Bug #6123: SMF ipfilter support needs improvement
Status: Closed
% Done: 100%

Description
We currently have support for securing SMF-managed services with ipfilter. This is especially useful for securing RPC services using dynamic ports.
As it happens this support is somewhat limited:
- supports only dropping of packets, there is no setting to return RST (TCP) or ICMP error messages (all other protocols)
- supports only filtering on source addresses, source address pools, and incoming interfaces
- supports only IPv4
For a few months now I have been running with a bunch of changes that allow IPv6 support, specifying a block policy, and filtering on destination addresses. It's time to have these upstreamed.
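Added example (not part of this bug report and not the illumos code): a small Python stand-in for the rule generation that svc.ipfd performs from a service's firewall_config properties, written to show the three additions the description lists (a block policy that returns RST/ICMP instead of dropping, destination address filtering, and a separate IPv6 rule set). The property names (policy, block_policy, apply_to/apply_to_6, exceptions/exceptions_6, target/target_6), the entity syntax (host:, network:, pool:, if:) and the exact rule text are assumptions modelled on the illumos ipfilter(5) property set, not copied from /lib/svc/share/ipf_include.sh; only the ipf keywords themselves (block, pass, return-rst, return-icmp-as-dest, pool/N, on IFACE) are standard ipfilter syntax.

```python
"""Stand-in ipfilter rule generator for an SMF service (added example).

Property names and rule layout are assumptions modelled on illumos
ipfilter(5); this is not the svc.ipfd implementation.
"""
import ipaddress


def block_verb(block_policy, proto):
    """ipf action for a block rule.

    block_policy "none" is the plain drop the old generator always produced;
    "return" (assumed property value) answers TCP with a RST and everything
    else with an ICMP unreachable, which is what the bug asks for.
    """
    if block_policy == "return":
        return "block return-rst" if proto == "tcp" else "block return-icmp-as-dest"
    return "block"


def parse_entity(token, v6=False):
    """Turn one 'kind:value' entity into an (interface, address) pair.

    host:/network: values are checked against the address family of the
    rule set being built, so an IPv6 address in apply_to (the v4 set) is an
    error instead of an unparsable rule.  pool:N becomes ipf's pool/N and
    if:NAME becomes an 'on NAME' clause with an 'any' source.
    """
    kind, _, value = token.partition(":")
    if kind in ("host", "network"):
        net = ipaddress.ip_network(value, strict=False)
        want = 6 if v6 else 4
        if net.version != want:
            raise ValueError(f"{token}: expected an IPv{want} address")
        return None, (net.with_prefixlen if kind == "network" else str(net.network_address))
    if kind == "pool":
        return None, f"pool/{value}"
    if kind == "if":
        return value, "any"
    raise ValueError(f"unknown entity kind in {token!r}")


def _rule(action, iface, src, dst, proto, port):
    on = f" on {iface}" if iface else ""
    return f"{action} in quick{on} proto {proto} from {src} to {dst} port = {port}"


def generate_rules(props, proto, port, v6=False):
    """Return the ipf rule lines protecting one service port.

    props is a dict of the (assumed) firewall_config properties.  With
    v6=True the *_6 variants are used and the lines are meant for ipf -6.
    policy deny:  block apply_to, letting exceptions through first.
    policy allow: pass apply_to, blocking exceptions first and everyone else last.
    """
    policy = props.get("policy", "none")
    if policy == "none":
        return []
    sfx = "_6" if v6 else ""
    block = block_verb(props.get("block_policy", "none"), proto)
    # destination filtering via target/target_6; "any" keeps the old behaviour
    targets = [parse_entity(t, v6)[1] for t in props.get("target" + sfx, [])] or ["any"]
    applies = [parse_entity(t, v6) for t in props.get("apply_to" + sfx, [])]
    excepts = [parse_entity(t, v6) for t in props.get("exceptions" + sfx, [])]
    rules = []
    if policy == "deny":
        for iface, src in excepts:
            rules += [_rule("pass", iface, src, dst, proto, port) for dst in targets]
        for iface, src in applies:
            rules += [_rule(block, iface, src, dst, proto, port) for dst in targets]
    elif policy == "allow":
        for iface, src in excepts:
            rules += [_rule(block, iface, src, dst, proto, port) for dst in targets]
        for iface, src in applies:
            rules += [_rule("pass", iface, src, dst, proto, port) for dst in targets]
        rules += [_rule(block, None, "any", dst, proto, port) for dst in targets]
    else:
        raise ValueError(f"unsupported policy {policy!r}")
    return rules


# Constructed sample properties: deny 10/8 and anything arriving on net1,
# except one trusted host, for one of the server's addresses; the v6 set
# denies 2001:db8::/32.  Blocked peers get RST/ICMP back instead of silence.
SAMPLE = {
    "policy": "deny",
    "block_policy": "return",
    "apply_to": ["network:10.0.0.0/8", "if:net1"],
    "exceptions": ["host:10.1.2.3"],
    "target": ["host:192.0.2.10"],
    "apply_to_6": ["network:2001:db8::/32"],
}

if __name__ == "__main__":
    for line in generate_rules(SAMPLE, "tcp", 2049):
        print(line)
    for line in generate_rules(SAMPLE, "udp", 2049, v6=True):
        print("(ipf -6)", line)
```

The IPv6 lines are kept as a separate set because ipfilter loads them through ipf -6 rather than from the IPv4 rule file; a host: or network: entity of the wrong family is rejected at generation time rather than written out as a rule ipf would refuse, which is the check an IPv4-only generator never needed.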
Updated by Hans Rosenfeld about 7 years ago
Webrev: http://ma.nexenta.com/~woodstock/illumos-6123/
While at it I fixed a few minor issues in the nfs/client ipfilter support (handled by /lib/svc/method/nfs-server):
- block tcp6 ports for IPv4, too
- only open client ports when nfs/client is enabled
I also fixed the yp client to use "getent ipnodes $hostname" instead of parsing /etc/hosts directly, this is a requirement to allow IPv6 support.
Updated by Electric Monk over 6 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit 7ddce99911fbb5e44b38ac65e991a22e42267ee9
commit 7ddce99911fbb5e44b38ac65e991a22e42267ee9
Author: Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
Date:   2016-01-22T15:23:04.000Z

    6123 SMF ipfilter support needs improvement
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Attila Fülöp <attila@fueloep.org>
    Reviewed by: Cody Mello <melloc@joyent.com>
    Approved by: Dan McDonald <danmcd@omniti.com>