PSARC 2008/580 - Host based firewall
In my presentation at the Partner University 2009 in Weimar, I talked about systemic features: a feature in Solaris that consists of several features. Something like the vast possibilities that Crossbow, ZFS and Zones give you, or the combination of RBAC, SMF and Privileges. There is a new one of this kind. The output of PSARC 2008/580 was integrated into OpenSolaris build 109. It integrates SMF, Authorisations, IPFilter,
svc.ipfd monitors actions on services with a firewall configuration and initiates updates of those services' IPfilter configuration. The daemon allows us to react to changes in the system's firewall configuration in an incremental fashion, at a per-service level.
This enables Solaris to do some neat tricks:
A service's firewall policy is activated when it's enabled, deactivated when it's disabled, and updated when its configuration property group is modified. svc.ipfd monitors the SMF repository for these actions and invokes the IPfilter rule generation process to carry out the service's firewall policy.
You define the firewall policy in the properties of a service in SMF, and SMF thus configures the firewall as soon as you use the service. Even more interesting: a software vendor can supply a firewall configuration with the SMF manifest, and the host firewall is automatically configured correctly to run the application. This feature has real potential to make the admin's life easier. You should really read the case log of 2008/580.
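What a vendor-supplied policy could look like, as an added example that is not taken from this post or from the case log: a manifest fragment using the `firewall_config` and `firewall_context` property groups documented in svc.ipfd(1M). The IANA service name `example-appd` and the network 192.0.2.0/24 are constructed placeholders.

```xml
<!-- Constructed fragment of an SMF manifest; methods and dependencies
     of the service are left out. -->

<!-- Tells the rule generator which service this is. The value is the
     IANA service name of the port the daemon listens on
     (placeholder here). -->
<property_group name='firewall_context' type='com.sun,fw_definition'>
    <propval name='name' type='astring' value='example-appd'/>
</property_group>

<!-- The policy svc.ipfd turns into IPfilter rules when the service
     is enabled, disabled or refreshed. -->
<property_group name='firewall_config' type='com.sun,fw_configuration'>
    <!-- policy is one of: none, deny, allow, use_global.
         allow = only the sources in apply_to may connect. -->
    <propval name='policy' type='astring' value='allow'/>

    <!-- Sources the policy applies to: the management network only
         (constructed value). -->
    <propval name='apply_to' type='astring' value='network:192.0.2.0/24'/>

    <!-- No sources are exempted from the policy. -->
    <propval name='exceptions' type='astring' value=''/>

    <!-- Changing these values requires this authorisation, so editing
         the firewall policy can be delegated through RBAC. -->
    <propval name='value_authorization' type='astring'
        value='solaris.smf.value.firewall.config'/>
</property_group>
```

Shipping `use_global` instead of `allow` leaves the decision to the system-wide policy, which is the less surprising default for software that does not know the network it will be installed on.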