Alan Maguire wrote:
> Anurag Maskey wrote:
>> With the putback of PSARC 2008/580 Solaris host-based firewall, some
>> of our changes to the network/ipfilter service have created design
>> conflicts.
>>
>> We added config/*_config_file properties to specify the
>> configuration files. Previously, these were hardcoded in the
>> service's script.
>> But, host-based firewall added new properties to network/ipfilter.
>> Among other things, specifying our ipf.conf file (e.g. for Automatic
>> and NoNet) requires setting the policy to "custom" and specifying the
>> ipf.conf file to the custom_policy_file. I think the policies for
>> Automatic and NoNet can be specified without custom ipf.conf files
>> (need to do some reading on this). The other properties are still
>> hard-coded.
>>
>> I am not able to find emails/discussions that decided on using the
>> config/*_config_file properties in network/ipfilter. I only see this
>> [1] thread, that talks about locations and security policy, but
>> nothing about the four properties we added. Does anything else
>> change for us with the introduction of host-based firewalls?
>>
> I don't think so. The introduction of the config
> properties was just a way of allowing us to
> specify location-specific config file paths for
> ipf.conf, ipnat.conf etc. Sounds like the right
> answer may be to merge things so that
> we specify that we have a custom config
> and point custom_policy_file at the
> appropriate ipf.conf while retaining the
> config file properties for other files not
> covered by the host-based firewall. I guess
> we'll also need to ensure that the netadm
> user (i.e. nwamd) has the
> solaris.smf.value.firewall.config auth.

I'll clean up the auths and ipfilter.

What does complicate things for us is that users may have specified policies without the "custom" policy and custom file. When creating the Legacy location, we'll have to somehow save these configurations. I've asked Tony Nguyen if there's a way to "export" (and later import) these configurations to a file so that the Legacy location just stores that file.

Anurag
