Configuring and Administering Oracle Solaris 11.1 Networks | Oracle Solaris 11.1 Information Library
Monitoring and Modifying Transport Layer Services
The transport layer protocols TCP, SCTP, and UDP are part of the standard Oracle Solaris package. These protocols typically need no intervention to run properly. However, circumstances at your site might require you to log or modify services that run over the transport layer protocols. Then, you must modify the profiles for these services by using the Service Management Facility (SMF), which is described in Chapter 1, Managing Services (Overview), in Managing Services and Faults in Oracle Solaris 11.1.
The inetd daemon is responsible for starting standard Internet services when a system boots. These services include applications that use TCP, SCTP, or UDP as their transport layer protocol. You can modify existing Internet services or add new services using the SMF commands. For more information about inetd, refer to inetd Internet Services Daemon.
Operations that involve the transport layer protocols include:
Logging of all incoming TCP connections
Adding services that run over a transport layer protocol, using SCTP as an example
Configuring the TCP wrappers facility for access control
For detailed information on the inetd daemon, refer to the inetd(1M) man page.
For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
# inetadm -M tcp_trace=TRUE
The SCTP transport protocol provides services to application layer protocols in a fashion similar to TCP. However, SCTP enables communication between two systems, either or both of which can be multihomed. The SCTP connection is called an association. In an association, an application divides the data to be transmitted into one or more message streams; this is referred to as multi-streaming. An SCTP connection can go to endpoints with multiple IP addresses, which is particularly important for telephony applications. The multihoming capabilities of SCTP are a security consideration if your site uses IP Filter or IPsec. Some of these considerations are described in the sctp(7P) man page.
By default, SCTP is included in Oracle Solaris and does not require additional configuration. However, you might need to explicitly configure certain application layer services to use SCTP. Some example applications are echo and discard. The next procedure shows how to add an echo service that uses an SCTP one-to-one style socket.
Note - You can also use the following procedure to add services for the TCP and UDP transport layer protocols.
The following task shows how to add an SCTP inet service that is managed by the inetd daemon to the SMF repository. The task then shows how to use the Service Management Facility (SMF) commands to add the service.
For information about SMF commands, refer to SMF Command-Line Administrative Utilities in Managing Services and Faults in Oracle Solaris 11.1.
For syntactical information, refer to the man pages for the SMF commands, as cited in the procedure.
For detailed information about SMF refer to the smf(5) man page.
Before You Begin
Before you perform the following procedure, create a manifest file for the service. The procedure uses as an example a manifest for the echo service that is called echo.sctp.xml.
Use the following syntax for the service definition.
service-name    port/protocol    aliases
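The service definition above is the /etc/services line format, and the inetd name property of the manifest you import must correspond to an entry in that file. The following shell function is an added example, not part of the Oracle Solaris documentation: it parses lines in the service-name port/protocol aliases format (comments and aliases included) and resolves a service name and protocol to its port, so you can confirm that an entry such as echo 7/sctp exists before importing the manifest. The sample file content is constructed here; on a real system you would pass /etc/services as the optional FILE argument.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.
# Parses /etc/services-style entries:  service-name  port/protocol  aliases
# and resolves a service name (or alias) plus a protocol to a port number.

# Constructed sample of /etc/services content (assumption: layout only;
# a real audit reads /etc/services itself via the FILE argument).
SAMPLE_SERVICES='#
# Network services, Internet style
#
echo        7/tcp
echo        7/udp
echo        7/sctp
discard     9/tcp       sink null
discard     9/udp       sink null
ssh        22/tcp                 # Secure Shell
'

# services_lookup NAME PROTO [FILE]
# Prints the port registered for NAME over PROTO, matching either the
# service name or any alias. Reads FILE when given, else the sample above.
# Prints nothing and returns 1 when no entry matches.
services_lookup() {
    name=$1
    proto=$2
    file=$3
    if [ -n "$file" ]; then
        input=$(cat "$file")
    else
        input=$SAMPLE_SERVICES
    fi
    port=$(printf '%s\n' "$input" | awk -v name="$name" -v proto="$proto" '
        {
            sub(/#.*/, "")                 # drop trailing comments
            if (NF < 2) next               # skip blank and comment-only lines
            split($2, pp, "/")             # pp[1] = port, pp[2] = protocol
            if (pp[2] != proto) next
            if ($1 == name) { print pp[1]; exit }
            for (i = 3; i <= NF; i++)      # remaining fields are aliases
                if ($i == name) { print pp[1]; exit }
        }')
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# services_has NAME PROTO [FILE]
# Succeeds only if an entry exists; useful as a precondition check before
# svccfg import of a manifest whose inetd "name" property is NAME.
services_has() {
    services_lookup "$@" >/dev/null
}
```

A missing echo 7/sctp line is the typical reason an imported SCTP instance fails to bind, so run services_has echo sctp /etc/services before the import step rather than after.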
Go to the directory where the service manifest is stored and type the following:
# cd dir-name
# svccfg import service-manifest-name
For a complete syntax of svccfg, refer to the svccfg(1M) man page.
Suppose you want to add a new SCTP echo service using the manifest echo.sctp.xml that is currently located in the service.dir directory. You would type the following:
# cd service.dir
# svccfg import echo.sctp.xml
# svcs FMRI
For the FMRI argument, use the Fault Managed Resource Identifier (FMRI) of the service manifest. For example, for the SCTP echo service, you would use the following command:
# svcs svc:/network/echo:sctp_stream
Your output should resemble the following:
STATE          STIME    FMRI
disabled       16:17:00 svc:/network/echo:sctp_stream
For detailed information about the svcs command, refer to the svcs(1) man page.
The output indicates that the new service manifest is currently disabled.
# inetadm -l FMRI
For detailed information about the inetadm command, refer to the inetadm(1M) man page.
For example, for the SCTP echo service, you would type the following:
# inetadm -l svc:/network/echo:sctp_stream
SCOPE    NAME=VALUE
         name="echo"
         endpoint_type="stream"
         proto="sctp"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/lib/inet/in.echod -s"
         .
         .
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE
# inetadm -e FMRI
For example, for the new echo service, you would type the following:
# inetadm | grep sctp_stream
.
.
enabled   online         svc:/network/echo:sctp_stream
Example 3-7 Adding a Service That Uses the SCTP Transport Protocol
The following example shows the commands to use and the file entries required to have the echo service use the SCTP transport layer protocol.
$ cat /etc/services
.
.
echo            7/tcp
echo            7/udp
echo            7/sctp
# cd service.dir
# svccfg import echo.sctp.xml
# svcs network/echo*
STATE          STIME    FMRI
disabled       15:46:44 svc:/network/echo:dgram
disabled       15:46:44 svc:/network/echo:stream
disabled       16:17:00 svc:/network/echo:sctp_stream
# inetadm -l svc:/network/echo:sctp_stream
SCOPE    NAME=VALUE
         name="echo"
         endpoint_type="stream"
         proto="sctp"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/lib/inet/in.echod -s"
         user="root"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE
# inetadm -e svc:/network/echo:sctp_stream
# inetadm | grep echo
disabled  disabled       svc:/network/echo:stream
disabled  disabled       svc:/network/echo:dgram
enabled   online         svc:/network/echo:sctp_stream
The tcpd program implements TCP wrappers. TCP wrappers add a measure of security for service daemons such as ftpd by standing between the daemon and incoming service requests. TCP wrappers log successful and unsuccessful connection attempts. Additionally, TCP wrappers can provide access control, allowing or denying the connection depending on where the request originates. You can use TCP wrappers to protect daemons such as SSH, Telnet, and FTP. The sendmail application can also use TCP wrappers, as described in Support for TCP Wrappers From Version 8.12 of sendmail in Managing sendmail Services in Oracle Solaris 11.1.
For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
# inetadm -M tcp_wrappers=TRUE
This man page can be found in the /usr/sfw/man directory.
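Both inetadm -M tcp_trace=TRUE (logging of incoming TCP connections, above) and inetadm -M tcp_wrappers=TRUE (TCP wrappers access control) change the inetd defaults, and the inetadm -l output shown earlier reports, per instance, whether each of these properties is FALSE and whether the value is inherited (scope default) or set on the instance. The following shell function is an added example, not part of the Oracle Solaris documentation: it audits inetadm -l style output and reports every instance whose tcp_trace or tcp_wrappers is FALSE, together with the scope, so you can tell which instances the -M default change will fix and which carry their own setting. The sample output for two instances is constructed here; a real audit would feed it the concatenated inetadm -l output of every instance through the optional FILE argument.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.
# Audits `inetadm -l` style output for the two hardening properties this
# page covers: tcp_trace (connection logging) and tcp_wrappers (access control).

# Constructed sample: `inetadm -l` output for two instances, pasted one after
# the other (assumption: only the layout matters; property values are made up).
SAMPLE_INETADM_L='SCOPE    NAME=VALUE
         name="echo"
         endpoint_type="stream"
         proto="sctp"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/lib/inet/in.echod -s"
         user="root"
default  bind_addr=""
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE
SCOPE    NAME=VALUE
         name="telnet"
         endpoint_type="stream"
         proto="tcp6"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sbin/in.telnetd"
         user="root"
         tcp_trace=TRUE
         tcp_wrappers=TRUE
'

# audit_inetd_hardening [FILE]
# Prints one line per finding:  <service-name> <property>=FALSE <scope>
# where scope is "default" when the value is inherited from the inetd
# defaults (the ones inetadm -M changes) or "instance" when the instance
# carries its own value. Returns 1 if anything was printed, 0 if clean.
audit_inetd_hardening() {
    if [ -n "$1" ]; then input=$(cat "$1"); else input=$SAMPLE_INETADM_L; fi
    findings=$(printf '%s\n' "$input" | awk '
        /^SCOPE/ { svc = "?"; next }             # header line opens a new instance block
        {
            # A line is either "<scope> name=value" or "         name=value";
            # detect which by looking for "=" in the first field.
            if (index($1, "=") == 0) { scope = $1; kv = $2 } else { scope = "instance"; kv = $1 }
            split(kv, p, "=")
            if (p[1] == "name") { svc = p[2]; gsub(/"/, "", svc); next }
            if ((p[1] == "tcp_trace" || p[1] == "tcp_wrappers") && p[2] == "FALSE")
                print svc, kv, scope
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# count_findings [FILE]: number of finding lines, for scripting thresholds.
count_findings() {
    audit_inetd_hardening "$@" | wc -l | tr -d ' '
}
```

In the constructed sample the echo instance inherits both properties, so a single inetadm -M on the defaults would turn them on; an instance reported with scope instance has overridden the default and must be changed individually.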