=======================================================================
How to replace Sun's Solaris 10 version of pfil/ipfilter, for Releases
U3 and earlier, with Darren Reed's public-domain release
(last revised October 10, 2007)
=======================================================================

Disclaimers: Think hard before doing this change!

  * You are advised to test this on a non-production system first.
  * You give up any Sun Support for ipfilter if you do this.

=======================================================================

If you replaced Sun's version with the public-domain version and decide
to revert to Sun's version then see the bottom of this file for
directions on going back.

=======================================================================

As of the Solaris 10 release of August 2007 ("U4"), pfil has been
replaced with direct function calls out of ipfilter. The pfil kernel
module is gone as of U4 and later.

Says Darren Reed:

    To upgrade IPFilter in S10U4 and beyond to my home grown stuff,
    there is a "replace" script in the SunOS5 directory. The latest
    version of this can be found at:

    http://ipfilter.cvs.sourceforge.net/ipfilter/ipfilter/SunOS5/replace?hideattic=0&view=log

    click on the "download" for version 1.1.2.4.

    It should be used by executing it as:

        SunOS5/replace

    (verify what it wants to do) and then:

        SunOS5/replace -f

=======================================================================

Note: if you install Solaris 10 via Jumpstart and you want to remove
Sun's version of ipfilter via Profile commands, eg:

    package SUNWipfr delete    # Sun IP Filter
    package SUNWipfu delete    # Sun IP filter

then the Jumpstart install will complain that these are required
packages and won't remove them. Bummer.

0) Go get the latest version of ipfilter and pfil from Darren's website:

    http://coombs.anu.edu.au/~avalon/ip_fil4.1.13.tar.gz
    http://coombs.anu.edu.au/~avalon/pfil-2.1.10.tar.gz

   Note: pfil can be a PITA to find on the ipfilter webpage.
   Try looking in: http://coombs.anu.edu.au/~avalon/ipf-mentat.html

1) Note the type of the network interface that your machine has:

    ifconfig -a

   The network interfaces are to the left of the colons. You should see
   "lo0" (aka, loopback) and one or more other interfaces, eg "hme0" or
   "ce0" or "bge0".

   If you have a bge interface (eg, SunFire V210), then you may have NAT
   problems with ipfilter unless you add the following to /etc/system:

    set ip:dohwcksum=0

   This turns off hardware checksumming, which is on by default with bge
   interfaces.

2) Note the versions of the Sun software you are about to remove and
   check the status of Sun's version of ipfilter and pfil (per Darren's
   advice on the list) before disabling them in step 4.

   To note the version numbers and other information:

    modinfo | grep pfil
    pkginfo | grep ipf
    modinfo | grep ipf
    pkginfo -l SUNWipfr
    pkginfo -l SUNWipfu

   To check the status:

    svcs -x ipfilter
    svcs -x pfil

   If either of these commands gives errors, then you should get the
   problems fixed before proceeding further. If you can't figure it out,
   then call Sun support because it is Sun's version. :)

   Also check that Sun's version of pfil loads correctly:

    ifconfig ce0 modlist        (use your network interface)

   and see if pfil is in the list between "ip" and your network
   interface. If it isn't, then check that your interface type is
   uncommented in /etc/ipf/pfil.ap, reboot, try again.

   Don't proceed further until you are convinced that Sun's version of
   ipfilter/pfil is working correctly.

3) Export your service configurations for pfil and ipfilter, in case
   they get zapped and you need them back later:

    svccfg export network/pfil > /var/tmp/pfil.svc
    svccfg export network/ipfilter > /var/tmp/ipfilter.svc

   See the troubleshooting discussion at the bottom as to why you might
   need this. For Sun installs of Solaris 10 2006-01 or later you will
   need this.

4) Disable the two services:

    svcadm -v disable pfil
    svcadm -v disable ipfilter

   and reboot.
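Steps 3 and 6 are the point of no return: once step 7 removes the Sun packages, a missing export or an unsaved pfild means the recovery described under Troubleshooting at the bottom. The following is an added example, not part of the original writeup and not Sun's or Darren Reed's code, that does the step 3 exports and the step 6 copies as one gate and stops if any source file is absent or any export comes back empty (an empty "svccfg export" is what you get when the service has vanished from the repository). The preflight function uses the real paths from steps 3 and 6; SVCCFG is an assumed override of the command name so the export logic can be exercised with a stand-in, and the demonstration at the bottom runs on a scratch directory with constructed files rather than on the real system.

```shell
#!/bin/sh
# Added example, not part of the original writeup: the step 3 exports and
# step 6 copies as one gate. Nothing is removed; if anything is missing
# the functions return non-zero so the wrapper stops before step 7.

# save_copies SUFFIX FILE...
# Copies each FILE to FILE<SUFFIX> (e.g. /usr/sbin/pfild -> pfild.dist).
# Returns 1 if any FILE is missing/empty or its copy did not land.
save_copies() {
    suffix=$1; shift
    failed=0
    for src in "$@"; do
        if [ ! -s "$src" ]; then
            echo "MISSING: $src (nothing to save; do not pkgrm yet)" >&2
            failed=1
            continue
        fi
        if cp -p "$src" "$src$suffix" && [ -s "$src$suffix" ]; then
            echo "saved $src -> $src$suffix"
        else
            echo "COPY FAILED: $src" >&2
            failed=1
        fi
    done
    return $failed
}

# export_services OUTDIR SERVICE...
# Writes "svccfg export SERVICE" to OUTDIR/<name>.svc. An empty export
# (service gone from the repository) is a failure. SVCCFG is an assumed
# override of the command name so a stand-in can be used off-host.
export_services() {
    outdir=$1; shift
    failed=0
    for svc in "$@"; do
        out="$outdir/${svc##*/}.svc"
        if ${SVCCFG:-svccfg} export "$svc" > "$out" 2>/dev/null && [ -s "$out" ]; then
            echo "exported $svc -> $out"
        else
            echo "EXPORT FAILED: $svc (check 'svcs -a | grep ${svc##*/}')" >&2
            failed=1
        fi
    done
    return $failed
}

# preflight: the real step 3 + step 6 gate on a Solaris 10 host.
preflight() {
    export_services /var/tmp network/pfil network/ipfilter &&
    save_copies .dist /lib/svc/method/pfil /lib/svc/method/ipfilter \
                      /etc/ipf/pfil.ap /usr/sbin/pfild &&
    echo "all exports and copies in place; safe to go on to step 7"
}

# Demonstration on a scratch directory with constructed stand-in files;
# pfild is deliberately absent so the gate is seen refusing.
demo() {
    d=${TMPDIR:-/tmp}/ipf-save.$$
    mkdir -p "$d"
    printf '#!/sbin/sh\n# stand-in for the Sun pfil method script\n' > "$d/pfil"
    printf '#bge\t-1\t0\tpfil\n' > "$d/pfil.ap"
    if save_copies .dist "$d/pfil" "$d/pfil.ap" "$d/pfild"; then
        echo "unexpected: gate passed without pfild"
    else
        echo "gate stopped: a source file is missing, as intended"
    fi
    rm -rf "$d"
}
demo
```

On the Solaris host, run `preflight` as root instead of `demo`; it returns non-zero and prints what is missing, and only then should step 7 be started.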
5) Check that the kernel modules are not loaded after the reboot:

    modinfo | grep ipf
    modinfo | grep pfil

   You should get no output.

   Note that with Solaris 10-03/05 with Sun Update Connection installed
   and patches installed from that, I had a near impossible time
   modunloading pfil on some machines. Even in single-user mode, it
   would not unload, saying "can't unload the module: Device busy".
   However it would meekly disappear on other systems. Strange. I did
   step 6 below, rebooted, pfil still loaded. Then I did step 5 and pfil
   finally went away.

6) Save copies of some of the Sun ipfilter files before removing the Sun
   packages -- removing the Sun packages will remove these files and you
   will need them to launch the public-domain versions of pfil and
   ipfilter. So save a copy:

    cp /lib/svc/method/pfil /lib/svc/method/pfil.dist
    cp /lib/svc/method/ipfilter /lib/svc/method/ipfilter.dist
    cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist
    cp /usr/sbin/pfild /usr/sbin/pfild.dist

   Note! In this writeup, you should NOT have to fiddle with these files
   (ie, change paths) but if you do then you will know what you changed.

7) Remove the Sun IP filter packages:

    pkgrm SUNWipfu
    pkgrm SUNWipfr

   Reboot, otherwise pfil will complain when you install it. Then get
   pfild back into place, else ipfilter will not start later on:

    cp /usr/sbin/pfild.dist /usr/sbin/pfild

8) Did the /lib/svc/method files for pfil and ipfilter get removed after
   the pkgrm? If so, then get these files back in place:

    cp /lib/svc/method/pfil.dist /lib/svc/method/pfil
    cp /lib/svc/method/ipfilter.dist /lib/svc/method/ipfilter

   Otherwise pfil and ipfilter won't start later on.

9) Build and install pfil 2.1.x and ipfilter 4.1.x per the instructions
   that come in the tarfiles. Follow the instructions carefully. Make
   sure the previous pfil driver is unloaded before attempting to
   install pfil 2.1.x.

   NOTE!!! Make sure that PFILDEBUG is removed from the pfil Makefile
   before building and installing pfil.
   If pfil is in debug mode then network performance (eg, backups) will
   take a hit. Thanks to Andrew Wenlang Zhu for this tip.

   After installation, remove the Solaris 9 era startup scripts because
   they are not needed (pfil and ipfilter will be started by SMF via
   svcadm, using the method scripts you saved in step 6 and the service
   configurations you exported in step 3):

    rm /etc/rc2.d/S65ipfboot
    rm /etc/rc2.d/S10pfil
    rm /etc/rcS.d/S10pfil
    rm /etc/init.d/ipfboot
    rm /etc/init.d/pfil

   NOTE!!! The config files for the public-domain version live in
   /etc/opt/ipf, while Sun's config files live in /etc/ipf. This can
   lead to confusion, because the svc method scripts that you saved in
   step 6 still refer to Sun's config file path. You should use /etc/ipf
   for the sake of consistency with Solaris 10.

10) Get pfil configured for your network devices. You have two choices
    here:

    (a) Copy the public-domain version of the pfil config file to the
        Sun directory (this version should already be configured
        properly for your machine), or
    (b) Edit the Sun version of the pfil config file and uncomment the
        network devices for your system.

    Both choices rely on the fact that pfil will be started via Sun's
    svc scripts.

    Choice (a) involves:

     # cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist
     # cp /etc/opt/pfil/iu.ap /etc/ipf/pfil.ap

    Choice (b, recommended) involves:

     # cp /etc/ipf/pfil.ap.dist /etc/ipf/pfil.ap
     # vi /etc/ipf/pfil.ap           (uncomment appropriate devices)

    Then enable the pfil service:

     # svcadm -v enable pfil

    Make sure that the service started by checking the kernel modules:

     # modinfo | grep pfil
     188 139a8f8 6450 - 1 pfil (pfil Streams module 2.1.8)
     188 139a8f8 6450 229 1 pfil (pfil Streams driver 2.1.8)

    This should show the public-domain version, not Sun's version.

    If you have problems, take a look at /lib/svc/method/pfil. Make sure
    that the PFILAP variable matches the network device config file.
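    The pfil.ap editing in choice (b), and the modlist check that
    follows it (the same check as in steps 2 and 13), can be scripted so
    that the two mistakes step 12 lists (wrong device uncommented, wrong
    file edited) cannot happen silently. The following is an added
    example, not part of the original writeup and not Sun's or Darren
    Reed's code: it derives driver names from "ifconfig -a" output,
    uncomments those drivers in a pfil.ap file, and checks that pfil
    sits between "ip" and the driver in "ifconfig IF modlist" output.
    The functions take captured command output and a file path, so the
    demonstration at the bottom runs against constructed samples on any
    POSIX shell. The sample pfil.ap layout ("#driver -1 0 pfil" per
    line, all commented out) and the sample ifconfig/modlist text are
    assumptions; compare them with your own /etc/ipf/pfil.ap.dist before
    using the script on a real host.

```shell
#!/bin/sh
# Added example, not part of the original writeup: prepare pfil.ap from
# the interfaces "ifconfig -a" reports and verify pfil's place in
# "ifconfig IF modlist". Works on captured output so it can be tried on
# the constructed samples below; on the Solaris host feed the real output.

# drivers_from_ifconfig IFCONFIG_A_OUTPUT
# Prints each driver name once (interface name minus the instance number),
# skipping the loopback. "ce0" and "ce0:1" both yield "ce".
drivers_from_ifconfig() {
    printf '%s\n' "$1" \
      | sed -n 's/^\([a-z][a-z0-9]*[a-z]\)[0-9][0-9]*:.*/\1/p' \
      | grep -v '^lo$' | sort -u
}

# enable_pfil_ap PFIL_AP_FILE DRIVER...
# Uncomments the "#drv -1 0 pfil" line for every DRIVER given. A driver
# with no line at all is reported on stderr and makes the function
# return 1 instead of silently leaving the device unfiltered.
enable_pfil_ap() {
    ap=$1; shift
    rc=0
    for drv in "$@"; do
        if grep -q "^#*${drv}[[:space:]]" "$ap"; then
            sed "s/^#*\(${drv}[[:space:]]\)/\1/" "$ap" > "$ap.new" && mv "$ap.new" "$ap"
        else
            echo "WARNING: no entry for driver '$drv' in $ap; add one by hand" >&2
            rc=1
        fi
    done
    return $rc
}

# pfil_in_modlist DRIVER MODLIST_OUTPUT
# Returns 0 when the module names read "... ip pfil DRIVER", 1 otherwise.
pfil_in_modlist() {
    names=$(printf '%s\n' "$2" | awk 'NF >= 2 { print $2 }' | tr '\n' ' ')
    case " $names" in
        *" ip pfil $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sample_pfil_ap FILE: a constructed pfil.ap in the Sun layout
# (assumed format, every driver commented out) for the demonstration.
write_sample_pfil_ap() {
    {
        printf '# IP Filter pfil autopush setup\n'
        printf '#\tmajor\tminor\tlastminor\tmodules\n'
        printf '#%s\t-1\t0\tpfil\n' hme qfe ce bge
    } > "$1"
}

# Constructed sample output (not captured from a real host).
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.11 netmask ffffff00 broadcast 192.0.2.255
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 198.51.100.5 netmask ffffff00 broadcast 198.51.100.255'
SAMPLE_MODLIST_OK='0 arp
1 ip
2 pfil
3 bge'
SAMPLE_MODLIST_BAD='0 arp
1 ip
2 bge'

demo() {
    ap=${TMPDIR:-/tmp}/pfil.ap.$$
    write_sample_pfil_ap "$ap"
    drivers=$(drivers_from_ifconfig "$SAMPLE_IFCONFIG")
    echo "drivers found: $(echo $drivers)"
    enable_pfil_ap "$ap" $drivers && echo "pfil.ap now enables:" && grep -v '^#' "$ap"
    if pfil_in_modlist bge "$SAMPLE_MODLIST_OK"; then
        echo "bge0: pfil is between ip and bge"
    fi
    if ! pfil_in_modlist bge "$SAMPLE_MODLIST_BAD"; then
        echo "bge0 (second sample): pfil missing; check $ap and reboot"
    fi
    rm -f "$ap"
}
demo
```

    On the host, the real calls are
    drivers=$(drivers_from_ifconfig "$(ifconfig -a)"),
    enable_pfil_ap /etc/ipf/pfil.ap $drivers, and after the reboot
    pfil_in_modlist bge "$(ifconfig bge0 modlist)" for each interface.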
    Also check again that the public-domain version of pfil loads into
    the tcp/ip stack correctly:

     ifconfig ce0 modlist        (use your network interface)

    and see if pfil is in the list between "ip" and your network
    interface. If it isn't, then check that your interface type is
    uncommented in /etc/ipf/pfil.ap, reboot, try again.

    If pfil still does not appear in the modlist output, then your
    service configurations for pfil and ipfilter (step 3) probably got
    zapped. If you get the output:

     # svcadm -v enable pfil
     svcadm: Pattern 'pfil' doesn't match any instances

    for either pfil or ipfilter, then your service configurations are
    gone and need to be revived from the exported copies in /var/tmp,
    eg:

     svccfg -v import /var/tmp/pfil.svc
     svccfg -v import /var/tmp/ipfilter.svc

    After this, do a "svcs -x" and/or a reboot and look for further
    problems. Before rebooting, see if you have /etc/ipf/ipf.conf. If
    you don't then at least do

     touch /etc/ipf/ipf.conf

    then reboot.

11) Get ipfilter ready to go. Put your ipf.conf and ipnat.conf files in
    the Sun ipfilter config file directory structure:

     # cp [someplace]/ipf.conf /etc/ipf
     # cp [someplace]/ipnat.conf /etc/ipf

    Edit these files as needed. Then enable the ipfilter service:

     # svcadm -v enable ipfilter

    If you have problems, look at /lib/svc/method/ipfilter and make sure
    that the variables specifying file paths match where you put your
    config files.

    NOTE!!! The configuration files for your public-domain version of
    ipfilter now live where Sun expects them to be (/etc/ipf) and not
    where the public-domain version expects them to be (/etc/opt/ipf).
    If you are used to the public-domain version, you might want to
    consider a symlink so that /etc/opt/ipf points at /etc/ipf (move any
    existing /etc/opt/ipf directory aside first, otherwise ln -s will
    create the link inside it instead of replacing it):

     ln -s /etc/ipf /etc/opt/ipf

12) Time to see if things work. Reboot from the system console so you
    can see what complaints might appear there. If you see the complaint

     ipfilter: pfil not configured for firewall/NAT operation

    during the reboot, then pfil didn't start.
    Go back to steps 8 through 10 and figure out what you did wrong.
    Possible mistakes include:

     * uncommenting the wrong device in /etc/ipf/pfil.ap
     * editing /etc/opt/pfil/iu.ap instead of /etc/ipf/pfil.ap
     * no /lib/svc/method/pfil file. See steps 6 and 8.

    Also type "svcs -x" and see what that says.

13) Check that pfil is in place. First, see that the pfil kernel modules
    are loaded:

     # modinfo | grep pfil
     101 7ba76000 6450 - 1 pfil (pfil Streams module 2.1.8)
     101 7ba76000 6450 229 1 pfil (pfil Streams driver 2.1.8)

    Then make sure that pfil is in the right place in your network
    device's configuration list:

     # ifconfig [driver] modlist         (eg, bge0 in this case)
     0 arp
     1 ip
     2 pfil      <--- this better be there, before the device name
     3 bge

    If you see these two things, then pfil is ok.

14) Check to see that ipfilter is in place and working. First check that
    the kernel module got loaded:

     # modinfo | grep ipf
     161 7b6e0000 3a288 228 1 ipf (IP Filter: v4.1.8)

    Check that ipmon is running so that ipfilter complaints get to
    syslog:

     # ps -ef | grep ipmon           (ipmon process should be running)

    Check that your ipfilter rules got loaded:

     # ipfstat -ioh

    (your ipfilter rules should show up and the counters should be
    nonzero after a while). If it says that you have empty filter sets,
    then you put ipf.conf in the wrong directory. Review step 11 (and
    the NOTE in step 9). You want things in /etc/ipf, not /etc/opt/ipf.

Troubleshooting
---------------

==> If you had problems with pfil (step 12) and you don't see ipfilter
    working like above, then ipfilter got put into "maintenance mode"
    during one of the previous reboots because pfil was down.

    Do "svcs -a | grep pfil". If you see a legacy_run pfil, then you
    didn't delete an init script in step 9.

    If ipfilter is listed as maintenance in the first column, then you
    need to clear it out of maintenance mode:

     # svcadm -v clear ipfilter
     (reboot)

    Also do "svcs -vx". It will give you more information about the
    problem. Go take a look at the logs it will refer to in
    /var/svc/log.
==> If you are running on x86 and ipfilter does not start, it may be
    because the public-domain version got installed in /sbin instead of
    /usr/sbin. The start script (/lib/svc/method/ipfilter) expects files
    to be in /usr/sbin. The quick fix:

     # cd /sbin
     # mv ipf* /usr/sbin
     # mv ipnat /usr/sbin

==> If pfil starts but ipfilter does not (see
    /var/svc/log/network-ipfilter:default.log for details) then pfild
    may be missing. If you didn't save a copy of /usr/sbin/pfild, then
    you have some work to do to get it back. Grab a copy from another
    Solaris 10 system. Or dig out your Solaris 10 install CDs (or DVD)
    and mount them. Do:

     # cd /cdrom
     # find . -name 'SUNWipfu' -print

    When this directory is found, cd to /cdrom/[path]/SUNWipfu/archive,
    and grab the "none.bz2" file:

     # cp none.bz2 /tmp                  (none.bz2 contains the file you need)
     # cd /tmp
     # bunzip2 none.bz2
     # cpio -id usr/sbin/pfild < none    (use cpio to recover the file)
     # cd /tmp/usr/sbin                  (where cpio put the file)
     # cp pfild /usr/sbin
     # cd /usr/sbin
     # chmod 555 pfild
     # chown root:bin pfild

==> If the services for pfil and/or ipfilter do not show up, ie you can
    do:

     svcs -a | grep pfil
    or
     svcs -a | grep ipf

    and you get no output, then the services have been wiped out of the
    service repository somehow (I had this happen on one machine, hence
    this note).

    First check that the svc start files /lib/svc/method/pfil and
    /lib/svc/method/ipfilter exist. If they do, try starting them by
    hand to see if they work. In my case, pfil would not start because
    ipfilter was no longer listed as a service in the repository.

    Here is what I did to get myself out of this jam. I logged into
    another Solaris 10 system that already had pfil and ipfilter
    running.
    I did the following on both my working system and broken system to
    compare services:

     svccfg list > working.list      (on the working system)
     svccfg list > broken.list       (on the broken system)

    A "diff" of these two outputs showed:

     # diff working.list broken.list
     23d22
     < network/pfil
     72d70
     < network/ipfilter

    So, the services were missing on the broken system. I used the
    working system to recover these services, by doing the following on
    the working system:

     svccfg export network/pfil > pfil.svc
     svccfg export network/ipfilter > ipfilter.svc

    Then I moved the two outputs to the broken system and did:

     svccfg -v import pfil.svc
     svccfg -v import ipfilter.svc

    After this a "svccfg list" on the broken system showed that the two
    services were now listed. Then I did "svcs -x" to see if there were
    any other problems, fixed them, and rebooted to see if services
    started.

=======================================================================

How to Revert to Sun's version of ipfilter and pfil

You will need to disable pfil and ipfilter, and then pkgrm the
public-domain versions of pfil and ipfilter. You will basically repeat
steps 1-6 above. The step of removing the public-domain version is:

    pkgrm ipfx
    pkgrm ipf
    pkgrm pfil

Now reinstall the Sun packages SUNWipfr and SUNWipfu (also check that
SUNWipfh is installed too). From a jumpstart filesystem, for instance:

    # cd /net/jumpstart/OS/Solaris_10_2006-06/Solaris_10/Product
    # ls -ld SUNWipf*
    drwxrwsr-x   5 root     staff        512 Jun  9 14:05 SUNWipfh
    drwxr-xr-x   5 root     root         512 Jun  9 13:58 SUNWipfr
    drwxr-xr-x   5 root     root         512 Jun  9 13:58 SUNWipfu
    # pkgadd -d . SUNWipfr SUNWipfu

Ok, you probably think that you are done, just reboot and pfil/ipfilter
will start, right? No way. The device drivers in /devices/pseudo will
not be there, and pfil won't be able to start. You won't be able to use
mknod to remake the devices by hand because /devices is a read-only
filesystem that you cannot mess with, even in single-user mode.
So how to recreate the missing devices? Add the following two lines into
/etc/name_to_major:

    ipf 228
    pfil 229

Put them in the proper numerical order within the file. The numbers 228
and 229 are what the modinfo output on the author's systems showed for
the ipf and pfil drivers (the fourth column; see steps 13 and 14); use
the numbers your own step 2 modinfo output recorded, and make sure
neither number is already assigned to another driver elsewhere in the
file. Then do a reconfiguration reboot (boot -r). The pseudo-devices
will get remade, the Sun pfil and ipfilter kernel modules will load, and
you should be in business.

Do steps 13 and 14 above to make sure that the kernel modules got
loaded, pfil is in the ifconfig stack, and your ipfilter rules are in
use.

=======================================================================
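The two name_to_major lines above are a place where a typo, a duplicate
entry, or a clash with an existing driver leaves you with no pfil after
the reconfiguration reboot, so it is worth doing with a check. The
following is an added example, not part of the original writeup and not
Sun's or Darren Reed's code: it reads the major numbers out of saved
modinfo output (the fourth field of the driver line, as in the output
shown in steps 13 and 14), refuses to add a name that is already present
or a major number already assigned to another driver, and inserts each
entry in numerical order. The modinfo text and the abbreviated
name_to_major used by the demonstration are constructed samples, and
228/229 are only what the writeup shows, not necessarily your system's
numbers; the real file is /etc/name_to_major.

```shell
#!/bin/sh
# Added example, not part of the original writeup: put ipf and pfil back
# into name_to_major in numerical order, with the checks a hand edit skips.
# 228/229 are the numbers the writeup shows; on your host take them from
# the modinfo output you saved in step 2 (fourth field of the driver line).

# major_from_modinfo NAME MODINFO_OUTPUT
# Prints the major number of NAME's driver line; module-only lines carry
# "-" in that column and are skipped.
major_from_modinfo() {
    printf '%s\n' "$2" | awk -v n="$1" '$6 == n && $4 ~ /^[0-9]+$/ { print $4; exit }'
}

# add_major FILE NAME MAJOR
# 0: "NAME MAJOR" inserted before the first entry with a larger major
#    (or appended at the end); 2: NAME already present, file untouched;
# 1: MAJOR already belongs to another driver, file untouched.
add_major() {
    f=$1; name=$2; major=$3
    if awk -v n="$name" '$1 == n { found = 1 } END { exit found ? 0 : 1 }' "$f"; then
        echo "$name is already in $f: $(grep "^$name " "$f")" >&2
        return 2
    fi
    owner=$(awk -v m="$major" '$2 == m { print $1 }' "$f")
    if [ -n "$owner" ]; then
        echo "major $major is already taken by $owner in $f; use the number modinfo showed" >&2
        return 1
    fi
    # Rewrite with the new "name major" line placed by numerical order.
    awk -v n="$name" -v m="$major" '
        !done && $2 + 0 > m + 0 { print n, m; done = 1 }
        { print }
        END { if (!done) print n, m }' "$f" > "$f.new" && mv "$f.new" "$f"
}

# Constructed samples (not from a real host): the modinfo lines the
# writeup shows in steps 13/14, and an abbreviated name_to_major that
# lacks the two entries.
SAMPLE_MODINFO='161 7b6e0000 3a288 228 1 ipf (IP Filter: v4.1.8)
188 139a8f8 6450 - 1 pfil (pfil Streams module 2.1.8)
188 139a8f8 6450 229 1 pfil (pfil Streams driver 2.1.8)'

write_sample_n2m() {
    printf '%s\n' 'clone 11' 'ip 12' 'tcp 42' 'bge 227' 'zcons 230' > "$1"
}

demo() {
    n2m=${TMPDIR:-/tmp}/name_to_major.$$
    write_sample_n2m "$n2m"
    for name in ipf pfil; do
        major=$(major_from_modinfo "$name" "$SAMPLE_MODINFO")
        add_major "$n2m" "$name" "$major" && echo "added $name $major"
    done
    # Re-running is harmless, and a clash with another driver is refused.
    add_major "$n2m" ipf 228 || echo "second add of ipf skipped (rc=$?)"
    add_major "$n2m" newdrv 229 || echo "newdrv refused (rc=$?)"
    echo "resulting file:"; cat "$n2m"
    rm -f "$n2m"
}
demo
```

On the host, replace the sample with
major=$(major_from_modinfo ipf "$(cat /var/tmp/modinfo.step2)") (or
whatever file you saved the step 2 output in) and call
add_major /etc/name_to_major ipf "$major" as root, then the same for
pfil, before the reconfiguration reboot.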