Getting FTP to work in Solaris 10, RE: config vs. firewall

Similar Messages

• Java downloading function FtpClien.get() do not work in Solaris 10

  I wrote a java ftp code using java class provided by sun (sun.net.ftp.FtpClient). It worked nicely in Solaris8. After new update from Solaris8 to Solaris10, this function does not work anymore. Specifically this function "TelnetInputStream in = ftpClient.get(remotefilename)" does not work. It stucks there forever enven without giving an exception. Does anyone know this problem?
  Thanks
  P.S. I still can use the java function "ftpclient.put()".

  http://forum.java.sun.com/thread.jspa?threadID=5276131
  (never mind that this OpenSPARC forum is utterly wrong for your question)

• I've had an iWeb site running for 4 months and I publish a monthly newsletter. Since August I've been unable to republish. The test connection under FTP settings works but I get an error message when I try to upload newsletter. Am I missing something mis

  I've had an iWeb site running for 4 months and I publish a monthly newsletter. Since August I've been unable to republish. The test connection under FTP settings works but I get an error message when I try to upload newsletter. Am I missing something?

  Where are you hosting the site a what are you using to upload the site files to the server?
  OT

• FTP Clients on E72: can't get any to work

  Hello again.
  So, I've been trying to get FTP Client functionality on my Nokia E72. I guess I'm just doing something wrong, but I cannot figure it out.
  I tried:
  * SIC! FTP (native Symbian App)
  * PaderSyncFTP (Java)
  * MobyExplorer (Java)
  None of the applications work on my E72. They do work however (with the same SIM card) on my Nokia 6120 classic.
  The applications seemingly try to connect on the E72, however it never actually initiates a packet data connection at all. As if there wouldn't be an application trying to access the Internet.. I also tried to set up WLAN as my primary access point. Works for everything else, but not for those FTP clients.
  I tried several FTP servers on different ports (21, 666, 667). All work on 6120 classic, none work on E72. Also tried to switch from passive to active mode to no avail.
  Funny thing is: When I use my PuTTY SSH Client on E72 to just probe an FTP servers port, that works! I can see the connection attempt in my FTP Servers logfile, and I can see the Server responding in PuTTY!! But with the actual FTP clients i never even get out into the network, wether I try to use WLAN or 3.5G..
  I'm lost. Everything else works. SSH2 using PuTTY works, Skype works, webbrowsing works.
  What could be prohibiting all those FTP clients from initiating a connection?! For MobyExplorer I even tried all of its four "connection modes" that they have for "buggy firmwares". Doesn't make a difference at all.
  Also: Those apps never ask for an Access Point on the E72, even if the AP is configured to do so.
  I have no idea what to do...  Any advice would be appreciated! Maybe it's just some strange configuration issue..
  Thanks.

  k-lite is a free codec that makes windows media player 11 work and it has its own player.
  T430u, x301, x200T, x61T, x61, x32, x41T, x40, U160, ThinkPad Tablet 1838-22R, Z500 touch, Yoga Tab 2 Windows 8.1, Yoga Tablet 3 Pro
  Did someone help you today? Press the star on the left to thank them with a Kudo!
  If you find a post helpful and it answers your question, please mark it as an "Accepted Solution"!
  If someone helped you today, pay it forward. Help Someone Else!
  English Community   Deutsche Community   Comunidad en Español   Русскоязычное Сообщество

• Problems getting a static ip working in solaris 10

  Hi,
  I hope this is the right forum for this question..
  I have a Broadcom BCME95751 ethernet adapter, interface bcme0, and the problem is that when i configure it using DHCP it works OK. But when I want a static ip by putting the ip in hostname.bcme0 it gives me this in bootup(pasted only the interesting bits):
  bcme0 : Broadcom NetXtreme Gigabit Ethernet BCM95751 (Copper) is detected
  NOTICE: bcme0 : No Link
  bcme0 is /pci@0,0/pci8086,2660@1c/pci1297,fb95@0
  svc.startd[7]: [ID 652011 daemon.warning] svc:/network/physical:default: Method "/lib/svc/method/net-physical" failed with exit status 96
  NOTICE: bcme0 : Link is Up (100Mbps, Full Duplex, Rx & Tx Flow Control ON)
  And after bootup when i type "ifconfig bcme0" it shows that it's plumbed but IP is 0.0.0.0
  If i do for example "ifconfig bcme0 192.168.1.10 netmask 255.255.255.0 up" after bootup, i can get it to work just fine! But for some reason it doesnt want to assign the ip during bootup.
  Is it possible that the link becomes active ("Link is Up") after a short delay, it fails to assign the IP? Is it possible to delay it somehow. DHCP works for some weird reason, maybe because it waits to get the IP?
  I hope someone would have some ideas on this, i'm new to solaris and pretty frustrated with this. Don't want to configure the interface by hand after every reboot :)
  Thanks!
  Teddie

