After I spent hours thinking I have lost the plot, I finally read about how IPF is configured by default now. I am not sure what build this was changed, but now, by default IPF on OpenIndiana does not look @ /etc/ipf/ipf.conf for default IPv4 IPF Rules to load @ start. To make it look @ this file apply the following.
[bash]
#!/bin/bash
IPFW_CFG="/etc/ipf/ipf.conf"
PRIV_EXEC="pfexec"
# Turn IPF back to legacy text file usage
$PRV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
$PRV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "$IPFW_CFG"
$PRV_EXEC svcadm refresh ipfilter:default
echo "Done - Edit $IPFW_CFG and enable IPF now ..."
[/bash]
Sample Conf:
[bash]
# Default policies
pass out all keep state
block in all
block return-rst in log first proto tcp all
block return-icmp(host-unr) in log proto udp all
# Allow Loopback
pass in quick on lo0 all
pass out quick on lo0 all
# Allow ICMP
pass out quick proto icmp all keep state
pass in quick proto icmp all keep state
# Allow SSH
pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags
# Allow SSH
pass in quick proto tcp from any to any port = 80 keep state
[/bash]
Now just enable the service
pfexec svcadm enable svc:/network/ipfilter:default
Handy IPF Commands
ipf -E : Enable ipfilter when running
: for the first time.
: (Needed for ipf on Tru64)
ipf -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file
: into the active firewall.
ipf -Fa -f /etc/ipf/ipf.conf : Flush all rules, then load rules in
: /etc/ipf/ipf.conf into active firwall.
ipf -Fi : Flush all input rules.
ipf -I -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file
: into inactive firewall.
ipf -V : Show version info and active list.
ipf -s : Swap active and inactive firewalls.
ipfstat : Show summary
ipfstat -i : Show input list
ipfstat -o : Show output list
ipfstat -hio : Show hits against all rules
ipfstat -t -T 5 : Monitor the state table and refresh every
: 5 seconds. Output is similiar to
: 'top' monitoring the process table.
ipmon -s S : Watch state table.
ipmon -sn : Write logged entries to syslog, and
: convert back to hostnames and servicenames.
ipmon -s [file] : Write logged entries to some file.
ipmon -Ds : Run ipmon as a daemon, and log to
: default location.
: (/var/adm/messages for Solaris)
I just upgraded to OI and was wondering what happened to IPF. So glad to see you already tackled this. When you say “To make it look @ this file apply the following.” What is “this file”?