Old 06-03-2017, 02:47 PM   #1
birdy-97
LQ Newbie
 
Registered: Jun 2017
Location: Santa Cruz, California
Distribution: Debian 8.7, OpenIndiana 17.10, Centos 7, Linux Mint
Posts: 18

how to enable firewall on boot/reboot with openindiana?


Hello everyone,

I was just wondering if anyone knew how to set up ipfilter using custom settings to be enabled on boot/reboot. I have been trying out some Solaris init scripts. The scripts do work on a cold boot, but not on a reboot. So I was wondering if there is a better way to enable this at boot?
By the way, I'm running the latest release of OI on my test server.

Thanks in advance,

birdy-97
 
Old 06-03-2017, 06:41 PM   #2
rigor
Member
 
Registered: Sep 2003
Location: 19th moon ................. ................Planet Covid ................Another Galaxy;............. ................Not Yours
Posts: 705

Hi birdy-97,

With what init state do you have the script associated?

Also, when you reboot, what command are you using to reboot?

Last edited by rigor; 06-03-2017 at 06:56 PM.
 
Old 06-03-2017, 10:12 PM   #3
birdy-97
Thank you for responding, rigor,

The init script number that I'm associating the script with is 3. I thought it should fit since all the services start in run level 3.
If it helps, here is my startup script that is located in /etc/init.d/ and is also linked statically to /etc/rc3.d/S20pkcfirewall.
Code:
#!/bin/sh
# Start up script to enable the firewall
case "$1" in
'start')
    # put startup commands here
    svcadm enable ipfilter

    # load custom configuration
    # Enable custom firewall rules for ipfilter...
    svccfg -s ipfilter:default setprop \
        firewall_config_default/policy = astring: "custom"

    svccfg -s ipfilter:default setprop \
        firewall_config_default/custom_policy_file = astring: \
        "/etc/ipf/ipf.conf"

    svcadm refresh ipfilter:default
    ;;
'stop')
    # stop service
    ;;
*)
    echo "Usage: $0 start|stop" >&2
    exit 1
    ;;
esac
exit 0

I got the script from a website from 2006; I think it was UNIX forums or something. I'll post it once I find the PDF I saved.

To answer your other question, I have been using shutdown -y -i 6, although before finding this shutdown command I had been using reboot. But both do not start up the script.

Last edited by birdy-97; 06-03-2017 at 10:13 PM.
 
Old 06-04-2017, 01:32 AM   #4
rigor
Thanks for the additional info. Are you sure that everything on which your script depends is started by the point at which it tries to run?

What messages are put in the logs when the script is running?
 
Old 06-04-2017, 07:04 PM   #5
birdy-97
So I think I fixed the problem; the script now executes on shutdowns and reboots! I didn't think that all of those services had been set up at the exact time the script starts, but it gave me an idea. Instead of the script running just as a script, I made a script in /usr/local/bin/ called firewall that did the commands for starting up the service, but I made it wait 15 seconds to execute. The reason for the 15 sec delay is that it will apply the changes around the same time the login prompt is started, as well as when the dependencies have started to run. Along with this, I put the execution in the background, since I didn't know, nor want to find out, if the load/boot process would hang.

Here is what the init script looks like now:

Code:
#!/bin/sh
# Start up script to enable the firewall
case "$1" in
'start')
    # load custom configuration (runs in the background so boot does not block)
    /usr/local/bin/firewall &
    ;;
'stop')
    # stop service
    ;;
*)
    echo "Usage: $0 start|stop" >&2
    exit 1
    ;;
esac
exit 0

Along with my firewall script in /usr/local/bin/:

Code:
#!/bin/sh
# wait for system to boot up and services to start
sleep 15

# Enable custom firewall rules for ipfilter...
svcadm enable ipfilter

svccfg -s ipfilter:default setprop \
    firewall_config_default/policy = astring: "custom"

svccfg -s ipfilter:default setprop \
    firewall_config_default/custom_policy_file = astring: \
    "/etc/ipf/ipf.conf"

svcadm refresh ipfilter:default

Here is the svcs -xv on a cold boot:
Code:
root@openindiana:~# svcs -xv ipfilter
svc:/network/ipfilter:default (IP Filter)
 State: online since June  4, 2017 04:27:16 PM PDT
   See: man -M /usr/share/man -s 5 ipfilter
   See: /var/svc/log/network-ipfilter:default.log
Impact: None.

Here is the ipfilter log:
Code:
[ Jun  4 16:26:38 Rereading configuration. ]
[ Jun  4 16:26:39 Executing start method ("/lib/svc/method/ipfilter start"). ]
Set 0 now inactive
filter sync'd
0 entries flushed from NAT table
4 entries flushed from NAT list
[ Jun  4 16:26:39 Method "start" exited with status 0. ]
[ Jun  4 16:26:39 Stopping because service disabled. ]
[ Jun  4 16:26:39 Executing stop method ("/lib/svc/method/ipfilter stop"). ]
[ Jun  4 16:26:39 Method "stop" exited with status 0. ]
[ Jun  4 16:26:49 Rereading configuration. ]
[ Jun  4 16:27:05 Rereading configuration. ]
[ Jun  4 16:27:06 Rereading configuration. ]
[ Jun  4 16:27:16 Enabled. ]
[ Jun  4 16:27:16 Rereading configuration. ]
[ Jun  4 16:27:16 Executing start method ("/lib/svc/method/ipfilter start"). ]
Set 0 now inactive
filter sync'd
0 entries flushed from NAT table
4 entries flushed from NAT list
[ Jun  4 16:27:16 Method "start" exited with status 0. ]

Along with /var/adm/messages:

Code:
Jun  4 16:27:16 openindiana ipf: [ID 774698 kern.info] IP Filter: v4.1.9, running.

Last edited by birdy-97; 06-04-2017 at 07:06 PM.
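
The ipfilter log in post #5 records a "stop" method finishing at 16:26:39 and the next "start" method finishing at 16:27:16, so the filter was stopped for part of that boot. The script below is an added example, not part of the original thread, that extracts such stopped windows from an SMF service log; the function names are assumptions of the example, and the sample input is an excerpt of the log lines posted above.

```shell
#!/bin/sh
# Added example (not from the thread): find the windows in which ipfilter was
# stopped, using the "Method ... exited" lines of its SMF service log.

# Excerpt of the network-ipfilter:default.log lines posted above.
sample_log() {
    cat <<'EOF'
[ Jun  4 16:26:39 Executing start method ("/lib/svc/method/ipfilter start"). ]
[ Jun  4 16:26:39 Method "start" exited with status 0. ]
[ Jun  4 16:26:39 Stopping because service disabled. ]
[ Jun  4 16:26:39 Executing stop method ("/lib/svc/method/ipfilter stop"). ]
[ Jun  4 16:26:39 Method "stop" exited with status 0. ]
[ Jun  4 16:26:49 Rereading configuration. ]
[ Jun  4 16:27:16 Enabled. ]
[ Jun  4 16:27:16 Executing start method ("/lib/svc/method/ipfilter start"). ]
[ Jun  4 16:27:16 Method "start" exited with status 0. ]
EOF
}

# Reads an SMF log on stdin. Prints "<stopped at> <started at> <seconds>" for
# each stop/start pair, or "<stopped at> never -1" if no start follows.
# Assumption: a gap spans at most one midnight (the log lines carry no year).
ipf_down_windows() {
    awk '
    function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    # Only completed methods with exit status 0 change the state tracked here.
    $1 == "[" && $5 == "Method" && $7 == "exited" && $10 == "0." {
        if ($6 == "\"stop\"") { down = 1; since = $4 }
        else if ($6 == "\"start\"" && down) {
            gap = secs($4) - secs(since)
            if (gap < 0) gap += 86400
            print since, $4, gap
            down = 0
        }
    }
    END { if (down) print since, "never", -1 }'
}

# Run against the embedded excerpt when executed directly.
sample_log | ipf_down_windows
```

On the system itself, the same function can be fed the log file named in the svcs -xv output: `ipf_down_windows < /var/svc/log/network-ipfilter:default.log`.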
 
  

