SVC.IPFD(8)    Maintenance Commands and Procedures    SVC.IPFD(8)
svc.ipfd - IP Filter firewall monitoring daemon
/lib/svc/bin/svc.ipfd
svc:/network/ipfilter:default
The svc.ipfd daemon monitors actions on services that use firewall configuration and initiates updates to those services' IP Filter configuration. The daemon allows the system to react to changes in the system's firewall configuration incrementally, at a per-service level.
A service's firewall policy is activated when it is enabled, deactivated when it is disabled, and updated when its configuration property group is modified. svc.ipfd monitors the services management facility (SMF) repository for these actions and invokes the IP Filter rule-generation process to carry out the service's firewall policy.
This daemon is started by the network/ipfilter service either through the start or refresh method. Thus, the daemon inherits the environment variables and credentials from the method and runs as root with all zone privileges.
A static definition describes a service's network resource configuration that is used to generate service-specific IPF rules. The per-service firewall_context property group contains a service's static definition, similar to the inetd property group in inetd managed services. This property group supports:
firewall_context/name
firewall_context/isrpc
Additionally, some services may require a mechanism to generate and supply their own IPF rules. An optional property, ipf_method, provides a mechanism to allow such custom rule generation:
firewall_context/ipf_method
A service's ipf_method specifies a command that takes one additional argument, the service's own fault management resource identifier (FMRI), generates the service's firewall rules, and writes those rules to stdout. To generate rules for a service that has the ipf_method property, the framework execs the command specified in ipf_method with the service FMRI as that argument and stores the rules by redirecting the command's output to the service's rule file. Because an ipf_method is exec'ed from the context of either the network/ipfilter start or refresh method process, it inherits that execution context and runs as root.
The service static configuration is delivered by the service developer and not intended to be modified by users. These properties are only modified upon installation of an updated service definition.
A per-service property group, firewall_config, stores the services' firewall policy configuration. Because network/ipfilter:default is responsible for two firewall policies, the Global Default and Global Override system-wide policies (as explained in ipfilter(7)), it has two property groups, firewall_config_default and firewall_config_override, to store the respective system-wide policies.
Below are the properties, their possible values, and corresponding semantics:
policy
none policy mode
deny policy mode
allow policy mode
block-policy
none block-policy mode
return block-policy mode
apply_to
    host:       host:IP               "host:192.168.84.14"
    subnet:     network:IP/netmask    "network:129.168.1.5/24"
    ippool:     pool:pool number      "pool:77"
    interface:  if:interface_name     "if:e1000g0"
apply_to_6
    host:       host:IP               "host:2001:DB8::12ff:fe34:5678"
    subnet:     network:IP/netmask    "network:2001:DB8::/32"
    ippool:     pool:pool number      "pool:77"
    interface:  if:interface_name     "if:e1000g0"
exceptions
exceptions_6
target
target_6
For individual network services only:
firewall_config/policy
firewall_config/block_policy
For the Global Default only:
firewall_config_default/policy
firewall_config_default/custom_policy_file
    # svccfg -s ipfilter:default setprop \
        firewall_config_default/policy = astring: "custom"
    # svccfg -s ipfilter:default setprop \
        firewall_config_default/custom_policy_file = astring: \
        "/etc/ipf/ipf.conf"
    # svcadm refresh ipfilter:default
firewall_config_default/open_ports
"{tcp | udp}:{PORT | PORT-PORT}"
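The ipf_method mechanism described above and the apply_to / open_ports value grammar listed here are illustrated by the following hypothetical rule generator. It is an added example, not one of the framework's own rule scripts: a real ipf_method receives the service FMRI as its argument and would read the property values with svcprop(1), whereas here they are function arguments so the script runs offline, and the deny/allow/exceptions semantics are an assumption made for illustration.

```shell
#!/bin/sh
# Hypothetical ipf_method-style generator (added example, not the framework's
# own rule scripts). A real method receives the service FMRI as $1 and would
# read these values with svcprop; here they are arguments so it runs offline.
# Policy semantics are assumed for illustration: deny blocks the apply_to
# sources (every source if empty) and passes exceptions; allow is the mirror.

# Set ON/FROMTO for one apply_to or exceptions value (host:, network:, pool:, if:).
ipf_match() {
    ON=""; FROMTO="from any to any"
    case "$1" in
        any)              ;;                                   # every source
        host:*|network:*) FROMTO="from ${1#*:} to any" ;;
        pool:*)           FROMTO="from pool/${1#pool:} to any" ;;
        if:*)             ON="on ${1#if:} " ;;
        *) echo "bad apply_to value: $1" >&2; return 1 ;;
    esac
}

# "tcp:21" -> "port = 21"; "udp:111-120" -> "port 110 >< 121" (IPF's "><" is
# exclusive, so the range is widened by one on each side).
ipf_port() {
    spec=${1#*:}
    case "$spec" in
        *-*) echo "port $(( ${spec%-*} - 1 )) >< $(( ${spec#*-} + 1 ))" ;;
        *)   echo "port = $spec" ;;
    esac
}

# Block action for block-policy none|return: return sends RST (tcp) or ICMP (udp).
ipf_block() {
    [ "$1" = return ] || { echo block; return; }
    [ "$2" = tcp ] && echo "block return-rst" || echo "block return-icmp"
}

# gen_rules POLICY BLOCK_POLICY "PROTO:PORT ..." "APPLY_TO ..." "EXCEPTIONS ..."
gen_rules() {
    policy=$1 blk=$2 ports=$3 apply_to=$4 exceptions=$5
    [ "$policy" = none ] && return 0        # none: no rules at all
    for p in $ports; do
        proto=${p%%:*}; port=$(ipf_port "$p")
        if [ "$policy" = deny ]; then exc=pass; act=$(ipf_block "$blk" "$proto")
        else exc=$(ipf_block "$blk" "$proto"); act=pass; fi
        for e in $exceptions; do            # exceptions first: rules are quick
            ipf_match "$e" || return 1
            echo "$exc in quick ${ON}proto $proto $FROMTO $port"
        done
        for a in ${apply_to:-any}; do
            ipf_match "$a" || return 1
            echo "$act in quick ${ON}proto $proto $FROMTO $port"
        done
    done
}
```

Running `gen_rules deny return "tcp:21" "" "host:192.168.84.14"` emits a pass rule for the excepted host followed by a `block return-rst` rule for everyone else, which is the shape an ipf_method writes to stdout for the framework to store in the service's rule file.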
Initially, the system-wide policies are set to none and network services' policies are set to use_global. Enabling network/ipfilter activates the firewall with an empty set of IP Filter rules, since system-wide policy is none and all services inherit that policy. To configure a more restrictive policy, use svccfg(8) to modify network services and system-wide policies.
A user configures firewall policy by modifying the service's firewall_config property group. A new authorization, solaris.smf.value.firewall.config, is created to allow delegation of the firewall administration privilege to users. Users with Service Operator privileges will need this new authorization to be able to configure firewall policy.
During boot, a firewall is configured for enabled services prior to the starting of those services. Thus, services are protected on boot. While the system is running, administrative actions such as service restarting, enabling, and refreshing may cause a brief service vulnerability during which the service runs while its firewall is being configured.
svc.ipfd monitors a service's start and stop events and configures or unconfigures a service's firewall at the same time that SMF is starting or stopping the service. Because the two operations are simultaneous, there is a possible window of exposure (less than a second) if the service is started before its firewall configuration has completed. RPC services typically listen on ephemeral addresses, which are not known until the services are actually running. Thus RPC services are subject to similar exposure, since their firewalls are not configured until the services are running.
Services providing remote capabilities are encouraged to participate in the firewall framework to control network access to the service. While framework integration is not mandatory, remote access to services that are not integrated in the framework may not function correctly when a system-wide policy is configured.
Integrating a service into the framework is as straightforward as defining two additional property groups and their corresponding properties in the service manifest. IP Filter rules are generated when a user enables the service. In the non-trivial case of custom rule generation, where a shell script is required, there are existing scripts that can be used as examples.
The additional property groups, firewall_config and firewall_context, store the firewall policy configuration and provide the static firewall definition, respectively. Below is a summary of the new property groups and properties and their appropriate default values.
Firewall policy configuration:
firewall_config
<propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' />
A third party should follow the service symbol namespace convention to generate a user-defined type. Sun-delivered services can use com.sun,fw_configuration as the property type.
See "Firewall Policy Configuration," above, for more information.
firewall_config/policy
firewall_config/apply_to
firewall_config/exceptions
Firewall static definition:
firewall_context
See "Firewall Static Configuration," above, for more information.
firewall_context/name
firewall_context/isrpc
firewall_context/ipf_method
    svc:/network/ftp:default
    svc:/network/nfs/server:default
    svc:/network/ntp:default
...and others with the ipf_method for guidance.
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Committed
svcprop(1), svcs(1), getservbyname(3SOCKET), rpc(5), attributes(7), ipfilter(7), smf(7), ipf(8), svcadm(8), svccfg(8)
December 30, 2015    OmniOS