Hey Will,

If you want to block everything outbound, you can write something like the following:

    FROM vm <uuid> TO ANY BLOCK TCP PORT all
    FROM vm <uuid> TO ANY BLOCK UDP PORT all

If you want to block all outbound except for several ports, you can do the following (assuming you're on a recent platform with FWAPI-197's changes):

    FROM vm <uuid> TO any BLOCK TCP PORTS 1-21, 23-79, 81-65535

And yes, fwadm is a wrapper around ipf that's aware of VM uuids and tags. It makes use of the global zone controlled ruleset (versus the in-zone controlled ruleset). I don't think it's stated explicitly anywhere, but fwadm(1M) does mention some flags related to ipf.

- Cody

On Sun, Mar 6, 2016 at 6:57 AM, Will Beazley <[email protected]> wrote:
> Cody,
>
> Quick follow-up.
>
> I undertook the following two steps once I had read your email and now that
> I had a window to work on it:
> 1. Went back and updated the owner_uuid (conflict indeed); and
> 2. reapplied the existing rules, after no change after step [1].
>
> Now it works.
>
> Is there a way using fwadm to block everything outbound (save for a clutch
> of ports) or shall I need to use ipf for that (not an issue at all)?
>
> Stop me if you have heard this one:
> It seems to me that fwadm is likely a VM aware wrapper for ipf; now why this
> possibility didn't dawn on me earlier, I am sure it is likely hidden in
> plain sight in the manual.
>
> Many Thanks,
> Will
>
> On 2/29/16 3:54 PM, Cody Mello wrote:
>> This type of rule is meant to work, and works when I set one up on my
>> local instance. There are two possibilities that I can think of right
>> now:
>>
>> - What version of SmartOS are you running? This may be a bug that has
>> since been fixed
>> - What's the output of `fwadm list -j`? If your rule isn't a global
>> rule and has an owner_uuid, then it won't be applied to the VM if the
>> owner_uuid disagrees.
>>
>> - Cody
>>
>> On Mon, Feb 29, 2016 at 1:37 PM, Will Beazley <[email protected]> wrote:
>>> [root@90-b1-1c-00-0b-6a /usbkey]# ipfstat -nio -G 49700b0b-55a8-4245-b3bf-907e098130ab
>>> @1 pass out quick proto tcp from any to any flags S/SA keep state
>>> @2 pass out proto tcp from any to any
>>> @3 pass out proto udp from any to any keep state
>>> @4 pass out quick proto icmp from any to any keep state
>>> @5 pass out proto icmp from any to any
>>> @1 pass in quick proto icmp from any to any icmp-type echo code 0
>>> @2 pass in quick proto tcp from any to any port = ssh
>>> @3 block in all
>>> [root@90-b1-1c-00-0b-6a /usbkey]#
>>>
>>> On 2/29/16 3:14 PM, Cody Mello wrote:
>>>> ipfstat -nio -G 49700b0b-55a8-4245-b3bf-907e098130a

-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
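The "block everything outbound except a few ports" rule in Cody's reply is built by hand from the allowed ports (22 and 80 give 1-21, 23-79, 81-65535). The following is an added example, not code from the thread or from SmartOS, that computes those complementary ranges and emits one TCP and one UDP rule in the same `FROM vm <uuid> TO any BLOCK <proto> PORTS ...` form; the vm uuid is a placeholder and the use of a bare number for a single-port entry is an assumption.

```python
# Added example (not from the thread or SmartOS): derive the port ranges an
# fwadm BLOCK rule needs so that only the listed outbound ports stay open.
from typing import Iterable, List, Tuple


def blocked_ranges(allowed: Iterable[int]) -> List[Tuple[int, int]]:
    """Return the (start, end) ranges within 1-65535 that remain after
    removing every port in `allowed`. Out-of-range and duplicate ports
    are ignored."""
    ports = sorted({p for p in allowed if 1 <= p <= 65535})
    ranges: List[Tuple[int, int]] = []
    start = 1
    for p in ports:
        if p > start:          # gap before this allowed port -> block it
            ranges.append((start, p - 1))
        start = p + 1          # resume just past the allowed port
    if start <= 65535:         # trailing gap up to the last port number
        ranges.append((start, 65535))
    return ranges


def format_ranges(ranges: List[Tuple[int, int]]) -> str:
    """Render ranges as fwadm-style 'a-b, c-d'; a one-port range is written
    as a bare number (assumption, not verified against fwadm(1M))."""
    return ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


def block_outbound_except(vm_uuid: str, allowed: Iterable[int]) -> List[str]:
    """Emit a TCP and a UDP rule that block every outbound port except
    `allowed`, mirroring the two-rule pattern in the reply above.
    Returns [] if every port is allowed (nothing to block)."""
    ranges = blocked_ranges(allowed)
    if not ranges:
        return []
    return [
        f"FROM vm {vm_uuid} TO any BLOCK {proto} PORTS {format_ranges(ranges)}"
        for proto in ("TCP", "UDP")
    ]


if __name__ == "__main__":
    # <uuid> is a placeholder; substitute the VM's uuid from `vmadm list`.
    for rule in block_outbound_except("<uuid>", [22, 80]):
        print(rule)
```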