  But when I want
  a static ip by putting the ip in hostname.bcme0 it
  gives me this in bootup(pasted only the interesting
  bits):As the filename hostname.bcme0 already suggests you don't enter an IP adress there but a hostname. The IP adres is then picked up by checking the hostname against /etc/inet/hosts.
  You might want to check out http://docs.sun.com/app/docs/doc/816-4554/816-4554#hic for more information on this matter.

• Using solaris 11 x86 I do not get usb audio in firefox or additions where can I redirect the internal audio to usb audio? Audio works through solaris

  I upgraded to Solaris 11 x86 and Firefox 3.6.10. I have sound through Solaris but not through Firefox or any of the add-ons.
  I am using USB speakers which work with Solaris Rythmbox. How can I redirect Firefox audio to my USB speakers?

  It works fine, thank you. There is one glitch when I turn off my system and on the next day the audio is missing again. Applying the dsp to dsp 0 reboot and then back to dsp1 reboot I get the audio back.
  Is there any way to restart the process?

• Can't get syslog to work

  I have been trying to get syslog to work to accept logging from my router (which is directed to syslog to the IP address of my primary Mac), but with no success.
  I've gone through Aaron Adams' procedures:
  http://www.aaronadams.net/index.php/2005/06/02/configuringsyslogd_to_accept_logsfrom
  I've edited my /etc/syslog.conf file:
  .err;kern.;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console
  *.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.criti /var/log/system.log
  # COMMENT this out for now to see any local4 messages on system log?
  # ;local4.none
  # Send messages normally sent to the console also to the serial port.
  # To stop messages from being sent out the serial port, comment out this line.
  #.err;kern.;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial
  # The authpriv log file should be restricted access; these
  # messages shouldn't go to terminals or publically-readable
  # files.
  authpriv.*;remoteauth.crit /var/log/secure.log
  lpr.info /var/log/lpr.log
  mail.* /var/log/mail.log
  ftp.* /var/log/ftp.log
  netinfo.err /var/log/netinfo.log
  install.* /var/log/install.log
  install.* @127.0.0.1:32376
  local0.* /var/log/ipfw.log
  *.emerg *
  local0.* /var/log/Airport.log
  local4.* /var/log/local4.log
  # DEBUG: what happens on the other local facilities?
  local1.* /var/log/local1.log
  local2.* /var/log/local2.log
  local3.* /var/log/local3.log
  local5.* /var/log/local5.log
  local6.* /var/log/local6.log
  local7.* /var/log/local7.log
  I've re-loaded /System/Library/LaunchDaemons/com.apple.syslogd.plist, and edited /etc/daily.local, and those mechanisms are working, but always local4.log is an empty file. Empty log files exist in /var/log:
  $ ls -al /var/log | grep "local"
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local1.log
  -rw-r--r-- 1 root wheel 41975 Mar 16 16:38 local2.log
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local3.log
  -rw-r--r-- 1 root wheel 0 Mar 20 03:15 local4.log
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local5.log
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local6.log
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local7.log
  netstat shows two syslog connections:
  $netstat -f inet -a | grep "syslog"
  udp4 0 0 *.syslog .
  udp46 0 0 *.syslog .
  But a port scan (Apple network Utility) from another LAN computer doesn't show port 514 open. I am not running Apple's software firewall.
  It seems to me that without port 514 open, I'll never get anything, but how do I open it. I had assumed that all of the syslog set-up gyrations would cause it to be open.
  Any ideas?
  G4 "Gigabit" Dual-500   Mac OS X (10.4.8)   1.5GB RAM, 1TB internal, SCSI, 802.11g, USB2.0

