Transcript Unix Linux Administration II
Unix Linux Administration III
Class 2: Perl scalars. Solaris 11 bootstrap process. Working with IPF.
Agenda
Review class 1 Review homework Perl introduction lab.
Perl scalars Solaris bootstrap review The Solaris firewall, IPF.
Review:
SUN – Stanford University Network Solaris 11 released 11/11.
Solaris support for x86 and Sparc chipsets.
User management similar to Linux /usr/sbin/useradd|userdel|groupadd|groupdel Shell initialization reads: .bash_profile .bash_login and .profile in that order. Non interactive shells read .bashrc by default.
SMF is the intended replacement for /etc/init.d scripts.
svcs -a
Review
primary configuration options fixed network configuration reactive network configuration reactive networks or Automatic try to use DHCP services. They preferred wired to wireless connections. Ipconfig has been replaced by dladm and ipadm.
#dladm show-phys #ipadm show-addr Set the default gateway using the route command.
#roupte –p add default ###.###.###.### configuration updates like the name service, nsswitch, hostname are managed using SMF Files like /etc/hosts and /etc/resolv.conf exist for backward compatibility but should not edited directly.
Perl review
Perl is an interpreted langauge like shell.
Perl is good at working with large text files and data sets.
Perl has no built in limitiations.
Perl tries to make it possible to write perl as we might speak. Perl requires a semi-colon at the end of each line.
Homework review
Account creation.
SSH certificate based authentication.
Assign root role New A record in your zone.
Updated .bashrc and .bash_profile
Disable uwst15 account.
In class lab 1c
We are going to run through a quick lab to be sure we have some Perl basics completed.
Lab notes for this session can be found here: http://www.ulcert.uw.edu
-> Class Content -> InClass labs ->
Q3, Class 2, Unit 1
What we are going to cover: Perl scalars What you should leave this session with: How Perl handles individuals objects Working with scalars
Return to Perl
Remember Perl is: Another interpreted language. Perl is greedy, it will consume any and all memory available. Perl is very common in the IT world. Perl is good for tasks that seem a little more complex than what you want to tackle with shell.
Syntactic Sugar: Free Format
White space (spaces, tabs, linefeeds, carriage returns, form feeds) are optional between tokens (unless two tokens together can be mistaken for a third token c = a + b; c=a+b; c = a + b ;
Comments & Line Ending
Comments Character: ‘#’ symbol Comment goes until the end of the line Does NOT have to start a line # This is a comment line # This is also a comment line c = a + b; # Comment lines can even go after All lines should end with the semicolon (;) character
Miscellaneous
PERL counts starting at Zero, not One True & False Done via string comparison False A String of Zero Length A String consisting of the single character “0” True Anything Else
What is Scalar Data?
Simplest Type of Data the PERL uses Number: 123, 0x144, 6.023e23
String of Characters: ‘abc’, ‘123’, Websters Scalar Data (Value) can be placed in Scalar variable, and be operated upon by scalar operations and functions
Numbers
All numbers are stored (and operated on) as double precision floating point values Can be written in the “standard” formats Integers: 1, 273, 1094304204 Decimals: 3.14, 99.44, 20.01
Exponential Notation: 6.02E23, 1.23e5
Octal: 0377 Hex: 0xff, 0Xa1
Strings
Sequences of 8 bit values Can use the entire 256 value character set No distinction between ASCII 32 - ASCII 126 and the rest Lengths can run from zero, an empty string, up to the memory capacity of the machine
Literals
Literals are how values are represented Numbers as shown in previous examples Strings: Single or Double Quotes Single Quotes: No variable expansion To get a ‘ in the variable use: \’ To get a \ in the variable use: \\
Double Quoted Literals
Variable Expansion Strong “Backslash” quoting \t: tab character \n: newline character \f: form feed character \\: \ character \ ”: “ character
Scalar Operators
Numeric Addition: a + b Subtraction: a - b Multiplication: a * b Division: a / b Exponential: a ** b Modulus: a % b Logical Numeric Less Than: < Less Than or Equal: <= Equal: == Greater Than: > Greater Than or Equal: >= Not Equal: !=
Scalar Operators --continued--
