h1. Misc Solaris Tips and Tricks
h2. Keep the system up-to-date
# smpatch analyze // see what should be applied
# smpatch download // download them
# smpatch update // applies them
*!!! You don't need analyze and download. Update will do that.*
By default, update only installs patches that are fairly safe, i.e. ones that can be applied while the system is running normally and won't cause trouble. Patches that require an immediate reboot are skipped and listed in _/var/sadm/spool/disallowed_patch_list_. When you're ready to apply them, kick everybody off the system, shut down as much as you can, and run
# smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list
then reboot.
h2. Firewall
h3. Edit /etc/ipf/pfil.ap
Uncomment the interfaces you want filtering on, probably your primary ethernet interface. Use /sbin/ifconfig -a if you don't know the interface names. Then restart pfil:
# /usr/sbin/svcadm restart network/pfil
h3. Create /etc/ipf/ipf.conf
Start with rules that allow all traffic:
pass in quick all
pass out quick all
h3. Start the firewall
# /usr/sbin/svcadm enable network/ipfilter
Reboot and make sure the network is still available.
h3. Better rules
These rules allow all outgoing connections, and incoming connections for a few services. For a pure client machine remove all the pass-in TCP rules and maybe the ICMP ones too. ICMP type 8 is needed to respond to ping; type 13 is a timestamp request. Keep _block in quick all_ as the last rule: with _quick_, the first matching rule is final.
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass out quick from any to any keep state
block in quick all
Restart the firewall:
# ipf -Fa -f /etc/ipf/ipf.conf
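Added here as a pre-flight check, not part of the original page: a small POSIX sh function (the name _ipf_check_ is made up) that lints an ipf.conf written in the style above before it is loaded with _ipf -Fa -f_. Because _quick_ makes the first matching rule final, a leftover _pass in quick all_ from the bootstrap step, or a rule placed after _block in quick all_, silently defeats the ruleset; the function flags both, plus inbound TCP rules without _keep state_, and returns 1 if anything is found.

```sh
#!/bin/sh
# ipf_check FILE  (hypothetical helper, not a Solaris command)
# Lint an /etc/ipf/ipf.conf written in the style above before loading it.
# With "quick", the first matching rule is final, so:
#   - a leftover "pass in quick all" from the bootstrap step admits everything;
#   - any "pass in" rule after "block in quick all" is never reached;
#   - an inbound TCP pass rule without "keep state" bypasses the state table.
# Prints one line per finding and returns 1 if any were found, 0 otherwise.
ipf_check() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    /^[ \t]*$/ { next }                     # skip blank lines
    /^pass in quick all/ {
        print "bootstrap rule still present: " $0; bad = 1
    }
    /^block in quick all/ { seen_block = 1; next }
    seen_block && /^pass in/ {
        print "unreachable after block in quick all: " $0; bad = 1
    }
    /^pass in .*proto tcp/ && !/keep state/ {
        print "inbound tcp rule without keep state: " $0; bad = 1
    }
    END {
        if (!seen_block) { print "missing final block in quick all"; bad = 1 }
        exit bad
    }' "$1"
}
```

Run _ipf_check /etc/ipf/ipf.conf_ before the _ipf -Fa -f_ step; a non-zero exit means the file still needs attention.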
h3. Fix the active FTP connections
Even if you're not going to create a NAT, you'll want one entry in ipnat.conf: a proxy that makes active FTP work. Without it you can only use passive FTP. Put the following in _/etc/ipf/ipnat.conf_:
map rtls0 0/0 -> 0/32 proxy port 21 ftp/tcp
*rtls0* is your ethernet interface name
Restart the NAT service:
# ipnat -CF -f /etc/ipf/ipnat.conf
h3. NAT for zones
* Make sure the NAT is configured (see above)
map rtls0 10.10.10.0/24 -> 0/32
* Assign the global zone's imaginary address to the physical interface. Add a default route to the imaginary router. Use the imaginary router's IP address and the real router's MAC address.
# ifconfig rtls0 addif 10.10.10.1/24 up
# route add default 10.10.10.254
# arp -s 10.10.10.254 0:0:c:7:ac:6c // !!! replace with your own MAC
* Run inbound network services (say, a web server) in different zones and give each service its own IP address:
rdr rtls0 0/0 port 80 -> 10.10.10.2 port 80 tcp
h2. Modify the network configuration of a running zone
The ifconfig(1M) command can be used in the global zone to modify a zone's existing network configuration or to add new logical interfaces to a zone.
global# ifconfig rtls0 addif 192.168.200.202 zone zone100
global# ifconfig rtls0 removeif 192.168.200.202
h2. Prevent a 'fork bomb' from affecting all of the zones
# zonecfg -z bad
add rctl
set name=zone.max-lwps
add value (priv=privileged,limit=1000,action=deny)
end
That caps the zone's processes at a total of 1000 LWPs at any one time, so a fork bomb inside that zone cannot exhaust the whole system.
h2. Change the hostname in Solaris 10
Change the hostname in the following files:
/etc/nodename
/etc/hostname.*interface*
/etc/inet/hosts
/etc/inet/ipnodes
and rename directory under /var/crash
# cd /var/crash
# mv oldname newname
then reboot the server.
h2. Allow a user to bind ports below 1024
# usermod -K defaultpriv=basic,net_privaddr myuser
See _/etc/user_attr_ for the current settings.
h2. Memory usage
$ echo "::memstat" | sudo mdb -k