[OpenIndiana-discuss] How to tell nwam to use the firewall rules in /etc/ipf/ipf.conf ?
Udo Grabowski (IMK)
udo.grabowski at kit.edu
Mon Feb 28 13:46:36 UTC 2022
And this part probably determines if the custom policy is preserved:
#
# IPFilter
#
# If the firewall policy is "custom", simply copy the
# custom_policy_file. If the firewall policy is "none", "allow" or
# "deny", save the value as "/<value>". When reverting back to the
# Legacy location, these values will have to be treated as special.
#
# For all configuration files, copy them to the Legacy directory.
# Use the respective properties to remember the original locations
# of the files so that they can be copied back there when NWAM is
# stopped.
#
if service_is_enabled $IPFILTER_FMRI; then
FIREWALL_POLICY=`get_smf_prop $IPFILTER_FMRI \
firewall_config_default/policy`
if [ "$FIREWALL_POLICY" = "custom" ]; then
IPF_CONFIG_FILE=`get_smf_prop $IPFILTER_FMRI \
firewall_config_default/custom_policy_file`
copy_to_legacy_loc $IPF_CONFIG_FILE
else
# save value as /none, /allow, or /deny
IPF_CONFIG_FILE="/$FIREWALL_POLICY"
fi
IPF6_CONFIG_FILE=`get_smf_prop $IPFILTER_FMRI \
config/ipf6_config_file`
copy_to_legacy_loc $IPF6_CONFIG_FILE
On 28/02/2022 14:22, Udo Grabowski (IMK) wrote:
> See /lib/svc/method/net-nwam, it should take the ipfilter-config-file
> from the activated IP firewall service:
>
>
> # IPFilter, IPsec, and IKE
> ipf_file=`nwam_get_loc_prop Legacy ipfilter-config-file`
> ipf6_file=`nwam_get_loc_prop Legacy ipfilter-v6-config-file`
> ipnat_file=`nwam_get_loc_prop Legacy ipnat-config-file`
> ippool_file=`nwam_get_loc_prop Legacy ippool-config-file`
> ike_file=`nwam_get_loc_prop Legacy ike-config-file`
> pol_file=`nwam_get_loc_prop Legacy ipsecpolicy-config-file`
>
> if [ -n "$ike_file" ]; then
> copy_from_legacy_loc $ike_file
> set_smf_prop $IPSEC_IKE_FMRI config/config_file $ike_file
> $SVCADM refresh $IPSEC_IKE_FMRI
> $SVCADM enable $IPSEC_IKE_FMRI
> else
> set_smf_prop $IPSEC_IKE_FMRI config/config_file \
> $IPSEC_IKE_DEFAULT_CONFIG_FILE
> $SVCADM disable $IPSEC_IKE_FMRI
> fi
> if [ -n "$pol_file" ]; then
> copy_from_legacy_loc $pol_file
> set_smf_prop $IPSEC_POLICY_FMRI config/config_file $pol_file
> $SVCADM refresh $IPSEC_POLICY_FMRI
> $SVCADM enable $IPSEC_POLICY_FMRI
> else
> set_smf_prop $IPSEC_POLICY_FMRI config/config_file \
> $IPSEC_POLICY_DEFAULT_CONFIG_FILE
> $SVCADM disable $IPSEC_POLICY_FMRI
> fi
>
> refresh_ipf=false
> if [ -n "$ipf_file" ]; then
> # change /none, /allow, and /deny to firewall policy
> if [ "$ipf_file" = "/none" -o "$ipf_file" = "/allow" \
> -o "$ipf_file" = "/deny" ]; then
> policy=`echo "$ipf_file" | $NAWK 'FS="/" { print $2 }'`
> set_smf_prop $IPFILTER_FMRI \
> firewall_config_default/policy $policy
> # no need to clear custom_policy_file as it isn't "custom"
> else
> copy_from_legacy_loc $ipf_file
> set_smf_prop $IPFILTER_FMRI \
> firewall_config_default/policy "custom"
> set_smf_prop $IPFILTER_FMRI \
> firewall_config_default/custom_policy_file $ipf_file
> fi
> refresh_ipf=true
> fi
> if [ -n "$ipf6_file" ]; then
> copy_from_legacy_loc $ipf6_file
> set_smf_prop $IPFILTER_FMRI config/ipf6_config_file $ipf6_file
> refresh_ipf=true
> else
> set_smf_prop $IPFILTER_FMRI config/ipf6_config_file \
> $IPF6_DEFAULT_CONFIG_FILE
> fi
>
> On 28/02/2022 12:51, Udo Grabowski (IMK) wrote:
>>
>>
>> On 28/02/2022 12:44, Udo Grabowski (IMK) wrote:
>>>
>>>
>>> On 28/02/2022 12:32, Marc Lobelle wrote:
>>>> Hello,
>>>>
>>>> I defined firewall rules for ipfilter in /etc/ipf/ipf.conf.
>>>>
>>>> However, I use nwam and, at boot time, nwam wipes out all firewall
>>>> rules and imposes its own: block everything except dhcp in the NoNet
>>>> situation and no rules at all when a network interface is active.
>>>>
>>>> The NoNet rules can be replaced by my own rules by copying
>>>> /etc/ipf/ipf.conf in /etc/nwam/loc/NoNet/ipf.conf, but this is
>>>> useless because it is replaced by nothing at all when a network
>>>> interface is activated. Therefore I removed this change.
>>>>
>>>> I tried to add to /etc/nwam/loc/create_loc_auto a line "set
>>>> ipfilter-config-file=/etc/ipf/ipf.conf" similar to the line in
>>>> create_loc_NoNet: "set
>>>> ipfilter-config-file=/etc/nwam/loc/NoNet/ipf.conf"
>>>>
>>>> But this does not change the behaviour.
>>>>
>>>> How can I tell nwam to use ipf.conf ?
>>>>
>>>> Thanks for your help.
>>> > ...
>>>
>>> In illumos-gate/usr/src/lib/libnwam/common/libnwam.h, I see
>>> #define NWAM_LOC_PROP_IPFILTER_CONFIG_FILE "ipfilter-config-file"
>>> #define NWAM_LOC_PROP_IPFILTER_V6_CONFIG_FILE
>>> "ipfilter-v6-config-file"
>>
>> Wild guess: These are probably defineable in the nwam_netcfg group
>> of the svcprop entries via svccfg.
>>
>> _______________________________________________
>> openindiana-discuss mailing list
>> openindiana-discuss at openindiana.org
>> https://openindiana.org/mailman/listinfo/openindiana-discuss
>
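The two net-nwam branches quoted above (saving the ipfilter policy into a location's ipfilter-config-file on nwam start, and mapping it back onto firewall_config_default/policy and custom_policy_file when a location is activated) modelled in plain POSIX sh, as an added example that is not part of this thread or of illumos. It works on constructed values instead of calling svcprop or netcfg, so it predicts what nwam would set rather than reading a live system; the function names are this example's own, and the permission check on the rules file is an added precaution the nwam script itself does not perform.

```shell
#!/bin/sh
# Added example, not code from the thread or from illumos. It models, with
# constructed inputs, the two branches quoted from /lib/svc/method/net-nwam:
#  - on nwam start, the ipfilter SMF policy is saved into the location's
#    ipfilter-config-file property as a path, or as /none, /allow, /deny;
#  - on location activation, that value is mapped back to the
#    firewall_config_default/policy and custom_policy_file properties.
# Function names below are this example's own, not nwam's.

# nwam start direction: policy (+ custom_policy_file) -> ipfilter-config-file.
smf_to_loc_value() {
    policy=$1
    custom_file=$2
    case "$policy" in
        custom)          printf '%s\n' "$custom_file" ;;
        none|allow|deny) printf '/%s\n' "$policy" ;;
        *)               return 1 ;;   # not a value net-nwam knows about
    esac
}

# Activation direction: ipfilter-config-file -> "policy [custom_policy_file]".
# An empty property leaves the IPv4 ipfilter settings untouched (the quoted
# code has no else branch for $ipf_file), so report "unchanged".
# A relative path is rejected here; nwam itself does not check for it.
loc_value_to_smf() {
    value=$1
    case "$value" in
        '')                 echo unchanged ;;
        /none|/allow|/deny) echo "${value#/}" ;;
        /*)                 echo "custom $value" ;;
        *)                  return 1 ;;
    esac
}

# Caveat visible in the mapping: a custom rules file literally named /none,
# /allow or /deny would be read back as a policy keyword, never as a file.
is_ambiguous_rules_path() {
    case "$1" in
        /none|/allow|/deny) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Before pointing a location at a custom rules file: it must exist, be a
# regular file and not be group/other writable, since nwam copies it around
# under /etc/nwam/loc and ipfilter loads it into the kernel as root.
check_rules_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)        # e.g. -rw-r--r--
    case "$perms" in
        ?????w*|????????w?) echo "insecure permissions on $f: $perms"; return 1 ;;
    esac
    echo "ok: $f ($perms)"
}

# Round trip on constructed values (not read from a live system).
for p in "custom /etc/ipf/ipf.conf" "none" "allow" "deny"; do
    set -- $p
    v=$(smf_to_loc_value "$1" "$2")
    echo "policy=$1 -> ipfilter-config-file=$v -> $(loc_value_to_smf "$v")"
done
```

Run it with /bin/sh on any system; nothing in it touches SMF or nwam, so the output is only the predicted mapping. On a real OpenIndiana host the value to feed loc_value_to_smf is whatever the active location carries in ipfilter-config-file, and the value to feed smf_to_loc_value is the current firewall_config_default/policy of svc:/network/ipfilter.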