> Ivan Wang wrote:
> > Hi all,
> >
> > Sorry if this is kind of an old question..
> >
> > I've been using /etc/ipf/ipf.conf to configure ipfilter until recently, when I checked the ipfilter svc method out of curiosity and saw there is a new way, using the smf firewall_config property group, to automate ipf ruleset generation.
> >
> > Is this to be the preferred way to configure ipfilter? I don't find a way to selectively admit ICMP packets with the new facility though..
> >
> > Thanks
> > Ivan.
>
> What exactly are you trying to achieve?

Very normal filtering, that's why I think the smf approach fits the purpose (for the most part): with firewall_config_default/policy set to "allow" at ipfilter:default, and apply_to of a specific service set to selected hosts (or host:any for a generally available service like ssh).

However, I didn't find the hook to apply ICMP filtering this way. The smf approach requires an endpoint at the transport layer, either a udp or tcp port. There isn't a way to block things like ICMP redirect or ICMP router advertisement.

Another thing I am curious about is that no matter how I tried, svcadm enable ipfilter always sets the ipfilter:default instance's policy to "custom". After a bit of tracing, it looks like config_get_version() from the ipfilter svc method somehow succeeds but its result does not match CURRENT_VERSION from ipf_include.sh.

Another thing I saw is that the dns/multicast (mDNS) service does not have a firewall_config property group defined. I am running from an image-updated b134.

So at the end, I gave up the ipf.conf -> smf conversion and wonder which is the preferred way in the future to configure ipf..

Ivan.

> -tn
> _______________________________________________
> networking-discuss mailing list
> [email protected]

--
This message posted from opensolaris.org
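The gap the reply describes (SMF firewall_config can express "allow by default, restrict a tcp/udp service to chosen hosts", but has no way to express ICMP-type rules) is easiest to see as an ipf.conf fragment. The script below is an added example, not code from this thread and not the ipfilter svc method's own generator: it writes a small ruleset in ipf.conf syntax with an allow default, ssh limited to listed hosts, and block rules for ICMP redirect (type 5) and router advertisement (type 9). The interface name, the 192.0.2.x hosts and the exact form of the generated pass/block lines are assumptions chosen for illustration; nothing is loaded into the kernel (that would be a separate `ipf -Fa -f <file>` step).

```shell
#!/bin/sh
# Added example (not from the thread or the ipfilter SMF method).
# Emits an ipf.conf-style ruleset mirroring the post's setup:
#   - default policy "allow"  (firewall_config_default/policy = allow)
#   - ssh reachable only from listed hosts (firewall_config/apply_to)
#   - ICMP redirect / router advertisement blocked, which the SMF
#     facility cannot express because it only knows tcp/udp endpoints.
# Interface and host values are placeholders; nothing is applied here.

# ipf_icmp_block_rules IFACE
# One "block in quick" rule per ICMP type that should never be accepted.
ipf_icmp_block_rules() {
    ifc="$1"
    [ -n "$ifc" ] || { echo "usage: ipf_icmp_block_rules IFACE" >&2; return 1; }
    # numeric icmp-type values; ipf also accepts the names "redir" and "routerad"
    for spec in "5 redirect" "9 router-advertisement"; do
        set -- $spec
        printf 'block in log quick on %s proto icmp from any to any icmp-type %s  # %s\n' \
            "$ifc" "$1" "$2"
    done
}

# ipf_service_rules IFACE PORT HOST...
# Equivalent of apply_to for one tcp service: pass the listed hosts
# (or "any"), then block everyone else. "quick" makes first match win.
ipf_service_rules() {
    ifc="$1"; port="$2"; shift 2
    [ -n "$ifc" ] && [ -n "$port" ] && [ $# -gt 0 ] || {
        echo "usage: ipf_service_rules IFACE PORT HOST..." >&2; return 1; }
    for host in "$@"; do
        printf 'pass in quick on %s proto tcp from %s to any port = %s flags S keep state\n' \
            "$ifc" "$host" "$port"
    done
    printf 'block in quick on %s proto tcp from any to any port = %s\n' "$ifc" "$port"
}

# ipf_ruleset IFACE SSH_HOST...
# Full ruleset: ICMP blocks first so they match before the allow-all,
# then the ssh restriction, then the "allow" default policy.
ipf_ruleset() {
    ifc="$1"; shift
    ipf_icmp_block_rules "$ifc" || return 1
    ipf_service_rules "$ifc" 22 "$@" || return 1
    # default policy "allow": anything not matched above gets in
    printf 'pass in on %s all\n' "$ifc"
    printf 'pass out quick on %s all keep state\n' "$ifc"
}

# rule_count RULESET_TEXT VERB -> number of rules starting with VERB
rule_count() {
    printf '%s\n' "$1" | grep -c "^$2 "
}

# Usage (constructed values): ipf_ruleset e1000g0 192.0.2.10 192.0.2.11 > /tmp/ipf.conf.new
```

Run it with `ipf_ruleset e1000g0 192.0.2.10 192.0.2.11` and review the output before copying it into /etc/ipf/ipf.conf; the two `icmp-type` lines are exactly the part that has no firewall_config equivalent, so with the SMF generator driving ipfilter:default those lines still have to come from a hand-maintained file.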
