One more note. When I did pkgrm, it blew away my /etc/ipf/ipf.conf (but not ipnat.conf?) which was rather annoying, so it is recommended you take a copy of it first :)
Lund
Jeff A. Earickson wrote:
Gang,
Attached is my write-up of how to replace the version of ipfilter
and pfil shipped with Solaris 10 (Sparc) with the latest public-domain
version supplied by Darren. Thanks go to Jorgen Lundman and John Wehle from the ipfilter list for valuable clues on meshing
the public-domain ipfilter with svc.
Disclaimer: removing Sun's version of ipfilter and pfil will get you no sympathy or help from Sun support if your system panics or otherwise has problems. Sun support will simply blame ipfilter.
Your sole resource will probably be the ipfilter list. You also will lose the benefit of Sun patches to their version of ipfilter/pfil in the future. Think hard before doing this. You wuz warned.
Jeff Earickson Colby College
------------------------------------------------------------------------
How to replace Sun's Solaris 10 version of pfil/ipfilter with Darren Reed's public-domain release ========================================================
Note: if you install Solaris 10 via Jumpstart and you want to remove Sun's version of ipfilter via Profile commands, eg:
package SUNWipfr delete   # Sun IP Filter
package SUNWipfu delete   # Sun IP filter
then the Jumpstart install will complain that these are required packages and won't remove them from the Jumpstart install. Bummer.
0) Go get the latest version of ipfilter and pfil from Darren's website:
http://coombs.anu.edu.au/~avalon/ip_fil4.1.7.tar.gz
http://coombs.anu.edu.au/~avalon/pfil-2.1.6.tar.gz
1) Disable Sun's ipfilter and pfil:
# svcadm -v disable pfil
# svcadm -v disable ipfilter
reboot
2) Check that the kernel modules are not loaded after the reboot:
# modinfo | grep ipf
# modinfo | grep pfil
You should get no output.
3) Save copies of some of the Sun ipfilter files before removing the Sun packages; you will need these later:
# cp /lib/svc/method/pfil /lib/svc/method/pfil.dist
# cp /lib/svc/method/ipfilter /lib/svc/method/ipfilter.dist
# cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist
4) Remove the Sun IP filter packages:
# pkgrm SUNWipfu
# pkgrm SUNWipfr
reboot
5) Build and install pfil 2.1.6 and ipfilter 4.1.7 per the instructions that come in the tarfiles.
After installation, remove the Solaris 9 era startup scripts because they are not needed (you will be using svcadm because of the files you saved in step 3 instead):
# rm /etc/rc2.d/S65ipfboot
# rm /etc/rc2.d/S10pfil
# rm /etc/init.d/ipfboot
# rm /etc/init.d/pfil
NOTE!!! The config files for the public-domain version live in
/etc/opt/ipf, while Sun's config files live in /etc/ipf. This
can lead to confusion, because the svc files that you saved in
step 3 still refer to Sun's config file path.
6) Get pfil configured for your network devices. Do "ifconfig -a" and note your network devices other than lo0, for instance "hme0" or "ce0" or "bge0".
You have two choices here: (a) Copy the public domain version of the pfil config file to the Sun directory, or (b) Edit the Sun version of the pfil config file and uncomment the network devices for your system. Both choices rely on the fact that pfil will be started via Sun's svc scripts.
Choice (a) involves:
# cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist
# cp /etc/opt/pfil/iu.ap /etc/ipf/pfil.ap
Choice (b) involves:
# vi /etc/ipf/pfil.ap (uncomment appropriate devices)
Then enable the pfil service:
# svcadm -v enable pfil
If you have problems, take a look at /lib/svc/method/pfil. Make sure that the PFILAP variable matches the network device config file.
7) Get ipfilter ready to go. Put your ipf.conf and ipnat.conf files in the Sun ipfilter config file directory structure:
# cp [someplace]/ipf.conf /etc/ipf
# cp [someplace]/ipnat.conf /etc/ipf
Edit these files as needed. Then enable the ipfilter service:
# svcadm -v enable ipfilter
If you have problems, look at /lib/svc/method/ipfilter and make sure that the variables specifying file paths match where you put your config files.
8) Time to see if things work. Reboot from the system console so you can see what complaints might appear there.
If you see the complaint "ipfilter: pfil not configured for firewall/NAT operation" during the reboot, then pfil didn't
start. Go back to step 6 and figure out what you did wrong.
9) Check things over afterwards. First, see that the pfil and ipfilter kernel modules are loaded:
# modinfo | grep pfil
101 7ba76000 6450 - 1 pfil (pfil Streams module 2.1.6)
101 7ba76000 6450 229 1 pfil (pfil Streams driver 2.1.6)
# modinfo | grep ipf
161 7b6e0000 3a288 228 1 ipf (IP Filter: v4.1.7)
Make sure that pfil is in the right place in your network device's configuration list:
# ifconfig [driver] modlist    (eg, bge0 in this case)
0 arp
1 ip
2 pfil    <--- this better be there
3 bge
Check that ipmon is running so that ipfilter complaints get to syslog:
# ps -ef | grep ipmon (ipmon process should be running)
Check that your ipfilter rules got loaded:
# ipfstat -ioh
(your ipfilter rules should show up and the counters should be nonzero after a while).
If it says that you have empty filter sets, then you put ipf.conf in the wrong directory. Review step 7.
-- 
Jorgen Lundman       | <[EMAIL PROTECTED]>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500 (cell)
Japan                | +81 (0)3 -3375-1767 (home)
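A check script for step 9 of the write-up above, plus the config backup Jorgen's note calls for before pkgrm, added here as an example; it is not from either message. Each check takes the command output as an argument, so the parsing can be tried on captured text away from the box, and a --live mode runs the real commands on the Solaris 10 host. The "empty list for ipfilter" text and the ps -ef column layout are assumptions about the tools' output; the /etc/ipf and /etc/opt paths are the ones the write-up names.

```shell
#!/bin/sh
# check_ipf.sh: post-install sanity checks for public-domain pfil/ipfilter on
# Solaris 10 started via Sun's svc method scripts (added example, not from the posts).

# Sun's svc methods read /etc/ipf; the public-domain tarballs drop their
# samples under /etc/opt/ipf and /etc/opt/pfil (write-up, step 5 note).
SUN_CONF_DIR=/etc/ipf

# Jorgen's note: pkgrm took ipf.conf with it. Copy the Sun-side config files
# somewhere safe first.  $1: source dir (normally /etc/ipf), $2: destination dir.
backup_conf() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    for f in ipf.conf ipnat.conf pfil.ap; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$dest/$f.dist" || return 1
        fi
    done
    return 0
}

# Step 9: both kernel modules present.  $1: output of modinfo.
modules_loaded() {
    printf '%s\n' "$1" | grep -q '[[:space:]]pfil (pfil Streams' &&
    printf '%s\n' "$1" | grep -q '[[:space:]]ipf (IP Filter'
}

# Step 9: pfil pushed directly under ip in 'ifconfig <dev> modlist'
# (0 arp / 1 ip / 2 pfil / 3 bge).  $1: modlist output.
pfil_pushed() {
    printf '%s\n' "$1" | awk '
        $2 == "ip"   { ip = $1 }
        $2 == "pfil" { pf = $1 }
        END { exit !(ip != "" && pf != "" && pf == ip + 1) }'
}

# Step 9: ipmon running so filter hits reach syslog.  $1: output of ps -ef.
# Assumes the usual ps -ef layout where the command path is field 8; checking
# that field (not the whole line) avoids matching "grep ipmon" itself.
ipmon_running() {
    printf '%s\n' "$1" | awk '$8 ~ /(^|\/)ipmon$/ { found = 1 } END { exit !found }'
}

# Step 9: a rule set is loaded.  $1: output of ipfstat -ioh.
# Assumption: ipfstat reports an unloaded set as "empty list for ipfilter(in|out)";
# with -h each rule line is prefixed by its hit count.
rules_loaded() {
    printf '%s\n' "$1" | grep -q 'empty list' && return 1
    printf '%s\n' "$1" | grep -Eq '^([0-9]+[[:space:]]+)?(pass|block)[[:space:]]'
}

# Live mode, run on the Solaris host after the step 8 reboot:
#   sh check_ipf.sh --live bge0
if [ "${1:-}" = --live ]; then
    dev=${2:?network device, e.g. bge0}
    modules_loaded "$(modinfo)"              || echo "pfil/ipf modules not loaded (steps 5-7)"
    pfil_pushed "$(ifconfig "$dev" modlist)" || echo "pfil not pushed on $dev (step 6)"
    ipmon_running "$(ps -ef)"                || echo "ipmon not running (check /lib/svc/method/ipfilter)"
    rules_loaded "$(ipfstat -ioh)"           || echo "no rules loaded; is ipf.conf in $SUN_CONF_DIR? (step 7)"
    [ -s "$SUN_CONF_DIR/pfil.ap" ] || echo "$SUN_CONF_DIR/pfil.ap missing; see step 6 choice (a)/(b)"
fi
```

Run backup_conf /etc/ipf /var/tmp/ipf-save before step 4; the live checks only report, they change nothing, so they are safe to run from the console after each reboot while you work through steps 6 to 8.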
