1<?xml version="1.0"?>
2<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
3<!--
4 Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
5 Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
6
7 CDDL HEADER START
8
9 The contents of this file are subject to the terms of the
10 Common Development and Distribution License (the "License").
11 You may not use this file except in compliance with the License.
12
13 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
14 or http://www.opensolaris.org/os/licensing.
15 See the License for the specific language governing permissions
16 and limitations under the License.
17
18 When distributing Covered Code, include this CDDL HEADER in each
19 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
20 If applicable, add the following below this CDDL HEADER, with the
21 fields enclosed by brackets "[]" replaced with your own identifying
22 information: Portions Copyright [yyyy] [name of copyright owner]
23
24 CDDL HEADER END
25
26	NOTE:  This service description is not editable; its contents
27	may be overwritten by package or patch operations, including
28	operating system upgrade.  Make customizations in a different
29	file.
30
31	Service manifest for the ipfilter service.
32-->
33
34<service_bundle type='manifest' name='SUNWipfr:ipfilter'>
35
36<service
37	name='network/ipfilter'
38	type='service'
39	version='1'>
40
41	<single_instance />
42
43	<dependency
44	    name='filesystem'
45	    grouping='require_all'
46	    restart_on='none'
47	    type='service'>
48		<service_fmri value='svc:/system/filesystem/minimal' />
49	</dependency>
50
51	<dependency
52	    name='physical'
53	    grouping='require_all'
54	    restart_on='restart'
55	    type='service'>
56		<service_fmri value='svc:/network/physical' />
57	</dependency>
58
59	<dependency
60	    name='identity'
61	    grouping='require_all'
62	    restart_on='restart'
63	    type='service'>
64		<service_fmri value='svc:/system/identity:node' />
65	</dependency>
66
67	<dependency
68	    name='domain'
69	    grouping='require_all'
70	    restart_on='restart'
71	    type='service'>
72		<service_fmri value='svc:/system/identity:domain' />
73	</dependency>
74
75	<dependent
76	    name='ipf_network'
77	    grouping='optional_all'
78	    restart_on='restart'>
79		<service_fmri value='svc:/milestone/network' />
80	</dependent>
81
82	<exec_method
83		type='method'
84		name='stop'
85		exec='/lib/svc/method/ipfilter %m'
86		timeout_seconds='60' >
87	</exec_method>
88
89	<exec_method
90		type='method'
91		name='start'
92		exec='/lib/svc/method/ipfilter %m'
93		timeout_seconds='120' >
94	</exec_method>
95
96	<exec_method
97		type='method'
98		name='refresh'
99		exec='/lib/svc/method/ipfilter reload'
100		timeout_seconds='120' >
101	</exec_method>
102
103	<instance name='default' enabled='false'>
104		<property_group name='firewall_config_default'
105			type='com.sun,fw_configuration'>
106			<propval name='policy' type='astring' value='none' />
107			<propval name='block_policy' type='astring'
108				value='none' />
109			<propval name='custom_policy_file' type='astring'
110				value='/etc/ipf/ipf.conf' />
111			<propval name='custom_policy_file_6' type='astring'
112				value='/etc/ipf/ipf6.conf' />
113			<propval name='apply_to' type='astring' value='' />
114			<propval name='apply_to_6' type='astring' value='' />
115			<propval name='exceptions' type='astring' value='' />
116			<propval name='exceptions_6' type='astring' value='' />
117			<propval name='target' type='astring' value='' />
118			<propval name='target_6' type='astring' value='' />
119			<propval name='open_ports' type='astring' value='' />
120			<propval name='version' type='count' value='0' />
121			<propval name='value_authorization' type='astring'
122				value='solaris.smf.value.firewall.config' />
123		</property_group>
124
125		<property_group name='firewall_config_override'
126			type='com.sun,fw_configuration'>
127			<propval name='policy' type='astring' value='none' />
128			<propval name='block_policy' type='astring'
129				value='none' />
130			<propval name='apply_to' type='astring' value='' />
131			<propval name='apply_to_6' type='astring' value='' />
132			<propval name='value_authorization' type='astring'
133				value='solaris.smf.value.firewall.config' />
134		</property_group>
135
136		<property_group name='config' type='application'>
137			<propval name='ipf6_config_file' type='astring'
138				value='/etc/ipf/ipf6.conf' />
139			<propval name='ipnat_config_file' type='astring'
140				value='/etc/ipf/ipnat.conf' />
141			<propval name='ippool_config_file' type='astring'
142				value='/etc/ipf/ippool.conf' />
143		</property_group>
144
145	</instance>
146
147	<stability value='Unstable' />
148
149	<template>
150		<common_name>
151			<loctext xml:lang='C'>IP Filter</loctext>
152		</common_name>
153		<description>
154			<loctext xml:lang='C'>
155			IP Filter - host-based firewall
156			</loctext>
157		</description>
158		<documentation>
159			<manpage title='ipfilter' section='7'
160				manpath='/usr/share/man' />
161		</documentation>
162
163		<pg_pattern name='firewall_config_default'
164		    type='com.sun,fw_configuration' target='this'
165		    required='false'>
166			<common_name>
167				<loctext xml:lang='C'>
168Global Default firewall
169				</loctext>
170			</common_name>
171			<description>
172				<loctext xml:lang='C'>
173The default system-wide firewall policy.
