00:20:59 I'd look for errors in the service's log - cat $(svcs -L /network/ipfilter)
07:11:43 Hi. It seems my ipf is acting up, so I have removed all configs (from GZ and from /zones/etc).
07:11:58 Now /etc/ipf/ipf.conf in GZ contains the following 2 lines:
07:12:13 pass in quick on lo0 all
07:12:13 pass out quick on lo0 all
07:12:41 I have also disabled ipf using: "svcadm disable network/ipfilter"
07:13:03 now svcs doesn't list ipfilter anymore and I have even rebooted the box to make sure it starts with a clean state.
07:17:24 so this is the current state: https://pastebin.com/raw/M2F9vtCH
07:19:30 enabling ipf doesn't populate the filter list, but a manual reload populates it: https://pastebin.com/raw/ucrMmv4g
07:21:33 now, I assume ipf should read /etc/ipf/ipf.conf automatically, so let me reboot the box to see what happens.
07:26:14 It still doesn't load the rules from ipf.conf automatically after a reboot: https://pastebin.com/raw/et9kCTLP
07:26:24 What am I doing wrong here?
08:38:56 maybe check it's set up to use the correct files as per the documentation on https://omnios.org/info/ipfilter.html
08:39:00 `svccfg -s ipfilter:default listprop | grep file`
08:40:14 but if things are in default state then it sounds like what you have should work
08:41:05 but also try sommerfeld's earlier suggestion:
08:41:06 01:20 < sommerfeld> I'd look for errors in the service's log - cat $(svcs -L /network/ipfilter)
08:52:14 The files are the default, and look ok to me. The log output doesn't tell me too much: https://pastebin.com/raw/4zTQnwrW
08:53:18 Maybe: "Set 0 now inactive" ?
09:02:28 I'll try to reboot again; this time I won't be available via irc.
09:09:33 I don't get this. Everything seems to be enabled according to the guides, I have rules in the ipf.conf, still the firewall rules don't get loaded after booting the system: https://pastebin.com/raw/96QUxWhd
09:24:14 sometimes, it may happen, the guides are bad.
from that log, see into /lib/svc/method/ipfilter - from it you will find the function to upgrade config and a hint that you should have firewall_config_default/policy astring custom if you want to use those config files.... :P see also output from "svccfg -s ipfilter:default listprop"
10:00:19 tsoome: I see this: https://pastebin.com/raw/KhVcvpAB
10:00:44 Am I supposed to change firewall_config_default/policy to "custom"?
10:19:27 lemme try...
10:19:28 reboot.
10:22:45 Yess, it works now!
10:22:52 Thanks a lot!
10:53:46 I have documented it for myself here: https://extrowerk.com/2025-07-03/OmniOS-automatically-load-IPF-rules.html
14:05:56 I'd like to store the GZ and NGZ ipf configs in the same folder to make maintenance easier. Is it possible to symlink the NGZ ipf configs to the related zone/etc folders?
14:14:55 You can use lofs in the zone configs.
14:15:12 I do it on the directory level, but you can do it on the file level as well.
14:16:57 add fs
14:16:58 set dir="/etc/ipf"
14:16:58 set special="/some/gz/path/for-this-zone/ipf"
14:16:59 set type="lofs"
14:17:01 end
14:17:28 "dir" is in your zone. /some/gz/path/... is your gz (where you can manage it?)
14:17:43 I'm assuming these are native zones.
14:18:23 And also you can edit NGZ (assuming native) files from the gz by:
14:18:35 /zones//root/etc/ipf
14:19:17 (0)# zonename
14:19:18 global
14:19:18 (0)# ls /zones/router/root/etc/ipf
14:19:19 ipf.conf ipnat.conf
14:19:21 (0)#
14:19:59 I'm assuming native zones here (I use lipkg exclusively on my OmniOS-running HDC).
14:21:44 I have mixed brands here. Mostly sparse, but also some lx and pkgsrc zones, and 1 bhyve as well.
14:29:36 Can I use ipf in lx zones?
14:37:35 Not in them, but you can configure rulesets for them from the GZ.
14:40:51 andyf: in /etc/ipf/ipf.conf?
14:41:21 maybe it supports some kind of include directive, so I can have separate files for the separate zones...
14:41:25 No, in /etc/ipf.conf
14:42:09 For something like an lipkg zone there are two rulesets. One configured and visible from inside the zone and one that's GZ controlled and can't be seen from inside the zone. You can use both at once.
14:42:37 What Dan posted is how you'd configure the firewall inside the zone (which you can't do for lx). The disadvantage of that is that you have to trust the zone.
14:42:44 andyf: I have some rules in the /etc/ipf.conf, but the "ipfstat -z plex -ioh" command returns "empty list for ipfilter in/out"
14:43:49 Try `ipfstat -G plex -ioh`
14:44:07 -z will show you the in-zone stuff, -G will show you the GZ-managed zone stuff.
14:44:35 Ach so!
14:45:00 Thanks a lot, I got reasonable output with the -G switch.
14:45:23 The -G stuff cannot be seen or modified from inside the zone.
14:48:16 andyf: I think that's OK in my case. AFAIK this is relevant only if one plans to delegate the in-zone administrator role, right?
14:48:59 I have already set up a complete firewall ruleset in /etc/ipf.conf, no need for additional rules.
14:49:02 Basically, yes. But both can be used together too, so you can have one set of rules managed by the GZ and another set by the zone admin. The second doesn't work in lx zones though.
14:49:31 andyf: thanks for the explanation!
14:50:03 Plex client still works, ipfstat shows the packages going nicely.
14:51:39 However the connections to the nGZ don't show up in the 'ipfstat -t' output running in the GZ. Maybe I should define the zone here as well with -z plex.
14:52:43 Aha! It is 'ipfstat -t -G plex'
14:54:59 Really nice.
15:12:24 In terms of symlinking (just catching up), that should work one way or the other. I'm not sure if the brand will honour symlinks in /etc (I'd just test it) but if it doesn't you could symlink the other way so the real files stay in the zone path.