[OpenIndiana-discuss] How to tell nwam to use the firewall rules in /etc/ipf/ipf.conf ?
Marc Lobelle
marc.lobelle at uclouvain.be
Tue Mar 1 15:37:54 UTC 2022
Dear Udo, I finally found how to tell nwam to use the firewall rules in
/etc/ipf/ipf.conf.
Actually, when nwam starts, the configurations of all the current
services are saved by the startup script (/lib/svc/method/net-nwam) when
nwam is enabled and restored when network/physical:nwam is disabled.
nwam uses its own ipf.conf files: if the loc is nonet, it uses
/etc/nwam/loc/NoNet/ipf.conf, but nothing if the loc is automatic.
What nwam does in each location is defined in /etc/nwam/loc.conf.
Here is this file modified to use /etc/ipf/ipf.conf in the Automatic loc.
What I added is marked between asterisks.
------------------------/etc/nwam/loc.conf---------------------------------
Automatic
enabled=boolean,false;activation-mode=uint64,1;nameservices=uint64,0;nameservices-config-file=string,/etc/nsswitch.dns;dns-nameservice-configsrc=uint64,1;*ipfilter-config-file=string,/etc/ipf/ipf.conf;*
NoNet
enabled=boolean,false;dns-nameservice-configsrc=uint64,1;activation-mode=uint64,1;nameservices=uint64,1;nameservices-config-file=string,/etc/nsswitch.files;ipfilter-config-file=string,/etc/nwam/loc/NoNet/ipf.conf;ipfilter-v6-config-file=string,/etc/nwam/loc/NoNet/ipf6.conf;
User
enabled=boolean,false;nameservices=uint64,0;dns-nameservice-configsrc=uint64,1;activation-mode=uint64,0;nameservices-config-file=string,/etc/svc/volatile/nwam/User/nsswitch.conf;
Legacy
enabled=boolean,false;activation-mode=uint64,1;nameservices=uint64,0;nameservices-config-file=string,/etc/svc/volatile/nwam/Legacy/nsswitch.conf;dns-nameservice-configsrc=uint64,0;dns-nameservice-domain=string,fritz.box;dns-nameservice-servers=string,130.104.230.254;dns-nameservice-search=string,fritz.box;ipfilter-config-file=string,/etc/ipf/ipf.conf;
------------------------------------------------------
Thanks for your help and best regards
Marc
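As an added example (not code from this thread or from illumos), a small POSIX sh check that reads a loc.conf-style file in the layout shown above and reports which ipfilter-config-file each location would load, so a location that would leave ipfilter with no rules once an interface comes up is visible. It assumes that layout (location name on one line, then one line of key=type,value; pairs) and runs on constructed sample data, not a live /etc/nwam/loc.conf.

```shell
# Added example, not from the thread or illumos. Reads a loc.conf-style
# file (assumed layout: a bare location name line, then one line of
# "key=type,value;" pairs) and reports the ipfilter config per location.
# Print the raw value of PROP ($3) for location LOC ($2) in FILE ($1).
nwam_loc_prop() {
    awk -v loc="$2" -v prop="$3" '
        NF == 0 { next }
        $0 !~ /=/ { cur = $0; next }          # bare line = location name
        cur == loc {
            n = split($0, pairs, ";")
            for (i = 1; i <= n; i++) {
                eq = index(pairs[i], "=")
                if (eq == 0) continue
                key = substr(pairs[i], 1, eq - 1)
                val = substr(pairs[i], eq + 1)   # "type,value"
                if (key == prop) { sub(/^[^,]*,/, "", val); print val }
            }
        }' "$1"
}
# Return 0 and name the file if LOC has an ipfilter-config-file, else
# return 1 so an audit script can flag the location as rule-less.
nwam_loc_ipf_check() {
    f=$(nwam_loc_prop "$1" "$2" ipfilter-config-file)
    if [ -n "$f" ]; then
        echo "location $2: IPv4 firewall rules from $f"
        return 0
    fi
    echo "location $2: no ipfilter-config-file, ipfilter gets no rules"
    return 1
}
# Constructed sample in the loc.conf layout; User has no ipfilter entry.
sample_loc_conf() {
    printf '%s\n' \
        'Automatic' \
        'enabled=boolean,false;activation-mode=uint64,1;ipfilter-config-file=string,/etc/ipf/ipf.conf;' \
        'NoNet' \
        'enabled=boolean,false;ipfilter-config-file=string,/etc/nwam/loc/NoNet/ipf.conf;' \
        'User' \
        'enabled=boolean,false;nameservices=uint64,0;'
}
demo=$(mktemp)
sample_loc_conf > "$demo"
for loc in Automatic NoNet User; do nwam_loc_ipf_check "$demo" "$loc" || true; done
rm -f "$demo"
```

Running it on the real file (`nwam_loc_ipf_check /etc/nwam/loc.conf Automatic`) gives a non-zero exit when the Automatic location lacks the property, which is the situation described at the top of the thread.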
On 2/28/22 14:46, Udo Grabowski (IMK) wrote:
> And this part probably determines if the custom policy is preserved:
>
> #
> # IPFilter
> #
> # If the firewall policy is "custom", simply copy the
> # custom_policy_file. If the firewall policy is "none", "allow" or
> # "deny", save the value as "/<value>". When reverting back to the
> # Legacy location, these values will have to be treated as special.
> #
> # For all configuration files, copy them to the Legacy directory.
> # Use the respective properties to remember the original locations
> # of the files so that they can be copied back there when NWAM is
> # stopped.
> #
> if service_is_enabled $IPFILTER_FMRI; then
>     FIREWALL_POLICY=`get_smf_prop $IPFILTER_FMRI \
>         firewall_config_default/policy`
>     if [ "$FIREWALL_POLICY" = "custom" ]; then
>         IPF_CONFIG_FILE=`get_smf_prop $IPFILTER_FMRI \
>             firewall_config_default/custom_policy_file`
>         copy_to_legacy_loc $IPF_CONFIG_FILE
>     else
>         # save value as /none, /allow, or /deny
>         IPF_CONFIG_FILE="/$FIREWALL_POLICY"
>     fi
>     IPF6_CONFIG_FILE=`get_smf_prop $IPFILTER_FMRI \
>         config/ipf6_config_file`
>     copy_to_legacy_loc $IPF6_CONFIG_FILE
>
>
> On 28/02/2022 14:22, Udo Grabowski (IMK) wrote:
>> See /lib/svc/method/net-nwam, it should take the ipfilter-config-file
>> from the activated IP firewall service:
>>
>> # IPFilter, IPsec, and IKE
>> ipf_file=`nwam_get_loc_prop Legacy ipfilter-config-file`
>> ipf6_file=`nwam_get_loc_prop Legacy ipfilter-v6-config-file`
>> ipnat_file=`nwam_get_loc_prop Legacy ipnat-config-file`
>> ippool_file=`nwam_get_loc_prop Legacy ippool-config-file`
>> ike_file=`nwam_get_loc_prop Legacy ike-config-file`
>> pol_file=`nwam_get_loc_prop Legacy ipsecpolicy-config-file`
>>
>> if [ -n "$ike_file" ]; then
>>     copy_from_legacy_loc $ike_file
>>     set_smf_prop $IPSEC_IKE_FMRI config/config_file $ike_file
>>     $SVCADM refresh $IPSEC_IKE_FMRI
>>     $SVCADM enable $IPSEC_IKE_FMRI
>> else
>>     set_smf_prop $IPSEC_IKE_FMRI config/config_file \
>>         $IPSEC_IKE_DEFAULT_CONFIG_FILE
>>     $SVCADM disable $IPSEC_IKE_FMRI
>> fi
>> if [ -n "$pol_file" ]; then
>>     copy_from_legacy_loc $pol_file
>>     set_smf_prop $IPSEC_POLICY_FMRI config/config_file $pol_file
>>     $SVCADM refresh $IPSEC_POLICY_FMRI
>>     $SVCADM enable $IPSEC_POLICY_FMRI
>> else
>>     set_smf_prop $IPSEC_POLICY_FMRI config/config_file \
>>         $IPSEC_POLICY_DEFAULT_CONFIG_FILE
>>     $SVCADM disable $IPSEC_POLICY_FMRI
>> fi
>>
>> refresh_ipf=false
>> if [ -n "$ipf_file" ]; then
>>     # change /none, /allow, and /deny to firewall policy
>>     if [ "$ipf_file" = "/none" -o "$ipf_file" = "/allow" \
>>         -o "$ipf_file" = "/deny" ]; then
>>         policy=`echo "$ipf_file" | $NAWK 'FS="/" { print $2 }'`
>>         set_smf_prop $IPFILTER_FMRI \
>>             firewall_config_default/policy $policy
>>         # no need to clear custom_policy_file as it isn't "custom"
>>     else
>>         copy_from_legacy_loc $ipf_file
>>         set_smf_prop $IPFILTER_FMRI \
>>             firewall_config_default/policy "custom"
>>         set_smf_prop $IPFILTER_FMRI \
>>             firewall_config_default/custom_policy_file $ipf_file
>>     fi
>>     refresh_ipf=true
>> fi
>> if [ -n "$ipf6_file" ]; then
>>     copy_from_legacy_loc $ipf6_file
>>     set_smf_prop $IPFILTER_FMRI config/ipf6_config_file $ipf6_file
>>     refresh_ipf=true
>> else
>>     set_smf_prop $IPFILTER_FMRI config/ipf6_config_file \
>>         $IPF6_DEFAULT_CONFIG_FILE
>> fi
>>
>> On 28/02/2022 12:51, Udo Grabowski (IMK) wrote:
>>>
>>>
>>> On 28/02/2022 12:44, Udo Grabowski (IMK) wrote:
>>>>
>>>>
>>>> On 28/02/2022 12:32, Marc Lobelle wrote:
>>>>> Hello,
>>>>>
>>>>> I defined firewall rules for ipfilter in /etc/ipf/ipf.conf.
>>>>>
>>>>> However, I use nwam and, at boot time, nwam wipes out all firewall
>>>>> rules and imposes its own: block everything except dhcp in the
>>>>> NoNet situation and no rules at all when a network interface is
>>>>> active.
>>>>>
>>>>> The NoNet rules can be replaced by my own rules by copying
>>>>> /etc/ipf/ipf.conf in /etc/nwam/loc/NoNet/ipf.conf, but this is
>>>>> useless because it is replaced by nothing at all when a network
>>>>> interface is activated. Therefore I removed this change.
>>>>>
>>>>> I tried to add to /etc/nwam/loc/create_loc_auto a line "set
>>>>> ipfilter-config-file=/etc/ipf/ipf.conf" similar to the line in
>>>>> create_loc_NoNet: "set
>>>>> ipfilter-config-file=/etc/nwam/loc/NoNet/ipf.conf"
>>>>>
>>>>> But this does not change the behaviour.
>>>>>
>>>>> How can I tell nwam to use ipf.conf ?
>>>>>
>>>>> Thanks for your help.
>>>> > ...
>>>>
>>>> In illumos-gate/usr/src/lib/libnwam/common/libnwam.h, I see
>>>> #define NWAM_LOC_PROP_IPFILTER_CONFIG_FILE "ipfilter-config-file"
>>>> #define NWAM_LOC_PROP_IPFILTER_V6_CONFIG_FILE "ipfilter-v6-config-file"
>>>
>>> Wild guess: These are probably definable in the nwam_netcfg group
>>> of the svcprop entries via svccfg.
>>>
>>> _______________________________________________
>>> openindiana-discuss mailing list
>>> openindiana-discuss at openindiana.org
>>> https://openindiana.org/mailman/listinfo/openindiana-discuss