Nicolas Williams wrote:
> On Tue, Oct 28, 2008 at 03:16:15PM -0700, Tony Nguyen wrote:
>> Darren Reed wrote:
>>> Stepping beyond that, is it possible for NWAM locations to also apply
>>> a SMF template that results in services being enabled/disabled as
>>> appropriate?
>> The current SMF profiles feature may be the solution. See svccfg(1M),
>> smf(5) and examples in /var/svc/profile.
>
> That's what I think, and, I was under the impression that NWAM and
> Enhanced SMF Profiles were supposed to go hand-in-hand (NWAM location
> change -> switch current SMF profile). That would certainly work for
> the host-based firewall -- the per-service filters are configured
> via SMF while Enhanced SMF Profiles lets you capture arbitrary property
> groups and properties in each profile.

Agreed. My response to Darren was to point out how the existing SMF Profile functionality can be used to switch different sets of enabled/disabled services. Enhanced Profiles also provides the ability to apply a profile's values while preserving user customizations, which potentially makes NWAM's profiles and locations implementation much simpler.

In the absence of Enhanced Profiles, however, I'm very curious how NWAM will implement switching of profiles and locations, w.r.t. SMF properties. Are the user's customizations (service's enabled state and property values) preserved when profiles and locations deliver different values?

> The question is: is it reasonable to deliver NWAM locations *before*
> delivering Enhanced SMF Profiles. Without the host-based firewall in
> the picture I'd say "yes, but it's asking for trouble." With the
> host-based firewall in the picture I'd say "trouble's here." :(

As Renee described in an earlier email, we can configure location-specific IPfilter rules as services' firewall configurations and apply those firewall configurations (change services' firewall properties) when a location is activated. This is equivalent to applying a profile, setting the enabled state of services. Do you still see troubles?

-tony