Hi,
   Attached is a revised version of my how-to for changing from
Sun's version of pfil/ipfilter shipped with Solaris 10, to Darren's
public-domain release.  This version was revised due to comments
received from others on the list about x86 (I only use Sparc),
and changes due to the introduction of Sun Update Connection/Manager
patching system for Solaris 10.  See:

http://www.sun.com/service/sunupdate/index.html

SunUpdate is a cool new tool/method for patching.  However, in the
sequence of (a) cold-install S10, (b) install SunUpdate and patch
for the first time, (c) replace Sun ipfilter with latest version, I
discovered that /usr/sbin/pfild appeared, where I don't remember it in
the original Solaris 10 3/05 release.  Darren's pfil won't run without
pfild in place, and removing packages SUNWipfu and SUNWipfr removes
pfild.  So, you have to hang on to it.

Darren, what is pfild and how come the public-domain version doesn't
come with it?

Jeff Earickson
Colby College
========================================================
How to replace Sun's Solaris 10 version of pfil/ipfilter
with Darren Reed's public-domain release
Sparc and x86 editions of Solaris 10
(last revised Sept 30, 2005)
========================================================

Note: if you install Solaris 10 via Jumpstart and you want to 
remove Sun's version of ipfilter via Profile commands, eg:

package SUNWipfr delete     # Sun IP Filter
package SUNWipfu delete     # Sun IP filter

then the Jumpstart install will complain that these are
required packages and won't remove them from the Jumpstart
install.  Bummer.

0) Go get the latest version of ipfilter and pfil from 
Darren's website:

http://coombs.anu.edu.au/~avalon/ip_fil4.1.8.tar.gz
http://coombs.anu.edu.au/~avalon/pfil-2.1.6.tar.gz

1) Disable Sun's ipfilter and pfil:

svcadm -v disable pfil
svcadm -v disable ipfilter

reboot

2) Check that the kernel modules are not loaded after the
reboot:

modinfo | grep ipf
modinfo | grep pfil

You should get no output.  Note that with Solaris 10 3/05 with
Sun Update Connection installed and patches installed from that,
I had a near impossible time modunloading pfil on some machines.  
Even in single-user mode, it would not unload, saying 
"can't unload the module: Device busy".  However it would meekly
disappear on other systems.  Strange.

I did step 3 below, rebooted, pfil still loaded.  Then I did step 4
and pfil finally went away.

3) Save copies of some of the Sun ipfilter files before
removing the Sun packages -- removing the Sun packages will
remove these files and you will need them to launch the public
domain versions of pfil and ipfilter.  So save a copy:

cp /lib/svc/method/pfil     /lib/svc/method/pfil.dist
cp /lib/svc/method/ipfilter /lib/svc/method/ipfilter.dist
cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist
cp /usr/sbin/pfild /usr/sbin/pfild.dist

Note!  In this writeup, you should NOT have to fiddle with 
these files (ie, change paths) but if you do then you will
know what you changed.

4) Remove the Sun IP filter packages:

pkgrm SUNWipfu
pkgrm SUNWipfr

Reboot, otherwise pfil will complain when you install it.

Then get pfild back into place, else ipfilter will not start
later on:

cp /usr/sbin/pfild.dist /usr/sbin/pfild

5) Did the /lib/svc/method files for pfil and ipfilter get
removed after the pkgrm?  If so, then get these files back in
place:

cp /lib/svc/method/pfil.dist     /lib/svc/method/pfil
cp /lib/svc/method/ipfilter.dist /lib/svc/method/ipfilter

Otherwise pfil and ipfilter won't start later on.

6) Build and install pfil 2.1.6 and ipfilter 4.1.8
per the instructions that come in the tarfiles.  Follow
the instructions carefully.

After installation, remove the Solaris 9-era startup scripts that
the tarfiles install, because they are not needed: the SMF services
(started via the method scripts you saved in step 3) take their place,
and a leftover init script would start a second copy of pfil/ipfilter
outside of SMF's control:

rm /etc/rc2.d/S65ipfboot
rm /etc/rc2.d/S10pfil
rm /etc/rcS.d/S10pfil
rm /etc/init.d/ipfboot
rm /etc/init.d/pfil

NOTE!!!  The config files for the public-domain version live in
/etc/opt/ipf, while Sun's config files live in /etc/ipf.  This
can lead to confusion, because the svc files that you saved in
step 3 still refer to Sun's config file path.  You should use
/etc/ipf for the sake of consistency with Solaris 10.

7) Configure pfil for your network devices.  Run "ifconfig -a"
and note your network devices other than lo0, for instance "hme0",
"ce0" or "bge0".

You have two choices here: (a) copy the public-domain version of the
pfil config file (which the pfil install should already have configured
for your machine) into the Sun directory, or (b) edit the saved Sun
version of the pfil config file and uncomment the lines for your
system's network devices.  Both choices rely on the fact that pfil
will be started via Sun's svc method script, which reads
/etc/ipf/pfil.ap.

  Choice (a) involves (the first cp is only needed if you skipped
  step 3; pkgrm in step 4 normally removes /etc/ipf/pfil.ap, so step 3
  is where the .dist copy comes from):

  # cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist
  # cp /etc/opt/pfil/iu.ap /etc/ipf/pfil.ap

  Choice (b) involves:

  # cp /etc/ipf/pfil.ap.dist /etc/ipf/pfil.ap
  # vi /etc/ipf/pfil.ap   (uncomment appropriate devices)

Then enable the pfil service:

# svcadm -v enable pfil

Make sure that the service started by checking the kernel modules:

# modinfo | grep pfil
188  139a8f8   6450   -   1  pfil (pfil Streams module 2.1.6)
188  139a8f8   6450 229   1  pfil (pfil Streams driver 2.1.6)

This should show the public-domain version, not Sun's version.
If you have problems, take a look at /lib/svc/method/pfil.
Make sure that the PFILAP variable matches the network device
config file.

8) Get ipfilter ready to go.  Put your ipf.conf and ipnat.conf
files in the Sun ipfilter config file directory structure:

  # cp [someplace]/ipf.conf /etc/ipf
  # cp [someplace]/ipnat.conf /etc/ipf

Edit these files as needed.  Then enable the ipfilter service:

# svcadm -v enable ipfilter

If you have problems, look at /lib/svc/method/ipfilter and make
sure that the variables specifying file paths match where you
put your config files.

NOTE!!! The configuration files for your public-domain version of
ipfilter now live where Sun expects them to be (/etc/ipf) and not where
the public-domain version expects them to be (/etc/opt/ipf).  If you
are used to the public-domain version's paths, you can make
/etc/opt/ipf a symlink to /etc/ipf.  Move the real /etc/opt/ipf
directory out of the way first, otherwise ln creates the link inside
that existing directory instead of replacing it (note the argument
order: the existing directory comes first, the link name second):

ln -s /etc/ipf /etc/opt/ipf

9) Time to see if things work.  Reboot from the system console
so you can see what complaints might appear there.

If you see the complaint "ipfilter: pfil not configured for 
firewall/NAT operation" during the reboot, then pfil didn't
start.  Go back to steps 6 and 7 and figure out what you did wrong.
Possible mistakes include:

  * uncommenting the wrong device in /etc/ipf/pfil.ap
  * editing /etc/opt/pfil/iu.ap instead of /etc/ipf/pfil.ap
  * no /lib/svc/method/pfil file.  See step 5.

Also type "svcs -x" and see what that says.  

10) Check that pfil is in place.  First, see that the pfil
kernel modules are loaded:

# modinfo | grep pfil
101 7ba76000   6450   -   1  pfil (pfil Streams module 2.1.6)
101 7ba76000   6450 229   1  pfil (pfil Streams driver 2.1.6)

Then make sure that pfil is in the right place in your network
device's configuration list:

# ifconfig [driver] modlist  (eg, bge0 in this case)
0 arp
1 ip
2 pfil     <--- must be here, directly below ip and above the driver
3 bge

pfil has to sit between ip and the driver itself; if it is missing from
this list, or appears anywhere else, traffic on that interface is not
being passed through the filter.  If you see these two things (the
2.1.6 modules loaded, and pfil in the right place in the stream), then
pfil is ok.

11) Check to see that ipfilter is in place and working.  First
check that the kernel module got loaded:

# modinfo | grep ipf
161 7b6e0000  3a288 228   1  ipf (IP Filter: v4.1.8)

Check that ipmon is running so that ipfilter complaints get to
syslog:

# ps -ef | grep ipmon
(ipmon process should be running)

Check that your ipfilter rules got loaded:

# ipfstat -ioh
(your ipfilter rules should show up and the counters should be
nonzero after a while).

If it says that you have empty filter sets, then you put ipf.conf
in the wrong directory.  Review step 8.  You want things in 
/etc/ipf, not /etc/opt/ipf.

Troubleshooting
---------------

If you had problems with pfil (step 9) and you don't see ipfilter
working like above, then ipfilter got put into "maintenance mode"
during one of the previous reboots because pfil was down.  Do 
"svcs -a | grep pfil".  If you see a legacy_run pfil, then you didn't 
delete an init script in step 6.  If ipfilter is listed as maintenance 
in the first column, then you need to clear it out of maintenance mode:

# svcadm -v clear ipfilter
(reboot)

Also do "svcs -vx".  It will give you more information about the
problem.  Go take a look at the logs it will refer to in /var/svc/log.
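The checks in steps 7, 10 and 11 and the svcs check just above can be
scripted so they are repeatable on every box you convert.  What follows
is an added example in POSIX sh, not part of the original how-to.  Each
check reads the output of the relevant Solaris command (modinfo,
"ifconfig DEV modlist", "svcs -a") on stdin, so on a real system you pipe
the live command in ("modinfo | check_module pfil 2.1.6"); the sample
output at the bottom is constructed from the listings above, not captured
from a host.  The pfil.ap line layout ("#driver -1 0 pfil", one line per
NIC driver) is an assumption about Solaris 10's /etc/ipf/pfil.ap.

```shell
#!/bin/sh
# Post-install checks for the pfil/ipfilter swap described above.
# Added example, not part of the original how-to.  Each check reads the
# output of the relevant Solaris command on stdin, so the constructed
# samples at the bottom stand in for a live box; on Solaris pipe the real
# commands in (modinfo | check_module pfil 2.1.6, etc.).

# enable_pfil_device FILE DRIVER
# Uncomment DRIVER's line in a pfil.ap-style file.  Assumes the Solaris 10
# /etc/ipf/pfil.ap layout of one "#driver -1 0 pfil" line per NIC driver.
# Returns 1 if no line for DRIVER exists, so a mistyped driver name
# (step 9, first bullet) is caught before the reboot rather than after.
# Needs a POSIX sed ([[:space:]]); on Solaris 10 use /usr/xpg4/bin/sed.
enable_pfil_device() {
    file=$1; drv=$2
    grep "^#*${drv}[[:space:]]" "$file" >/dev/null || return 1
    tmp="${file}.tmp.$$"
    sed "s/^#*\(${drv}[[:space:]]\)/\1/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_module NAME VERSION   (stdin: output of modinfo)
# Succeeds only if a module named NAME is loaded and its description
# carries VERSION, e.g. "check_module pfil 2.1.6" or "check_module ipf
# v4.1.8".  "modinfo | grep pfil" alone cannot tell Sun's pfil from
# Darren's; matching the version string can.
check_module() {
    awk -v name="$1" -v ver="$2" '
        $6 == name && index($0, ver) > 0 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_modlist DRIVER   (stdin: output of "ifconfig DRIVER0 modlist")
# pfil must sit directly below ip and above the driver itself; anywhere
# else and packets bypass the filter.
check_modlist() {
    awk -v drv="$1" '
        { pos[$2] = $1 + 0; last = $2 }
        END {
            if (!("ip" in pos) || !("pfil" in pos)) exit 1
            if (pos["pfil"] != pos["ip"] + 1) exit 1
            if (last != drv) exit 1
            exit 0
        }'
}

# check_svcs   (stdin: output of "svcs -a")
# Flags the two SMF states the Troubleshooting section describes: a
# leftover legacy_run pfil/ipfboot init script (step 6 not finished) and
# network/pfil or network/ipfilter stuck in maintenance.
check_svcs() {
    awk '
        $1 == "legacy_run" && $NF ~ /pfil|ipfboot/ {
            print "leftover init script still run by SMF: " $NF; bad = 1 }
        $1 == "maintenance" && $NF ~ /network\/(pfil|ipfilter)/ {
            print $NF " is in maintenance; run: svcadm -v clear " $NF; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample output (modelled on the listings in the how-to, not
# captured from a real host) so the checks run without a Solaris box.
SAMPLE_MODINFO='188  139a8f8   6450   -   1  pfil (pfil Streams module 2.1.6)
188  139a8f8   6450 229   1  pfil (pfil Streams driver 2.1.6)
161 7b6e0000  3a288 228   1  ipf (IP Filter: v4.1.8)'
SAMPLE_MODLIST='0 arp
1 ip
2 pfil
3 bge'
SAMPLE_SVCS='online         Sep_30   svc:/network/pfil:default
maintenance    Sep_30   svc:/network/ipfilter:default
legacy_run     Sep_30   lrc:/etc/rc2_d/S10pfil'

if printf '%s\n' "$SAMPLE_MODINFO" | check_module pfil 2.1.6; then
    echo "pfil 2.1.6 is loaded"
else
    echo "pfil 2.1.6 is NOT loaded (Sun's pfil, or pfil disabled)"
fi
if printf '%s\n' "$SAMPLE_MODLIST" | check_modlist bge; then
    echo "pfil sits between ip and bge"
else
    echo "pfil is missing or in the wrong place in the bge stream"
fi
printf '%s\n' "$SAMPLE_SVCS" | check_svcs || echo "SMF needs attention (see above)"
```

Run it as-is to see the three checks exercised on the samples (the svcs
sample is deliberately broken, so the last check reports the leftover
S10pfil script and the ipfilter maintenance state).  On a converted host,
"modinfo | check_module ipf v4.1.8 && ifconfig bge0 modlist | check_modlist bge
&& svcs -a | check_svcs" is the whole of steps 10, 11 and the SMF check.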

If you are running on x86 and ipfilter does not start, it may be because
the public-domain version got installed in /sbin instead of /usr/sbin.
The start script (/lib/svc/method/ipfilter) expects files to be in
/usr/sbin.  The quick fix:  

# cd /sbin
# mv ipf* /usr/sbin
# mv ipnat /usr/sbin

If pfil starts but ipfilter does not (see 
/var/svc/log/network-ipfilter:default.log for details) then pfild may
be missing.  If you didn't save a copy of /usr/sbin/pfild, then you have 
some work to do to get it back.  Grab a copy from another Solaris 10
system.  Or dig out your Solaris 10 install CDs (or DVD) and mount them.  
Do:

# cd /cdrom
# find . -name 'SUNWipfu' -print

When this directory is found, cd to /cdrom/[path]/SUNWipfu/archive, and
grab the "none.bz2" file:

# cp none.bz2 /tmp             (none.bz2 contains the file you need)
# cd /tmp
# bunzip2 none.bz2
# cpio -id usr/sbin/pfild < none  (use cpio to recover file)
# cd /tmp/usr/sbin                (where cpio put the file)
# cp pfild /usr/sbin    
# cd /usr/sbin
# chmod 555 pfild
# chown root:bin pfild
