Automatically load IPF rules after reboot


I had configured some firewall rules on my NAS, which initially seemed to work correctly. However, I later noticed that the rules were not being applied after the NAS was rebooted.

I began investigating the issue. First, I removed all customizations, then disabled and re-enabled the IP filter service. After rebooting the NAS, I examined the current state of the system:

root@omnios:~# svcs |grep ipf
online         11:03:32 svc:/network/ipfilter:default

Okay, the ipfilter service is enabled and running. Let’s identify the files the system relies on.

root@omnios:~# svccfg -s ipfilter:default listprop | grep file
config/ipf6_config_file                       astring  /etc/ipf/ipf6.conf
config/ipnat_config_file                      astring  /etc/ipf/ipnat.conf
config/ippool_config_file                     astring  /etc/ipf/ippool.conf
firewall_config_default/custom_policy_file    astring  /etc/ipf/ipf.conf
firewall_config_default/custom_policy_file_6  astring  /etc/ipf/ipf6.conf
restarter/logfile                             astring  /var/svc/log/network-ipfilter:default.log

All settings seem to be at their defaults. Next, we’ll add a basic ruleset.

root@omnios:~# cat /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(5) manpage for more information on
# IP Filter rules syntax.

# no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all

block in all
pass  in quick on e1000g0 proto icmp keep state
pass  in quick on e1000g0 proto tcp to port = 22 keep state
pass out all

Now let’s reboot and check which rules were loaded:

root@omnios:~# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

Hmm, something seems off. Interestingly, the firewall rules are correctly loaded if I manually instruct the system to apply them.

root@omnios:~# ipf -Fa -f /etc/ipf/ipf.conf

Reviewing the logs doesn’t reveal any obvious cause:

root@omnios:~# cat $(svcs -L /network/ipfilter)
[ Jul  3 11:03:27 Enabled. ]
[ Jul  3 11:03:30 Executing start method ("/lib/svc/method/ipfilter start"). ]
Set 0 now inactive
filter sync'd
0 entries flushed from NAT table
4 entries flushed from NAT list
[ Jul  3 11:03:32 Method "start" exited with status 0. ]

I got the following hint from tsoome:

sometimes, it may happen, the guides are bad.  from that log, see into /lib/svc/method/ipfilter - from it you will find the function to upgrade config and hint that you should have firewall_config_default/policy                astring  custom if you want to use those config files....  :P see also output from "svccfg -s ipfilter:default listprop"

Let’s check what we have here:

root@omnios:~# svccfg -s ipfilter:default listprop |grep firewall_config_default/policy
firewall_config_default/policy                astring  none

Okay, this is the default. Let’s try to change the property value to “custom”:

root@omnios:~# svccfg -s ipfilter:default setprop firewall_config_default/policy = custom
root@omnios:~# svcadm refresh ipfilter:default

After reboot:

root@omnios:~# ipfstat -io
pass out quick on lo0 all
pass out all
pass in quick on lo0 all
block in all
pass in quick on e1000g0 proto icmp from any to any keep state
pass in quick on e1000g0 proto tcp from any to any port = ssh keep state

It’s all working perfectly now! Lessons learned.
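As an added example (not part of the original post), here is a small POSIX sh check that captures the lesson above: it parses the output of `svccfg -s ipfilter:default listprop` and `ipfstat -io`, reports whether the policy property is still “none” and whether any rules are actually loaded, and can be run after every reboot. The helpers take the command output as text, so the constructed samples below exercise them offline; the `--live` flag, the sample strings and the result words are my own choices.

```sh
#!/bin/sh
# Added example: post-boot sanity check for the OmniOS ipfilter SMF service.
# It parses the output of the two commands used in the post and flags the
# failure mode described there. The helpers take command output as text,
# so they can be exercised on the constructed samples below without svccfg.

# Succeed (0) when firewall_config_default/policy is "custom", fail (1) otherwise.
ipf_policy_is_custom() {
    # $1: output of `svccfg -s ipfilter:default listprop`
    printf '%s\n' "$1" | awk '
        $1 == "firewall_config_default/policy" && $3 == "custom" { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Succeed (0) when `ipfstat -io` lists at least one rule, fail (1) when both
# the in and out lists are empty (the symptom seen after reboot in the post).
ipf_rules_loaded() {
    # $1: output of `ipfstat -io`
    printf '%s\n' "$1" | grep -v '^empty list for ipfilter' | grep -q .
}

# Prints one word: "ok", "policy-none" or "no-rules". Returns 1 unless "ok".
ipf_boot_check() {
    if ! ipf_policy_is_custom "$1"; then
        echo policy-none; return 1
    fi
    if ! ipf_rules_loaded "$2"; then
        echo no-rules; return 1
    fi
    echo ok
}

# Constructed samples mirroring the post's before/after output.
PROPS_BEFORE='firewall_config_default/policy                astring  none
firewall_config_default/custom_policy_file    astring  /etc/ipf/ipf.conf'
PROPS_AFTER='firewall_config_default/policy                astring  custom
firewall_config_default/custom_policy_file    astring  /etc/ipf/ipf.conf'
STAT_EMPTY='empty list for ipfilter(out)
empty list for ipfilter(in)'
STAT_LOADED='pass out quick on lo0 all
block in all
pass in quick on e1000g0 proto tcp from any to any port = ssh keep state'

# Offline demonstration; pass --live to query the running system instead.
if [ "${1:-}" = --live ]; then
    ipf_boot_check "$(svccfg -s ipfilter:default listprop)" "$(ipfstat -io)"
else
    ipf_boot_check "$PROPS_BEFORE" "$STAT_EMPTY" || :  # prints policy-none
    ipf_boot_check "$PROPS_AFTER"  "$STAT_LOADED"      # prints ok
fi
```

Run with `--live` as root after a reboot; a non-zero exit status means the firewall is not in the state you expect.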
