SMF ipfilter support needs improvement
We currently have support for securing SMF-managed services with ipfilter. This is especially useful for securing RPC services using dynamic ports. As it happens this support is somewhat limited:
- supports only dropping of packets, there is no setting to return RST (TCP) or ICMP error messages (all other protocols)
- supports only filtering on source addresses, source address pools, and incoming interfaces
- supports only IPv4
For a few months now I have been running with a bunch of changes that allow IPv6 support, specifying a block policy, and filtering on destination addresses. It's time to have these upstreamed.
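As an added illustration (not the illumos ipf_include.sh code and not part of the original issue), the following POSIX shell script derives ipfilter block rules for an RPC service whose ports are dynamic, from rpcinfo-style output, and shows how the three limitations listed above map onto rule text: a block policy (silent drop versus RST/ICMP reply), a destination address, and IPv6 (same rule syntax, kept in ipf's separate IPv6 configuration). The policy names, the `rpc_*` helpers and the rpcinfo sample are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not illumos' own ipf_include.sh: derive ipfilter rules for an
# RPC service with dynamic ports. Nothing here loads rules into ipf; it only
# prints them.

# Print the unique ports a service registered with rpcbind, from "rpcinfo -p"
# style text on stdin.  Columns: program vers proto port service
rpc_ports() {        # rpc_ports SERVICE PROTO < rpcinfo-output
    awk -v svc="$1" -v proto="$2" \
        '$5 == svc && $3 == proto { print $4 }' | sort -un
}

# Emit one ipf "block" rule.  POLICY (assumed names): drop | return-rst |
# return-icmp.  DST defaults to any; an IPv6 DST yields a rule for ipf6.conf.
ipf_block_rule() {   # ipf_block_rule PROTO PORT POLICY [DST]
    proto=$1; port=$2; policy=$3; dst=${4:-any}
    case "$policy" in
    drop)        action="block" ;;
    # RST is a TCP concept; refuse it for UDP instead of emitting a no-op rule
    return-rst)  [ "$proto" = tcp ] || { echo "return-rst is TCP only" >&2; return 1; }
                 action="block return-rst" ;;
    return-icmp) action="block return-icmp(port-unr)" ;;
    *)           echo "unknown block policy: $policy" >&2; return 1 ;;
    esac
    printf '%s in log quick proto %s from any to %s port = %s\n' \
        "$action" "$proto" "$dst" "$port"
}

# One rule per port the service currently holds, for one protocol.
rpc_block_rules() {  # rpc_block_rules SERVICE PROTO POLICY [DST] < rpcinfo-output
    svc=$1; proto=$2; policy=$3; dst=$4
    rpc_ports "$svc" "$proto" | while read -r port; do
        ipf_block_rule "$proto" "$port" "$policy" "$dst" || return 1
    done
}

# Constructed sample of "rpcinfo -p" output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   udp  32812  mountd
    100005    3   tcp  32813  mountd
    100005    1   tcp  32813  mountd'

# Example run: block NFS over TCP with an RST reply instead of a silent drop.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_block_rules nfs tcp return-rst
```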
Updated by Hans Rosenfeld about 7 years ago
While at it I fixed a few minor issues in the nfs/client ipfilter support (handled by /lib/svc/method/nfs-server):
- block tcp6 ports for IPv4, too
- only open client ports when nfs/client is enabled
I also fixed the yp client to use "getent ipnodes $hostname" instead of parsing /etc/hosts directly, this is a requirement to allow IPv6 support.
Updated by Electric Monk over 6 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
commit 7ddce99911fbb5e44b38ac65e991a22e42267ee9
Author: Hans Rosenfeld <email@example.com>
Date: 2016-01-22T15:23:04.000Z

6123 SMF ipfilter support needs improvement
Reviewed by: Toomas Soome <firstname.lastname@example.org>
Reviewed by: Attila Fülöp <email@example.com>
Reviewed by: Cody Mello <firstname.lastname@example.org>
Approved by: Dan McDonald <email@example.com>