[OpenIndiana-discuss] How to tell nwam to use the firewall rules in /etc/ipf/ipf.conf?
Udo Grabowski (IMK)
udo.grabowski at kit.edu
Mon Feb 28 13:22:22 UTC 2022
See /lib/svc/method/net-nwam, it should take the ipfilter-config-file
from the activated IP firewall service:
# IPFilter, IPsec, and IKE
ipf_file=`nwam_get_loc_prop Legacy ipfilter-config-file`
ipf6_file=`nwam_get_loc_prop Legacy ipfilter-v6-config-file`
ipnat_file=`nwam_get_loc_prop Legacy ipnat-config-file`
ippool_file=`nwam_get_loc_prop Legacy ippool-config-file`
ike_file=`nwam_get_loc_prop Legacy ike-config-file`
pol_file=`nwam_get_loc_prop Legacy ipsecpolicy-config-file`

if [ -n "$ike_file" ]; then
    copy_from_legacy_loc $ike_file
    set_smf_prop $IPSEC_IKE_FMRI config/config_file $ike_file
    $SVCADM refresh $IPSEC_IKE_FMRI
    $SVCADM enable $IPSEC_IKE_FMRI
else
    set_smf_prop $IPSEC_IKE_FMRI config/config_file \
        $IPSEC_IKE_DEFAULT_CONFIG_FILE
    $SVCADM disable $IPSEC_IKE_FMRI
fi

if [ -n "$pol_file" ]; then
    copy_from_legacy_loc $pol_file
    set_smf_prop $IPSEC_POLICY_FMRI config/config_file \
        $pol_file
    $SVCADM refresh $IPSEC_POLICY_FMRI
    $SVCADM enable $IPSEC_POLICY_FMRI
else
    set_smf_prop $IPSEC_POLICY_FMRI config/config_file \
        $IPSEC_POLICY_DEFAULT_CONFIG_FILE
    $SVCADM disable $IPSEC_POLICY_FMRI
fi

refresh_ipf=false
if [ -n "$ipf_file" ]; then
    # change /none, /allow, and /deny to firewall policy
    if [ "$ipf_file" = "/none" -o "$ipf_file" = "/allow" \
        -o "$ipf_file" = "/deny" ]; then
        policy=`echo "$ipf_file" | $NAWK 'FS="/" { print $2 }'`
        set_smf_prop $IPFILTER_FMRI \
            firewall_config_default/policy $policy
        # no need to clear custom_policy_file as it isn't "custom"
    else
        copy_from_legacy_loc $ipf_file
        set_smf_prop $IPFILTER_FMRI \
            firewall_config_default/policy "custom"
        set_smf_prop $IPFILTER_FMRI \
            firewall_config_default/custom_policy_file \
            $ipf_file
    fi
    refresh_ipf=true
fi

if [ -n "$ipf6_file" ]; then
    copy_from_legacy_loc $ipf6_file
    set_smf_prop $IPFILTER_FMRI config/ipf6_config_file \
        $ipf6_file
    refresh_ipf=true
else
    set_smf_prop $IPFILTER_FMRI config/ipf6_config_file \
        $IPF6_DEFAULT_CONFIG_FILE
fi
On 28/02/2022 12:51, Udo Grabowski (IMK) wrote:
>
>
> On 28/02/2022 12:44, Udo Grabowski (IMK) wrote:
>>
>>
>> On 28/02/2022 12:32, Marc Lobelle wrote:
>>> Hello,
>>>
>>> I defined firewall rules for ipfilter in /etc/ipf/ipf.conf.
>>>
>>> However, I use nwam and, at boot time, nwam wipes out all firewall
>>> rules and imposes its own: block everything except dhcp in the NoNet
>>> situation and no rules at all when a network interface is active.
>>>
>>> The NoNet rules can be replaced by my own rules by copying
>>> /etc/ipf/ipf.conf to /etc/nwam/loc/NoNet/ipf.conf, but this is
>>> useless because it is replaced by nothing at all when a network
>>> interface is activated. Therefore I removed this change.
>>>
>>> I tried to add to /etc/nwam/loc/create_loc_auto a line "set
>>> ipfilter-config-file=/etc/ipf/ipf.conf" similar to the line in
>>> create_loc_NoNet: "set
>>> ipfilter-config-file=/etc/nwam/loc/NoNet/ipf.conf"
>>>
>>> But this does not change the behaviour.
>>>
>>> How can I tell nwam to use ipf.conf?
>>>
>>> Thanks for your help.
>>> ...
>>
>> In illumos-gate/usr/src/lib/libnwam/common/libnwam.h, I see
>> #define NWAM_LOC_PROP_IPFILTER_CONFIG_FILE "ipfilter-config-file"
>> #define NWAM_LOC_PROP_IPFILTER_V6_CONFIG_FILE
>> "ipfilter-v6-config-file"
>
> Wild guess: These are probably definable in the nwam_netcfg group
> of the svcprop entries via svccfg.
>
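Since net-nwam takes ipfilter-config-file from whichever location is active, one way to make nwam honour /etc/ipf/ipf.conf is to give a location of your own that property, using the same "set ipfilter-config-file=" syntax seen in create_loc_NoNet. The script below is an added example, not code from the thread or from illumos; it assumes a user-defined location named office with activation-mode=manual, mirrors the policy mapping net-nwam applies to that property so the outcome can be predicted, and applies and verifies the change only where nwamcfg is present.

```shell
#!/bin/sh
# Added example (not from the thread): make a user-defined nwam location
# carry its own ipfilter rule file, and predict the ipfilter SMF policy
# that net-nwam derives from the property value.
# Assumptions: location name "office", rule file /etc/ipf/ipf.conf.

LOC_NAME="office"
IPF_RULES="/etc/ipf/ipf.conf"

# Same mapping as net-nwam: /none, /allow, /deny become the
# firewall_config_default/policy value; any other path means "custom";
# an empty property leaves the IPv4 policy untouched.
ipf_policy_for() {
    case "$1" in
        /none|/allow|/deny) printf '%s\n' "${1#/}" ;;
        "")                 printf 'unchanged\n' ;;
        *)                  printf 'custom\n' ;;
    esac
}

# nwamcfg commands in the style of /etc/nwam/loc/create_loc_*.
nwamcfg_script() {
    cat <<EOF
create loc $LOC_NAME
set activation-mode=manual
set ipfilter-config-file=$IPF_RULES
end
commit
exit
EOF
}

# On an illumos host: create the location, activate it, then confirm
# that ipfilter's SMF properties now point at the custom rule file.
apply_and_verify() {
    tmp=$(mktemp) || return 1
    nwamcfg_script > "$tmp"
    nwamcfg -f "$tmp" || return 1
    nwamadm enable -p loc "$LOC_NAME" || return 1
    svcprop -p firewall_config_default/policy svc:/network/ipfilter:default
    svcprop -p firewall_config_default/custom_policy_file \
        svc:/network/ipfilter:default
}

if command -v nwamcfg >/dev/null 2>&1; then
    apply_and_verify
else
    echo "expected ipfilter policy: $(ipf_policy_for "$IPF_RULES")"
    nwamcfg_script
fi
```

After activation, svcprop should report policy "custom" and custom_policy_file pointing at the rule file (net-nwam copies it via copy_from_legacy_loc first).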