Solaris

Solaris

[Bernhard Duebi]

Hello,

I think Solaris is a great OS, but the x86 version lacks HW support.
I think XEN could be the solution. XEN does the HW stuff (via Linux) and
Solaris does the rest. Ok, Solaris will loose some scalability if it
can't talk to the HW directly, but who wants to build a RDBMS server
with dozens of cpus on XEN ?

Are there any SUN Solaris people on the list ?
Or, when Solaris will be published as OpenSource, are there people who
wants to port Solaris to XEN ?

Cheers
Bernhard




-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt

Multi source/destination ip address

[Marcin Giedz]

Hello...

Today I have stopped on next problem. I've just want to block almost all 
connection on 80 port in my router with destination list's addresses. 
"Almost" because some connection are forwarded to another router in my LAN. 
So this is the rule:

iptables -A FORWARD -p tcp -port 80 -d ! 192.168.131.0/24 && 192.168.110.0/24 
-j  DROP

But it doesn't work.... in iptables spec. -d is only connect with single 
address not list. I found also iprange extension but it doesn't suit me. Is 
it possible to have list destination/source addresses in iptables rule?

Thanks,
Marcin

solaris

[dave frost]

is netfilter available for solars ? any docs on this would be apreciated

cheers

dave

Re: solaris

[Filip Sneppe]

Hi Dave,

On Mon, 21 Feb 2005 14:53:11 +0000, dave frost
<dj.frost@blueyonder.co.uk> wrote:
> is netfilter available for solars ? any docs on this would be apreciated
> 

No it's not, and it will very likely never be available on Solaris, or any
other OS besides Linux, as it's built into the kernel's network code, and this
kernel network code is too different from one Unix flavor to another.

Regards,
Filip

Re: Multi source/destination ip address

[Jose Maria Lopez Hernandez]

El lun, 21-02-2005 a las 15:33 +0100, Marcin Giedz escribió:
> Hello...
> 
> Today I have stopped on next problem. I've just want to block almost all 
> connection on 80 port in my router with destination list's addresses. 
> "Almost" because some connection are forwarded to another router in my LAN. 
> So this is the rule:
> 
> iptables -A FORWARD -p tcp -port 80 -d ! 192.168.131.0/24 && 192.168.110.0/24 
> -j  DROP
> 
> But it doesn't work.... in iptables spec. -d is only connect with single 
> address not list. I found also iprange extension but it doesn't suit me. Is 
> it possible to have list destination/source addresses in iptables rule?
> 
> Thanks,
> Marcin

iptables -N MYDROPCHAIN
iptables -A FORWARD -p tcp -port 80 -j MYDROPCHAIN
iptables -A MYDROPCHAIN -d 192.168.131.0/24 -j RETURN
iptables -A MYDROPCHAIN -d 192.168.110.0/24 -j RETURN
iptables -A MYDROPCHAIN -j DROP

Regards.

-- 

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: solaris

[mdpeters]

Sun is about to release the Solaris source code to the open community. This 
changes things a bit.

Best regards,

Michael D. Peters
Director of Security Services
CISSP
Lazarus Alliance Inc.
M: 502-767-3448
O: 502-231-8017 x8
H: 502-231-6923
F: 502-231-5347

michael.peters@lazarusalliance.com
www.lazarusalliance.com



----- Original Message ----- 
From: "Filip Sneppe" <filip.sneppe@gmail.com>
To: "dave frost" <dj.frost@blueyonder.co.uk>
Cc: "netfilter" <netfilter@lists.netfilter.org>
Sent: Monday, February 21, 2005 9:59 AM
Subject: Re: solaris


> Hi Dave,
>
> On Mon, 21 Feb 2005 14:53:11 +0000, dave frost
> <dj.frost@blueyonder.co.uk> wrote:
>> is netfilter available for solars ? any docs on this would be apreciated
>>
>
> No it's not, and it will very likely never be available on Solaris, or any
> other OS besides Linux, as it's built into the kernel's network code, and 
> this
> kernel network code is too different from one Unix flavor to another.
>
> Regards,
> Filip
>
> 

Re: solaris

[R. DuFresne]

On Mon, 21 Feb 2005, Filip Sneppe wrote:

> Hi Dave,
> 
> On Mon, 21 Feb 2005 14:53:11 +0000, dave frost
> <dj.frost@blueyonder.co.uk> wrote:
> > is netfilter available for solars ? any docs on this would be apreciated
> > 
> 
> No it's not, and it will very likely never be available on Solaris, or any
> other OS besides Linux, as it's built into the kernel's network code, and this
> kernel network code is too different from one Unix flavor to another.

sunscreen I beleive is the SUN alt for this, at least in sol9, I think
it's an addon <perhaps w/ cost under sol8>.  I have heard that ip filter
is part of the sol10 offering coming out.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>

Re: Multi source/destination ip address

[Sebastian Docktor]

Hi,



On Mon, Feb 21, 2005 at 04:59:53PM +0100, Jose Maria Lopez Hernandez wrote:
> El lun, 21-02-2005 a las 15:33 +0100, Marcin Giedz escribi??:
> > Hello...
> > 
> 
> iptables -N MYDROPCHAIN
> iptables -A FORWARD -p tcp -port 80 -j MYDROPCHAIN
> iptables -A MYDROPCHAIN -d 192.168.131.0/24 -j RETURN
> iptables -A MYDROPCHAIN -d 192.168.110.0/24 -j RETURN
> iptables -A MYDROPCHAIN -j DROP
>

Do I really need the -j RETURN Target, an the -j DROP Target in the Chain?
Because I am using also User defined Chainces, and I am only using
chainces without -j DROP only with -j ACCEPT  and I don't use the -j
RETURN Target.


Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source destination         
40101 8406K ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0           state RELATED,ESTABLISHED 
 2908  265K ping_TRNW  all  --  *      *       0.0.0.0/0 0.0.0.0/0           
 2895  265K all_tcp_ins_inet  all  --  *      *       0.0.0.0/0 0.0.0.0/0           
 2340  231K all_udp_ins_inet  all  --  *      *       0.0.0.0/0 0.0.0.0/0           
 1007  134K ping_to_inet  all  --  *      *       0.0.0.0/0 0.0.0.0/0           
 1005  134K lo_tcp_out  all  --  *      *       0.0.0.0/0 0.0.0.0/0           
  974  132K lo_udp_out  all  --  *      *       0.0.0.0/0 0.0.0.0/0           
  872  124K LOG        all  --  *      *       0.0.0.0/0 0.0.0.0/0           LOG flags 0 level 4 prefix `OUTPUT-DENY  ' 
  872  124K REJECT     all  --  *      *       0.0.0.0/0 0.0.0.0/0           reject-with icmp-port-unreachable 

Chain all_tcp_ins_inet (1 references)
 pkts bytes target     prot opt in     out     source	destination         
  555 33300 ACCEPT     tcp  --  *      ppp0    0.0.0.0/0	0.0.0.0/0           state NEW tcp 

Chain all_udp_ins_inet (1 references)
 pkts bytes target     prot opt in     out     source	destination         
 1333 97563 ACCEPT     udp  --  *      ppp0    0.0.0.0/0	0.0.0.0/0           state NEW udp 



> Regards.
> 
> -- 
> 
> Jose Maria Lopez Hernandez
> Director Tecnico de bgSEC
> jkerouac@bgsec.com
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> ESPA??A
> 
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
>                 -- Jack Kerouac, "On the Road"
> 
> 
> 

-- 
Sebastian Docktor <sebi@tux-labor.de>

Solaris

[Larson, Timothy E.]

[-- Attachment #1: Type: text/plain, Size: 1891 bytes --]

Hello list,

I cannot get dash 0.5.4 to build on Solaris.  I've made a couple small
patches that may be a step in the right direction.


$ diff -u src/mkbuiltins.orig src/mkbuiltins
--- mkbuiltins.orig     Fri Jul 13 03:26:43 2007
+++ mkbuiltins  Tue Oct 21 14:27:30 2008
@@ -35,6 +35,7 @@
 #
 #      @(#)mkbuiltins  8.2 (Berkeley) 5/4/95

+opsys=$(uname -s)
 tempfile=tempfile
 if ! type tempfile > /dev/null 2>&1; then
        tempfile=mktemp
@@ -83,9 +84,17 @@
  */

 !
+
+if [ ${opsys} = "SunOS" ]; then
+sed 's/        -[a-z]*//' $temp2 | nl -v0 | sort -u -k 3,3 |
+tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ |
+       awk '{  printf "#define %s (builtincmd + %d)\n", $3, $1}'
+else # not SunOS
 sed 's/        -[a-z]*//' $temp2 | nl -v 0 | sort -u -k 3,3 |
 tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ |
        awk '{  printf "#define %s (builtincmd + %d)\n", $3, $1}'
+fi
+
 printf '\n#define NUMBUILTINS %d\n' $(wc -l < $temp2)
 echo '
 #define BUILTIN_SPECIAL 0x1


$ diff -u configure.ac.orig configure.ac
--- configure.ac.orig   Fri Jul 13 03:26:42 2007
+++ configure.ac        Tue Oct 21 14:37:12 2008
@@ -21,6 +21,7 @@
 dnl Checks for libraries.

 dnl Checks for header files.
+AC_CHECK_HEADERS(paths.h)

 dnl Checks for library functions.
 AC_CHECK_FUNCS(bsearch getpwnam getrlimit isalpha killpg mempcpy sigsetmask
\


After regenerating configure and such, I was then able to conditionally
include paths.h or define the constants in-place as needed in the 4 files
that use it, and dash would build.  (There's probably a better way to handle
this, but I was going for a quick check first.)  It would dump core as soon
I tried executing any command in it, though, so I think I've missed
something.


Thanks,
Tim

-- 
Tim Larson        AMT2 Unix Systems Administrator
    InterCall, a division of West Corporation

               Eschew obfuscation!

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 9455 bytes --]

RE: Solaris

[Larson, Timothy E.]

[-- Attachment #1: smime.p7m --]
[-- Type: application/x-pkcs7-mime, Size: 10250 bytes --]

RE: Solaris

[Larson, Timothy E.]

(My apologies if you receive this as a duplicate.  I got a strange error when sending.)

> I cannot get dash 0.5.4 to build on Solaris.  I've made a couple small
> patches that may be a step in the right direction.

These patches were not committed, so I am now working on 0.5.5.1 and
carrying them forward.  In addition to the two mentioned, there are an
additional 10 (or so) patches needed.  Mostly issues that seemed to be
related to C99 compliance: Solaris 9 doesn't have stdint.h, isblank()
function, etc.

If someone would care to review them, I'll drop them on my server.

Thanks,
Tim

--
      Tim Larson        AMT2 Unix Systems Administrator
          InterCall, a division of West Corporation

Be always sure you are right, then go ahead. - David Crockett

solaris

[Larson, Timothy E.]

I've been having problems building dash on Solaris for some time.  Is there anyone working on cross-platform issues?


Thanks,
Tim