Solaris Operating Environment by default is configured to both accept and send  the ICMP Redirect messages. According to RFCs, only a router or a gateway device should send an ICMP Redirect message and any other hosts should only be able to receive the ICMP Redirects. If the Solaris server is not acting as a Router or a Gateway then sending ICMP Redirect message should be disabled. The same applies to accepting ICMP Redirect messages if the solaris server is not required to receive ICMP Redirect messages (say a single Router/Gateway network/subnets scenario) as a malicous hacker could send fake ICMP redirect messages to modify the routing table on the host and potentialy cause a Denial of Service attack.

Show and Disable ICMP Redirect message accept option

To see if accepting ICMP Redirects are enabled in Solaris,

In IPv4

root@solaris# ndd -get /dev/ip ip_ignore_redirect
0

In IPv6 then

root@solaris# ndd -get /dev/ip ip6_ignore_redirect
0

The "0" indicates that the host is configured to accept ICMP Redirect messages and "1" indicates it is being disabled

To disable the ICMP Redirect accept option,

In IPv4

root@solaris# ndd -set /dev/ip ip_ignore_redirect 1

In IPv6

root@solaris# ndd -set /dev/ip ip6_ignore_redirect 1

Show and Disable ICMP Redirect message send option

To see if sending ICMP Redirects are enabled in Solaris,

If you are using IPv4

root@solaris# ndd -get /dev/ip ip_send_redirects
1

If you are using IPv6 then

root@solaris# ndd -get /dev/ip ip6_send_redirects
1

The "1" indicates that the host is configured to send ICMP Redirect messages and "0" indicates it is being disabled

To disable the option,

In IPv4

root@solaris# ndd -set /dev/ip ip_send_redirects 0

In IPv6

root@solaris# ndd -set /dev/ip ip6_send_redirects 0

The above ndd -set commands dynamically update the ICMP Redirect send/receive options on the host. However, to ensure that the settings are applied at the boot time (say the next time when the server reboots) then edit the startup script /etc/rc2.d/S69inet and modify values accordingly.

Alternatively, you can download the nddconfig script and install on your server. This script can be used to adjust most of the ndd parameters for security purpose.

The script can be downloaded here (need an Sunsolve account)

http://www.sun.com/blueprints/tools/

To install the nddconfig script

Untar the downloaded nddconfig.tar file

root@solaris# tar -xvf nddconfig.tar

Copy the nddconfig file to /etc/init.d/ directory

root@solaris# cp nddconfig /etc/init.d/nddconfig

Change the file permissions to 744

root@solaris# chmod 744 /etc/init.d/nddconfig

Change the file ownership to root(user) and sys (grooup)

root@solaris# chown root:sys /etc/init.d/nddconfig

Create a hard link as follows:

root@solaris# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

This should help.

Did you like it? Why not leave us a comment??

Domain Name Service (DNS) is a system which translates the meaningful Hostnames and Domain Names into valid IP Addresses. A DNS Client or a Resolver is a host or a network device which queries the DNS servers for various resource records like the IP Address for a host like a Mail Server.

If you configure your Solaris Server as a DNS client then you need to add the DNS servers which the resolver on the server query for various DNS records in the file

/etc/resolv.conf

The following is an example of a sample /etc/resolv.conf

$ cat /etc/resolv.conf

domain example.com
nameserver 10.10.10.1
nameserver 10.10.10.2
nameserver 10.10.10.3

search example.com example.co.uk example.net

where

domain – specifies the local domain. A search for a host in the domain can simply be done with the hostname without the Domain suffix.

nameserver – specifies the IP Address to it as a DNS server. There can be more than one DNS server specified by the nameserver keyword (one per line) listed in the file.

search – specifies a list of local domains to search for the hosts. This process is slow and generates a lot of traffic.

This is the most commonly found configuration on DNS clients or Resolvers. More advanced configurations include

sortlist – Sort the IP Addresses returned to the resolver
options -  Allows additional configurations to modify resolver variables.

For a detailed man page, click here

The Default Gateway or the Default Router is the IP address (IPv4) to which all the traffic to any target destination(s) which does not have a route in the Routing Table of the server will be forwarded.

This Default Gateway is maintained in the file

/etc/defaultrouter [IPv4 only]

This IP Address should be in the same network or the subnet as that of the server itself.

If you wish to add or edit the Default Gateway or the Default Router in Sun Solaris, edit /etc/defaultrouter file and update the IP Address. One entry per line for one or more default gateways (very unlikely to have muktiple default gateways).

This file is read at the boot time and hence the server needs to be rebooted for the changes to take effect.

