Configuring a Solaris 2.6 or Solaris 7 Desktop Computer for Use as an Inova Host

  1. Create the files /etc/default/telnetd and /etc/default/ftpd.  Each of these files should contain the single line below; an empty BANNER keeps in.telnetd and in.ftpd from announcing the SunOS release to whoever connects, which is the first thing a scanner reads:

    BANNER=""
     

  2. Add the following lines at the end of the file /etc/system.  The first two make the user stack non-executable and log any attempt to run code from it (effective on sun4u hardware such as the Ultra 5 and 10, and only after the reboot in step 10; it stops the common stack-smashing shellcode but is no substitute for patching).  nfs_portmon makes the NFS server reject requests that do not come from a privileged source port, and priority_paging is a paging-performance tunable rather than a security setting:

    set noexec_user_stack=1
    set noexec_user_stack_log=1
    set nfssrv:nfs_portmon=1
    set priority_paging=1
     

  3. Add the following lines at the end of the file /etc/init.d/inetinit.  ndd settings are not persistent, which is why they go in a start script; as with the scripts in step 5, check after each patch that a replacement inetinit has not dropped them, and confirm after the reboot with ndd -get /dev/ip ip_forwarding (it should print 0).  On a host with two interfaces also create an empty /etc/notrouter, the supported way of keeping inetinit from turning on forwarding between hme0 and hme1.  Together the settings stop the host from routing, from honouring source routes and directed broadcasts, from answering ICMP broadcast probes and from accepting or sending redirects, and move the unprivileged and ephemeral port ranges:

    /usr/sbin/ndd -set /dev/ip ip_forwarding 0
    /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
    /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
    /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
    /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
    /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
    /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
    /usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
    /usr/sbin/ndd -set /dev/ip ip_send_redirects 0
    /usr/sbin/ndd -set /dev/ip ip_ire_pathmtu_interval 300000
    /usr/sbin/ndd -set /dev/tcp tcp_mss_def 546
    /usr/sbin/ndd -set /dev/tcp tcp_smallest_nonpriv_port 2050
    /usr/sbin/ndd -set /dev/udp udp_smallest_anon_port 8192
    /usr/sbin/ndd -set /dev/udp udp_largest_anon_port 32767
     

  4. Change the last line of the file /etc/init.d/inetsvc to read as below.  The stock line already carries -s (run inetd stand-alone rather than under the Service Access Facility); -t is the addition, and it makes inetd log the client address and port of every TCP connection it accepts to syslog, which is how you will see who is probing ftp, telnet and the printer port:

    /usr/sbin/inetd -s -t &
     

  5. Move the startup scripts this host does not need out of the way in /etc/init.d, /etc/rc0.d, /etc/rc1.d, /etc/rc2.d, /etc/rc3.d and /etc/rcS.d as follows.  The rc scripts run only entries whose names begin with S or K, so a file inside the NO or no subdirectory (and carrying that prefix) is never executed, while the original is still there should you need it back.  Be aware that without xntpd the clock free-runs, which makes syslog and ipf log timestamps harder to line up with other machines; if that matters to you, leave xntpd in place:

    in /etc/init.d :

    mkdir NO
    mv audit NO/NOaudit
    mv autoinstall NO/NOautoinstall
    mv cachefs.daemon NO/NOcachefs.daemon
    mv cachefs.root NO/NOcachefs.root
    mv cacheos NO/NOcacheos
    mv cacheos.finish NO/NOcacheos.finish
    mv init.dmi NO/NOinit.dmi
    mv init.snmpdx NO/NOinit.snmpdx
    mv initpcmcia NO/NOinitpcmcia
    mv pcmcia NO/NOpcmcia
    mv sendmail NO/NOsendmail
    mv sysid.net NO/NOsysid.net
    mv tsquantum NO/NOtsquantum
    mv xntpd NO/NOxntpd

     

    in /etc/rc0.d , and /etc/rc1.d :

    mkdir no
    mv K07dmi no/noK07dmi
    mv K07snmpdx no/noK07snmpdx
    mv K33audit no/noK33audit
    mv K36sendmail no/noK36sendmail
    mv K40xntpd no/noK40xntpd

     

    in /etc/rc2.d :

    mkdir no
    mv K07dmi no/noK07dmi
    mv K07snmpdx no/noK07snmpdx
    mv S30sysid.net no/noS30sysid.net
    mv S72autoinstall no/noS72autoinstall
    mv S73cachefs.daemon no/noS73cachefs.daemon
    mv S74xntpd no/noS74xntpd
    mv S88sendmail no/noS88sendmail
    mv S93cacheos.finish no/noS93cacheos.finish
    mv S99audit no/noS99audit
    mv S99tsquantum no/noS99tsquantum

     

    in /etc/rc3.d :

    mkdir no
    mv S76snmpdx no/noS76snmpdx
    mv S77dmi no/noS77dmi

     

    in /etc/rcS.d :

    mkdir no
    mv K07dmi no/noK07dmi
    mv K07snmpdx no/noK07snmpdx
    mv K33audit no/noK33audit
    mv K36sendmail no/noK36sendmail
    mv K40xntpd no/noK40xntpd
    mv S10initpcmcia no/noS10initpcmcia
    mv S35cacheos.sh no/noS35cacheos.sh
    mv S41cachefs.root no/noS41cachefs.root

     

    The resulting directories should now read:

    /etc/init.d:

    ANNOUNCE       coreadm      keymap        power             syslog
    MOUNTFSYS      cron         lp            rc.vnmr           ufs_quota
    NO             devfsadm     mcd           rootusr           utmpd
    PRESERVE       devlinks     mkdtab        rpc               volmgt
    README         drvconfig    nfs.client    savecore
    RMTMPFILES     dtlogin      nfs.server    standardmounts
    autofs         inetinit     nscd          sysetup
    buildmnttab    inetsvc      spc           sysid.sys

     

    /etc/rc0.d:

    K00ANNOUNCE      K35volmgt    K39spc       K41autofs        K43inet
    K10dtlogin       K36utmpd     K40cron      K41nfs.client    K83devfsadm
    K19rc.vnmr       K37power     K40nscd      K41rpc           no
    K28nfs.server    K39lp        K40syslog    K42inetsvc

     

    /etc/rc1.d:

    K00ANNOUNCE      K36utmpd    K40cron      K41rpc          no
    K10dtlogin       K37power    K40nscd      K42inetsvc
    K28nfs.server    K39lp       K40syslog    K43inet
    K35volmgt        K39spc      K41autofs    S01MOUNTFSYS

     

    /etc/rc2.d:

    K28nfs.server    S71rpc           S75cron        S85power
    README           S71sysid.sys     S75savecore    S88utmpd
    S01MOUNTFSYS     S72inetsvc       S76nscd        S92volmgt
    S05RMTMPFILES    S73nfs.client    S80PRESERVE    S99dtlogin
    S20sysetup       S74autofs        S80lp          no
    S69inet          S74syslog        S80spc

     

    /etc/rc3.d:

    README    S15nfs.server    S19rc.vnmr    no
     

    /etc/rcS.d:

    K10dtlogin       K39spc       K42inetsvc              S42coreadm
    K28nfs.server    K40cron      K43inet                 S50devfsadm
    K35volmgt        K40nscd      README                  S70buildmnttab.sh
    K36utmpd         K40syslog    S30rootusr.sh           no
    K37power         K41autofs    S33keymap.sh
    K39lp            K41rpc       S40standardmounts.sh

    Note that all of this has to be re-checked whenever Solaris patches are installed, because some patches reinstall the scripts and links that were moved aside above.
     

  6. Run the following commands to keep keyserv (the Secure RPC key server, which /etc/init.d/rpc starts only if the binary is executable) from being launched:

    cd /usr/sbin
    mv keyserv NOkeyserv

    This is another thing that has to be checked when Solaris patches are applied because some patches add new versions of this file.
     

  7. Run the following commands to eliminate login prompts on the serial ports.  This drops the sc entry that starts the Service Access Controller; the console login is a separate ttymon entry in inittab and is not affected:

    grep -v /usr/lib/saf/sac /etc/inittab > /etc/inittab.new
    mv /etc/inittab.new /etc/inittab
    chown root:sys /etc/inittab
    chmod 644 /etc/inittab

    Run init q afterwards so that init re-reads the file, or simply wait for the reboot in step 10.

     

  8. Edit /etc/inet/inetd.conf so that it reads as follows:

    #
    #ident "@(#)inetd.conf 1.33 98/06/02 SMI" /* SVr4.0 1.5 */
    #
    #
    # Configuration file for inetd(1M). See inetd.conf(4).
    #
    # To re-configure the running inetd process, edit this file, then
    # send the inetd process a SIGHUP.
    #
    # Syntax for socket-based Internet services:
    # <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
    #
    # Syntax for TLI-based Internet services:
    #
    # <service_name> tli <proto> <flags> <user> <server_pathname> <args>
    #
    # Ftp and telnet are standard Internet services.
    #
    ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -l
    telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
    #
    # Tnamed serves the obsolete IEN-116 name server protocol.
    #
    #name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
    #
    # Shell, login, exec, comsat and talk are BSD protocols.
    #
    #shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
    #login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
    #exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
    #comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
    #talk dgram udp wait root /usr/sbin/in.talkd in.talkd
    #
    # Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
    #
    #uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
    #
    # Tftp service is provided primarily for booting. Most sites run this
    # only on machines acting as "boot servers."
    #
    tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers." Many sites choose to disable
    # some or all of these services to improve security.
    #
    #finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
    #systat stream tcp nowait root /usr/bin/ps ps -ef
    #netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
    #
    # Time service is used for clock synchronization.
    #
    #time stream tcp nowait root internal
    #time dgram udp wait root internal
    #
    # Echo, discard, daytime, and chargen are used primarily for testing.
    #
    #echo stream tcp nowait root internal
    #echo dgram udp wait root internal
    #discard stream tcp nowait root internal
    #discard dgram udp wait root internal
    #daytime stream tcp nowait root internal
    #daytime dgram udp wait root internal
    #chargen stream tcp nowait root internal
    #chargen dgram udp wait root internal
    #
    #
    # RPC services syntax:
    # <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> \
    # <pathname> <args>
    #
    # <endpoint-type> can be either "tli" or "stream" or "dgram".
    # For "stream" and "dgram" assume that the endpoint is a socket descriptor.
    # <proto> can be either a nettype or a netid or a "*". The value is
    # first treated as a nettype. If it is not a valid nettype then it is
    # treated as a netid. The "*" is a short-hand way of saying all the
    # transports supported by this system, ie. it equates to the "visible"
    # nettype. The syntax for <proto> is:
    # *|<nettype|netid>|<nettype|netid>{[,<nettype|netid>]}
    # For example:
    # dummy/1 tli rpc/circuit_v,udp wait root /tmp/test_svc test_svc
    #
    # Solstice system and network administration class agent server
    #100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
    #
    # Rquotad supports UFS disk quotas for NFS clients
    #
    #rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
    #
    # The rusers service gives out user information. Sites concerned
    # with security may choose to disable it.
    #
    #rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
    #
    # The spray server is used primarily for testing.
    #
    #sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
    #
    # The rwall server allows others to post messages to users on this machine.
    #
    #walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
    #
    # Rstatd is used by programs such as perfmeter.
    #
    rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
    #
    # The rexd server provides only minimal authentication and is often not run
    #
    #rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
    #
    # rpc.cmsd is a data base daemon which manages calendar data backed
    # by files in /var/spool/calendar
    #
    #
    # Sun ToolTalk Database Server
    #
    #100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
    #
    # UFS-aware service daemon
    #
    #ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd -p
    #
    # Sun KCMS Profile Server
    #
    #100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
    #
    # Sun Font Server
    #
    #fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
    #
    # CacheFS Daemon
    #
    #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
    #
    # Kerbd Daemon
    #
    #kerbd/4 tli rpc/ticlts wait root /usr/sbin/kerbd kerbd
    #
    # Print Protocol Adaptor - BSD listener
    #
    printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd
    #
    # GSS Daemon
    #
    #100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
    #dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
    #100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
    #536870916/1 dgram rpc/udp wait root /opt/SUNWvts/bin/sunvts /opt/SUNWvts/bin/sunvts -g

    tftp stays enabled because the Inova console boots from it.  in.tftpd -s confines itself to /tftpboot, and if you load the step 9 rule set the port 69 block keeps it reachable only from the console side; without that, anything that can reach hme0 can fetch files from /tftpboot.  If you do not have a printer or plotter connected directly to the NMR host computer, you should also comment out the line that reads:
    printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd
    If you are not running CDE, you should also comment out the line that reads:
    rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
    After editing, send the running inetd a SIGHUP so that it re-reads the file (the reboot in step 10 does this too).
    Regrettably, the CDE services bar starts sdtperfmeter which depends on rpc.rstatd.  I have not yet found a way around that problem.
     

  9. If you are not behind a firewall (you really should be), get and compile IPFilter for your system and run it with the rule set below.  Two things to know before loading it.  IPFilter does not expand $MYIP$ and $MYNET$, so substitute the real values first (and the $MYNET$ rules assume the host sits on a /24).  The anti-spoofing lists reflect which address blocks were unallocated when this was written; nearly all of those /3 to /8 blocks have since been handed to the registries and now carry legitimate traffic, so on a current network keep only the 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 and 224.0.0.0/3 entries unless you have checked the others against current allocation data.
         # /etc/ipf.rules
         # IPFilter rule set for Inova host computer with two ethernet interfaces
         # and unprotected by a firewall, a really bad idea, but this can help.
         # Assumes hme0 is the external interface and hme1 is the ethernet to
         # the Inova console.
         # Definitions (substitute these by hand; ipf does not expand them):
         #     $MYIP$   the exact internet ip address of the host computer
         #     $MYNET$  the first three of the four sets of numbers in the
         #               exact internet ip address of the host computer
         #               (i.e. the host is assumed to be on a /24).
         #
         # default policy
         #
         block in  all
         block out all
         #
         # allow loopback to work
         #
         pass  in  quick on lo0 all
         pass  out quick on lo0 all
         #
         # Allow Inova console to have full access on hme1
         #
         pass  in  quick on hme1 all
         pass  out quick on hme1 all
         #
         # Now, block all sorts of problems from here on out.
         #
         # Block problem packet types
         #
         block in     quick           all             with opt lsrr
         block in     quick           all             with opt ssrr
         block in     quick proto tcp all             with short
         block in log quick proto tcp from any to any flags FUP     # Block & log this OS fingerprinting
         #
         # Block usages that support the NMR console.  These should never be
         # taken from the internet.
         #
         block in quick proto tcp/udp from any to any port = 67             #bootps
         block in quick proto tcp/udp from any to any port = 68             #bootpc
         block in quick proto tcp/udp from any to any port = 69             #tftp
         #
         # Block problematic services.
         #
         block in quick proto tcp/udp from any to any port = sunrpc         #portmap
         block in quick proto tcp/udp from any to any port = 18             #msp (numeric: ipf only resolves names in /etc/services)
         block in quick proto tcp/udp from any to any port = 1109           #kpop
         block in quick proto tcp/udp from any to any port = 1127           #SUP debug
         block in quick proto tcp/udp from any to any port = 1495           #cvc
         block in quick proto tcp/udp from any to any port = 1524           #ingres lock
         block in quick proto tcp/udp from any to any port = 1525           #prospero
         block in quick proto tcp/udp from any to any port = 1645           #radius
         block in quick proto tcp/udp from any to any port = 1646           #radius acct.
         block in quick proto tcp/udp from any to any port = 1760           #www-ldap-gw
         block in quick proto tcp/udp from any to any port = 2049           #nfs
         block in quick proto tcp/udp from any to any port = 2105           #kerberos rlogin
         block in quick proto tcp/udp from any to any port = 2108           #k-init
         block in quick proto tcp/udp from any to any port = 2111           #k X
         block in quick proto tcp/udp from any to any port = 2112           #k ip
         block in quick proto tcp/udp from any to any port = 2120           #K auth
         block in quick proto tcp/udp from any to any port = 2627           #webster dict.
         block in quick proto tcp/udp from any to any port = 4045           #lockd
         block in quick proto tcp/udp from any to any port = 5002           #radio free ethernet
         block in quick proto tcp/udp from any to any port = 5680           #Kana-Kanji server
         block in quick proto tcp     from any to any port 5999 >< 6010     # No X
         block in quick proto tcp/udp from any to any port = 6112           #dtspc
         block in quick proto tcp/udp from any to any port = 7100           #font server
         block in quick proto tcp/udp from any to any port = 7326           #internet CB
         block in quick proto tcp/udp from any to any port = 26740          #hunt (6)
         #
         # Rules for incoming traffic on hme0 
         #
         # Antispoofing incoming rules
         #
         block in     quick on hme0 from          0.0.0.0/8 to any
         block in     quick on hme0 from          2.0.0.0/8 to any
         block in     quick on hme0 from          5.0.0.0/8 to any
         block in     quick on hme0 from         10.0.0.0/8 to any
         block in     quick on hme0 from      20.20.20.0/24 to any
         block in     quick on hme0 from         23.0.0.0/8 to any
         block in     quick on hme0 from         27.0.0.0/8 to any
         block in     quick on hme0 from         31.0.0.0/8 to any
         block in     quick on hme0 from         67.0.0.0/8 to any
         block in     quick on hme0 from         68.0.0.0/6 to any
         block in     quick on hme0 from         72.0.0.0/5 to any
         block in     quick on hme0 from         80.0.0.0/4 to any
         block in     quick on hme0 from         96.0.0.0/3 to any
         block in     quick on hme0 from        127.0.0.0/8 to any
         block in     quick on hme0 from       128.0.0.0/16 to any
         block in     quick on hme0 from      128.66.0.0/16 to any
         block in     quick on hme0 from     169.254.0.0/16 to any
         block in log quick on hme0 from      172.16.0.0/12 to any
         block in     quick on hme0 from     191.255.0.0/16 to any
         block in     quick on hme0 from       192.0.0.0/16 to any
         block in log quick on hme0 from     192.168.0.0/16 to any
         block in     quick on hme0 from        197.0.0.0/8 to any
         block in     quick on hme0 from        201.0.0.0/8 to any
         block in     quick on hme0 from    204.152.64.0/23 to any
         block in     quick on hme0 from        224.0.0.0/3 to any
         #
         # Anti-broadcast incoming rules
         #
         block in     quick on hme0 from 255.255.255.255/32 to any    # No broadcast.
         block in     quick on hme0 from     $MYNET$.255/32 to any
         block in     quick on hme0 from       $MYNET$.0/32 to any
         #
         # Anti-self masquerade rule
         #
         block in log quick on hme0 from $MYIP$/32          to any    # You are not me!
         #
         # Make this, "Don't call us.  We'll call you!"
         # Technically, we could have dispensed with the rules above, but you
         # may want to add some pass rules below to permit local usages.
         # Since you are without a firewall, you probably should only
         # allow ssh from outside.
         #
         # Any local policy rules for incoming traffic should go here.
         #
         block in     quick on hme0 all
         #
         # Rules for outgoing traffic on hme0
         #
         # Anti-spoofing outgoing rules.  These make the system less desirable
         # and less useful to system crackers.
         #
         block out quick on hme0 from !$MYIP$/32 to any                   # Must be from my address
         block out quick on hme0 from   any      to       0.0.0.0/8
         block out quick on hme0 from   any      to       2.0.0.0/8
         block out quick on hme0 from   any      to       5.0.0.0/8
         block out quick on hme0 from   any      to      10.0.0.0/8
         block out quick on hme0 from   any      to   20.20.20.0/24
         block out quick on hme0 from   any      to      23.0.0.0/8
         block out quick on hme0 from   any      to      27.0.0.0/8
         block out quick on hme0 from   any      to      31.0.0.0/8
         block out quick on hme0 from   any      to      67.0.0.0/8
         block out quick on hme0 from   any      to      68.0.0.0/6
         block out quick on hme0 from   any      to      72.0.0.0/5
         block out quick on hme0 from   any      to      80.0.0.0/4
         block out quick on hme0 from   any      to      96.0.0.0/3
         block out quick on hme0 from   any      to     127.0.0.0/8
         block out quick on hme0 from   any      to    128.0.0.0/16
         block out quick on hme0 from   any      to   128.66.0.0/16
         block out quick on hme0 from   any      to  169.254.0.0/16
         block out quick on hme0 from   any      to   172.16.0.0/12
         block out quick on hme0 from   any      to  191.255.0.0/16
         block out quick on hme0 from   any      to    192.0.0.0/16
         block out quick on hme0 from   any      to  192.168.0.0/16
         block out quick on hme0 from   any      to     197.0.0.0/8
         block out quick on hme0 from   any      to     201.0.0.0/8
         block out quick on hme0 from   any      to 204.152.64.0/23
         block out quick on hme0 from   any      to     224.0.0.0/3
         #
         # Anti-broadcast LAN rules
         # Broadcasts to $MYNET$.255/32 and 255.255.255.255/32 are left open so that
         # ordinary IP broadcasts (BOOTP/DHCP requests, for example) still work.
         # ARP is not IP and never passes through IPFilter, so it is unaffected.
         #
         block out quick on hme0 from   any      to    $MYNET$.0/32
         #
         # Anti-self masquerade LAN rules
         #
         block out quick on hme0 from   any      to       $MYIP$/32    # Don't send to self.
         #
         # LAN out going rules which you may want to change to reflect your policy:
         #
         # 1. Allow tcp out to accepted address ranges as telnet, ftp, ssh, and http
         #
         # 2. Allow printing to approved printers ONLY.
         #
         # 3. Allow udp out to domain
         #
         # 4. Allow ping out.
         #
         # Note:  Since our exact IP address was already required above, do not need
         #        specify it here.
         # 
         pass  out           quick on hme0 proto tcp     from any                     to $MYNET$.0/24 port = 515    keep state
         block out log       quick on hme0 proto tcp/udp from any                     to any          port = 515                   #lp only to ours
         pass  out           quick on hme0 proto tcp/udp from any                     to any          port = 53     keep state
         pass  out log first quick on hme0 proto tcp     from any                     to any          port = 80     keep state
         pass  out log first quick on hme0 proto tcp     from any                     to any          port 19 >< 24 keep state   # 20-23: ftp-data, ftp, ssh, telnet
         #
         # This next lets our own in.ftpd open active-mode data connections from
         # port 20, should you add a pass in rule for ftp above.  Telnet and ssh
         # sessions that this host initiates are covered by the rule before it.
         #
         pass  out log first quick on hme0 proto tcp     from any port 19 >< 24       to any          port > 1024   keep state
         #
         # This next allows passive ftp such as is done with web servers: the data
         # connection goes from one of our ephemeral ports to whatever port the
         # server names, so no destination port can be pinned down.  Solaris hands
         # out ephemeral ports from 32768 upward (tcp_smallest_anon_port), so only
         # sessions that land in 32801-35999 get through; the rest meet the final
         # block.  The X block above covers incoming connections only, so this rule
         # does let an X client on this host reach a remote X server.
         #
         pass  out log first quick on hme0 proto tcp     from any port 32800 >< 36000 to any                        keep state
         #
         # ping is last
         #
         pass  out           quick on hme0 proto icmp    from any                     to any          icmp-type 8   keep state
         block out log       quick on hme0               all                                                                          # block everything else forever and log it!
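    Since ipf will not expand the placeholders, the substitution is worth scripting so that a half-edited file is never loaded (a leftover $MYIP$ is a syntax error to ipf).  The script below is an added example, not part of the original page: the template path /etc/ipf.rules.in, the output path /etc/ipf.rules and the script name render_ipf.sh are assumptions, and the three-rule template inside it is a constructed excerpt used only for the self-check.  ipf -Fa -f flushes the old rule set and loads the new one, and ipfstat -io prints the rules the kernel actually holds, which you can compare with the count the script computes:

```shell
#!/bin/sh
# render_ipf.sh: fill in $MYIP$/$MYNET$ in the IPFilter rule set, check the
# result, and load it.  Added example; ipf does not expand placeholders
# itself, and a $MYIP$ left in the file is a syntax error when it is loaded.

# Print the first three octets of a dotted-quad address, nothing for junk.
net_of() {                              # $1 = a.b.c.d  ->  a.b.c
    echo "$1" | awk -F. 'NF == 4 { print $1 "." $2 "." $3 }'
}

# Substitute the placeholders; refuse to leave any $...$ token behind.
# Single quotes keep the backslashes so sed sees a literal dollar sign
# rather than an end-of-line anchor.
render_rules() {                        # $1 = template, $2 = host IP, $3 = output
    ip=$2; net=$(net_of "$ip")
    [ -n "$net" ] || { echo "bad address: $ip" >&2; return 1; }
    sed -e 's/\$MYIP\$/'"$ip"'/g' -e 's/\$MYNET\$/'"$net"'/g' "$1" > "$3" || return 1
    if grep -q '\$MY[A-Z]*\$' "$3"; then
        echo "unexpanded placeholder left in $3" >&2
        return 1
    fi
}

# Number of real rules (comment and blank lines excluded); compare with what
# ipfstat reports after loading.
rule_count() {                          # $1 = rendered rule file
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Load on the host: -Fa flushes the old set first so stale rules cannot
# linger, -f reads the new file, and ipfstat -io shows what the kernel holds.
load_rules() {                          # $1 = rendered rule file
    command -v ipf >/dev/null 2>&1 || { echo "ipf not installed" >&2; return 1; }
    ipf -Fa -f "$1" && ipfstat -io
}

# Constructed three-rule excerpt of the rule set, used only by self_check.
sample_template() {
    cat <<'EOF'
block in  all
block in log quick on hme0 from $MYIP$/32 to any    # You are not me!
pass  out quick on hme0 proto tcp from any to $MYNET$.0/24 port = 515 keep state
EOF
}

# Render the excerpt for a documentation address and verify every placeholder
# went where it should before touching the real template.
self_check() {
    tmp=${TMPDIR:-/tmp}/ipf.$$
    sample_template > "$tmp.tpl"
    render_rules "$tmp.tpl" 192.0.2.10 "$tmp.rules" || return 1
    grep -q '^block in log quick on hme0 from 192\.0\.2\.10/32 ' "$tmp.rules" || return 1
    grep -q ' to 192\.0\.2\.0/24 port = 515 ' "$tmp.rules" || return 1
    [ "$(rule_count "$tmp.rules")" -eq 3 ] || return 1
    rm -f "$tmp.tpl" "$tmp.rules"
}

# Usage on the host:  sh render_ipf.sh <host-ip> [template] [output]
case "$0" in
    *render_ipf.sh)
        self_check || { echo "self-check failed" >&2; exit 1; }
        tpl=${2:-/etc/ipf.rules.in}; out=${3:-/etc/ipf.rules}
        render_rules "$tpl" "$1" "$out" && load_rules "$out"
        ;;
esac
```

    Keep the template with the placeholders under revision control and regenerate the live file from it; that way a later change to the host address is a one-argument rerun rather than a hand edit of forty rules.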
    
    
  10. Reboot the host computer at this point.  Because the boot scripts have been cut down to those an Ultra 5 or Ultra 10 needs as an Inova console host, booting itself should go faster, and because fewer daemons are started, more memory is free as well.  After the reboot, confirm that only the expected services are listening (netstat -a -f inet for sockets, rpcinfo -p for RPC registrations) and that ndd -get /dev/ip ip_forwarding reports 0; repeat that check, and the checks in steps 5 and 6, after every patch installation.
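    The re-check that steps 5 and 6 call for after every patch can be scripted.  The audit below is an added example, not part of the original procedure; it assumes the approved inetd service list from step 8 (ftp, telnet, tftp, rstatd, printer), the file names used above, and a script name of inova_audit.sh.  Every check takes the path it inspects as a parameter, so the whole audit can be tried against a copy of the files before it is run on the host as root with ROOT=/ (the default):

```shell
#!/bin/sh
# inova_audit.sh: re-check the hardening steps above after every patch
# install.  Added example, not part of the original procedure.  Each check
# takes the path of the file or directory it inspects, so the audit can be
# pointed at a test tree; ROOT=/ on the real host.  One ok/FAIL line per
# check; the exit status is the number of failed checks.

ROOT="${ROOT:-/}"

# Step 1: the only live line in /etc/default/telnetd and ftpd is BANNER="".
check_banner() {                        # $1 = path to the default file
    [ -f "$1" ] || return 1
    grep -v '^#' "$1" | grep -q '^BANNER=""$'
}

# Step 2: the /etc/system tunables are present and not commented out.
check_system() {                        # $1 = path to /etc/system
    for want in noexec_user_stack=1 noexec_user_stack_log=1 nfssrv:nfs_portmon=1
    do
        grep -q "^set[[:space:]]*$want" "$1" || return 1
    done
}

# Step 3: the ndd lines are still at the end of inetinit (patches replace it).
check_ndd_lines() {                     # $1 = path to /etc/init.d/inetinit
    grep -q 'ndd -set /dev/ip ip_forwarding 0' "$1" &&
    grep -q 'ndd -set /dev/ip ip_forward_src_routed 0' "$1" &&
    grep -q 'ndd -set /dev/ip ip_ignore_redirect 1' "$1"
}

# Step 8: list the services inetd.conf actually enables (comments stripped),
# and fail if anything outside the approved set has come back.
enabled_services() {                    # $1 = path to inetd.conf
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ print $1 }'
}
check_inetd() {                         # $1 = inetd.conf, $2 = allowed names
    for svc in $(enabled_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;
            *) echo "  unexpected inetd service: $svc"; return 1 ;;
        esac
    done
}

# Step 5: no S or K script for a retired daemon has reappeared in an rc dir.
check_rc() {                            # $1 = rc dir, rest = daemon names
    dir=$1; shift
    for d in "$@"; do
        for f in "$dir"/S[0-9][0-9]"$d" "$dir"/K[0-9][0-9]"$d"; do
            [ -e "$f" ] && { echo "  reappeared: $f"; return 1; }
        done
    done
    return 0
}

# Step 6: keyserv is no longer executable; step 7: no sac entry in inittab.
check_keyserv() { [ ! -x "$1" ]; }                      # $1 = /usr/sbin/keyserv
check_inittab() { ! grep -q '/usr/lib/saf/sac' "$1"; }  # $1 = /etc/inittab

report() {                              # $1 = label, rest = check to run
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; FAILS=$((FAILS + 1)); fi
}

run_audit() {                           # $1 = root of the tree to inspect
    r=$1; FAILS=0
    report "telnetd banner"    check_banner    "$r/etc/default/telnetd"
    report "ftpd banner"       check_banner    "$r/etc/default/ftpd"
    report "/etc/system"       check_system    "$r/etc/system"
    report "ndd in inetinit"   check_ndd_lines "$r/etc/init.d/inetinit"
    report "inetd.conf"        check_inetd     "$r/etc/inet/inetd.conf" \
                                               "ftp telnet tftp rstatd/2-4 printer"
    for d in rc0.d rc1.d rc2.d rc3.d rcS.d; do
        report "$d" check_rc "$r/etc/$d" audit dmi snmpdx sendmail xntpd
    done
    report "keyserv disabled"  check_keyserv   "$r/usr/sbin/keyserv"
    report "no sac in inittab" check_inittab   "$r/etc/inittab"
    return $FAILS
}

# Run the audit only when executed as inova_audit.sh; sourcing the file just
# defines the functions.
case "$0" in
    *inova_audit.sh) run_audit "$ROOT" ;;
esac
```

    Run it by hand or from cron after each patch cluster; a non-zero exit status is the number of checks that failed, and each FAIL line names the file or rc entry that needs attention.  The inetd allow list is the maximum: a host with the printer or rstatd line commented out still passes.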