  Your question about local4 got me to dig further into a few things.
  Aaron Adams has a couple of good posts on how to set up the syslog.conf and daily actions:
  http://www.aaronadams.net/index.php/2005/06/02/configuringsyslogd_to_accept_logsfrom
  But the following article is what got me on the local4 bandwagon (I don't know why it assumes local4 would be used):
  http://www.macosxhints.com/article.php?story=20060327074531639
  As we now know nothing happens on local4 unless it is specifically set up to do so. The following article has the best big-picture summary and references on how to handle logs from different sources (i.e., setting up syslog to redirect messages from the IP address of my router to a special log:
  http://macosx.com/forums/howto-faqs/47791-howto-syslog-remote-events-etc.html
  Anyway, to make a long story short, the router IS actually sending to syslog (I was expecting messages in local4 and never saw anything in syslog because it only shows *.notice and above, and the router mainly spews out *.info. It took a bunch of playing with tcpdump to figure it out (I can't seem to get tcpflow to show UDP, even though the man page says it uses the same library and expresions as tcpdump). So everything is good now, messages are coming in to a special log and overwhelming syslog, logs get rotated properly overnight, with some filtering I get the distilled info I want, and via GeekTool even see it on my desktop in real-time. Thanks for your help!

• Can not get wiki to work

  Hey there,
  I have been trying to set up Leopard server for over a week. I can not get DNS, Open Directory and Wiki to work for me. This is my 5th instal. The first attempt, I went with standard thinking that the ease of use would be an asset, but then after getting it going I realized that there was no FTP access with standard, which was not an option.
  INSTAL 2: I reformatted and went ahead with the advanced server this time around. In no time I had FTP; AFP; iChat and web services running fine. Then when I went to set up wiki i realized that I had to have DNS and Open Directory running before that would work. I guess that I should of read up on that one... I had actually created all of my users and groups in local directory which seemed to work fine for ftp; afp and ichat for a few days but I really wanted to get the wiki going.
  INSTAL 3: I reformatted, set up DNS (or at least I thought I did) Open Directory and then recreated all of my users and groups in Open directory. I quickly got afp running; then ftp and ichat (jabber) with no issues. But when I went ahead with wiki, I could not get it to work properly. I could log into the wiki from my LAN using the local domain name that I had chosen but could not get it to work when I would attempt to do it from home using my dyndns.org account which forwards to my office IP which is mapped through router port 80 to my servers local IP. When doing this I was taken to: http://myurl.dyndns.org/groups/workgroup/
  I got the message:
  "Not Found
  404: No group with that name (workgroup) hosted on this server"
  If I click on "Groups" the error goes away and I see my wiki group but if I clicked on it I would get:
  "Not Found
  404: No group with that name (marcato) hosted on this server"
  When I went back to the office I could still get at my wiki by going to my local url: minserver.local and then selecting groups and then clicking on the desired wiki and then logging in. I then tried to accessing it using the machine's local IP since that is essentially what is happening when I come in from the WAN side using my dyndns.org account. So i typed in its local address and got the 404 error. When I click on groups again, just like when I was home coming in over the WAN, I get the same message. Why would I be seeing the group but not able to log in to it. Why would it allow me to access and use the Wiki from the LAN using miniserver.local but not using the machine's static Local IP address?
  I then decided to go watch all of Sean Collin's videos on Leopard Server in oder to get a handle on this.
  INSTAL 4: Walked through everything with Sean's video up to getting DNS set up. It failed! At this point I was frustrated so I decided to throw in the towel on Advanced. I got out my old tiger installer and set up ftp on another older G4 and then went for INSTAL 5. This time I reverted back to Standard, got all of the services running fine but as soon as I got home I ran into the same issue with the wiki. I could not access it from outside of the Office LAN. I went through and opened every port recommended and still nothing. Then, in efforts to try to make it work and in frustration of the limitations of the Standard interface I upgraded the configuration from standard to advanced to see if I could get to the bottom of this. I went back to reading a bunch more stuff about Mac Server and found the Sudo Changeip -checkhostname. It gave me the proper IP of the server as well as the proper hostname but said that the DNS was not working properly and needed to be repaired. I tried a few hacks I found online but still could not get the DNS going properly
  I am not sure what to do now. In an ideal world I would love to get leopard Advanced running properly so that I could host the wiki, afp, ftp, and ichat (jabber) from the same machine. But no matter what I try I can not seem to wrap my head around DNS. Even if I could do it with Standard and keep the ftp on the old mac with tiger... This is frustrating since I feel really confident with setting up everything else, I just do not seem to be able to get DNS to work properly which I assume has to do with the problem with the wiki not working from the WAN.
  Can someone please help me here?

