
Unix Linux Administration III



Presentation Transcript


  1. Unix Linux Administration III Class 4: NTP and Findutils. IPF the Solaris firewall. Perl subroutines.

  2. Agenda • Review last lecture. • Review homework • Findutils and NTP • IPF the Solaris firewall • Perl subroutines.

  3. Review: • ZFS - Zettabyte file system • Storage pools are used to aggregate devices and abstract the user from the actual underlying device. It is similar to adding memory to a machine: the host simply sees the new capacity and allocates it as necessary. • ZFS is transactional and copy-on-write: each write either completes or is rejected as a whole, so the on-disk state is always consistent. It is not literally incorruptible, but it avoids the half-written metadata of in-place file systems. • Checksums are used to verify data and, where redundancy exists, to repair it; all of this is transparent to the user.

  4. Review: • ZFS supports RAID-Z and mirroring to provide seamless recovery from disk errors. • ZFS provides snapshots, read-only copies of a file system that are simple and fast to create. • ZFS file systems are simple to create and maintain. • ZFS is bootable as of the Solaris 10 10/08 release. • To create a ZFS file system, create the storage pool first and then create a ZFS file system on it. • These file systems can be dynamically created and destroyed.

  5. Review: • list = ordered data; array = a Perl variable that holds a list. • Every array holds a list, but not every list is an array. • A list is (1,2,3) or ("value1", "value2") or ($a, $b). • The range operator builds a list: (1..10) (two dots, not three). • qw avoids the need for commas and quotes in many cases: qw( a b c ). • Array variable names follow the same rules as scalar names, except that an array is named with an @ symbol: @new_array = (1,2,3). • You can use one list to assign values to another: ($a, $b, $c) = (1, 2, 3); or ($a, $b) = ($b, $a); • If an array appears on the left-hand side of a list assignment it must be last: it absorbs all remaining values, and any variable after it is left undefined.

  6. Review: • Any element of an array can be addressed as $array[<position>], e.g. $array[2] is the 3rd element of @array (indexing starts at 0). • Create array slices with @array[1,2] (a list of selected elements, not an array of an array). • push and pop work at the end of an array. • shift and unshift work at the start of the array. • foreach $value (@array) { print "$value\n"; } • Use reverse and sort to manage array data (sort compares as strings, in ASCII order, by default). • chomp works on arrays, removing the trailing newline from each element. • You can read array data from <STDIN>: chomp(@input = <STDIN>); • Interpolation with arrays works as you expect: "@array" joins the elements with spaces.

  7. Q3, Class 4, Unit 1 What we are going to cover: • Findutils and NTP. What you should leave this session with: • How to enable Findutils • NTP client and server setup overview • Basic ntp client configuration.

  8. A few minor Solaris updates. Solaris, as you may have noticed, does not provide a locate command by default. However, findutils can help to bridge that gap.

  9. findutils Findutils provides a variety of tools, including glocate and gupdatedb. We use gupdatedb to create an index of the file system, but we should pass it a list of file system types to skip, such as proc and tmpfs. Once the initial index exists, it is a good idea to schedule nightly updates.

  10. Findutils cont. We will install findutils using OpenCSW. Findutils will be installed under /opt/csw/. Findutils provides GNU versions of locate, updatedb, xargs and find. You can add links for locate, updatedb, etc., or you can add /opt/csw/gnu to your PATH. http://www.gnu.org/software/findutils

  11. Findutils cont. updatedb indexes (catalogs) your file system so that locate can find files quickly and easily; to stay useful the index must be kept up to date. Create the initial index by running “gupdatedb”. To avoid indexing transient file systems use --prunefs, e.g. gupdatedb --prunefs="devfs proc mntfs tmpfs objfs fd hgfs" (prunefs means DO NOT index these file system types). The companion --prunepaths option skips specific directories rather than file system types.

  12. Findutils cont. Running gupdatedb with no options also works, but it will index files that are transient in nature. Schedule a cron job to maintain the locate database for you, using the same --prunefs syntax as in the last example.

  13. Solaris sudo and your editor. By default sudo resets the environment and drops EDITOR, so sudo crontab -e falls back to crontab's built-in default editor, ed. To change this, add the following line to your sudoers file (using visudo): Defaults env_keep+=EDITOR Next set your EDITOR environment variable: export EDITOR=vi Now try sudo crontab -e Keep in mind that crontab -e runs the editor as root, so anyone permitted to run it through sudo can reach a root shell through the editor's shell escape; grant it only to users you would trust with root anyway.

  14. NTP for Solaris On Solaris 10 you may find there is no default ntp.conf file, so you will need to configure and enable NTP manually. Under /etc/inet you will find sample configuration files for a server and a client (ntp.server and ntp.client). Copy the ntp.client file to ntp.conf, add some NTP servers and define a drift file, e.g. server 0.rhel.pool.ntp.org (or a pool appropriate for your site).

  15. NTP: configure and enable • sudo mv ntp.client ntp.conf • sudo vi ntp.conf • server 0.north-america.pool.ntp.org • driftfile /var/ntp/ntp.drift • Create the drift file (touch /var/ntp/ntp.drift) • Check the ntp service (svcs -xv ntp) • Enable ntp (sudo svcadm enable ntp)

  16. A few more NTP comments With the server keyword each line names one server; ntpd polls all of them and its selection algorithm picks the best one to synchronize with, so list several. With the pool keyword ntpd resolves the name to several addresses and associates with multiple members of the pool automatically, replacing members that stop responding. The iburst keyword makes the initial synchronization much faster: a burst of packets at startup instead of waiting for the normal poll interval. To see which servers you are using, run ntpq -p. The server marked with an asterisk is the one you are synchronized with; a plus sign marks other acceptable candidates.
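The following script is an added example and is not part of the slides. It writes the client ntp.conf described above with access restrictions added (the slides' sample has none), then reads ntpq -p output to confirm the daemon has actually selected a peer and to flag peers that are not fully reachable. It assumes an NTPv4 ntpd (restrict flags such as kod are v4), the drift file path from the slides, and the ntpq sample embedded below, which is constructed for the example. It uses server lines rather than pool because the interaction of the nopeer restriction with pool associations differs between ntpd versions.

```shell
#!/bin/sh
# Added example (not from the slides): write a client ntp.conf with
# access restrictions, then read `ntpq -p` output to confirm the daemon
# has selected a peer. Assumptions: NTPv4 ntpd, /var/ntp/ntp.drift as
# the drift file, and the constructed ntpq sample below.

write_ntp_conf() {
    # $1 = destination file (e.g. /etc/inet/ntp.conf)
    cat > "$1" <<'EOF'
driftfile /var/ntp/ntp.drift

# Several upstream servers so the selection algorithm has something to
# compare; iburst speeds up the initial synchronization.
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst

# Default: serve time only. noquery refuses ntpq/ntpdc queries from the
# network, nomodify refuses runtime changes, nopeer refuses unsolicited
# peering, kod rate-limits abusive clients with kiss-of-death packets.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Full access for local admin tools (ntpq -p on the host itself).
restrict 127.0.0.1
restrict -6 ::1
EOF
}

# Constructed ntpq -p output. Column 1 begins with a tally code:
# '*' system peer (synced), '+' candidate, '-' outlier,
# 'x' falseticker, ' ' rejected or not yet reachable.
NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.example.net  .GPS.            1 u   33   64  377    8.412   -0.213   0.145
+ntp1.example.net  10.0.0.5         2 u   20   64  377   12.080    0.551   0.302
 ntp2.example.net  .INIT.          16 u    -   64    0    0.000    0.000   0.000'

ntp_synced_peer() {
    # Reads ntpq -p output on stdin and prints the selected peer (the
    # line whose first character is '*'); exit status 1 if none.
    awk 'substr($0, 1, 1) == "*" { print substr($1, 2); found = 1 }
         END { exit found ? 0 : 1 }'
}

ntp_unreachable_peers() {
    # Prints peers whose reach register (column 7) is not 377, i.e. the
    # last eight polls did not all succeed, with the tally code stripped.
    awk 'NR > 2 {
             name = $1
             if (name ~ /^[*+x#.o-]/) name = substr(name, 2)
             if ($7 != "377") print name
         }'
}

# Stand-alone demo against the constructed sample: sh this_script demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$NTPQ_SAMPLE" | ntp_synced_peer ||
        echo "WARNING: not synchronized to any peer" >&2
    printf '%s\n' "$NTPQ_SAMPLE" | ntp_unreachable_peers
fi
```

On a real host pipe the live output in instead of the sample: ntpq -p | ntp_synced_peer. A host that has been up for a while with no asterisk, or with every peer showing reach 0, is usually blocked by a firewall from reaching UDP port 123 or has the wrong server names.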

  17. Review: locate and updatedb can be installed quickly using OpenCSW. sudo removes many environment variables, but selected ones can be kept with env_keep. NTP is not enabled by default. Sample client and server NTP configurations are provided under /etc/inet. pool vs server.

  18. In class lab 4a • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

  19. Q3, Class 4, Unit 2 What we are going to cover: • The Solaris IPF firewall. What you should leave this session with: • IPF packet flow and controls. • How to administer your IPF firewall.

  20. IPF • The Solaris firewall is based on an open-source project, IP Filter. • Solaris IP Filter replaces the previous product, SunScreen, as the default firewall solution. • IP Filter is open-source software written primarily by Darren Reed.

  21. Basic IPF features • The Solaris firewall provides packet filtering by IP address, port, protocol, network interface, and traffic direction. • The Solaris firewall can filter by individual source or destination or by a range of addresses. • The Solaris firewall can do NAT, PAT, and stateful packet inspection. • IPF supports both IPv4 and IPv6 networks.

  22. NAT overview with IPF • NAT rules set up mappings that translate source and destination IP addresses into other internet or intranet addresses; NAT can also redirect traffic from one port to another. • NAT maintains the integrity of the packet (recomputing checksums) during any modification or redirection applied to it. • NAT rules are loaded with ipnat, normally from /etc/ipf/ipnat.conf. • We will not be working with NAT rules.

  23. IPF address pools. • Address pools establish a single reference that is used to name a group of address/netmask pairs. • These pools reduce the time needed to match IP addresses to rules and assist in reducing complexity in large groups of addresses. • The address pool configurations that you want to be loaded at boot time should be kept in /etc/ipf/ippool.conf. • Address pool configurations can be loaded at any time using the ippool command.

  24. Basic IPF configuration • As you may expect, Solaris IPF is managed by SMF (svc:/network/pfil and svc:/network/ipfilter; the pfil service exists only on early Solaris 10 releases, later releases use packet hooks and only the ipfilter service). • IPF configurations are stored in text files. • IPF is NOT enabled by default. To change this we will have to edit configuration files and enable the service manually. • IPF supports the idea of an active and an inactive rule set. You manage the inactive rule set with ipf -I; it is not used unless you activate it (ipf -s swaps the two).

  25. IPF configuration cont. • IPF can be used to provide firewall services or NAT services. • configuration files stored under /etc/ipf/ are read at boot. • examples are ipf.conf, ipnat.conf, ippool.conf • The Solaris firewall configuration abides by common UNIX conventions such as the # sign and ignoring extra white space.

  26. IPF known issues • IP network multipathing (IPMP) supports stateless filtering only. • IPMP is the Solaris built-in load-balancing and fault-tolerance solution. • Sun Cluster configurations do NOT support filtering with IPF. • Filtering between zones that share an IP stack is not supported by IPF unless you enable loopback filtering (set intercept_loopback true; in ipf.conf).

  27. The Solaris firewall - components The Solaris IP Filter (F/W) provides a set of user-level utilities programs and two kernel modules: • ipf • pfil ipf is the core packet filtering and NAT logic module. It uses the pfil module to hook into the system and access each IP packet.

  28. The Solaris firewall - utilities ipf – used to add and remove filter rules ipfs – saves and restores the state table (and NAT table) across a reboot; rules persist because /etc/ipf/ipf.conf is reloaded at boot, not because of ipfs ipfstat – reports rules, state and statistics ipmon – reads the firewall log device and writes records to a file or to syslog ipnat – used to add and remove NAT rules ippool – used to manage the address pools subsystem.

  29. The Solaris firewall – filter rules Basic syntax for rules is: • action direction packet-description Rules are read top to bottom. By default a packet is checked against ALL rules and the LAST match is applied. To block all traffic from one subnet: • block in from 192.168.4.0/24 to any If no netmask is given, /32 is assumed.

  30. IPF filter rules • IPF evaluates the rule set in its entirety and the LAST match takes effect. The default policy is to ALLOW: packets that match no rule pass through the filter. Under last-match semantics a default-deny rule set therefore starts with a catch-all block (block in all) and follows it with the more specific pass rules; a catch-all block placed last would override every pass rule above it. • There are two exceptions to this process: if a matching rule carries the "quick" keyword, its action is taken immediately and no further rules are checked. • The other exception is the "group" keyword: if a packet matches a rule that heads a group, only the rules in that group are checked next.

  31. Solaris firewall “quick” The quick keyword (part of IP Filter itself, not a Sun addition) changes the default last-match behavior: when a rule with quick matches, its action is applied immediately and no other rules are checked. # block any short fragmented packets # which are very unlikely to be real. block in log quick all with short

  32. Adding rules • rules can be added at the command line with ipf or via the configuration files. • You can manage the inactive ruleset using ipf -I, this rule set will not be used unless activated. *Remember rules stored under /etc/ipf/ are read in at boot time by default.

  33. Basic rule syntax Rules are created using: action [in|out] [options] [keyword ...]. Common actions include • block • pass • log (records the packet without deciding its fate) • count - includes the packet in the filter statistics, which can be viewed with ipfstat • skip • auth • preauth

  34. Rule sample • After the action you must define either in or out, according to whether the packet is inbound or outbound. • Next you can apply options; if you choose more than one, the order is significant (for example, log comes before quick, and both come before on <interface>). • A simple rule sample might be • block in quick from 192.168.0.0/16 to any • This blocks any inbound packet from the 192.168/16 network.

  35. Base ipf.conf • If there is no ipf.conf file the firewall acts as though the rule set is: • pass in all • pass out all • If you want to configure NAT or pools, use ipnat.conf or ippool.conf respectively. • To log all packets update the previous lines to: • pass in log on <interface> all • pass out log on <interface> all
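Because the default policy is ALLOW and the last match wins, the two mistakes that matter most are forgetting the catch-all block and locking yourself out of SSH. The script below is an added example, not from the slides: it writes a default-deny ipf.conf in the rule syntax shown above and checks a rule file for both mistakes before you load it. The interface name e1000g0 (taken from the slides' output) and the admin network 192.168.4.0/24 are assumptions; override them with the IFACE and ADMIN_NET environment variables.

```shell
#!/bin/sh
# Added example (not from the slides): generate a default-deny
# /etc/ipf/ipf.conf and sanity-check a rule file before loading it.
# IFACE and ADMIN_NET are assumptions for this example.

IFACE=${IFACE:-e1000g0}
ADMIN_NET=${ADMIN_NET:-192.168.4.0/24}

write_ruleset() {
    # $1 = destination file, e.g. /etc/ipf/ipf.conf
    cat > "$1" <<EOF
# Catch-all blocks come FIRST: under last-match semantics they only win
# when nothing below matches, which makes them the policy of last resort.
# Placed last they would override every pass rule above them.
block in log all
block out log all

# Never filter loopback.
pass in quick on lo0 all
pass out quick on lo0 all

# Drop fragments too short to hold a full header (rule from the slides).
block in log quick all with short

# Management SSH only from the admin network. 'flags S' matches the
# initial SYN; 'keep state' admits the rest of the connection, including
# the replies, without any further rules.
pass in quick on $IFACE proto tcp from $ADMIN_NET to any port = 22 flags S keep state

# Outbound DNS, NTP, TCP and ICMP from this host, with state for replies.
pass out quick on $IFACE proto udp from any to any port = 53 keep state
pass out quick on $IFACE proto udp from any to any port = 123 keep state
pass out quick on $IFACE proto tcp all flags S keep state
pass out quick on $IFACE proto icmp all keep state
EOF
}

active_rules() {
    # Print the rules in $1 with comments and blank lines removed.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

check_ruleset() {
    # Returns 0 if $1 is a default-deny rule set that still admits SSH,
    # 1 otherwise (reason on stderr). Catches the two classic mistakes:
    # relying on the ALLOW default, and locking yourself out remotely.
    first=$(active_rules "$1" | head -n 1)
    case "$first" in
        *quick*)
            echo "catch-all block must not be quick: nothing after it would run" >&2
            return 1 ;;
        "block in "*" all"|"block in all") ;;
        *)
            echo "first rule is not a catch-all 'block in ... all': '$first'" >&2
            return 1 ;;
    esac
    if ! active_rules "$1" | grep -q 'pass in .*port = 22 .*keep state'; then
        echo "no stateful pass-in rule for SSH (port 22): remote lockout risk" >&2
        return 1
    fi
    return 0
}
```

Logging on the catch-all rules is what you want in a lab; on a busy host, restrict logging to the rules you need to audit and let ipmon and syslog keep up. After check_ruleset passes, load the file with ipf -Fa -f and confirm with ipfstat -io.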

  36. Running a quick test • First view the currently loaded rules: • ipfstat -io • Flush the current rule set and load a new one: • ipf -Fa -f /etc/ipf/ipf.conf • Check the status again: [ angus ~ ] $ sudo ipfstat -io pass out log on e1000g0 all pass in log on e1000g0 all

  37. How to enable IPF • First you will need root access to enable IPF (or assume the appropriate role). • Next you will need to create a packet filtering rule set and any other rule sets you want to use such as a NAT rule set or address pool set. • Activate the IPF • svcadm enable network/ipfilter

  38. IPF administration • If you have disabled IPF you can re-enable it by rebooting (drastic) or by running ipf -E, then ipf -f <filename> to read in the configuration file. • ipf -E • ipf -f <filename> • To remove the active rule set from the kernel: • ipf -Fa • Note that flushing the rules does not turn the filter off: with an empty rule set the default pass-all policy applies. ipf -D disables the filter itself, and svcadm disable network/ipfilter is the supported way to stop it. • You can also flush only the inbound rules • ipf -Fi • or only the outbound rules • ipf -Fo

  39. IPF admin cont. • View the active packet filtering rules using: • ipfstat -i # inbound rules • ipfstat -o # outbound rules • or both • ipfstat -io • To review the inactive rule set: • ipfstat -I -io • If your rule set is not kept under /etc/ipf you can flush the current rules and load the alternate file in one command: • ipf -Fa -f filename • -Fa flushes all filter rules; use -Fi to flush only the inbound rules or -Fo for only the outbound rules.

  40. IPF admin cont. • You can switch between the active and inactive rule sets using • ipf -s • This makes the inactive set active and vice versa, which is useful for staging: load the new rules with ipf -I -f file, review them with ipfstat -I -io, then swap. • Use ipfstat -I -io and ipfstat -io to monitor the inactive and active rule sets respectively. • Use ipfstat to view the state table: -t gives a top-style display and -s gives state statistics • ipfstat -t, ipfstat -s
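The inactive rule set and ipf -s together give you a safe way to change rules over the same SSH session those rules protect: stage the new set, swap it live, and swap back automatically unless you confirm the change. The script below is an added example and is not part of the slides. It assumes ipf lives at /usr/sbin/ipf, a 90-second grace period, a confirmation marker under /var/run and the boot-time rule file /etc/ipf/ipf.conf; all four are variables so they can be overridden (and so the logic can be exercised with a stub in place of the real ipf).

```shell
#!/bin/sh
# Added example (not from the slides): load new rules into the INACTIVE
# set, swap them live with `ipf -s`, and swap back automatically unless
# the change is confirmed within GRACE seconds. The paths and the grace
# period are assumptions; IPF is a variable so a stub can stand in.

IPF=${IPF:-/usr/sbin/ipf}
GRACE=${GRACE:-90}
CONFIRM_FILE=${CONFIRM_FILE:-/var/run/ipf.confirmed}
IPF_CONF=${IPF_CONF:-/etc/ipf/ipf.conf}

stage_and_swap() {
    # $1 = new rule file. Returns 2 if it is unreadable, 3 if loading
    # into the inactive set fails, 4 if the swap fails, 0 on success.
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    rm -f "$CONFIRM_FILE"
    # Flush and reload the inactive set only; the live rules are
    # untouched, so a syntax error here costs nothing.
    "$IPF" -I -Fa -f "$1" || return 3
    # Atomic switch: inactive becomes active and vice versa. The old
    # rules are now the inactive set, ready to be swapped straight back.
    "$IPF" -s || return 4
    # Watchdog: if nobody confirms within GRACE seconds, swap back.
    # SIGHUP is ignored so the watchdog survives the SSH session being
    # cut off by the very rules it just activated.
    ( trap '' HUP
      sleep "$GRACE"
      [ -f "$CONFIRM_FILE" ] || "$IPF" -s ) >/dev/null 2>&1 &
    echo "new rules live; confirm within ${GRACE}s or they are swapped back"
    return 0
}

confirm_rules() {
    # Stop the watchdog from rolling back.
    touch "$CONFIRM_FILE"
}

commit_rules() {
    # $1 = the rule file that was staged. Confirm it and make it the
    # boot-time rule set so the change survives a reboot.
    confirm_rules
    cp "$1" "$IPF_CONF"
}

rollback_now() {
    # Manual rollback before the grace period ends.
    confirm_rules
    "$IPF" -s
}
```

Typical use from a remote shell: stage_and_swap /tmp/new.conf, test that you can still open a second SSH session, then commit_rules /tmp/new.conf. If the session hangs instead, wait out the grace period and the previous rules return on their own. Note that rollback_now sets the marker first so the watchdog does not swap a second time.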

  41. logging • Back up your /etc/syslog.conf file and then add something like the following (tab between the columns, not spaces; comments must start a line, syslog.conf does not allow trailing comments): # ipfilter log data, ipmon logs to syslog as facility local0 local0.debug /var/log/ipf.log • Create the log file using touch • touch /var/log/ipf.log • Restart the syslog service • svcadm restart system-log • Records only reach syslog while ipmon is running with its syslog option (ipmon -Ds).

  42. Logging continued. Once you have logging enabled you need to define what to log. Remember that one of the keywords was "log": pass in log on e1000g0 all Now tail /var/log/ipf.log. Logging every passed packet is fine for a lab; in production log the block rules and keep pass logging for the few rules you need to audit.

  43. Review • Based on the IP Filter firewall, written by Darren Reed. • Replaces SunScreen as the default solution. • Packet filtering by IP address, port, protocol, network interface, and traffic direction. • Supports NAT, PAT and stateful packet inspection. • Managed using SMF (svcadm disable|enable pfil|ipfilter); check with svcs -x ipfilter. • Configurations are stored in text files under /etc/ipf/ and read in at boot. • ipf is the core filter module; pfil provides the system hooks. • Utilities include ipf, ipfs, ipfstat, ipmon, ipnat, ippool. • Basic firewall syntax: action, direction, packet. • block in from <address> to <address> • Rules are read from top to bottom and the LAST match is applied; the default is ALLOW. • The exceptions to this rule are the keywords quick and group.

  44. Review • Enabling IPF requires root access or the appropriate role. Next create an ipf.conf rule set and finally activate IPF. • You can enable IPF using • ipf -E, and load a specific configuration using ipf -f <filename>. • Flush the rules using ipf -Fa (use ipf -D or svcadm disable network/ipfilter to actually stop filtering). • Monitor ipf state using ipfstat -t, ipfstat -s. • Enable logging: update syslog.conf to include • local0.debug /var/log/ipf.log (tab between the columns; comments on their own lines). • Create the log file • sudo touch /var/log/ipf.log • Restart the syslog service • svcadm restart system-log • Include the "log" keyword in your ipf rules • pass in log on e1000g0 all

  45. In class lab 4b • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

  46. Q3, Class 4, Unit 3 What we are going to cover: • Perl subroutines. What you should leave this session with: • How subroutines allow you to reuse code • Perl pragmas

  47. Perl: subroutines Subroutines are user-defined functions. Subroutines are identified with an ampersand (the & is usually optional). Just as we saw with scalars ($) and arrays (@), a subroutine (&) can have the same name as one of these variables without conflicting; however, this may be confusing.

  48. Subroutines: user defined functions Just like subroutines in other languages, a subroutine allows code in your script to be reused. Format: sub subroutine_name { statements; } sub say_hello { print "Hello World\n"; }

  49. Placing your subroutine Your sub can be anywhere in the script; location is unimportant. I tend to place mine at the bottom of my scripts. If you have two subs with the same name in the same script, the last one wins, but with warnings enabled (use warnings; or perl -w) Perl reports the redefinition.

  50. Calling all subs Ways you can invoke or call your subroutine: Add () to the end of the name: sub_routine(); $value = sub_routine(); &sub_routine; Note that the ampersand form without parentheses, &sub_routine;, passes the caller's current @_ through to the subroutine instead of an empty argument list, so prefer sub_routine() unless you want that behavior. Older versions of Perl supported do sub_routine, but this form was deprecated and has since been removed.