Strings Concatenation: “abc” . “def” Yields “abcdef” Repetition: “abc” x 3 Yields “abcabcabc” If the value after the “x” is not an integer it is rounded downward Logical String Less Than: lt Less Than or Equal: le Equal: eq Greater Than: gt Greater Than or Equal: ge Not Equal: ne
Operator Precedence & Associativity
Precedence Different operators operate at different levels of precedence Multiplication happens before addition 2 + 3 * 5 = 17 (not 25) See table 2-2 on page 31 for a complete list Associatively If the same operators occur in an expression they happen either left to-right or right-to-left 72 / 12 / 3 = 2 (not 18) Division goes left-to right See table 2-2 on page 31 for a complete list
Converting numbers to strings
If a numeric value is called for (i.e. A + B) then strings are converted to numbers: All leading and trailing white space and non numeric values are dropped. “ 12.345Fred123” will be converted to “12.345” If a character string is required the numbers are converted to a string equivalent “X” . (4*5) yields X20
Scalar Variables
A Scalar variable is a container for holding one scalar value, either number or string All scalar variables begin with a dollar sign ($) and a letter After the first letter, numbers and underscores are allowed Case is preserved ($a is not $A) Limited to 255 characters
Scalar Operations & Functions
Assignment: $a = 123; May be used as a value as well as an operation $b = 4 + ($a = 3); a=3, b = 7 $a = $b = 10;
Scalar Operations & Functions
Binary Assignment: $a = $a + 5; Can be written as $a += 5; $string = $string . “abc”; Can be written as $string .= “abc” ALL BINARY OPERATORS CAN BE SHORTENED THIS WAY +, -, *, /, **, %, .
$string += “abc”
Scalar Operations & Functions
Auto-increment & Auto-decrement ++ and -- are used to increment or decrement a variable by a value of one Can be used as a prefix or suffix operator $a++ or ++$a both add one to the value of $a Prefix or suffix order only matters if the value is used as part of another expression $a = 5; $b = ++$a; Both $a and $b = 6 $a = 5; $b = $a++; $a = 6, $b = 5
Scalar Operations & Functions
chop Removes the last character of a string and returns its value $string = “Hello”; chop($string); $string is now “Hell” $string = “Hello”, $last = chop($string); $string is now “Hell” and $last is now “o” chomp is the same as chop, but it only removes newlines
Interpolation of Scalars into Strings
If a string is enclosed in double quotes “” variable interpolation occurs $a = ‘hello’; $b = “$a world”; yields $b = “hello world” Double substitutions DO NOT occur $a = ‘$c’; $c = ‘foo’; $b = “Hello $a”; yields $b = “Hello $c” , not $b = “Hello foo”
as a Scalar Value
Simple way to obtain a line of text from the user is to use
print "I found: $input\n";
Output with print
The most common way to output of scalar values is to use the print command print “Hello World”; print “The value is $value\n”; print ‘A series of $$$’; print (“Hello World”); Note the parenthesis are optional
The Undefined Value
Before a variable is assigned a value it has a state of ‘undef’ practically this means a variable with an undef state will return a zero if evaluated numerically or a zero length string if evaluated in a string context.
Both are considered false by Perl.
While Perl…
Just like shell, perl provides a while control structure. While ( argument ) { do X } $count = 0; while ( $count < 10 ) { $count += 1; print “count is now: $count\n”; };
Review:
white space between tokens is optional comments follow #, anywhere on the line.
Perl starts counting at Zero (0) undef, null string, and zero (0) all translate to false for Perl.
Scalar is the simplest data form in perl, single object, token, value.
Just like shell scripting single quotes means no interpolation and double quotes is just the opposite.
scalar operators: numeric: + - * / ** % logical: < <= == > >= !=
Review
There exists an operator precedence & associativity scalar assignments $scalar = value; auto-increment ++. auto-decrement - $a =5; $b = ++$a chop vs chomp last character, remove new lines obtaining data from the command line
false == undef, zero or null everything else is true.
while loops while (arg) { do X };
In class lab 2a
Lab notes for this session can be found here: http://www.ulcert.uw.edu
-> Class Content -> InClass labs ->
Q3, Class 2, Unit 2
What we are going to cover x86 and SPARC boot process What should you leave this session with: General overview of the boot process.
