Bug #14076

open

OI: Ipfilter firewall table rules won't load at startup

Added by Adrian Kieß 12 days ago. Updated 12 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

Dear Developers,

using my OpenIndiana installation, the ipfilter service won't load at startup after adding content to /etc/ipf/ipf.conf and /etc/ipf/ipf6.conf.
I enabled the ipfilter service with svcadm enable ipfilter.

I found a script in a forum on the Internet which fixes the issue. I paste it below:

#!/bin/sh
# Wait for the system to boot up and services to start
sleep 15
# Enable custom firewall rules for ipfilter...
svcadm enable ipfilter

# Switch the default firewall policy to "custom"
svccfg -s ipfilter:default setprop \
firewall_config_default/policy = astring: "custom"

# Point the custom policy at the IPv4 rules file
svccfg -s ipfilter:default setprop \
firewall_config_default/custom_policy_file = astring: \
"/etc/ipf/ipf.conf"

# Make the running service pick up the changed properties
svcadm refresh ipfilter:default

This script I have put in /usr/local/bin/pkcfirewall.

Please have a look at the issue.

Thank you very much in advance.

Sincerely,

Adrian Kieß

Actions #1

Updated by Gary Mills 12 days ago

This sounds like an illumos problem, not an OI problem. Try posting the same report to the illumos bug reporting site. You will likely get some help with the problem there.

Actions #2

Updated by Marcel Telka 12 days ago

  • Project changed from OpenIndiana Distribution to illumos gate
  • Target version deleted (2021.04)

Actions #3

Updated by Dan McDonald 12 days ago

Curious.

What should happen is that:

1.) Edit /etc/ipf/ipf.conf as appropriate.
2.) svcadm enable ipfilter

should just work, and on subsequent reboots.

If that doesn't, we should see the state of the "ipfilter" service and why it isn't doing what it is supposed to be doing.

I note your /usr/local/ script uses svccfg to point to /etc/ipf/ipf.conf. Why the service doesn't do that already is an interesting question. I'm going to reproduce those steps on an OmniOS VM and report back here.

Actions #4

Updated by Dan McDonald 12 days ago

I had a bad config file when I was testing -- pardon the bad, now deleted, comments.

Make sure your config is okay (what does "ipf -f /etc/ipf/ipf.conf" do?), and if an SMF service generally fails, it's good to report the SMF service log.

svcs -L ipfilter

shows you where that file is.
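
A read-only check that gathers what the comments above ask for, as an added example that is not part of the thread or of illumos: it compares the ipfilter service state and the two firewall_config_default properties with what the pasted workaround sets, syntax-checks the rules with ipf -n, and prints the SMF log path. The function names, the verdict words and the CONF variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report the ipfilter SMF state discussed in this bug.
FMRI="ipfilter:default"
CONF="${CONF:-/etc/ipf/ipf.conf}"   # rules file named in the report

# Read one property from the firewall_config_default group; empty if unset.
get_prop() {
    svcprop -p "firewall_config_default/$1" "$FMRI" 2>/dev/null
}

# Compare state and properties with what the workaround script sets.
# Args: state, policy, custom_policy_file. Prints one verdict word.
classify() {
    if [ "$1" != "online" ]; then
        echo "service-$1"
    elif [ "$2" != "custom" ]; then
        echo "policy-$2"
    elif [ "$3" != "$CONF" ]; then
        echo "policy-file-mismatch"
    else
        echo "matches-workaround"
    fi
}

# Gather the live values and print a report suitable for the bug.
report() {
    state=$(svcs -H -o state "$FMRI" 2>/dev/null | tr -d ' ')
    policy=$(get_prop policy)
    file=$(get_prop custom_policy_file)
    echo "state:   ${state:-unknown}"
    echo "policy:  ${policy:-unset}"
    echo "file:    ${file:-unset}"
    echo "verdict: $(classify "${state:-unknown}" "${policy:-unset}" "${file:-unset}")"
    # -n parses the rules without changing the running kernel filter.
    if ipf -n -f "$CONF" >/dev/null 2>&1; then
        echo "syntax:  ok"
    else
        echo "syntax:  errors in $CONF"
    fi
    echo "log:     $(svcs -L "$FMRI" 2>/dev/null)"
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "report" ]; then
    report
fi
```

Run it as root with the argument "report" right after a reboot, before applying the workaround, so the output reflects the state the service reached on its own.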
