On 03/10/10 05:48 AM, Ivan Wang wrote:
> Reply to myself..
> I got default policy working, forgot to refresh after setting property with
> svccfg.
> So for my use-case the only thing not there is the ability to filter non
> transport layer traffic, but on the other hand, it's not something I cannot
> live with, default block all can serve as a catch-all.

Glad you got it figured out. Yes, setting the default global policy to
allow only explicitly specified entities should be sufficient since it
would block all. ICMP traffic is currently only allowed if
routing/rdisc:default or routing/route:default is enabled.

> Good thing with SMF approach is that I can svccfg script to configure service
> firewall to some degree without operating directly on configuration file.

Yup, one of our goals was to allow users to set common firewall
configurations without too much knowledge of IPFilter.
-tn