174				</loctext>
175			</description>
176			<prop_pattern name='policy' type='astring'
177			    required='true'>
178				<common_name>
179					<loctext xml:lang='C'>
180Global Default policy
181					</loctext>
182				</common_name>
183				<description>
184					<loctext xml:lang='C'>
185Firewall policy.
186					</loctext>
187				</description>
188				<visibility value='readwrite'/>
189				<cardinality min='1' max='1'/>
190				<values>
191					<value name='none'>
192						<description>
193							<loctext xml:lang='C'>
194No firewall (allow all), this is the default value.
195							</loctext>
196
197						</description>
198					</value>
199					<value name='deny'>
200						<description>
201							<loctext xml:lang='C'>
202Deny access to entities specified in 'apply_to' property.
203							</loctext>
204						</description>
205					</value>
206					<value name='allow'>
207						<description>
208							<loctext xml:lang='C'>
209Allow access to entities specified in 'apply_to' property.
210							</loctext>
211						</description>
212					</value>
213					<value name='custom'>
214						<description>
215							<loctext xml:lang='C'>
216Apply the custom ipfilter configuration stored in a custom file (custom file property must be set).
217							</loctext>
218						</description>
219					</value>
220				</values>
221				<choices>
222					<include_values type='values'/>
223				</choices>
224			</prop_pattern>
225			<prop_pattern name='block_policy' type='astring'
226			    required='false'>
227				<common_name>
228					<loctext xml:lang='C'>
229Firewall block policy
230					</loctext>
231				</common_name>
232				<description>
233					<loctext xml:lang='C'>
234Service firewall block policy.
235					</loctext>
236				</description>
237				<visibility value='readwrite'/>
238				<cardinality min='1' max='1'/>
239				<values>
240					<value name='use_global'>
241						<description>
242							<loctext xml:lang='C'>
243Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value.
244							</loctext>
245						</description>
246					</value>
247					<value name='none'>
248						<description>
249							<loctext xml:lang='C'>
250Block by dropping packets.
251							</loctext>
252						</description>
253					</value>
254					<value name='return'>
255						<description>
256							<loctext xml:lang='C'>
257Block by returning RST or ICMP messages.
258							</loctext>
259						</description>
260					</value>
261				</values>
262				<choices>
263					<include_values type='values'/>
264				</choices>
265			</prop_pattern>
266			<prop_pattern name="apply_to" type="astring"
267			    required="false">
268				<common_name>
269					<loctext xml:lang='C'>
270Apply policy to
271					</loctext>
272				</common_name>
273				<description>
274					<loctext xml:lang="C">
275The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or to allow if the policy is set to allow.
276					</loctext>
277				</description>
278			</prop_pattern>
279			<prop_pattern name="apply_to_6" type="astring"
280			    required="false">
281				<common_name>
282					<loctext xml:lang='C'>
283Apply policy to
284					</loctext>
285				</common_name>
286				<description>
287					<loctext xml:lang="C">
288The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or to allow if the policy is set to allow.
289					</loctext>
290				</description>
291			</prop_pattern>
292			<prop_pattern name="exceptions" type="astring"
293			    required="false">
294				<common_name>
295					<loctext xml:lang='C'>
296Make exceptions to
297					</loctext>
298				</common_name>
299				<description>
300					<loctext xml:lang="C">
301The source host and network IPv4 addresses, incoming network interfaces, and ippools to exempt from the set policy: those to allow if the policy is set to deny, or to deny if the policy is set to allow.
302					</loctext>
303				</description>
304			</prop_pattern>
305			<prop_pattern name="exceptions_6" type="astring"
306			    required="false">
307				<common_name>
308					<loctext xml:lang='C'>
309Make exceptions to
310					</loctext>
311				</common_name>
312				<description>
313					<loctext xml:lang="C">
314The source host and network IPv6 addresses, incoming network interfaces, and ippools to exempt from the set policy. That is, those to allow if the policy is set to deny, or to deny if the policy is set to allow.
315					</loctext>
316				</description>
317			</prop_pattern>
318			<prop_pattern name="target" type="astring"
319			    required="false">
320				<common_name>
321					<loctext xml:lang='C'>
322Apply policy to
323					</loctext>
324				</common_name>
325				<description>
326					<loctext xml:lang="C">
327The destination host and network IPv4 addresses, and ippools to deny if the policy is set to deny, or to allow if the policy is set to allow.