  I have tried a bunch of hacks to try to get things working and still nothing. I actually find that the server is running really slow now so I am clearly going to be starting from skratch again. I will wait for some advice before I proceed. Here is what I have set up:
  1. I made a fake url using dyndns which routes to the IP address of the router at work. I want to be able to use this address to access the wiki from WAN
  2. I have the following ports opened and assigned to my servers LAN address:
  On TCP 113 113 10.0.1.22 Identification Protocol
  On TCP 88 88 10.0.1.22 Kerberos
  On TCP 106 106 10.0.1.22 Mac OS X Server Password Server
  On TCP 25 25 10.0.1.22 Mail service smtp
  On TCP 123 123 10.0.1.22 Network Time Protocol (NTP)
  On Both 311 311 10.0.1.22 Remote Server Admin / Workgroup
  On TCP 22 22 10.0.1.22 SSH
  On Both 3283 3283 10.0.1.22 Server ARD
  On Both 5900 5900 10.0.1.22 Server VNC ARD
  On UDP 500 500 10.0.1.22 VPN
  On UDP 1701 1701 10.0.1.22 VPN
  On TCP 1723 1723 10.0.1.22 VPN
  On UDP 4500 4500 10.0.1.22 VPN
  On UDP 170 170 10.0.1.22 VPN L2TP
  On Both 80 80 10.0.1.22 Web Server on Mini
  On TCP 625 625 10.0.1.22 Workgroup Manager
  On TCP 21 21 10.0.1.22 ftp
  On Both 8443 8443 10.0.1.22 iCal SSL
  On Both 8008 8008 10.0.1.22 ical server
  On TCP 5190 5190 10.0.1.22 ichat Server
  On TCP 5220 5220 10.0.1.22 ichat Server
  On TCP 5222 5222 10.0.1.22 ichat Server
  On TCP 5223 5223 10.0.1.22 ichat Server
  On TCP 5298 5298 10.0.1.22 ichat Server
  On UDP 5190 5190 10.0.1.22 ichat Server
  On UDP 5297 5297 10.0.1.22 ichat Server
  On UDP 5298 5298 10.0.1.22 ichat Server
  On UDP 5353 5353 10.0.1.22 ichat Server
  On UDP 5678 5678 10.0.1.22 ichat Server
  On UDP 16384-16403 10.0.1.22 ichat Server
  On Both 7777 7777 10.0.1.22 ichat Server file
  On TCP 5269 5269 10.0.1.22 ichat Server to Server
  On Both 5109 5109 10.0.1.22 istat for mini server
  On Both 16563 16563 10.0.1.119 pc
  On Both 8086 8086 10.0.1.22 wiki server
  On Both 8010 8010 10.0.1.22
  3. I am not sure what is meant exactly by a fully qualified domain. From what I understood in Sean's Collin's videos was that this was a url that I was to make up on my local network and that putting the . at the end made it FQDN. I choose: miniserver.local. Am I totally missing the mark here?
  Here are the parts of the set up where I am really confused:
  a. When setting up the server with Server Assistant, when it asks for Primary DNS and computer name. What am I supposed to put in here? I read one post that recommended that quiting the set-up assistant before this point and doing it manually?
  b. Once I get through the assistant and launch Server Admin, and sign into it using the servers local IP, get into DNS and go to add zones, I am REALLY CONFUSED.
  - I add my primary zone, What is the primary zone? What do I enter here? What about the name server? I do not understand the difference between these 2 things.
  c. Then I go to add my A record for the machine. What should its Machine name be? the same as the primary zone?
  What is the easiest way to get through this? I know that once I this is set up and I can get the wiki to work over the WAN that I am not going to have any problems with the rest. I don't even want to bind the computers to the server if I don't have to. I know that for ichat (jabber); afp and ftp that this is not required since every time I have attempted to get the server up these services worked every time without the binding.

