Gang,
Attached is my latest version of how to remove Sun's 4.0.2
and install Darren's 4.1.8 on Solaris 10 systems. I tried
it with the x86 version of Solaris 10 3-2005, and there are
extra wrinkles -- like the /usr/sbin/pfild issue and how to
recover this file. I added more troubleshooting tips at the bottom.
Phil Dibowitz, maybe this blurb should go on your FAQ? I'm not much of a webpage guy myself...
Jeff Earickson
Colby College
How to replace Sun's Solaris 10 version of pfil/ipfilter with Darren Reed's
public-domain release, Sparc and x86 editions of Solaris 10
(last revised Apr 29, 2005)
========================================================

Note: if you install Solaris 10 via Jumpstart and you want to remove Sun's
version of ipfilter via Profile commands, eg:

    package SUNWipfr delete    # Sun IP Filter
    package SUNWipfu delete    # Sun IP filter

then the Jumpstart install will complain that these are required packages
and won't remove them from the Jumpstart install. Bummer.

0) Go get the latest version of ipfilter and pfil from Darren's website:

    http://coombs.anu.edu.au/~avalon/ip_fil4.1.8.tar.gz
    http://coombs.anu.edu.au/~avalon/pfil-2.1.6.tar.gz

1) Disable Sun's ipfilter and pfil, then reboot:

    # svcadm -v disable pfil
    # svcadm -v disable ipfilter
    # reboot

2) Check that the kernel modules are not loaded after the reboot:

    # modinfo | grep ipf
    # modinfo | grep pfil

You should get no output.

3) Save copies of some of the Sun ipfilter files before removing the Sun
packages -- removing the Sun packages will remove these files, and you will
need them to launch the public-domain versions of pfil and ipfilter. So save
a copy:

    # cp /lib/svc/method/pfil /lib/svc/method/pfil.dist
    # cp /lib/svc/method/ipfilter /lib/svc/method/ipfilter.dist
    # cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist

---> x86 Solaris 10 only:

    # cp /usr/sbin/pfild /usr/sbin/pfild.dist

Note! In this writeup, you should NOT have to fiddle with these files (ie,
change paths), but if you do, then you will know what you changed.

4) Remove the Sun IP filter packages:

    # pkgrm SUNWipfu
    # pkgrm SUNWipfr

Reboot, otherwise pfil will complain when you install it.

---> x86 Solaris 10 only: get pfild back in place

    # cp /usr/sbin/pfild.dist /usr/sbin/pfild

5) Did the /lib/svc/method files for pfil and ipfilter get removed by the
pkgrm? If so, then put these files back in place:

    # cp /lib/svc/method/pfil.dist /lib/svc/method/pfil
    # cp /lib/svc/method/ipfilter.dist /lib/svc/method/ipfilter

Otherwise pfil and ipfilter won't start later on.

6) Build and install pfil 2.1.6 and ipfilter 4.1.8 per the instructions that
come in the tarfiles. Follow the instructions carefully.

After installation, remove the Solaris 9 era startup scripts because they
are not needed (you will be using svcadm, via the files you saved in step 3,
instead):

    # rm /etc/rc2.d/S65ipfboot
    # rm /etc/rc2.d/S10pfil
    # rm /etc/rcS.d/S10pfil
    # rm /etc/init.d/ipfboot
    # rm /etc/init.d/pfil

NOTE!!! The config files for the public-domain version live in /etc/opt/ipf,
while Sun's config files live in /etc/ipf. This can lead to confusion,
because the svc files that you saved in step 3 still refer to Sun's config
file path. You should use /etc/ipf for the sake of consistency with
Solaris 10.

7) Get pfil configured for your network devices. Do "ifconfig -a" and note
your network devices other than lo0, for instance "hme0" or "ce0" or "bge0".
You have two choices here:

  (a) Copy the public-domain version of the pfil config file to the Sun
      directory (this version should already be configured properly for
      your machine), or
  (b) Edit the Sun version of the pfil config file and uncomment the
      network devices for your system.

Both choices rely on the fact that pfil will be started via Sun's svc
scripts.

Choice (a) involves:

    # cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist
    # cp /etc/opt/pfil/iu.ap /etc/ipf/pfil.ap

Choice (b) involves:

    # vi /etc/ipf/pfil.ap      (uncomment the appropriate devices)

Then enable the pfil service:

    # svcadm -v enable pfil

If you have problems, take a look at /lib/svc/method/pfil. Make sure that
the PFILAP variable matches the network device config file. If you get
complaints about /usr/sbin/pfild not being found, did you install the
public-domain version of pfil correctly?

8) Get ipfilter ready to go. Put your ipf.conf and ipnat.conf files in the
Sun ipfilter config file directory:

    # cp [someplace]/ipf.conf /etc/ipf
    # cp [someplace]/ipnat.conf /etc/ipf

Edit these files as needed. Then enable the ipfilter service:

    # svcadm -v enable ipfilter

If you have problems, look at /lib/svc/method/ipfilter and make sure that
the variables specifying file paths match where you put your config files.

NOTE!!! The configuration files for your public-domain version of ipfilter
now live where Sun expects them to be (/etc/ipf) and not where the
public-domain version expects them to be (/etc/opt/ipf). If you are used to
the public-domain version, you might want to consider a symlink so that
/etc/opt/ipf points at /etc/ipf (move any existing /etc/opt/ipf directory
aside first; ln takes the target first and the link name second):

    # ln -s /etc/ipf /etc/opt/ipf

9) Time to see if things work. Reboot from the system console so you can see
what complaints might appear there. If you see the complaint

    ipfilter: pfil not configured for firewall/NAT operation

during the reboot, then pfil didn't start. Go back to step 6 and figure out
what you did wrong. Possible mistakes include:

  * uncommenting the wrong device in /etc/ipf/pfil.ap
  * editing /etc/opt/pfil/iu.ap instead of /etc/ipf/pfil.ap
  * no /lib/svc/method/pfil file. See step 5.

Also type "svcs -x" and see what that says.

10) Check that pfil is in place. First, see that the pfil kernel modules are
loaded:

    # modinfo | grep pfil
    101 7ba76000 6450 - 1 pfil (pfil Streams module 2.1.6)
    101 7ba76000 6450 229 1 pfil (pfil Streams driver 2.1.6)

Then make sure that pfil is in the right place in your network device's
module list (eg, bge0 in this case):

    # ifconfig [driver] modlist
    0 arp
    1 ip
    2 pfil     <--- this better be there, before the device name
    3 bge

If you see these two things, then pfil is ok.

11) Check to see that ipfilter is in place and working. First check that the
kernel module got loaded:

    # modinfo | grep ipf
    161 7b6e0000 3a288 228 1 ipf (IP Filter: v4.1.8)

Check that ipmon is running so that ipfilter complaints get to syslog:

    # ps -ef | grep ipmon      (the ipmon process should be running)

Check that your ipfilter rules got loaded:

    # ipfstat -ioh

Your ipfilter rules should show up, and the counters should be nonzero
after a while. If it says that you have empty filter sets, then you put
ipf.conf in the wrong directory. Review step 8. You want things in
/etc/ipf, not /etc/opt/ipf.

Troubleshooting
---------------

If you had problems with pfil (step 9) and you don't see ipfilter working
like above, then ipfilter got put into "maintenance mode" during one of the
previous reboots because pfil was down. Do "svcs -a | grep pfil". If you see
a legacy_run pfil, then you didn't delete an init script in step 6. If
ipfilter is listed as maintenance in the first column, then you need to
clear it out of maintenance mode:

    # svcadm -v clear ipfilter
    # reboot

Also do "svcs -vx". It will give you more information about the problem.
Go take a look at the logs it will refer to in /var/svc/log.

If you are running on x86 and ipfilter does not start, it may be because the
public-domain version got installed in /sbin instead of /usr/sbin. The start
script (/lib/svc/method/ipfilter) expects files to be in /usr/sbin. The
quick fix:

    # cd /sbin
    # mv ipf* /usr/sbin
    # mv ipnat /usr/sbin

If you are running on x86 and you didn't save a copy of /usr/sbin/pfild,
then you have some work to do to get it back. Dig out your Solaris 10 x86
install CDs (or DVD) and mount them. Do:

    # cd /cdrom
    # find . -name 'SUNWipfu' -print

When this directory is found, cd to /cdrom/[path]/SUNWipfu/archive and grab
the "none.bz2" file (it contains the file you need):

    # cp none.bz2 /tmp
    # cd /tmp
    # bunzip2 none.bz2
    # cpio -id usr/sbin/pfild < none    (use cpio to recover the file)
    # cd /tmp/usr/sbin                  (where cpio put the file)
    # cp pfild /usr/sbin
    # cd /usr/sbin
    # chmod 555 pfild
    # chown root:bin pfild
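The checks in steps 10 and 11 and in the troubleshooting section are easy to get wrong by eye (pfil present but pushed below the driver, a leftover legacy_run entry, ipfilter quietly sitting in maintenance). The script below is an added example, not part of Jeff's HOWTO or of Darren's packages: each function reads the output of the corresponding command on stdin and returns nonzero with a message when the condition the HOWTO describes is not met. The sample outputs are constructed (shaped like the ones quoted above), so it runs offline; on a real host you would pipe the live commands into the same functions.

```sh
#!/bin/sh
# Added example (not from the HOWTO): post-install checks for steps 10-11
# and the troubleshooting section. On a live Solaris 10 host:
#   modinfo | check_modules
#   ifconfig bge0 modlist | check_modlist bge
#   svcs -a | check_services

# Steps 10/11: both the pfil and ipf kernel modules must appear in modinfo.
# Column 6 of modinfo output is the module name.
check_modules() {
    awk '$6 == "pfil" { pfil++ } $6 == "ipf" { ipf++ }
         END {
             if (!pfil) { print "pfil kernel module not loaded (step 10)"; exit 1 }
             if (!ipf)  { print "ipf kernel module not loaded (step 11)"; exit 1 }
             print "kernel modules: pfil and ipf loaded"
         }'
}

# Step 10: in "ifconfig <dev> modlist", pfil must be present and its index
# must be lower than the driver's (eg bge), ie pushed before the device.
check_modlist() {
    awk -v drv="$1" '
        $2 == "pfil" { pfil = $1 + 0; seen_pfil = 1 }
        $2 == drv    { dev = $1 + 0; seen_dev = 1 }
        END {
            if (!seen_pfil) { print "pfil missing from module list"; exit 1 }
            if (!seen_dev)  { print "driver " drv " missing from module list"; exit 1 }
            if (pfil > dev) { print "pfil is below the " drv " driver, not above it"; exit 1 }
            print "module list: pfil sits above " drv
        }'
}

# Troubleshooting: a legacy_run pfil entry means an old init script is still
# present (step 6); ipfilter in maintenance needs "svcadm -v clear ipfilter".
# Column 1 of "svcs -a" is the state, column 3 the FMRI.
check_services() {
    awk '$1 == "legacy_run"  && $3 ~ /pfil/     { legacy = 1 }
         $1 == "maintenance" && $3 ~ /ipfilter/ { maint = 1 }
         END {
             if (legacy) { print "legacy pfil init script still present; remove it (step 6)"; exit 1 }
             if (maint)  { print "ipfilter in maintenance: svcadm -v clear ipfilter, then reboot"; exit 1 }
             print "services: no legacy pfil, ipfilter not in maintenance"
         }'
}

# Constructed sample outputs, shaped like the ones quoted in the HOWTO.
SAMPLE_MODINFO='101 7ba76000 6450 - 1 pfil (pfil Streams module 2.1.6)
101 7ba76000 6450 229 1 pfil (pfil Streams driver 2.1.6)
161 7b6e0000 3a288 228 1 ipf (IP Filter: v4.1.8)'
SAMPLE_MODLIST='0 arp
1 ip
2 pfil
3 bge'
SAMPLE_SVCS_OK='online         10:20:01 svc:/network/pfil:default
online         10:20:02 svc:/network/ipfilter:default'
SAMPLE_SVCS_BAD='legacy_run     10:20:01 lrc:/etc/rc2_d/S10pfil
maintenance    10:20:02 svc:/network/ipfilter:default'

# Run all three checks on the good samples; stops at the first failure.
run_checks() {
    printf '%s\n' "$SAMPLE_MODINFO" | check_modules &&
    printf '%s\n' "$SAMPLE_MODLIST" | check_modlist bge &&
    printf '%s\n' "$SAMPLE_SVCS_OK" | check_services
}

run_checks
```

The ordering test in check_modlist is the one that matters most: if pfil is listed after the driver, the module is loaded but sees no packets, which is exactly the "rules loaded, counters stay at zero" symptom the HOWTO warns about.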
