David Bustos wrote:
> Quoth Darren.Reed at sun.com on Wed, Oct 11, 2006 at 07:54:38PM -0700:
>
>> To manipulate these properties of the ipfilter service,
>> a new script called "ipfadm" is to be used as follows:
>>
>> ipfadm ipf <enable|disable|start|stop|status|restart|refresh>
>> ipfadm ipnat <enable|disable|start|stop|status|restart|refresh>
>> ipfadm ippool <enable|disable|start|stop|status|restart>
>> ipfadm ipmon <enable|disable|start|stop|status|restart|refresh>
>> ipfadm ipfilter <enable|disable|start|stop|status>
>>
>
> Can you walk through a few simple use cases? Like if I were to start
> with a stock installation and I wanted to set up NAT, or set up
> filtering, etc.
>
If I have an OpenSolaris system with IPFilter disabled, to get it running I need to:

1.a- edit /etc/ipf/pfil.ap (not required post-pfhooks)
1.b- activate /etc/ipf/pfil.ap (not required post-pfhooks)
1.c- edit /etc/ipf/ipf.conf
1.d- svcadm enable pfil
1.e- svcadm enable ipfilter

If I then want to enable NAT, I must do:

2.a- edit /etc/ipf/ipnat.conf
2.b- svcadm restart ipfilter

If I then want to disable NAT, I must do:

3.a- disable any active entries in /etc/ipf/ipnat.conf
3.b- svcadm restart ipfilter

If I want to disable ipmon, I must do:

4.a- edit /lib/svc/method/ipfilter and/or
4.b- pkill ipmon

With the proposed changes, the steps that change are:

2.b- ipfadm ipnat restart
3.a- no longer required
3.b- ipfadm ipnat disable
4.a- ipfadm ipmon disable
4.b- no longer required

...regarding ipmon, we would also be making public at least one property to make it easy for people to specify what command line parameters are used when starting it. At this point, doing this would only be possible via svccfg.

Going from scratch to something working doesn't change; this command is really about managing what's running once you've gotten something working.

At present the "ipfilter" part of the above isn't present in the prototype, and all actions that relate to disabling/enabling of the FMRI itself must be done using svcadm.

Something that might cause confusion is that the "name" comes before the enable/disable. In running it by a friend of mine who has done his fair share of work as a systems administrator, he pointed out that by having start/stop last, it makes it much easier when typing interactively to do:

# ipfadm ipnat stop

... then go back in shell history, delete "stop" and write "start".

Looking at this topic, in light of the changes being discussed for NFS, one might argue that "svcadm enable ipfilter" should receive the same treatment and default to locked.
Turning this on/off would then be a matter for the ipfadm program/script, if/when it is satisfied that the machine's configuration is sane.

Darren