5

I'm trying to get IP Filter to work on Solaris 11.1.

I'm following the official Solaris 11.1 guide.

When the host is booted it doesn't pick up the ipf.conf that I expect. Here's the contents of svccfg -s ipfilter:default listprop:

config                                        application
config/ipf6_config_file                      astring     /etc/ipf/ipf6.conf
config/ipnat_config_file                     astring     /etc/ipf/ipnat.conf
config/ippool_config_file                    astring     /etc/ipf/ippool.conf
firewall_config_default                       com.sun,fw_configuration
firewall_config_default/apply_to             astring
firewall_config_default/exceptions           astring
firewall_config_default/open_ports           astring
firewall_config_default/value_authorization  astring     solaris.smf.value.firewall.config
firewall_config_default/version              count       1
firewall_config_default/policy               astring     custom
firewall_config_default/custom_policy_file   astring     /etc/ipf/ipf.conf
firewall_config_override                      com.sun,fw_configuration
firewall_config_override/apply_to            astring
firewall_config_override/policy              astring     none
firewall_config_override/value_authorization astring     solaris.smf.value.firewall.config
general                                       framework
general/complete                             astring
general/enabled                              boolean     true
restarter                                     framework                 NONPERSISTENT
restarter/logfile                            astring     /var/svc/log/network-ipfilter:default.log
restarter/contract                           count       7951
restarter/start_pid                          count       4031
restarter/start_method_timestamp             time        1354809979.642008000
restarter/start_method_waitstatus            integer     0
restarter/auxiliary_state                    astring     dependencies_satisfied
restarter/next_state                         astring     none
restarter/state                              astring     online
restarter/state_timestamp                    time        1354809979.645753000

From the above I'm expecting that it will pick up /etc/ipf/ipf.conf and use that. It doesn't! Instead it use an empty rule set.

After boot I have:

$ svcs network/ipfilter
STATE          STIME    FMRI
online         17:06:19 svc:/network/ipfilter:default
$ ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

I can enable my config file manually with ipf -Fa -f /etc/ipf/ipf.conf and that works fine so it is solely the SMF stuff I cannot get to work as I expect.

I've been trying to read and also look trough the script that SMF executes with respect to IPFilter. But I'm stuck. It is far more complex than what I can comprehend.

Perhaps it has something to do with Solaris' automatic network configuration feature?

It would have been great if the fairly complex SMF script would make some output to console (and thus to SMF logfile) as to the choices it is making. Unfortunately it doesn't.

My host is a non-global zone with exclusive IP stack.

What have I overlooked?

Jeff Schaller
  • 66,199
  • 35
  • 114
  • 250
peterh
  • 924
  • 1
  • 8
  • 17

2 Answers2

4

I made it work !

It turns out there's an error in the official Solaris documentation for Solaris 11.1.

It tells you to do:

$ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring:"custom"
$ svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring:"/etc/ipf/myorg.ipf.conf"

but if you look closely you can see that there's an error in that statement: there's no space between 'atring:' and the actual value!

svccfg will not complain about this. Take care !

In short what I did initially was this (my config file is simply /etc/ipf/ipf.conf as that seems most natural to me):

$ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring:"custom"
$ svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring:"/etc/ipf/ipf.conf"

Then I realized that there was a missing space so then I did this:

$ svccfg -s ipfilter:default setprop firewall_config_default/policy = "custom"
$ svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = "/etc/ipf/ipf.conf"

Then I posted my question. As you can see the output from svccfg -s ipfilter:default listprop looked kinda right even at that time. Yet it did not work. Can't explain why.

I finally did:

$ svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
$ svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"

... and that seemed to make all the difference.

peterh
  • 924
  • 1
  • 8
  • 17
2

It's possible to use:

$ svccfg -s ipfilter:default setprop \
            config/ipf_config_file = astring: "/etc/ipf/ipf.conf"
Mat
  • 51,578
  • 10
  • 158
  • 140
Eric
  • 21
  • 1