I'd look for errors in the service's log - cat $(svcs -L /network/ipfilter)

Hi. It seems my ipf is acting up, so I have removed all configs (from GZ and from /zones/etc).

Now /etc/ipf/ipf.conf in GZ contains the following 2 lines:

pass in quick on lo0 all

pass out quick on lo0 all

I have also disabled ipf using: "svcadm disable network/ipfilter"

now svcs doesn't list ipfilter anymore and I have even rebooted the box to make sure it starts with a clean state.

so this is the current state: pastebin.com/raw/M2F9vtCH

enabling ipf doesn't populates the filter list, but manual reload populates it: pastebin.com/raw/ucrMmv4g

now, I assume ipf should read /etc/ipf/ipf.conf automatically, so let me reboot the box to see what happens.

It still doesn't loads the rules from ipf.conf automatically after a reboot: pastebin.com/raw/et9kCTLP

What am I doing wrong here?

maybe check it's setup to use the correct files as per the documentation on omnios.org/info/ipfilter.html

`svccfg -s ipfilter:default listprop | grep file`

but if things are in default state then it sounds like what you have should work

but also try sommerfeld's earlier suggestion:

01:20 < sommerfeld> I'd look for errors in the service's log - cat $(svcs -L /network/ipfilter)

The files are the default, and looks ok to me. The log output doesn't tells me too much: pastebin.com/raw/4zTQnwrW

Maybe: "Set 0 now inactive" ?

I try to reboot again, in this time I won't be available via irc.

I don't get this. Everything seems to be enabled according to the guides, i have rules in the ipf.conf, still the firewall rules doesn't gets loaded after booting the system: pastebin.com/raw/96QUxWhd

sometimes, it ma y happen, the guides are bad. from that log, see into /lib/svc/method/ipfilter - from it you will find the function to upgrade config and hint that you should have firewall_config_default/policy astring custom if you want to use those config files.... :P see also output from "svccfg -s ipfilter:default listprop"

tsoome: I see this: pastebin.com/raw/KhVcvpAB

Am I supposed to change firewall_config_default/policy to "custom"?

lemme try...

reboot.

Yess, it works now!

Thanks a lot!

I have documented it for myself here: extrowerk.com/2025-07-03/OmniOS-automatically-load-IPF-rules.html

I'd like to store the GZ and NGZ ipf configs in the same folder to make maintenance easier. IS it possible to symlink the NGZ ipf configs to the related zone/etc folders?

You can use lofs in the zone configs.

I do it on the directory level, but you can do it on the file level as well.

add fs

set dir="/etc/ipf"

set special="/some/gz/path/for-this-zone/ipf"

set type="lofs"

end

"dir" is in your zone. /some/gz/path/... is your gz (where you can manage it?)

I'm assuming these are native zones.

And also you can edit NGZ (assuming native) files from the gz by:

/zones/<zonename>/root/etc/ipf

(0)# zonename

global

(0)# ls /zones/router/root/etc/ipf

ipf.conf ipnat.conf

(0)#

I'm assuming native zones here (I use lipkg exclusively on my OmniOS-running HDC).

I have mixed brands here. mostly sparse, but also some lx and pkgsrc zones, and 1 bhyve aswell.

Can I use ipf in lx zones?

Not in them, but you can configure rulesets for them from the GZ.

andyf: in /etc/ipf/ipf.conf?

maybe it supports some kind of include directive, so i can have separate files for the separate zones...

No, in <zone path>/etc/ipf.conf

For something like an lipkg zone there are two rulesets. One configured and visible from inside the zone and one that's GZ controlled and can't be seen from inside the zone. You can use both at once.

What Dan posted is how you'd configure the firewall inside the zone (which you can't do for lx). The disadvantage of that is that you have to trust the zone.

andyf: I have some rules in the <zone path>/etc/ipf.conf, but the "ipfstat -z plex -ioh" command returns "empty list for ipfilter in/out"

Try `ipfstat -G plex -ioh`

-z will show you the in-zone stuff, -G will show you the GZ-managed zone stuff.

Ach so!

Thanks a lot, I got reasonable output with the -G switch.

The -G stuff cannot be seen or modified from inside the zone.

andyf: I think thats OK in my case. AFAIK this is relevant only if one plans to delegate the in-zone administrator role, right?

I have already set up a complete firewall ruleset in <zone path>/etc/ipf.conf, no need for additional rules.

Basically, yes. But both can be used together too, so you can have one set of rules managed by the GZ and another set by the zone admin. The second doesn't work in lx zones though.

andyf: thanks for the explanation!

Plex clent still works, ipfstat shows the packages going nicely.

However the connections to the nGZ doesn't shows up in the 'ipfstat -t' output running in the GZ. Maybe i should define the zone here aswell with -z plex.

Aha! It is 'ipfstat -t -G plex'

Really nice.

In terms of symlinking (just catching up), that should work one way or the other. I'm not sure if the brand will honour symlinks in <zonepath>/etc (I'd just test it) but if it doesn't you could symlink the other way so the real files stays in the zone path.