Modifying Network Parameters in Solaris 10
My reference: The Center for Internet Security (Solaris 10 Benchmarks v4.0). To get the SMF service to run correctly, do the following:
mkdir -m 755 /var/svc/method
chown root:sys /var/svc/method
cd /var/svc/method
cat > cis_netconfig.sh << END
#!/sbin/sh
#IPv4 source route forwarding is disabled
ndd -set /dev/ip ip_forward_src_routed 0
#IPv6 source route forwarding is disabled
ndd -set /dev/ip ip6_forward_src_routed 0
#Reverse source routed packets are disabled
ndd -set /dev/tcp tcp_rev_src_routes 0
#Forwarding broadcasts are disabled
ndd -set /dev/ip ip_forward_directed_broadcasts 0
#Queue for unestablished (half-open) TCP connections is raised to 4096 entries (SYN flood resistance)
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
#Queue for established TCP connections awaiting accept() is set to 1024 entries
ndd -set /dev/tcp tcp_conn_req_max_q 1024
#Respond to ICMP timestamp request are disabled
ndd -set /dev/ip ip_respond_to_timestamp 0
#Respond to ICMP broadcast timestamp request is disabled
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
#Respond to ICMP netmask request is disabled
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
#Respond to ICMP echo broadcast is disabled
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
#The ARP cache cleanup interval is set to 60000 ms (1 min)
ndd -set /dev/arp arp_cleanup_interval 60000
#The IP/ARP IRE scan interval is set to 60000 ms (1 min)
ndd -set /dev/ip ip_ire_arp_interval 60000
#The IPv4 ICMP redirect is disabled
ndd -set /dev/ip ip_ignore_redirect 1
#The IPv6 ICMP redirect is disabled
ndd -set /dev/ip ip6_ignore_redirect 1
#TCP port 6112 (dtspcd) is added to the list of privileged ports so only root can bind it
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
#IPv4 strict multihoming system drops any packets that appear to originate from a network attached to another interface
ndd -set /dev/ip ip_strict_dst_multihoming 1
#IPv6 strict multihoming system drops any packets that appear to originate from a network attached to another interface
ndd -set /dev/ip ip6_strict_dst_multihoming 1
#ICMPv4 redirects are disabled
ndd -set /dev/ip ip_send_redirects 0
#ICMPv6 redirects are enabled
ndd -set /dev/ip ip6_send_redirects 1
END
chown root:sys ./*
chmod 555 ./*
Now create the service manifest for /var/svc/method/cis_netconfig.sh:
cat > cis_netconfig.xml << END
CIS Network Parameter Set
END
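The manifest body itself did not survive on this page, so here is an added example of what the cis_netconfig.xml file looks like; it is not the author's original file. It uses the method path created above and the service FMRI svc:/site/cis_netconfig referenced later on this page; the dependency on svc:/network/initial and the 60-second method timeout are assumptions.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Added example manifest, not the page author's original file -->
<service_bundle type='manifest' name='cis_netconfig'>
  <!-- svc:/site/cis_netconfig:default, matching the svcadm command on this page -->
  <service name='site/cis_netconfig' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />

    <!-- Assumption: run after the IP stack is initialised so ndd has devices to tune -->
    <dependency name='network' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/initial' />
    </dependency>

    <!-- Start method is the script stored under /var/svc/method; timeout is an assumption -->
    <exec_method type='method' name='start'
                 exec='/var/svc/method/cis_netconfig.sh' timeout_seconds='60' />
    <!-- Nothing to undo on stop; ndd settings persist until reboot -->
    <exec_method type='method' name='stop' exec=':true' timeout_seconds='60' />

    <!-- Transient: the script exits after setting parameters, no daemon stays up -->
    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient' />
    </property_group>

    <stability value='Unstable' />

    <template>
      <common_name>
        <loctext xml:lang='C'>CIS Network Parameter Set</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
```

Validate it with svccfg validate cis_netconfig.xml before importing; a DTD error here is the usual reason the service never appears in svcs output.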
Now import the SMF service by running: svccfg import cis_netconfig.xml
When the system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date.
Note that we are creating a new script that will be executed at boot time to reconfigure various network parameters.
The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh will run on every system reboot to set the network parameters appropriately.
If this hinders functionality, disable the service by running: svcadm -v disable svc:/site/cis_netconfig:default