Difference between x86 and SPARC during boot.
The SPARC initial boot process
The instructions for the bootstrap procedure are stored in the boot Programmable read only Memory (PROM). Once power is provided to the host PROM will display system ID info and run self diagnostics to verify system hardware and memory. The system then attempts to auto-boot.
X86 initial boot process
The x86 systems do not have a PROM. These system use a BIOS and GRUB to perform the same initialization.
The BIOS will initialize CPU, Memory, and hardware. After the system starts to boot control is transferred to GRUB.
GRUB
Oracle Solaris uses GRUB as the boot loader for x86 systems. Starting with Solaris 11.1 GRUB 2 is the default version.
GRUB displays a list of boot options GRUB contains a command line interface where kernel and boot options can be modified GRUB can support multiple OS installations on the same host.
Boot process
SPARC platform
Boot PROM
Probe memory and CPU Probe bus devices Use boot values to boot OS Install console, display prompt Start the boot process.
x86 platform
BIOS
Initialize the CPU and memory Initialize hardware Load the boot loader GRUB Load boot archive into memory Display a menu of boot entries Select a boot entry to start the boot process.
Bootadm and the boot process.
Bootadm is used on both SPARC and x86 systems to create the boot archive. The boot archive is a subset of the root file system and contains core kernel modules.
This image file (boot archive) is mounted using in-memory disk The ramdisk then reads and executes the kernel contained within the system.
The kernel and the init process.
The kernel loads drivers and modules allowing the I/O system to load and the root file system to be mounted.
After control is passed to the kernel the system begins the init phase.
The init daemon reads /etc/default/init file to set environment variables for the shell that init invokes. By default this includes the CMASK and TZ variables.
Svc.startd and svc.configd
The primary function of the init process is to launch startd which starts configd. Both of these are SMF services. If either fails init will attempt to restart them.
Initializes the STREAMS modules for communication services.
The init process also configures the socket transport providers for network connections.
Standard boot process
Boot loader phase • The root filesystem boot archive is loaded from the default ZFS dataset Booter phase • The boot archive is read and executed.
• The boot archive is an image file that contains the files require for booting Ramdisk Phase • Ramdisk extracts the kernel image from the boot archive and executes it.
• On x86 systems GRUB loads the kernel file and the boot archive into memory.
Kernel Phase • System is initialized and a minimal root file system is mounted on the ramdisk • Kernel runs /sbin/init to start the init phase Init phase • init reads /etc/inittab for instructions on starting other processes, initializes stream modules and starts up the svc.startd daemon.
Svc.startd
phase • Startd starts the system services and boots the system to the appropriate milestone. This includes mounting files systems, network configuration and starting legacy RC scripts
SMF and svc.startd
Prior to Solaris 10 init and the init.d scripts would start all the processes and bring the system to the default “run-level”.
In Solaris 10/11 SMF and more precisely svc.startd is responsible for starting the system services.
Benefits of SMF
SMF will automatically restart failed services.
Provides a backup, restore and fallback process for changes to services.
Provides one method to enable and disable either temporarily or permanently services.
Provides a method to delegate services to non root users.
Allow for parallel starting and stopping of services.
Provide compatibility with legacy scripts.
Milestones vs run levels
SMF services are grouped together into “milestones” which are groupings of services. However, milestones do not replace “run-levels”. There are milestones that are equivalent to run-levels.
Milestone/single-user => single user Milestone/multi-user => run level 2 Milestone/multi-user-server => run level 3
Review
boot procedures stored in PROM launches self-diagnostics attempts auto-boot x86 systems do not have a PROM, they use a BIOS and GRUB instead.
Once the hardware is verified and the bootstrap process complete bootadm is used to create a boot archive boot archive mounted in-memory ramdisk reads and execute the kernel.
review
kernel load drivers and modules init phase started, init reads /etc/default/init to set environment variables.
init launches svc.startd which in turn starts svc.configd
SMF services have replaced the functionality previously supported by init.d and rc scripts.
run-levels are a collections of SMF services. They are similar but not a replacement for run levels.
