svc.ipfd(1M)           System Administration Commands           svc.ipfd(1M)

NAME
     svc.ipfd - IP Filter firewall monitoring daemon

SYNOPSIS
     /lib/svc/bin/svc.ipfd

     svc:/network/ipfilter:default

DESCRIPTION
     The svc.ipfd daemon monitors actions on services that use firewall
     configuration and initiates updates to those services' IP Filter
     configuration. The daemon allows the system to react to changes in
     the system's firewall configuration incrementally, at a per-service
     level.

     A service's firewall policy is activated when the service is
     enabled, deactivated when it is disabled, and updated when its
     configuration property group is modified. svc.ipfd monitors the
     service management facility (SMF) repository for these actions and
     invokes the IP Filter rule-generation process to carry out the
     service's firewall policy.

     This daemon is started by the network/ipfilter service, through
     either its start or its refresh method. The daemon therefore
     inherits the environment variables and credentials of that method
     and runs as root with all zone privileges.

   Firewall Static Configuration
     A static definition describes the network resource configuration of
     a service that is used to generate service-specific IPF rules. The
     per-service firewall_context property group contains a service's
     static definition, similar to the inetd property group of inetd-
     managed services. This property group supports:

     firewall_context/name

         For non-inetd services. The IANA name or RPC name, equivalent
         to the inetd/name property.

     firewall_context/isrpc

         For non-inetd services. A boolean property; a true value
         indicates an RPC service, equivalent to the inetd/isrpc
         property. For RPC services, the value of firewall_context/name
         is not an IANA name but either an RPC program number or an RPC
         program name. See rpc(4).

     Additionally, some services may need to generate and supply their
     own IPF rules. The optional ipf_method property provides a
     mechanism for such custom rule generation:

     firewall_context/ipf_method

         A command, normally a script, that generates the IPF rules for
         a service. The framework does not generate rules for services
         that define this property; it expects those services to
         provide their own rules.

     A service's ipf_method names a command that takes one additional
     argument, the service's own fault management resource identifier
     (FMRI), generates the service's firewall rules, and writes those
     rules to stdout. To generate rules for a service with the
     ipf_method property, the framework execs the command named by
     ipf_method with the service FMRI as that additional argument, and
     stores the rules for the service by redirecting the command's
     output (the rules) into the service's rule file. Because an
     ipf_method is exec'ed from the context of the network/ipfilter
     start or refresh method process, it inherits that execution context
     and runs as root. The command must therefore be trusted to the same
     degree as the method scripts themselves; it is delivered with the
     service, not supplied by users.

     The service static configuration is delivered by the service
     developer and is not intended to be modified by users. These
     properties are changed only when an updated service definition is
     installed.

   Firewall Policy Configuration
     A per-service property group, firewall_config, stores the service's
     firewall policy configuration. Because network/ipfilter:default is
     responsible for two firewall policies, the Global Default and the
     Global Override system-wide policies (as explained in ipfilter(5)),
     it has two property groups, firewall_config_default and
     firewall_config_override, to store the respective system-wide
     policies.

     Below are the properties, their possible values, and the
     corresponding semantics:

     policy

         The policy has the following modes:

         none policy mode

             No access restriction. For a global policy, this mode
             allows all incoming traffic. For a service policy, this
             mode allows all incoming traffic to that service.

         deny policy mode

             More restrictive than none. This mode allows incoming
             traffic from all sources except those listed in the
             apply_to property, which are blocked.

         allow policy mode

             The most restrictive mode. This mode blocks incoming
             traffic from all sources except those listed in the
             apply_to property, which are allowed.

     apply_to

         A multi-value property listing the network entities to which
         the chosen policy mode is applied. Entities listed in apply_to
         are denied if policy is deny and allowed if policy is allow.
         The syntax for the possible values is:

             host:        host:IP               "host:192.168.84.14"
             subnet:      network:IP/netmask    "network:129.168.1.5/24"
             ippool:      pool:pool number      "pool:77"
             interface:   if:interface_name     "if:e1000g0"

     exceptions

         A multi-value property listing network entities to be excluded
         from the apply_to list. For example, when a deny policy is
         applied to a subnet, exceptions can be made for some hosts in
         that subnet by listing them in the exceptions property. This
         property has the same value syntax as apply_to.

     For individual network services only:

     firewall_config/policy

         A service's policy can also be set to use_global. Services
         whose policy mode is use_global inherit the Global Default
         firewall policy.

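     The following script is an added example and not the framework's own
     rule generator (which this page does not show). It turns the policy
     mode, apply_to and exceptions values described above into IPF rules
     for a single service port, using the rule syntax of ipf.conf(4): one
     "quick" rule per entity, with exceptions emitted before the apply_to
     entries they are carved out of so that they match first. The port,
     protocol and entity lists are passed as arguments (space separated,
     as svcprop(1) prints a multi-value property); the sample values at
     the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of svc.ipfd): emit IPF rules that implement the
# none/deny/allow policy modes for one service port.

# entity_clause ENTITY PROTO -> the "[on IF] proto P from SRC" part of a rule.
# Returns 1 and prints nothing for anything that is not one of the four
# documented entity forms, so a typo in a property value is not silently
# turned into "no rule".
entity_clause() {
    case "$1" in
        host:*)    printf 'proto %s from %s' "$2" "${1#host:}" ;;
        network:*) printf 'proto %s from %s' "$2" "${1#network:}" ;;
        pool:*)    printf 'proto %s from pool/%s' "$2" "${1#pool:}" ;;   # ippool(1M) pool
        if:*)      printf 'on %s proto %s from any' "${1#if:}" "$2" ;;   # whole interface
        *)         return 1 ;;
    esac
}

# one_rule ACTION ENTITY PROTO PORT -> prints a single quick rule
one_rule() {
    c=$(entity_clause "$2" "$3") || { echo "bad entity: $2" >&2; return 1; }
    printf '%s in quick %s to any port = %s\n' "$1" "$c" "$4"
}

# gen_service_rules PROTO PORT POLICY "APPLY_TO ..." "EXCEPTIONS ..."
# none : no rules at all, the port is reachable from everywhere
# deny : pass the exceptions, block the apply_to entities, everything else passes
# allow: block the exceptions, pass the apply_to entities, block everything else
gen_service_rules() {
    proto=$1 port=$2 policy=$3 apply_to=$4 exceptions=$5
    case "$policy" in
        none)
            return 0 ;;
        deny)
            for e in $exceptions; do one_rule pass  "$e" "$proto" "$port" || return 1; done
            for a in $apply_to;   do one_rule block "$a" "$proto" "$port" || return 1; done
            ;;
        allow)
            for e in $exceptions; do one_rule block "$e" "$proto" "$port" || return 1; done
            for a in $apply_to;   do one_rule pass  "$a" "$proto" "$port" || return 1; done
            printf 'block in quick proto %s from any to any port = %s\n' "$proto" "$port"
            ;;
        *)
            echo "unknown policy mode: $policy" >&2; return 1 ;;
    esac
}

# Constructed sample, not from any real system: an ssh-like service on tcp/22
# with a deny policy on a /24 and one host in that subnet carved out.
gen_service_rules tcp 22 deny "network:192.168.84.0/24" "host:192.168.84.14"
```

     An ipf_method script does the same kind of work for its own port(s):
     it reads the service's firewall_config values with svcprop(1) and
     writes rules of this shape to stdout, which the framework captures
     into the service's rule file.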
     For the Global Default only:

     firewall_config_default/policy

         The Global Default policy, stored in the firewall_config_default
         property group of svc:/network/ipfilter:default, can also be set
         to custom. Users set policy to custom to use a prepopulated IP
         Filter configuration, for example an existing IP Filter
         configuration or a custom configuration that the framework
         cannot express. This Global Default-only policy mode allows
         users to supply a text file containing the complete set of IPF
         rules. When custom mode is selected, the specified set of IPF
         rules is taken as complete and the framework does not generate
         IPF rules from the configured firewall policies.

     firewall_config_default/custom_policy_file

         The path of the file to use when the Global Default policy is
         set to custom. The file contains the set of IPF rules that
         provide the desired IP Filter configuration. For example, users
         with existing IPF rules in /etc/ipf/ipf.conf can run the
         following commands to use those rules:

         1. Set the custom policy:

              # svccfg -s ipfilter:default setprop \
                  firewall_config_default/policy = astring: "custom"

         2. Specify the custom file:

              # svccfg -s ipfilter:default setprop \
                  firewall_config_default/custom_policy_file = astring: \
                  "/etc/ipf/ipf.conf"

         3. Refresh the configuration:

              # svcadm refresh ipfilter:default

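     Because the custom policy file is read by the root-privileged
     network/ipfilter method on every refresh, it is worth checking the
     file before pointing the framework at it. The script below is an
     added example, not part of the framework: it refuses a file that is
     not owned by root, that is group- or world-writable (any local user
     could then rewrite the system's firewall), or that contains no rules
     at all, runs ipf(1M) in no-action mode (-n) as a syntax check when
     ipf is installed, and only then performs the three steps above. The
     svccfg/svcadm commands exist only on the Solaris host itself; the
     preflight checks run anywhere with a POSIX find(1).

```shell
#!/bin/sh
# Added example (not part of svc.ipfd): preflight a custom IPF policy file
# before making it the Global Default, then apply it with the steps above.

# preflight_custom_policy FILE -> 0 if FILE is safe to hand to the framework
preflight_custom_policy() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    # Owned by root and writable by the owner only: find prints the path
    # only when all three tests hold (-perm -020 = group write, -002 = other).
    if [ -z "$(find "$f" -user root ! -perm -020 ! -perm -002 -print)" ]; then
        echo "$f: must be owned by root and not group/world writable" >&2
        return 1
    fi
    # At least one non-comment, non-blank line: custom mode replaces all
    # generated rules, so an empty or truncated file means no firewall.
    if ! grep -q '^[[:space:]]*[^#[:space:]]' "$f"; then
        echo "$f: contains no rules" >&2
        return 1
    fi
    # Dry-run parse with ipf(1M) when available; -n makes no kernel changes.
    if command -v ipf >/dev/null 2>&1; then
        ipf -n -f "$f" >/dev/null || { echo "$f: ipf rejected the rule set" >&2; return 1; }
    fi
    return 0
}

# apply_custom_policy FILE: the three documented steps, run only after the
# preflight passes.
apply_custom_policy() {
    preflight_custom_policy "$1" || return 1
    svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom" &&
    svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "$1" &&
    svcadm refresh ipfilter:default
}
```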

     firewall_config_default/open_ports

         A program that is not an SMF service but needs its incoming
         traffic allowed can request that the firewall open its
         communication ports. This multi-value property holds
         protocol/port tuples of the form:

             "{tcp | udp}:{PORT | PORT-PORT}"

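     As an added example (not the framework's own parser), the script
     below validates open_ports tuples of exactly that form and turns each
     into an IPF pass rule. A malformed tuple is reported and rejected
     rather than skipped, because a silently dropped tuple leaves a port
     closed while a mis-parsed range can open far more than intended. It
     assumes ipf.conf(4) range syntax, where "port a >< b" matches ports
     strictly between a and b, so the bounds are widened by one.

```shell
#!/bin/sh
# Added example (not part of svc.ipfd): parse and validate
# firewall_config_default/open_ports tuples, "{tcp|udp}:{PORT|PORT-PORT}".

# is_port N -> 0 if N is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# open_port_rule TUPLE -> prints one pass rule, or returns 1 with the reason
# on stderr
open_port_rule() {
    tuple=$1
    proto=${tuple%%:*}
    ports=${tuple#*:}
    [ "$proto" != "$tuple" ] || { echo "$tuple: missing ':'" >&2; return 1; }
    case "$proto" in
        tcp|udp) ;;
        *) echo "$tuple: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case "$ports" in
        *-*)
            lo=${ports%%-*}; hi=${ports#*-}
            is_port "$lo" && is_port "$hi" || { echo "$tuple: bad port range" >&2; return 1; }
            [ "$lo" -le "$hi" ] || { echo "$tuple: range must be low-high" >&2; return 1; }
            if [ "$hi" -eq 65535 ]; then
                # hi+1 would not fit a port number; use an open-ended compare
                printf 'pass in quick proto %s from any to any port >= %s\n' "$proto" "$lo"
            else
                # "a >< b" is exclusive on both ends, so widen by one each side
                printf 'pass in quick proto %s from any to any port %d >< %d\n' \
                    "$proto" $((lo - 1)) $((hi + 1))
            fi
            ;;
        *)
            is_port "$ports" || { echo "$tuple: bad port" >&2; return 1; }
            printf 'pass in quick proto %s from any to any port = %s\n' "$proto" "$ports"
            ;;
    esac
}

# open_ports_rules "TUPLE TUPLE ..." -> rules for every tuple (space separated,
# as svcprop prints the property); fails on the first bad tuple so nothing is
# loaded from a property that is partly wrong.
open_ports_rules() {
    for t in $1; do
        open_port_rule "$t" || return 1
    done
}

# Constructed sample values for illustration only.
open_ports_rules "tcp:22 udp:5000-5010 tcp:1024-65535"
```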
     Initially, the system-wide policies are set to none and network
     services' policies are set to use_global. Enabling network/ipfilter
     activates the firewall with an empty set of IP Filter rules, since
     the system-wide policy is none and all services inherit that
     policy. To configure a more restrictive policy, use svccfg(1M) to
     modify the network services' and the system-wide policies.

     A user configures firewall policy by modifying the service's
     firewall_config property group. A new authorization,
     solaris.smf.value.firewall.config, allows the firewall
     administration privilege to be delegated to users. Users with
     Service Operator privileges need this authorization in order to
     configure firewall policy.

   Firewall Availability
     During boot, the firewall is configured for enabled services before
     those services are started, so services are protected at boot.
     While the system is running, administrative actions such as
     restarting, enabling, and refreshing a service may open a brief
     window in which the service runs while its firewall is still being
     configured.

     svc.ipfd monitors a service's start and stop events and configures
     or unconfigures the service's firewall at the same time that SMF is
     starting or stopping the service. Because the two operations run
     concurrently, there is a possible window of exposure (less than a
     second) if the service begins listening before its firewall
     configuration has completed. RPC services typically listen on
     ephemeral ports, which are not known until the services are
     actually running, so RPC services are subject to a similar exposure
     because their firewalls cannot be configured until they are
     running.

   Developer Documentation
     Services that provide remote capabilities are encouraged to
     participate in the firewall framework so that network access to
     the service can be controlled. Framework integration is not
     mandatory, but remote access to services that are not integrated
     into the framework may not function correctly once a system-wide
     policy is configured.

     Integrating a service into the framework is as straightforward as
     defining two additional property groups and their corresponding
     properties in the service manifest. IP Filter rules are generated
     when a user enables the service. In the non-trivial case of custom
     rule generation, where a shell script is required, existing scripts
     can be used as examples.

     The additional property groups, firewall_config and
     firewall_context, store the firewall policy configuration and
     provide the static firewall definition, respectively. Below is a
     summary of the new property groups and properties and their
     appropriate default values.

     Firewall policy configuration:

     firewall_config

         Access to this property group is protected by a new
         authorization definition and a user-defined property type. The
         new authorization should be assigned to the property group's
         value_authorization property, for example:

             <propval name='value_authorization' type='astring'
                 value='solaris.smf.value.firewall.config' />

         A third party should follow the service symbol namespace
         convention to generate a user-defined type. Sun-delivered
         services can use com.sun,fw_configuration as the property type.

         See "Firewall Policy Configuration," above, for more
         information.

     firewall_config/policy

         This property's initial value should be use_global, since
         services by default inherit the Global Default firewall policy.

     firewall_config/apply_to

         An empty property; it has no initial value.

     firewall_config/exceptions

         An empty property; it has no initial value.

     Firewall static definition:

     firewall_context

         A third party should follow the service symbol namespace
         convention to generate a user-defined type. Sun-delivered
         services can use com.sun,fw_definition as the property type.

         See "Firewall Static Configuration," above, for more
         information.

     firewall_context/name

         For a service with a well-known, IANA-defined port, which can
         be obtained with getservbyname(3SOCKET), the service's IANA name
         is stored in this property. For RPC services, the RPC program
         number is stored in this property.

     firewall_context/isrpc

         For RPC services, this property should be created with its
         value set to true.

     firewall_context/ipf_method

         In general, the specified firewall policy is used to generate
         IP Filter rules for the service's communication port, which is
         derived from the firewall_context/name property. Services that
         have neither an IANA-defined port nor an RPC program number must
         generate their own IP Filter rules. Services that generate their
         own rules may omit the firewall_context/name and
         firewall_context/isrpc properties. See the following services:

             svc:/network/ftp:default
             svc:/network/nfs/server:default
             svc:/network/ntp:default

         ...and others with an ipf_method for guidance.

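     The script below is an added example for the integration summary
     above; it is not taken from any delivered service manifest. The
     first function prints the two property groups with the defaults this
     page specifies (use_global policy, empty apply_to and exceptions,
     the value_authorization propval, and a name/isrpc static definition),
     using the com.sun,fw_configuration and com.sun,fw_definition types
     named above for Sun-delivered services; a third party would
     substitute its own namespace. The second function lints a manifest
     fragment for the pieces that are easy to forget, in particular the
     value_authorization without which the firewall authorization cannot
     be delegated. Matching is by grep on the fragment text, which is
     enough for a lint but is not an XML parser.

```shell
#!/bin/sh
# Added example (not part of svc.ipfd or any delivered service): generate
# and lint the firewall property groups of a service manifest.

# fw_manifest_fragment NAME ISRPC -> XML for firewall_config + firewall_context.
# NAME is the IANA service name, or the RPC program number when ISRPC is true.
fw_manifest_fragment() {
    name=$1 isrpc=$2
    cat <<EOF
<property_group name='firewall_config' type='com.sun,fw_configuration'>
  <!-- lets holders of this authorization edit the policy -->
  <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' />
  <!-- default: inherit the Global Default policy -->
  <propval name='policy' type='astring' value='use_global' />
  <!-- multi-value, initially empty -->
  <property name='apply_to' type='astring' />
  <property name='exceptions' type='astring' />
</property_group>

<property_group name='firewall_context' type='com.sun,fw_definition'>
  <propval name='name' type='astring' value='$name' />
  <propval name='isrpc' type='boolean' value='$isrpc' />
</property_group>
EOF
}

# check_fw_manifest FILE -> 0 when the fragment has every required piece,
# otherwise lists what is missing on stderr and returns 1.
check_fw_manifest() {
    f=$1 rc=0
    need() {   # need PATTERN MESSAGE
        grep -q -- "$1" "$f" || { echo "$f: $2" >&2; rc=1; }
    }
    need "property_group name='firewall_config'"  "firewall_config property group missing"
    need "solaris.smf.value.firewall.config"      "value_authorization not set; firewall authorization cannot be delegated"
    need "name='policy'.*value='use_global'"       "firewall_config/policy should start as use_global"
    need "property_group name='firewall_context'" "firewall_context property group missing"
    # A service needs either a port to derive rules from or its own generator.
    if ! grep -q "name='name'" "$f" && ! grep -q "name='ipf_method'" "$f"; then
        echo "$f: firewall_context needs name (IANA/RPC) or ipf_method" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: a non-RPC service registered under the IANA name "ssh".
fw_manifest_fragment ssh false
```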
ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWcsu, SUNWipfr            │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Committed                    │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     svcprop(1), svcs(1), ipf(1M), svcadm(1M), svccfg(1M),
     getservbyname(3SOCKET), rpc(4), attributes(5), ipfilter(5), smf(5)

SunOS 5.11                      13 Jan 2009                    svc.ipfd(1M)