This is a "feature" of Solaris' STREAMS-based TCP/IP stack. Basically you have to add a rule that allows the TCP Reset generated by IPF to leave the interface. So let's say that you want to return-rst on ident, port 113, so that sending mail doesn't give long delays, and IRC works:
#return-rst for ident
block return-rst in quick on ppp0 proto tcp from any to any port = 113
pass out quick on ppp0 proto tcp from any port = 113 to any flags R/RSFUP
The first rule just blocks with return-rst; the second rule allows packets out from port 113 with the RESET flag set.
Sun has a compiler usually installed in /usr/ucb/cc. Unfortunately, it's a really expensive compiler that doesn't ship with Solaris by default. Fortunately, since Solaris 8, they've included gcc for you on the Solaris Companion CD; it's a package called SFWgcc.
If you're using an older version of Solaris you can get gcc from SunFreeware.com.
You're most likely trying to use an IPF module compiled as a 32-bit binary. You need to compile it as a 64-bit binary, so you must either use the cc from SUNWspro or GCC 3.0 (see VII-5). GCC 2.x will NOT work. SUNWspro is available from Sun; you can get a demo license (please READ what you can and cannot do according to the demo license).
Type isainfo -vk. Note that Solaris x86 only runs in 32-bit mode.
GCC 2.x cannot make 64-bit executables. However, GCC 3.x can. GCC 3.x, however, is new and not field tested, and thus the following procedure should be used at your own risk. Thanks to Eben, this is how to compile a SPARC 64-bit GCC 3.0.x that will compile 64-bit executables, starting with a working 32-bit gcc 2.95.x. Eben would like to note that this procedure is based on a July 10th posting to gnu.gcc.help by Juergen Keil and Davide Higheley, sent to me by Ish Rattan.
Notes:
- For steps 2 and 3 below you will need to have /usr/local/gcc-3.0sparcv9/bin before /usr/local/bin in your PATH, as is noted in the procedure.
- Step 3 is optional. You can use the 32-bit GCC that has the ability to make 64-bit binaries, but most people prefer to use a 64-bit binary to make 64-bit binaries.
Procedure:
- Step 1: Create 32-bit GCC 3.0 that can only make 32-bit binaries
# tcsh
# pwd
/usr/local/gcc-3.0
# mkdir gcc-3.0sparc
# cd gcc-3.0sparc
# ../../gcc-3.0/configure --prefix=/usr/local/gcc-3.0sparc --enable-languages=c
# make
# make install
- Step 2: Create 32-bit GCC 3.0 that can make 64-bit binaries
# cd ..
# mkdir gcc-3.0sparcv9
# cd gcc-3.0sparcv9
# echo $PATH
/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/ccs/lib:/usr/include:/usr/ucb:/usr/local/bin
# setenv PATH /usr/local/gcc-3.0sparc/bin:{$PATH}
# ../../gcc-3.0/configure --prefix=/usr/local/gcc-3.0sparcv9 --enable-languages=c sparcv9-sun-solaris2
# make
# make install
- Step 3: Create 64-bit GCC 3.0 that can make 64-bit binaries
# setenv PATH /usr/local/gcc-3.0sparcv9/bin:{$PATH}
# cd ..
# rm -r gcc-3.0sparcv9
# mkdir gcc-3.0sparcv9
# cd gcc-3.0sparcv9
# ../../gcc-3.0/configure --prefix=/usr/local/gcc-3.0sparcv9 --enable-languages=c sparcv9-sun-solaris2
# make
# make install
You should then be able to use this new GCC to compile a 64-bit version of IP Filter!
Sun's Forte Compiler can make 64-bit modules. This compiler is not standard with the OS; you have to buy it separately. However, there is a "try-and-buy" version which you can install and use for a limited time. You can get this time-limited version on CD-ROM or you can download it from Sun.com. Note that the download is very large. Please READ what you can and cannot do according to the demo license.
Some generous individuals have made available precompiled IPF binaries for 64-bit machines. Try http://www.maraudingpirates.org/ipfilter/. You can also try using GCC 3.x (see VII-5).
First select "ipfx", and install that subpackage. When pkgadd completes, rerun pkgadd and then install the "ipf" sub-package.
No. IPF on Solaris only operates as a Layer 3 device (router). This means you need distinct subnets for each host interface.
Solaris's /etc/system is consulted when booting, so you can modify IPF kernel parameters there, for example:
*
* ipf: adjust the default tcp timeouts downward so that
* idle (dead) and half closed states get killed off quicker.
set ipf:fr_tcpidletimeout = 172800
set ipf:fr_tcphalfclosed = 7200
*
* ipf: adjust the state table sizes so we have enough buckets.
* IPSTATE_MAX (=fr_statemax) should be ~70% of IPSTATE_SIZE
* IPSTATE_SIZE (=fr_statesize) has to be a prime number
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
*
* ipf: adjust the NAT table sizes so we have enough buckets.
* generally you have fewer than 127 rules in ipnat.conf
* so no need to waste memory for more.
set ipf:ipf_nattable_sz = 10009
set ipf:ipf_natrules_sz = 127
set ipf:ipf_rdrrules_sz = 127
*
* note that the timers run "2 ticks to a second", so
* for example, written above is the following:
* set ipf:fr_tcpidletimeout = 172800
* this sets the tcp idle connection timeout to
* (172800/2) / 3600 = 24 hours.
*
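The constraints the comments in that fragment state (fr_statesize must be prime, fr_statemax should be about 70% of it, timers count two ticks per second) are easy to get wrong when editing /etc/system by hand. The following is an added example, not from the FAQ or from the IP Filter project: it parses the `set ipf:` lines of a constructed /etc/system sample and checks them against those rules.

```python
import re

# Constructed sample: the tunables from the FAQ's /etc/system fragment.
SAMPLE_ETC_SYSTEM = """\
* ipf: tcp timeouts (timers run "2 ticks to a second")
set ipf:fr_tcpidletimeout = 172800
set ipf:fr_tcphalfclosed = 7200
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
"""

SET_RE = re.compile(r"^\s*set\s+ipf:(\w+)\s*=\s*(\d+)\s*$")
TICKS_PER_SECOND = 2  # IPF timer granularity stated in the FAQ

def parse_ipf_tunables(text):
    """Return {name: int} for every 'set ipf:name = value' line; '*' lines are comments."""
    tunables = {}
    for line in text.splitlines():
        if line.lstrip().startswith("*"):
            continue
        m = SET_RE.match(line)
        if m:
            tunables[m.group(1)] = int(m.group(2))
    return tunables

def ticks_to_hours(ticks):
    """Convert an IPF timer value in ticks to hours: 172800 ticks -> 24.0."""
    return ticks / TICKS_PER_SECOND / 3600

def is_prime(n):
    if n < 2 or (n % 2 == 0 and n != 2):
        return False
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def check_ipf_tunables(tunables):
    """List violations of the rules the FAQ's comments give for the state table."""
    problems = []
    size, mx = tunables.get("fr_statesize"), tunables.get("fr_statemax")
    if size is not None and not is_prime(size):  # IPSTATE_SIZE has to be prime
        problems.append("fr_statesize = %d is not prime" % size)
    if size and mx is not None and not 0.6 <= mx / size <= 0.8:  # IPSTATE_MAX ~70%
        problems.append("fr_statemax = %d is not ~70%% of fr_statesize" % mx)
    return problems
```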
That should be it.
Solaris 8 on SPARC is straightforward; however, doing this on Intel requires a tweak. Here are instructions for both platforms:
- Get Squid-2.4STABLE1
- Get and apply the 6 patches at http://www.squid-cache.org/Versions/v2/2.4/bugs/
Save these as the-patch-filename.patch, then apply them all:
$ for file in `ls *.patch`
> do
> echo "applying patch $file..."
> patch -p0 < $file
> done
- Edit out the ipv6 struct as described in http://marc.theaimsgroup.com/?l=ipfilter&m=99557783205895&w=2
Now for Solaris 8 on Sparc you are ready to go:
# ./configure --enable-ipf-transparent ; make
But for Solaris 8 on x86 you need two more steps...
- First solve the va_args issue with gcc 2.95.2 on x86
# diff -c src/client_side.c.orig src/client_side.c
*** src/client_side.c.orig Thu Jul 19 17:41:12 2001#
--- src/client_side.c Thu Jul 19 17:41:45 2001
***************
*** 37,42 ****
--- 37,45 ----
#if IPF_TRANSPARENT #if HAVE_SYS_IOCTL_H + #if defined(va_start) /* dirty hack. sol7/8 x86 + gcc 2.95.2 */ + #define _SYS_VARARGS_H + #endif #include#endif #include
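Review bot: the added `#if defined(va_start)` guard keys only on whether va_start is already a macro, so the `#define _SYS_VARARGS_H` fires on every platform and compiler where that is true, not just the Solaris 7/8 x86 with gcc 2.95.2 that the comment names; add a Solaris/i386 test alongside `defined(va_start)` or move the decision into configure, and expand the "dirty hack" comment to say that it suppresses inclusion of the system varargs header, so a later reader knows what breaks without it.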
- Next solve the #define free issue (WTF?)
# diff -c src/squid.h.orig src/squid.h
*** src/squid.h.orig Thu Jul 19 17:38:57 2001 --- src/squid.h Thu Jul 19 17:40:26 2001 *************** *** 403,411 **** #ifndef malloc #define malloc + #endif ! #ifndef free ! #define free + ! #endif #ifndef calloc #define calloc + #endif --- 403,411 ---- #ifndef malloc #define malloc + #endif ! //#ifndef free ! //#define free + ! //#endif #ifndef calloc #define calloc + #endif#
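Review bot: the three `free` lines are disabled by prefixing them with `//`, which is a C99/C++ comment that strict C89 compilers reject; wrap the block in `#if 0` / `#endif` or delete the lines instead, and since the accompanying text admits nobody knows why the free macro breaks the build (the "WTF?"), add a comment next to the remaining malloc and calloc wrappers recording that free is deliberately left unwrapped on Solaris x86.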
- Now, finally, for Solaris 8 x86 you can run:
# ./configure --enable-ipf-transparent ; make
The loopback interface on Solaris is a "fake" interface. You cannot filter it, nor can you snoop it. This is for performance reasons.