I have ipfilter running on a Solaris 11.2 server with rules similar to:
pass in log first quick proto tcp from any to any port = 22 flags S keep state
I would like to be able to edit and reload the ipfilter configuration from /etc/ipf/ipf.conf. However, when I run svcadm refresh ipfilter, the dynamic state is dropped and I lose any active sessions that rely on state.
It appears that refreshing the service in Solaris takes the simple but brutal approach of:
- ipf -D
- ipf -E
- Load the rules from the configuration file
Is there a better way to refresh ipfilter which (a) does not drop the state, and (b) ensures that the running configuration is identical to loading the configuration from scratch?
It looks like this does what I want:
ipf -IFa && ipf -If /etc/ipf/ipf.conf && ipf -s -y
This flushes the inactive filter list, loads the rules into the inactive filter list, swaps the active and inactive filter lists, and updates ipfilter with the current list of network interfaces.
The dynamic state can be monitored with ipfstat -t and ipfstat -sl, and flushed (if needed) with ipf -FS.
In order to check whether the on-disk configuration matches the active configuration, I found this command useful (note that it will obliterate the inactive filter list):
diff -u <(ipfstat -io) <(ipf -IFa && ipf -If /etc/ipf/ipf.conf && ipfstat -Iio)
If anyone knows why the Solaris service by default resorts to ipf -D and ipf -E, I'd love to know.