newB sol 9 experience / ipf queries

unix

  • 1. solaris 10 vlan interfaces snmp queries
    Hi When querying solaris interfaces which are vlan'd the stats returned are for the physical interface as opposed to the counters received/ sent on the vlan interface. Does anyone know how to get the stats from the vlan interface?
  • 2. Can you install Solaris 9 into a Solaris 9 container?
    I found a lot of documentation about installing a Solaris 9 flar into a Solaris 9 container. Can you install Solaris 9 from media into a container? B.
  • 3. Recursive Snapshot from NGZ
    Hi, Here is my scenario. I have a zpool that has two filesystems in it. mypool mypool/fs1 mypool/fs2 Both fs1 and fs2 have been delegated to a NGZ. From within the zone I need to allow a non-root user to do a recursive snapshot destroy permissions on both these filesystems from mypool. However, we need to run it on mypool as we want both filesystems snapped at the same point in time. zfs snapshot -r mypool@monday When this is run, even as root in the NGZ, I get a permission denied. Adding the mypool dataset to the zone config is not an option ( although it would work, I think ) Is there another way to allow this without having to add mypool dataset to the zone config and reboot ? I have been unable to find any info on it, so any help is appreciated. This system is currently running ZFS pool version 15 Regards.

newB sol 9 experience / ipf queries

Postby Angus C » Wed, 19 Nov 2003 21:49:34 GMT

After upgrading my SPARCstation 20 to 128MB RAM I cleaned the drive and installed Solaris 9 from the free binary program CD-ROMs. This was all downloaded via my i386 router/firewall/gateway box running FreeBSD attached to a 512kbps cable modem.

I'm planning on running the SPARCstation as a headless alternative to the above - it needs to be a gateway machine for another FreeBSD desktop and a machine running Windows. It also needs to be a mail server (sendmail probably + popper) and be capable of running a mailing list.

It currently only has a 2GB hard drive so loads of packages needed to be removed during the install, but since then I've managed to get gcc and the necessary SUNW programming packages up and running. Python is there, mailman has compiled OK but still needs a bit of work (Apache CGI probs I think).

It has 2 network cards, le0 and hme0, set up with local-mac-address?=true in the PROM, and I did get it browsing the web using lynx via DHCP on hme0 and ssh into it on le0. That's as far as it goes at the moment because of DHCP-related hostname problems. (I want to run something that will update the dynamic IP and a lightweight DNS as on the other box.)

/etc/nsswitch.conf has a
hosts: files dns
line in it.

I'm looking for some good ipf rules that will work from the command line and can then be put in an ipnat.conf file. Any pointers greatly appreciated.

Angus Claydon



Re: newB sol 9 experience / ipf queries

Postby Alex Balmer » Thu, 20 Nov 2003 08:39:47 GMT

I recently built a Solaris router running IPF. I can't tell you what 
firewall rules are best for your network setup, all I can say is that 
building a minimal Solaris system and compiling ipf are the easy part.

An excellent site I referred to heavily on this matter is http://www.**--****.com/


Re: newB sol 9 experience / ipf queries

Postby Angus C » Thu, 20 Nov 2003 17:13:44 GMT

Yes thanks for that, there are a few conceptual aspects that need to be eschewed

ac




Re: newB sol 9 experience / ipf queries

Postby Thomas H Jones II » Sat, 22 Nov 2003 06:11:39 GMT

If your aim is really to secure your environment, then you really might
want to simply run the IPF device as -just- that: a filter/NAT device. When
you put things like mail servers, etc. on your filter device, you make that
device a LOT more at risk of being exploited.

I have an IPF SPARC 10 for one of my segments. The only purpose the IP 
bound to the external interface serves is as a collection point for the
various PNAT rules into my service boxes (web, mail and other servers). In
other words, you can't get directly into the filter box from outside: you
have to pass through the NAT, compromise the app on an interior box and
0wn the interior box via the compromise, THEN compromise the filter box 
from this other system. Still doable by the determined cracker, but it
at least makes it a bit harder. Plus, by doing this, you save all your
memory for network functions and could mount most of your filesystems
read-only to further lock things down.

Since you're going to be running a protected unix box anyway, why not use it for your server processes instead of the filter system?

-tom


Similar Threads:

1. newB serial console / nfs query

I'm about to acquire a completely headless sparcstation 20 - just the box - and am wondering my chances of exploring its workings using a serial console null modem cable. I don't even know if it has solaris installed at this stage, only that it has 2 network interfaces. I have found docs.sun.com which looks like it's going to be quite useful once I get off the ground. It will have a place on my c class network here for a while.

I thought I'd try a null modem cable attached to a 'tiny' pc running fbsd on com 1.

regards in meantime
angusc



2. ipf.rules query.

Hello,
I hope somebody here will help me.

I am trying to block any packets coming in that originate from port 6699 but I don't think I am wording the rule correctly because these packets are still coming through the firewall, viewable with tcpdump.
Can anyone please tell me how to word this rule.
Thanks
Vic

Below is my ipf.rules file.




#dc1 = external interface
#dc0 = internal interface
#################################################################
# Outside Interface
#################################################################
#block some exploits first thing
block return-rst in quick proto tcp from any to any port 136 >< 140 flags S
block return-rst in quick proto tcp from any to any port = 445 flags S
block return-icmp-as-dest(port-unr) in quick proto udp from any to any port 136 >< 140
block return-icmp-as-dest(port-unr) in quick proto udp from any to any port = 445
block return-rst in quick proto tcp from any to any port = 1433 flags S
block return-rst in quick proto tcp from any to any port = 27374 flags S
block in proto tcp all with shorts
#


block in from any port = 6699 to any



#-------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#----------------------------------------------------------------
pass out quick on dc1 proto tcp from any to any keep state
pass out quick on dc1 proto udp from any to any keep state
pass out quick on dc1 proto icmp from any to any keep state
block out quick on dc1 all

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
# Replace X.X.X.X/32 with your ISP's DHCP server address.
#----------------------------------------------------------------
#pass in quick on dc1 proto udp from X.X.X.X/32 to any port = 68 keep state

pass in quick on dc1 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on dc1 proto tcp from any to any port = 21 flags S keep state
pass in quick on dc1 proto tcp from any to any port = 110 flags S keep state keep frags
pass in quick on dc1 proto tcp from any to any port = 143 flags S keep state keep frags
pass in quick on dc1 proto tcp from any to any port = 1352 flags S keep state
#pass in quick on dc1 proto tcp from any to any port

#----------------------------------------------------------------
pass in quick on dc1 proto tcp from any to any port = 80 flags S keep state
#pass in quick on dc1 proto tcp from any to any port = 14000 flags S keep state
pass in quick on dc1 proto tcp from any to any port = 3000 flags S keep state
pass in quick on dc1 proto tcp from any to any port = 443 flags S keep state
# ---------------------------------------------------------------


# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in quick on dc1 proto tcp from any to any
block return-icmp-as-dest(port-unr) in quick on dc1 proto udp from any to any
block in quick on dc1 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
block out log quick on dc0 from 192.168.1.14 to any
block out log quick on dc0 from 192.168.1.120 to any
block out log quick on dc0 from any to 192.168.1.14
block out log quick on dc0 from any to 192.168.1.120

pass out quick on dc0 proto tcp from any to any keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------

#
block in log quick on dc0 from any to 192.168.1.14
block in log quick on dc0 from any to 192.168.1.120
block in log quick on dc0 from any to 192.168.1.44
block in log quick on dc0 from any to 192.168.1.68
block in log quick on dc0 from 192.168.1.14 to any
block in log quick on dc0 from 192.168.1.120 to any
block in log quick on dc0 from 192.168.1.44 to any
block in log quick on dc0 from 192.168.1.68 to any

pass in quick on dc0 proto tcp from any to any keep state
pass in quick on dc0 proto udp from any to any keep state
pass in quick on dc0 proto icmp from any to any keep state



3. Query good/bad experiences with CD-RW/DVD Combo Internal IDE drives

Hello,

Does anybody have any very good or very bad experiences using CD-RW/DVD 
Combo Internal IDE drives on Linux?  (E.g. hardware compatibility / 
drivers / support ... etc)

Particular models of interest to me are:
Samsung SM-352B
Sony CRX-300A

TIA,
nsb.

4. ipf: ipf.conf help

Gang, I need to block access to a couple port ranges.  I need to allow
access from 2 netblocks.  So I think this is what I need:

block in from any to any port 598 >< 1025
block in from any to any port 7935 >< 7940
pass in from 1.2.3.4/32 to any port 598 >< 1025
pass in from 1.2.3.4/32 to any port 7935 >< 7940
pass in from 1.2.3.5/32 to any port 598 >< 1025
pass in from 1.2.3.5/32 to any port 7935 >< 7940


I only want 1.2.3.4 and 1.2.3.5 netblocks to get to ports 599-1024 and
7936-7939.  Does my syntax look right?  Does the first 2 lines override
my pass lines?  Thanks in advance.
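Both ipf questions above, Vic's port 6699 rule in thread 2 and the block-then-pass ordering in thread 4, come down to how IPFilter walks its rule list: rules are tried top to bottom, the last matching rule decides, and a matching rule marked `quick` ends the walk on the spot; packets that match an existing `keep state` entry are passed before the list is consulted at all, and a `port` comparison is only accepted together with `proto tcp`, `udp` or `tcp/udp`. The following Python model is an added example, not code from the thread or from IPFilter, and it implements only the subset of ipf.conf syntax the posted rule sets use. It assumes `proto tcp` was the intent behind the posted rules (added so the port tests are legal), ignores `flags`, `keep state` and `keep frags`, and uses constructed packets with made-up addresses (10.0.0.1 for the firewall, 9.9.9.9 for an outside host).

```python
"""Added example (not code from the thread): a toy model of how IPFilter walks a rule list.
Handles only the ipf.conf subset used in the posted rules: block/pass, in/out, log, quick,
on <iface>, proto, from/to with 'port = N' or 'port A >< B'; flags and keep state are ignored."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

Packet = namedtuple("Packet", "direction iface proto src dst sport dport")
Rule = namedtuple("Rule", "action direction quick iface proto src sport dst dport")

def _port_ok(spec: Optional[Tuple], port: Optional[int]) -> bool:
    if spec is None or port is None:      # no port test, or a packet without ports (ICMP)
        return spec is None
    if spec[0] == "=":
        return port == spec[1]
    return spec[1] < port < spec[2]       # '><' excludes both ends: 598 >< 1025 is 599-1024

def matches(r: Rule, p: Packet) -> bool:
    if r.direction != p.direction or (r.iface and r.iface != p.iface):
        return False
    if r.proto and p.proto not in r.proto.split("/"):     # "tcp/udp" matches either
        return False
    for spec, addr in ((r.src, p.src), (r.dst, p.dst)):   # "any" matches every address
        if spec != "any" and ipaddress.ip_address(addr) not in ipaddress.ip_network(spec, strict=False):
            return False
    return _port_ok(r.sport, p.sport) and _port_ok(r.dport, p.dport)

def _endpoint(toks: List[str], i: int):
    """Parse 'ADDR [port = N | port A >< B]' at toks[i]; return (addr, spec, next index)."""
    addr, spec, i = toks[i], None, i + 1
    if i < len(toks) and toks[i] == "port":
        if toks[i + 2] == "><":
            spec, i = ("><", int(toks[i + 1]), int(toks[i + 3])), i + 4
        elif toks[i + 1] == "=":
            spec, i = ("=", int(toks[i + 2])), i + 3
        else:
            raise ValueError("unsupported port comparison: " + " ".join(toks))
    return addr, spec, i

def parse_rule(line: str) -> Rule:
    toks = line.split()
    i = 2 if toks[1].startswith("return-") else 1     # skip return-rst / return-icmp-as-dest(...)
    direction, quick, iface, proto, i = toks[i], False, None, None, i + 1
    while i < len(toks) and toks[i] in ("log", "quick", "on", "proto"):
        if toks[i] == "quick":
            quick = True
        elif toks[i] == "on":
            iface, i = toks[i + 1], i + 1
        elif toks[i] == "proto":
            proto, i = toks[i + 1], i + 1
        i += 1
    src, sport, dst, dport = "any", None, "any", None
    if toks[i] == "from":
        src, sport, i = _endpoint(toks, i + 1)
        dst, dport, i = _endpoint(toks, i + 1)        # toks[i] is the 'to' keyword
    elif toks[i] != "all":
        raise ValueError("expected 'from' or 'all': " + line)
    if (sport or dport) and proto not in ("tcp", "udp", "tcp/udp"):  # ipf: 'port' needs tcp/udp
        raise ValueError("port comparison needs proto tcp or udp: " + line)
    return Rule(toks[0], direction, quick, iface, proto, src, sport, dst, dport)

def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule); ("pass", None) is ipf's no-match default."""
    verdict, winner = "pass", None
    for idx, r in enumerate(rules):
        if matches(r, pkt):
            verdict, winner = r.action, idx
            if r.quick:                   # 'quick' stops the walk; otherwise the LAST match wins
                break
    return verdict, winner

# The 598 >< 1025 half of thread 4's rules, with 'proto tcp' added (assumed intent) for legal syntax.
THREAD4_TEXT = [
    "block in proto tcp from any to any port 598 >< 1025",
    "pass in proto tcp from 1.2.3.4/32 to any port 598 >< 1025",
    "pass in proto tcp from 1.2.3.5/32 to any port 598 >< 1025",
]
# Thread 2's 6699 rule (again with 'proto tcp' added) followed by two later rules from that file.
THREAD2_TEXT = [
    "block in proto tcp from any port = 6699 to any",
    "pass in quick on dc1 proto tcp from any to any port = 80 flags S keep state",
    "block return-rst in quick on dc1 proto tcp from any to any",
]

def demo() -> dict:
    t4 = [parse_rule(line) for line in THREAD4_TEXT]
    t4_quick = [parse_rule(line.replace("block in", "block in quick")) for line in THREAD4_TEXT]
    t2 = [parse_rule(line) for line in THREAD2_TEXT]
    # Constructed packets: 10.0.0.1 stands in for the firewall, 9.9.9.9 for an outside host.
    trusted = Packet("in", "dc1", "tcp", "1.2.3.4", "10.0.0.1", 40000, 600)
    stranger = Packet("in", "dc1", "tcp", "9.9.9.9", "10.0.0.1", 40000, 600)
    web = Packet("in", "dc1", "tcp", "9.9.9.9", "10.0.0.1", 6699, 80)
    return {
        "t4_trusted": decide(t4, trusted)[0],              # pass: the later pass rule wins
        "t4_stranger": decide(t4, stranger)[0],            # block: only the block rule matched
        "t4_quick_trusted": decide(t4_quick, trusted)[0],  # block: quick never reaches the pass
        "t2_web": decide(t2, web)[0],                      # pass: later 'pass in quick' overrides
    }
```

Running `demo()` shows that the two thread-4 block lines do not override the later pass lines, because without `quick` the later match wins; put `quick` on the block lines and the pass lines are never consulted. The thread-2 rule suffers the reverse: it has no `quick`, so any later `pass in quick` rule that matches the same packet, such as the port 80 rule in that file, overrides it, and as posted without a protocol neither ipf nor this model accepts the rule at all.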

5. ipfilter WARNING: ddi_installdrv: no major number for ipf WARNING: mod_installdrv: Cannot install ipf

This has been discussed before, over multiple threads, about different
Solaris platforms.  However, I believe I may have a new variation of the
problem.  The OS is Solaris7 SPARC, pure 32-bit.

Some of the tell-tale signs are

WARNING: ddi_installdrv: no major number for ipf
WARNING: mod_installdrv: Cannot install ipf
can't load module: Out of memory or no room in system tables
open device: No such device or address
open device: No such device or address
ioctl(SIOCIPFFL): Bad file number
constructing minimal name resolution rules...
open device: No such device or address
1:ioctl(add/insert rule): Bad file number
open device: No such device or address
1:ioctl(add/insert rule): Bad file number
open device: No such device or address
ioctl(SIOCIPFFL): Bad file number
open device: No such device or address
open device: No such device or address
ioctl(SIOCSWAPA): Bad file number
open device: No such device or address
SIOCFRSYN: Bad file number
/dev/ipf: open: No such device or address


Some of the solutions included:

- checking that the /etc/devlinks.tab file is populated with correct entries - and it is
- running a reconfiguration boot, which I did with `touch /reconfigure; exec init 6`, and it ran
- verifying that the /dev/ipf* and /devices/pseudo/ipf* files are there - and they are
- checking that there is an entry in /etc/name_to_major for ipf, and there is, corresponding to the major number of files in /devices/pseudo/ipf*
- running `rem_drv ipf; add_drv ipf` which is what I also did, and in this case ipfilter attaches to the interfaces and I can run `/etc/init.d/ipfboot start` and it starts up.

However, when I reboot, I get the same messages as above, and the ipf module
hasn't been loaded in, because `modinfo | grep ipf` returns nothing.

This has been happening with 3.4.28, 3.4.29, 3.4.33pre2.  Based on this, I
suspect other revisions of the software will exhibit the same behaviour.

I'm not using le0, only qe0 and qe1 (at the moment).

What exactly *IS* the problem in this case, and why won't ipf start
automatically upon reboot?????


6. Sol 9/ Sol 10 open() different

7. SSH'ing between Sol 8 -> Sol 10 hosts

8. HELP: Problem install Sol 9 or Sol 8 on my Ultra 60


