Edward Pilatowicz wrote:
> hey tony,
>
> imho, if an admin configures ipfilter settings incorrectly, having the
> system come up and not actively notify the admin of the misconfiguration
> seems bad and broken. ipfilters is a critical part of system security,
> if its configuration is invalid, the security of the system may be
> compromised and it's important for the admin to know about this.
> having the admin "poll" log files for errors is not a valid option.
>
> i personally think it would be much more appropriate to have a
> smf service fail to start, and an error message should be
> generated and put into the smf service log file clearly indicating
> the reason for the failure.
>
> you could have the ipfilter service itself fail to start, but
> i think it would be better to have the individual service that
> has the invalid configuration parameters fail to start. the
> reason i think the latter option is better is because it means
> that the services aren't running exposed. for example, if i
> incorrectly configure ssh with an allow ipfilter configuration,
> then if the ipfilter smf service goes into maintenance then
> all my services on the machine are accessible (read exposed to
> the world) until i fix the ssh ipfilter configuration. if just
> the ssh service fails to come online, then all my other services
> are available with their proper ipfilter configuration.
>
Ed,

I was prioritizing service availability but understand the concerns now.
Essentially, the desired behaviors should be

1. If a service firewall policy is misconfigured, the service shouldn't be running exposed and appropriate information should be logged for that service.
2. If a system-wide policy is misconfigured, network/ipfilter should be placed in maintenance which is the current behavior. Additionally, we also want services to be in maintenance, not running exposed. This additional behavior can be done by specifying network/ipfilter as an optional dependency for network services.

What do you think?

Andrew,

I'll look into addressing that 6623013 bug if possible.

Thanks,
tony

>
> On Wed, Sep 24, 2008 at 04:22:48PM -0700, Tony Nguyen wrote:
>> Edward Pilatowicz wrote:
>>> just one quick question.
>>>
>>> given that ipfilter service specific configuration is stored with
>>> the services themselves, how will the user know if a specific service
>>> has an invalid ipfilter configuration? will that specific service
>>> fail and go into the maintenance state? or will the ipfilter:default
>>> service go into the maintenance state?
>>>
>> Ed,
>>
>> Think I missed your point in my earlier response. Putting a service into
>> maintenance seems heavy-handed but we need the observability. How about a
>> message in network/ipfilter log file? Do you have other suggestions?
>>
>> thanks,
>> tony