Solaris ipfilter broken by Patch 125503-02

We recently installed a number of patches onto a T1000 server running Solaris 10 U3, only to discover that the ipfilter service was broken thereafter. The service itself appeared to be configured correctly, with no visible signs of error, but we discovered that many ports we had configured to be blocked from certain sources were not being blocked.

After some careful analysis of the patches applied, we discovered that Patch 125503-02 had replaced a number of the files associated with the SUNWipfilter package, resulting in the main network interface for our system no longer being plumbed for use with the pfil driver.

Here is how we recovered from this situation:

1. Back out the patch and reboot

# smpatch remove -i 125503-02
# reboot

2. Replumb the appropriate network interface

# ifconfig bge0 modinsert pfil@2
# autopush -f /etc/ipf/pfil.ap
# ifconfig bge0 unplumb
# ifconfig bge0 plumb

Note: Replace bge0 with e1000g0 for a T2000 and ensure your pfil.ap has the correct entry in it.
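
A check for the condition described above, where ipfilter looks healthy but pfil is missing from the interface's module stack. This is an added example, not part of the original post: it assumes `ifconfig <if> modlist` prints one position/module pair per line and that pfil.ap uses the autopush field order (major, minor, lastminor, modules). The function names, the `PFIL_AP` override and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumed formats (not shown in the post):
#   `ifconfig <if> modlist` prints one "<position> <module>" pair per line
#   pfil.ap fields follow autopush(1M): major minor lastminor modules

# Succeeds if the modlist output on stdin contains the pfil module.
has_pfil() {
    awk '$2 == "pfil" { found = 1 } END { exit !found }'
}

# Succeeds if the pfil.ap text on stdin has an uncommented entry
# for driver $1 that pushes pfil.
ap_enabled() {
    awk -v drv="$1" '
        /^[ \t]*#/ { next }
        $1 == drv { for (i = 4; i <= NF; i++) if ($i == "pfil") ok = 1 }
        END { exit !ok }'
}

# Live check for one interface, e.g. check_if bge0 (run on the Solaris host).
# PFIL_AP is a hypothetical override for the pfil.ap path.
check_if() {
    ifc=$1
    drv=$(printf '%s' "$ifc" | sed 's/[0-9]*$//')   # bge0 -> bge, e1000g0 -> e1000g
    rc=0
    if ! ap_enabled "$drv" < "${PFIL_AP:-/etc/ipf/pfil.ap}"; then
        echo "$ifc: no active '$drv' entry in pfil.ap"; rc=1
    fi
    if ! ifconfig "$ifc" modlist | has_pfil; then
        echo "$ifc: pfil is not in the module list"; rc=1
    fi
    return $rc
}

# Constructed sample: module list of an interface that lost pfil.
sample_modlist='0 arp
1 ip
2 bge'
if printf '%s\n' "$sample_modlist" | has_pfil; then
    echo "sample: pfil present"
else
    echo "sample: pfil missing"
fi
```

Calling `check_if` for each filtered interface after a patch run or reboot surfaces the failure even when the ipfilter service itself reports no error.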

Thanks to derkeiler.com for assistance.