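<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
 Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

 CDDL HEADER START

 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.

 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 or http://www.opensolaris.org/os/licensing.
 See the License for the specific language governing permissions
 and limitations under the License.

 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]

 CDDL HEADER END

	NOTE:  This service description is not editable; its contents
	may be overwritten by package or patch operations, including
	operating system upgrade.  Make customizations in a different
	file.

	Service manifest for the ipfilter service.
-->

<!--
 The DOCTYPE names the service_bundle DTD by an absolute local path.
 Tooling that parses this manifest outside of SMF should load only that
 local DTD and should not resolve any other external entity.
-->

<service_bundle type='manifest' name='SUNWipfr:ipfilter'>

<service
  name='network/ipfilter'
  type='service'
  version='1'>

  <single_instance />

  <!--
   Start-up prerequisites: the minimal filesystem, the physical network
   service and the node and domain identity services must all be
   satisfied (require_all).  The three network and identity dependencies
   use restart_on='restart', so ipfilter is restarted when one of them
   is restarted; the filesystem dependency uses restart_on='none'.
  -->
  <dependency
    name='filesystem'
    grouping='require_all'
    restart_on='none'
    type='service'>
    <service_fmri value='svc:/system/filesystem/minimal' />
  </dependency>

  <dependency
    name='physical'
    grouping='require_all'
    restart_on='restart'
    type='service'>
    <service_fmri value='svc:/network/physical' />
  </dependency>

  <dependency
    name='identity'
    grouping='require_all'
    restart_on='restart'
    type='service'>
    <service_fmri value='svc:/system/identity:node' />
  </dependency>

  <dependency
    name='domain'
    grouping='require_all'
    restart_on='restart'
    type='service'>
    <service_fmri value='svc:/system/identity:domain' />
  </dependency>

  <!--
   Makes svc:/milestone/network depend on this service.
   NOTE(review): the grouping is optional_all, which is understood to be
   satisfied also when ipfilter is disabled or in maintenance, so reaching
   the network milestone does not by itself show that filtering is active.
   Confirm against the SMF documentation and monitor the state of this
   service directly.
  -->
  <dependent
    name='ipf_network'
    grouping='optional_all'
    restart_on='restart'>
    <service_fmri value='svc:/milestone/network' />
  </dependent>

  <!--
   All three methods run /lib/svc/method/ipfilter.  %m is the SMF token
   for the method name, so stop and start pass their own name to the
   script; refresh passes the literal argument 'reload'.
   NOTE(review): no method_context is declared, so the credentials and
   privileges of these methods are whatever the restarter applies by
   default; confirm that this is intended.
  -->
  <exec_method
    type='method'
    name='stop'
    exec='/lib/svc/method/ipfilter %m'
    timeout_seconds='60' />

  <exec_method
    type='method'
    name='start'
    exec='/lib/svc/method/ipfilter %m'
    timeout_seconds='120' />

  <exec_method
    type='method'
    name='refresh'
    exec='/lib/svc/method/ipfilter reload'
    timeout_seconds='120' />

  <!--
   Delivered state: the instance is disabled and both policy properties
   are 'none', which the template describes as "No firewall (allow all)".
   As shipped, this manifest therefore does not turn filtering on; an
   administrator has to enable the instance and choose a policy.
  -->
  <instance name='default' enabled='false'>
    <!--
     value_authorization names the authorization required to change the
     values in this group.  Because the group holds the system-wide
     firewall policy, grant solaris.smf.value.firewall.config narrowly.
    -->
    <property_group name='firewall_config_default'
                    type='com.sun,fw_configuration'>
      <propval name='policy' type='astring' value='none' />
      <propval name='custom_policy_file' type='astring' value='' />
      <propval name='apply_to' type='astring' value='' />
      <propval name='exceptions' type='astring' value='' />
      <propval name='open_ports' type='astring' value='' />
      <propval name='version' type='count' value='0' />
      <propval name='value_authorization' type='astring'
               value='solaris.smf.value.firewall.config' />
    </property_group>

    <!-- Same authorization as the default group; no 'custom' policy here. -->
    <property_group name='firewall_config_override'
                    type='com.sun,fw_configuration'>
      <propval name='policy' type='astring' value='none' />
      <propval name='apply_to' type='astring' value='' />
      <propval name='value_authorization' type='astring'
               value='solaris.smf.value.firewall.config' />
    </property_group>

    <!--
     Paths of the ipf6, ipnat and ippool configuration files.
     NOTE(review): this group has no value_authorization property of its
     own; confirm which authorization governs changes to these paths.
    -->
    <property_group name='config' type='application'>
      <propval name='ipf6_config_file' type='astring'
               value='/etc/ipf/ipf6.conf' />
      <propval name='ipnat_config_file' type='astring'
               value='/etc/ipf/ipnat.conf' />
      <propval name='ippool_config_file' type='astring'
               value='/etc/ipf/ippool.conf' />
    </property_group>

  </instance>

  <stability value='Unstable' />

  <!--
   Template data: human-readable names and descriptions and the allowed
   values for the firewall property groups above.  The text inside the
   pg_pattern loctext elements is kept at column 0 because whitespace in
   text content is data.
  -->
  <template>
    <common_name>
      <loctext xml:lang='C'>IP Filter</loctext>
    </common_name>
    <description>
      <loctext xml:lang='C'>
        Solaris IP Filter - host-based firewall
      </loctext>
    </description>
    <documentation>
      <manpage title='ipfilter' section='5'
               manpath='/usr/share/man' />
    </documentation>

    <pg_pattern name='firewall_config_default'
                type='com.sun,fw_configuration' target='this'
                required='false'>
      <common_name>
        <loctext xml:lang='C'>
Global Default firewall
        </loctext>
      </common_name>
      <description>
        <loctext xml:lang='C'>
The default system-wide firewall policy.
        </loctext>
      </description>
      <!--
       Allowed policy values: none, deny, allow, custom.  The property
       descriptions in this pattern refer to these names.
      -->
      <prop_pattern name='policy' type='astring'
                    required='true'>
        <common_name>
          <loctext xml:lang='C'>
Global Default policy
          </loctext>
        </common_name>
        <description>
          <loctext xml:lang='C'>
Firewall policy.
          </loctext>
        </description>
        <visibility value='readwrite'/>
        <cardinality min='1' max='1'/>
        <values>
          <value name='none'>
            <description>
              <loctext xml:lang='C'>
No firewall (allow all), this is the default value.
              </loctext>
            </description>
          </value>
          <value name='deny'>
            <description>
              <loctext xml:lang='C'>
Deny access to entities specified in 'apply_to' property.
              </loctext>
            </description>
          </value>
          <value name='allow'>
            <description>
              <loctext xml:lang='C'>
Allow access to entities specified in 'apply_to' property.
              </loctext>
            </description>
          </value>
          <value name='custom'>
            <description>
              <loctext xml:lang='C'>
Apply the custom ipfilter configuration stored in a custom file (custom file property must be set).
              </loctext>
            </description>
          </value>
        </values>
        <choices>
          <include_values type='values'/>
        </choices>
      </prop_pattern>
      <prop_pattern name='apply_to' type='astring'
                    required='false'>
        <common_name>
          <loctext xml:lang='C'>
Apply policy to
          </loctext>
        </common_name>
        <description>
          <loctext xml:lang='C'>
The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to allow.
          </loctext>
        </description>
      </prop_pattern>
      <prop_pattern name='exceptions' type='astring'
                    required='false'>
        <common_name>
          <loctext xml:lang='C'>
Make exceptions to
          </loctext>
        </common_name>
        <description>
          <loctext xml:lang='C'>
The host and network IPs, network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to allow.
          </loctext>
        </description>
      </prop_pattern>
      <prop_pattern name='custom_policy_file' type='astring'
                    required='false'>
        <common_name>
          <loctext xml:lang='C'>
Custom policy IPfilter file
          </loctext>
        </common_name>
        <description>
          <loctext xml:lang='C'>
The file containing a custom ipfilter configuration to use if a custom policy is enforced.
          </loctext>
        </description>
      </prop_pattern>
      <!--
       Ports listed here stay reachable under every policy, so review
       this property whenever the policy is audited.
      -->
      <prop_pattern name='open_ports' type='astring'
                    required='false'>
        <common_name>
          <loctext xml:lang='C'>
Open ports
          </loctext>
        </common_name>
        <description>
          <loctext xml:lang='C'>
A set of ports to leave open regardless of firewall policy.
          </loctext>
        </description>
      </prop_pattern>
      <!-- Hidden property; the instance above defines no value for it. -->
      <prop_pattern name='upgraded' type='boolean'
                    required='false'>
        <visibility value='hidden'/>
      </prop_pattern>
    </pg_pattern>

    <pg_pattern name='firewall_config_override'
                type='com.sun,fw_configuration' target='this'
                required='false'>
      <common_name>
        <loctext xml:lang='C'>
Global Override firewall
        </loctext>
      </common_name>
      <description>
        <loctext xml:lang='C'>
The system-wide firewall policy that overrides default system-wide and all services' policies.
        </loctext>
      </description>
      <!-- Allowed policy values: none, deny, allow. -->
      <prop_pattern name='policy' type='astring'
                    required='true'>
        <common_name>
          <loctext xml:lang='C'>
Global Override policy
          </loctext>
        </common_name>
        <description>
          <loctext xml:lang='C'>
Firewall policy.
          </loctext>
        </description>
        <visibility value='readwrite'/>
        <cardinality min='1' max='1'/>
        <values>
          <value name='none'>
            <description>
              <loctext xml:lang='C'>
No firewall (allow all), this is the default value.
              </loctext>
            </description>
          </value>
          <value name='deny'>
            <description>
              <loctext xml:lang='C'>
Deny access to entities specified in 'apply_to' property.
              </loctext>
            </description>
          </value>
          <value name='allow'>
            <description>
              <loctext xml:lang='C'>
Allow access to entities specified in 'apply_to' property.
              </loctext>
            </description>
          </value>
        </values>
        <choices>
          <include_values type='values'/>
        </choices>
      </prop_pattern>
      <prop_pattern name='apply_to' type='astring'
                    required='false'>
        <common_name>
          <loctext xml:lang='C'>
Apply policy to
          </loctext>
        </common_name>
        <description>
          <loctext xml:lang='C'>
The host and network IPs, network interfaces, and ippools to deny if the
policy is set to deny, or accept if the policy is set to allow.
          </loctext>
        </description>
      </prop_pattern>
    </pg_pattern>

  </template>
</service>

</service_bundle>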