svc.ipfd man page on SmartOS


SVC.IPFD(1M)							  SVC.IPFD(1M)

NAME
       svc.ipfd - IP Filter firewall monitoring daemon

SYNOPSIS
       /lib/svc/bin/svc.ipfd

       svc:/network/ipfilter:default

DESCRIPTION
       The svc.ipfd daemon monitors actions on services that use firewall
       configuration and initiates updates to those services' IP Filter
       configuration.  The daemon allows the system to react to changes in
       the system's firewall configuration incrementally, at a per-service
       level.

       A service's firewall policy is activated when the service is enabled,
       deactivated when it is disabled, and updated when its configuration
       property group is modified.  svc.ipfd monitors the service management
       facility (SMF) repository for these actions and invokes the IP Filter
       rule-generation process to carry out the service's firewall policy.

       This daemon is started by the network/ipfilter service  either  through
       the  start or refresh method. Thus, the daemon inherits the environment
       variables and credentials from the method and runs  as  root  with  all
       zone privileges.

   Firewall Static Configuration
       A static definition describes a service's network resource
       configuration that is used to generate service-specific IPF rules.
       The per-service firewall_context property group contains a service's
       static definition, similar to the inetd property group in inetd
       managed services.  This property group supports:

       firewall_context/name

           For non-inetd services.  The IANA name or RPC name, equivalent to
           the inetd/name property.

       firewall_context/isrpc

           For non-inetd services.  A boolean property where a true value
           indicates an RPC service, equivalent to the inetd/isrpc property.
           For RPC services, the value of firewall_context/name is not an
           IANA name but is either an RPC program number or name.  See
           rpc(4).

       Additionally, some services may require a mechanism to generate and
       supply their own IPF rules.  An optional property, ipf_method,
       provides a mechanism to allow such custom rule generation:

       firewall_context/ipf_method

           A command.  Normally a script that generates IPF rules for a
           service.  The framework does not generate rules for services with
           this property definition.  Rather, the framework expects these
           services to provide their own rules.

       A service's ipf_method specifies a command that takes an additional
       argument, its own fault management resource identifier (FMRI), and
       generates the service's firewall rules and outputs those rules to
       stdout.  To generate rules for a service with the ipf_method property,
       the framework execs the command specified in ipf_method, passing the
       service FMRI as the additional argument, and stores the rules for that
       service by redirecting the command output, the rules, to the service's
       rule file.  Because an ipf_method is exec'ed from the context of
       either the network/ipfilter start or refresh method process, it
       inherits the execution context and runs as root.

       The service static configuration is delivered by the service developer
       and is not intended to be modified by users.  These properties are
       only modified upon installation of an updated service definition.

   Firewall Policy Configuration
       A per-service property group, firewall_config, stores the service's
       firewall policy configuration.  Because network/ipfilter:default is
       responsible for two firewall policies, the Global Default and Global
       Override system-wide policies (as explained in ipfilter(5)), it has
       two property groups, firewall_config_default and
       firewall_config_override, to store the respective system-wide
       policies.

       Below are the properties, their possible values, and corresponding
       semantics:

       policy

	   The policy has the following modes:

	   none policy mode

               No access restriction.  For a global policy, this mode allows
               all incoming traffic.  For a service policy, this mode allows
               all incoming traffic to its service.

	   deny policy mode

               More restrictive than none.  This mode allows incoming traffic
               from all sources except those specified in the apply_to
               property.

	   allow policy mode

               Most restrictive mode.  This mode blocks incoming traffic from
               all sources except those specified in the apply_to property.

       apply_to

           A multi-value property listing the network entities on which the
           chosen policy mode is enforced.  Entities listed in the apply_to
           property are denied if policy is deny and allowed if policy is
           allow.  The syntax for possible values is:

             host:        host:IP                 "host:192.168.84.14"
             subnet:      network:IP/netmask      "network:129.168.1.5/24"
             ippool:      pool:pool number        "pool:77"
             interface:   if:interface_name       "if:e1000g0"

       exceptions

           A multi-value property listing network entities to be excluded
           from the apply_to list.  For example, when a deny policy is
           applied to a subnet, exceptions can be made for some hosts in
           that subnet by specifying them in the exceptions property.  This
           property has the same value syntax as the apply_to property.

       For individual network services only:

       firewall_config/policy

           A service's policy can also be set to use_global.  Services with
           the use_global policy mode inherit the Global Default firewall
           policy.

       For the Global Default only:

       firewall_config_default/policy

           The Global Default policy, the firewall_config property group in
           svc:/network/ipfilter:default, can also be set to custom.  Users
           can set policy to custom to use a prepopulated IP Filter
           configuration, for example an existing IP Filter configuration or
           a custom configuration that cannot be produced by the framework.
           This Global Default-only policy mode allows users to supply a text
           file containing the complete set of IPF rules.  When custom mode
           is selected, the specified set of IPF rules is taken to be
           complete and the framework will not generate IPF rules from
           configured firewall policies.

       firewall_config_default/custom_policy_file

           A file path to be used when the Global Default policy is set to
           custom.  The file contains a set of IPF rules that provide the
           desired IP Filter configuration.  For example, users with existing
           IPF rules in /etc/ipf/ipf.conf can execute the following commands
           to use the existing rules:

	       1.     Set custom policy:

			# svccfg -s ipfilter:default setprop \
			firewall_config_default/policy = astring: "custom"

	       2.     Specify custom file:

			# svccfg -s ipfilter:default setprop \
			firewall_config_default/custom_policy_file = astring: \
			"/etc/ipf/ipf.conf"

	       3.     Refresh configuration:

			# svcadm refresh ipfilter:default

       firewall_config_default/open_ports

           A non-service program that needs its incoming traffic allowed can
           request that the firewall allow traffic to its communication
           ports.  This multi-value property contains protocol and port(s)
           tuples in the form:

	     "{tcp | udp}:{PORT | PORT-PORT}"

       Initially, the system-wide policies are set to none and network
       services' policies are set to use_global.  Enabling network/ipfilter
       activates the firewall with an empty set of IP Filter rules, since the
       system-wide policy is none and all services inherit that policy.  To
       configure a more restrictive policy, use svccfg(1M) to modify network
       services' and system-wide policies.

       A user configures firewall policy by modifying the service's
       firewall_config property group.  A new authorization,
       solaris.smf.value.firewall.config, is created to allow delegation of
       the firewall administration privilege to users.  Users with Service
       Operator privileges will need this new authorization to be able to
       configure firewall policy.

   Firewall Availability
       During boot, a firewall is configured for enabled services prior to
       the starting of those services.  Thus, services are protected on
       boot.  While the system is running, administrative actions such as
       service restarting, enabling, and refreshing may cause a brief service
       vulnerability during which the service runs while its firewall is
       being configured.

       svc.ipfd monitors a service's start and stop events and configures or
       unconfigures a service's firewall at the same time that SMF is
       starting or stopping the service.  Because the two operations are
       simultaneous, there is a possible window of exposure (less than a
       second) if the service is started before its firewall configuration
       has completed.  RPC services typically listen on ephemeral addresses,
       which are not known until the services are actually running.  Thus
       RPC services are subject to similar exposure, since their firewalls
       are not configured until the services are running.

   Developer Documentation
       Services providing remote capabilities are encouraged to participate
       in the firewall framework to control network access to the service.
       While framework integration is not mandatory, remote access to
       services that are not integrated in the framework may not function
       correctly when a system-wide policy is configured.

       Integrating a service into the framework is as straightforward as
       defining two additional property groups and their corresponding
       properties in the service manifest.  IP Filter rules are generated
       when a user enables the service.  In the non-trivial case of custom
       rule generation, where a shell script is required, there are existing
       scripts that can be used as examples.

       The additional property groups, firewall_config and firewall_context,
       store the firewall policy configuration and provide the static
       firewall definition, respectively.  Below is a summary of the new
       property groups and properties and their appropriate default values.

       Firewall policy configuration:

       firewall_config

           Access to the system is protected by a new authorization
           definition and a user-defined property type.  The new
           authorization should be assigned to the property group's
           value_authorization property in a way such as:

	     <propval name='value_authorization' type='astring'
	     value='solaris.smf.value.firewall.config' />

           A third party should follow the service symbol namespace
           convention to generate a user-defined type.  Sun-delivered
           services can use com.sun,fw_configuration as the property type.

	   See "Firewall Policy Configuration," above, for more information.

       firewall_config/policy

	   This property's initial value should be use_global since  services,
	   by default, inherit the Global Default firewall policy.

       firewall_config/apply_to

	   An empty property, this property has no initial value.

       firewall_config/exceptions

	   An empty property, this property has no initial value.

       Firewall static definition:

       firewall_context

           A third party should follow the service symbol namespace
           convention to generate a user-defined type.  Sun-delivered
           services can use com.sun,fw_definition as the property type.

	   See "Firewall Static Configuration," above, for more information.

       firewall_context/name

           For a service with a well-known, IANA-defined port, which can be
           obtained with getservbyname(3SOCKET), the service's IANA name is
           stored in this property.  For RPC services, the RPC program
           number is stored in this property.

       firewall_context/isrpc

           For RPC services, this property should be created with its value
           set to true.

       firewall_context/ipf_method

           In general, the specified firewall policy is used to generate IP
           Filter rules for the service's communication port, derived from
           the firewall_context/name property.  Services that do not have
           IANA-defined ports and are not RPC services will need to generate
           their own IP Filter rules.  Services that generate their own rules
           may choose not to have the firewall_context/name and
           firewall_context/isrpc properties.  See the following services:

	     svc:/network/ftp:default
	     svc:/network/nfs/server:default
	     svc:/network/ntp:default

	   ...and others with the ipf_method for guidance.
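       The following is an added example, not code from the man page or from
       illumos/SmartOS.  It shows the shape of an ipf_method script: it is
       invoked with the service FMRI, derives rules from the firewall_config
       policy, apply_to and exceptions semantics described above under
       "Firewall Policy Configuration", and writes them to stdout.  The rule
       text the real framework generates is not shown on this page; the
       ipf(1M)-style syntax, the svcprop(1) lookups, and the assumed port
       (tcp 22) are illustrative assumptions.

```sh
#!/bin/sh
# Added example (not from the man page or illumos/SmartOS): an ipf_method-style
# generator that turns a firewall_config policy into IP Filter rules for one
# service port. The rule syntax below is an assumption for illustration.

# rule VERB ENTITY: one rule for $proto/$to, translating the man page's entity
# syntax (host:IP, network:IP/netmask, pool:N, if:name) into IPF clauses.
rule() {
    case "$2" in
        ''|'""')   ;;   # svcprop prints an empty property as ""; nothing to emit
        if:*)      echo "$1 in quick on ${2#if:} proto $proto from any $to" ;;
        host:*)    echo "$1 in quick proto $proto from ${2#host:} $to" ;;
        network:*) echo "$1 in quick proto $proto from ${2#network:} $to" ;;
        pool:*)    echo "$1 in quick proto $proto from pool/${2#pool:} $to" ;;
        *)         echo "unknown entity syntax: $2" >&2; return 1 ;;
    esac
}

# gen_rules POLICY PROTO PORT "APPLY_TO ..." "EXCEPTIONS ..."
#   none  -> pass all incoming traffic to the port
#   deny  -> block the apply_to entities (minus exceptions), pass everyone else
#   allow -> pass the apply_to entities (minus exceptions), block everyone else
gen_rules() {
    proto=$2 to="to any port = $3"
    case "$1" in
        none)  echo "pass in quick proto $proto from any $to"; return 0 ;;
        deny)  listed=block rest=pass ;;
        allow) listed=pass rest=block ;;
        *)     echo "unsupported policy: $1" >&2; return 1 ;;
    esac
    # "quick" stops at the first match, so exceptions must precede the apply_to
    # entities they carve out, and the catch-all rule for everyone else is last.
    for e in $5; do rule "$rest" "$e" || return 1; done
    for e in $4; do rule "$listed" "$e" || return 1; done
    echo "$rest in quick proto $proto from any $to"
}

# Entry point in the form the page describes: the framework execs the
# ipf_method with the service FMRI as its only argument and redirects stdout
# to the service's rule file. The port is assumed (an ipf_method knows the
# port of its own service); properties are read with svcprop(1).
if [ $# -eq 1 ] && command -v svcprop >/dev/null 2>&1; then
    gen_rules "$(svcprop -p firewall_config/policy "$1")" tcp 22 \
        "$(svcprop -p firewall_config/apply_to "$1")" \
        "$(svcprop -p firewall_config/exceptions "$1")"
fi
```

       Running the functions by hand, for example with gen_rules deny tcp 22
       "network:192.168.1.0/24" "host:192.168.1.5", shows how an exception
       host is passed ahead of the blocked subnet.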

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌────────────────────┬─────────────────┐
       │  ATTRIBUTE TYPE    │ ATTRIBUTE VALUE │
       ├────────────────────┼─────────────────┤
       │Interface Stability │ Committed       │
       └────────────────────┴─────────────────┘

SEE ALSO
       svcprop(1), svcs(1), ipf(1M), svcadm(1M), svccfg(1M),
       getservbyname(3SOCKET), rpc(4), attributes(5), ipfilter(5), smf(5)

				 Jan 13, 2009			  SVC.IPFD(1M)