Modifying Network Parameters in Solaris 10
Published 2016-07-16 at https://mohan.sg/?p=6060

My reference: The Center for Internet Security (Solaris 10 Benchmarks v4.0). ndd settings do not survive a reboot, so the benchmark's network parameters are applied from a boot-time SMF service. To get the SMF service to run correctly, do the following:

mkdir -m 755 /var/svc/method
chown root:sys /var/svc/method
cd /var/svc/method

cat > cis_netconfig.sh << END
#!/sbin/sh
# Forwarding of IPv4 source-routed packets is disabled
ndd -set /dev/ip ip_forward_src_routed 0
# Forwarding of IPv6 source-routed packets is disabled
ndd -set /dev/ip ip6_forward_src_routed 0
# Reverse source routing of TCP packets is disabled
ndd -set /dev/tcp tcp_rev_src_routes 0
# Forwarding of directed broadcasts is disabled
ndd -set /dev/ip ip_forward_directed_broadcasts 0
# Size of the unestablished (half-open) TCP connection queue, raised to 4096 to resist SYN floods
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
# Size of the established TCP connection queue, raised to 1024
ndd -set /dev/tcp tcp_conn_req_max_q 1024
# Responses to ICMP timestamp requests are disabled
ndd -set /dev/ip ip_respond_to_timestamp 0
# Responses to broadcast ICMP timestamp requests are disabled
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
# Responses to broadcast ICMP netmask requests are disabled
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
# Responses to broadcast ICMP echo requests are disabled
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
# The ARP cache cleanup interval is set to 60000 milliseconds (1 min)
ndd -set /dev/arp arp_cleanup_interval 60000
# The ARP IRE scan rate is set to 60000 milliseconds (1 min)
ndd -set /dev/ip ip_ire_arp_interval 60000
# Incoming IPv4 ICMP redirects are ignored
ndd -set /dev/ip ip_ignore_redirect 1
# Incoming IPv6 ICMP redirects are ignored
ndd -set /dev/ip ip6_ignore_redirect 1
# Port 6112 is added to the list of privileged (reserved) TCP ports
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
# IPv4 strict multihoming: the system drops any packets that appear to originate from a network attached to another interface
ndd -set /dev/ip ip_strict_dst_multihoming 1
# IPv6 strict multihoming: the system drops any packets that appear to originate from a network attached to another interface
ndd -set /dev/ip ip6_strict_dst_multihoming 1
# Sending of ICMPv4 redirects is disabled
ndd -set /dev/ip ip_send_redirects 0
# Sending of ICMPv6 redirects is enabled
ndd -set /dev/ip ip6_send_redirects 1
END

chown root:sys ./*
chmod 555 ./*

Now create the service manifest for /var/svc/method/cis_netconfig.sh:

cat > cis_netconfig.xml << END
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM
"/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='CIS:cis_netconfig'>

<service
  name='site/cis_netconfig'
  type='service'
  version='1'>

  <create_default_instance enabled='true' />

  <single_instance />

  <dependency
    name='usr'
    type='service'
    grouping='require_all'
    restart_on='none'>
    <service_fmri value='svc:/system/filesystem/minimal' />
  </dependency>

<!-- Run ndd commands after network/physical is plumbed. -->
  <dependency
    name='network-physical'
    grouping='require_all'
    restart_on='none'
    type='service'>
    <service_fmri value='svc:/network/physical' />
  </dependency>

<!-- but run the commands before network/initial -->
  <dependent
    name='ndd_network-initial'
    grouping='optional_all'
    restart_on='none'>
    <service_fmri value='svc:/network/initial' />
  </dependent>

  <exec_method
    type='method'
    name='start'
    exec='/var/svc/method/cis_netconfig.sh'
    timeout_seconds='60' />

  <exec_method
    type='method'
    name='stop'
    exec=':true'
    timeout_seconds='60' />

  <property_group name='startd' type='framework'>
    <propval name='duration' type='astring' value='transient' />
  </property_group>

  <stability value='Unstable' />

  <template>
    <common_name>
      <loctext xml:lang='C'>
          CIS Network Parameter Set
      </loctext>
    </common_name>
  </template>
</service>

</service_bundle>
END

Now it is time to import the SMF service, by performing the following: svccfg import cis_netconfig.xml

When the system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date.

Note that we are creating a new script that will be executed at boot time to reconfigure various network parameters.

The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, cis_netconfig.sh will run on every system reboot to set the network parameters appropriately.

If this hinders functionality, disable the service by performing the following: svcadm -v disable svc:/site/cis_netconfig:default