exact syntax to permit ipfilter rules in Solaris 10 x86

I have many tenants in our cloud using RHEL 5.x/6.x & Solaris x86:
some tenants enable/use iptables while some disable/don't;
similarly for Solaris x86 tenants.

I have a common service which I need to permit rules in iptables
(for RHEL VMs) regardless of whether the tenant is currently
using iptables or not (ie just leave the rules there & if one day
the tenant decides to enable/use iptables, the rules to allow the
common service will have been there).

a) permit a rule to allow Tcp4120 from current tenant VM to 172.21.3.a
b) permit a rule to allow Tcp4118 from 172.21.3.a to the current tenant VM

By "current tenant VM", it needs to be applied on all the network interfaces.

Are the commands below correct?
# /sbin/iptables -A RH-Firewall-1-OUTPUT -p tcp --dport 4120 -d 172.21.a.b -j ACCEPT
# /sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 4118 -d localhost -j ACCEPT
# /sbin/service iptables save   <== this creates /etc/sysconfig/iptables if it's absent?


Sorry this is off-topic for Solaris iptables but appreciate anyone who can help:

I refer to examples in links below but I'm still confused:

So do I just add the following lines to the top (not the bottom, right? )  of /etc/ipf/ipf.conf  ?
  pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to "all_interfaces" port = 4118 keep state
 pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces"  to 172.21.a.b port = 4120 keep state

What's the the purpose of "quick" in the above rules?  What's the difference if it's absent or

As our Solaris x86 VMs has about four interfaces, can someone substitute "all_interfaces" in the
above rules with actual global value: I reckon there must be an actual Solaris implementation
value that refers to "all interfaces";  if there's none, let me know so that I can repeat it four times
for all the four interfaces

What's the purpose of "keep state"?  is it needed in my case?

if ipf.conf is not present in /etc/ipf  folder, does this mean ipfilter (as given by 'svcs -a |grep -i ipfilter') is offline?

if it's offline & I just create the absent ipf.conf file anyway so that one day if ipfilter is onlined/used,
the rules will already be there?  If ipfilter is offline, no harm creating ipf.conf, right?
Did I miss out anything in my assumptions?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sunhuxAuthor Commented:
As there's no equiv iptables distro for Solaris, I'll either turn ipfilter off or refer to:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Unix OS

From novice to tech pro — start learning today.