pfil revision 7c478bd95313f5f23a4c958a745db2134aa03244
#!/sbin/sh
#
# ident "%Z%%M% %I% %E% SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
# Autopush pfil on to filtering interfaces and restrict
# network traffic during startup
#
PFILAP=/etc/ipf/pfil.ap
case "$1" in
'start')
/sbin/autopush -f ${PFILAP}
enabled=`svcprop -p general/enabled svc:/network/ipfilter:default`
# To avoid a window of vulnerability during the time that networking
# is being initialized but before the full ipf.conf configuration is
# loaded, install a temporary, restrictive rule set now, early in
# boot. This gets replaced by the contents of ipf.conf when the
# svc:/network/ipfilter service is started. Note that if /usr is not
# mounted, the window of vulnerability still exists because we can't
# run the ipf command this early.
if [ -x /usr/sbin/ipf ] && [ "$enabled" = "true" ]; then
echo "block in all" | /usr/sbin/ipf -Fa -f -
echo "block out all" | /usr/sbin/ipf -f -
echo "pass out from any to any port = 53 keep state" \
| /usr/sbin/ipf -f -
fi
;;
*)
echo "Usage: $0 start"
exit 1
;;
esac
exit 0