The generic_limited_net.xml service profile says the following:
The purpose of the limited_net profile is to provide a set of
active services that allow one to connect to the machine via ssh
(requires sshd). The services which are deactivated here are those
that are at odds with this goal. Those which are activated are
explicit requirements for the goal's satisfaction.
If one uses svccfg to apply that profile, then I would think that the system
would no longer be listening on many, many network ports.
That seems to definitely NOT be the case, however.
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 15:48:49 ? 0:01 sched
root 1 0 0 15:48:50 ? 0:09 /sbin/init
root 2 0 0 15:48:50 ? 0:00 pageout
root 3 0 0 15:48:50 ? 0:32 fsflush
root 221 1 0 15:50:00 ? 0:00 /usr/lib/utmpd
root 7 1 0 15:48:53 ? 0:06 /lib/svc/bin/svc.startd
root 9 1 0 15:48:53 ? 0:28 /lib/svc/bin/svc.configd
root 105 1 0 15:49:28 ? 0:00 /usr/lib/picl/picld
root 223 7 0 15:50:01 console 0:00 -sh
root 205 1 0 15:49:57 ? 0:00 /usr/sbin/cron
root 118 1 0 15:49:33 ? 0:00 /usr/lib/power/powerd
daemon 206 1 0 15:49:57 ? 0:00 /usr/sbin/rpcbind
root 151 1 0 15:49:44 ? 0:14 /usr/sbin/in.routed
root 95 1 0 15:49:25 ? 0:04 /usr/sbin/nscd
root 408 1 0 15:50:46 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 215 7 0 15:49:59 ? 0:00 /usr/lib/saf/sac -t 300
root 102 1 0 15:49:26 ? 0:00 /usr/lib/sysevent/syseventd
root 325 1 0 15:50:24 ? 0:04 /usr/lib/fm/fmd/fmd
daemon 114 1 0 15:49:31 ? 0:00 /usr/lib/crypto/kcfd
root 216 215 0 15:50:00 ? 0:00 /usr/lib/saf/ttymon
root 218 1 0 15:50:00 ? 0:03 /usr/lib/inet/inetd start
root 290 1 0 15:50:13 ? 0:00 /usr/lib/autofs/automountd
root 291 290 0 15:50:13 ? 0:00 /usr/lib/autofs/automountd
root 369 368 0 15:50:35 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 306 1 0 15:50:17 ? 0:00 /usr/sbin/syslogd
root 15750 223 0 12:11:44 console 0:00 ps -ef
root 370 368 0 15:50:35 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 470 1 0 15:50:54 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
root 368 1 0 15:50:35 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 481 1 0 15:50:57 ? 0:00 /usr/lib/dmi/dmispd
root 483 1 0 15:50:58 ? 0:00 /usr/lib/dmi/snmpXdmid -s tester
root 550 1 0 15:51:12 ? 0:02 /usr/sfw/sbin/snmpd
#
That is a LOT of stuff running still and ...
# netstat -an
UDP: IPv4
Local Address Remote Address State
-------------------- -------------------- -------
*.520 Idle
*.111 Idle
*.* Unbound
*.32771 Idle
*.32776 Idle
*.514 Idle
*.177 Idle
*.16161 Idle
*.32777 Idle
*.32778 Idle
*.32779 Idle
*.32780 Idle
*.32781 Idle
*.32784 Idle
*.32786 Idle
*.161 Idle
*.32790 Idle
*.* Unbound
*.* Unbound
*.* Unbound
*.* Unbound
UDP: IPv6
Local Address Remote Address State If
--------------------------------- --------------------------------- ---------- -----
*.177 Idle
TCP: IPv4
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -------
*.* *.* 0 0 49152 0 IDLE
*.32789 *.* 0 0 49152 0 LISTEN
*.32790 *.* 0 0 49152 0 LISTEN
*.32791 *.* 0 0 49152 0 LISTEN
*.32792 *.* 0 0 49152 0 LISTEN
*.111 *.* 0 0 49152 0 LISTEN
*.* *.* 0 0 49152 0 IDLE
*.7100 *.* 0 0 49152 0 LISTEN
*.32773 *.* 0 0 49152 0 LISTEN
*.5987 *.* 0 0 49152 0 LISTEN
*.898 *.* 0 0 49152 0 LISTEN
*.32774 *.* 0 0 49152 0 LISTEN
*.5988 *.* 0 0 49152 0 LISTEN
*.32775 *.* 0 0 49152 0 LISTEN
*.32776 *.* 0 0 49152 0 LISTEN
*.32777 *.* 0 0 49152 0 LISTEN
*.32778 *.* 0 0 49152 0 LISTEN
TCP: IPv6
Local Address Remote Address Swind Send-Q Rwind Recv-Q State If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
*.* *.* 0 0 49152 0 IDLE
*.7100 *.* 0 0 49152 0 LISTEN
SCTP:
Local Address Remote Address Swind Send-Q Rwind Recv-Q StrsI/O State
------------------------------- ------------------------------- ------ ------ ------ ------ ------- -----------
0.0.0.0 0.0.0.0 0 0 102400 0 32/32 CLOSED
Active UNIX domain sockets
Address Type Vnode Conn Local Addr Remote Addr
30001255988 stream-ord 30002983000 00000000 /var/run/.inetd.uds
#
That is a LOT of listening services and even syslog is still listening on an
external port.
# grep -v "^#" /etc/default/syslogd
LOG_FROM_REMOTE=NO
That solves that, with a restart of syslog.
Where am I going with all this?
Essentially it would be nice to have a really really small box running like
an appliance with one task only. Run SendMail and maybe dovecot etc etc.
It would be nice if it were dead quiet on ALL network ports other than those
requested and required.
I know that ipfilter will do a nice job of getting me to the desired level
of quiet, but consider this:
# prtconf -v | grep Memory
Memory size: 64 Megabytes
#
Yep, that's right. I have modern Solaris running in 64 MB of RAM. That's
so small that it's perfectly reasonable to see it running on an embedded
solution, if I can just keep all these other non-essential tasks from
running without doing a pkgrm or kill -9 after startup.
# /bin/echo "::memstat" | mdb -k
Page Summary Pages MB %Tot
------------ ---------------- ---------------- ----
Kernel 4603 35 64%
Anon 1689 13 24%
Exec and libs 565 4 8%
Page cache 83 0 1%
Free (cachelist) 149 1 2%
Free (freelist) 62 0 1%
Total 7151 55
Physical 7125 55
That's just spooky, I know :-)
Dennis
_______________________________________________
opensolaris-discuss mailing list
[email protected]
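As an added example, not part of Dennis's post and not a Solaris tool, here is a small POSIX shell script that does the check the post is really asking for: parse a saved `netstat -an` listing (the sample below is constructed from the output above), reduce it to the set of wildcard listeners, and flag every port outside an allowlist, assumed here to be sshd's 22 only. The port labels are the well-known /etc/services names plus the daemons visible in the ps listing and should be confirmed on the box with `svcs -p` or `pfiles`. Worth keeping in mind while working through the list: a profile applied with `svccfg apply` only governs SMF-managed services, and several of the daemons shown (snmpdx, dmispd and snmpXdmid, smcboot) are started by legacy rc scripts on Solaris 10 and appear in `svcs` as `lrc:/...` entries, which is one reason the box is still noisy after the profile.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved "netstat -an"
# listing against the ports the box is meant to expose, so the gap between
# "applied generic_limited_net" and "actually quiet" is visible at a glance.
# The sample listing below is constructed from the post; the ALLOWED list
# (sshd only) is an assumption.

ALLOWED="22"

# listeners FILE: print "proto port" for every wildcard-bound socket that is
# listening (TCP LISTEN, UDP Idle) in Solaris-style netstat -an output,
# sorted by protocol then port, IPv4/IPv6 duplicates collapsed.
listeners() {
    awk '
        /^UDP:/               { proto = "udp"; next }
        /^TCP:/               { proto = "tcp"; next }
        /^SCTP:/ || /^Active/ { proto = ""; next }
        proto == "udp" && $1 ~ /^\*\.[0-9]+$/ && $NF == "Idle"   { sub(/^\*\./, "", $1); print proto, $1 }
        proto == "tcp" && $1 ~ /^\*\.[0-9]+$/ && $NF == "LISTEN" { sub(/^\*\./, "", $1); print proto, $1 }
    ' "$1" | sort -k1,1 -k2,2n -u
}

# label PORT: well-known name for the port (/etc/services names plus the
# daemons seen in the post). Confirm on the box with "svcs -p" or "pfiles".
label() {
    case "$1" in
        22)        echo "ssh" ;;
        111)       echo "sunrpc (rpcbind)" ;;
        161)       echo "snmp" ;;
        177)       echo "xdmcp (dtlogin)" ;;
        514)       echo "syslog (LOG_FROM_REMOTE)" ;;
        520)       echo "route (in.routed)" ;;
        898)       echo "smc (smcboot)" ;;
        5987|5988) echo "wbem" ;;
        7100)      echo "fs (X font server)" ;;
        *)         echo "unknown" ;;
    esac
}

# report FILE: one line per listener, flagging anything outside ALLOWED.
report() {
    listeners "$1" | while read -r proto port; do
        case " $ALLOWED " in
            *" $port "*) status="allowed" ;;
            *)           status="UNEXPECTED" ;;
        esac
        printf '%-4s %-6s %-28s %s\n' "$proto" "$port" "$(label "$port")" "$status"
    done
}

# unexpected_count FILE: number of listeners not in ALLOWED; 0 means the box
# is as quiet as intended.
unexpected_count() {
    report "$1" | awk '/UNEXPECTED$/ { n++ } END { print n + 0 }'
}

# Constructed sample, trimmed from the post's netstat -an output (assumption:
# sshd has been enabled, so *.22 is present).
SAMPLE=${TMPDIR:-/tmp}/netstat_sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- -------
      *.520                               Idle
      *.111                               Idle
      *.*                                 Unbound
      *.514                               Idle
      *.161                               Idle
UDP: IPv6
   Local Address                     Remote Address                   State      If
--------------------------------- --------------------------------- ---------- -----
      *.177                                                          Idle
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.*                  *.*                0      0 49152      0 IDLE
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.898                *.*                0      0 49152      0 LISTEN
      *.5988               *.*                0      0 49152      0 LISTEN
      *.7100               *.*                0      0 49152      0 LISTEN
192.168.1.5.22       192.168.1.9.40312  49640      0 49640      0 ESTABLISHED
TCP: IPv6
   Local Address                     Remote Address                   Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.*                               *.*                              0      0 49152      0 IDLE
      *.7100                            *.*                              0      0 49152      0 LISTEN
SCTP:
   Local Address                   Remote Address                  Swind Send-Q Rwind Recv-Q StrsI/O  State
0.0.0.0                         0.0.0.0                             0      0 102400     0  32/32 CLOSED
Active UNIX domain sockets
EOF

report "$SAMPLE"
```

On a real box, feed it the live listing (`netstat -an > /tmp/ns.out; report /tmp/ns.out`), re-run after each `svcadm disable` or rc-script removal, and stop when `unexpected_count` reaches zero. An ipfilter rule set hides a port from the network but leaves the daemon running, which is the opposite of what the post is after on a 64 MB box.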