• Ldap authentication not working for Solaris 8 host - Help!

  Greetings folks,
  I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
  Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
  ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
  My /etc/nsswitch.conf looks like this:
  passwd: files ldap
  group: files ldap
  My /etc/pam.conf looks like this:
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth sufficient pam_unix_auth.so.1
  login auth required pam_ldap.so.1
  sshd auth requisite pam_authtok_get.so.1
  sshd auth sufficient pam_unix_auth.so.1
  sshd auth required pam_ldap.so.1
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth sufficient pam_unix_auth.so.1
  other auth required pam_ldap.so.1
  passwd auth sufficient pam_passwd_auth.so.1
  passwd auth required pam_ldap.so.1
  I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
  hostname# getent passwd user1
  user1::1001:1001:User 1:/opt/home/user1:/bin/bash
  hostname# ldaplist -l passwd user1
  dn: uid=user1,ou=people,dc=mydomain,dc=com
  shadowFlag: 0
  userPassword: {crypt}(removed)
  uid: user1
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: account
  objectClass: top
  cn: user1
  uidNumber: 1001
  gidNumber: 1001
  gecos: User 1
  homeDirectory: /opt/home/user1
  loginShell: /bin/bash
  However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
  Any ideas?
  Thanks!
  Patrick

  I assume you have applied lastest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
  1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
  2) Did you test and verify telnet/ftp/su working? but SSH not working?
  3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
  4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
  5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
  6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
  7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd defintions as it will follow "other".
  http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
  Gary

• FrameMaker 8.0p277 Generated PDF-to-PDF Links Don't Work On Solaris

  Currently I create a PDF of a book index pointing to several guides. The company logo in each guide's PDF provides a link back to the index.
  All the links worked on Solaris & Windows OSs. Now they do not work on Solaris. I get an error saying, "There was an error opening this document. The file cannot be found."
  All files are located in the same directory and they are all there.
  The only thing that I have changed is the source was in FrameMaker 7 and it is now in FrameMaker 8. I use Acrobat 9 Pro Extended 9.4.6 and I have the latest updates for both Acrobat and FrameMaker.
  I did some more digging and found a difference in the generated postscript file.
  FM8
  [/Rect[1409 2622 4926 2441]/Border[0 0 0] /Action << /Type /Action /S/GoToR /D /F /F << /Type/Filespec/UF <FEFF0063006D00690063002E007000640066> /F(cmic.pdf) >> >>  /Subtype /Link /ANN FmPD2
  FM7
  [/Rect[1830 2661 4578 2430]/Border[0 0 0]/Dest /F/Action/GoToR/File(cmic.pdf)/Subtype /Link /ANN FmPD2
  I am trying to get off of FM7 and it is counter productive to keep generating our final PDFs from FM7 just to get them to work.
  Has anyone else had this problem and know how to resolve it?

  Cross-file links in PDFs authored in FrameMaker 8 use Unicode-encoded file paths and file names, which are only supported in Windows Acrobat/Reader 8.x (MacOS Acrobat/Reader 7.x or later).
  As a result, cross-file links are not functional when the PDF is displayed in earlier Acrobat/Reader versions, even though the target PDFs files are present in the target location.
  While it is possible (through post-processing) to change the links so that they are backward-compatible, I suggest checking whether one of the Reader versions available for Solaris supports Unicode filenames and indicating that such a version is required to view the PDFs.
  Shlomo Perets
  MicroType, http://www.microtype.com
  FrameMaker/TCS training & consulting * FrameMaker-to-Acrobat TimeSavers/Assistants

• I was running Foxfire 3.6.9 and wanted to use FTP Program add-on and it did not appear to load but appeared but then would be installed but not run or appear under tools. So I deleted Foxfire 3.6.9 and down loaded to 3.5.9 so it could get FTP and it is do

