Oracle Solaris Administration: IP Services     Oracle Solaris 10 1/13 Information Library

Monitoring and Modifying Transport Layer Services

The transport layer protocols TCP, SCTP, and UDP are part of the standard Oracle Solaris package. These protocols typically need no intervention to run properly. However, circumstances at your site might require you to log or modify services that run over the transport layer protocols. Then, you must modify the profiles for these services by using the Service Management Facility (SMF), which is described in Chapter 18, Managing Services (Overview), in Oracle Solaris Administration: Basic Administration.

The inetd daemon is responsible for starting standard Internet services when a system boots. These services include applications that use TCP, SCTP, or UDP as their transport layer protocol. You can modify existing Internet services or add new services using the SMF commands. For more information about inetd, refer to inetd Internet Services Daemon.

Operations that involve the transport layer protocols include:

  * Logging the IP addresses of all incoming TCP connections
  * Adding services that use the SCTP protocol
  * Using TCP wrappers to control access to TCP services

For detailed information on the inetd daemon, refer to the inetd(1M) man page.

How to Log the IP Addresses of All Incoming TCP Connections

  1. On the local system, assume the Network Management role or become superuser.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Set TCP tracing to enabled for all services managed by inetd.
    # inetadm -M tcp_trace=TRUE
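
Once tcp_trace is enabled, inetd writes one syslog record per accepted connection, and the value of that setting lies in reading the records back. The shell functions below are an added example, not part of the Oracle documentation: they summarise such records by service and source address so that repeated connection sources stand out. The record layout assumed here (`inetd[pid]: [ID ...] service[pid] from address port`) and the sample lines are constructed for the example; compare the layout with the records in your own syslog output before relying on the field positions.

```shell
#!/bin/sh
# Summarise inetd tcp_trace records from syslog (added example).
# Assumed record layout, to be checked against a real log:
#   <date> <host> inetd[<pid>]: [ID 317013 daemon.notice] <service>[<pid>] from <addr> <port>

# Constructed sample lines, not a real log. The sshd line shows that
# unrelated records are ignored.
sample_log() {
  cat <<'EOF'
Jun 10 09:12:01 solhost inetd[412]: [ID 317013 daemon.notice] telnet[2231] from 192.0.2.10 51022
Jun 10 09:12:09 solhost inetd[412]: [ID 317013 daemon.notice] ftp[2235] from 192.0.2.10 51030
Jun 10 09:13:44 solhost inetd[412]: [ID 317013 daemon.notice] telnet[2240] from 198.51.100.7 40111
Jun 10 09:14:02 solhost sshd[2250]: [ID 800047 auth.info] Accepted publickey for admin from 203.0.113.5
Jun 10 09:15:20 solhost inetd[412]: [ID 317013 daemon.notice] telnet[2261] from 192.0.2.10 51044
EOF
}

# Print "count service address" for every inetd "from" record on stdin,
# most frequent first. Records not written by inetd are skipped.
summarize_connections() {
  awk '
    $5 ~ /^inetd\[/ {
      for (i = 6; i < NF; i++) if ($i == "from") {
        svc = $(i - 1); sub(/\[.*/, "", svc)   # strip the [pid] suffix
        count[svc " " $(i + 1)]++
      }
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Source addresses that opened at least $1 (default 2) connections
# to any single service; reads the same records on stdin.
repeat_sources() {
  threshold=${1:-2}
  summarize_connections | awk -v t="$threshold" '$1 >= t { print $3 }' | sort -u
}

sample_log | summarize_connections
```

Pipe the real records in place of sample_log (for example, the inetd lines grepped out of the system log) and raise the threshold passed to repeat_sources to suit the expected connection volume of the service.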

How to Add Services That Use the SCTP Protocol

The SCTP transport protocol provides services to application layer protocols in a fashion similar to TCP. However, SCTP enables communication between two systems, either or both of which can be multihomed. The SCTP connection is called an association. In an association, an application divides the data to be transmitted into one or more message streams; this is known as multistreaming. An SCTP connection can go to endpoints with multiple IP addresses, which is particularly important for telephony applications. The multihoming capabilities of SCTP are a security consideration if your site uses IP Filter or IPsec. Some of these considerations are described in the sctp(7P) man page.

By default, SCTP is included in Oracle Solaris and does not require additional configuration. However, you might need to explicitly configure certain application layer services to use SCTP. Some example applications are echo and discard. The next procedure shows how to add an echo service that uses an SCTP one-to-one style socket.


Note - You can also use the following procedure to add services for the TCP and UDP transport layer protocols.


The following task shows how to add an SCTP inet service that is managed by the inetd daemon to the SMF repository, using the Service Management Facility (SMF) commands.

Before You Begin

Before you perform the following procedure, create a manifest file for the service. The procedure uses as an example a manifest for the echo service that is called echo.sctp.xml.

  1. Log in to the local system with a user account that has write privileges for system files.
  2. Edit the /etc/services file and add a definition for the new service.

    Use the following syntax for the service definition.

    service-name   port/protocol   aliases
  3. Add the new service.

    Go to the directory where the service manifest is stored and type the following:

    # cd dir-name
    # svccfg import service-manifest-name

    For a complete syntax of svccfg, refer to the svccfg(1M) man page.

    Suppose you want to add a new SCTP echo service using the manifest echo.sctp.xml that is currently located in the service.dir directory. You would type the following:

    # cd service.dir
    # svccfg import echo.sctp.xml
  4. Verify that the service manifest has been added:
    # svcs FMRI

    For the FMRI argument, use the Fault Managed Resource Identifier (FMRI) of the service manifest. For example, for the SCTP echo service, you would use the following command:

    # svcs svc:/network/echo:sctp_stream

    Your output should resemble the following:

    STATE          STIME    FMRI
    disabled       16:17:00 svc:/network/echo:sctp_stream

    For detailed information about the svcs command, refer to the svcs(1) man page.

    The output indicates that the new service manifest is currently disabled.

  5. List the properties of the service to determine if you must make modifications.
    # inetadm -l FMRI

    For detailed information about the inetadm command, refer to the inetadm(1M) man page.

    For example, for the SCTP echo service, you would type the following:

    # inetadm -l svc:/network/echo:sctp_stream
    SCOPE    NAME=VALUE
             name="echo"
             endpoint_type="stream"
             proto="sctp"
             isrpc=FALSE
             wait=FALSE
             exec="/usr/lib/inet/in.echod -s"
             .
             .
    default  tcp_trace=FALSE
    default  tcp_wrappers=FALSE
  6. Enable the new service:
    # inetadm -e FMRI
  7. Verify that the service is enabled:

    For example, for the new echo service, you would type the following:

    # inetadm | grep sctp_stream
    .
    .
        enabled   online         svc:/network/echo:sctp_stream

Example 5-9 Adding a Service That Uses the SCTP Transport Protocol

The following example shows the commands to use and the file entries required to have the echo service use the SCTP transport layer protocol.

$ cat /etc/services
.
.
echo            7/tcp
echo            7/udp
echo            7/sctp

# cd service.dir
# svccfg import echo.sctp.xml

# svcs network/echo*
    STATE          STIME    FMRI
    disabled       15:46:44 svc:/network/echo:dgram
    disabled       15:46:44 svc:/network/echo:stream
    disabled       16:17:00 svc:/network/echo:sctp_stream

# inetadm -l svc:/network/echo:sctp_stream
    SCOPE    NAME=VALUE
             name="echo"
             endpoint_type="stream"
             proto="sctp"
             isrpc=FALSE
             wait=FALSE
             exec="/usr/lib/inet/in.echod -s"
             user="root"
    default  bind_addr=""
    default  bind_fail_max=-1
    default  bind_fail_interval=-1
    default  max_con_rate=-1
    default  max_copies=-1
    default  con_rate_offline=-1
    default  failrate_cnt=40
    default  failrate_interval=60
    default  inherit_env=TRUE
    default  tcp_trace=FALSE
    default  tcp_wrappers=FALSE

# inetadm -e svc:/network/echo:sctp_stream

# inetadm | grep echo
    disabled  disabled       svc:/network/echo:stream
    disabled  disabled       svc:/network/echo:dgram
    enabled   online         svc:/network/echo:sctp_stream
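
Before enabling a newly imported service, the property listing from step 5 is worth reading for the settings that the example above leaves at their defaults. The shell below is an added example, not part of the Oracle documentation: audit_listing reads output in the format that inetadm -l prints (a constructed copy of the echo:sctp_stream listing is embedded) and reports tcp_trace and tcp_wrappers left at FALSE, a service that runs as root, and max_con_rate at -1, which inetadm treats as no connection-rate limit; services_entry_ok checks a proposed /etc/services line against the syntax from step 2 and against an existing file for a port/protocol pair that is already taken. The property names are the ones shown in the listing; the sample services file in the usage is constructed.

```shell
#!/bin/sh
# Audit an "inetadm -l FMRI" listing and validate a new /etc/services line
# (added example; the listing below is a constructed copy of the one on the page).

sample_listing() {
  cat <<'EOF'
SCOPE    NAME=VALUE
         name="echo"
         endpoint_type="stream"
         proto="sctp"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/lib/inet/in.echod -s"
         user="root"
default  bind_addr=""
default  max_con_rate=-1
default  max_copies=-1
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE
EOF
}

# Print the bare value of property $1 (quotes stripped) from a listing on
# stdin; prints nothing if the property is absent.
prop_value() {
  awk -v key="$1" -F= '
    NF >= 2 {
      n = $1; sub(/.*[ \t]/, "", n)          # drop the SCOPE column
      if (n == key) { v = $2; gsub(/"/, "", v); print v; exit }
    }'
}

# Read a listing on stdin and print one finding per line.
# Exit status 0 means nothing to report, 1 means at least one finding.
audit_listing() {
  listing=$(cat)
  findings=0
  for check in \
      "tcp_trace=FALSE:connection source addresses are not logged" \
      "tcp_wrappers=FALSE:hosts.allow/hosts.deny access control is not applied" \
      "user=root:service runs as root; consider a less privileged account" \
      "max_con_rate=-1:no connection-rate limit (inetd default)"; do
    key=${check%%=*}; rest=${check#*=}
    want=${rest%%:*}; msg=${rest#*:}
    have=$(printf '%s\n' "$listing" | prop_value "$key")
    if [ "$have" = "$want" ]; then
      printf '%s: %s\n' "$key" "$msg"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Check that candidate line $1 uses the "service-name port/protocol [aliases]"
# syntax and that its port/protocol pair is not already defined in file $2.
services_entry_ok() {
  line=$1; file=$2
  printf '%s\n' "$line" | grep -Eq \
    '^[A-Za-z0-9_.+-]+[[:space:]]+[0-9]+/(tcp|udp|sctp)([[:space:]]+[A-Za-z0-9_.+-]+)*[[:space:]]*$' \
    || return 1
  pair=$(printf '%s\n' "$line" | awk '{ print $2 }')
  # awk exits 1 when an uncommented entry already uses the same port/protocol
  awk -v p="$pair" '$1 !~ /^#/ && $2 == p { found = 1 } END { exit found ? 1 : 0 }' "$file"
}

if sample_listing | audit_listing; then
  echo "no findings"
else
  echo "review the findings above before enabling the service"
fi
```

On a live system, replace sample_listing with `inetadm -l svc:/network/echo:sctp_stream` and pass /etc/services as the second argument of services_entry_ok; a nonzero status from either function is the signal to stop and adjust the manifest or the services line first.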

How to Use TCP Wrappers to Control Access to TCP Services

The tcpd program implements TCP wrappers. TCP wrappers add a measure of security for service daemons such as ftpd by standing between the daemon and incoming service requests. TCP wrappers log successful and unsuccessful connection attempts. Additionally, TCP wrappers can provide access control, allowing or denying the connection depending on where the request originates. You can use TCP wrappers to protect daemons such as SSH, Telnet, and FTP. The sendmail application can also use TCP wrappers, as described in Support for TCP Wrappers From Version 8.12 of sendmail in System Administration Guide: Network Services.

  1. On the local system, assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in Oracle Solaris Administration: Basic Administration.

  2. Set TCP wrappers to enabled.
    # inetadm -M tcp_wrappers=TRUE
  3. Configure the TCP wrappers access control policy as described in the hosts_access(3) man page.

    This man page can be found in the /usr/sfw/man directory on the SFW CD-ROM, which is packaged along with the Oracle Solaris CD-ROM.
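
The effect of step 3 depends on how the two policy files are consulted: hosts_access checks hosts.allow first and grants access on the first matching rule, then checks hosts.deny and refuses access on the first matching rule, and grants access if neither file matches. The script below is an added example, not part of the Oracle documentation or of the TCP wrappers distribution: it evaluates that decision for one daemon and client address against two constructed rule tables, so that a policy can be checked on paper before it is put in front of a service. It supports only the ALL wildcard, exact IPv4 addresses, trailing-dot prefixes such as 192.0.2. and address/netmask pairs; hostnames, EXCEPT clauses and shell commands are not handled.

```shell
#!/bin/sh
# Simplified hosts_access policy evaluation (added example).
# Decision order: first match in hosts.allow grants, then first match in
# hosts.deny refuses, otherwise access is granted.

# Constructed policy tables standing in for /etc/hosts.allow and /etc/hosts.deny.
ALLOW_RULES='
# daemon_list : client_list
sshd : 192.0.2. 10.1.0.0/255.255.0.0
in.ftpd : 10.1.2.7
'
DENY_RULES='
ALL : ALL
'

# Dotted quad -> 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does client address $1 match the single client pattern $2?
client_matches() {
  addr=$1; pat=$2
  case $pat in
    ALL) return 0 ;;
    */*) net=${pat%%/*}; mask=${pat#*/}          # address/netmask form
         [ $(( $(ip_to_int "$addr") & $(ip_to_int "$mask") )) -eq \
           $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
    *.)  case $addr in "$pat"*) return 0 ;; *) return 1 ;; esac ;;  # prefix form
    *)   [ "$addr" = "$pat" ] ;;                  # exact address
  esac
}

# Does daemon $1 appear in the comma-separated daemon list $2 (or is it ALL)?
daemon_matches() {
  d=$1
  old_ifs=$IFS; IFS=,
  set -- $2
  IFS=$old_ifs
  for item; do
    [ "$item" = ALL ] || [ "$item" = "$d" ] && return 0
  done
  return 1
}

# Return 0 if rule table $1 holds a rule matching daemon $2 from address $3.
table_matches() {
  printf '%s\n' "$1" | {
    while IFS= read -r line; do
      case $line in ''|\#*) continue ;; esac
      daemons=$(printf '%s' "${line%%:*}" | tr -s ' ,\t' ',')   # normalise separators
      clients=${line#*:}
      daemon_matches "$2" "$daemons" || continue
      for pat in $clients; do
        client_matches "$3" "$pat" && exit 0
      done
    done
    exit 1
  }
}

# Print allow or deny for daemon $1 and client address $2.
access_decision() {
  if table_matches "$ALLOW_RULES" "$1" "$2"; then echo allow
  elif table_matches "$DENY_RULES" "$1" "$2"; then echo deny
  else echo allow
  fi
}

for pair in "sshd 192.0.2.44" "sshd 10.1.200.3" "sshd 203.0.113.9" \
            "in.ftpd 10.1.2.7" "in.ftpd 10.1.2.8" "in.telnetd 192.0.2.44"; do
  set -- $pair
  printf '%-12s %-15s %s\n' "$1" "$2" "$(access_decision "$1" "$2")"
done
```

The deny-everything rule in DENY_RULES is what turns the allow table into an allow-list; without it, any daemon or address that no allow rule mentions falls through to the default grant, which is the case the last decision in the loop illustrates.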