Bug #6123

closed

SMF ipfilter support needs improvement

Added by Hans Rosenfeld about 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Category: smf
Start date: 2015-08-14
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

We currently have support for securing SMF-managed services with ipfilter. This is especially useful for securing RPC services using dynamic ports.

As it happens this support is somewhat limited:
  • supports only dropping of packets; there is no setting to return RST (TCP) or ICMP error messages (all other protocols)
  • supports only filtering on source addresses, source address pools, and incoming interfaces
  • supports only IPv4

For a few months now I have been running with a bunch of changes that allow IPv6 support, specifying a block policy, and filtering on destination addresses. It's time to have these upstreamed.
