
Bug #6123

SMF ipfilter support needs improvement

Added by Hans Rosenfeld about 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Category:
smf
Start date:
2015-08-14
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:

Description

We currently have support for securing SMF-managed services with ipfilter. This is especially useful for securing RPC services using dynamic ports.

As it happens, this support is somewhat limited:
  • supports only dropping of packets; there is no setting to return RST (TCP) or ICMP error messages (all other protocols)
  • supports only filtering on source addresses, source address pools, and incoming interfaces
  • supports only IPv4

For a few months now I have been running with a bunch of changes that allow IPv6 support, specifying a block policy, and filtering on destination addresses. It's time to have these upstreamed.
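As an added illustration (not code from this change or from the svc.ipfd method script), a small POSIX shell generator that emits the ipfilter rule a service port would get once the three gaps above are closed: a block policy other than a silent drop, a destination address, and a choice of protocol family. The gen_rule and rule_set names, the drop/reject policy names and the per-family file names are assumptions made for this example.

```shell
# Constructed example: build one ipfilter "block" rule for a service port.
#
# gen_rule PROTO PORT FAMILY POLICY SRC DST
#   PROTO   tcp | udp
#   FAMILY  inet | inet6 (selects the rule set, see rule_set below)
#   POLICY  drop   - silently discard the packet (the only behaviour the
#                    old support offered)
#           reject - TCP gets an RST, every other protocol an ICMP
#                    port-unreachable, as the report describes
#   SRC/DST an address, network, pool or "any"; DST is the new part
gen_rule() {
    proto=$1 port=$2 family=$3 policy=$4 src=$5 dst=$6
    case "$proto" in
        tcp|udp) ;;
        *) echo "gen_rule: unsupported protocol $proto" >&2; return 1 ;;
    esac
    case "$family" in
        inet|inet6) ;;
        *) echo "gen_rule: unsupported family $family" >&2; return 1 ;;
    esac
    case "$policy" in
        drop)   action="block" ;;
        reject) if [ "$proto" = tcp ]; then
                    action="block return-rst"          # RST only makes sense for TCP
                else
                    action="block return-icmp(port-unr)"
                fi ;;
        *) echo "gen_rule: unsupported policy $policy" >&2; return 1 ;;
    esac
    # "port = N" after the "to" address matches the destination port.
    printf '%s in quick proto %s from %s to %s port = %s\n' \
        "$action" "$proto" "$src" "$dst" "$port"
}

# IPv6 rules are kept in a separate rule set (assumed file names).
rule_set() {
    case "$1" in
        inet)  echo ipf.conf ;;
        inet6) echo ipf6.conf ;;
        *)     return 1 ;;
    esac
}

# Usage: the rpcbind port, rejected for IPv4 TCP and IPv6 UDP.
gen_rule tcp 111 inet  reject 192.0.2.0/24 any
gen_rule udp 111 inet6 reject any 2001:db8::1
```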

History

#1

Updated by Hans Rosenfeld about 5 years ago

Webrev: http://ma.nexenta.com/~woodstock/illumos-6123/

While at it, I fixed a few minor issues in the nfs/client ipfilter support (handled by /lib/svc/method/nfs-server):
- block tcp6 ports for IPv4, too
- only open client ports when nfs/client is enabled

I also fixed the yp client to use "getent ipnodes $hostname" instead of parsing /etc/hosts directly; this is a requirement to allow IPv6 support.

#2

Updated by Electric Monk over 4 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 7ddce99911fbb5e44b38ac65e991a22e42267ee9

commit  7ddce99911fbb5e44b38ac65e991a22e42267ee9
Author: Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
Date:   2016-01-22T15:23:04.000Z

    6123 SMF ipfilter support needs improvement
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Attila Fülöp <attila@fueloep.org>
    Reviewed by: Cody Mello <melloc@joyent.com>
    Approved by: Dan McDonald <danmcd@omniti.com>
