The local tnrhdb(4) file on each computer is used to contact the network at boot time. For greater security, you can remove the 0.0.0.0 wildcard entry. However, you must replace it with every remote address that the host contacts at boot time.
In the Security Administrator role, open the Security Families tool in the Files scope.
See "To Open the Security Families Tool" for the steps in detail.
Double-click ALL, then select 0.0.0.0.
If you know all machines that this computer contacts, remove the wildcard entry by choosing Edit --> Delete.
To replace the wildcard entry, the following entries must be in the /etc/hosts or /etc/inet/ipnodes file, and in the tnrhdb database.
- An entry for this system, the name service master, and the loopback address, 127.0.0.1. The install team added these entries during configuration.
- An entry for every local IP address. The install team should have added these entries during configuration.
- One or more router entries. If the name service client is a router, list all the routers with which it needs to communicate during boot. Include broadcast addresses. If the name service client is not a router, create a fallback network entry, such as 192.168.113.0.
For a router, make the following entries by clicking Add --> Host(s).
Make sure all network interfaces are in the file. For example:
    Host Name: trusted-gw    IP Address: 192.168.112.111    Template: tsol
    Host Name: trusted       IP Address: 192.168.113.111    Template: tsol
Make an entry for every router that this host communicates with. This is most easily done when the network uses static routing. For example:
    Host Name: gateway-2    IP Address: 192.168.112.12    Template: unclassified
    Host Name: gateway-3    IP Address: 192.168.113.12    Template: unclassified
Make an entry for every broadcast and multicast address. For example:
    Host Name: broadcast        IP Address: 255.255.255.255    Template: admin_low
    Host Name: multicast        IP Address: 224.0.0.2          Template: admin_low
    Host Name: broadcast-112    IP Address: 192.168.112.255    Template: tsol
    Host Name: broadcast-113    IP Address: 192.168.113.255    Template: tsol
The following shows the local tnrhdb file with entries for a name service client with two interfaces. The client communicates with another network and with routers.
    192.168.112.111:tsol          Interface 1 of this system
    192.168.113.111:tsol          Interface 2
    192.168.113.5:tsol            NIS+ master
    192.168.113.6:tsol            Audit server
    192.168.113.8:tsol            Mail server
    192.168.112.255:tsol          Subnet broadcast address
    192.168.113.255:tsol          Subnet broadcast address
    127.0.0.1:tsol                Loopback address
    192.168.117.0:tsol            Another Trusted Solaris network
    192.168.112.12:unclassified   Specific network router
    192.168.113.12:unclassified   Specific network router
    224.0.0.2:unclassified        Multicast address
    255.255.255.255:admin_low     Broadcast address
If the host being configured is not a router, click Add --> Host(s) to create a fallback entry so that the host can find its router.
For example, click the Wildcard button and enter:
    IP Address: 192.168.113.0    Template: tsol
For example, for a non-router on a dynamically configured network, the entries might look like:
    192.168.113.99:tsol           This system
    192.168.113.5:tsol            NIS+ master
    192.168.113.0:tsol            Subnet wildcard address
    127.0.0.1:tsol                Loopback address
    192.168.117.0:tsol            Another Trusted Solaris network
    224.0.0.2:unclassified        Multicast address
    255.255.255.255:admin_low     Broadcast address
If a network that has Trusted Solaris hosts is assigned a wildcard template that is not a tsol template, and the network has any tsol routers, then the administrator must assign the netmask entry the tsol template. For example:
    192.168.112.98:tsol           This system
    192.168.112.0:confidential    Subnet wildcard address
    192.168.112.111:tsol          TSOL router
    255.255.255.255:tsol          Broadcast address
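As an added illustration (not part of the original documentation and not a Trusted Solaris tool), the following Python reads a tnrhdb-style listing and reports which boot-time addresses would be reachable only through the 0.0.0.0 wildcard, which is the check to run before deleting that entry. It assumes the octet-based fallback order (exact host, then 192.168.113.0, 192.168.0.0, 192.0.0.0, then 0.0.0.0); the sample entries are constructed from the listings on this page.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample in the page's listing style; text after the template
# name is a descriptive comment, as in the page's own examples.
SAMPLE_TNRHDB = """\
192.168.112.111:tsol          Interface 1 of this system
192.168.113.111:tsol          Interface 2
192.168.113.5:tsol            NIS+ master
192.168.112.255:tsol          Subnet broadcast address
127.0.0.1:tsol                Loopback address
192.168.117.0:tsol            Another Trusted Solaris network
192.168.112.12:unclassified   Specific network router
224.0.0.2:unclassified        Multicast address
255.255.255.255:admin_low     Broadcast address
"""


def parse_tnrhdb(text: str) -> Dict[str, str]:
    """Map address -> template, skipping blank lines, '#' comments and any
    trailing description after the template name."""
    db: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, _, rest = line.partition(":")
        fields = rest.split()
        if fields:
            db[addr.strip()] = fields[0]
    return db


def lookup_template(db: Dict[str, str], ip: str) -> Optional[Tuple[str, str]]:
    """Assumed fallback: exact host entry, then network entries formed by
    zeroing trailing octets, then 0.0.0.0. Returns (template, matched entry)."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n] + ["0"] * (4 - n)) for n in (3, 2, 1, 0)]
    for cand in candidates:
        if cand in db:
            return db[cand], cand
    return None


def unresolved_without_wildcard(db: Dict[str, str], boot_addrs: List[str]) -> List[str]:
    """Addresses that have no entry, or that only match 0.0.0.0: each needs a
    specific host or network entry before the wildcard is removed."""
    missing = []
    for ip in boot_addrs:
        hit = lookup_template(db, ip)
        if hit is None or hit[1] == "0.0.0.0":
            missing.append(ip)
    return missing
```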
You may want to give the 0.0.0.0 tnrhdb(4) entry a different unlabeled template, such as the unclassified template from the default set of templates. The system then recognizes any computer not otherwise listed in its tnrhdb file as an unlabeled machine at the label unclassified. Choose Action --> Properties from the menu when 0.0.0.0 is selected to change the assigned template.
Many sites create an unlabeled template specifically for gateways, and assign the gateway template to all gateway systems. The following is an unlabeled template specifically for gateways:
    unlab_gateway:host_type=unlabeled;\
    def_label=[0x00010000000000000000000000000000000000000000000000000000000000000000];\
    def_cl=0x00010000000000000000000000000000000000000000000000000000000000000000;\
    forced_privs=empty;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    doi=0;\
    ip_label=none;\
    ripso_label=empty;\
    ripso_error=empty;
The backslashes above are for ease of reading. See "To Construct Templates for Hosts" for how to construct a template, and then assign it to the 0.0.0.0 wildcard.