  I was running Foxfire 3.6.9 and wanted to use FTP Program add-on and it did not appear to load but appeared but then would be installed but not run or appear under tools. So I deleted Foxfire 3.6.9 and down loaded to 3.5.9 so it could get FTP and it is doing the same could not install. Even after I registered my copy. The last time I used this program it showed up under tools and worked great. any suggestions on whats going on and how I can get around this?.by ralphd3g

  Delete the files extensions.* (extensions.rdf, extensions.cache, extensions.ini) and compatibility.ini in the Firefox [[Profiles|profile folder]] to reset the extensions registry.
  See "Corrupt extension files": http://kb.mozillazine.org/Unable_to_install_themes_or_extensions
  If you see disabled extensions that are not compatible on the next start in "Tools > Add-ons > Extensions" then click the "Find Updates" button to do a compatibility check.

• Does "top" command work in Solaris?

  Does "top" command work in solaris?
  # uname -a
  SunOS rac1 5.10 Generic_120012-14 i86pc i386 i86pc
  # top
  top: not found
  Edited by: user11936985 on Aug 29, 2011 8:44 AM

  Top has two sections, the summary information at the top of the screen which gives load averages, process counts, etc. and a bottom section which lists the "top processes". The prstat command standard report is similar to the bottom section of top. So if that is what you need, then prstat is an adequate substitute. It doesn't report the information in top's summary section. On the other hand, prstat is actually a much more powerful tool than top, especially is you use some of the other options. For example, "prstat -a" gives you the "top process" report plus a summary report of usage by user. If you use "prstat -J" you get a top process report with a summary by project and "prstat -Z" gives a top process report with a summary by zone. You can use options like -v or -m to get more information on each process in the "top process" section. There are other options mentioned in the manual page.
  Top works and works well on Solaris. You can get a copy form sunfreeware and probably other sources as well. It doesn't come from Oracle with Solaris 10 (but does come with Solaris 11). If you're a Linux shop you might want it because it is familiar. However, you may want to look at prstat as well because it can provide some useful information that top does not.

• Ipfilter: does policy routing work on Solaris 10?

