- Thu 05 October 2017
- misc
I've written about SmartOS several times in the past; plain SmartOS without Triton/SDC is our virtualization platform of choice at ClueTrust.
LX brand zones are not KVMs and not native zones, but they're closer to the latter than the former. At a high level, they're a native zone (talk directly to Crossbow and ZFS datasets), but with a Linux ABI on the inside and a GNU userland. You can get LX datasets in Ubuntu, Debian, CentOS, and Alpine flavors. There is nothing to stop a motivated individual from building their own dataset with their Linux variant of choice in it.
Well-behaved (for instance don't depend on procfs or try to do stuff with loadable kernel modules) Linux applications work fine in LX zones. We transcode stuff with HandbrakeCLI and run CrashPlan Enterprise and Splunk in LX zones and they all work fine.
Host-based firewalls are a darned fine idea for anything that's exposed naked to the angry pixies of the Internet. Especially when you're running some kind of commercial enterprise software that might expose stuff with janky unencrypted or buggy APIs to the world, since it's intended for use in a datacenter environment rather than swinging in the breeze in a bad neighborhood.
And so it is that I came to try to get the native ipfilter (which is part of the enclosing zone) running in the LX world. For the added fun of having to sort out systemd at the same time I figured I'd run it under an Ubuntu 16.04 flavored zone.
Why isn't this part of the standard distribution and just something that you turn on? Near as I can tell, most folks who are using LX flavored zones are doing it in the context of Triton, where firewall rules are handled via the system management and orchestration toolset, not from within the zone itself. So I'm a bit of a corner case.
There are various tools that interface to the OS-behind-the-curtain
under /native so this turned out to just be a case of getting
appropriate ipf.conf and ipf6.conf files in place and wrapping up the
logic to turn it off and on into a service config file for systemd. Easy
Here's the bits. Sorry that I don't do anything fancy in the systemd file like check whether you have both an ipf.conf and an ipf6.conf before letting you do the deed. We're all grown-ups here.
{% raw %} root@splunk-ashburn:~# cat /etc/ipf/ipf.conf # # ipf.conf # # IP Filter rules to be loaded during startup # # See ipf(4) manpage for more information on # IP Filter rules syntax.
# Do NOT do this vv
#pass in to net0 all
pass out from any to any keep state
pass in quick proto tcp from any to any port=22
pass in quick proto tcp from any to any port=80
pass in quick proto tcp from any to any port=443
pass in quick proto icmp from any to any
pass out quick proto icmp from any to any
block in from any to any
root@splunk-ashburn:~#
{% endraw %}
{% raw %} root@splunk-ashburn:~# cat /etc/ipf/ipf6.conf # # ipf6.conf # # IP Filter rules to be loaded during startup # # See ipf(4) manpage for more information on # IP Filter rules syntax.
# Do NOT do this vv
#pass in to net0 all
pass out from any to any keep state
# allow ssh from anywhere
pass in quick proto tcp from any to any port=22
pass in quick proto tcp from any to any port=80
pass in quick proto tcp from any to any port=443
pass in quick proto icmp from any to any
pass out quick proto icmp from any to any
pass in quick proto ipv6-icmp from any to any
pass out quick proto ipv6-icmp from any to any
block in from any to any
root@splunk-ashburn:~#
{% endraw %}
{% raw %} root@splunk-ashburn:~# cat /etc/systemd/system/ipfilter.service # # cp -p ipfilter.service /etc/systemd/system/ # systemctl enable ipfilter #
[Unit]
Description=native ipfilter service
[Service]
Type=oneshot
ExecStart=/bin/bash -c "/native/usr/sbin/ipf -E -Fa -f /etc/ipf/ipf.conf ; /native/usr/sbin/ipf -E -6 -f /etc/ipf/ipf6.conf"
ExecStop=/native/usr/sbin/ipf -D
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
root@splunk-ashburn:~#
{% endraw %}
That should be enough to get you going.