I'm trying to get IP Filter to work on Solaris 11.1.
I'm following the official Solaris 11.1 guide.
When the host is booted it doesn't pick up the ipf.conf that I expect. Here's the contents of svccfg -s ipfilter:default listprop:
config application config/ipf6_config_file astring /etc/ipf/ipf6.conf config/ipnat_config_file astring /etc/ipf/ipnat.conf config/ippool_config_file astring /etc/ipf/ippool.conf firewall_config_default com.sun,fw_configuration firewall_config_default/apply_to astring firewall_config_default/exceptions astring firewall_config_default/open_ports astring firewall_config_default/value_authorization astring solaris.smf.value.firewall.config firewall_config_default/version count 1 firewall_config_default/policy astring custom firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf firewall_config_override com.sun,fw_configuration firewall_config_override/apply_to astring firewall_config_override/policy astring none firewall_config_override/value_authorization astring solaris.smf.value.firewall.config general framework general/complete astring general/enabled boolean true restarter framework NONPERSISTENT restarter/logfile astring /var/svc/log/network-ipfilter:default.log restarter/contract count 7951 restarter/start_pid count 4031 restarter/start_method_timestamp time 1354809979.642008000 restarter/start_method_waitstatus integer 0 restarter/auxiliary_state astring dependencies_satisfied restarter/next_state astring none restarter/state astring online restarter/state_timestamp time 1354809979.645753000 From the above I'm expecting that it will pick up /etc/ipf/ipf.conf and use that. It doesn't! Instead it use an empty rule set.
After boot I have:
$ svcs network/ipfilter STATE STIME FMRI online 17:06:19 svc:/network/ipfilter:default $ ipfstat -io empty list for ipfilter(out) empty list for ipfilter(in) I can enable my config file manually with ipf -Fa -f /etc/ipf/ipf.conf and that works fine so it is solely the SMF stuff I cannot get to work as I expect.
I've been trying to read and also look trough the script that SMF executes with respect to IPFilter. But I'm stuck. It is far more complex than what I can comprehend.
Perhaps it has something to do with Solaris' automatic network configuration feature?
It would have been great if the fairly complex SMF script would make some output to console (and thus to SMF logfile) as to the choices it is making. Unfortunately it doesn't.
My host is a non-global zone with exclusive IP stack.
What have I overlooked?