  Hello,
  - Does the ipf redirection (aka policy routing) feature work with the
  ipfilter that comes with Solaris 10?
  I would like to use the the ipf redirection statements "to
  interface:router_ip" or "reply-to interface:router_ip" as decribed in
  http://coombs.anu.edu.au/~avalon/ipf.new.txt
  (The syntax is mentionned in the BNF of the Solaris 10 ipf(4) man
  page, but the explanations there are lacking.)
  On a machine that has two interfaces, the purpose is to send output
  reply packets of a TCP session to the same interface that the input
  packets came from. The idea to use ipfilter to do this comes from the
  blog entry:
  Packets out of the wrong interface
  http://blogs.sun.com/carlson/entry/packets_out_of_the_wrong
  My first try was to use "reply-to" in a "keep state" rule:
  pass in quick on e1000g305000 reply-to e1000g305000:10.13.5.1 proto tcp from any to any port = 443 keep state keep frags group i_sso-test1
  Which I understand as "once a connection to port 443 starts on
  interface e1000g305000 send all reply packets to the same interface to
  the gateway 10.13.5.1"
  But it does not work; in the ipf log it shows that the rule matched:
  22:56:32.770690 e1000g305000 @i_sso-test1:1 p 10.194.17.11,5648 -> 10.13.5.181,443 PR tcp len 20 60 -S K-S K-F IN
  22:56:32.770783 e1000g0 @i_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,5648 PR tcp len 20 44 -AS K-S K-F OUT
  But the reply packet is not seen on the router (10.13.5.1), nor does
  it get to 10.194.17.11 through another route (no firewall on that
  machine).
  My second try was to use two stateless rules, and to do "source port
  routing" for outgoing packets:
  pass in quick proto tcp from any to any port = 443 group i_sso-test1
  pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from any port = 443 to any group o_sso-test1
  pass out quick proto tcp from any port = 443 to any group o_sso-test1
  Which I understand as "incoming packets to port 443 are allowed and
  outgoing packets from port 443, if passing on interface e1000g0, are
  redirected through interface e1000g305000 via the gateway 10.13.5.1,
  if not, are just allowed".
  It does not work either; in the ipf log it shows that both the in and
  the first out rules matched:
  23:09:00.591163 e1000g305000 @i_sso-test1:1 p 10.194.17.11,26080 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
  23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT
  But again the reply packet seems to be lost in thin air.
  I have tried various other rules to no avail.
  - Should this work with ipfilter v4.1.9 (592) coming with Solaris 10
  u7?
  - Am I missing something in the configuration?
  - Shouldn't the ipf log show the outgoing reply packet twice? (Once on
  the "wrong" interface e1000g0 and once on the interface it is
  redirected to e1000g305000.) Or indicate in another manner that the
  redirection occurred (like it indicates K-S for "keep state")?
  Context:
  # netstat -rn
  Routing Table: IPv4
  Destination Gateway Flags Ref Use Interface
  default 10.194.7.1 UG 1 2407
  default 10.194.7.1 UG 1 5104 e1000g0
  10.13.5.0 10.13.5.181 U 1 5 e1000g305000:1
  10.194.7.0 10.194.7.81 U 1 3 e1000g0:2
  224.0.0.0 10.194.7.81 U 1 0 e1000g0:2
  127.0.0.1 127.0.0.1 UH 1 7 lo0:7
  # cat /etc/release
  Solaris 10 5/09 s10s_u7wos_08 SPARC
  Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
  Use is subject to license terms.
  Assembled 30 March 2009
  # ipf -V
  ipf: IP Filter: v4.1.9 (592)
  Kernel: IP Filter: v4.1.9
  Running: yes
  Log Flags: 0x70000000 = pass, block, nomatch
  Default: pass all, Logging: available
  Active list: 0
  Feature mask: 0x107
  If it matters, this is occuring in a Solaris 10 zone, whith virtual
  interfaces one of which uses 801.q tagging (vlan 305, subnet
  10.13.5.0/24), and the "router" is a Cisco ACE load balancer with
  interface 10.13.5.1 on the server side.
  Thanks in advance for your help in this matter!
  Best regards,
  Dominique
  Mr Dominique Petitpierre Email: User@Domain
  Division Informatique User=Dominique.Petitpierre
  University of Geneva Domain=unige.ch

