Gang,

Attached is my latest version of how to remove Sun's 4.0.2
and install Darren's 4.1.8 on Solaris 10 systems. I tried
it with the x86 version of Solaris 10 3-2005, and there are
extra wrinkles -- like the /usr/sbin/pfild issue and how to
recover this file. I added more troubleshooting tips at the bottom.


Phil Dibowitz, maybe this blurb should go on your FAQ?  I'm
not much of a webpage guy myself...

Jeff Earickson
Colby College
How to replace Sun's Solaris 10 version of pfil/ipfilter
with Darren Reed's public-domain release
Sparc and x86 editions of Solaris 10
(last revised Apr 29, 2005)
========================================================

Note: if you install Solaris 10 via Jumpstart and you want to 
remove Sun's version of ipfilter via Profile commands, eg:

package SUNWipfr delete     # Sun IP Filter
package SUNWipfu delete     # Sun IP filter

then the Jumpstart install will complain that these are
required packages and won't remove them from the Jumpstart
install.  Bummer.

0) Go get the latest version of ipfilter and pfil from 
Darren's website:

http://coombs.anu.edu.au/~avalon/ip_fil4.1.8.tar.gz
http://coombs.anu.edu.au/~avalon/pfil-2.1.6.tar.gz

1) Disable Sun's ipfilter and pfil:

# svcadm -v disable pfil
# svcadm -v disable ipfilter

reboot

2) Check that the kernel modules are not loaded after the
reboot:

# modinfo | grep ipf
# modinfo | grep pfil

You should get no output.  

3) Save copies of some of the Sun ipfilter files before
removing the Sun packages -- removing the Sun packages will
remove these files and you will need them to launch the public
domain versions of pfil and ipfilter.  So save a copy:

# cp /lib/svc/method/pfil     /lib/svc/method/pfil.dist
# cp /lib/svc/method/ipfilter /lib/svc/method/ipfilter.dist
# cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist

---> x86 Solaris 10 only:
# cp /usr/sbin/pfild /usr/sbin/pfild.dist

Note!  In this writeup, you should NOT have to fiddle with 
these files (ie, change paths) but if you do then you will
know what you changed.

4) Remove the Sun IP filter packages:

# pkgrm SUNWipfu
# pkgrm SUNWipfr

Reboot, otherwise pfil will complain when you install it.

---> x86 Solaris 10 only: get pfild back in place

# cp /usr/sbin/pfild.dist /usr/sbin/pfild

5) Did the /lib/svc/method files for pfil and ipfilter get
removed after the pkgrm?  If so, then get these files back in
place:

# cp /lib/svc/method/pfil.dist     /lib/svc/method/pfil
# cp /lib/svc/method/ipfilter.dist /lib/svc/method/ipfilter

Otherwise pfil and ipfilter won't start later on.

6) Build and install pfil 2.1.6 and ipfilter 4.1.8
per the instructions that come in the tarfiles.  Follow
the instructions carefully.

After installation, remove the Solaris 9 era startup scripts
because they are not needed (pfil and ipfilter will be started
through svcadm and the method files you saved in step 3 instead):

# rm /etc/rc2.d/S65ipfboot
# rm /etc/rc2.d/S10pfil
# rm /etc/rcS.d/S10pfil
# rm /etc/init.d/ipfboot
# rm /etc/init.d/pfil

NOTE!!!  The config files for the public-domain version live in
/etc/opt/ipf, while Sun's config files live in /etc/ipf.  This
can lead to confusion, because the svc files that you saved in
step 3 still refer to Sun's config file path.  You should use
/etc/ipf for the sake of consistency with Solaris 10.

7) Get pfil configured for your network devices.  Do "ifconfig -a"
and note your network devices other than lo0, for instance "hme0"
or "ce0" or "bge0".

You have two choices here: (a) Copy the public domain version
of the pfil config file to the Sun directory (this version should
already be configured properly for your machine), or (b) Edit the
Sun version of the pfil config file and uncomment the network
devices for your system.  Both choices rely on the fact that
pfil will be started via Sun's svc scripts.

  Choice (a) involves:

  # cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist
  # cp /etc/opt/pfil/iu.ap /etc/ipf/pfil.ap

  Choice (b) involves:

  # vi /etc/ipf/pfil.ap   (uncomment appropriate devices)

Then enable the pfil service:

# svcadm -v enable pfil

If you have problems, take a look at /lib/svc/method/pfil.
Make sure that the PFILAP variable matches the network device
config file.  If you get complaints about /usr/sbin/pfild not
being found, did you install the public-domain version of pfil
correctly?

8) Get ipfilter ready to go.  Put your ipf.conf and ipnat.conf
files in the Sun ipfilter config file directory structure:

  # cp [someplace]/ipf.conf /etc/ipf
  # cp [someplace]/ipnat.conf /etc/ipf

Edit these files as needed.  Then enable the ipfilter service:

# svcadm -v enable ipfilter

If you have problems, look at /lib/svc/method/ipfilter and make
sure that the variables specifying file paths match where you
put your config files.

NOTE!!! The configuration files for your public-domain version of
ipfilter now live where Sun expects them to be (/etc/ipf) and not where
the public-domain version expects them to be (/etc/opt/ipf).  If you
are used to the public-domain version, you might want to consider
a symlink so that /etc/opt/ipf points at /etc/ipf (move any /etc/opt/ipf
directory the install created out of the way first, or ln will put the
link inside it instead):

# ln -s /etc/ipf /etc/opt/ipf

9) Time to see if things work.  Reboot from the system console
so you can see what complaints might appear there.

If you see the complaint "ipfilter: pfil not configured for 
firewall/NAT operation" during the reboot, then pfil didn't
start.  Go back to step 6 and figure out what you did wrong.
Possible mistakes include:

  * uncommenting the wrong device in /etc/ipf/pfil.ap
  * editing /etc/opt/pfil/iu.ap instead of /etc/ipf/pfil.ap
  * no /lib/svc/method/pfil file.  See step 5.

Also type "svcs -x" and see what that says.  

10) Check that pfil is in place.  First, see that the pfil
kernel modules are loaded:

# modinfo | grep pfil
101 7ba76000   6450   -   1  pfil (pfil Streams module 2.1.6)
101 7ba76000   6450 229   1  pfil (pfil Streams driver 2.1.6)

Then make sure that pfil is in the right place in your network
device's configuration list:

# ifconfig [driver] modlist  (eg, bge0 in this case)
0 arp
1 ip
2 pfil     <--- this better be there, before the device name
3 bge

If you see these two things, then pfil is ok.

11) Check to see that ipfilter is in place and working.  First
check that the kernel module got loaded:

# modinfo | grep ipf
161 7b6e0000  3a288 228   1  ipf (IP Filter: v4.1.8)

Check that ipmon is running so that ipfilter complaints get to
syslog:

# ps -ef | grep ipmon
(ipmon process should be running)

Check that your ipfilter rules got loaded:

# ipfstat -ioh
(your ipfilter rules should show up and the counters should be
nonzero after a while).

If it says that you have empty filter sets, then you put ipf.conf
in the wrong directory.  Review step 8.  You want things in 
/etc/ipf, not /etc/opt/ipf.

Troubleshooting
---------------

If you had problems with pfil (step 9) and you don't see ipfilter
working like above, then ipfilter got put into "maintenance mode"
during one of the previous reboots because pfil was down.  Do 
"svcs -a | grep pfil".  If you see a legacy_run pfil, then you didn't 
delete an init script in step 6.  If ipfilter is listed as maintenance 
in the first column, then you need to clear it out of maintenance mode:

# svcadm -v clear ipfilter
(reboot)

Also do "svcs -vx".  It will give you more information about the
problem.  Go take a look at the logs it will refer to in /var/svc/log.

If you are running on x86 and ipfilter does not start, it may be because
the public-domain version got installed in /sbin instead of /usr/sbin.
The start script (/lib/svc/method/ipfilter) expects files to be in
/usr/sbin.  The quick fix:  

# cd /sbin
# mv ipf* /usr/sbin
# mv ipnat /usr/sbin

If you are running on x86 and you didn't save a copy of /usr/sbin/pfild, 
then you have some work to do to get it back.  Dig out your Solaris 10
x86 install CDs (or DVD) and mount them.  Do:

# cd /cdrom
# find . -name 'SUNWipfu' -print

When this directory is found, cd to /cdrom/[path]/SUNWipfu/archive, and
grab the "none.bz2" file:

# cp none.bz2 /tmp             (none.bz2 contains the file you need)
# cd /tmp
# bunzip2 none.bz2
# cpio -id usr/sbin/pfild < none  (use cpio to recover file)
# cd /tmp/usr/sbin                (where cpio put the file)
# cp pfild /usr/sbin
# cd /usr/sbin
# chmod 555 pfild
# chown root:bin pfild
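Added example, not part of Jeff's write-up: a small sh script that turns the checks of steps 10 and 11 and the troubleshooting section (pfil modules loaded, pfil sitting between ip and the driver in the modlist, ipf loaded, non-empty rule set, no legacy_run/maintenance services) into functions that read the command output on stdin, so they can be run live on the Solaris box or against output saved from a console session.  The "empty list" wording from ipfstat is assumed; the module names and the modlist layout are taken from the write-up above.

```shell
#!/bin/sh
# Added example (not from the original write-up). Each check_* function reads
# the output of one Solaris command on stdin and returns 0 when healthy, so
# the checks work on saved output as well as live; run_live is SunOS only.

# Step 10: both pfil kernel modules (Streams module and Streams driver) loaded.
check_pfil_modinfo() {          # stdin: output of `modinfo`
    [ "$(grep -c 'pfil (pfil Streams')" -ge 2 ]
}

# Step 10: in `ifconfig <dev> modlist`, pfil must sit between ip and the driver.
# $1 is the driver name as shown in the modlist (bge for bge0, hme for hme0).
check_modlist() {               # stdin: output of `ifconfig <dev> modlist`
    awk -v drv="$1" '
        $2 == "ip"   { ip = $1 }
        $2 == "pfil" { pf = $1 }
        $2 == drv    { dv = $1 }
        END { exit !(ip != "" && pf != "" && dv != "" && ip < pf && pf < dv) }'
}

# Step 11: the ipf kernel module is loaded.
check_ipf_modinfo() {           # stdin: output of `modinfo`
    grep -q 'ipf (IP Filter'
}

# Step 11: "empty list" from ipfstat (assumed wording) means ipf.conf was not
# found in /etc/ipf; see step 8.
check_rules_loaded() {          # stdin: output of `ipfstat -ioh`
    ! grep -qi 'empty list'
}

# Troubleshooting: a legacy_run pfil entry means a Solaris 9 init script from
# step 6 survived; a maintenance ipfilter needs `svcadm clear` and a reboot.
check_svcs() {                  # stdin: output of `svcs -a`
    awk '($1 == "legacy_run" || $1 == "maintenance") && /pfil|ipfilter/ { bad = 1 }
         END { exit bad + 0 }'
}

# On Solaris, run all checks live against the interface named in $1 (e.g. bge0).
run_live() {
    drv=$(printf '%s' "$1" | sed 's/[0-9]*$//')
    modinfo | check_pfil_modinfo                 || { echo "pfil modules not loaded (step 10)"; return 1; }
    ifconfig "$1" modlist | check_modlist "$drv" || { echo "pfil not between ip and $drv (step 10)"; return 1; }
    modinfo | check_ipf_modinfo                  || { echo "ipf module not loaded (step 11)"; return 1; }
    ipfstat -ioh | check_rules_loaded            || { echo "empty filter set: is ipf.conf in /etc/ipf? (step 8)"; return 1; }
    svcs -a | check_svcs                         || { echo "pfil/ipfilter in legacy_run or maintenance state"; return 1; }
    echo "pfil and ipfilter look healthy on $1"
}
if [ "$(uname -s)" = SunOS ] && [ $# -gt 0 ]; then run_live "$1"; fi
```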
