Solaris host-based firewall [PSARC/2008/580 FastTrack]
Andrew Gabriel
Andrew.Gabriel at sun.com
Thu Oct 2 11:38:27 PDT 2008
I've looked through the new spec.
I have some questions about how the current method of configuring
IPfilter will continue to work in the new framework. (I have programs
which build ipf.conf and reapply it dynamically as needed, and I don't
have any interest in automatically allowing/denying access based on SMF
service states. I guess that makes me an "advanced user" in your
terminology.)
So, if I understand correctly, to enable the current mode of operation, I
would issue the commands:
svccfg -s svc:/network/ipfilter: setprop firewall_config_default/policy
= custom
svcadm enable svc:/network/ipfilter
This needs clearly stating as an example on a manpage (ipf(1M) and/or
ipf(4)).
What happens on upgrade of a system with an existing ipf.conf file and
IPfilter enabled? Will you automatically do this? If not, how do you
handle upgrade?
In the ipf(1M) manpage, you have removed the ipf and ipnat command
examples. This is incorrect -- these are still used and required for the
current method of operation. You perhaps just need to add a comment that
these wouldn't be used if using the SMF framework to automatically build
firewall rules. You have also effectively removed the instructions for
changing filter rules without either rebooting or disabling IPfilter. It
is an important feature of IPfilter that it allows rules to be changed
dynamically without disabling it or rebooting the system, and this needs
to remain on the manpage. ipf(1M) is a committed interface and a key
part of the access to important features of IPfilter.
--
Andrew
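The "custom" workflow the post describes (a program builds ipf.conf and reapplies it to a running IPfilter without disabling the service) looks roughly like the script below. This is an added illustration, not code from the post or from the PSARC case; the interface name, the output path and the allowed ports are assumptions, and the one-time SMF policy step (svccfg/svcadm) from the post is assumed to have been done already. The reload uses ipf(1M)'s inactive rule set (-I) and swap (-s) so the old rules stay in force until the new ones are loaded.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a default-deny
# IPfilter ruleset from an allow-list of inbound TCP ports and reloads
# it into the running filter via ipf(1M) without disabling IPfilter.

IFACE="${IFACE:-e1000g0}"                               # assumed interface name
IPF_CONF="${IPF_CONF:-${TMPDIR:-/tmp}/ipf.conf.$$}"     # assumed path; on a real host /etc/ipf/ipf.conf

# build_ipf_conf PORT... : write the ruleset to $IPF_CONF.
# Rules are "quick" so the first match wins; the default is block.
build_ipf_conf() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "build_ipf_conf: bad port '$port'" >&2; return 1 ;;
        esac
    done
    {
        echo "# generated by build_ipf_conf on $(date -u +%Y-%m-%dT%H:%M:%SZ); regenerate, do not hand-edit"
        echo "# default deny inbound; log drops so they are visible via ipmon(1M)"
        echo "block in log all"
        echo "# loopback is unrestricted"
        echo "pass in quick on lo0 all"
        echo "pass out quick on lo0 all"
        echo "# stateful allow-list of inbound TCP services"
        for port in "$@"; do
            echo "pass in quick on $IFACE proto tcp from any to any port = $port flags S keep state"
        done
        echo "# outbound from this host, with state so replies are accepted"
        echo "pass out quick on $IFACE all keep state"
    } > "$IPF_CONF"
}

# count_rules: number of non-comment rule lines in $IPF_CONF.
count_rules() {
    grep -c -v '^#' "$IPF_CONF"
}

# reload_rules: syntax-check, then load into the inactive set and swap.
# On a host without ipf(1M) (e.g. when run off-Solaris) it only reports
# what it would do, so the build step can still be exercised.
reload_rules() {
    if ! command -v ipf >/dev/null 2>&1; then
        echo "ipf not found; would run: ipf -I -Fa -f $IPF_CONF && ipf -s" >&2
        return 0
    fi
    ipf -n -f "$IPF_CONF" || return 1       # -n: parse only, touch nothing in the kernel
    ipf -I -Fa -f "$IPF_CONF" && ipf -s     # flush+load the inactive set, then swap it live
}

# usage: allow ssh and https, then apply
build_ipf_conf 22 443 && reload_rules && echo "wrote $IPF_CONF"
```

The reload never leaves the host unfiltered: the active set keeps running while the new file is parsed and loaded into the inactive set, and ipf -s switches over atomically, which is the property the post wants to keep documented in ipf(1M).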