<sommerfeld> I'd look for errors in the service's log - `cat $(svcs -L /network/ipfilter)`
<szilard> Hi. It seems my ipf is acting up, so I have removed all configs (from GZ and from /zones/etc).
<szilard> Now /etc/ipf/ipf.conf in GZ contains the following 2 lines:
<szilard> pass in quick on lo0 all
<szilard> pass out quick on lo0 all
<szilard> I have also disabled ipf using: `svcadm disable network/ipfilter`
<szilard> Now svcs doesn't list ipfilter anymore, and I have even rebooted the box to make sure it starts with a clean state.
<szilard> So this is the current state: pastebin.com/raw/M2F9vtCH
<szilard> Enabling ipf doesn't populate the filter list, but a manual reload populates it: pastebin.com/raw/ucrMmv4g
<szilard> Now, I assume ipf should read /etc/ipf/ipf.conf automatically, so let me reboot the box to see what happens.
<szilard> It still doesn't load the rules from ipf.conf automatically after a reboot: pastebin.com/raw/et9kCTLP
<szilard> What am I doing wrong here?
<m1ari> Maybe check it's set up to use the correct files as per the documentation on omnios.org/info/ipfilter.html
<m1ari> `svccfg -s ipfilter:default listprop | grep file`
<m1ari> But if things are in the default state, then it sounds like what you have should work.
<m1ari> But also try sommerfeld's earlier suggestion:
<m1ari> 01:20 < sommerfeld> I'd look for errors in the service's log - cat $(svcs -L /network/ipfilter)
<szilard> The files are the default and look OK to me. The log output doesn't tell me too much: pastebin.com/raw/4zTQnwrW
<szilard> Maybe: "Set 0 now inactive"?
<szilard> I'll try to reboot again; during this time I won't be available via IRC.
<szilard> I don't get this. Everything seems to be enabled according to the guides, I have rules in the ipf.conf, still the firewall rules don't get loaded after booting the system: pastebin.com/raw/96QUxWhd
<tsoome> Sometimes, it may happen, the guides are bad. From that log, look into /lib/svc/method/ipfilter - from it you will find the function to upgrade config and the hint that you should have firewall_config_default/policy astring custom if you want to use those config files.... :P See also the output from `svccfg -s ipfilter:default listprop`
<szilard> tsoome: I see this: pastebin.com/raw/KhVcvpAB
<szilard> Am I supposed to change firewall_config_default/policy to "custom"?
<szilard> lemme try...
<szilard> Reboot.
<szilard> Yes, it works now!
<szilard> Thanks a lot!
<szilard> I have documented it for myself here: extrowerk.com/2025-07-03/OmniOS-automatically-load-IPF-rules.html
<szilard> I'd like to store the GZ and NGZ ipf configs in the same folder to make maintenance easier. Is it possible to symlink the NGZ ipf configs to the related zone/etc folders?
<danmcd> You can use lofs in the zone configs.
<danmcd> I do it on the directory level, but you can do it on the file level as well.
<danmcd> add fs
<danmcd> set dir="/etc/ipf"
<danmcd> set special="/some/gz/path/for-this-zone/ipf"
<danmcd> set type="lofs"
<danmcd> end
<danmcd> "dir" is in your zone. /some/gz/path/... is your GZ (where you can manage it?)
<danmcd> I'm assuming these are native zones.
<danmcd> And also you can edit NGZ (assuming native) files from the GZ by:
<danmcd> /zones/<zonename>/root/etc/ipf
<danmcd> (0)# zonename
<danmcd> global
<danmcd> (0)# ls /zones/router/root/etc/ipf
<danmcd> ipf.conf ipnat.conf
<danmcd> (0)#
<danmcd> I'm assuming native zones here (I use lipkg exclusively on my OmniOS-running HDC).
<szilard> I have mixed brands here: mostly sparse, but also some lx and pkgsrc zones, and 1 bhyve as well.
<szilard> Can I use ipf in lx zones?
<andyf> Not in them, but you can configure rulesets for them from the GZ.
<szilard> andyf: in /etc/ipf/ipf.conf?
<szilard> Maybe it supports some kind of include directive, so I can have separate files for the separate zones...
<andyf> No, in <zone path>/etc/ipf.conf
<andyf> For something like an lipkg zone there are two rulesets. One configured and visible from inside the zone, and one that's GZ controlled and can't be seen from inside the zone. You can use both at once.
<andyf> What Dan posted is how you'd configure the firewall inside the zone (which you can't do for lx). The disadvantage of that is that you have to trust the zone.
<szilard> andyf: I have some rules in the <zone path>/etc/ipf.conf, but the `ipfstat -z plex -ioh` command returns "empty list for ipfilter in/out"
<andyf> Try `ipfstat -G plex -ioh`
<andyf> -z will show you the in-zone stuff, -G will show you the GZ-managed zone stuff.
<szilard> Ah, I see!
<szilard> Thanks a lot, I got reasonable output with the -G switch.
<andyf> The -G stuff cannot be seen or modified from inside the zone.
<szilard> andyf: I think that's OK in my case. AFAIK this is relevant only if one plans to delegate the in-zone administrator role, right?
<szilard> I have already set up a complete firewall ruleset in <zone path>/etc/ipf.conf, no need for additional rules.
<andyf> Basically, yes. But both can be used together too, so you can have one set of rules managed by the GZ and another set by the zone admin. The second doesn't work in lx zones though.
<szilard> andyf: thanks for the explanation!
<szilard> Plex client still works, ipfstat shows the packets going nicely.
<szilard> However, the connections to the NGZ don't show up in the `ipfstat -t` output running in the GZ. Maybe I should define the zone here as well with -z plex.
<szilard> Aha! It is `ipfstat -t -G plex`
<szilard> Really nice.
<andyf> In terms of symlinking (just catching up), that should work one way or the other. I'm not sure if the brand will honour symlinks in <zonepath>/etc (I'd just test it), but if it doesn't you could symlink the other way so the real files stay in the zone path.