Instead of rebooting the server, update the Kernel IP Routing table first by deleting the existing Default Gateway or Default Router (if any) and then adding the new IP address.

To view the existing Kernel IP Routing table,

# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
——————– ——————– —– —– ———- ———
192.168.1.0          192.168.1.10         U         1        195 hme0
224.0.0.0            192.168.1.10          U          1          0 hme0
default              192.168.1.1             UG        1        325
127.0.0.1            127.0.0.1               UH        5         92 lo0

Now, remove the dexisting default gateway;

# route delete default 172.1.1.1

Add the new Default Gateway using:

# route add default 192.168.1.1

This should help. For a detailed Man Page for /etc/defaultrouter click here.

Adding or editing the IP address on a Solaris 10 server is different from the previous versions of the OS (Solaris 9, Solaris 8 etc).

In the previous versions of the Solaris Operating System, you need to edit the /etc/hosts file and add/edit the entry for the IP address and the hostname.

Example:

192.168.1.1   sun1

However, in Solaris 10, you should edit the /etc/hosts file (a symlink to /etc/inet/hosts file) and the  /etc/inet/ipnodes file and add an entry for IP address and hostname.

Once done, restart the Network service using

# svcadm restart network/physical

or reboot the server for the changes to take effect.

Although, the /etc/inet/ipnodes files is primarily for IPv6 only, without adding an entry to the file, the IP address (IPv4) doesn't become active. This seems to be a known problem but the good news is this is now fixed in the Solaris 10 U4 (08/07 build).

Also, ensure that the /etc/netmasks file with the network ID and the netmask.

To add a Static Route in Sun Solaris operating system, you can use the route command. This will dynamically update the Kernel IP Routing table. However, when a server is restarted, these routes will be lost. To prevent this from happening, add a startup script S76static-routes with all the route commands for the static route that needs to persist. This will ensure that the route gets added at boot time.

To use the route command,

Syntax:

# route add [net|host] <Addr> netmask <Mask> [GatewayAddr|-interface ] <metric>

Example:

Add a network

# route add net 10.10.10.0 netmask 255.255.255.0 192.168.1.1 1

same as

# route add 10.10.10.0/24 192.168.1.1 1

Add a host

# route add host 1.1.1.1 netmask 255.255.255.0 192.168.1.1 1

same as

# route add 1.1.1.1/24 192.168.1.1 1

To route the traffic through an interface instead of an IP Gateway

# route add 1.1.1.1/24 -interface hme0

To check that the roots are added to Kernel IP Routing table,

# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
——————– ——————– —– —– —— ———
192.168.1.0          192.168.1.1        U         1    273  hme0
224.0.0.0            192.168.1.1         U         1      0   hme0
default              192.168.1.1          UG        1    196

Static Routes at boot time

To make the routes available at boot time so the next time when the server reboots, the routes are still available. Add a startup script named as

/etc/rc2.d/S76static-routes

and add the required route commands as above.

Change the permissions for the file so that the file is executable by root.

# chmod 744 /etc/rc2.d/S76static-routes

This should help.

Have I missed something? Have I made a mistake? please let me know by leaving a comment!

IP packet forwarding is the process of routing packets between network interfaces on one system. A packet arriving on one network interface and addressed to a host on a different network is forwarded to the appropriate interface. While this is a job for the network router, Servers with multiple interfaces connected to different network can perform this action as well. This behaviour as a router is a default in Sun Solaris Operating Systems.

If your Sun Solaris server has multiple interfaces and is not intended to route packets between the networks it is connected to, then it is advisable to disable this option. This can be a potential target for a malicious hacker as this can potentially allow the hacker access to the network at the other side.

To disable this packet forwarding in Solaris, simply create the file

/etc/notrouter

and reboot the server. However, if reboot is not an option at this time, then usee the NDD command to disble the option:

To display the current status

# ndd /dev/ip ip_forwarding
1

0 is Disabled
1 is Enabled

To disable,

# ndd -set /dev/ip ip_forwarding 0

For IPv6

# ndd -set /dev/ip6 ip6_forwarding 0

This should disable. To confirm change,

# ndd /dev/ip ip_forwarding
0

# ndd /dev/ip6 ip6_forwarding
0

In Solaris 8 and later, IP forwarding can be enabled or disabled on a per interface basis. For example, if there are 3 hme NIC cards namely hme0,hme1,hme2 then assume, we allow IP Forwarding only from hme0 and disable on hme1 and hme2 then the following will help:

# ndd -set /dev/ip hme0:ip_forwarding 1
# ndd -set /dev/ip hme1:ip_forwarding 0
# ndd -set /dev/ip hme2:ip_forwarding 0

This should help