Friday, November 20, 2009

Upgrade to Fedora 12 using preupgrade

Today I upgraded my work laptop from Fedora 10 to Fedora 12 using 'preupgrade' and, guess what, everything went smoothly and here I am, currently blogging from Fedora 12 :)

Perhaps I have upgraded to Fedora 12 on both of my work and home laptops.

Here are the steps which I followed to upgrade to Fedora 12.

1. The Fedora 12 upgrade requires quite some extra space on the /boot partition (which is 200MB by default on a Fedora install), so before doing the upgrade first remove all the extra kernels and leave only the last working one.

2. Adjust the number of reserved filesystem blocks on the /boot partition using the tune2fs command. First, identify the block device for your /boot filesystem. In the example below, /dev/sda3 is the block device for the /boot filesystem.

# mount | grep "/boot"
/dev/sda3 on /boot type ext4 (rw)

Now, adjust the number of reserved blocks for the /boot filesystem using tune2fs; -r 0 sets the reserved block count to zero, so the space that ext4 normally holds back for root becomes available to the upgrade:

# tune2fs -r 0 /dev/sda3

3. Finally, run the preupgrade command to start fetching the packages while you continue to do your work; remember that the download will take time depending on your Internet bandwidth :)

# preupgrade

Or

sudo preupgrade

4. After the download finishes it will ask you to reboot the system, and then the installation process will begin, which again takes some time. Then only one last reboot and here is the shiny Fedora 12 Constantine desktop :)

5. Some packages may no longer be supported by the new release. You may wish to remove these packages because they will no longer get security updates, and they may cause later conflicts with supported packages. These can be identified with the following command:

package-cleanup --orphans

Saturday, November 14, 2009

Securing Solaris 10 Host using ipfilter

Although the “svc:/network/pfil:default” service is enabled and online on a default Solaris 10 installation, no device driver has been configured for it. So, to enable IPFilter, you need to configure “pfil” so that it gets autopushed onto the network drivers for which you want to enable your firewall, and then the network interfaces need to be plumbed or replumbed.

The point to note here is that IPFilter is enabled per network device driver (hme, ge, qfe,… ).

# vi /etc/ipf/pfil.ap

and uncomment the lines for the specific drivers you are interested in; see man ipf(1M) for more.

You now have two choices. One: reboot. At boot time, when the “pfil” service is started, the startup script /lib/svc/method/pfil runs the autopush command on the /etc/ipf/pfil.ap file before the network interfaces are configured, so everything works as expected. Note that the same script also starts IPFilter with a very restrictive set of rules to cover the window of vulnerability between the time the network is initialized and the time the “ipfilter” service is started.


Two: do it by hand without rebooting, i.e. enable the service, autopush the driver and replumb the interface:

svcadm enable ipfilter

autopush -f /etc/ipf/pfil.ap
ifconfig bge0 unplumb
ifconfig bge0 plumb xxx.xx.xxx.xxx netmask 255.255.255.0 up


Now you are ready to write your firewall rules.

You will find some examples of the ipf.conf configuration file in /usr/share/ipfilter/examples. Just copy one of them over /etc/ipf/ipf.conf to start playing around.

Sample firewall rules:

#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
#
# block all inbound packets.
#
block in from any to any
#
# pass through packets to and from localhost.
#
pass in from 127.0.0.1/32 to 127.0.0.1/32
#
# allow a variety of individual hosts to send any type of IP packet to any
# other host.
#
pass in from xxx.xx.xxx.xxx/32 to any
pass in from xxx.xx.xx.xxx/32 to any
#
# Allow all ICMP
pass in proto icmp from any to any

# Allow all Radius (the localhost running Radius software for authentication)
pass in proto udp from any to any port = 1812
pass in proto udp from any to any port = 1813
pass in proto tcp from any to any port = 1812
pass in proto tcp from any to any port = 1813

# Allow all from internal LAN
pass in from xx.xxx.xxx.0/24 to any
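Two points in the sample above are worth tightening before it goes on a production host: it keeps no state, so replies to connections the host itself opens to addresses outside the listed hosts and LAN are dropped by the catch-all block, and it accepts RADIUS (and all ICMP) from any source, although RADIUS only needs UDP 1812/1813. The following stateful variant is an added example, not the original post's file; the interface name bge0 is taken from the plumb commands above, and 192.0.2.0/24 and 198.51.100.10 are placeholder addresses standing in for the LAN and the one trusted host.

```ipf
#
# ipf.conf - stateful variant (added example, not the original post's file)
# bge0 and the addresses below are placeholders; adjust them to your host.
#
# Default policy: drop and log everything, in both directions. These two
# rules are deliberately NOT "quick", so a later "quick" pass rule can
# override them (ipf is last-match-wins unless a quick rule matches).
#
block in log all
block out log all
#
# Loopback traffic is always fine.
#
pass in quick on lo0 all
pass out quick on lo0 all
#
# Let the host open its own connections; "keep state" admits the replies
# even though no inbound rule names the remote host. "flags S" only
# matches the initial SYN, so existing sessions cannot be spoofed in.
#
pass out quick on bge0 proto tcp from any to any flags S keep state
pass out quick on bge0 proto udp from any to any keep state
pass out quick on bge0 proto icmp from any to any keep state
#
# RADIUS authentication (1812) and accounting (1813) are UDP only;
# accept them from the LAN the NAS clients live on, not from the Internet.
#
pass in quick on bge0 proto udp from 192.0.2.0/24 to any port = 1812 keep state
pass in quick on bge0 proto udp from 192.0.2.0/24 to any port = 1813 keep state
#
# Echo requests from the LAN only, instead of all ICMP from anywhere.
#
pass in quick on bge0 proto icmp from 192.0.2.0/24 to any icmp-type echo keep state
#
# One trusted administration host may open TCP connections to this box.
#
pass in quick on bge0 proto tcp from 198.51.100.10/32 to any flags S keep state
```

Load it with ipf -Fa -f /etc/ipf/ipf.conf and check the decision for a given packet with ipftest before relying on it; the block rules log, so ipmon will show anything the policy rejects.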

Enabling/Disabling ipf

ipf -D                          disable the filter
ipf -E                          enable the filter

ipf -Fa -f /etc/ipf/ipf.conf    flush all current rules and load the rules from /etc/ipf/ipf.conf

See man ipf(1M) for more on ipf.