Best Solaris 9 Firewall



Hi All,

Until now I've been content to use the base Solaris 9 Sparc install
(services locked down) with the simple addition of the Apache, OpenSSH, ftp
and Perl.  I've therefore not needed a firewall (IMHO).

However, now I'd like to install MySQL and PHP.  MySQL comes in a package
from sunfreeware, but it looks like PHP will need to be compiled.  As I'm
wary of installing compilers onto a production box, I'd like to install a
firewall onto it first.

I see that there are two options.  One is the bundled one on the Solaris 9
CD and the other is IPTables?

It would seem that the bundled Sun Version is graphical driven and my server
has no display.  Does anyone know if it can be controlled via the command
line?  If so, does anyone know of a tutorial?

IPTables may be the simplest bet, however, I can't seem to find an IPTable
package anywhere.

Are there any other options?

Thanks in advance for any help you may be able to give.

Regards

Neil


0
Reply Neil 9/3/2004 8:34:27 PM

Neil sez:
> Hi All,
> 
> Until now I've been content to use the base Solaris 9 Sparc install
> (services locked down) with the simple addition of the Apache, OpenSSH, ftp
> and Perl.  I've therefore not needed a firewall (IMHO).
> 
> However, now I'd like to install MySQL and PHP.  MySQL comes in a package
> from sunfreeware, but it looks like PHP will need to be compiled. 

Or you could take a closer look at the freeware CD in your media kit. And if
you don't find php and mysql there (my 12/02 kit doesn't have them), get
them from Sun's website.

> As I'm
> wary of installing compilers onto a production box, I'd like to install a
> firewall onto it first.
> 
> I see that there are two options.  One is the bundled one on the Solaris 9
> CD and the other is IPTables?
> 
> It would seem that the bundled Sun Version is graphical driven and my server
> has no display.  Does anyone know if it can be controlled via the command
> line?  If so, does anyone know of a tutorial?

Uhmm, did you try "ssh -X"?

> IPTables may be the simplest bet, however, I can't seem to find an IPTable
> package anywhere.

IPTables is for Linux. What you're looking for is IP Filter.

Dima
-- 
.... with the exception of January and February 1900, all Microsoft application
libraries counted dates the same way.  
                            -- An Interview with Joel Spolsky of JoelonSoftware
0
Reply Dimitri 9/3/2004 10:17:46 PM


Neil wrote:

> However, now I'd like to install MySQL and PHP.  MySQL comes in a package
> from sunfreeware, but it looks like PHP will need to be compiled.  As I'm
> wary of installing compilers onto a production box, I'd like to install a
> firewall onto it first.

Or you can get the php from blastwave.org.

> I see that there are two options.  One is the bundled one on the Solaris 9
> CD and the other is IPTables?

Iptables is Linucks. You might be thinking of IPFilter.

> It would seem that the bundled Sun Version is graphical driven and my server
> has no display.  Does anyone know if it can be controlled via the command
> line?  If so, does anyone know of a tutorial?

The Solaris bundled firewall is no longer going to be supported (come 
Solaris 10). You'll be better off using IPF (which is much faster anyways).

> Are there any other options?

http://www.mail.ac/index.php?option=content&task=view&id=3&Itemid=2

http://coombs.anu.edu.au/~avalon/

http://www.phildev.net/ipf/
0
Reply Bruno 9/3/2004 10:43:06 PM

Neil wrote:
> Hi All,
> 
> Until now I've been content to use the base Solaris 9 Sparc install
> (services locked down) with the simple addition of the Apache, OpenSSH, ftp
> and Perl.  I've therefore not needed a firewall (IMHO).
> 
> However, now I'd like to install MySQL and PHP.  MySQL comes in a package
> from sunfreeware, but it looks like PHP will need to be compiled.  As I'm
> wary of installing compilers onto a production box, I'd like to install a
> firewall onto it first.
> 
> I see that there are two options.  One is the bundled one on the Solaris 9
> CD and the other is IPTables?
> 
> It would seem that the bundled Sun Version is graphical driven and my server
> has no display.  Does anyone know if it can be controlled via the command
> line?  If so, does anyone know of a tutorial?
> 
> IPTables may be the simplest bet, however, I can't seem to find an IPTable
> package anywhere.
> 
> Are there any other options?
> 
> Thanks in advance for any help you may be able to give.
> 
> Regards
> 
> Neil
> 
> 
IP Filter is an option

http://www.cites.uiuc.edu/wsg/talks/ipfilter/
0
Reply Another 9/4/2004 4:06:55 AM

HI,
Neil wrote:
> Hi All,
> 
> Until now I've been content to use the base Solaris 9 Sparc install
> (services locked down) with the simple addition of the Apache, OpenSSH, ftp
> and Perl.  I've therefore not needed a firewall (IMHO).
> 
> However, now I'd like to install MySQL and PHP.  MySQL comes in a package
> from sunfreeware, but it looks like PHP will need to be compiled.  As I'm
> wary of installing compilers onto a production box, I'd like to install a
> firewall onto it first.
> 
> I see that there are two options.  One is the bundled one on the Solaris 9
> CD and the other is IPTables?
> 
> It would seem that the bundled Sun Version is graphical driven and my server
> has no display.  Does anyone know if it can be controlled via the command
> line?  If so, does anyone know of a tutorial?
> 
> IPTables may be the simplest bet, however, I can't seem to find an IPTable
> package anywhere.
> 
> Are there any other options?

IPFILTER, as the others also recommend; it is part of S10 so I think you 
can say that IPF is perfectly okay to use. FWIW mine has never crashed 
on S8 and it was installed in Feb 2003. Maybe I should upgrade? NO :)

/michael

0
Reply Michael 9/4/2004 10:24:56 AM

> I see that there are two options.  One is the bundled one on the Solaris 9
> CD and the other is IPTables?

Bundled version is SunScreen, and comes on disk 2 of the Solaris 9
CD-ROMs.

> It would seem that the bundled Sun Version is graphical driven and my server
> has no display.  Does anyone know if it can be controlled via the command
> line?  If so, does anyone know of a tutorial?

I've used this guide to set up something similar on a v210 headless
server via command line with much success:

http://docs.style.net/os/solaris/common/SunScreen-v3.2.txt

HTH,

P.
0
Reply mr_peter_stevenson 9/4/2004 11:30:31 AM

Michael Laajanen <michael.laajanen.no-spam.@telia.com> wrote:

> IPFILTER, as the others also recommend; it is part of S10 so I think you 
> can say that IPF is perfectly okay to use. FWIW mine has never crashed 
> on S8 and it was installed in Feb 2003. Maybe I should upgrade? NO :)

There have been a few stability issues in the recent past.
Some day I wanted to set up an old SS10 running S9 as a
firewall (nothing else) and the resulting system crashed
twice a week before I replaced the whole thing with
something different. I have been using ip-filter on an
Ultra running S9 too and never had any problems there.
I certainly won't upgrade that machine if there is no
critical reason. YMMV of course.

mfg
Dennis

-- 
from the manpage of cdrecord,  section BUGS:

Cdrecord has even more options than ls.
0
Reply Dennis 9/4/2004 12:32:48 PM

HI,

Dennis Grevenstein wrote:
> Michael Laajanen <michael.laajanen.no-spam.@telia.com> wrote:
> 
> 
>>IPFILTER, as the others also recommend; it is part of S10 so I think you 
>>can say that IPF is perfectly okay to use. FWIW mine has never crashed 
>>on S8 and it was installed in Feb 2003. Maybe I should upgrade? NO :)
> 
> 
> There have been a few stability issues in the recent past.
> Some day I wanted to set up an old SS10 running S9 as a
> firewall (nothing else) and the resulting system crashed
> twice a week before I replaced the whole thing with
> something different. I have been using ip-filter on an
> Ultra running S9 too and never had any problems there.
> I certainly won't upgrade that machine if there is no
> critical reason. YMMV of course.
> 
Which ipfilter version has been having problems; is that on the 3.4 
branch or the 4.1 branch?

/michael


0
Reply Michael 9/4/2004 3:20:56 PM

Michael Laajanen <michael.laajanen.no-spam.@telia.com> wrote:

> Which ipfilter version has been having problems; is that on the 3.4 
> branch or the 4.1 branch?

4 didn't compile back then. It was a late 3 release.

mfg
Dennis

-- 
from the manpage of cdrecord,  section BUGS:

Cdrecord has even more options than ls.
0
Reply Dennis 9/4/2004 4:44:48 PM

In article <s3l_c.2259$d5.18236@newsb.telia.net>,
	Michael Laajanen <michael.laajanen.no-spam.@telia.com> writes:
> HI,
> 
> Dennis Grevenstein wrote:
>> Michael Laajanen <michael.laajanen.no-spam.@telia.com> wrote:
>> 
>> 
>>>IPFILTER, as the others also recommend; it is part of S10 so I think you 
>>>can say that IPF is perfectly okay to use. FWIW mine has never crashed 
>>>on S8 and it was installed in Feb 2003. Maybe I should upgrade? NO :)
>> 
>> 
>> There have been a few stability issues in the recent past.
>> Some day I wanted to set up an old SS10 running S9 as a
>> firewall (nothing else) and the resulting system crashed
>> twice a week before I replaced the whole thing with
>> something different. I have been using ip-filter on an
>> Ultra running S9 too and never had any problems there.
>> I certainly won't upgrade that machine if there is no
>> critical reason. YMMV of course.
>> 
> Which ipfilter version has been having problems; is that on the 3.4 
> branch or the 4.1 branch?

The versions you add to Solaris yourself have always had the
potential for panics as they go through Solaris's dynamic data
structures without taking the locks and patch themselves into
streams in ways which could panic if the stream is unplumbed
at the same time. Of course this mostly isn't a problem, but
I expect it would be relatively easy to engineer a panic if
you want to. The other thing is they use private data structures
in the kernel and so there's no backwards or forwards binary
compatibility -- make sure you build it on the specific release
and kernel patch level you are running, and you should rebuild 
it if you patch the kernel (OK, you will often get away without
doing so).

The version integrated into Solaris 10 has these issues fixed.
The fixes may be in the 4.x version, but only if run on
Solaris 10 -- earlier versions of Solaris don't have all the
necessary hooks in the OS to get it completely right.

-- 
Andrew Gabriel
0
Reply andrew 9/4/2004 9:43:52 PM

HI;
Dennis Grevenstein wrote:
> Michael Laajanen <michael.laajanen.no-spam.@telia.com> wrote:
> 
> 
>>Which ipfilter version has been having problems; is that on the 3.4 
>>branch or the 4.1 branch?
> 
> 
> 4 didn't compile back then. It was a late 3 release.
> 
> mfg
> Dennis
> 

HI, I have been and am running ipf-3.4.29, but I think I would give the 
4.1.x a try quite soon; the only question is if I should build it on the 
same physical platform and OS or swap it all :) Since I am a HW Eng. I 
don't believe in "that should not affect that..." :)))

/michael
0
Reply Michael 9/4/2004 11:24:40 PM

Michael Laajanen <michael.laajanen.no-spam.@telia.com> wrote:

> HI, I have been and am running ipf-3.4.29, but I think I would give the 
> 4.1.x a try quite soon; the only question is if I should build it on the 
> same physical platform and OS or swap it all :) Since I am a HW Eng. I 
> don't believe in "that should not affect that..." :)))

I too think that you should build it on the exact release.
For a 64bit kernel you have to build 64bit ipf binaries,
so you will need a proper compiler.

mfg
Dennis

-- 
from the manpage of cdrecord,  section BUGS:

Cdrecord has even more options than ls.
0
Reply Dennis 9/4/2004 11:41:28 PM

Neil wrote:
> I see that there are two options.  One is the bundled one on the Solaris 9
> CD and the other is IPTables?

Perhaps I'm getting to be really "out of it", but last I knew iptables 
was a firewall solution that ran only on Linux since it interfaced with 
the Linux kernel directly.

Your options are either SunScreen, CheckPoint FireWall-1 or CheckPoint 
FireWall NG, or IPFilter.

I don't have any experience with SunScreen, but Sun announced EOL 
for this product a while ago.

CheckPoint's firewalls are an excellent choice, but it also holds true 
that you get what you pay for. In this particular case, last I bought a 
license it was $20,000 USD for a single firewall unlimited license, plus 
a bunch of features (remote management module, VPN/encryption, GUI).

Lastly, there is IPFilter, the unsung hero of firewalls on Solaris (and 
other corporate UNIXes). The 3.4.xx series is a stable product, which is 
easy to compile and install (Forte or GCC, generates its own package). 
It is easy to learn, its capabilities are good (for example NAT, 
transparent proxying, stateful inspection) and it handles the load very 
well, even on 50MHz sun4c boxes.  On more powerful hardware (like a 
333MHz Ultra5, or a dual 296MHz E250) it flies.
Another bonus for IPFilter is that it's free-as-in-beer.
0
Reply UNIX 9/5/2004 7:12:30 PM
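A host-based ruleset for the box described in the original post (Apache, OpenSSH, ftp, and MySQL reachable only from PHP on the same machine), written in the IPFilter 3.4 syntax the post above recommends. It is an added example, not a configuration from this thread or from the IPFilter project; the interface name hme0, the admin network 192.0.2.0/24 and the fixed passive ftp port range are assumptions.

```conf
# Host-based IPFilter ruleset for a Solaris 9 web/ftp/ssh box that will
# also run MySQL for a local PHP application. Assumptions (not from the
# thread): external interface hme0, admin workstations in 192.0.2.0/24,
# ftpd pinned to passive data ports 49152-49200.

# Loopback traffic is unrestricted; this is how PHP reaches MySQL.
pass in  quick on lo0 all
pass out quick on lo0 all

# Drop fragments too short to carry a full header and packets carrying
# IP options before any other rule sees them.
block in quick on hme0 all with short
block in log quick on hme0 all with ipopts

# Connections the host initiates (package downloads, DNS, NTP, active-mode
# ftp data from port 20) are tracked statefully; replies come back
# without needing an explicit inbound rule.
pass out quick on hme0 proto tcp  from any to any flags S keep state
pass out quick on hme0 proto udp  from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# SSH only from the admin network.
pass in quick on hme0 proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state

# Public services: HTTP, the ftp control channel, and the passive ftp
# data range (49152-49200; the >< operator is exclusive at both ends).
pass in quick on hme0 proto tcp from any to any port = 80 flags S keep state
pass in quick on hme0 proto tcp from any to any port = 21 flags S keep state
pass in quick on hme0 proto tcp from any to any port 49151 >< 49201 flags S keep state

# MySQL (3306) is never exposed on the wire: log attempts so they show
# up in ipmon output, and answer with RST so probes do not hang.
block return-rst in log quick on hme0 proto tcp from any to any port = 3306

# Default deny, logged, for everything not matched above.
block in  log on hme0 all
block out log on hme0 all
```

Load it with `ipf -Fa -f /etc/opt/ipf/ipf.conf` and confirm the active rules with `ipfstat -io`; `ipmon -s` forwards the logged blocks to syslog.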

Michael Laajanen wrote:
> Which ipfilter version has been having problems; is that on the 3.4 
> branch or the 4.1 branch?

4.1.x branch is nowhere near ready for production. People can't even get 
it to compile right at this point, let alone get it to work. It seems 
like pfil is a nightmare. Why Darren decided to do it that way is beyond 
me (I don't understand what the deal is with pfil). It'll be a while 
before he irons out all the glitches, but the patches for 4.1.x series 
have been circulating extensively in the last few months.
0
Reply UNIX 9/5/2004 7:17:22 PM

Michael Laajanen wrote:
> HI, I have been and am running ipf-3.4.29, but I think I would give the 
> 4.1.x a try quite soon; the only question is if I should build it on the 
> same physical platform and OS or swap it all :) Since I am a HW Eng. I 
> don't believe in "that should not affect that..." :)))

See my previous post.  I'm also running both 3.4.29 and 3.4.35 and 
they've both been stable.  If it ain't broke don't fix it.  There are 
currently more problems with 4.1.x series than you can shake a stick at.
0
Reply UNIX 9/5/2004 7:19:08 PM

Andrew Gabriel wrote:
> I expect it would be relatively easy to engineer a panic if
> you want to. The other thing is they use private data structures
> in the kernel and so there's no backwards or forwards binary
> compatibility -- make sure you build it on the specific release
> and kernel patch level you are running, and you should rebuild 
> it if you patch the kernel (OK, you will often get away without
> doing so).

That is exactly what happened to me -- I had a firewall and decided to 
apply the latest master patch cluster (MCP). After that, the machine was 
shot. IPFilter caused the kernel to panic, dump the pages to swap, and 
reboot. Then it would repeat the nightmare over and over again.

I was left with no recourse but to rebuild the machine from scratch. 
Only this time, IPFilter wouldn't even fire up.
Finally, when the next kernel patch rev came out, I MCPed the system 
once again and managed to compile IPFilter. It needed the (new?) 
functionality of the later kernel revisions.

There is no way I'm gonna be patching the kernel on that machine. It 
will run until it either fries or falls apart, whichever comes first, 
for it is a Solaris based firewall appliance at this point. Luckily, 
when it was completely busted it had been souped up with newer, more 
powerful extra fans, more powerful & newer power supply and newer disks 
in a RAID1+0 config. So it should run for another 10 years, or until I 
decide to decommission it.
0
Reply UNIX 9/5/2004 7:31:20 PM

ipfilter 4 is bundled with solaris 10 and appears to work fine.

It is very likely that it has been worked on within Sun.

Thomas
0
Reply Thomas 9/5/2004 7:33:02 PM

On Sun, 5 Sep 2004, Thomas Tornblom wrote:

> ipfilter 4 is bundled with solaris 10 and appears to work fine.
>
> It is very likely that it has been worked on within Sun.

Darren Reed was on contract to Sun, integrating IPF with
Solaris 10.

-- 
Rich Teer, SCNA, SCSA, author of "Solaris Systems Programming",
published in August 2004.

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich
0
Reply Rich 9/5/2004 8:06:59 PM

Rich Teer wrote:
> On Sun, 5 Sep 2004, Thomas Tornblom wrote:
> 
> 
>>ipfilter 4 is bundled with solaris 10 and appears to work fine.
>>
>>It is very likely that it has been worked on within Sun.
> 
> 
> Darren Reed was on contract to Sun, integrating IPF with
> Solaris 10.

Probably one of the smartest things they did lately.  I don't know why 
they haven't hired him, like ages ago.

Him and Masayuki Murayama.
Sometimes Sun doesn't make sense.
0
Reply UNIX 9/6/2004 5:53:25 AM

Thomas Tornblom <thomas@Hax.SE.remove-to-reply> writes:

>ipfilter 4 is bundled with solaris 10 and appears to work fine.

>It is very likely that it has been worked on within Sun.

The version of ipfilter bundled with Solaris 10 was quite extensively
worked on because we don't allow stuff in which doesn't play ball
with the kernel interfaces. (Both the 3.x series and the public 4.x
series poke in the kernel or look at bits of the kernel they shouldn't)

There seem to be some glitches in the re-sync, but it is certainly
the intention to make the public ipfilter 4.x as well behaved and
to re-sync the two.

Casper
-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
0
Reply Casper 9/6/2004 8:20:44 AM

HI,

Casper H.S. Dik wrote:
> Thomas Tornblom <thomas@Hax.SE.remove-to-reply> writes:
> 
> 
>>ipfilter 4 is bundled with solaris 10 and appears to work fine.
> 
> 
>>It is very likely that it has been worked on within Sun.
> 
> 
> The version of ipfilter bundled with Solaris 10 was quite extensively
> worked on because we don't allow stuff in which doesn't play ball
> with the kernel interfaces. (Both the 3.x series and the public 4.x
> series poke in the kernel or look at bits of the kernel they shouldn't)
>
> There seem to be some glitches in the re-sync, but it is certainly
> the intention to make the public ipfilter 4.x as well behaved and
> to re-sync the two.
> 
> Casper
Is IPF(4.x) still work in progress at Sun and with Phil, or is that job 
finished, and will in that case the work he did for Sun be available in 
the "open" source so we don't have to jump on S10 beta for firewall 
upgrades at the moment?


/michael
0
Reply Michael 9/6/2004 5:55:19 PM

Michael Laajanen wrote:

> Is IPF(4.x) still work in progress at Sun and with Phil, or is that job 
> finished, and will in that case the work he did for Sun be available in 
> the "open" source so we don't have to jump on S10 beta for firewall 
> upgrades at the moment?

Darren had worked with the SUN engineers to improve the current version 
of IPF. His changes have been incorporated back into IPFilter 4.x which 
can be downloaded and installed on any Sun box.

On a personal note, I've tried out that 4.x version and found our 
production servers (Solaris 7-9) to crash when running these version(s). 
[See the archives of ipf for details].

Hence, we're currently sticking to 3.4.35 release (Binary can be 
downloaded here http://mail.ac/users/bruno/projects.html). And the older 
release of Solaris 10 express I tried had some bits of ipf broken (nat 
etc.).

-Bruno
0
Reply Bruno 9/6/2004 6:21:22 PM

21 Replies
591 Views