328					</loctext>
329				</description>
330			</prop_pattern>
			<!--
			  NOTE(review): the 'default' instance above defines the
			  IPv6 target property as 'target_6' (consistent with
			  apply_to_6, exceptions_6 and custom_policy_file_6), but
			  this pattern is named 'target6'.  The two names do not
			  match, so the 'target_6' property set by the instance is
			  not described by this template.  Confirm which spelling
			  the method script reads before renaming either side.
			-->
331			<prop_pattern name="target6" type="astring"
332			    required="false">
333				<common_name>
334					<loctext xml:lang='C'>
335Apply policy to
336					</loctext>
337				</common_name>
338				<description>
339					<loctext xml:lang="C">
340The destination host and network IPv6 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
341					</loctext>
342				</description>
343			</prop_pattern>
344			<prop_pattern name="custom_policy_file" type="astring"
345			    required="false">
346				<common_name>
347					<loctext xml:lang='C'>
348Custom policy IPfilter file
349					</loctext>
350				</common_name>
351				<description>
352					<loctext xml:lang='C'>
353The file containing a custom ipfilter configuration to use if a custom policy is enforced.
354					</loctext>
355				</description>
356			</prop_pattern>
357			<prop_pattern name="open_ports" type="astring"
358			    required="false">
359				<common_name>
360					<loctext xml:lang='C'>
361Open ports
362					</loctext>
363				</common_name>
364				<description>
365					<loctext xml:lang='C'>
366A set of ports to leave open regardless of firewall policy.
367					</loctext>
368				</description>
369			</prop_pattern>
370			<prop_pattern name="upgraded" type="boolean"
371			    required="false">
372				<visibility value='hidden'/>
373			</prop_pattern>
374		</pg_pattern>
375
376		<pg_pattern name='firewall_config_override'
377		    type='com.sun,fw_configuration' target='this'
378		    required='false'>
379			<common_name>
380				<loctext xml:lang='C'>
381Global Override firewall
382				</loctext>
383			</common_name>
384			<description>
385				<loctext xml:lang='C'>
386The system-wide firewall policy that overrides default system-wide and all services' policies.
387				</loctext>
388			</description>
389			<prop_pattern name='policy' type='astring'
390			    required='true'>
391				<common_name>
392					<loctext xml:lang='C'>
393Global Override policy
394					</loctext>
395				</common_name>
396				<description>
397					<loctext xml:lang='C'>
398Firewall policy.
399					</loctext>
400				</description>
401				<visibility value='readwrite'/>
402				<cardinality min='1' max='1'/>
403				<values>
404					<value name='none'>
405						<description>
406							<loctext xml:lang='C'>
407No firewall (allow all), this is the default value.
408							</loctext>
409						</description>
410					</value>
411					<value name='deny'>
412						<description>
413							<loctext xml:lang='C'>
414Deny access to entities specified in 'apply_to' property.
415							</loctext>
416						</description>
417					</value>
418					<value name='allow'>
419						<description>
420							<loctext xml:lang='C'>
421Allow access to entities specified in 'apply_to' property.
422							</loctext>
423						</description>
424					</value>
425				</values>
426				<choices>
427					<include_values type='values'/>
428				</choices>
429			</prop_pattern>
430			<prop_pattern name='block_policy' type='astring'
431			    required='false'>
432				<common_name>
433					<loctext xml:lang='C'>
434Firewall block policy
435					</loctext>
436				</common_name>
437				<description>
438					<loctext xml:lang='C'>
439Service firewall block policy.
440					</loctext>
441				</description>
442				<visibility value='readwrite'/>
443				<cardinality min='1' max='1'/>
444				<values>
445					<value name='use_global'>
446						<description>
447							<loctext xml:lang='C'>
448Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value.
449							</loctext>
450						</description>
451					</value>
452					<value name='none'>
453						<description>
454							<loctext xml:lang='C'>
455Block by dropping packets.
456							</loctext>
457						</description>
458					</value>
459					<value name='return'>
460						<description>
461							<loctext xml:lang='C'>
462Block by returning RST or ICMP messages.
463							</loctext>
464						</description>
465					</value>
466				</values>
467				<choices>
468					<include_values type='values'/>
469				</choices>
470			</prop_pattern>
471			<prop_pattern name="apply_to" type="astring"
472			    required="false">
473				<common_name>
474					<loctext xml:lang='C'>
475Apply policy to
476					</loctext>
477				</common_name>
478				<description>
479					<loctext xml:lang="C">
480The host and network IPs, network interfaces, and ippools to deny if the
481policy is set to deny, or to allow if the policy is set to allow.
482					</loctext>
483				</description>
484			</prop_pattern>
485		</pg_pattern>
486
487	</template>
488</service>
489
490</service_bundle>