[OpenIndiana-discuss] ipfilter issue

Oscar del Rio delrio at mie.utoronto.ca
Wed Oct 27 22:06:31 UTC 2010

On 10/27/10 05:28 PM, Daniel Kjar wrote:
> no matter what was in my /etc/ipf/ipf.conf.
> no amount of restarting, editing, changing permissions, etc. would fix it.
> The only way I can get it to do what I need is by telling ipfilter 
> where the ipf.conf file is...
> ipf -Fa -f /etc/ipf/ipf.conf
> then it works perfectly.  Anybody else notice this?  Might be machine 
> specific but it looks more like the default ipfilter just doesn't know 
> where to look for the conf file.

ipfilter now uses SMF properties instead of the .conf file, unless you set 
"policy" to custom.

Check "svcprop ipfilter":

firewall_config_default/policy astring custom
firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf

See "man svc.ipfd":

> firewall_config_default/policy
>          Global Default policy, firewall_config property group in
>          svc:/network/ipfilter:default,  can  also be set to cus-
>          tom. Users can set policy to custom to use  prepopulated
>          IP  Filter  configuration,  for  example, an existing IP
>          Filter configuration or custom configurations that  can-
>          not  be  provided by the framework. This Global Default-
>          only policy mode allows users to supply a text file con-
>          taining  the complete set of IPF rules. When custom mode
>          is selected, the specified set of IPF rules is  complete
>          and  the framework will not generate IPF rules from con-
>          figured firewall policies.
>      firewall_config_default/custom_policy_file
>          A file path to be used when Global Default policy is set
>          to  custom.  The  file  contains a set of IPF rules that
>          provide the desired IP Filter configuration.  For  exam-
>          ple,  users with existing IPF rules in /etc/ipf/ipf.conf
>          can execute the following commands to use  the  existing
>          rules:
>              1.   Set custom policy:
>                     # svccfg -s ipfilter:default setprop \
>                     firewall_config_default/policy = astring: "custom"
>              2.   Specify custom file:
>                     # svccfg -s ipfilter:default setprop \
>                     firewall_config_default/custom_policy_file = astring: \
>                     "/etc/ipf/ipf.conf"
>              3.   Refresh configuration:
>                     # svcadm refresh ipfilter:default

