2014年12月18日 星期四

Solaris 11 DNS Client 設定

Solaris 11 DNS Client 設定

檢查現有的DNS Client 設定
root@s11:~# svccfg -s network/dns/client listprop config
config                      application
config/value_authorization astring     solaris.smf.value.name-service.dns.client

更新 DNS Client 設定
root@s11:~# svccfg -s network/dns/client setprop config/nameserver = net_address: "(168.95.1.1  8.8.8.8)"

root@s11:~# svccfg -s network/dns/client setprop config/domain = astring: test.com.tw


root@s11:~# svccfg -s network/dns/client setprop config/search = astring: '("test.com.tw" "test1.com.tw")'


設定名稱解析順序
root@s11:~# svccfg -s name-service/switch setprop config/ipnodes = astring: '("files dns")'
root@s11:~# svccfg -s name-service/switch setprop config/host = astring: '("files dns")'




檢視DNS Client變更的設定
root@s11:~# svccfg -s network/dns/client listprop config
config                      application
config/value_authorization astring     solaris.smf.value.name-service.dns.client
config/nameserver          net_address 168.95.1.1 8.8.8.8
config/domain              astring     test.com.tw
config/search              astring     "test.com.tw" "test1.com.tw"
root@s11:~#


檢視nsswitch變更的設定
root@s11:~# svccfg -s name-service/switch listprop config
config                      application
config/default             astring     files
config/value_authorization astring     solaris.smf.value.name-service.switch
config/printer             astring     "user files"
config/ipnodes             astring     "files dns"
config/host                astring     "files dns"

匯出DNS Client 設定組態
root@s11:~# svcadm enable dns/client

root@s11:~# more /etc/resolv.conf                                    (此時檢視/etc/resolv.conf並不存在)
/etc/resolv.conf: No such file or directory

root@s11:~#  nscfg export svc:/network/dns/client:default
root@s11:~# more /etc/resolv.conf                                     (此時檢視/etc/resolv.conf已建立)

#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
#   DO NOT EDIT THIS FILE.  EDITS WILL BE LOST.
# See resolv.conf(4) for details.

domain  test.com.tw
search  test.com.tw test1.com.tw
nameserver      168.95.1.1
nameserver      8.8.8.8
root@s11:~#


root@s11:~# svcadm refresh name-service/switch
root@s11:~# cat /etc/nsswitch.conf

#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
#   DO NOT EDIT THIS FILE.  EDITS WILL BE LOST.
# See nsswitch.conf(4) for details.

passwd: files
group:  files
hosts:  files dns
ipnodes:        files dns
networks:       files
protocols:      files




root@s11:~# nscfg import -f name-service/switch:default
root@s11:~# nscfg import -f dns/client:default






===================分隔線 =========================================
此設定在 reboot 後會被清除

I. DNS client setup

1. 設定network/dns/client  SMF 服務 

# svccfg -s network/dns/client
svc:/network/dns/client> setprop config/search = astring: ("test.com.tw" "test1.com.tw")
svc:/network/dns/client> setprop config/nameserver = net_address: (168.95.1.1 8.8.8.8)
svc:/network/dns/client> exit

2. 開啟 DNS client 服務 (第一次使用需要設定)

#svcadm enable -r dns/client

3.重啟/更新 DNS client 服務 (當設定完成或是有任何更新時)

#svcadm refresh dns/client

#svcadm restart dns/client

4. 檢查設定完成後/etc/resolv.conf 是否有更新(出現紅字部份)

# more /etc/resolv.conf
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
#   DO NOT EDIT THIS FILE.  EDITS WILL BE LOST.
# See resolv.conf(4) for details.

search           cht.com.tw cht1.com.tw
nameserver      xx.xx.xx.xx
nameserver      yy.yy.yy.yy
---

II.  設定Name service switch 使用 DNS

1. 設定 system/name-service/switch SMF 服務

# svccfg -s system/name-service/switch
svc:/system/name-service/switch> setprop config/host = astring: "files dns"
svc:/system/name-service/switch>end

2. 重啟/更新 name-service/switch 服務

#svcadm refresh name-service/switch

#svcadm restart  name-service/switch

3. 檢查設定完成後 /etc/nsswitch.conf 檔案是否有更新(出現紅字部份)

# more /etc/nsswitch.conf

#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
#   DO NOT EDIT THIS FILE.  EDITS WILL BE LOST.
# See nsswitch.conf(4) for details.

passwd: files
group:  files
hosts:  files dns
ipnodes:        files dns

.

