<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
 Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
 Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>

 CDDL HEADER START

 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.

 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 or http://www.opensolaris.org/os/licensing.
 See the License for the specific language governing permissions
 and limitations under the License.

 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]

 CDDL HEADER END

 NOTE: This service description is not editable; its contents
 may be overwritten by package or patch operations, including
 operating system upgrade. Make customizations in a different
 file.

 Service manifest for the ipfilter service.
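-->

<service_bundle type='manifest' name='SUNWipfr:ipfilter'>

<!--
 network/ipfilter: the host-based packet filter (IP Filter).

 Security-relevant points of this manifest:
   * The default instance is delivered disabled, and its 'policy' is
     'none' (allow all), so merely enabling the service does not block
     anything until a policy is configured.
   * Both firewall_config_* property groups carry
     value_authorization=solaris.smf.value.firewall.config; holders of
     that authorization can change the filter policy, including
     pointing 'custom_policy_file' at an arbitrary rules file.
   * The prop_pattern names in the template must match the propval
     names in the instance (e.g. 'target_6'), otherwise the template
     metadata does not apply to the property.
-->
<service
	name='network/ipfilter'
	type='service'
	version='1'>

	<single_instance />

	<!--
	 Ordering: rules are loaded only after the minimal filesystems,
	 the physical network configuration and the node/domain identity
	 are available. A restart of physical/identity restarts this
	 service (restart_on='restart') so the rule set is re-applied.
	-->
	<dependency
		name='filesystem'
		grouping='require_all'
		restart_on='none'
		type='service'>
		<service_fmri value='svc:/system/filesystem/minimal' />
	</dependency>

	<dependency
		name='physical'
		grouping='require_all'
		restart_on='restart'
		type='service'>
		<service_fmri value='svc:/network/physical' />
	</dependency>

	<dependency
		name='identity'
		grouping='require_all'
		restart_on='restart'
		type='service'>
		<service_fmri value='svc:/system/identity:node' />
	</dependency>

	<dependency
		name='domain'
		grouping='require_all'
		restart_on='restart'
		type='service'>
		<service_fmri value='svc:/system/identity:domain' />
	</dependency>

	<!--
	 milestone/network is declared dependent (optional_all) on this
	 service, so when ipfilter is enabled the filter is brought up
	 before the network milestone is reached rather than after it.
	-->
	<dependent
		name='ipf_network'
		grouping='optional_all'
		restart_on='restart'>
		<service_fmri value='svc:/milestone/network' />
	</dependent>

	<!-- start/stop pass the method name; refresh reloads the rules. -->
	<exec_method
		type='method'
		name='stop'
		exec='/lib/svc/method/ipfilter %m'
		timeout_seconds='60' >
	</exec_method>

	<exec_method
		type='method'
		name='start'
		exec='/lib/svc/method/ipfilter %m'
		timeout_seconds='120' >
	</exec_method>

	<exec_method
		type='method'
		name='refresh'
		exec='/lib/svc/method/ipfilter reload'
		timeout_seconds='120' >
	</exec_method>

	<!-- Delivered disabled; see the header comment for the defaults. -->
	<instance name='default' enabled='false'>
		<!--
		 System-wide default policy. Every property here is gated by
		 value_authorization below: changing a value requires the
		 solaris.smf.value.firewall.config authorization.
		-->
		<property_group name='firewall_config_default'
			type='com.sun,fw_configuration'>
			<propval name='policy' type='astring' value='none' />
			<propval name='block_policy' type='astring'
				value='none' />
			<propval name='custom_policy_file' type='astring' value='' />
			<propval name='apply_to' type='astring' value='' />
			<propval name='apply_to_6' type='astring' value='' />
			<propval name='exceptions' type='astring' value='' />
			<propval name='exceptions_6' type='astring' value='' />
			<propval name='target' type='astring' value='' />
			<propval name='target_6' type='astring' value='' />
			<propval name='open_ports' type='astring' value='' />
			<propval name='version' type='count' value='0' />
			<propval name='value_authorization' type='astring'
				value='solaris.smf.value.firewall.config' />
		</property_group>

		<!--
		 System-wide override: takes precedence over the default policy
		 and over every per-service policy (see the template below).
		-->
		<property_group name='firewall_config_override'
			type='com.sun,fw_configuration'>
			<propval name='policy' type='astring' value='none' />
			<propval name='block_policy' type='astring'
				value='none' />
			<propval name='apply_to' type='astring' value='' />
			<propval name='apply_to_6' type='astring' value='' />
			<propval name='value_authorization' type='astring'
				value='solaris.smf.value.firewall.config' />
		</property_group>

		<!--
		 Paths of the IPv6 filter, NAT and pool rule files. Their
		 contents become kernel filter state, so they should be
		 writable by root only (presumably consumed by the method
		 script; confirm against /lib/svc/method/ipfilter).
		-->
		<property_group name='config' type='application'>
			<propval name='ipf6_config_file' type='astring'
				value='/etc/ipf/ipf6.conf' />
			<propval name='ipnat_config_file' type='astring'
				value='/etc/ipf/ipnat.conf' />
			<propval name='ippool_config_file' type='astring'
				value='/etc/ipf/ippool.conf' />
		</property_group>

	</instance>

	<stability value='Unstable' />

	<template>
		<common_name>
			<loctext xml:lang='C'>IP Filter</loctext>
		</common_name>
		<description>
			<loctext xml:lang='C'>
			Solaris IP Filter - host-based firewall
			</loctext>
		</description>
		<documentation>
			<manpage title='ipfilter' section='5'
				manpath='/usr/share/man' />
		</documentation>

		<pg_pattern name='firewall_config_default'
			type='com.sun,fw_configuration' target='this'
			required='false'>
			<common_name>
				<loctext xml:lang='C'>
Global Default firewall
				</loctext>
			</common_name>
			<description>
				<loctext xml:lang='C'>
The default system-wide firewall policy.
				</loctext>
			</description>
			<prop_pattern name='policy' type='astring'
				required='true'>
				<common_name>
					<loctext xml:lang='C'>
Global Default policy
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang='C'>
Firewall policy.
					</loctext>
				</description>
				<visibility value='readwrite'/>
				<cardinality min='1' max='1'/>
				<values>
					<value name='none'>
						<description>
							<loctext xml:lang='C'>
No firewall (allow all), this is the default value.
							</loctext>
						</description>
					</value>
					<value name='deny'>
						<description>
							<loctext xml:lang='C'>
Deny access to entities specified in 'apply_to' property.
							</loctext>
						</description>
					</value>
					<value name='allow'>
						<description>
							<loctext xml:lang='C'>
Allow access to entities specified in 'apply_to' property.
							</loctext>
						</description>
					</value>
					<value name='custom'>
						<description>
							<loctext xml:lang='C'>
Apply the custom ipfilter configuration stored in the file named by the 'custom_policy_file' property (that property must be set).
							</loctext>
						</description>
					</value>
				</values>
				<choices>
					<include_values type='values'/>
				</choices>
			</prop_pattern>
			<!--
			 NOTE(review): the 'use_global' value is worded for a
			 per-service firewall_config group; inside the global
			 default group itself it is self-referential. Confirm the
			 intended meaning before relying on it here.
			-->
			<prop_pattern name='block_policy' type='astring'
				required='false'>
				<common_name>
					<loctext xml:lang='C'>
Firewall block policy
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang='C'>
Service firewall block policy.
					</loctext>
				</description>
				<visibility value='readwrite'/>
				<cardinality min='1' max='1'/>
				<values>
					<value name='use_global'>
						<description>
							<loctext xml:lang='C'>
Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value.
							</loctext>
						</description>
					</value>
					<value name='none'>
						<description>
							<loctext xml:lang='C'>
Block by silently dropping packets (no RST or ICMP is sent).
							</loctext>
						</description>
					</value>
					<value name='return'>
						<description>
							<loctext xml:lang='C'>
Block by returning RST or ICMP messages.
							</loctext>
						</description>
					</value>
				</values>
				<choices>
					<include_values type='values'/>
				</choices>
			</prop_pattern>
			<prop_pattern name="apply_to" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Apply policy to
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang="C">
The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
					</loctext>
				</description>
			</prop_pattern>
			<prop_pattern name="apply_to_6" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Apply policy to (IPv6)
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang="C">
The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
					</loctext>
				</description>
			</prop_pattern>
			<prop_pattern name="exceptions" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Make exceptions to
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang="C">
The source host and network IPv4 addresses, incoming network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept.
					</loctext>
				</description>
			</prop_pattern>
			<prop_pattern name="exceptions_6" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Make exceptions to (IPv6)
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang="C">
The source host and network IPv6 addresses, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept.
					</loctext>
				</description>
			</prop_pattern>
			<prop_pattern name="target" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Apply policy to
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang="C">
The destination host and network IPv4 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
					</loctext>
				</description>
			</prop_pattern>
			<!--
			 Named 'target_6' to match the instance propval above;
			 the earlier 'target6' pattern matched no property.
			-->
			<prop_pattern name="target_6" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Apply policy to (IPv6)
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang="C">
The destination host and network IPv6 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
					</loctext>
				</description>
			</prop_pattern>
			<prop_pattern name="custom_policy_file" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Custom policy IPfilter file
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang='C'>
The path of a file containing a custom ipfilter configuration, loaded when 'policy' is set to 'custom'. Its contents become the active rule set, so anyone who can write the file or change this property (see value_authorization) controls the firewall.
					</loctext>
				</description>
			</prop_pattern>
			<prop_pattern name="open_ports" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Open ports
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang='C'>
A set of ports to leave open regardless of firewall policy.
					</loctext>
				</description>
			</prop_pattern>
			<!-- Internal upgrade marker; intentionally hidden. -->
			<prop_pattern name="upgraded" type="boolean"
				required="false">
				<visibility value='hidden'/>
			</prop_pattern>
		</pg_pattern>

		<pg_pattern name='firewall_config_override'
			type='com.sun,fw_configuration' target='this'
			required='false'>
			<common_name>
				<loctext xml:lang='C'>
Global Override firewall
				</loctext>
			</common_name>
			<description>
				<loctext xml:lang='C'>
The system-wide firewall policy that overrides default system-wide and all services' policies.
				</loctext>
			</description>
			<prop_pattern name='policy' type='astring'
				required='true'>
				<common_name>
					<loctext xml:lang='C'>
Global Override policy
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang='C'>
Firewall policy.
					</loctext>
				</description>
				<visibility value='readwrite'/>
				<cardinality min='1' max='1'/>
				<values>
					<value name='none'>
						<description>
							<loctext xml:lang='C'>
No firewall (allow all), this is the default value.
							</loctext>
						</description>
					</value>
					<value name='deny'>
						<description>
							<loctext xml:lang='C'>
Deny access to entities specified in 'apply_to' property.
							</loctext>
						</description>
					</value>
					<value name='allow'>
						<description>
							<loctext xml:lang='C'>
Allow access to entities specified in 'apply_to' property.
							</loctext>
						</description>
					</value>
				</values>
				<choices>
					<include_values type='values'/>
				</choices>
			</prop_pattern>
			<prop_pattern name='block_policy' type='astring'
				required='false'>
				<common_name>
					<loctext xml:lang='C'>
Firewall block policy
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang='C'>
Service firewall block policy.
					</loctext>
				</description>
				<visibility value='readwrite'/>
				<cardinality min='1' max='1'/>
				<values>
					<value name='use_global'>
						<description>
							<loctext xml:lang='C'>
Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value.
							</loctext>
						</description>
					</value>
					<value name='none'>
						<description>
							<loctext xml:lang='C'>
Block by silently dropping packets (no RST or ICMP is sent).
							</loctext>
						</description>
					</value>
					<value name='return'>
						<description>
							<loctext xml:lang='C'>
Block by returning RST or ICMP messages.
							</loctext>
						</description>
					</value>
				</values>
				<choices>
					<include_values type='values'/>
				</choices>
			</prop_pattern>
			<prop_pattern name="apply_to" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Apply policy to
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang="C">
The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
					</loctext>
				</description>
			</prop_pattern>
			<!--
			 The override group carries an 'apply_to_6' propval; this
			 pattern documents it the same way the default group does.
			-->
			<prop_pattern name="apply_to_6" type="astring"
				required="false">
				<common_name>
					<loctext xml:lang='C'>
Apply policy to (IPv6)
					</loctext>
				</common_name>
				<description>
					<loctext xml:lang="C">
The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
					</loctext>
				</description>
			</prop_pattern>
		</pg_pattern>

	</template>
</service>

</service_bundle>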