Anurag Maskey wrote:
> With the putback of PSARC 2008/580 Solaris host-based firewall, some
> of our changes to the network/ipfilter service have created design
> conflicts.
>
> We added config/*_config_file properties to specify the configuration
> files. Previously, these were hardcoded in the service's script.
> But host-based firewall added new properties to network/ipfilter.
> Among other things, specifying our ipf.conf file (e.g. for Automatic
> and NoNet) requires setting the policy to "custom" and specifying the
> ipf.conf file in custom_policy_file. I think the policies for
> Automatic and NoNet can be specified without custom ipf.conf files
> (need to do some reading on this). The other properties are still
> hard-coded.
>
> I am not able to find emails/discussions that decided on using the
> config/*_config_file properties in network/ipfilter. I only see this
> [1] thread, that talks about locations and security policy, but
> nothing about the four properties we added. Does anything else change
> for us with the introduction of host-based firewalls?
>

I don't think so. The introduction of the config properties was just a way of allowing us to specify location-specific config file paths for ipf.conf, ipnat.conf etc.

Sounds like the right answer may be to merge things so that we specify that we have a custom config and point custom_policy_file at the appropriate ipf.conf while retaining the config file properties for other files not covered by the host-based firewall.

I guess we'll also need to ensure that the netadm user (i.e. nwamd) has the solaris.smf.value.firewall.config auth.

Alan
