| author | Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> | 2015-02-13 12:46:42 +0100 |
|---|---|---|
| committer | Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> | 2016-01-22 16:23:04 +0100 |
| commit | 7ddce99911fbb5e44b38ac65e991a22e42267ee9 (patch) | |
| tree | 30032e916552c329c83dfc2ccd63042c3c7b7b85 /usr/src | |
| parent | 696be233fd50b992c5f28974cd022f078f832272 (diff) | |
| download | illumos-joyent-7ddce99911fbb5e44b38ac65e991a22e42267ee9.tar.gz | |
6123 SMF ipfilter support needs improvement
Reviewed by: Toomas Soome <tsoome@me.com>
Reviewed by: Attila Fülöp <attila@fueloep.org>
Reviewed by: Cody Mello <melloc@joyent.com>
Approved by: Dan McDonald <danmcd@omniti.com>
Diffstat (limited to 'usr/src')
38 files changed, 1115 insertions, 160 deletions
diff --git a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml index 3a37e51ab2..a6c1901c97 100644 --- a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml +++ b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -127,15 +129,21 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> </instance> - <stability value='Unstable' /> + <stability value='Unstable' /> <template> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml b/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml index dcfab5f69a..a66e18a02e 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -79,8 +81,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/finger.xml b/usr/src/cmd/cmd-inet/usr.sbin/finger.xml index 3fd6e5321c..2c4281d84a 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/finger.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/finger.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -72,8 +74,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml index 22d0f1b4eb..530ec5bda7 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml 
@@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -144,8 +146,11 @@ privileges='basic,proc_owner,proc_fork,proc_exec,proc_info,proc_session,file_cho <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route index 87da8c7386..aa49137cb9 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route +++ b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route @@ -23,6 +23,8 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +# . /lib/svc/share/smf_include.sh . /lib/svc/share/routing_include.sh @@ -51,11 +53,11 @@ create_ipf_rules() uport=`$SERVINFO -p -u -s $iana_name 2>/dev/null` if [ -n "$tport" ]; then - generate_rules $FMRI $policy "tcp" "any" $tport $file + generate_rules $FMRI $policy "tcp" $tport $file fi if [ -n "$uport" ]; then - generate_rules $FMRI $policy "udp" "any" $uport $file + generate_rules $FMRI $policy "udp" $uport $file fi } diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml index a867c40d66..c4d2494095 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml 
@@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -79,8 +81,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/login.xml b/usr/src/cmd/cmd-inet/usr.sbin/login.xml index 4e5f974034..f21084da5f 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/login.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/login.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -73,8 +75,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
@@ -116,8 +124,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> - <propval name='exception_list' type='astring' value='' /> - <propval name='override_list' type='astring' value='' /> + <propval name='block_policy' type='astring' + value='use_global' /> + <propval name='apply_to' type='astring' value='' /> + <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> @@ -161,8 +172,11 @@ remote login with Kerberos authentication <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> - <propval name='exception_list' type='astring' value='' /> - <propval name='override_list' type='astring' value='' /> + <propval name='block_policy' type='astring' + value='use_global' /> + <propval name='apply_to' type='astring' value='' /> + <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml b/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml index 924ced88c4..98f83f3102 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -83,8 +85,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/shell.xml b/usr/src/cmd/cmd-inet/usr.sbin/shell.xml index 30730380a9..b841f99961 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/shell.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/shell.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -98,8 +100,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
@@ -141,8 +149,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml b/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml index 6b0ac5dfa5..a5425c3fc1 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -72,8 +74,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/fs.d/nfs/svc/nfs-server b/usr/src/cmd/fs.d/nfs/svc/nfs-server index 1c7391b8df..11a54fea8a 100644 --- a/usr/src/cmd/fs.d/nfs/svc/nfs-server +++ b/usr/src/cmd/fs.d/nfs/svc/nfs-server 
@@ -21,8 +21,9 @@ # # -# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # # Start/stop processes required for server NFS @@ -47,7 +48,8 @@ zone=`smf_zonename` configure_ipfilter() { ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX` - [ -f "$ipfile" ] && return 0 + ip6file=`fmri_to_file $SMF_FMRI $IPF6_SUFFIX` + [ -f "$ipfile" -a -f "$ip6file" ] && return 0 # # Nothing to do if: @@ -129,20 +131,22 @@ case "$1" in # - nfs/rquota # # The following services are enabled for both nfs client and - # server so we'll treat them as client services and simply - # allow incoming traffic. + # server, if nfs/client is enabled we'll treat them as client + # services and simply allow incoming traffic. # - nfs/status # - nfs/nlockmgr # - nfs/cbd # NFS_FMRI="svc:/network/nfs/server:default" + NFSCLI_FMRI="svc:/network/nfs/client:default" RQUOTA_FMRI="svc:/network/nfs/rquota:default" FMRI=$2 file=`fmri_to_file $FMRI $IPF_SUFFIX` + file6=`fmri_to_file $FMRI $IPF6_SUFFIX` echo "# $FMRI" >$file + echo "# $FMRI" >$file6 policy=`get_policy $NFS_FMRI` - ip="any" # # nfs/server configuration is processed in the start method. 
@@ -157,52 +161,107 @@ case "$1" in nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null` tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null` if [ -n "$tport" ]; then - generate_rules $FMRI $policy "tcp" $ip $tport $file + generate_rules $FMRI $policy "tcp" $tport $file + fi + + tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null` + if [ -n "$tport6" ]; then + generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 fi uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null` if [ -n "$uport" ]; then - generate_rules $FMRI $policy "udp" $ip $uport $file + generate_rules $FMRI $policy "udp" $uport $file fi + uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null` + if [ -n "$uport6" ]; then + generate_rules $FMRI $policy "udp" $uport6 $file6 _6 + fi + + # mountd IPv6 ports are also reachable through IPv4, so include + # them when generating IPv4 rules. tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null` - if [ -n "$tports" ]; then + tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null` + if [ -n "$tports" -o -n "$tports6" ]; then + tports=`unique_ports $tports $tports6` for tport in $tports; do - generate_rules $FMRI $policy "tcp" $ip \ + generate_rules $FMRI $policy "tcp" \ $tport $file done fi + if [ -n "$tports6" ]; then + for tport6 in $tports6; do + generate_rules $FMRI $policy "tcp" \ + $tport6 $file6 _6 + done + fi + uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null` - if [ -n "$uports" ]; then + uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null` + if [ -n "$uports" -o -n "$uports6" ]; then + uports=`unique_ports $uports $uports6` for uport in $uports; do - generate_rules $FMRI $policy "udp" $ip \ + generate_rules $FMRI $policy "udp" \ $uport $file done fi + if [ -n "$uports6" ]; then + for uport6 in $uports6; do + generate_rules $FMRI $policy "udp" \ + $uport6 $file6 _6 + done + fi + elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then iana_name=`svcprop -p inetd/name $FMRI` + # rquota IPv6 ports are also reachable through IPv4, so include + # them when generating IPv4 rules. 
tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` - if [ -n "$tports" ]; then + tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` + if [ -n "$tports" -o -n "$tports6" ]; then + tports=`unique_ports $tports $tports6` for tport in $tports; do generate_rules $NFS_FMRI $policy "tcp" \ - $ip $tport $file + $tport $file + done + fi + + if [ -n "$tports6" ]; then + for tport6 in $tports6; do + generate_rules $NFS_FMRI $policy "tcp" \ + $tport6 $file6 _6 done fi uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` - if [ -n "$uports" ]; then + uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` + if [ -n "$uports" -o -n "$uports6" ]; then + uports=`unique_ports $uports $uports6` for uport in $uports; do generate_rules $NFS_FMRI $policy "udp" \ - $ip $uport $file + $uport $file + done + fi + + if [ -n "$uports6" ]; then + for uport6 in $uports6; do + generate_rules $NFS_FMRI $policy "udp" \ + $uport6 $file6 _6 done fi else # # Handle the client services here # + if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then + policy=none + ip=any + fi + restarter=`svcprop -p general/restarter $FMRI 2>/dev/null` if [ "$restarter" = "$INETDFMRI" ]; then iana_name=`svcprop -p inetd/name $FMRI` 
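Review bot: In the client-services branch the added `ip=any` is dead — `ip="any"` was removed earlier in this file and the new generate_rules calls no longer take an address argument, so the line should be dropped. The same `if service_check_state $NFSCLI_FMRI $SMF_ONLINE` block silently replaces the policy obtained from `get_policy $NFS_FMRI` with `none` for nfs/status, nlockmgr and cbd whenever nfs/client is online, so an administrator who configured a deny policy gets pass rules with no indication why (I am reading `none` as "allow" from the preceding comment; generate_rules itself lives in ipf_include.sh, outside this diff). A comment such as `# nfs/client is online: these shared services must accept incoming traffic, so the configured policy is deliberately overridden with "none"` above the check would make the override visibly intentional, and logging it via the method's usual echo would help the operator. The case arm continues past the end of the hunk.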
@@ -214,24 +273,41 @@ case "$1" in if [ "$isrpc" = "true" ]; then tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` + tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` + uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` else tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null` + tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null` uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null` + uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null` fi - if [ -n "$tports" ]; then + # IPv6 ports are also reachable through IPv4, so include + # them when generating IPv4 rules. + if [ -n "$tports" -o -n "$tports6" ]; then + tports=`unique_ports $tports $tports6` for tport in $tports; do - echo "pass in log quick proto tcp from any" \ - "to any port = ${tport} flags S " \ - "keep state" >>${file} + generate_rules $FMRI $policy "tcp" $tport $file + done + fi + + if [ -n "$tports6" ]; then + for tport6 in $tports6; do + generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 done fi - if [ -n "$uports" ]; then + if [ -n "$uports" -o -n "$uports6" ]; then + uports=`unique_ports $uports $uports6` for uport in $uports; do - echo "pass in log quick proto udp from any" \ - "to any port = ${uport}" >>${file} + generate_rules $FMRI $policy "udp" $uport $file + done + fi + + if [ -n "$uports6" ]; then + for uport6 in $uports6; do + generate_rules $FMRI $policy "udp" $uport6 $file6 _6 done fi fi diff --git a/usr/src/cmd/fs.d/nfs/svc/rquota.xml b/usr/src/cmd/fs.d/nfs/svc/rquota.xml index 08fad0b16f..1f7e6554f3 100644 --- a/usr/src/cmd/fs.d/nfs/svc/rquota.xml +++ b/usr/src/cmd/fs.d/nfs/svc/rquota.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -90,10 +92,22 @@ <propval name='wait' type='boolean' value='true' /> </property_group> + <property_group name='firewall_context' type='com.sun,fw_definition'> + <propval name='name' type='astring' value='rquotad' /> + <propval name='ipf_method' type='astring' + value='/lib/svc/method/nfs-server ipfilter' /> + </property_group> + <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/fs.d/nfs/svc/server.xml b/usr/src/cmd/fs.d/nfs/svc/server.xml index 3faffa1457..c963a01fcf 100644 --- a/usr/src/cmd/fs.d/nfs/svc/server.xml +++ b/usr/src/cmd/fs.d/nfs/svc/server.xml @@ -22,7 +22,8 @@ CDDL HEADER END Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. - Copyright 2014 Nexenta Systems, Inc. All rights reserved. + Copyright 2014 Nexenta Systems, Inc. All rights reserved + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including 
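Review bot: The new `firewall_context` group sends rquota rule generation through `/lib/svc/method/nfs-server ipfilter`, but that method's rquota branch (in the nfs-server hunk of this same change) calls `generate_rules $NFS_FMRI $policy ...` with `policy` taken from `get_policy $NFS_FMRI`, so the `firewall_config` group added here — policy, block_policy, apply_to, exceptions, target and their `_6` variants — appears never to be consulted. An administrator setting a deny policy on nfs/rquota would then silently get nfs/server's policy instead. Either generate the rquota rules under `$FMRI` so its own configuration applies, or say so in the manifest, e.g. `<!-- rquota rules are generated with the nfs/server firewall policy; these values are placeholders -->`. generate_rules is defined in ipf_include.sh, which is not shown in this diff.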
@@ -153,8 +154,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/ipf/svc/ipfilter b/usr/src/cmd/ipf/svc/ipfilter index 6be1eeb7cc..2e6f2189f6 100644 --- a/usr/src/cmd/ipf/svc/ipfilter +++ b/usr/src/cmd/ipf/svc/ipfilter @@ -23,6 +23,8 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +# . /lib/svc/share/smf_include.sh . /lib/svc/share/ipf_include.sh @@ -48,6 +50,7 @@ logmsg() load_ipf() { bad=0 ipf -IFa + ipf -6IFa for file in $IPFILOVRCONF $CONF_FILES $IPFILCONF; do if [ -r ${file} ]; then @@ -60,13 +63,16 @@ load_ipf() { fi done - if [ -r ${IP6FILCONF} ]; then - ipf -6IFa -f ${IP6FILCONF} - if [ $? != 0 ]; then - echo "$0: load of ${IP6FILCONF} into alternate set failed" - bad=1 + for file in $IP6FILOVRCONF $CONF6_FILES $IP6FILCONF; do + if [ -r ${file} ]; then + ipf -6I -f ${file} + if [ $? != 0 ]; then + echo "$0: load of ${file} into alternate set failed" + bad=1 + fi fi - fi + done + if [ $bad -eq 0 ] ; then ipf -s -y return 0 diff --git a/usr/src/cmd/ipf/svc/ipfilter.xml b/usr/src/cmd/ipf/svc/ipfilter.xml index 4729deb085..e4a70405c1 100644 --- a/usr/src/cmd/ipf/svc/ipfilter.xml +++ b/usr/src/cmd/ipf/svc/ipfilter.xml 
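Review bot: The new IPv6 loop in load_ipf, like the IPv4 loop above it, skips any file that fails `-r` without a message, so an `${IP6FILCONF}` that exists but is unreadable (a permissions mistake, for instance) leaves `bad` at 0 and `ipf -s -y` swaps in an alternate set that the added `ipf -6IFa` just flushed and that is now missing those rules. Since a missing rule file changes what the firewall enforces, a present-but-unreadable file is better treated as a load failure: `elif [ -e ${file} ]; then echo "$0: cannot read ${file}"; bad=1; fi`. The IPv4 loop has the same behaviour, though that predates this change. The tail of load_ipf (the `ipf -s -y` swap and return) lies outside the hunk.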
@@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> CDDL HEADER START @@ -103,9 +104,15 @@ <property_group name='firewall_config_default' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='none' /> + <propval name='block_policy' type='astring' + value='none' /> <propval name='custom_policy_file' type='astring' value='' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='open_ports' type='astring' value='' /> <propval name='version' type='count' value='0' /> <propval name='value_authorization' type='astring' @@ -115,7 +122,10 @@ <property_group name='firewall_config_override' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='none' /> + <propval name='block_policy' type='astring' + value='none' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
@@ -209,6 +219,47 @@ Apply the custom ipfilter configuration stored in a custom file (custom file pro <include_values type='values'/> </choices> </prop_pattern> + <prop_pattern name='block_policy' type='astring' + required='false'> + <common_name> + <loctext xml:lang='C'> +Firewall block policy + </loctext> + </common_name> + <description> + <loctext xml:lang='C'> +Service firewall block policy. + </loctext> + </description> + <visibility value='readwrite'/> + <cardinality min='1' max='1'/> + <values> + <value name='use_global'> + <description> + <loctext xml:lang='C'> +Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value. + </loctext> + </description> + </value> + <value name='none'> + <description> + <loctext xml:lang='C'> +Block by dropping packets. + </loctext> + </description> + </value> + <value name='return'> + <description> + <loctext xml:lang='C'> +Block by returning RST or ICMP messages. + </loctext> + </description> + </value> + </values> + <choices> + <include_values type='values'/> + </choices> + </prop_pattern> <prop_pattern name="apply_to" type="astring" required="false"> <common_name> 
@@ -218,7 +269,20 @@ Apply policy to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="apply_to_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> 
@@ -231,7 +295,46 @@ Make exceptions to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="exceptions_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Make exceptions to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addressess, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv4 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv6 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> 
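Review bot: The last prop_pattern in this hunk is named `target6`, while every manifest in this change and the `firewall_config_default` group in this file define the property as `target_6`; the template therefore describes a property that is never set and leaves `target_6` without a pattern, so template validation of the IPv6 target will not match up. Change it to `<prop_pattern name="target_6" type="astring"`. Separately, `target`, `target6` and `apply_to` all carry the common_name `Apply policy to`, which makes them indistinguishable in any tooling that displays templates — something like `Apply policy to destinations (IPv4)` and `(IPv6)` would help. `addressess` in the exceptions_6 description is a typo.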
@@ -321,6 +424,47 @@ Allow access to entities specified in 'apply_to' property. <include_values type='values'/> </choices> </prop_pattern> + <prop_pattern name='block_policy' type='astring' + required='false'> + <common_name> + <loctext xml:lang='C'> +Firewall block policy + </loctext> + </common_name> + <description> + <loctext xml:lang='C'> +Service firewall block policy. + </loctext> + </description> + <visibility value='readwrite'/> + <cardinality min='1' max='1'/> + <values> + <value name='use_global'> + <description> + <loctext xml:lang='C'> +Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value. + </loctext> + </description> + </value> + <value name='none'> + <description> + <loctext xml:lang='C'> +Block by dropping packets. + </loctext> + </description> + </value> + <value name='return'> + <description> + <loctext xml:lang='C'> +Block by returning RST or ICMP messages. + </loctext> + </description> + </value> + </values> + <choices> + <include_values type='values'/> + </choices> + </prop_pattern> <prop_pattern name="apply_to" type="astring" required="false"> <common_name> diff --git a/usr/src/cmd/lp/cmd/lpsched/print-svc b/usr/src/cmd/lp/cmd/lpsched/print-svc index ff6599faf9..49b082f9a6 100644 --- a/usr/src/cmd/lp/cmd/lpsched/print-svc +++ b/usr/src/cmd/lp/cmd/lpsched/print-svc @@ -23,6 +23,7 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # . /lib/svc/share/smf_include.sh 
@@ -121,23 +122,27 @@ fi IPP_FMRI="svc:/application/print/ipp-listener:default" RFC1179_FMRI="svc:/application/print/rfc1179:default" IPP_CONF=/etc/lp/ipp/httpd-standalone-ipp.conf - ip="any" policy=`get_policy $FMRI` file=`fmri_to_file $RFC1179_FMRI $IPF_SUFFIX` + file6=`fmri_to_file $RFC1179_FMRI $IPF6_SUFFIX` echo "# $RFC1179_FMRI" >$file + echo "# $RFC1179_FMRI" >$file6 service_is_enabled ${RFC1179_FMRI} if [ $? -eq 0 ]; then rfc_name=`svcprop -p inetd/name ${RFC1179_FMRI} 2>/dev/null` rfc_proto=`svcprop -p inetd/proto ${RFC1179_FMRI} 2>/dev/null | \ sed 's/6/ /'` rfc_port=`$SERVINFO -p -t -s $rfc_name` - generate_rules $FMRI $policy $rfc_proto $ip $rfc_port $file + generate_rules $FMRI $policy $rfc_proto $rfc_port $file + generate_rules $FMRI $policy $rfc_proto $rfc_port $file6 _6 fi file=`fmri_to_file $IPP_FMRI $IPF_SUFFIX` + file6=`fmri_to_file $IPP_FMRI $IPF6_SUFFIX` echo "# $IPP_FMRI" >$file + echo "# $IPP_FMRI" >$file6 service_is_enabled ${IPP_FMRI} if [ $? -eq 0 ]; then # @@ -153,7 +158,8 @@ fi fi for port in $ipp_ports; do - generate_rules $FMRI $policy "tcp" $ip $port $file + generate_rules $FMRI $policy "tcp" $port $file + generate_rules $FMRI $policy "tcp" $port $file6 _6 done fi diff --git a/usr/src/cmd/lp/cmd/lpsched/server.xml b/usr/src/cmd/lp/cmd/lpsched/server.xml index 790355f873..d8df778cd9 100644 --- a/usr/src/cmd/lp/cmd/lpsched/server.xml +++ b/usr/src/cmd/lp/cmd/lpsched/server.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -112,8 +114,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml b/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml index a59ca4b2e6..5c9762edf7 100644 --- a/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml +++ b/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. @@ -90,8 +91,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.metad/meta.xml b/usr/src/cmd/lvm/rpc.metad/meta.xml index 9d940bd2d1..83840692a2 100644 
--- a/usr/src/cmd/lvm/rpc.metad/meta.xml +++ b/usr/src/cmd/lvm/rpc.metad/meta.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. @@ -89,8 +90,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.metamedd/metamed.xml b/usr/src/cmd/lvm/rpc.metamedd/metamed.xml index 2c8be3a6c7..8fc3a6c530 100644 --- a/usr/src/cmd/lvm/rpc.metamedd/metamed.xml +++ b/usr/src/cmd/lvm/rpc.metamedd/metamed.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. 
@@ -89,8 +90,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.metamhd/metamh.xml b/usr/src/cmd/lvm/rpc.metamhd/metamh.xml index 40b7f950f7..952a59064d 100644 --- a/usr/src/cmd/lvm/rpc.metamhd/metamh.xml +++ b/usr/src/cmd/lvm/rpc.metamhd/metamh.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. @@ -89,8 +90,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rexd/rex.xml b/usr/src/cmd/rexd/rex.xml index 8d3e77ffb0..8b9843328d 100644 --- a/usr/src/cmd/rexd/rex.xml 
+++ b/usr/src/cmd/rexd/rex.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -89,8 +91,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcbind/bind.xml b/usr/src/cmd/rpcbind/bind.xml index fca29c8993..c1f264e5f4 100644 --- a/usr/src/cmd/rpcbind/bind.xml +++ b/usr/src/cmd/rpcbind/bind.xml @@ -21,6 +21,7 @@ CDDL HEADER END + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2015 Nexenta Systems, Inc. All rights reserved. Copyright 2014 OmniTI Computer Consulting, Inc. All rights reserved. Copyright 2009 Sun Microsystems, Inc. All rights reserved. 
@@ -191,8 +192,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml b/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml index c372d710b0..0fd6257a73 100644 --- a/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml +++ b/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -92,11 +94,17 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> - </property_group> + </property_group> <stability value='Unstable' /> diff --git a/usr/src/cmd/rpcsvc/rstat.xml b/usr/src/cmd/rpcsvc/rstat.xml index cd60e85df7..7d3676eca7 100644 
--- a/usr/src/cmd/rpcsvc/rstat.xml +++ b/usr/src/cmd/rpcsvc/rstat.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -90,8 +92,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/rusers.xml b/usr/src/cmd/rpcsvc/rusers.xml index eb3ab91ccd..c033136ac4 100644 --- a/usr/src/cmd/rpcsvc/rusers.xml +++ b/usr/src/cmd/rpcsvc/rusers.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -94,8 +96,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/spray.xml b/usr/src/cmd/rpcsvc/spray.xml index 2b8bb3fe5b..03f886b05e 100644 --- a/usr/src/cmd/rpcsvc/spray.xml +++ b/usr/src/cmd/rpcsvc/spray.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -90,8 +92,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/wall.xml b/usr/src/cmd/rpcsvc/wall.xml index 835eafe117..acf23ede82 100644 --- a/usr/src/cmd/rpcsvc/wall.xml +++ b/usr/src/cmd/rpcsvc/wall.xml 
@@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -90,8 +92,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/sendmail/lib/smtp-sendmail.xml b/usr/src/cmd/sendmail/lib/smtp-sendmail.xml index c19403e568..168d98b4c1 100644 --- a/usr/src/cmd/sendmail/lib/smtp-sendmail.xml +++ b/usr/src/cmd/sendmail/lib/smtp-sendmail.xml @@ -23,6 +23,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different 
@@ -84,8 +86,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/smbsrv/smbd/server.xml b/usr/src/cmd/smbsrv/smbd/server.xml index 3364a193f3..875d6d3bc0 100644 --- a/usr/src/cmd/smbsrv/smbd/server.xml +++ b/usr/src/cmd/smbsrv/smbd/server.xml @@ -23,6 +23,7 @@ CDDL HEADER END Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. Copyright 2015 Nexenta Systems, Inc. All rights reserved. +Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including @@ -126,8 +127,14 @@ file. <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
diff --git a/usr/src/cmd/smbsrv/smbd/svc-smbd b/usr/src/cmd/smbsrv/smbd/svc-smbd
index 175d2749d7..e6d4b89a23 100644
--- a/usr/src/cmd/smbsrv/smbd/svc-smbd
+++ b/usr/src/cmd/smbsrv/smbd/svc-smbd
@@ -22,6 +22,8 @@
 # Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 # Use is subject to license terms.
 #
+# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
+#
 # Scripts that generate IPfilter rules for SMB server
@@ -32,7 +34,7 @@ create_ipf_rules()
 {
 FMRI=$1
 file=`fmri_to_file $FMRI $IPF_SUFFIX`
- ip=any
+ file6=`fmri_to_file $FMRI $IPF6_SUFFIX`
 policy=`get_policy ${FMRI}`
 iana_names="microsoft-ds netbios-ns netbios-dgm netbios-ssn"
@@ -40,13 +42,16 @@ create_ipf_rules()
 # Enforce policy on each port
 #
 echo "# $FMRI" >$file
+ echo "# $FMRI" >$file6
 for name in $iana_names; do
 port=`$SERVINFO -p -s $name 2>/dev/null`
 if [ -z "$port" ]; then continue; fi
- generate_rules $FMRI $policy "tcp" $ip $port $file
- generate_rules $FMRI $policy "udp" $ip $port $file
+ generate_rules $FMRI $policy "tcp" $port $file
+ generate_rules $FMRI $policy "tcp" $port $file6 _6
+ generate_rules $FMRI $policy "udp" $port $file
+ generate_rules $FMRI $policy "udp" $port $file6 _6
 done
 }
diff --git a/usr/src/cmd/ssh/etc/ssh.xml b/usr/src/cmd/ssh/etc/ssh.xml
index 3a08195ff1..f5fb471669 100644
--- a/usr/src/cmd/ssh/etc/ssh.xml
+++ b/usr/src/cmd/ssh/etc/ssh.xml
@@ -23,6 +23,8 @@
 Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 Use is subject to license terms.
+ Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
+
 NOTE: This service manifest is not editable; its contents will
 be overwritten by package or patch operations, including
 operating system upgrade. Make customizations in a different
@@ -145,8 +147,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/ssh/etc/sshd b/usr/src/cmd/ssh/etc/sshd index 10f539251d..d52b1afd25 100644 --- a/usr/src/cmd/ssh/etc/sshd +++ b/usr/src/cmd/ssh/etc/sshd @@ -3,6 +3,8 @@ # Copyright 2010 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +# . /lib/svc/share/ipf_include.sh . /lib/svc/share/smf_include.sh @@ -49,6 +51,7 @@ create_ipf_rules() { FMRI=$1 ipf_file=`fmri_to_file ${FMRI} $IPF_SUFFIX` + ipf6_file=`fmri_to_file ${FMRI} $IPF6_SUFFIX` policy=`get_policy ${FMRI}` # @@ -58,8 +61,10 @@ create_ipf_rules() awk '{print $2}'` echo "# $FMRI" >$ipf_file + echo "# $FMRI" >$ipf6_file for port in $tports; do - generate_rules $FMRI $policy "tcp" "any" $port $ipf_file + generate_rules $FMRI $policy "tcp" $port $ipf_file + generate_rules $FMRI $policy "tcp" $port $ipf6_file _6 done } diff --git a/usr/src/cmd/svc/milestone/global.xml b/usr/src/cmd/svc/milestone/global.xml index b1fca9b3cf..dd65d9fed2 100644 --- a/usr/src/cmd/svc/milestone/global.xml +++ b/usr/src/cmd/svc/milestone/global.xml 
@@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> CDDL HEADER START @@ -730,6 +731,47 @@ Allow access to entities specified in 'apply_to' property. <include_values type='values'/> </choices> </prop_pattern> + <prop_pattern name='block_policy' type='astring' + required='false'> + <common_name> + <loctext xml:lang='C'> +Firewall block policy + </loctext> + </common_name> + <description> + <loctext xml:lang='C'> +Service firewall block policy. + </loctext> + </description> + <visibility value='readwrite'/> + <cardinality min='1' max='1'/> + <values> + <value name='use_global'> + <description> + <loctext xml:lang='C'> +Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value. + </loctext> + </description> + </value> + <value name='none'> + <description> + <loctext xml:lang='C'> +Block by dropping packets. + </loctext> + </description> + </value> + <value name='return'> + <description> + <loctext xml:lang='C'> +Block by returning RST or ICMP messages. + </loctext> + </description> + </value> + </values> + <choices> + <include_values type='values'/> + </choices> + </prop_pattern> <prop_pattern name="apply_to" type="astring" required="false"> <common_name> 
@@ -739,7 +781,20 @@ Apply policy to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="apply_to_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> 
@@ -752,7 +807,46 @@ Make exceptions to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="exceptions_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Make exceptions to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addressess, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv4 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv6 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> diff --git a/usr/src/cmd/svc/shell/ipf_include.sh b/usr/src/cmd/svc/shell/ipf_include.sh index ac159b6946..bb41e2ac49 100644 --- a/usr/src/cmd/svc/shell/ipf_include.sh +++ b/usr/src/cmd/svc/shell/ipf_include.sh 
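Review bot: The last prop_pattern in this hunk is named `target6`, while every manifest in this commit and `TARGET_6_PROP="target_6"` in ipf_include.sh use `target_6`, so the template will not describe the property that is actually set; change it to `<prop_pattern name="target_6" type="astring"`. The `exceptions_6` description also carries a typo, `addressess`. All four new patterns reuse the common_name `Apply policy to` / `Make exceptions to`, which makes `target`/`target_6` indistinguishable from `apply_to`/`apply_to_6` in any tool that shows only common names; `Apply policy to destination` (IPv4/IPv6) would tell them apart.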
@@ -20,15 +20,11 @@
 # CDDL HEADER END
 #
 # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
 #
 IPFILTER_FMRI="svc:/network/ipfilter:default"
 ETC_IPF_DIR=/etc/ipf
-IP6FILCONF=`/usr/bin/svcprop -p config/ipf6_config_file $IPFILTER_FMRI \
- 2>/dev/null`
-if [ $? -eq 1 ]; then
- IP6FILCONF=$ETC_IPF_DIR/ipf6.conf
-fi
 IPNATCONF=`/usr/bin/svcprop -p config/ipnat_config_file $IPFILTER_FMRI \
 2>/dev/null`
 if [ $? -eq 1 ]; then
@@ -41,11 +37,15 @@ if [ $? -eq 1 ]; then
 fi
 VAR_IPF_DIR=/var/run/ipf
 IPFILCONF=$VAR_IPF_DIR/ipf.conf
+IP6FILCONF=$VAR_IPF_DIR/ipf6.conf
 IPFILOVRCONF=$VAR_IPF_DIR/ipf_ovr.conf
+IP6FILOVRCONF=$VAR_IPF_DIR/ipf6_ovr.conf
 IPF_LOCK=/var/run/ipflock
 CONF_FILES=""
+CONF6_FILES=""
 NAT_FILES=""
 IPF_SUFFIX=".ipf"
+IPF6_SUFFIX=".ipf6"
 NAT_SUFFIX=".nat"
 # version for configuration upgrades
@@ -65,11 +65,17 @@ METHOD_PROP="ipf_method"
 FW_CONFIG_PG="firewall_config"
 POLICY_PROP="policy"
 APPLY2_PROP="apply_to"
+APPLY2_6_PROP="apply_to_6"
 EXCEPTIONS_PROP="exceptions"
+EXCEPTIONS_6_PROP="exceptions_6"
+TARGET_PROP="target"
+TARGET_6_PROP="target_6"
+BLOCKPOL_PROP="block_policy"
 FW_CONFIG_DEF_PG="firewall_config_default"
 FW_CONFIG_OVR_PG="firewall_config_override"
 CUSTOM_FILE_PROP="custom_policy_file"
+CUSTOM_FILE_6_PROP="custom_policy_file_6"
 OPEN_PORTS_PROP="open_ports"
 PREFIX_HOST="host:"
@@ -79,6 +85,7 @@ PREFIX_IF="if:"
 GLOBAL_CONFIG=""
 GLOBAL_POLICY=""
+GLOBAL_BLOCK_POLICY=""
 SERVINFO=/usr/lib/servinfo
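Review bot: IP6FILCONF is now fixed to `$VAR_IPF_DIR/ipf6.conf` and the `config/ipf6_config_file` lookup is removed, mirroring how IPFILCONF is already handled, but an installation that set that property (or relied on `/etc/ipf/ipf6.conf` being loaded directly) will have it silently ignored after this change unless the configuration-upgrade path keyed on the version constant just below this hunk migrates it to the new `custom_policy_file_6` property. That migration, if it exists, lives in the ipfilter method script outside this chunk and is worth confirming. A comment next to the new assignment would record the intent: `# IPv6 rules are assembled into IP6FILCONF; a site-supplied file is referenced via custom_policy_file_6 (config/ipf6_config_file is no longer read)`.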
@@ -129,10 +136,11 @@ global_get_prop_value()
 # service method, it's best to read all relevant configuration via one svcprop
 # invocation and cache it for later use.
 #
-# This function reads and store relevant configuration into GLOBAL_CONFIG and
-# initializes GLOBAL_POLICY variable. GLOBAL_CONFIG is a string containing pg/prop
-# and their corresponding values (i.e. svcprop -p pg fmri output). To get values
-# for a certain pg/prop, use global_get_prop_value().
+# This function reads and stores relevant configuration into GLOBAL_CONFIG and
+# initializes the GLOBAL_POLICY and GLOBAL_BLOCK_POLICY variables. GLOBAL_CONFIG
+# is a string containing pg/prop and their corresponding values (i.e. svcprop -p
+# pg fmri output). To get values for a certain pg/prop, use
+# global_get_prop_value().
 #
 global_init()
 {
@@ -140,6 +148,8 @@ global_init()
 $IPF_FMRI 2>/dev/null | awk '{$2=" "; print $0}'`
 GLOBAL_POLICY=`global_get_prop_value $FW_CONFIG_DEF_PG $POLICY_PROP`
+ GLOBAL_BLOCK_POLICY=`global_get_prop_value $FW_CONFIG_DEF_PG \
+ $BLOCKPOL_PROP`
 }
 #
@@ -165,21 +175,76 @@ get_policy()
 }
 #
-# Given a service, gets its firewall policy
+# block policy can be set to "return", which will expand into
+# separate block rules for tcp (block return-rst ...) and all other
+# protocols (block return-icmp-as-dest ...)
+#
+get_block_policy()
+{
+ config_pg=`get_config_pg $1`
+ svcprop -p $config_pg/${BLOCKPOL_PROP} $1 2>/dev/null
+}
+
+#
+# Given a service, gets its source address exceptions for IPv4
 #
 get_exceptions()
 {
 config_pg=`get_config_pg $1`
- svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 2>/dev/null
+ exceptions=`svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 2>/dev/null`
+ echo $exceptions | sed -e 's/\\//g'
 }
 #
-# Given a service, gets its firewall policy
+# Given a service, gets its source address exceptions for IPv6
+#
+get_exceptions_6()
+{
+ config_pg=`get_config_pg $1`
+ exceptions6=`svcprop -p $config_pg/${EXCEPTIONS_6_PROP} $1 2>/dev/null`
+ echo $exceptions6 | sed -e 's/\\//g'
+}
+
+#
+# Given a service, gets its firewalled source addresses for IPv4
 #
 get_apply2_list()
 {
 config_pg=`get_config_pg $1`
- svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null
+ apply2=`svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null`
+ echo $apply2 | sed -e 's/\\//g'
+}
+
+#
+# Given a service, gets its firewalled source addresses for IPv6
+#
+get_apply2_6_list()
+{
+ config_pg=`get_config_pg $1`
+ apply2_6=`svcprop -p $config_pg/${APPLY2_6_PROP} $1 2>/dev/null`
+ echo $apply2_6 | sed -e 's/\\//g'
+}
+
+#
+# Given a service, gets its firewalled target addresses for IPv4
+#
+get_target_list()
+{
+ config_pg=`get_config_pg $1`
+ target=`svcprop -p $config_pg/${TARGET_PROP} $1 2>/dev/null`
+ [ -z "$target" -o "$target" = '""' ] && target=any
+ echo $target | sed -e 's/\\//g'
+}
+
+#
+# Given a service, gets its firewalled target addresses for IPv6
+#
+get_target_6_list()
+{
+ config_pg=`get_config_pg $1`
+ target6=`svcprop -p $config_pg/${TARGET_6_PROP} $1 2>/dev/null`
+ [ -z "$target6" -o "$target6" = '""' ] && target6=any
+ echo 
$target6 | sed -e 's/\\//g'
 }
 check_ipf_dir()
@@ -244,15 +309,16 @@ service_check_state()
 get_IP()
 {
 value_is_interface $1 && return 1
- echo "$1" | sed -n -e 's,^pool:\(.*\),pool/\1,p' \
- -e 's,^host:\(.*\),\1,p' \
- -e 's,^network:\(.*\),\1,p'
+ echo "$1" | sed -n -e "s,^${PREFIX_POOL}\(.*\),pool/\1,p" \
+ -e "s,^${PREFIX_HOST}\(.*\),\1,p" \
+ -e "s,^${PREFIX_NET}\(.*\),\1,p" \
+ -e "s,^any,any,p"
 }
 get_interface()
 {
 value_is_interface $1 || return 1
- scratch=`echo "$1" | sed -e 's/^if://'`
+ scratch=`echo "$1" | sed -e "s/^${PREFIX_IF}//"`
 ifconfig $scratch >/dev/null 2>&1 || return 1
 echo $scratch | sed -e 's/:.*//'
@@ -264,7 +330,7 @@ get_interface()
 value_is_interface()
 {
 [ -z "$1" ] && return 1
- echo $1 | grep "^if:" >/dev/null 2>&1
+ echo $1 | grep "^${PREFIX_IF}" >/dev/null 2>&1
 }
 #
@@ -272,7 +338,7 @@ value_is_interface()
 #
 remove_rules()
 {
- [ -f "$1" ] && ipf -r -f $1 >/dev/null 2>&1
+ [ -f "$1" ] && ipf $2 -r -f $1 >/dev/null 2>&1
 }
 remove_nat_rules()
@@ -282,7 +348,7 @@ remove_nat_rules()
 check_ipf_syntax()
 {
- ipf -n -f $1 >/dev/null 2>&1
+ ipf $2 -n -f $1 >/dev/null 2>&1
 }
 check_nat_syntax()
@@ -290,16 +356,21 @@ check_nat_syntax()
 ipnat -n -f $1 >/dev/null 2>&1
 }
+unique_ports()
+{
+ echo $* | xargs -n 1 echo | sort -u
+}
+
 file_get_ports()
 {
- ipf -n -v -f $1 2>/dev/null | sed -n -e \
+ ipf $2 -n -v -f $1 2>/dev/null | sed -n -e \
 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \
 awk '{if (length($0) > 1) {printf("%s ", $1)}}'
 }
 get_active_ports()
 {
- ipfstat -io 2>/dev/null | sed -n -e \
+ ipfstat $1 -io 2>/dev/null | sed -n -e \
 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \
 awk '{if (length($0) > 1) {printf("%s ",$1)}}'
 }
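Review bot: The new getters pipe the svcprop value through `sed -e 's/\\//g'` without saying why, and the two target getters fold an unset or `""` value to `any` while the apply_to and exceptions getters return it unchanged; a reader of generate_rules() needs both facts to follow the rule output. Suggested comment above get_exceptions(): `# svcprop escapes list separators with backslashes (confirm against its output); strip them so the value word-splits into one entry per address or interface`, and above get_target_list(): `# An unset target means every local address, so default to "any"`. This hunk begins on the previous line of the chunk; the get_policy() body it follows is outside the hunk.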
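Review bot: The added `-e "s,^any,any,p"` in get_IP() anchors only the prefix, so any value beginning with `any` (for example `anything`) is printed unchanged and becomes the destination in a generated rule; anchor both ends, `-e "s,^any$,any,p"`. This matters more now that get_target_list() returns `any` by default and administrator-supplied target values flow through this function, since a malformed value would otherwise reach the rule file and, presumably, be caught only by check_ipf_syntax() later. Switching the pool/host/network patterns to the PREFIX_* variables is a good consistency fix.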
@@ -330,42 +401,51 @@ sets_check_duplicate() # update_check_ipf_rules() { - check_ipf_syntax $1 || return 1 + check_ipf_syntax $1 $2 || return 1 - lports=`file_get_ports $1` - lactive_ports=`get_active_ports` + lports=`file_get_ports $1 $2` + lactive_ports=`get_active_ports $2` sets_check_duplicate "$lports" "$lactive_ports" || return 1 } server_port_list="" +server_port_list_6="" # # Given a file containing ipf rules, check the syntax and verify # the rules don't conflict with already processed services. # # The list of processed services' ports are maintained in the global -# variable 'server_port_list'. +# variables 'server_port_list' and 'server_port_list_6'. # check_ipf_rules() { - check_ipf_syntax $1 || return 1 - lports=`file_get_ports $1` - sets_check_duplicate "$lports" "$server_port_list" || return 1 - server_port_list="$server_port_list $lports" + check_ipf_syntax $1 $2 || return 1 + + lports=`file_get_ports $1 $2` + + if [ "$2" = "-6" ]; then + sets_check_duplicate "$lports" "$server_port_list_6" || return 1 + server_port_list_6="$server_port_list_6 $lports" + else + sets_check_duplicate "$lports" "$server_port_list" || return 1 + server_port_list="$server_port_list $lports" + fi + return 0 } prepend_new_rules() { - check_ipf_syntax $1 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \ - ipf -f - >/dev/null 2>&1 + check_ipf_syntax $1 $2 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \ + ipf $2 -f - >/dev/null 2>&1 } append_new_rules() { - check_ipf_syntax $1 && ipf -f $1 >/dev/null 2>&1 + check_ipf_syntax $1 $2 && ipf $2 -f $1 >/dev/null 2>&1 } append_new_nat_rules() @@ -494,7 +574,6 @@ replace_file() process_server_svc() { service=$1 - ip="any" policy=`get_policy ${service}` # @@ -502,8 +581,10 @@ process_server_svc() # we fail here. # file=`fmri_to_file $service $IPF_SUFFIX` + file6=`fmri_to_file $service $IPF6_SUFFIX` [ -z "$file" ] && return 1 echo "# $service" >${file} + echo "# $service" >${file6} # # Nothing to do if policy is "use_global" 
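Review bot: process_server_svc() checks only `$file` before writing, while the new `file6` is written to unconditionally two lines later; if fmri_to_file returns nothing for the IPv6 name, the `>${file6}` redirect fails with a shell redirection error instead of the clean `return 1` the IPv4 path gets. Change the guard to `[ -z "$file" -o -z "$file6" ] && return 1` and keep it before either `echo`. The same unguarded `>$file6` pattern appears in the svc-smbd, sshd and print-svc method scripts earlier in this commit, although those did not guard `$file` either. The function body continues outside this hunk.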
@@ -530,19 +611,39 @@ process_server_svc()
 # RPC services
 #
 if [ "$isrpc" = "true" ]; then
+ # The ports used for IPv6 are usually also reachable
+ # through IPv4, so generate IPv4 rules for them, too.
 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
- if [ -n "$tports" ]; then
+ tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
+ if [ -n "$tports" -o -n "$tports6" ]; then
+ tports=`unique_ports $tports $tports6`
 for tport in $tports; do
 generate_rules $service $policy "tcp" \
- $ip $tport $file
+ $tport $file
+ done
+ fi
+
+ if [ -n "$tports6" ]; then
+ for tport6 in $tports6; do
+ generate_rules $service $policy "tcp" \
+ $tport6 $file6 _6
 done
 fi
 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
+ uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
 if [ -n "$uports" ]; then
+ uports=`unique_ports $uports $uports6`
 for uport in $uports; do
 generate_rules $service $policy "udp" \
- $ip $uport $file
+ $uport $file
+ done
+ fi
+
+ if [ -n "$uports6" ]; then
+ for uport6 in $uports6; do
+ generate_rules $service $policy "udp" \
+ $uport6 $file6 _6
 done
 fi
@@ -551,16 +652,25 @@ process_server_svc()
 #
 # Get the IANA port and supported protocols(tcp and udp)
- # No support for IPv6 at this point.
 #
 tport=`$SERVINFO -p -t -s $iana_name 2>&1`
 if [ $? -eq 0 -a -n "$tport" ]; then
- generate_rules $service $policy "tcp" $ip $tport $file
+ generate_rules $service $policy "tcp" $tport $file
+ fi
+
+ tport6=`$SERVINFO -p -t6 -s $iana_name 2>&1`
+ if [ $? -eq 0 -a -n "$tport6" ]; then
+ generate_rules $service $policy "tcp" $tport6 $file6 _6
 fi
 uport=`$SERVINFO -p -u -s $iana_name 2>&1`
 if [ $? -eq 0 -a -n "$uport" ]; then
- generate_rules $service $policy "udp" $ip $uport $file
+ generate_rules $service $policy "udp" $uport $file
+ fi
+
+ uport6=`$SERVINFO -p -u6 -s $iana_name 2>&1`
+ if [ $? -eq 0 -a -n "$uport6" ]; then
+ generate_rules $service $policy "udp" $uport6 $file6 _6
 fi
 return 0
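Review bot: In the RPC branch the TCP path generates IPv4 rules when only IPv6 ports were found (`-n "$tports" -o -n "$tports6"`, then unique_ports), but the UDP path still tests `if [ -n "$uports" ]` alone, so a service that registers only UDP ports over IPv6 gets no IPv4 rule even though the comment added just above says IPv6 ports are usually reachable over IPv4 as well. Make the condition symmetric: `if [ -n "$uports" -o -n "$uports6" ]; then`. The new comment justifies both loops, so it belongs above the UDP block too or above the whole RPC section. process_server_svc() starts before this hunk.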
@@ -583,9 +693,9 @@ generate_rules() service=$1 mypolicy=$2 proto=$3 - ip=$4 - port=$5 - out=$6 + port=$4 + out=$5 + _6=$6 # # Default mode is to inherit from global's policy 
@@ -595,57 +705,95 @@ generate_rules() tcp_opts="" [ "$proto" = "tcp" ] && tcp_opts="flags S keep state keep frags" + block_policy=`get_block_policy $1` + if [ "$block_policy" = "use_global" ]; then + block_policy=${GLOBAL_BLOCK_POLICY} + fi + + if [ "$block_policy" = "return" ]; then + [ "$proto" = "tcp" ] && block_policy="return-rst" + [ "$proto" != "tcp" ] && block_policy="return-icmp-as-dest" + else + block_policy="" + fi + + iplist=`get_target${_6}_list $service` + # # Allow all if policy is 'none' # if [ "$mypolicy" = "none" ]; then - echo "pass in log quick proto ${proto} from any to ${ip}" \ - "port = ${port} ${tcp_opts}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "pass in log quick proto ${proto} from any to ${daddr}" \ + "port = ${port} ${tcp_opts}" >>${out} + done return 0 fi # - # For now, let's concern only with incoming traffic. + # For now, let's concern ourselves only with incoming traffic. # - [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block"; } - [ "$mypolicy" = "allow" ] && { ecmd="block"; acmd="pass"; } + [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block ${block_policy}"; } + [ "$mypolicy" = "allow" ] && { ecmd="block ${block_policy}"; acmd="pass"; } - for name in `get_exceptions $service`; do + for name in `get_exceptions${_6} $service`; do [ -z "$name" -o "$name" = '""' ] && continue ifc=`get_interface $name` if [ $? -eq 0 -a -n "$ifc" ]; then - echo "${ecmd} in log quick on ${ifc} from any to" \ - "${ip} port = ${port}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${ecmd} in log quick on ${ifc} from any to" \ + "${daddr} port = ${port}" >>${out} + done continue fi - addr=`get_IP ${name}` - if [ $? -eq 0 -a -n "$addr" ]; then - echo "${ecmd} in log quick proto ${proto} from ${addr}" \ - "to ${ip} port = ${port} ${tcp_opts}" >>${out} + saddr=`get_IP ${name}` + if [ $? 
-eq 0 -a -n "$saddr" ]; then + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${ecmd} in log quick proto ${proto} from ${saddr}" \ + "to ${daddr} port = ${port} ${tcp_opts}" >>${out} + done fi done - for name in `get_apply2_list $service`; do + for name in `get_apply2${_6}_list $service`; do [ -z "$name" -o "$name" = '""' ] && continue ifc=`get_interface $name` if [ $? -eq 0 -a -n "$ifc" ]; then - echo "${acmd} in log quick on ${ifc} from any to" \ - "${ip} port = ${port}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${acmd} in log quick on ${ifc} from any to" \ + "${daddr} port = ${port}" >>${out} + done continue fi - addr=`get_IP ${name}` - if [ $? -eq 0 -a -n "$addr" ]; then - echo "${acmd} in log quick proto ${proto} from ${addr}" \ - "to ${ip} port = ${port} ${tcp_opts}" >>${out} + saddr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$saddr" ]; then + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${acmd} in log quick proto ${proto} from ${saddr}" \ + "to ${daddr} port = ${port} ${tcp_opts}" >>${out} + done fi done - echo "${ecmd} in log quick proto ${proto} from any to ${ip}" \ - "port = ${port} ${tcp_opts}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${ecmd} in log quick proto ${proto} from any to ${daddr}" \ + "port = ${port} ${tcp_opts}" >>${out} + done return 0 } 
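Review bot: Every rule in generate_rules is now emitted once per entry of `iplist`, so when `get_target${_6}_list` returns nothing — the manifests in this change ship `target`/`target_6` as empty strings — the function writes no rule at all, including the final default line that the old code always emitted with `to any`; unless that helper substitutes a wildcard for an empty property (not visible here), a service with the default manifest ends up without the catch-all rule. An explicit fallback after the `iplist=` line, such as `[ -z "$iplist" ] && iplist="any"`, would make the intended behaviour visible, provided get_IP passes that token through. The five copies of the `for ip in $iplist; do daddr=...; [ -z "$daddr" ... ] && continue` loop differ only in the echoed rule and could be folded into one helper that takes the rule text, which would shrink the hunk considerably. Minor: `get_block_policy $1` next to `get_target${_6}_list $service` reads the same argument under two names; use `$service` in both. generate_rules' head is in the preceding hunk.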
@@ -732,23 +880,31 @@ create_global_rules() { if [ "$GLOBAL_POLICY" = "custom" ]; then file=`global_get_prop_value $FW_CONFIG_DEF_PG $CUSTOM_FILE_PROP` + file6=`global_get_prop_value $FW_CONFIG_DEF_PG $CUSTOM_FILE_6_PROP` [ -n "$file" ] && custom_set_symlink $file + [ -n "$file6" ] && custom_set_symlink $file6 + return 0 fi TEMP=`mktemp /var/run/ipf.conf.pid$$.XXXXXX` + TEMP6=`mktemp /var/run/ipf6.conf.pid$$.XXXXXX` process_nonsvc_progs $TEMP + process_nonsvc_progs $TEMP6 echo "# Global Default rules" >>${TEMP} + echo "# Global Default rules" >>${TEMP6} if [ "$GLOBAL_POLICY" != "none" ]; then echo "pass out log quick all keep state" >>${TEMP} + echo "pass out log quick all keep state" >>${TEMP6} fi case "$GLOBAL_POLICY" in 'none') # No rules replace_file ${IPFILCONF} ${TEMP} + replace_file ${IP6FILCONF} ${TEMP6} return $? ;; @@ -782,6 +938,22 @@ create_global_rules() done + for name in `global_get_prop_value $FW_CONFIG_DEF_PG $EXCEPTIONS_6_PROP`; do + [ -z "$name" -o "$name" = '""' ] && continue + + ifc=`get_interface $name` + if [ $? -eq 0 -a -n "$ifc" ]; then + echo "${ecmd} in log quick on ${ifc} all" >>${TEMP6} + continue + fi + + addr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$addr" ]; then + echo "${ecmd} in log quick from ${addr} to any" >>${TEMP6} + fi + + done + for name in `global_get_prop_value $FW_CONFIG_DEF_PG $APPLY2_PROP`; do [ -z "$name" -o "$name" = '""' ] && continue 
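Review bot: In the `'none'` case the function now runs two replace_file calls but `return $?` only reports the IPv6 one, so a failed IPv4 replacement is reported as success; the same pattern appears at the end of create_global_rules and in create_global_ovr_rules in the later hunks. Capture the first status, e.g. `replace_file ${IPFILCONF} ${TEMP} || return 1` before the IPv6 call. The custom branch calls `custom_set_symlink` with only a file name for both `$file` and `$file6`; unless that helper derives the link name from its argument (not visible here), the second call re-points the same symlink to the IPv6 file — confirm. The function body continues into the next hunk.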
@@ -797,23 +969,41 @@ create_global_rules() fi done + for name in `global_get_prop_value $FW_CONFIG_DEF_PG $APPLY2_6_PROP`; do + [ -z "$name" -o "$name" = '""' ] && continue + + ifc=`get_interface $name` + if [ $? -eq 0 -a -n "$ifc" ]; then + echo "${acmd} in log quick on ${ifc} all" >>${TEMP6} + continue + fi + + addr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$addr" ]; then + echo "${acmd} in log quick from ${addr} to any" >>${TEMP6} + fi + done + if [ "$GLOBAL_POLICY" = "allow" ]; then # - # Allow DHCP traffic if running as a DHCP client + # Allow DHCP(v6) traffic if running as a DHCP client # /sbin/netstrategy | grep dhcp >/dev/null 2>&1 if [ $? -eq 0 ]; then echo "pass out log quick from any port = 68" \ "keep state" >>${TEMP} - echo "pass out log quick from any port = 546" \ - "keep state" >>${TEMP} echo "pass in log quick from any to any port = 68" >>${TEMP} - echo "pass in log quick from any to any port = 546" >>${TEMP} + + echo "pass out log quick from any port = 546" \ + "keep state" >>${TEMP6} + echo "pass in log quick from any to any port = 546" >>${TEMP6} fi echo "block in log all" >>${TEMP} + echo "block in log all" >>${TEMP6} fi replace_file ${IPFILCONF} ${TEMP} + replace_file ${IP6FILCONF} ${TEMP6} return $? } @@ -833,6 +1023,7 @@ create_global_ovr_rules() # if [ "$GLOBAL_POLICY" = "custom" ]; then echo "# 'custom' global policy" >$IPFILOVRCONF + echo "# 'custom' global policy" >$IP6FILOVRCONF return 0 fi @@ -842,6 +1033,7 @@ create_global_ovr_rules() ovr_policy=`global_get_prop_value $FW_CONFIG_OVR_PG $POLICY_PROP` if [ "$ovr_policy" = "none" ]; then echo "# global override policy is 'none'" >$IPFILOVRCONF + echo "# global override policy is 'none'" >$IP6FILOVRCONF return 0 fi 
@@ -865,7 +1057,24 @@ create_global_ovr_rules() fi done + apply2_6_list=`global_get_prop_value $FW_CONFIG_OVR_PG $APPLY2_6_PROP` + for name in $apply2_6_list; do + [ -z "$name" -o "$name" = '""' ] && continue + + ifc=`get_interface $name` + if [ $? -eq 0 -a -n "$ifc" ]; then + echo "${acmd} on ${ifc} all" >>${TEMP6} + continue + fi + + addr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$addr" ]; then + echo "${acmd} from ${addr} to any" >>${TEMP6} + fi + done + replace_file ${IPFILOVRCONF} ${TEMP} + replace_file ${IP6FILOVRCONF} ${TEMP6} return $? } @@ -887,6 +1096,8 @@ svc_mark_maintenance() # ipfile=`fmri_to_file $1 $IPF_SUFFIX` [ -f "$ipfile" ] && mv $ipfile "$ipfile.bak" + ip6file=`fmri_to_file $1 $IPF6_SUFFIX` + [ -f "$ip6file" ] && mv $ip6file "$ip6file.bak" natfile=`fmri_to_file $1 $NAT_SUFFIX` [ -f "$natfile" ] && mv $natfile "$natfile.bak" @@ -945,6 +1156,25 @@ create_services_rules() CONF_FILES="$CONF_FILES $ipfile" fi + ip6file=`fmri_to_file $s $IPF6_SUFFIX` + if [ -n "$ip6file" -a -r "$ip6file" ]; then + check_ipf_syntax $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $s + continue + fi + + svc_is_server $s + if [ $? -eq 0 ]; then + check_ipf_rules $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $s + continue + fi + fi + CONF6_FILES="$CONF6_FILES $ip6file" + fi + natfile=`fmri_to_file $s $NAT_SUFFIX` if [ -n "$natfile" -a -r "$natfile" ]; then check_nat_syntax $natfile @@ -971,9 +1201,11 @@ service_update_rules() svc=$1 ipfile=`fmri_to_file $svc $IPF_SUFFIX` - [ -z "$ipfile" ] && return 0 + ip6file=`fmri_to_file $svc $IPF6_SUFFIX` + [ -n "$ipfile" ] && remove_rules $ipfile + [ -n "$ip6file" ] && remove_rules $ip6file -6 - remove_rules $ipfile + [ -z "$ipfile" -a -z "$ip6file" ] && return 0 natfile=`fmri_to_file $svc $NAT_SUFFIX` [ -n "$natfile" ] && remove_nat_rules $natfile 
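Review bot: create_global_ovr_rules appends to `${TEMP6}` and hands it to replace_file, but none of the three hunks in this function creates that file; unless it is set outside the visible hunks, the function relies on the global `TEMP6` left behind by create_global_rules, which is empty when this function runs on its own and otherwise points at whatever path create_global_rules last used. Create it alongside the existing IPv4 temp file: `TEMP6=\`mktemp /var/run/ipf6.conf.pid$$.XXXXXX\``. The function's start is outside this hunk.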
@@ -993,6 +1225,14 @@ service_update_rules() fi fi + if [ -f "$ip6file" ]; then + check_ipf_syntax $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $svc + return 1 + fi + fi + if [ -f "$natfile" ]; then check_nat_syntax $natfile if [ $? -ne 0 ]; then @@ -1021,6 +1261,26 @@ service_update_rules() prepend_new_rules $IPFILOVRCONF fi + if [ -f "$ip6file" ]; then + svc_is_server $svc + if [ $? -eq 0 ]; then + update_check_ipf_rules $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $svc + return 1 + fi + fi + + prepend_new_rules $ip6file -6 + + # + # reload Global Override rules to + # maintain correct ordering. + # + remove_rules $IP6FILOVRCONF -6 + prepend_new_rules $IP6FILOVRCONF -6 + fi + [ -f "$natfile" ] && append_new_nat_rules $natfile return 0 diff --git a/usr/src/cmd/syslogd/system-log.xml b/usr/src/cmd/syslogd/system-log.xml index 80f147f0fc..8802d363b7 100644 --- a/usr/src/cmd/syslogd/system-log.xml +++ b/usr/src/cmd/syslogd/system-log.xml @@ -23,6 +23,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different @@ -140,8 +142,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
diff --git a/usr/src/cmd/ypcmd/yp.sh b/usr/src/cmd/ypcmd/yp.sh index 0d690e65f1..277d970465 100644 --- a/usr/src/cmd/ypcmd/yp.sh +++ b/usr/src/cmd/ypcmd/yp.sh @@ -21,6 +21,7 @@ # # # Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # . /lib/svc/share/smf_include.sh @@ -32,6 +33,7 @@ create_client_ipf_rules() { FMRI=$1 file=`fmri_to_file $FMRI $IPF_SUFFIX` + file6=`fmri_to_file $FMRI $IPF6_SUFFIX` iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI` domain=`domainname` 
@@ -43,44 +45,76 @@ create_client_ipf_rules() return fi echo "# $FMRI" >$file + echo "# $FMRI" >$file6 ypfile="/var/yp/binding/$domain/ypservers" if [ -f $ypfile ]; then tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` + tports_6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` + uports_6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` server_addrs="" + server_addrs_6="" for ypsvr in `grep -v '^[ ]*#' $ypfile`; do # - # Get corresponding IPv4 address in /etc/hosts + # Get corresponding IPv4/IPv6 addresses # - servers=`grep -v '^[ ]*#' /etc/hosts | awk ' { - if ($1 !~/:/) { - for (i=2; i<=NF; i++) { - if (s == $i) printf("%s ", $1); - } } - }' s="$ypsvr"` - - [ -z "$servers" ] && continue - server_addrs="$server_addrs $servers" - done + servers=`getent ipnodes $ypsvr | awk '/^:/{ print $1 }'` + servers_6=`getent ipnodes $ypsvr | awk '/:/{ print $1 }'` - [ -z "$server_addrs" ] && return 0 - for s in $server_addrs; do - if [ -n "$tports" ]; then - for tport in $tports; do - echo "pass in log quick proto tcp" \ - "from $s to any port = $tport" >>$file - done + if [ -n "$servers" ]; then + server_addrs="$server_addrs $servers" fi - if [ -n "$uports" ]; then - for uport in $uports; do - echo "pass in log quick proto udp" \ - "from $s to any port = $uport" >>$file - done + if [ -n "$servers_6" ]; then + server_addrs_6="$server_addrs_6 $servers" fi done + + if [ -n "$server_addrs" ]; then + for s in $server_addrs; do + if [ -n "$tports" ]; then + for tport in $tports; do + echo "pass in log quick" \ + "proto tcp from $s" \ + "to any port = $tport" \ + >>$file + done + fi + + if [ -n "$uports" ]; then + for uport in $uports; do + echo "pass in log quick" \ + "proto udp from $s" \ + "to any port = $uport" \ + >>$file + done + fi + done + fi + + if [ -n "$server_addrs_6" ]; then + for s in $server_addrs_6; do + if [ -n "$tports_6" ]; then + for tport in $tports_6; do + echo "pass in log quick" \ + "proto tcp from $s" \ 
+ "to any port = $tport" \ + >>$file6 + done + fi + + if [ -n "$uports_6" ]; then + for uport in $uports_6; do + echo "pass in log quick" \ + "proto udp from $s" \ + "to any port = $uport" \ + >>$file6 + done + fi + done + fi else # # How do we handle the client broadcast case? Server replies @@ -93,6 +127,8 @@ create_client_ipf_rules() # echo "pass in log quick proto udp from any to any" \ "port > 32768" >>$file + echo "pass in log quick proto udp from any to any" \ + "port > 32768" >>$file6 fi } diff --git a/usr/src/man/man1m/svc.ipfd.1m b/usr/src/man/man1m/svc.ipfd.1m index 58b8ffb151..3790a40c3d 100644 --- a/usr/src/man/man1m/svc.ipfd.1m +++ b/usr/src/man/man1m/svc.ipfd.1m @@ -2,7 +2,8 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved -.TH SVC.IPFD 1M "Jan 13, 2009" +.\" Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +.TH SVC.IPFD 1M "Dec 30, 2015" .SH NAME svc.ipfd \- IP Filter firewall monitoring daemon .SH SYNOPSIS @@ -17,7 +18,6 @@ svc.ipfd \- IP Filter firewall monitoring daemon .fi .SH DESCRIPTION -.sp .LP The \fBsvc.ipfd\fR daemon monitors actions on services that use firewall configuration and initiates update services' IP Filter configuration. The @@ -37,7 +37,6 @@ This daemon is started by the \fBnetwork/ipfilter\fR service either through the variables and credentials from the method and runs as root with all zone privileges. .SS "Firewall Static Configuration" -.sp .LP A static definition describes a service's network resource configuration that is used to generate service-specific IPF rules. The per-service 
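Review bot: The IPv4 server lookup `awk '/^:/{ print $1 }'` selects lines whose address starts with a colon, i.e. only IPv6 forms such as `::1`, so ordinary IPv4 addresses from `getent ipnodes` never reach `server_addrs` and no IPv4 pass rules are generated; the pattern should be the negation of the IPv6 one, `awk '!/:/{ print $1 }'`. A few lines down the IPv6 list is filled from the wrong variable — `server_addrs_6="$server_addrs_6 $servers"` appends the IPv4 results and should read `$servers_6`. The two getent calls per server could be one invocation split afterwards, but that is cosmetic. create_client_ipf_rules continues past the hunk.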
@@ -103,7 +102,6 @@ The service static configuration is delivered by the service developer and not intended to be modified by users. These properties are only modified upon installation of an updated service definition. .SS "Firewall Policy Configuration" -.sp .LP A per-service property group, \fBfirewall_config\fR, stores the services' firewall policy configuration. Because \fBnetwork/ipfilter:default\fR is 
@@ -161,21 +159,77 @@ except those specified in the \fBapply_to\fR property. .sp .ne 2 .na +\fB\fBblock-policy\fR\fR +.ad +.sp .6 +.RS 4n +The \fBblock-policy\fR property defines the handling of packets that +are blocked by the filter. It has the following modes: +.sp +.ne 2 +.na +\fB\fBnone\fR block-policy mode\fR +.ad +.sp .6 +.RS 4n +Block by dropping packets. +.RE + +.sp +.ne 2 +.na +\fB\fBreturn\fR block-policy mode\fR +.ad +.sp .6 +.RS 4n +Block by returning RST (for TCP) or ICMP messages (for other +protocols) to the sender of the blocked packets. +.RE + +.RE + +.sp +.ne 2 +.na \fB\fBapply_to\fR\fR .ad .sp .6 .RS 4n -A multi-value property listing network entities to enforce the chosen policy -mode. Entities listed in \fBapply_to\fR property will be denied if policy is -\fBdeny\fR and allowed if policy is \fBallow\fR. The syntax for possible values -are: +A multi-value property listing IPv4 network source entities to enforce the +chosen policy mode. Packets coming from the entities listed in \fBapply_to\fR +property will be denied if policy is \fBdeny\fR and allowed if policy is +\fBallow\fR. The syntax for possible values are: +.sp +.in +2 +.nf +host: host:\fIIP\fR "host:192.168.84.14" +subnet: network:\fIIP/netmask\fR "network:129.168.1.5/24" +ippool: pool:\fIpool number\fR "pool:77" +interface: if:\fIinterface_name\fR "if:e1000g0" +.fi +.in -2 +.sp + +.RE + +.sp +.ne 2 +.na +\fB\fBapply_to_6\fR\fR +.ad +.sp .6 +.RS 4n +A multi-value property listing IPv6 network source entities to enforce the +chosen policy mode. Packets coming from the entities listed in \fBapply_to_6\fR +property will be denied if policy is \fBdeny\fR and allowed if policy is +\fBallow\fR. 
The syntax for possible values are: .sp .in +2 .nf -host: host:\fIIP\fR "host:192.168.84.14" -subnet: network:\fIIP/netmask\fR "network:129.168.1.5/24" -ippool: pool:\fIpool number\fR "pool:77" -interface: if:\fIinterface_name\fR "if:e1000g0" +host: host:\fIIP\fR "host:2001:DB8::12ff:fe34:5678" +subnet: network:\fIIP/netmask\fR "network:2001:DB8::/32" +ippool: pool:\fIpool number\fR "pool:77" +interface: if:\fIinterface_name\fR "if:e1000g0" .fi .in -2 .sp 
@@ -189,14 +243,58 @@ interface: if:\fIinterface_name\fR "if:e1000g0" .ad .sp .6 .RS 4n -A multi-value property listing network entities to be excluded from the -\fBapply_to\fR list. For example, when \fBdeny\fR policy is applied to a +A multi-value property listing IPv4 network source entities to be excluded from +the \fBapply_to\fR list. For example, when \fBdeny\fR policy is applied to a subnet, exceptions can be made to some hosts in that subnet by specifying them in the \fBexceptions\fR property. This property has the same value syntax as \fBapply_to\fR property. .RE .sp +.ne 2 +.na +\fB\fBexceptions_6\fR\fR +.ad +.sp .6 +.RS 4n +A multi-value property listing IPv6 network source entities to be excluded from +the \fBapply_to_6\fR list. For example, when \fBdeny\fR policy is applied to a +subnet, exceptions can be made to some hosts in that subnet by specifying them +in the \fBexceptions_6\fR property. This property has the same value syntax as +\fBapply_to_6\fR property. +.RE + +.sp +.ne 2 +.na +\fB\fBtarget\fR\fR +.ad +.sp .6 +.RS 4n +A multi-value property listing IPv4 network destination entities to enforce the +chosen policy mode. Packets directed to the destination entities listed in +\fBtarget\fR property will be denied if policy is \fBdeny\fR and allowed if +policy is \fBallow\fR. This property has the same value syntax as \fBapply_to\fR +property, with the notable exception that specifying network interfaces is not +supported. +.RE + +.sp +.ne 2 +.na +\fB\fBtarget_6\fR\fR +.ad +.sp .6 +.RS 4n +A multi-value property listing IPv6 network destination entities to enforce the +chosen policy mode. Packets directed to the destination entities listed in +\fBtarget_6\fR property will be denied if policy is \fBdeny\fR and allowed if +policy is \fBallow\fR. This property has the same value syntax as +\fBapply_to_6\fR property, with the notable exception that specifying network +interfaces is not supported. 
+.RE + +.sp .LP For individual network services only: .sp @@ -207,7 +305,19 @@ For individual network services only: .sp .6 .RS 4n A service's policy can also be set to \fBuse_global\fR. Services with -\fBuse_global\fR policy mode inherits the Global Default firewall policy. +\fBuse_global\fR policy mode inherit the Global Default firewall policy. +.RE + +.sp +.ne 2 +.na +\fB\fBfirewall_config/block_policy\fR\fR +.ad +.sp .6 +.RS 4n +A service's block policy can also be set to \fBuse_global\fR. Services with +\fBuse_global\fR block policy mode inherit the Global Default firewall block +policy. .RE .sp @@ -324,7 +434,6 @@ firewall administration privilege to users. Users with Service Operator privileges will need this new authorization to be able to configure firewall policy. .SS "Firewall Availability" -.sp .LP During boot, a firewall is configured for enabled services prior to the starting of those services. Thus, services are protected on boot. While the @@ -342,7 +451,6 @@ ephemeral addresses, which are not known until the services are actually running. Thus RPC services are subjected to similar exposure since their firewalls are not configured until the services are running. .SS "Developer Documentation" -.sp .LP Services providing remote capabilities are encouraged to participate in the firewall framework to control network access to the service. While framework @@ -490,7 +598,6 @@ svc:/network/ntp:default .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -506,7 +613,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBsvcprop\fR(1), \fBsvcs\fR(1), \fBipf\fR(1M), \fBsvcadm\fR(1M), \fBsvccfg\fR(1M), \fBgetservbyname\fR(3SOCKET), \fBrpc\fR(4), |
