Hmm... I've been building PFIL and IPF on my Ultra-5 and moving the
packages over to the SunFire systems without any problem so far...
I can't rebuild pfil on the systems it is running on since I've stripped
out C compilers, headers, make and CC utilities, etc. since they are
supposed to be protected systems where you want minimal things available
if possible.
I wrote this script to help with the post-pfil install steps that are
listed in the README to allow me to easily move the package around to
the various systems:
This might be broken lines when it gets posted if they are too long...
so you may need to join lines.
--------------------------------------------------------------
#!/bin/sh
#
# Written by Brian Olmsted (c)2004/05/20
#
# Script that will automagically insert the "pfil" module between the "ip"
# module and the interface type (e.g. hme, qfe, bge, eri) module for each
# physical interface (hme0, hme1, qfe0, qfe1, bge0, etc) that is in the
# system.

if [ "$LOGNAME" != root ]
then
        echo "$0: Execute this command as root (or sudo with root privileges)"
        exit 1
fi

# NOTE: we are only concerned about physical interface types and not loopback (lo0)
# or virtual IP interfaces (e.g. hme0:0, hme0:1, hme0:2)
#-------------------------------------------------------------------------------------------------------------------
# Only the trailing instance number is stripped, so the driver name stays intact.
INTF_TYPES=`ifconfig -a | egrep "[0-9]: " | awk '{print $1}' | egrep -v "[0-9]:[0-9]*:" | sed 's/:$//g' | egrep -v "lo0" | sed 's/[0-9]*$//' | sort -u`

echo "===================================== CHECKING IF PFIL IS LOADED ============================================"
# check to see if we have the "pfil" module loaded with respect to every interface type.
for intf in $INTF_TYPES
do
        echo "Checking for \"pfil\" for interface of type: $intf...\c"
        if [ `/bin/strconf < /dev/$intf | /bin/grep -c pfil` -le 0 ];
        then
                echo " NOT FOUND."
                echo
                echo "Did not find \"pfil\" Packet Filter Module required for IP Filter on Solaris"
                echo
                echo
        else
                echo " FOUND."
        fi
done
echo "============================================================================================================="
#-------------------------------------------------------------------------------------------------------------------
echo
echo
echo

#-------------------------------------------------------------------------------------------------------------------
INTF_NAMES=`ifconfig -a | egrep "[0-9]: " | awk '{print $1}' | egrep -v "[0-9]:[0-9]*:" | sed 's/:$//g' | egrep -v "lo0" | sort -u`

# for each interface name (hme0, hme1, qfe0, qfe2, bge0, etc), check to see if "pfil" module
# is inserted for the module and if not insert it.
echo "============================== CHECKING/ADDING PFIL ON EACH INTERFACE ======================================="
for intf in $INTF_NAMES
do
        echo "Checking to see if \"pfil\" is already loaded for interface $intf...\c"
        if [ `/sbin/ifconfig $intf modlist | grep -c pfil` -le 0 ];
        then
                echo " NOT FOUND. INSERTING MODULE..."
                echo
                echo "Current module list for interface $intf..."
                /sbin/ifconfig $intf modlist
                echo

                # pfil module needs to be loaded between the ip module and the
                # interface module, so directly after ip would be best.
                # -> find position of the ip module for the interface (most likely 1)
                IP_MOD_POS=`ifconfig $intf modlist | egrep '[0-9]* ip$' | awk '{print $1}'`

                # without an ip module position there is nothing to insert after
                if [ -z "$IP_MOD_POS" ]
                then
                        echo "No \"ip\" module found for interface $intf, skipping."
                        continue
                fi

                # pfil will go directly after ip
                PFIL_MOD_POS=`expr $IP_MOD_POS + 1`

                # insert the pfil module for this interface
                /sbin/ifconfig $intf modinsert pfil@$PFIL_MOD_POS
                echo
                echo "Module list for interface $intf after any additions..."
                /sbin/ifconfig $intf modlist
                echo
                echo
        else
                echo " FOUND."
        fi
        echo
        echo
done
echo "============================================================================================================="
#-------------------------------------------------------------------------------------------------------------------
echo
echo
echo

#-------------------------------------------------------------------------------------------------------------------
echo "============================== CONFIRMING INTERFACE ATTACHMENT FOR PFIL ====================================="
/usr/sbin/ndd /dev/pfil qif_status
echo
echo
echo "NOTE: IF YOU SEE an error message directly above along the lines of..."
echo " couldn't push module 'pfil', No such device or address"
echo "then this script failed to load the module \"pfil\" into the kernel"
echo "============================================================================================================="
#-------------------------------------------------------------------------------------------------------------------
exit 0
# end
--------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Dibowitz
Sent: Friday, April 22, 2005 2:41 AM
To: Olmsted, Brian
Cc: [email protected]
Subject: Re: IP Filter 4.1.8 Kernel Panic HELP!!!!
Olmsted, Brian wrote:
> ("pkgadd -d pfil-2.1.6.pkg",) "pkgadd -d ipf-4.1.8.pkg ipfx" and "pkgadd
> -d ipf-4.1.8.pkg ipf".
Just pkgadd -d ipf-4.1.8.pkg should prompt you to install both of them -
and it will install ipf before ipfx, fwiw.
I found pfil to be _very_ picky... to the point where I had to build it
on the system I was running it on or I had random issues.
--
Phil Dibowitz [EMAIL PROTECTED]
Freeware and Technical Pages Insanity Palace of Metallica
http://www.phildev.net/ http://www.ipom.com/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759
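
Added example, not part of the original post or of the pfil/IP Filter packages: the script in the message above tests for pfil with "grep -c", which shows that the module is present but not that it sits directly after "ip" as the script's own comments require. The function name pfil_state and the sample module lists are constructed for illustration, and the input is assumed to be in the "<position> <module>" form that the script parses from "ifconfig <intf> modlist".

```shell
#!/bin/sh
# Classify one interface's STREAMS module list read from stdin.
# Prints one of: ok | missing | misplaced | no-ip
#   ok        - pfil is directly after ip
#   missing   - ip is present but pfil is not in the stream
#   misplaced - pfil is present but not directly after ip
#   no-ip     - no ip module in the list at all
# On a host: /sbin/ifconfig hme0 modlist | pfil_state
pfil_state() {
    awk '
        $2 == "ip"   { ip = $1;   have_ip = 1 }
        $2 == "pfil" { pfil = $1; have_pfil = 1 }
        END {
            if (!have_ip)            print "no-ip"
            else if (!have_pfil)     print "missing"
            else if (pfil == ip + 1) print "ok"
            else                     print "misplaced"
        }'
}

# Constructed sample module lists (not captured from a real system).
SAMPLE_OK='0 arp
1 ip
2 pfil
3 hme'
SAMPLE_MISSING='0 arp
1 ip
2 hme'
SAMPLE_MISPLACED='0 pfil
1 arp
2 ip
3 hme'

# Run the classifier over the constructed samples and report each result.
audit_samples() {
    for name in OK MISSING MISPLACED
    do
        eval "list=\$SAMPLE_$name"
        state=`printf '%s\n' "$list" | pfil_state`
        echo "$name: $state"
    done
}

audit_samples
```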