--------------------------------------------------------------------------------
REMOVED from solaris 10
--------------------------------------------------------------------------------
netstat -k
admintool
GMT Zoneinfo Time Zones - zoneinfo
--------------------------------------------------------------------------------
solaris: scanpci
redhat: lspci
ifconfig INFC dhcp start
ifconfig INFC ether x:x:x:x:x:x
svcadm restart milestone/network
--------------------------------------------------------------------------------
Burn a DVD
growisofs -M /dev/rdsk/c1t1d0s0 -R -J /my/dir
OR
mkisofs -r /my/dir 2> /dev/null | cdrw -i -p 1
Steps to burn a CD/DVD in Solaris
1. Create a temporary directory.
2. Copy the files you want to burn to CD/DVD to this temporary directory.
3. Make an iso image out of it.
4. Mount the iso image (to make sure that it works)
5. Now insert the CD/DVD media in the drive and burn the data onto it.
Example:
SKIP mkdir ./temp_dir
SKIP cp /my_dir_path/myfiles ./temp_dir
SKIP mkisofs -J -R -o /my_dir_path/my_files.iso ./temp_dir
mkisofs -J -R -o /my_dir_path/my_files.iso my/path/files
#lofiadm -a /my_dir_path/my_files.iso
gives you a device to use to mount with: i.e. /dev/lofi/1
#mount -F hsfs /dev/lofi/1 /mnt
#umount /mnt
cdrw -i /my_dir_path/my_files.iso
Looking for CD devices...
Initializing device...done.
Preparing to write DVD
Writing track 1...done.
Finalizing (Can take several minutes)...done.
--------------------------------------------------------------------------------
NEW/CHANGED in solaris 10
--------------------------------------------------------------------------------
Zones:
List the owner/master global zone name from a local (non-global) zone.
#NOTE: convention could be all global zones end in a letter 'g'
arp -a \
| grep $(arp -a | grep `hostname` | awk '{print $NF}') \
| grep -v `hostname` \
| awk '{print $2}' \
| awk -F. '{print $1}' \
| grep g$
zonename - gives "global" or else zone's hostname
nfs: put DOMAINNAME in /etc/default/nfs on both client and server for NFS to work with mixed NFSv4 clients
halt -d **OR** reboot -d #halt, and force a crash dump
pgrep -f nfs -d, | xargs ps -fp
#java web console
/usr/share setup
https://$HOSTNAME:6789
prctl -n process.max-cpu-time $$
rctladm -n project.max-shm-memory
rctladm
prctl $$
ipcs -J
/etc/rctladm.conf
/etc/project
df -kZ | sed 1d | sed -e 's/%//' | awk '{if ($5 > 90) print $6}'
--------------------------------------------------------------------------------
CONSOLIDATION
http://www.sun.com/bigadmin/content/consolidation_tool/
Can you discuss or point me to information on the selective security feature
of the Solaris 10 OS, where applications can be assigned select privileges
(as opposed to simply running with full root privs)?
A: Sure, it's known as Process Rights Management, and information is
available in technical form in the Solaris 10 OS documents on
http://docs.sun.com/ as well as on the Solaris 10 OS white paper and
datasheet at www.sun.com/solaris/
--------------------------------------------------------------------------------
RC and inetd.conf migrations:
/usr/share/lib/xml/dtd/service_bundle.dtd.1
/var/svc/log
inetadm
Provides the ability to observe or configure services controlled by inetd
svcadm
Provides the ability to perform common service management tasks, such as
enabling, disabling, or restarting service instances
svccfg
Provides the ability to display and manipulate the contents of the service
configuration repository
svcprop
Retrieves property values from the service configuration repository with an
output format appropriate for use in shell scripts
svcs
Gives detailed views of the service state of all service instances in the
service configuration repository
----------------------------
Convert/Move an /etc/rc.? or /etc/init.d script to SMF
APP=myappname
change exec lines to "/path/to/executable %m"
cd /var/svc/manifest/site
Pick a template X/Y to copy from:
system/utmp for a simple standalone daemon
system/coreadm for a simple configuration service
(e.g. the service runs only once at system start)
network/telnet for an inetd-managed service
network/http:apache2 for a service with dependencies
cp /var/svc/manifest/X/Y.xml $APP.xml
vi $APP.xml
#large example/documentation/help: /usr/share/lib/xml/dtd/service_bundle.dtd.1
-----------------------------------------
#
# make lots of modifications
#
-----------------------------------------
$APP
-----------------------------------------
/etc/init.d/$APP stop
svccfg validate /var/svc/manifest/site/$APP.xml
if xmllint --valid /var/svc/manifest/site/$APP.xml; then   #success: lists the file, exit status 0
    svccfg import /var/svc/manifest/site/$APP.xml
else
    echo "fix errors in $APP.xml before importing" >&2
fi
#x86 boot dir
/platform/i386/boot-archive
#to list errors in the startup
svcs -xv
#fix any errors
svcadm clear FMRI
svcadm clear system/boot-archive
svcadm enable $APP
svcs $APP
svcs -l $APP
svccfg -s $APP listprop
mkdir /etc/init.d/OLD-SCRIPTS
mv /etc/init.d/$APP /etc/init.d/OLD-SCRIPTS
rm -i /etc/rc?.d/$APP
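As an added example (not from this page, and not one of Sun's shipped manifests), the shell function below writes the kind of minimal manifest the copy-and-edit step above produces for the simple standalone-daemon case (the system/utmp template). The service name site/myapp, the executable /opt/myapp/bin/myappd and the user myapp are assumptions; the element and attribute names follow /usr/share/lib/xml/dtd/service_bundle.dtd.1. The start method uses the "%m" convention from the procedure, and method_credential drops root and keeps only the basic privilege set, which is the Process Rights Management feature mentioned in the consolidation Q&A earlier on this page.

```shell
#!/bin/sh
# Added example: generate a minimal SMF manifest for a standalone daemon.
# Assumed/hypothetical: service site/NAME, executable path and user given
# as arguments. Validate the result on Solaris with
#   xmllint --valid FILE  and  svccfg validate FILE   before importing.

# smf_manifest NAME EXEC [USER]  -> manifest XML on stdout
smf_manifest() {
    name=$1; exec_path=$2; user=${3:-root}
    cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='$name'>
  <service name='site/$name' type='service' version='1'>
    <!-- created disabled: enable explicitly once 'svcs -xv' is clean -->
    <create_default_instance enabled='false' />
    <single_instance />
    <!-- do not start until local filesystems and the network milestone are up -->
    <dependency name='filesystem-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local:default' />
    </dependency>
    <dependency name='network' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/network:default' />
    </dependency>
    <!-- %m expands to the method name (start/stop), as in the script convention above -->
    <exec_method type='method' name='start' exec='$exec_path %m' timeout_seconds='60'>
      <method_context>
        <!-- least privilege: run as $user with only the basic privilege set -->
        <method_credential user='$user' group='$user' privileges='basic' />
      </method_context>
    </exec_method>
    <!-- :kill lets svc.startd kill the daemon's process contract on stop -->
    <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' />
    <stability value='Unstable' />
    <template>
      <common_name><loctext xml:lang='C'>$name service</loctext></common_name>
    </template>
  </service>
</service_bundle>
EOF
}

# smf_manifest_check FILE -> exit 0 when the manifest has a start method,
# a stop method and a default instance (a cheap pre-check; xmllint and
# svccfg validate are the real validators)
smf_manifest_check() {
    grep -q "exec_method type='method' name='start'" "$1" &&
    grep -q "exec_method type='method' name='stop'" "$1" &&
    grep -q '<create_default_instance' "$1"
}

# Usage (paths are the assumed ones from the lead-in):
#   smf_manifest myapp /opt/myapp/bin/myappd myapp > /var/svc/manifest/site/myapp.xml
```

If no user is given the daemon still runs as root, but with privileges='basic' it loses the root-only privileges (for example binding to ports below 1024 then needs net_privaddr added to that list), so the credential line is worth keeping even for root services.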
----------------------------
REMOVE a service
svcadm disable $APP
svccfg delete $APP
svcs $APP
----------------------------
Move an /etc/inetd.conf to SMF
cp /etc/inetd.conf /tmp/newinetd.conf #edit and leave only line(s) you want
inetconv -i /tmp/newinetd.conf -o /var/tmp
cd /var/tmp
xmllint --valid /var/tmp/$FILE.xml #success: lists the file
svccfg import /var/tmp/$FILE.xml
svcadm enable $SERVICE #use 'svcs | grep PATT' to find the name
vi /etc/inetd.conf #comment out new migrated service(s)
----------------------------
inetadm
inetadm -l PATTERN #list details of
inetadm -e PATTERN #enable
inetadm -d PATTERN #disable
inetconv
inetconv -i filename #filename has inetd.conf entries, converts into an xml manifest file for each entry
vi /etc/inetd.conf #comment out new migrated service(s)
svcs
svcs -a #default
svcs -H -o state APP #only print state
svcs -l network/smtp:sendmail #list details about it
svcs -D milestone/multi-user #what is dependent on it
svcs -d milestone/multi-user:default #what it is dependent on
svcs -p APP #list running process for service
svcs -xv
svcs -xv nfs/server #state (uptime), man and log file location
svcs | grep online #list services with online states
svcs | grep -v online #list services that are not online
svcadm enable SERVICE
svcadm -t enable SERVICE #temporarily start - not persistent with reboot
svcadm disable SERVICE
svcadm restart SERVICE
svccfg
svccfg -s APP #interactive modification
svccfg -s $APP listprop #list properties
svccfg import /var/tmp/dump.xml
svccfg export dumpadm >/tmp/dump.xml
svccfg delete network/inetd-upgrade:default
svcprop network/inetd:default
svcprop -p general/enabled network/inetd:default
svcprop -p stop/exec network/inetd:default
svcprop -p ttymon system/console-login
--------------------------------------------------------------------------------
http://home.arcor.de/bnsmb/public/htdocs/My_Little_SMF_FAQ.html#mozTocId734628
http://docs.sun.com/app/docs/doc/816-5175/6mbba7f3o?a=view
http://docs.sun.com/app/docs/doc/816-5175/6mbba7f3o?a=view
http://blogs.sun.com/roller/page/ganesh
A ^d (control-d) does not continue bootup from single user.
Must use: svcadm milestone all
---------------------------------
What milestone state am I in?:
svcprop -p options_ovr/milestone svc:/system/svc/restarter:default
If you get the following error message, it means you're in the milestone "all"
svcprop: Couldn't find property `options_ovr/milestone' for instance
`svc:/system/svc/restarter:default'.
---------------------------------
Legacy rc scripts log to the logfile of the milestone that runs them.
Scripts in /etc/rcS.d log to the logfile of the single-user milestone:
/var/svc/log/milestone-single-user:default.log
Scripts in /etc/rc2.d log to the logfile of the multi-user milestone:
/var/svc/log/milestone-multi-user:default.log
Scripts in /etc/rc3.d log to the logfile of the multi-user-server milestone:
/var/svc/log/milestone-multi-user-server:default.log
------------------------------------------
There is an additional system state which is associated with the all
milestone. This milestone is different from the multi-user init state because
SMF only knows about the services that are defined. If you have added
services, such as third party products, they may not be started automatically
unless you use the following command:
# boot -m milestone=all
------------------------------------------
If you boot a system using one of the milestones, it is important to use the
-s option as well. If you do not include the -s, then the system will stay in
the milestone state that you booted the system in. The system will not go
into multiuser state automatically by typing Control-D. You can get into the
multiuser state by using the following command:
# svcadm milestone all
------------------------------------------
When booting a system, you can choose to use the verbose option to see more
messages. By default, the system will not display these messages. To boot in
the verbose mode, use the following command:
# boot -m verbose
------------------------------------------
Boot without starting any milestones.
This command instructs the svc.startd daemon to temporarily disable all
services and start sulogin on the console.
svccfg import /var/svc/manifest/local/$APP.xml
ok boot -m milestone=none
Log in to the system as root.
Enable all services.
# svcadm milestone -t all
------------------------------------------
Determine where the boot process is hanging.
When the boot process hangs, determine which services are not running by
running svcs -l. Look for error messages in the log files in /var/svc/log.
After fixing the problems, verify that all services are ready to be
started.
Verify that all needed services are online.
# svcs -l
Verify that the console-login service dependencies are satisfied.
This command verifies that the login process on the console will run.
# svcs -l system/console-login:default
Continue the normal booting process.
------------------------------------------
Request information about the hung service.
# svcs -xv
svc:/application/print/server:default (LP Print Service)
State: disabled since Wed 13 Oct 2004 02:20:37 PM PDT
Reason: Disabled by an administrator.
See: http://sun.com/msg/SMF-8000-05
See: man -M /usr/share/man -s 1M lpsched
Impact: 2 services are not running:
svc:/application/print/rfc1179:default
svc:/application/print/ipp-listener:default
The -x option provides additional information about the service instances
that are impacted.
Enable the service.
# svcadm enable application/print/server
-------------------------
Fix a corrupted SMF repository:
#check it first
echo PRAGMA integrity_check \; | /lib/svc/bin/sqlite /var/tmp/myrepository.db
#how to
http://www.sun.com/msg/SMF-8000-MY
--------------------------------------------------------------------------------
SMF commands
Information Gathering Commands
==============================
svcs(1) and inetadm(1M)
svcs -a             Show the state of all the services on the system
svcs -l <FMRI>      Show detailed information about a service instance
svcs -d <FMRI>      Show the dependencies for a given service instance
svcs -D <FMRI>      Show the dependents for a given service instance
svcs -p <FMRI>      Show the process ID for a given service instance
svcs -x [FMRI]      Explain why a service instance has failed
svcs -v [FMRI] Show verbose information for a given service instance
inetadm -l Show detailed information about an inetd service
FMRI - Fault Management Resource Identifier
Administration Commands
=======================
svcadm(1M) and inetadm(1M)
svcadm enable Attempt to enable a given service
svcadm disable [-t] Disable a given service (temporarily, until next reboot)
svcadm restart Restart a given service
svcadm refresh Re-read the configuration information in the repository for the given service
svcadm mark Manually put a service into a maintenance or degraded state
svcadm clear Once a fault on a service has been repaired, clear the maintenance/degraded state and inform the restarter
svcadm milestone <FMRI> | all Enable/disable the services for the milestone you wish to move to. If the all keyword is used then temporarily enable all services.
inetadm -e Attempt to enable a given inetd based service
inetadm -d Disable a given inetd based service
Configuration Commands
======================
svccfg(1M), svcprop(1) and inetadm(1M)
The svccfg command is used for manipulating data in the repository (properties, snapshots, etc) and uses sub-commands to perform the various actions. Some common sub-commands are:
select Select a service or instance to work on
list Show the children of a selected service
listprop List the properties for a given service or service instance
setprop <prop> = <value> Assign a new value to a given property
delete Delete a service from the repository. Avoid deleting instances unless you really need to as this can cause problems when reimporting a manifest
validate Validate a manifest before importing into the repository. See also xmllint(1)
import Import a service manifest into the repository
unselect Navigate to the parent selection, eg: from the instance back to the service
listsnap List the snapshots for a given service instance
selectsnap Select a snapshot at the instance level
revert [<snapshot>] Revert the service instance to a selected snapshot
The svcprop command is used to display information about a service from the repository. There are various options to this command, for example:
svcprop -p <prop> <FMRI> Show the values for a given property,
eg: $ svcprop -p start smtp:sendmail
svcprop -s <snapshot> Show the details from a given snapshot
The inetadm command when used with the -m option modifies a property for a given inetd based service instance. An example of this is:
inetadm -m svc:/network/ftp:default exec="/usr/sbin/in.ftpd -a -l"
http://blogs.sun.com/roller/trackback/ganesh/Weblog/smf_commands_demo
SMF troubleshooting techniques
Logfiles, Manifests and Methods
===============================
SMF logfiles can be found in the following locations:
/var/svc/log
/etc/svc/volatile
The SMF manifests and methods may be found here:
/var/svc/manifest/*
/lib/svc/method/*
To see the log file location for a given service use:
$ svcs -l <FMRI> | grep logfile
(FMRI - Fault Management Resource Identifier. See the svcs(1) manual page
for details of how to specify an FMRI)
Daemons, Configuration and Recovery
===================================
The primary daemons for SMF are svc.startd and svc.configd. At boot time the
kernel will start init, which in turn starts svc.startd and that starts
svc.configd. This latter daemon (svc.configd) will read information from the
repository in /etc/svc/repository.db which is then used by svc.startd to
start the services.
If there is a problem booting the system you should try:
ok boot -m milestone=none
Then try to reach milestone "single-user" by running:
# svcadm milestone svc:/milestone/single-user:default
Observe the services as they start, look at any messages on screen and
consult the error logs for more information. If the repository is corrupt
you may need to restore from a previous saved copy, or reseed it.
The /lib/svc/bin/restore_repository script will guide you through this
process.
=================================================
If a service fails to start, you should check:
* The state of the service instance
- If a service is in maintenance mode use:
svcs -xv or svcs -l to see why it failed
inspect the log files for further information
svcadm clear once the fault has been repaired
* The dependencies for the service
- Are they optional or required?
svcs -d shows the dependencies for a service
svcs -l shows whether the dependencies are optional or required
* The error log for the instance
svcs -l | grep logfile tells you where the logfile is
* The properties for the service
svcprop -p start shows the start properties for a service
* Have any changes been made to the repository?
- How many services are affected?
- Have any snapshots been created?
- Can you resort to a previous snapshot?
* The start method for the service
- What type of service is it? (transient, child, contract)
- Look at the start method
- Did the service get killed? Why?
- Check the start method in the manifest and compare it to the repository
entry
- If you need to truss the service starting, you could try something like:
# svcprop -p start/exec network/inetd   ! use this to find the current start method
# svccfg -s network/inetd setprop 'start/exec = astring: "truss -f -a -o /tmp/truss.out /usr/lib/inet/inetd %m"'   ! wrap the method obtained from svcprop in truss
# svcadm refresh network/inetd
# svcadm restart network/inetd
Remember to restore the original start method when finished!
======================================================
If there are problems booting the system, you should:
* Capture the error message(s)
* Try to boot to an alternative milestone, eg:
ok boot -m milestone=none
ok boot -s
* If successful and you can login, try to start the next milestone
* Check the error logs and dependencies
* Can you boot the system in verbose mode, eg:
ok boot -m verbose
NOTE: This changes the boot behaviour from parallel to serial
* If the repository is beyond repair, try restoring from an earlier copy
or in the worst case you may need to reseed it.
The utility for this is /lib/svc/bin/restore_repository
--------------------------------------------------------------------------------
prodreg (product registration - works with pkgadd)
pwck
grpck
pwconv (add any missing entries to /etc/shadow from /etc/passwd)
fssnap
ldap
/usr/lib/ldap/idsconfig
ldapclient
ldapsearch
ldapmodify
samba
smbumount
smbmount
smbclient
smbstatus
>= sol8
/opt/sfw
gcc and lots of other stuff
#setting and viewing shared memory and semaphore limits (/etc/system tunables vs. Solaris 10 project resource controls)
set shmsys:shminfo_shmmni = 4096
* default sol 10: set to 128
*project.max-shm-ids = 4096
set semsys:seminfo_semmni = 512
* default sol 10: set to 128
*project.max-sem-ids = 512
modload -p sys/shmsys
modload -p sys/semsys
sysdef -i
prctl $$
NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT
process.max-port-events
privileged 65.5K - deny -
system 2.15G max deny -
process.max-msg-messages
privileged 8.19K - deny -
system 4.29G max deny -
process.max-msg-qbytes
privileged 64.0KB - deny -
system 16.0EB max deny -
process.max-sem-ops
privileged 512 - deny -
system 2.15G max deny -
process.max-sem-nsems
privileged 512 - deny -
system 32.8K max deny -
process.max-address-space
privileged 16.0EB max deny -
system 16.0EB max deny -
process.max-file-descriptor
privileged 1.02K - deny -
system 2.15G max deny -
process.max-core-size
privileged 8.00EB max deny -
system 8.00EB max deny -
process.max-stack-size
basic 10.0MB - deny 912
privileged 125TB - deny -
system 125TB max deny -
process.max-data-size
privileged 16.0EB max deny -
system 16.0EB max deny -
process.max-file-size
privileged 8.00EB max deny,signal=XFSZ -
system 8.00EB max deny -
process.max-cpu-time
privileged 18.4Es inf signal=XCPU -
system 18.4Es inf none -
task.max-cpu-time
system 18.4Es inf none -
task.max-lwps
system 2.15G max deny -
project.max-contracts
privileged 10.0K - deny -
system 2.15G max deny -
project.max-device-locked-memory
privileged 255MB - deny -
system 16.0EB max deny -
project.max-port-ids
privileged 8.19K - deny -
system 65.5K max deny -
project.max-shm-memory
privileged 32.0GB - deny -
system 16.0EB max deny -
project.max-shm-ids
privileged 4.10K - deny -
system 16.8M max deny -
project.max-msg-ids
privileged 128 - deny -
system 16.8M max deny -
project.max-sem-ids
privileged 512 - deny -
system 16.8M max deny -
project.max-crypto-memory
privileged 1022MB - deny -
system 16.0EB max deny -
project.max-tasks
system 2.15G max deny -
project.max-lwps
system 2.15G max deny -
project.cpu-shares
privileged 1 - none -
system 65.5K max none -
zone.max-lwps
system 2.15G max deny -
zone.cpu-shares
privileged 1 - none -
system 65.5K max none -
ipf: /etc/ipf
vi /etc/ipf/ipf.conf
vi /etc/ipf/pfil.ap
uncomment the line for the interface type you have:
e.g.: eri -1 0 pfil
svcadm enable pfil
svcadm enable ipfilter
init 6 (you can unplumb and plumb up the interface instead of rebooting)
ipfstat -hio
ipfstat -hi
ipfstat -ho
ipfstat -s
ipfstat -t
ipmon -a
#flush all rules
ipf -F a
#reread the rules file
ipf -A -f /etc/ipf/ipf.conf
#list the rules file
ipf -T list
IPFILTER
http://docs.sun.com/app/docs/doc/816-4554/6maoq025a?a=view
http://www.obfuscation.org/ipf/ipf-howto.html
http://daemons.net/~matty/articles/solaris.ipfilter.html
Filtering Network Traffic with Solaris 10 And IP Filter
07/24/2005
I use Solaris 10 as my primary desktop, and like to use the Java desktop
environment (GNOME w/ enhancements). To allow everything to function
correctly, I have to run rpcbind and a font server. To remediate the risks
associated with these services, I filter all ingress traffic with IP filter,
which is now integrated into the Solaris 10 Operating System.
Since my desktop doesn't need to accept inbound connections from other
network devices (other than SSH), I use the following IP filter rules to
allow stateful outbound connectivity, and limit ingress traffic to port 22
(SSH):
$ cat /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
block in log on eri0 all head 100
block out log on eri0 all head 150
# ^^^ the "log" keyword on these two rules is what sends matching packets
#     to the log file set up later
### Allow inbound SSH connections
pass in quick proto tcp from any to 172.16.64.199 port = 22 keep state group 100
### Allow my box to utilize all UDP, TCP and ICMP services
pass out quick proto tcp all flags S/SA keep state group 150
pass out quick proto udp all keep state group 150
pass out quick proto icmp all keep state group 150
Once the rules are defined in /etc/ipf/ipf.conf, IP filter needs to be
enabled, and bound to the interfaces you want to filter traffic on. To bind
IP filter to a physical interface, you need to uncomment the applicable
entries in /etc/ipf/pfil.ap:
$ grep eri /etc/ipf/pfil.ap
eri -1 0 pfil
Once IP filter has been configured to bind to the physical interfaces in a
system, you need to enable IP filter with the svcadm(1m) utility:
$ svcadm enable pfil
$ svcadm enable ipfilter
Once IP filter is enabled, you can run the svcs(1m) utility to verify that
it's running:
$ svcs | egrep '(pfil|ipfilter)'
online Mar_11 svc:/network/pfil:default
online Mar_11 svc:/system/rmtmpfiles:default
online Mar_11 svc:/network/ipfilter:default
Once IP filter is activated, it will begin filtering traffic. When IP filter
processes a packet that matches a rule carrying the log keyword, IP filter
will write the packet's headers to the /dev/ipl pseudo-device. This device is
monitored by ipmon(1m), which is started by the IP filter initialization
scripts. When ipmon(1m) detects that a new entry has been logged to /dev/ipl,
the message is routed to syslogd's local0 facility (you can also configure IP
filter to log directly to a file), using one of several priorities listed in
the ipmon(1m) manual page:
LOG_INFO
Packets logged using the log keyword as the action
rather than pass or block.
LOG_NOTICE
Packets logged that are also passed.
LOG_WARNING
Packets logged that are also blocked.
LOG_ERR
Packets that have been logged and that can be con-
sidered "short".
These packets can be logged to a text file by appending the following line
to /etc/syslog.conf:
local0.debug /var/log/ipflog
(lines in the rules file (ipf.conf) need "log" to log to the file)
Once this entry is added to the syslog.conf configuration file (remember to
use tabs to delimit the entries), syslogd needs to be restarted. This can be
accomplished with the svcadm(1m) utility:
$ svcadm restart system-log
Once syslog is restarted, you should see a file named "/var/log/ipflog":
$ ls -la /var/log/ipflog
-rw-r--r-- 1 root root 33765 Mar 13 21:08 /var/log/ipflog
This file will grow rapidly on busy networks, so it's best to add
a daily log rotation job to ensure that the /var file system doesn't
fill up:
$ logadm -w ipflog -C 30 -o sys -g sys -m 600 /var/log/ipflog -a 'kill -HUP `cat /var/run/syslog.pid`'
This will keep thirty copies of ipflog, set the owner and group to sys,
and restart syslogd after the logfiles are rotated.
For the Solaris IP Filter firewall to function, the pfil kernel module must be loaded
on each network interface on the system on which packet filtering is to be applied.
The pfil kernel module is loaded on an individual network interface when the interface
is plumbed if packet filtering has been enabled for that type of interface (hme, qfe,
and so on).
The default configuration in the Solaris 10 OS is that packet filtering is not enabled
for any network interface. Packet filtering is enabled on a particular network
interface type by uncommenting the line relating to the network interface type in the
/etc/ipf/pfil.ap file.
The /etc/ipf/pfil.ap file contains a list of network interfaces. Remove the leading
comment character from the appropriate lines for the interface for which filtering is
to be configured.
# cat /etc/ipf/pfil.ap
# IP Filter pfil autopush setup
#
# See autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major minor lastminor modules
#le -1 0 pfil
#qe -1 0 pfil
#hme -1 0 pfil
#qfe -1 0 pfil
#eri -1 0 pfil
#ce -1 0 pfil
#bge -1 0 pfil
#be -1 0 pfil
#vge -1 0 pfil
#ge -1 0 pfil
#nf -1 0 pfil
#fa -1 0 pfil
#ci -1 0 pfil
#el -1 0 pfil
#ipdptp -1 0 pfil
#lane -1 0 pfil
#dmfe -1 0 pfil
#
Any existing, plumbed network interfaces to which you choose to apply filtering must
be unplumbed and plumbed. For example, you can use the autopush command to read
changes to the /etc/ipf/pfil.ap file before you unplumb and plumb the interfaces.
# autopush -f /etc/ipf/pfil.ap
Solaris IP Filter Services
The svc:/network/pfil and the svc:/network/ipfilter SMF services control the pfild
daemon process. Like other SMF services, use the svcs and svcadm commands to manage
these filtering services.
# ls /usr/share/ipfilter/examples
BASIC.NAT   BASIC_1.FW  BASIC_2.FW  example.1   example.10  example.11
example.12  example.13  example.2   example.3   example.4   example.5
example.6   example.7   example.8   example.9   example.sr  firewall
ftp-proxy   ftppxy      ip_rules    mkfilters   nat-setup   nat.eg
pool.conf   server      tcpstate
Using the quick keyword
Recall that the default behavior of the Solaris IP Filter firewall is to find every
rule that matches and remember the action from the last rule matched. The quick
keyword is used to change this behavior.
If a packet matches a rule containing the quick keyword, then the Solaris IP Filter
firewall stops matching at that rule and applies the action contained in the rule. The
remaining rules are not processed against the packet for matches.
The quick keyword, if present, is found between the direction keyword and the matching
keywords in the rule.
To define a rule that will block any incoming packet matching the rule and will stop
the Solaris IP Filter firewall from processing any further rules, start the rule with:
block in quick ...
To define a rule that will permit any outgoing packet matching the rule and will stop
the Solaris IP Filter firewall from processing any further rules, start the rule with:
pass out quick ...
Matching All Packets
The all keyword is used to match every packet either arriving or leaving at a system.
For example, to block every packet arriving at a system, use the rule:
block in all
To block every packet arriving at a system and stop processing rules at this point,
use the rule:
block in quick all
To permit all packets arriving at a system to be passed, use the rule:
pass in all
To permit all packets arriving at a system to be passed and to stop processing rules
at this point use the rule:
pass in quick all
Configuring Filtering on a Specific Network Interface
The Solaris IP Filter firewall applies each rule to every network interface on the
system by default. Use of the on keyword enables you to apply a rule to a particular
network interface only.
Note: The Solaris IP Filter firewall does not filter the loopback interface. You
should not use the interface identifier lo0 in the /etc/ipf/ipf.conf file. Note that
the lo identifier does not appear in the /etc/ipf/pfil.ap file.
To apply a rule to a specific interface, use the on keyword followed by the name of
the interface. For example, to permit all packets arriving and leaving the hme0
interface and to stop further processing rules at this point, use the rules:
pass in quick on hme0 all
pass out quick on hme0 all
Configuring Filtering on IP Address
The Solaris IP Filter firewall can filter packets based on their source and
destination IP addresses. To filter packets based on the source IP address, the from
keyword is used. To filter packets based on the destination IP address, the to keyword
is used.
The from and to keywords take IP addresses as arguments. IP addresses are suffixed by
a netmask value specified by using prefix notation. To specify an IP address for a
single host, use the suffix /32 or /255.255.255.255. To specify a Class C network, use
the suffix /24 or /255.255.255.0. To specify a Class B network, use the suffix /16 or
/255.255.0.0. To match any IP address, use the keyword any.
For example, the rule:
pass in from 192.168.1.0/24 to any
will permit any packets originating from the Class C network 192.168.1.0 and intended
for any destination to enter the system from the network on any network interface.
The rule:
block out from any to 192.168.30.30/32
will block any packets leaving the current system which have the host 192.168.30.30 as
their destination.
Network interfaces and IP addresses can be combined in rules. For example, the rule:
block in on qfe0 from any to 192.168.1.0/24
will block any packets arriving at the qfe0 network interface from any source IP
address which are intended for the 192.168.1.0 network.
IP addresses can be used as both source and destination addresses. For example, the
rule
block out on qfe0 from 192.168.1.2/32 to 192.168.3.0/24
will block any packet leaving the qfe0 interface which originated from the host
192.168.1.2 and is intended for the 192.168.3.0 network.
Configuring Filtering on Protocol Type and Port Number
The Solaris IP Filter firewall is also capable of filtering traffic based on the
network protocol contained in a packet. The protocols which can be filtered are TCP,
UDP and ICMP.
The proto keyword is used to filter on protocol type. The proto keyword is followed by
a second keyword that identifies the protocol or protocols to be filtered. The table
shows the keywords and the protocols to which they relate.
Protocol Keywords
Keyword    Protocols Filtered
icmp       ICMP
tcp        TCP
udp        UDP
tcp/udp    Both TCP and UDP
For example, to block all ICMP packets arriving on the hme0 interface, use the rule:
block in on hme0 proto icmp from any to any
In this form, this rule blocks all ICMP packets. The icmp-type keyword can be used to
specify a single ICMP type value for the rule. All ICMP packets contain a type value
in the ICMP header. Some common ICMP types are shown in the table.
ICMP Type Values and Keywords
ICMP Type              Value   Keyword
Echo reply             0       echorep
Echo request           8       echo
Router advertisement   9       routerad
Router solicitation    10      routersol
Note: A complete list of ICMP type values can be found in the
/usr/include/netinet/ip_icmp.h file.
The icmp-type keyword is appended to the end of a rule to make the rule apply to a
specific type of ICMP packet. The type value can be specified numerically or
textually. For example, to permit a system to receive ICMP router discovery
solicitations on the hme0 interface connected to the 192.168.1.0 network and to send
router advertisements on the same interface, but to block all other ICMP traffic on
the hme0 interface, use the rules:
pass in quick on hme0 proto icmp from 192.168.1.0/24 to any icmp-type 10
pass out quick on hme0 proto icmp from any to 192.168.1.0/24 icmp-type 9
block in quick on hme0 proto icmp from any to any
block out quick on hme0 proto icmp from any to any
To block outgoing ICMP echo replies (responses to the ping command) on the qfe0
interface, use the rule:
block out quick on qfe0 proto icmp from any to any icmp-type echorep
Filtering of TCP and UDP packets can be restricted to a particular port by using the
port = keywords. The port to which the rule is to apply is specified after the equal
sign (=). For example, to block the default telnet server port (23) the keywords port
= 23 are appended to the rule.
Port-based filtering can be applied to the source address (after the from address) or to
the destination address (after the to address). Note that the spaces on either side of
the equals sign are required.
Note: When configuring filtering based upon port number, it is important to understand
how the applications you are filtering use ports. Some applications,
for example, routing protocols, use the same port on the server and the client. Other
applications, for example, FTP and telnet, use a well-known port on the server side
and an anonymous port for the client. When writing rules for protocols like Telnet and
FTP, the keep state keywords are a convenient way to avoid having to know the
per-session, anonymous-client port assignments. See the ipf.conf(4) man page for
details.
To block all incoming packets intended for the telnet server port (port 23), use the
rule:
block in quick proto tcp from any to any port = 23
To block all incoming telnet packets except those originating from the 192.168.1.0
network, use the rules:
pass in quick proto tcp from 192.168.1.0/24 to any port = 23
block in quick proto tcp from any to any port = 23
To permit incoming RPC requests to the rpcbind daemon from the 192.168.1.0 network on
the hme0 interface only, use the rules:
pass in quick on hme0 proto tcp/udp from 192.168.1.0 to any port = 111
block in quick on hme0 proto tcp/udp from any to any port = 111
To permit packets to leave the telnet server port if they are intended for the local
subnet, use the rule:
pass out quick proto tcp from 192.168.1.1/32 port = 23 to 192.168.1.0/24
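The rules above only behave as described because of how IP Filter orders them: the last matching rule decides, unless a matching rule carries quick, which ends evaluation at once (that is why the pass quick rule must come before the block quick rule). The following is an added example, not IPFilter code or code from these notes; it models that ordering for the rule subset used above (pass/block, in/out, log, quick, on, proto, from/to with port = N, icmp-type) so a rule set can be checked against sample packets before it is loaded:

```python
# Model of how Solaris IP Filter orders the rules shown above. Added example, not
# IPFilter code; it covers only the rule subset used on this page.
import ipaddress
ICMP_TYPES = {"echorep": 0, "echo": 8, "routerad": 9, "routersol": 10}  # page's table

def parse_rule(text):
    """Turn one ipf.conf rule into a dict of match criteria."""
    tok = text.split()
    rule = dict.fromkeys(["on", "proto", "sport", "dport", "icmp_type"])
    rule.update(action=tok[0], dir=tok[1], log=False, quick=False, src="any", dst="any")
    i = 2
    while i < len(tok):
        t = tok[i]
        if t in ("log", "quick"):
            rule[t], i = True, i + 1
        elif t in ("on", "proto"):
            rule[t], i = tok[i + 1], i + 2
        elif t == "icmp-type":                     # numeric (10) or symbolic (routersol)
            v = tok[i + 1]
            rule["icmp_type"], i = (ICMP_TYPES[v] if v in ICMP_TYPES else int(v)), i + 2
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            rule[side], i = tok[i + 1], i + 2
            if i < len(tok) and tok[i] == "port":  # 'port = N'; spaces around = required
                assert tok[i + 1] == "=", "only 'port = N' is modelled here"
                rule["sport" if side == "src" else "dport"], i = int(tok[i + 2]), i + 3
        else:
            raise ValueError("unsupported token %r" % t)
    return rule
def _addr_ok(spec, addr):  # 'any' matches all; a bare address is a single host (/32)
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(
        spec if "/" in spec else spec + "/32")

def matches(rule, pkt):  # pkt keys: dir, iface, proto, src, dst, [sport, dport, icmp_type]
    return (rule["dir"] == pkt["dir"] and rule["on"] in (None, pkt["iface"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"].split("/"))
            and _addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])
            and rule["sport"] in (None, pkt.get("sport")) and rule["dport"] in (None, pkt.get("dport"))
            and rule["icmp_type"] in (None, pkt.get("icmp_type")))

def decide(rules, pkt):
    """(action, rule index): last match wins unless a match is 'quick'; no match passes."""
    verdict = ("pass", None)
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict = (rule["action"], idx)
            if rule["quick"]:
                break
    return verdict
```

Note that a bare address such as 192.168.1.0 (no /24) is treated as a single host, so the rpcbind rules above admit only that one address rather than the whole network.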
The ipf command is used to update the set of filtering rules in place on a system.
The -f option is used to add filtering rules. The -f option takes the name of a file
containing the new rules as an argument. The rules found in the file are appended to
any existing rules:
# ipf -f /etc/ipf/ipf.conf
#
The ipf command can also be used to remove rules from the current configuration. The
-F (flush) option is used to clear rules. The -F option is combined with one of three
choices of the rules to clear:
ipf Command Options
Option   Description
-Fa      Flush all rules (both input and output)
-Fi      Flush input rules only
-Fo      Flush output rules only
For example, to clear all of the input rules, type the command:
# ipf -Fi
#
If you have made changes to the rule set in the /etc/ipf/ipf.conf file, you can load
the new rules by combining a flush operation and an add operation in one command:
# ipf -Fa -f /etc/ipf/ipf.conf
#
Note: Options to the ipf command are executed in the order in which they are specified
on the command line. If a flush option is specified after an add rules option, the new
rules will be added, then flushed along with the old rules. To clear the existing
rules and load a new or updated set, the flush option must be specified first.
The ipfstat command is used to display information about the behavior and
configuration of the Solaris IP Filter firewall.
Running the ipfstat command with no arguments displays statistics about the Solaris IP
Filter firewall:
# ipfstat
bad packets: in 0 out 0
input packets: blocked 37 passed 71 nomatch 71 counted 0 short 0
output packets: blocked 0 passed 77 nomatch 50 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 13 (out): 27
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 10 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 1426
Packet log flags set: (0)
none
#
The ipfstat command can also be used to display the rules being used currently by
using the -io option:
# ipfstat -io
empty list for ipfilter(out)
block in proto tcp from any to 192.168.2.0/24 port = telnet
#
Note: The ipfstat -io command does not display the rules in the same sequence as they
are listed in the /etc/ipf/ipf.conf file. The out rules are listed in order first, and
then the in rules are listed.
The Solaris IP Filter firewall includes the ability to log its actions.
Logged information is sent to the /dev/ipl device. The /dev/ipl device can be
monitored by running the ipmon command. The ipmon command can log information to
standard output, to a file, or send the information to the syslogd daemon.
Configuring Logging of a Rule Match
To configure a rule match to be logged by the Solaris IP Filter firewall, the log
keyword is used. The log keyword is placed immediately after the direction keyword in
a rule, and any matches of that rule are sent to the /dev/ipl device.
For example, to log any packets which are received on the hme0 interface and intended
for the rpcbind daemon, but which do not originate from the 192.168.1.0 network, add
the log keyword to the block rule in the following example:
pass in quick on hme0 proto tcp/udp from 192.168.1.0 to any port = 111
block in log quick on hme0 proto tcp/udp from any to any port = 111
Configuring the Solaris IP Filter Firewall to Log to Standard Output
To display logged information on standard output, use the ipmon command:
# ipmon
23/07/2004 15:27:35.607407 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:38.978075 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:45.738002 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:59.248572 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:28:03.121993 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 40 -R IN
Control-C#
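The ipmon output above is easier to act on when it is parsed rather than read by eye: each line carries the interface, the group:rule that matched, the action (b for blocked, p for passed), source and destination with ports, protocol, lengths, TCP flags and direction. The following is an added example, not part of ipmon or of these notes; the field layout is taken from the TCP lines shown above (other packet types may print extra fields), and the summary reports sources that repeatedly had SYNs blocked to the same port, which is the pattern a blocked telnet client or a port probe leaves in the log:

```python
"""Parse ipmon output like the lines shown above and flag repeated blocks.
Added example (not part of ipmon). The field layout is taken from the TCP
lines on this page; other packet types may print extra fields."""
import re
from collections import Counter

IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$")

def parse_ipmon_line(line):
    """Return a dict of fields, or None if the line is not in the expected shape."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[k] = int(rec[k])
    rec["blocked"] = rec["action"] == "b"       # 'b' = blocked, 'p' = passed
    rec["syn"] = rec["flags"] is not None and "S" in rec["flags"]
    return rec

def blocked_syn_summary(lines, threshold=3):
    """Count blocked SYNs per (source, destination port) and return those at or
    above threshold, most frequent first. Repeated blocked SYNs from one host to
    one port are what a blocked client or a port probe leaves behind."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec and rec["blocked"] and rec["syn"]:
            counts[(rec["src"], rec["dport"])] += 1
    return [(src, port, n) for (src, port), n in counts.most_common() if n >= threshold]

# Constructed sample: the five blocked lines from the page plus one passed line.
SAMPLE = """\
23/07/2004 15:27:35.607407 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:38.978075 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:45.738002 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:59.248572 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:28:03.121993 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 40 -R IN
23/07/2004 15:28:10.000000 hme0 @0:2 p 192.168.1.5,40100 -> 192.168.1.1,22 PR tcp len 20 60 -S IN
""".splitlines()

if __name__ == "__main__":
    for src, port, n in blocked_syn_summary(SAMPLE):
        print("%s: %d blocked SYNs to port %d" % (src, n, port))
```

The same functions can be fed the file written by ipmon -D /var/tmp/filterlog.txt (see below) one line at a time.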
Configuring the Solaris IP Filter Firewall to Log to a File
To capture logged information to a file, supply the name of the file to log to as an
argument to the ipmon command:
# ipmon /var/tmp/filterlog.txt
-C
#
The ipmon process can be instructed to run as a daemon by using the -D option:
# ipmon -D /var/tmp/filterlog2.txt
#
Configuring the Solaris IP Filter Firewall to Log by Using Syslog
The -s option to the ipmon command causes log information to be sent to the syslogd
daemon.
The Solaris IP Filter firewall sends its log messages by using the local0 facility, and
so the /etc/syslog.conf file must be configured appropriately to record logging
information sent to it by the ipmon command.
The Solaris IP Filter firewall generates messages at four levels, as shown in the
table.
Solaris IP Filter Firewall Message Levels
Message Level    Meaning
local0.error     Packets that are logged and are short.
local0.warning   Packets blocked by the Solaris IP Filter firewall.
local0.notice    Packets passed by the Solaris IP Filter firewall.
local0.info      Packets matching a logged rule, but to which the action associated with
                 that rule was not applied. This tells you that the packet matched the
                 rule, but a later rule in the /etc/ipf/ipf.conf file took precedence.
To configure the ipmon command to run as a daemon and to send logging information by
using the syslogd daemon to the /var/adm/ipflog file:
# cat /etc/syslog.conf
local0.notice /var/adm/ipflog
# touch /var/adm/ipflog
# pkill -HUP syslogd
# ipmon -D -s
# ...
--------------------------------------------------------------------------------
# create the ramdisk
#
[Mon Mar 17 22:15:03 root@sol9 /]
# ramdiskadm -a mydisk 40m
/dev/ramdisk/mydisk
# check the result
#
[Mon Mar 17 22:15:21 root@sol9 /]
# ls -l /dev/ramdisk/mydisk
lrwxrwxrwx 1 root root 40 Mar 17 22:15 /dev/ramdisk/mydisk -> ../../devices/pseudo/ramdisk@1024:mydisk
[Mon Mar 17 22:16:04 root@sol9 /]
# ls -l /dev/rramdisk/mydisk
lrwxrwxrwx 1 root root 44 Mar 17 22:15 /dev/rramdisk/mydisk -> ../../devices/pseudo/ramdisk@1024:mydisk,raw
# check the fstype
#
[Mon Mar 17 22:16:07 root@sol9 /]
# fstyp /dev/rramdisk/mydisk
unknown_fstyp (no matches)
# create a filesystem on the ramdisk
#
[Mon Mar 17 22:16:22 root@sol9 /]
# newfs /dev/rramdisk/mydisk
/dev/rramdisk/mydisk: Unable to find Media type. Proceeding with system determined parameters.
newfs: construct a new file system /dev/rramdisk/mydisk: (y/n)? y
/dev/rramdisk/mydisk: 81872 sectors in 136 cylinders of 1 tracks, 602 sectors
40.0MB in 9 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 9664, 19296, 28928, 38560, 48192, 57824, 67456, 77088,
# mount the ramdisk
#
[Mon Mar 17 22:16:44 root@sol9 /]
# mkdir /myramdisk
[Mon Mar 17 22:16:51 root@sol9 /]
# mount /dev/ramdisk/mydisk /myramdisk
[Mon Mar 17 22:17:01 root@sol9 /]
# df -k /myramdisk
Filesystem kbytes used avail capacity Mounted on
/dev/ramdisk/mydisk 38255 1041 33389 4% /myramdisk
--------------------------------------------------------------------------------
ftpcount -v
ftpwho -v
ftpshut
ftpgroups
ftpaddhost
rmmount (solaris 10 replacement for vold - USB drives)
--------------------------------------------------------------------------------
storedge 3310
CLI: sccli
> show configuration
GUI: /opt/SUNWsscs/sscsconsole/sscs
--------------------------------------------------------------------------------