  I was saying
  If it matters, this is occurring in a Solaris 10 zone, whith virtual
  interfaces one of which uses 801.q tagging (vlan 305, subnet
  10.13.5.0/24),...Well, it turns out that 802.1q tagging does matter: packets redirected
  by an ipf policy based routing rule to an interface with tagging are
  not transmitted.
  In order to better see what was happening the ipf rules were extended
  like this (stateless case):
  @1 pass in quick on e1000g0 proto tcp from any to any port = 443 group i_sso-test1
  @2 pass in quick on e1000g305000 proto tcp from any to any port = 443 group i_sso-test1
  @1 pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from 10.13.5.181/32 port = 443 to any group o_sso-test1
  @2 pass out quick on e1000g305000 to e1000g0:10.194.7.1 proto tcp from 10.194.7.81/32 port = 443 to any group o_sso-test1
  @3 pass out quick on e1000g305000 proto tcp from any port = 443 to any group o_sso-test1
  @4 pass out quick on e1000g0 proto tcp from any port = 443 to any group o_sso-test1Also, for the purpose of the demonstration, the zone configuration was
  modified to direct all packets to the same interface with tagging,
  thus having just one default route:
  zonecfg -z sso-test1 info net
  net:
          address: 10.13.5.181/24
          physical: e1000g305000
          defrouter: 10.13.5.1
  net:
          address: 10.194.7.81/24
          physical: e1000g305000
          defrouter: 10.13.5.1
  netstat -rn
  Routing Table: IPv4
    Destination           Gateway           Flags  Ref     Use     Interface
  default              10.194.7.1           UG        1       2867          
  default              10.13.5.1            UG        1         86 e1000g305000
  10.13.5.0            10.13.5.181          U         1          2 e1000g305000:1
  10.194.7.0           10.194.7.81          U         1          0 e1000g305000:3
  224.0.0.0            10.13.5.181          U         1          0 e1000g305000:1
  127.0.0.1            127.0.0.1            UH        1          7 lo0:7     (In this peculiar case the default route to 10.194.7.1 is an artifact
  displayed by netstat due to the zone isolation mechanism, but it is
  not actually used for routing at the zone level; the interface without
  tagging, e1000g0, is only displayed on the global zone where ipfilter
  operates)
  When testing from 10.194.17.11 with "telnet 10.13.4.180 443", it
  works. And one can see in the ipf logs that it is the third out rule
  that matched (@o_sso-test1:3), i.e. there was no redirection on
  another interface (proof that there is nothing wrong with the context
  setup):
  16:59:30.479660 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
  16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
  16:59:30.480182 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 40 -A INWhen testing from 10.194.17.11 with "telnet 10.194.7.81 443", it works
  also. This time one can see in the ipf logs that it is the second out
  rule that matched (@o_sso-test1:2), i.e. there was redirection from
  e1000g305000 to e1000g0.
  16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
  16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
  16:59:41.247508 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 52 -A INA packet capture confirms this and one can see in the capture the
  SYN-ACK reply packet go out on e1000g0.
  The reverse case, essentially the original setup shown in my first
  post, where the default route is the interface without tagging
  (e1000g0) and the reply packet matches the redirection rule from
  e1000g0 to the interface with tagging e1000g305000, the packet is lost
  (i.e. is not visible in the packet capture on either interface).
  Further tests with stateful redirection ("reply-to") show the same
  pattern (does not work when packets are redirected to an interface
  with tagging).
  It looks like it is a bug: may be ipfilter injects the redirected
  packet at a processing stage where it should already have a 802.1q tag
  but does not, or something similar; in the working case, ipfilter acts
  on a not yet tagged packet which can be used "as is" at the same
  processing stage on the non tagging interface, and thus is correctly
  transmitted.
  Conclusion: ipfilter policy based routing does work on Solaris 10u7,
  but, at least in my setup, not when redirection occurs to a 802.1q
  tagging interface.
  - Could somebody confirm this?
  - Is this a known bug? (I didn't find anything relevant on sunsolve or
  on the ipfilter mailing list)
  Edited by: kleinstein on Oct 1, 2009 4:22 AM
  Edited by: kleinstein on Oct 1, 2009 4:25 AM
  Edited by: kleinstein on Oct 1, 2009 4:30 AM
  Edited by: kleinstein on Oct 1, 2009 4:32 AM
  Edited by: kleinstein on Oct 1, 2009 4:37 AM
  Edited by: kleinstein on Oct 1, 2009 4:40 AM
  Edited by: kleinstein on Oct 1, 2009 4:41 AM

• How can I get apropos to work?

  I can't get the unix command "apropos" to work. For example, when I type "apropos man", I get "man: nothing appropriate".
  Clearly the database that apropos uses is not built. Normally one uses the "makewhatis" command to build the database but I can't find that command in MAC OS X Tiger.
  Any ideas on how to get apropos to work?
  Where is "makewhatis"?
  Rob

  Just about every OS has its own opinion of where files should be. Mac OS X and Linux are just two examples. Solaris seems to think that /usr/lib/ is the right place
  In either case, locate is your friend:
  <pre class=command>$ locate makewhatis
  /usr/libexec/makewhatis
  /usr/libexec/makewhatis.local
  /usr/share/man/man8/makewhatis.8.gz
  /usr/share/man/man8/makewhatis.local.8.gz</pre>

• Does OSB 2.6 solaris10 (32 bit) work with  solaris 10(64 bit) also ?

  Hi,
  I want OSB 2.6 installer for solaris 10(64 bit). I found the installer for solaris 10(32 bit).
  Will it work on solaris 10(64 bit) also?
  If not, how can get it? As in the metalink it does not show download option for solaris 64 bit m/c.
  Please help..

  Don't know what a service id is, but you will need to be an oracle customer, which I assume you are if you are requesting old software.
  here is the link I use
  https://metalink2.oracle.com/metalink/plsql/f?p=130:14:5775706955868202591::::p14_database_id,p14_docid,p14_show_header,p14_show_help,p14_black_frame,p14_font:NOT,763603.1,1,1,1,helvetica
  cheers
  James