svc.ipfd(1M)            System Administration Commands            svc.ipfd(1M)

NAME
       svc.ipfd - IP Filter firewall monitoring daemon

SYNOPSIS
       /lib/svc/bin/svc.ipfd

       svc:/network/ipfilter:default

DESCRIPTION
       The svc.ipfd daemon monitors actions on services that use firewall
       configuration and initiates updates of those services' IP Filter
       configuration. The daemon allows the system to react to changes in the
       system's firewall configuration in an incremental fashion, at a
       per-service level.

       A service's firewall policy is activated when the service is enabled,
       deactivated when it is disabled, and updated when its configuration
       property group is modified. svc.ipfd monitors the service management
       facility (SMF) repository for these actions and invokes the IP Filter
       rule-generation process to carry out the service's firewall policy.

       This daemon is started by the network/ipfilter service, either through
       its start method or its refresh method. Thus, the daemon inherits the
       environment variables and credentials of the method and runs as root
       with all zone privileges.

   Firewall Static Configuration
       A static definition describes a service's network resource
       configuration, which is used to generate service-specific IPF rules.
       The per-service firewall_context property group contains a service's
       static definition, similar to the inetd property group of
       inetd-managed services. This property group supports:

       firewall_context/name

           For non-inetd services. The IANA name or RPC name, equivalent to
           the inetd/name property.

       firewall_context/isrpc

           For non-inetd services. A boolean property where a true value
           indicates an RPC service, equivalent to the inetd/isrpc property.
           For RPC services, the value of firewall_context/name is not an
           IANA name but either an RPC program number or an RPC program name.
           See rpc(4).

       Additionally, some services may require a mechanism to generate and
       supply their own IPF rules. An optional property, ipf_method, provides
       a mechanism for such custom rule generation:

       firewall_context/ipf_method

           A command, normally a script, that generates IPF rules for a
           service. The framework does not generate rules for services that
           define this property. Rather, the framework expects these services
           to provide their own rules.

       A service's ipf_method specifies a command that takes one additional
       argument, the service's own fault management resource identifier
       (FMRI), generates the service's firewall rules, and writes those rules
       to stdout. To generate rules for a service with the ipf_method
       property, the framework execs the command specified in ipf_method,
       passing the service FMRI as the additional argument, and stores the
       rules for that service by redirecting the command's output, the rules,
       to the service's rule file. Because an ipf_method is exec'ed from the
       context of either the network/ipfilter start or refresh method
       process, it inherits that execution context and runs as root.

       The service static configuration is delivered by the service developer
       and is not intended to be modified by users. These properties are only
       modified upon installation of an updated service definition.

   Firewall Policy Configuration
       A per-service property group, firewall_config, stores the service's
       firewall policy configuration. Because network/ipfilter:default is
       responsible for two firewall policies, the Global Default and Global
       Override system-wide policies (as explained in ipfilter(5)), it has
       two property groups, firewall_config_default and
       firewall_config_override, to store the respective system-wide
       policies.

       Below are the properties, their possible values, and the corresponding
       semantics:

       policy

           The policy has the following modes:

           none policy mode

               No access restriction. For a global policy, this mode allows
               all incoming traffic. For a service policy, this mode allows
               all incoming traffic to its service.

           deny policy mode

               More restrictive than none. This mode allows incoming traffic
               from all sources except those specified in the apply_to
               property.

           allow policy mode

               Most restrictive mode. This mode blocks incoming traffic from
               all sources except those specified in the apply_to property.

       apply_to

           A multi-value property listing the network entities to which the
           chosen policy mode is enforced. Entities listed in the apply_to
           property are denied if policy is deny and allowed if policy is
           allow. The syntax for possible values is:

             host:           host:IP                 "host:192.168.84.14"
             subnet:         network:IP/netmask      "network:129.168.1.5/24"
             ippool:         pool:pool number        "pool:77"
             interface:      if:interface_name       "if:e1000g0"

       exceptions

           A multi-value property listing network entities to be excluded
           from the apply_to list. For example, when a deny policy is applied
           to a subnet, exceptions can be made for some hosts in that subnet
           by specifying them in the exceptions property. This property has
           the same value syntax as the apply_to property.

       For individual network services only:

       firewall_config/policy

           A service's policy can also be set to use_global. Services with
           the use_global policy mode inherit the Global Default firewall
           policy.

       For the Global Default only:

       firewall_config_default/policy

           The Global Default policy (the policy property of the
           firewall_config_default property group in
           svc:/network/ipfilter:default) can also be set to custom. Users
           can set the policy to custom to use a prepopulated IP Filter
           configuration, for example an existing IP Filter configuration or
           a custom configuration that cannot be expressed by the framework.
           This Global Default-only policy mode allows users to supply a text
           file containing the complete set of IPF rules. When custom mode is
           selected, the specified set of IPF rules is taken as complete and
           the framework does not generate IPF rules from the configured
           firewall policies.

       firewall_config_default/custom_policy_file

           The path of the file to be used when the Global Default policy is
           set to custom. The file contains a set of IPF rules that provide
           the desired IP Filter configuration. For example, users with
           existing IPF rules in /etc/ipf/ipf.conf can execute the following
           commands to use the existing rules:

               1.     Set custom policy:

                        # svccfg -s ipfilter:default setprop \
                        firewall_config_default/policy = astring: "custom"

               2.     Specify custom file:

                        # svccfg -s ipfilter:default setprop \
                        firewall_config_default/custom_policy_file = astring: \
                        "/etc/ipf/ipf.conf"

               3.     Refresh configuration:

                        # svcadm refresh ipfilter:default

       firewall_config_default/open_ports

           A non-service program that requires its incoming traffic to be
           allowed can request that the firewall allow traffic to its
           communication ports. This multi-value property contains protocol
           and port(s) tuples in the form:

             "{tcp | udp}:{PORT | PORT-PORT}"
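       The following is an added example and is not code from svc.ipfd or
       from the IP Filter framework's own rule generator. It shows, in POSIX
       shell, how the policy modes, apply_to and exceptions entities, and
       open_ports entries described above translate into ipf.conf rules, and
       it is shaped like an ipf_method: one argument, the service FMRI, rules
       on stdout. Inputs are taken from shell arguments rather than read from
       the SMF repository, so it runs offline; the FMRI
       svc:/network/example:default and its policy are constructed for the
       example. Two points are assumptions rather than taken from this page:
       that an ippool is referenced in ipf.conf as pool/NUMBER, and that the
       IPF port-range operator >< excludes both end points (so the bounds are
       widened by one).

```shell
#!/bin/sh
# Added example, not svc.ipfd's own code: IPF rule generation from a
# firewall_config policy. Rules use "quick", so the first matching rule
# wins; exceptions are therefore emitted before the apply_to rules, and the
# catch-all for the policy mode comes last.

# Emit one IPF rule for an apply_to/exceptions entity.
#   $1 = pass|block   $2 = tcp|udp   $3 = port   $4 = entity
# Entity syntax is the apply_to syntax: host:, network:, pool:, if:.
# Assumption: "pool/N" is how ipf.conf references ippool number N.
rule() {
    case "$4" in
        host:*)    echo "$1 in quick proto $2 from ${4#host:} to any port = $3" ;;
        network:*) echo "$1 in quick proto $2 from ${4#network:} to any port = $3" ;;
        pool:*)    echo "$1 in quick proto $2 from pool/${4#pool:} to any port = $3" ;;
        if:*)      echo "$1 in quick on ${4#if:} proto $2 from any to any port = $3" ;;
        *)         echo "rule: unknown entity '$4'" >&2; return 1 ;;
    esac
}

# Generate the rule set for one service port.
#   $1 = policy (none|deny|allow)   $2 = proto   $3 = port
#   $4 = apply_to entities   $5 = exceptions entities (space separated)
gen_rules() {
    policy=$1 proto=$2 port=$3 apply_to=$4 exceptions=$5
    case "$policy" in
        none)   # no restriction: explicit pass for the service port
            echo "pass in quick proto $proto from any to any port = $port" ;;
        deny)   # apply_to is blocked, exceptions inside it stay reachable
            for e in $exceptions; do rule pass  "$proto" "$port" "$e" || return 1; done
            for e in $apply_to;   do rule block "$proto" "$port" "$e" || return 1; done
            echo "pass in quick proto $proto from any to any port = $port" ;;
        allow)  # only apply_to is reachable, minus the exceptions
            for e in $exceptions; do rule block "$proto" "$port" "$e" || return 1; done
            for e in $apply_to;   do rule pass  "$proto" "$port" "$e" || return 1; done
            echo "block in quick proto $proto from any to any port = $port" ;;
        *)
            echo "gen_rules: unknown policy '$policy'" >&2; return 1 ;;
    esac
}

# Translate one open_ports entry, "{tcp|udp}:{PORT|PORT-PORT}", into a
# pass rule. Assumption: IPF's >< range operator is exclusive on both
# ends, so an inclusive PORT-PORT range is widened by one on each side.
open_port_rule() {
    proto=${1%%:*} ports=${1#*:}
    case "$proto" in tcp|udp) ;; *) echo "open_port_rule: bad entry '$1'" >&2; return 1 ;; esac
    case "$ports" in
        ''|*[!0-9-]*) echo "open_port_rule: bad port(s) in '$1'" >&2; return 1 ;;
        *-*) lo=${ports%-*} hi=${ports#*-}
             echo "pass in quick proto $proto from any to any port $((lo - 1)) >< $((hi + 1))" ;;
        *)   echo "pass in quick proto $proto from any to any port = $ports" ;;
    esac
}

# Entry point shaped like an ipf_method: the service FMRI as the only
# argument, rules on stdout. The policy for the constructed FMRI is
# hard-coded here; a real method would read firewall_config with svcprop(1).
ipf_method_main() {
    case "$1" in
        svc:/network/example:default)   # constructed FMRI for this example
            gen_rules deny tcp 21 "network:129.168.1.5/24 if:e1000g0" "host:192.168.84.14" ;;
        '') echo "usage: $0 <service FMRI>" >&2; return 2 ;;
        *)  echo "$0: no policy known for $1" >&2; return 1 ;;
    esac
}

# Invoked the way the framework invokes an ipf_method:
#   ./example_ipf_method svc:/network/example:default > rules.conf
if [ $# -gt 0 ]; then
    ipf_method_main "$1"
fi
```

       With the constructed deny policy above, the output is one pass rule
       for the excepted host, one block rule for the subnet, one block rule
       for the interface, and a final pass for every other source; under
       allow the roles of pass and block are swapped and the final rule is a
       block.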

       Initially, the system-wide policies are set to none and network
       services' policies are set to use_global. Enabling network/ipfilter
       activates the firewall with an empty set of IP Filter rules, since the
       system-wide policy is none and all services inherit that policy. To
       configure a more restrictive policy, use svccfg(1M) to modify the
       network services' and system-wide policies.

       A user configures firewall policy by modifying the service's
       firewall_config property group. A new authorization,
       solaris.smf.value.firewall.config, is created to allow delegation of
       the firewall administration privilege to users. Users with Service
       Operator privileges will need this new authorization to be able to
       configure firewall policy.

   Firewall Availability
       During boot, a firewall is configured for enabled services prior to
       the starting of those services. Thus, services are protected on boot.
       While the system is running, administrative actions such as service
       restarting, enabling, and refreshing may cause a brief service
       vulnerability during which the service runs while its firewall is
       being configured.

       svc.ipfd monitors a service's start and stop events and configures or
       unconfigures a service's firewall at the same time that SMF is
       starting or stopping the service. Because the two operations are
       simultaneous, there is a possible window of exposure (less than a
       second) if the service is started before its firewall configuration
       has completed. RPC services typically listen on ephemeral addresses,
       which are not known until the services are actually running. Thus RPC
       services are subject to a similar exposure, since their firewalls are
       not configured until the services are running.

   Developer Documentation
       Services providing remote capabilities are encouraged to participate
       in the firewall framework to control network access to the service.
       While framework integration is not mandatory, remote access to
       services that are not integrated in the framework may not function
       correctly when a system-wide policy is configured.

       Integrating a service into the framework is as straightforward as
       defining two additional property groups and their corresponding
       properties in the service manifest. IP Filter rules are generated when
       a user enables the service. In the non-trivial case of custom rule
       generation, where a shell script is required, there are existing
       scripts that can be used as examples.

       The additional property groups, firewall_config and firewall_context,
       store the firewall policy configuration and provide the static
       firewall definition, respectively. Below is a summary of the new
       property groups and properties and their appropriate default values.

       Firewall policy configuration:

       firewall_config

           Access to the system is protected by a new authorization
           definition and a user-defined property type. The new authorization
           should be assigned to the property group's value_authorization
           property in a way such as:

             <propval name='value_authorization' type='astring'
             value='solaris.smf.value.firewall.config' />

           A third party should follow the service symbol namespace
           convention to generate a user-defined type. Sun-delivered services
           can use com.sun,fw_configuration as the property type.

           See "Firewall Policy Configuration," above, for more information.

       firewall_config/policy

           This property's initial value should be use_global since services,
           by default, inherit the Global Default firewall policy.

       firewall_config/apply_to

           An empty property; this property has no initial value.

       firewall_config/exceptions

           An empty property; this property has no initial value.

       Firewall static definition:

       firewall_context

           A third party should follow the service symbol namespace
           convention to generate a user-defined type. Sun-delivered services
           can use com.sun,fw_definition as the property type.

           See "Firewall Static Configuration," above, for more information.

       firewall_context/name

           For a service with a well-known, IANA-defined port, which can be
           obtained by getservbyname(3SOCKET), the service's IANA name is
           stored in this property. For RPC services, the RPC program number
           is stored in this property.

       firewall_context/isrpc

           For RPC services, this property should be created with its value
           set to true.

       firewall_context/ipf_method

           In general, the specified firewall policy is used to generate IP
           Filter rules for the service's communication port, derived from
           the firewall_context/name property. Services that do not have
           IANA-defined ports and are not RPC services need to generate their
           own IP Filter rules. Services that generate their own rules may
           choose not to have the firewall_context/name and
           firewall_context/isrpc properties. See the following services:

             svc:/network/ftp:default
             svc:/network/nfs/server:default
             svc:/network/ntp:default

           ...and others with the ipf_method for guidance.
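       The following is an added example and is not part of this man page
       or of any Sun-delivered manifest. It writes a constructed manifest
       fragment that declares the two property groups summarized above with
       the documented defaults (use_global policy, empty apply_to and
       exceptions, the value_authorization propval, and a firewall_context
       carrying name and isrpc), and pairs it with a small shell check that
       a developer can run over a manifest before importing it. The service
       name "example" and the com.sun,* types follow the conventions stated
       above; the check assumes one propval per line and matches with
       grep(1), so it is a review aid rather than an XML parser.

```shell
#!/bin/sh
# Added example, not from the svc.ipfd man page or any Sun manifest:
# a constructed firewall_config / firewall_context fragment plus a check
# that the fragment carries the defaults documented for the framework.

# Write the constructed manifest fragment to the file named by $1.
write_fragment() {
    cat > "$1" <<'EOF'
<!-- constructed example fragment for a hypothetical svc:/network/example:default -->
<property_group name='firewall_config' type='com.sun,fw_configuration'>
  <propval name='policy' type='astring' value='use_global' />
  <property name='apply_to' type='astring' />
  <property name='exceptions' type='astring' />
  <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' />
</property_group>
<property_group name='firewall_context' type='com.sun,fw_definition'>
  <propval name='name' type='astring' value='example' />
  <propval name='isrpc' type='boolean' value='false' />
</property_group>
EOF
}

# Return 0 when every documented default is present in the fragment $1;
# otherwise report each missing item on stderr and return 1.
check_firewall_groups() {
    f=$1 rc=0
    require() {   # $1 = what is expected, $2 = grep -E pattern that proves it
        if ! grep -Eq "$2" "$f"; then
            echo "missing: $1" >&2
            rc=1
        fi
    }
    require "firewall_config property group of type com.sun,fw_configuration" \
        "<property_group name='firewall_config' type='com\.sun,fw_configuration'>"
    require "firewall_config/policy with initial value use_global" \
        "name='policy' .*value='use_global'"
    require "empty firewall_config/apply_to" \
        "<property name='apply_to' type='astring' */>"
    require "empty firewall_config/exceptions" \
        "<property name='exceptions' type='astring' */>"
    require "value_authorization set to solaris.smf.value.firewall.config" \
        "name='value_authorization' .*value='solaris\.smf\.value\.firewall\.config'"
    require "firewall_context property group of type com.sun,fw_definition" \
        "<property_group name='firewall_context' type='com\.sun,fw_definition'>"
    # The framework needs either a name it can resolve (isrpc says how) or
    # the service's own ipf_method; with neither, no rules can be generated.
    if ! grep -Eq "name='(name|ipf_method)' " "$f"; then
        echo "missing: firewall_context/name or firewall_context/ipf_method" >&2
        rc=1
    fi
    return $rc
}

# Usage: ./check_manifest path/to/manifest.xml
# With no argument, write and check the constructed fragment instead.
if [ $# -gt 0 ]; then
    check_firewall_groups "$1"
else
    tmp=$(mktemp) && write_fragment "$tmp" && check_firewall_groups "$tmp"
    rm -f "$tmp"
fi
```

       Changing the policy propval to none or dropping the
       value_authorization line makes the check fail, which is the case a
       reviewer wants caught: a service that ships with a policy other than
       use_global silently departs from the Global Default on every system
       it is installed on, and one without the authorization cannot have its
       policy delegated as described under "Firewall Policy Configuration".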

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu, SUNWipfr            │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       svcprop(1), svcs(1), ipf(1M), svcadm(1M), svccfg(1M),
       getservbyname(3SOCKET), rpc(4), attributes(5), ipfilter(5), smf(5)

SunOS 5.11                        13 Jan 2009                     svc.ipfd(1M)