Sample firewall in AIX

Building a firewall under AIX is simple, but, as with any host-based firewall, it should be done carefully.
1. Prerequisites
To run a firewall in AIX you need a few packages to be installed:
- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib

2. Start/Stop
To start the firewall, execute the following commands (as root):

/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkfilt -v 4 -u -z P


To stop it, execute this command:

/usr/sbin/rmdev -l ipsec_v4

The above commands are for IPv4. For IPv6, read the IBM manual pages.
3. Write first rule
Let us permit SSH access to this machine from everywhere and log all such activity:

genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d my_local_IP -M 255.255.255.255   -g Y -c tcp -o any -p 0 -O eq -P 22 -r B -w I -l Y -f Y -i all
But we want to deny all other communication:

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d my_local_IP -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O any -P 0 -r B -w I -l N -f Y -i all

and activate the rules

mkfilt -v 4 -u
4. Check the activated rule

lsfilt -v 4 -O
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 0.0.0.0 0.0.0.0 my_local_IP 255.255.255.255 yes tcp any 0 eq 22 both both yes all packets 0 all
4 deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all

5. Final conclusion
This article is just a simple example of how to build a firewall. For more detailed information, please consult the AIX documentation.

Grow UFS in Solaris

A discussion on toolbox.com gave me the idea to write this article. The subject was a full root (/) filesystem and how to extend it. Most of the participants did not believe this is possible, but I will demonstrate how to do it. My demonstration is based on Oracle Solaris 10 Generic_142910-17 i386.

1. What is my OS

# showrev
Hostname: sun02
Hostid: 10b69b13
Release: 5.10
Kernel architecture: i86pc
Application architecture: i386
Hardware provider:
Domain:
Kernel version: SunOS 5.10 Generic_142910-17


2. Check the partition map of the hard disk
# prtvtoc /dev/dsk/c1t0d0s2
* /dev/dsk/c1t0d0s2 partition map
<snip>
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      2    00      16065   2104515   2120579   /
       1      4    00    2570400   6297480   8867879   /usr
       2      5    00          0  33495525  33495524
       3      3    01   11309760   1060290  12370049
       8      1    01          0     16065     16064


As you can see, there are unallocated cylinders after each partition (/, /usr and swap); this was arranged at installation time for the purpose of this demonstration, since a slice can only be grown into the free space that follows it.
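Before running format, it is worth checking how far each slice can actually grow. As an added example that is not part of the original article, the script below parses prtvtoc output and reports, per slice, how many whole cylinders of unallocated space follow it before the next slice (or the end of the disk). It assumes 16065 sectors per cylinder (the 255 heads times 63 sectors that format reports for c1t0d0); prtvtoc prints this figure in the header lines the article snipped, and the VTOC text is constructed from the article's listing.

```shell
#!/bin/sh
# Added example, not from the original article: before resizing slices in
# format, compute from prtvtoc output how many whole cylinders each slice can
# grow into the unallocated gap that follows it (growing past that would
# overlap the next slice). Assumes 16065 sectors per cylinder, i.e. the
# 255 heads * 63 sectors that format reported for c1t0d0; prtvtoc prints this
# figure in the header that the article snipped.

SEC_PER_CYL="${SEC_PER_CYL:-16065}"

# Constructed from the article's prtvtoc listing (header lines omitted there)
VTOC='* /dev/dsk/c1t0d0s2 partition map
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      2    00      16065   2104515   2120579   /
       1      4    00    2570400   6297480   8867879   /usr
       2      5    00          0  33495525  33495524
       3      3    01   11309760   1060290  12370049
       8      1    01          0     16065     16064'

# slice_growth VTOC_TEXT -> one line per slice: "slice first last free_cyls"
# Slice 2 (tag 5, the whole-disk backup slice) only supplies the disk end.
slice_growth() {
    printf '%s\n' "$1" | awk -v spc="$SEC_PER_CYL" '
        /^\*/ || NF < 6 { next }             # comment, header or blank line
        $2 == 5 { disk_end = $4 + $5; next } # backup slice: disk size in sectors
        { n++; id[n] = $1; first[n] = $4; last[n] = $6 }
        END {
            for (i = 1; i <= n; i++) {
                next_start = disk_end        # nearest slice start after this one
                for (j = 1; j <= n; j++)
                    if (first[j] > last[i] && first[j] < next_start)
                        next_start = first[j]
                gap = next_start - last[i] - 1
                printf "%s %d %d %d\n", id[i], first[i], last[i], int(gap / spc)
            }
        }'
}

# free_cylinders SLICE -> cylinders that slice SLICE can grow by without overlap
free_cylinders() {
    slice_growth "$VTOC" | awk -v s="$1" '$1 == s { print $4 }'
}

slice_growth "$VTOC"    # e.g. slice 0 can grow by 28 cylinders; the article used 9
```

The figures agree with the format transcript: slice 3 ends at cylinder 769 of 2085, leaving 1315 free cylinders behind swap.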

3. Check the exact sizes of the filesystems
# df -k / /usr
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c1t0d0s0    1019856  377425  581240    40%    /
/dev/dsk/c1t0d0s1    3100362 2251708  786647    75%    /usr
# swap -l
swapfile             dev  swaplo blocks   free
/dev/dsk/c1t0d0s3   30,3       8 1060280 1060280


4. Create two control files filled with random bytes, to check the integrity of the filesystems afterwards
# dd if=/dev/urandom of=/checkfileroot bs=1024 count=10240
10240+0 records in
10240+0 records out
# dd if=/dev/urandom of=/usr/checkfileusr bs=1024 count=10240
10240+0 records in
10240+0 records out


5. And get the checksums of the files
# digest -a sha1 /checkfileroot /usr/checkfileusr
(/checkfileroot) = c5ee33c68b147c58e6190a99a647a9baf35581a8
(/usr/checkfileusr) = 77bb739b734ab01a43578479ec4a3abe92e6c4bd


6. Extend slices 0, 1 and 3 by some number of cylinders, keeping the starting cylinder of each unchanged and growing only the end
# format
Searching for disks...done

AVAILABLE DISK SELECTIONS:
       0. c1t0d0 <DEFAULT cyl 2085 alt 2 hd 255 sec 63>
          /pci@0,0/pci1000,30@10/sd@0,0
Specify disk (enter its number): 0
selecting c1t0d0
[disk formatted]
Warning: Current Disk has mounted partitions.
/dev/dsk/c1t0d0s0 is currently mounted on /. Please see umount(1M).
/dev/dsk/c1t0d0s1 is currently mounted on /usr. Please see umount(1M).
/dev/dsk/c1t0d0s3 is currently used by swap. Please see swap(1M).

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        fdisk      - run the fdisk program
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show vendor, product and revision
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> p

PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        7      - change `7' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit
partition> 0
Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm       1 -  131        1.00GB    (131/0/0)   2104515
Enter partition id tag[root]:
Enter partition permission flags[wm]:
Enter new starting cyl[1]:
Enter partition size[2104515b, 131c, 131e, 1027.60mb, 1.00gb]: 140c
partition> 1
Part      Tag    Flag     Cylinders        Size            Blocks
  1        usr    wm     160 -  551        3.00GB    (392/0/0)   6297480
Enter partition id tag[usr]:
Enter partition permission flags[wm]:
Enter new starting cyl[160]:
Enter partition size[6297480b, 392c, 551e, 3074.94mb, 3.00gb]: 400c
partition> 3
Part      Tag    Flag     Cylinders        Size            Blocks
  3       swap    wu     704 -  769      517.72MB    (66/0/0)    1060290
Enter partition id tag[swap]:
Enter partition permission flags[wu]:
Enter new starting cyl[704]:
Enter partition size[1060290b, 66c, 769e, 517.72mb, 0.51gb]: 80c
partition> la
Ready to label disk, continue? y
partition> q

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        fdisk      - run the fdisk program
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show vendor, product and revision
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> q


7. And the moment of truth: extend the root (/) filesystem
# growfs -M / /dev/rdsk/c1t0d0s0
Warning: 5748 sector(s) in last cylinder unallocated
/dev/rdsk/c1t0d0s0:     2249100 sectors in 367 cylinders of 48 tracks, 128 sectors
        1098.2MB in 23 cyl groups (16 c/g, 48.00MB/g, 11648 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
 32, 98464, 196896, 295328, 393760, 492192, 590624, 689056, 787488, 885920,
 1279648, 1378080, 1476512, 1574944, 1673376, 1771808, 1870240, 1968672,
 2067104, 2165536

8. Then grow /usr
# growfs -M /usr /dev/rdsk/c1t0d0s1
Warning: 624 sector(s) in last cylinder unallocated
/dev/rdsk/c1t0d0s1:     6426000 sectors in 1046 cylinders of 48 tracks, 128 sectors
        3137.7MB in 66 cyl groups (16 c/g, 48.00MB/g, 5824 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
 32, 98464, 196896, 295328, 393760, 492192, 590624, 689056, 787488, 885920,
 5512224, 5610656, 5709088, 5807520, 5905952, 6004384, 6102816, 6201248,
 6291488, 6389920

9. And swap
# swap -d /dev/dsk/c1t0d0s3
/dev/dsk/c1t0d0s3 was dump device --
invoking dumpadm(1M) -d swap to select new dump device
dumpadm: no swap devices are available
# swap -a /dev/dsk/c1t0d0s3
operating system crash dump was previously disabled --
invoking dumpadm(1M) -d swap to select new dump device
# dumpadm -d swap
      Dump content: kernel pages
       Dump device: /dev/dsk/c1t0d0s3 (swap)
Savecore directory: /var/crash/sun02
  Savecore enabled: yes
   Save compressed: on


For the swap I just delete it and add it again, and then update the dump device, which is important. Of course it is not always possible simply to delete virtual memory on a production system, but it is possible to create a new swap device, delete the old one, add the old one back and then delete the new one. This can take a long time on a production system, but it is a relatively safe operation.

10. So, let's check the sizes of the filesystems again
# df -k / /usr
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c1t0d0s0    1090677  387745  641741    38%    /
/dev/dsk/c1t0d0s1    3163878 2262020  839851    73%    /usr
# swap -l
swapfile             dev  swaplo blocks   free
/dev/dsk/c1t0d0s3   30,3       8 1285192 1285192


As you can see, they are bigger than a few minutes ago.

11. But what about the control files?
# digest -a sha1 /checkfileroot /usr/checkfileusr
(/checkfileroot) = c5ee33c68b147c58e6190a99a647a9baf35581a8
(/usr/checkfileusr) = 77bb739b734ab01a43578479ec4a3abe92e6c4bd


As you can see, they are the same.

12. Et voilà, we have successfully extended our filesystems on the fly. By the way, the official Oracle Solaris documentation says this:
--------------
LIMITATIONS
    Only UFS file systems (either mounted or unmounted) can be expanded using the growfs command. Once a file system is expanded, it cannot be decreased in size. The following conditions prevent you from expanding file systems: When acct is activated and the accounting file is on the target device. When C2 security is activated and the logging file is on the target file system. When there is a local swap file in the target file system. When the file system is root (/), /usr, or swap.

Compressed tar archive

There are some cases when you want to create compressed tar archive but you do not have enough disk space to keep original files and tar arc...