In class lab 2b
Lab notes for this session can be found here: http://www.ulcert.uw.edu
-> Class Content -> InClass labs ->
Q3, Class 2, Unit 3
What we are going to cover: The Solaris IPF firewall.
What you should leave this session with: IPF packet flow and controls.
How to administer your IPF firewall.
IPF
The Solaris firewall is based on an open source project: IP Filter firewall.
The Solaris IPF Filter replaces the previous solution "SunScreen" as the default firewall solution.
IPF is a based on the open source IP Filter software written primarily by Darren Reed.
Basic IPF features
The Solaris firewall provides packet filtering by IP, port, protocol, network interface, and traffic direction.
The Solaris firewall can filter by individual source or destination or by a range of addresses. The Solaris firewall can do NAT, PAT, and stateful packet inspection.
IPF supports both ipv4 and ipv6 networks.
NAT overview with IPF
NAT rules setup mapping rules that translate source and destination IP addresses into other internet or intranet addresses. NAT can be used to redirect traffic from one port to another port. NAT will maintain the integrity of the packet during any modification or redirection applied to that packet.
NAT rules are created with using ipnat or by manually editing the ipnat.conf file.
We will not be working with NAT rules.
IPF address pools.
Address pools establish a single reference that is used to name a group of address/netmask pairs. These pools reduce the time needed to match IP addresses to rules and assist in reducing complexity in large groups of addresses. The address pool configurations that you want to be loaded at boot time should be kept in /etc/ipf/ippool.conf.
Address pool configurations can be loaded at any time using the ippool command.
Basic IPF configuration
As you may expect the Solaris IPF is managed by SMF svc:network/ipfilter.
IPF configurations are stored in text files. IPF is NOT enabled by default. To change this we will have to edit configuration files and manually activate IPF.
IPF supports the ideas of an active and inactive rule set. You can manage the inactive rule set using ipf -I, this rule set will not be used unless activated.
IPF configuration cont.
IPF can be used to provide firewall services or NAT services.
configuration files stored under /etc/ipf/ are read at boot. examples are ipf.conf, ipnat.conf, ippool.conf
The Solaris firewall configuration abides by common UNIX conventions such as the # sign and ignoring extra white space.
The Solaris firewall - components
The Solaris IP Filter (F/W) provides a set of user-level utilities programs one kernel module: ipf ipf is the core packet filtering and NAT logic module. It uses the packet filter hooks to enable IP Filter. Prior to Solaris 10 7/07 ipf utilized the pfil kernel module for this functionality.
The Solaris firewall - utilities
ipf – used to add and remove rules ipfstat – report on firewall stats ipmon – used to open the log device and view logged packets ipnat – work with NAT rules and display NAT satistics. ippool – used to create and manage address pools.
Ndd – display current filtering parameters of the pfil STREAMS module.
The Solaris firewall – filter rules
Basic syntax for rules is: Action [in|out] option keyword, keyword. Rules are read top to bottom By default the rules are checked against all rules and the LAST match is applied.
To block all traffic from one subnet block in from 192.168.4.0/24 to any If no net-mask is given /32 is assumed.
Ipf filter rules
IPF processes the rules in their entirety and the LAST match takes effect. The default behavior for the IPF firewall is to ALLOW traffic, packets that do not match any rule are passed through the filter.
There are two exceptions to this process: if you use the "quick" keyword then the action for that rule is taken and no other rules are checked. The other exception is related to the keyword "group" if a packet matches a rule containing the "group" keyword then only rules with the group are checked.
Solaris firewall “quick”
The quick keyword provided by sun for the firewall changes the default behavior. Using this keyword causes the matched rule to be applied to the rule and no other rules checked.
# block any short fragmented packets # which are very unlikely to be real.
block in log quick all with short
Adding rules
rules can be added at the command line with ipf or via the configuration files.
You can manage the inactive ruleset using ipf -I, this rule set will not be used unless activated.
*Remember rules stored under /etc/ipf/ are read in at boot time by default.
Basic rule syntax
Rules are created using: action [in|out] option keyword, keyword.
common actions include block – prevent packet pass – allow packet log – log packet count - includes the packet in the filter statistics which can be viewed with ipfstat.
skip (number) – ignore X number of rules auth – request that the packet authentication be preformed by a user program.
