/ipf.conf
Testing IPF rule
ipfstat -io
Reference
http://wiki.joyent.com/wiki/display/jpc2/Using+IPFilter+Rules#UsingIPFilterRules-AllowinboundtrafficicmponlyfromaspecificIPaddress