最後nslookup試試看DNS是否解析





2014年12月3日 星期三

Solaris 11 SSH 登入慢

Solaris 11 SSH login slow


# vi /etc/ssh/sshd_config
加入下面三行

LookupClientHostnames no
VerifyReverseMapping no
GSSAPIAuthentication no

# svcadm restart ssh

2014年11月17日 星期一

Solaris 11 ipfilter 防火牆


啟動客制 policy:(指定 ipf 執行時參照的設定檔;如果沒有設定此部份,必須每次手動啟動設定檔)
# svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
# svccfg -s ipfilter:default listprop firewall_config_default/policy
firewall_config_default/policy astring     custom
# svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"
# svccfg -s ipfilter:default listprop firewall_config_default/custom_policy_file
firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf
客制policy 檔案:
Run the firewall service:
# svcadm refresh ipfilter:default
# svcs -a | grep ipfilter
disabled Sep_20 svc:/network/ipfilter:default
# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: disabled since September 20, 2013 12:21:20 PM PDT
Reason: Disabled by an administrator.
 See: http://support.oracle.com/msg/SMF-8000-05
 See: man -M /usr/share/man -s 5 ipfilter
Impact: This service is not running.
# svcadm enable svc:/network/ipfilter:default
# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: online since September 23, 2013 05:46:51 AM PDT
 See: man -M /usr/share/man -s 5 ipfilter
 See: /var/svc/log/network-ipfilter:default.log
Impact: None.


啟動 IP Filter服務
# svcadm enable network/ipfilter


關閉封包過濾,允許所有網路封包通過.
# ipf -D

啟動 IP Filter.
# ipf -E


Activate packet filtering.
# ipf -f filename

(Optional) Activate NAT.
# ipnat -f filename


可以由複製/etc/nwam/loc/NoNet/ipf.conf 範例
# cp /etc/nwam/loc/NoNet/ipf.conf /etc/ipf/ipf.conf





移除kernel中啟動的rule.
# ipf -Fa
這個指令會將所有的封包過濾rule 停用.

移除流入封包過濾rule.
# ipf -Fi
這個指令會將所有流入的封包過濾rule 停用.

移除流出封包過濾
# ipf -Fo
        這個指令會將所有流出的封包過濾rule 停用.






Some Commonly used ipf commands
==================================

ipf -E                          : Enable ipfilter when running
                                : for the first time.
                                : (Needed for ipf on Tru64)

ipf -f /etc/ipf/ipf.conf        : Load rules in /etc/ipf/ipf.conf file
                                : into the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load rules in
                                : /etc/ipf/ipf.conf into active firewall.

ipf -Fi                         : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf     : Load rules in /etc/ipf/ipf.conf file
                                : into inactive firewall.

ipf -V                          : Show version info and active list.

ipf -s                          : Swap active and inactive firewalls.

ipfstat                         : Show summary

ipfstat -i                      : Show input list

ipfstat -o                      : Show output list

ipfstat -hio                    : Show hits against all rules

ipfstat -t -T 5                 : Monitor the state table and refresh every  
                                : 5 seconds. Output is similar to
                                : 'top' monitoring the process table.

Monitoring
=============


ipmon -s S                      : Watch state table.

ipmon -sn                       : Write logged entries to syslog, and
                                : convert back to hostnames and servicenames.

ipmon -s [file]                 : Write logged entries to some file.

ipmon -Ds                       : Run ipmon as a daemon, and log to
                                : default location. 
                                : (/var/adm/messages for Solaris , maybe.)
                                : (/var/log/syslog for Tru64)



參考文件:
http://blog.ls-al.com/solaris-ipfilter-pools/
http://blog.ls-al.com/solaris-11-firewall/