Either In or Out is required after “Action”.
Rule syntax cont.
After Action and either In or Out comes a keyword.
log – if the rule is the last match.
quick – execute rule and stop further checks on – only applied if packet moving in our out of the specified interface dup-to – copies the packet and send the duplicate out on the referenced interface to – moves the packet to an outbound queue.
If more than one is used it must be in this order.
Rule sample
Remember: After action you must define either in or out as related to the packet being inbound or outbound.
Next you can apply an option but if you choose more than one option the order is important.
the same is true of all options applied at this point.
A simple rule sample might be: block in quick from 192.168.0.0./16 to any This blocks inbound packets from 192.168.0.0/16.
Base ipf.conf
If there is no ipf.conf file the firewall acts as though the rule set is: pass in all pass out all if you want to configure NAT or Pools use ipnat.conf or ippool.conf respectively.
To log all packets update the previous lines to: pass in log on
Running a quick test
First view currently loaded rules ipfstat -io Remove current rule set and load a new rule set ipf -Fa -f /etc/ipf/ipf.conf
Check status again.
[ angus ~ ] $ sudo ipfstat -io pass out log on net0 all pass in log on net0 all
How to enable IPF
First you will need root access to enable IPF (or assume the appropriate role).
Next you will need to create a packet filtering rule set and any other rule sets you want to use such as a NAT rule set or address pool set.
Activate the IPF svcadm enable network/ipfilter
IPF administration
If you have disabled the IPF you can re-enable it by forcing a reboot (drastic) or use the "ipf" with a -E followed by a -f
ipf –E ipf -f
IPF admin cont.
View active packet filtering using: ipfstat -i # inbound rules ipfstat -o # outbound rules or both ipfstat -io Or if you have an inactive rule set you want to review: ipfstat -I -io If your rule set is not managed under /etc/ipf you can active this alternate rule set and deactivate the current rule set using -Fa -f filename ipf -Fa -f filename To just remove the current inbound or outbound rule set use -Fa. -a removes all filtering rules to just remove the inbound rules use -i or -o for just the outbound rules.
IPF admin cont.
You can switch between active and inactive rules sets using ipf -s This will force the inactive set active and vice versa.
use ipfstat -I -io and ipfstat -io to monitor the inactve and active ruleset respectively.
use ipfstat to view the state table, use -t for a top format output and -s for statistics ipfstat -t, ipfstat -s
logging
Backup your /etc/sysconf.conf file and then add something like: # ipfilter log data (tab between columns, not spaces).
local0.debug
/var/log/ipf.log
# ipf logs as local0 Create the log file using touch touch /var/log/ipf.log
Restart the syslog service svcadm restart system-log
Logging continued.
Once you have logging enabled you now need to define what to log.
Remember one of the key words was "log".
pass in
log
on net0 all Now tail: /var/log/ipf.log
Review
based on IP filter firewall, written by Darren Reed.
replaces sunscreen as the default solution.
packet filtering by IP, port, protocol, network interface, and traffic direction.
supports NAT, PAT and stateful packet inspection.
managed using SMF (svcadm disable|enable ipfilter) svcs -x ipfilter configurations stored in text files under /etc/ipf/. These are read in at boot.
IPF is the core filter tool.
utilities include, ipf, ipfs, ipfstat, ipmon, ipnat, ippool.
basic firewall syntax: action, direction, packet block in from
to all Rules read from top to bottom, LAST match is applied. default ALLOW.Exceptions to this rule for keywords quick and group.
Review
To Enable ipf will require root access or the appropriate role. Next create an ipf.conf rule set and finally activate ipf.
you can enable IPF using ipf -E or using a specific configuration using ipf -f
Disable using ipf -Fa monitor ipf stats using ipfstat -t, ipfstat -s enable logging, update sysconf.conf to include local0.debug
/var/log/ipf.log # tab between columns.
create the log file sudo touch /var/log/ipf.log
restart syslog service svcadm restart system-log include "log" action in your ipf rules pass in
log
on net0 all
In class lab 2c
Lab notes for this session can be found here: http://www.ulcert.uw.edu
-> Class Content -> InClass labs ->
Homework
Will be posted later this evening.