Running Ipfilter on Solaris 10 i386 ok here. But the only thing that does not work is traceroute (both icmp and udp). (That is, pass all, with NAT rules). All traffic, and ping works fine. I see the traceroute packet leave the external nic, but it must do so corrupted.
I do agree there is a lot running on a default Solaris 10. It doesn't have to be quite as lean as a fresh NetBSD, but some of that certainly feels excessive.
I run these commands on our jumpstart server:
svcadm enable ssh
svcadm disable sendmail
svcadm disable ftp
svcadm disable telnet
svcadm disable finger
svcadm disable rlogin
svcadm disable kshell
svcadm disable shell:default
svcadm disable autofs
svcadm disable xfs
svcadm disable power
inetadm -d gss
inetadm -d ktkt_warn
inetadm -d rquota
inetadm -d rstat
inetadm -d rusers
inetadm -d rfc1179
inetadm -d rpc_ticotsord
inetadm -d rpc_tcp
inetadm -d rpc_udp
inetadm -d stfsloader
and remove a few: 90wbem 94ncalogd 99dtlogin 85power 80lp 73nfs.client 72slpd 71ldap.client 71rpc S74autofs 15nfs.server 50apache 76snmpdx 77dmi 80mipagent S81volmgt
But personal preferences reside.
Oh Sun people:
When installing Solaris 10 (on a Sol10 preview machine) you go through all the setup of nics and network, then pick "upgrade machine". It will boot and use the old nic information. Slight IP clash here :)
Lund
Jeff A. Earickson wrote:
Hi,
Ipfilter (4.0.2) on Solaris 10 (3/5) for Sparc flat does not work. I have my old ipf.conf and ipnat.conf files from Solaris 9 for the box in /etc/ipf (I was running ipfilter 3.4.31 in S9). I can see my rules with "ipfstat -ioh", but nothing happens. Connections from "outside" work with no incrementation of ipfstat counters. I'm not happy about having a machine so available, especially after I ran nmap against it and found all kinds of crap running (like "finger"?? Gimme a break!) A search of /var/adm/messages reveals:
Feb 15 15:06:13 cayuga ipfilter: [ID 702911 daemon.warning] pfil not configured for firewall/NAT operation
Feb 15 15:06:13 cayuga ipf: [ID 774698 kern.info] IP Filter: v4.0.2, running.
Hunh? What is this about? Should I upgrade to public domain 4.1.5? I ran "smpatch" to see if there were any S10 patches out yet, nothing.
Jeff Earickson Colby College
On Tue, 15 Feb 2005, Michael Lim(vpn) wrote:
Date: Tue, 15 Feb 2005 13:27:53 -0800
From: "Michael Lim(vpn)" <[EMAIL PROTECTED]>
To: Jeff A. Earickson <[EMAIL PROTECTED]>
Cc: [email protected]
Subject: Re: Getting ipfilter to work on Solaris 10
Jeff A. Earickson wrote:
I'm playing with the Solaris 10 release on Sparc. Another gotcha is the fact that the config files (ipf.conf and ipnat.conf) go into /etc/ipf, and NOT /etc/opt/ipf. I stared at the S10 manpages for ipf, ipfstat, ipmon, etc, and none of these pages make **any** reference to where the config files live. I consider this a BUG in the ipfilter manpages for Solaris 10.
I'll file this.
Also, it would be nice if Sun had a symlink from /etc/opt/ipf -> /etc/ipf for us old-timers, so we could find the config files.
and I'll look into this as well.
-Mike
--
Jorgen Lundman     | <[EMAIL PROTECTED]>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo  | +81 (0)90-5578-8500 (cell)
Japan              | +81 (0)3 -3375-1767 (home)
