Heads-up: PSARC 2008/580 Solaris host-based firewall (resend)
Date: Mon, 23 Feb 2009 14:15:59 -0800
From: Tony Nguyen <Truong.Q.Nguyen at sun dot com>
To: onnv-gate at onnv dot eng dot sun dot com, on-all at eng dot sun dot com
Subject: Heads-up: PSARC 2008/580 Solaris host-based firewall (resend)
Resending as I forgot to attach svc.ipfd(1m)
The integration of:
6761070 PSARC 2008/580 Solaris host-based firewall
6236609 svc.startd resets auxiliary state on svcadm mark maintenance
6762307 SMF - expressing a service's maintenance state by request of another service
introduced a simpler way to configure a host-based firewall for Solaris
systems. Rather than manually generating an ipf.conf file, users can
configure policy for the system and/or at the services' level by setting
SMF firewall properties. network/ipfilter will generate and load ipf
rules according to the configured policies.
Users can still have a manually generated ipf rule file by configuring the
global policy to "custom" and specifying the ipf rule file. See PSARC 2008/580
http://www.opensolaris.org/os/community/arc/caselog/2008/580/
or the attached svc.ipfd(1M) for details on how to configure firewall
policies.
Upgrade:
For systems with prior active /etc/ipf/ipf.conf file, the first start of
network/ipfilter migrates to the new configuration model (set global
policy to 'custom'). In other words, network/ipfilter will have the
following property values:
firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf
firewall_config_default/policy astring custom
thus existing rules will remain active and user intervention is not needed.
Developers:
New services, by default, inherit the global policy. However, full integration
with the firewall framework will allow services to have firewall
configuration independent from the global policy. Integration can be as
simple as adding new property groups (firewall_config and
firewall_context) and their corresponding properties to the service.
See the Developer Documentation section in the ARC case or the attached
svc.ipfd(1M) for information on the firewall_context and firewall_config
property groups, and refer to existing services for examples.
Questions should be directed to both:
smf-discuss at opensolaris dot org
network-discuss at opensolaris dot org
Thanks,
tony
System Administration Commands svc.ipfd(1M)
NAME
svc.ipfd - IPfilter firewall monitoring daemon
SYNOPSIS
/lib/svc/bin/svc.ipfd
svc:/network/ipfilter:default
DESCRIPTION
svc.ipfd monitors actions on services that have firewall configuration and
initiates updates to those services' IPfilter configuration. The daemon allows
the system to react to changes in its firewall configuration incrementally,
at a per-service level.
A service's firewall policy is activated when the service is enabled,
deactivated when it is disabled, and updated when its configuration property
group is modified. svc.ipfd monitors the SMF repository for these actions and
invokes the IPfilter rule generation process to carry out the service's
firewall policy.
Environment Variables and Context
This daemon is started by the network/ipfilter service through either its
start or its refresh method. Thus, the daemon inherits the environment
variables and credentials of the method and runs as root with all zone
privileges.
FIREWALL STATIC CONFIGURATION
The static definition describes a service's network resource configuration and
is used to generate service-specific ipf rules. A new per-service
"firewall_context" property group contains a service's static definition,
similar to the "inetd" property group of inetd-managed services.
- firewall_context/name: for non-inetd services, the IANA name or
RPC name, equivalent to the inetd/name property.
- firewall_context/isrpc: for non-inetd services, a boolean property where
a "true" value indicates an RPC service, equivalent to the inetd/isrpc
property. For RPC services, the value of firewall_context/name is not an
IANA name but either an RPC program number or name; see rpc(4).
Additionally, some services may require a mechanism to generate and supply
their own ipf rules. An optional property, ipf_method, provides a mechanism
that allows custom rule generation.
- firewall_context/ipf_method: a command, normally a script, that
generates ipf rules for a service. The framework does not generate
rules for services that define this property but expects these
services to provide their own rules.
A service's ipf_method specifies a command that takes one additional
argument, the service's own fmri, generates the service's firewall rules and
writes them to stdout. To generate rules for a service with an ipf_method
property, the framework execs the command specified in ipf_method, passing
the service fmri as that additional argument, and stores the rules for that
service by redirecting the command's output to the service's rule file.
Because an ipf_method is exec'ed from the context of either the
network/ipfilter start or refresh method process, it inherits that execution
context and runs as root.
Administrative Privilege
The service's static configuration is delivered by the service developer
and is not intended to be modified by users. These properties are only
modified upon installation of an updated service definition.
FIREWALL POLICY CONFIGURATION
A per-service property group, firewall_config, stores the service's firewall
policy configuration. Since network/ipfilter:default is responsible for two
system-wide firewall policies, Global Default and Global Override,
as explained in ipfilter(5), it has two property groups,
firewall_config_default and firewall_config_override, to store the respective
system-wide policies.
Below are the properties, their possible values and corresponding semantics:
policy
"none" policy mode: no access restriction. For a global policy, this
mode allows all incoming traffic. For a service policy, this mode
allows all incoming traffic to the service.
"deny" policy mode: more restrictive than "none". This mode allows
incoming traffic from all sources except those specified in the
"apply_to" property.
"allow" policy mode: the most restrictive mode. This mode blocks incoming
traffic from all sources except those specified in the "apply_to"
property.
apply_to
A multi-value property listing the network entities on which the
chosen policy mode is enforced. Entities listed in the apply_to property
are denied if the policy is "deny" and allowed if the policy is "allow".
The syntax for possible values is:
host: host:IP "host:192.168.84.14"
subnet: network:IP/netmask "network:129.168.1.5/24"
ippool: pool:pool number "pool:77"
interface: if:interface_name "if:e1000g0"
exceptions
A multi-value property listing network entities to be excluded from the
"apply_to" list. For example, when a deny policy is applied to a subnet,
exceptions can be made for some hosts in that subnet by specifying them
in the "exceptions" property. This property has the same value syntax
as the "apply_to" property.
For individual network services only:
firewall_config/policy
A service's policy can also be set to "use_global". Services with the
"use_global" policy mode inherit the Global Default firewall policy.
For the Global Default only:
firewall_config_default/policy - can also be set to "custom"
The Global Default policy, the firewall_config property group in
svc:/network/ipfilter:default, can also be set to "custom". Users
can set the policy to "custom" to use a prepopulated IPfilter configuration,
e.g. an existing IPfilter configuration or custom configurations that
can't be expressed by the framework. This Global Default-only policy
mode allows users to supply a text file containing the complete set of
ipf rules. When "custom" mode is selected, the specified set of ipf
rules is *complete* and the framework will not generate ipf rules from
configured firewall policies.
firewall_config_default/custom_policy_file
A file path to be used when the Global Default policy is set to "custom".
The file contains a set of ipf rules which provide the desired IPfilter
configuration. For example, users with existing ipf rules in
/etc/ipf/ipf.conf can execute the following commands to use the existing
rules:
1. Set custom policy
# svccfg -s ipfilter:default setprop \
firewall_config_default/policy = astring: "custom"
2. Specify custom file
# svccfg -s ipfilter:default setprop \
firewall_config_default/custom_policy_file = astring: \
"/etc/ipf/ipf.conf"
3. Refresh configuration
# svcadm refresh ipfilter:default
firewall_config_default/open_ports
A non-service program that needs its incoming traffic allowed can
request that the firewall permit traffic to its communication ports. This
multi-value property contains protocol and port(s) tuples in
the form
"{tcp | udp}:{PORT | PORT-PORT}"
Initially, the system-wide policies are set to "none" and network services'
policies are set to "use_global". Enabling network/ipfilter activates the
firewall with an empty set of ipfilter rules, since the system-wide policy is
"none" and all services inherit that policy. To configure a more restrictive
policy, use svccfg(1M) to modify the network services' and system-wide policies.
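The following script is an added illustration of an ipf_method command as described under FIREWALL STATIC CONFIGURATION, turning the policy, apply_to and exceptions semantics above into ipf rules; it is not the framework's own rule generator, and it assumes a fixed tcp port 21 and that svcprop prints a multi-valued property's values space-separated on one line.

```shell
#!/bin/sh
# Hypothetical ipf_method script (added illustration, not the framework's
# own generator). The framework execs it with the service fmri as the extra
# argument and redirects stdout to the service's rule file.

# rule ACTION ENTITY PROTO PORT: print one ipf rule for an apply_to or
# exceptions entity written in the documented host:/network:/pool:/if: syntax.
rule() {
    r_kind=${2%%:*} r_val=${2#*:} r_if=
    case $r_kind in
    host|network) r_src=$r_val ;;
    pool)         r_src="pool/$r_val" ;;
    if)           r_src=any; r_if=" on $r_val" ;;
    *) echo "rule: unknown entity '$2'" >&2; return 1 ;;
    esac
    echo "$1 in quick$r_if proto $3 from $r_src to any port = $4"
}

# gen_rules POLICY PROTO PORT APPLY_TO EXCEPTIONS
# APPLY_TO and EXCEPTIONS are space-separated entity lists (may be empty).
gen_rules() {
    policy=$1 proto=$2 port=$3 apply_to=$4 exceptions=$5
    case $policy in
    none)  echo "pass in quick proto $proto from any to any port = $port"
           return 0 ;;
    deny)  act=block; other=pass ;;   # listed entities blocked, rest passes
    allow) act=pass;  other=block ;;  # listed entities pass, rest blocked
    *)     echo "gen_rules: unknown policy '$policy'" >&2; return 1 ;;
    esac
    # "quick" rules match on first hit, so exceptions must precede apply_to.
    for e in $exceptions; do rule $other "$e" "$proto" "$port" || return 1; done
    for e in $apply_to;   do rule $act   "$e" "$proto" "$port" || return 1; done
    # IPFilter passes unmatched packets, so only allow mode needs a closing rule.
    [ "$policy" = allow ] &&
        echo "block in quick proto $proto from any to any port = $port"
    return 0
}

# Entry point for the framework: $1 is the service fmri. Reads the
# firewall_config properties with svcprop(1); port 21 (ftp) is assumed.
ipf_method() {
    gen_rules "$(svcprop -p firewall_config/policy "$1")" tcp 21 \
        "$(svcprop -p firewall_config/apply_to "$1")" \
        "$(svcprop -p firewall_config/exceptions "$1")"
}

if [ $# -eq 1 ]; then ipf_method "$1"; fi
```

Because exceptions are emitted before the apply_to entries, a host carved out of a denied subnet is passed even though its subnet is blocked, and an unknown entity or policy value makes the script fail rather than emit a partial rule set.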
Administrative Privilege
Users configure firewall policy by modifying the service's firewall_config
property group. A new authorization, "solaris.smf.value.firewall.config", is
created to allow delegation of the firewall administration privilege to users.
Service Operator users will need this new authorization to be able to
configure firewall policy.
FIREWALL AVAILABILITY
During boot, the firewall is configured for enabled services before those
services are started, so services are protected on boot. While the system is
running, administrative actions such as restarting, enabling and refreshing a
service may cause a brief period of exposure during which the service
runs while its firewall is being configured.
svc.ipfd monitors a service's start/stop events and configures or unconfigures
the service's firewall at the same time that SMF is starting or stopping the
service. Since the two operations run concurrently, there is a possible
window of exposure (less than a second) if the service is started before its
firewall configuration has completed. RPC services typically listen on
ephemeral ports which are not known until the services are actually running.
RPC services are therefore subject to a similar exposure, since their firewall
rules are not configured until the services are running.
DEVELOPER DOCUMENTATION
Services providing remote capabilities are encouraged to participate in the
firewall framework to control network access to the service. While
framework integration isn't mandatory, remote access to services that are not
integrated in the framework may not function correctly when a system-wide
policy is configured.
Integrating a service into the framework is as straightforward as defining
two additional property groups and their corresponding properties in the
service manifest. IPfilter rules are generated when the user enables the
service. In the non-trivial case of custom rule generation, where a shell
script is required, there are existing scripts that can be used as examples.
The additional property groups, firewall_config and firewall_context, store
the firewall policy configuration and provide the static firewall definition,
respectively. Below is a summary of the new property groups and properties
and their appropriate default values.
Firewall policy configuration:
firewall_config
See the FIREWALL POLICY CONFIGURATION section for more information. Access
to it is protected by a new authorization definition and a user-defined
property type. The new authorization should be assigned to the property
group's value_authorization property, such as
<propval name='value_authorization' type='astring'
value='solaris.smf.value.firewall.config' />
Third parties should follow the service symbol namespace convention to
generate a user-defined type; Sun-delivered services can use
"com.sun,fw_configuration" as the property type.
firewall_config/policy
This property's initial value should be "use_global" since services,
by default, inherit the Global Default firewall policy.
firewall_config/apply_to
An empty property, this property has no initial value.
firewall_config/exceptions
An empty property, this property has no initial value.
Firewall static definition:
firewall_context
See the FIREWALL STATIC CONFIGURATION section for more information. Third
parties should follow the service symbol namespace convention to generate a
user-defined type; Sun-delivered services can use
"com.sun,fw_definition" as the property type.
firewall_context/name
For a service with a well-known, IANA-defined port that can be obtained with
getservbyname(3SOCKET), the service's IANA name is stored in this
property. For RPC services, the RPC program number is stored in this
property.
firewall_context/isrpc
For RPC services, this property should be created with its value set to
"true".
firewall_context/ipf_method
In general, the specified firewall policy is used to generate IPfilter
rules for the service's communication port, derived from the
firewall_context/name property. Services which don't have IANA-defined
ports and are not RPC services will need to generate their own IPfilter
rules. Services that generate their own rules may choose not to have
firewall_context/name and firewall_context/isrpc properties. See
the following services
svc:/network/ftp:default
svc:/network/nfs/server:default
svc:/network/ntp:default
and others with an existing ipf_method for guidance.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           SUNWcsu SUNWipfr
Interface Stability    Committed
SEE ALSO
ipfilter(5), ipf(4), rpc(4), svcs(1), svcprop(1), svcadm(1M),
svccfg(1M), attributes(5), smf(5)