In an attempt to try to learn of the Solaris 10 way to start things..
# cp /lib/svc/method/pfil /lib/svc/method/pfil.dist
# cp /lib/svc/method/ipfilter /lib/svc/method/ipfilter.dist
# svcadm disable pfil
# svcadm disable ipfilter
# pkgrm SUNWipfu
# pkgrm SUNWipfr
# pkgadd -d /tmp/pfil.pkg   (or wherever, I use patches 1, 2 and 4 from John).
# pkgadd -d $your_sources/ipf.pkg
# rm /etc/rc2.d/S65ipfboot
# rm /etc/rc2.d/S10pfil
# mv /etc/opt/pfil/ui.ap /etc/ipf/pfil.ap
# svcadm enable pfil
# svcadm enable ipfilter
# cp /lib/svc/method/pfil.dist /lib/svc/method/pfil
# cp /lib/svc/method/ipfilter.dist /lib/svc/method/ipfilter
# reboot
Yeah I copy the dist files back after I enable it, so it fails to start - That way we can reboot before it tries to load things.
Hey, I just noticed ipf -T list - why didn't someone tell me about that! ;)
Seems to come up ok.
Lund
John Wehle wrote:
Firstly, if you were to disable ipfilter using svcadm and rely on /etc/rc2.d/S65ipfboot, ipfilter will start too late.
The recipe we're playing with is:
pkgrm SUNWipfu
pkgrm SUNWipfr
svcadm disable network/pfil
install pfil 2.1.5 + patches
install ipfilter 4.1.6
add:
pp::sysinit:/sbin/autopush -f /etc/opt/pfil/iu.ap
to /etc/inittab right after:
ap::sysinit:/sbin/autopush -f /etc/iu.ap
and rely on S65ipfboot to take care of doing the modinsert for the tunnels.
Comments welcomed.
-- John
PS: Hopefully Sun will release a patch which updates their package to pfil 2.1.5 / ipfilter 4.1.6 at which point we'll probably switch back to using SUNWipfr / SUNWipfu.
-------------------------------------------------------------------------
| Feith Systems | Voice: 1-215-646-8000 | Email: [EMAIL PROTECTED]      |
| John Wehle    | Fax: 1-215-540-5495   |                               |
-------------------------------------------------------------------------

--
Jorgen Lundman       | <[EMAIL PROTECTED]>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500 (cell)
Japan                | +81 (0)3 -3375-1767 (home)
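
Added example, not part of either message above: a shell check that an inittab file carries the pfil autopush entry from John's recipe directly after the stock iu.ap entry. The function name, exit codes and sample inittab contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# The two inittab entries quoted in the recipe above.
AP_LINE='ap::sysinit:/sbin/autopush -f /etc/iu.ap'
PP_LINE='pp::sysinit:/sbin/autopush -f /etc/opt/pfil/iu.ap'

# check_pfil_inittab FILE   (hypothetical helper)
#   0: pfil entry is the next entry after the iu.ap entry
#   1: pfil entry missing (pfil would not be pushed at sysinit)
#   2: pfil entry present but not directly after the iu.ap entry
#   3: stock iu.ap entry missing
check_pfil_inittab() {
    awk -v ap="$AP_LINE" -v pp="$PP_LINE" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { sub(/[ \t]+$/, ""); n++ }         # trim trailing space, count entries
        $0 == ap { ap_at = n }
        $0 == pp { pp_at = n }
        END {
            if (!ap_at) exit 3
            if (!pp_at) exit 1
            if (pp_at != ap_at + 1) exit 2
            exit 0
        }
    ' "$1"
}

# Demo on a constructed inittab fragment (not copied from a real host).
demo_inittab_check() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<EOF
# constructed sample
$AP_LINE
$PP_LINE
sp::sysinit:/sbin/soconfig -f /etc/sock2path
EOF
    rc=0
    check_pfil_inittab "$tmp" || rc=$?
    rm -f "$tmp"
    echo "inittab check exit code: $rc"
    return "$rc"
}

demo_inittab_check
```

On a real system the argument would be /etc/inittab; a non-zero result means the autopush ordering differs from the recipe.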
