UNIX System Administration Handbook - Evi Nemeth [190]
Third-party software packages can provide both NAT and IP filtering for Solaris. Our favorite is the IPFilter suite, which not only does IP filtering and NAT, but also transparent port forwarding. It is free, open source, and advertised to work on either SPARC or Intel hardware. It’s available from
http://cheops.anu.edu.au/~avalon/ip-filter.html
For details on configuring the IPFilter programs ipf and ipnat, see the FreeBSD section on page 333.
Checkpoint’s commercial Firewall-1 offering runs on Solaris and provides functionality similar to that of IPFilter. It’s quite pricey, however, and judging from the number of gripes we have heard about it from various web hosting sites, it might be one to research carefully before you spend lots of money.
PPP configuration for Solaris
The package that’s integrated into Solaris is “asynchronous PPP,” since it is designed to handle connections over standard serial lines, such as dial-up modems. It’s an official part of Solaris, so you don’t need to perform all the sticky steps of installing a kernel PPP module. You can verify that PPP is available with the command
# pkginfo | grep ppp
If PPP is installed, you should get a response such as
system SUNWapppr PPP/IP Async PPP daemon config files
system SUNWapppu PPP/IP Async PPP daemon, login service
system SUNWpppk PPP/IP and IPdialup Device Drivers
If PPP is not already installed, you’ll need to install it as a Solaris package. See the manual page for pkgadd for more details. Table 13.18 lists the files that configure and manage Solaris’s PPP software.
Table 13.18 PPP-related files on Solaris
The Solaris man page for aspppd claims that its log file is /etc/log/asppp.log. This is a lie; a grep on the startup files and strings on the binary show that the log file is really in /var/adm, not /etc.
We were sure that UUCP was all but dead, but alas, Solaris’s PPP uses the old UUCP config files to set up PPP servers and to manage dial-out modems. Sigh. To set up a PPP connection to a remote site, you should first add the modem and the site to the Systems, Dialers, and Devices files in the /etc/uucp directory. The details of this procedure were covered in the previous edition of this book, but they are not included in this one. If you have a copy of the second edition (red cover), you can refer to Chapter 30. Better yet, buy a terminal server and avoid all this mess.
Once the modem and remote site have been set up in the UUCP files (including a login script for the remote site in /etc/uucp/Systems), you must edit /etc/asppp.cf to configure the connection’s IP address and associate it with a Systems entry.
The following example /etc/asppp.cf illustrates a link to “ppphub” (192.225.32.1) from “myhost” (192.225.32.2).
# set IP addresses of the pseudo-interface
ifconfig ipdptp0 plumb 192.225.32.2 192.225.32.1 up
# dynamic dial-up parameters for pseudo-interface
path
    interface ipdptp0
    peer_system_name ppphub     # Same as in Systems file
    inactivity_timeout 600      # time out if idle 10 minutes
Once this file is in place, you can start the PPP daemon manually with the command
# /etc/init.d/asppp start
This step should only be necessary when you first configure PPP. On subsequent reboots, the PPP daemon will be started by init. If all goes well (check for error messages in /var/adm/log/asppp.log), you should be able to reach the remote site with commands such as ssh and ftp.
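Because a peer_system_name that has no matching Systems entry leaves the link unable to dial, it is worth cross-checking the two files before starting the daemon. The script below is an added example, not code from the book; the function names, the second peer "backuphub" on ipdptp1, and the fields of the sample Systems entry are constructed for illustration.

```shell
# Added example (not from the book): check that every peer_system_name in
# an asppp.cf has a matching entry in the UUCP Systems file.

# Print each peer_system_name value in asppp.cf file $1 (comments stripped).
asppp_peers() {
    sed 's/#.*//' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "peer_system_name") print $(i + 1) }'
}

# Print the system names (first field of each entry) in Systems file $1.
uucp_systems() {
    sed 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# Print peers in asppp.cf ($1) that have no entry in Systems ($2).
# Returns 0 if all peers resolve, 1 if any are missing.
missing_peers() {
    rc=0
    for peer in $(asppp_peers "$1"); do
        if ! uucp_systems "$2" | grep -Fqx -- "$peer"; then
            echo "$peer"
            rc=1
        fi
    done
    return "$rc"
}

# Write constructed sample files into directory $1. "backuphub" and the
# Systems fields (phone number, chat script) are made up for the demo.
make_samples() {
    cat > "$1/asppp.cf" <<'EOF'
ifconfig ipdptp0 plumb 192.225.32.2 192.225.32.1 up
path
    interface ipdptp0
    peer_system_name ppphub     # Same as in Systems file
    inactivity_timeout 600
path
    interface ipdptp1
    peer_system_name backuphub  # no Systems entry: should be reported
EOF
    cat > "$1/Systems" <<'EOF'
# name  time  type  speed  phone    chat script (placeholders)
ppphub  Any   ACU   38400  5550100  in:--in: LOGIN word: PASSWORD
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
missing_peers "$demo_dir/asppp.cf" "$demo_dir/Systems" || echo "^ peers with no Systems entry"
rm -rf "$demo_dir"
```

On a real system, pass /etc/asppp.cf and /etc/uucp/Systems as the two arguments to missing_peers.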
Networking quirks for Solaris
Solaris has two versions of the ifconfig command, one in /sbin and one in /usr/sbin. The /sbin version uses a fixed search order for name-to-IP-address lookups: it first consults /etc/hosts, and then DNS. The /usr/sbin version uses /etc/nsswitch.conf to determine the search order; this is the more normal behavior. /sbin/ifconfig is used at boot time in the expectation that the /etc/hosts file will have enough entries to get the interfaces