building solaris-based enterprise-class router-firewall project

rossonieri#1 Member Posts: 799
hi guys,

it was interesting enough to learn about logical routers and virtual routers, which also happens to be my interest in learning solaris zones and solaris virtualization.

i'm just wondering if you guys are interested in sharing a solaris project here: we learn to build an enterprise-level firewall utilizing the solaris zones capability (or, if we can't do that, we could use xen as an alternative approach).

so, who will join the rock band?

here are a few resources from Sun on Solaris zones:
BigAdmin: Solaris Containers (Zones)

and, as a starter - we could use webmin as our tool to do it fast, and later - we break the whole process down step by step?
Webmin

our goals :
1. build a basic solaris machine, mine is an x86 Solaris 10 VMware guest with a couple of NICs.
2. build the zones, learn how they work for a while,
3. put in some basic static routing for a test drive, learn how it works too,
4. put some basic ipfilter on the zones *if possible*, test & analyze it
5. put some dynamic routing *if possible*

and, if - that is if - this project can be done successfully, that FreeBSD XEN emulation always seems intimidating :)

consider a collaboration please :)
the More I know, that is more and More I dont know.

Comments

  • rossonieri#1 Member Posts: 799
    ok, now we move on to break our 1 week crash course subject down 1 by 1, shall we? ;)

    day #1
    install & configure a basic solaris 10 system.

    requirement :
    1. vmware-server as our lab tool
    i have it under ubuntu 7.10 with 1GB RAM, single physical NIC

    optionally, you can use any of your favorite virtualization software, like the ones below:
    - qemu http://www.qemu.org/
    - virtualpc http://www.microsoft.com/downloads/details.aspx?FamilyId=04D26402-3199-48A3-AFA2-2DC0B40A73B6

    as long as they support multiple NICs config.

    2. solaris 10 source
    my newest solaris source was only a solaris SXCE nevada which i requested from sun back in 2006/07 - can't remember exactly ;)

    the download site : http://opensolaris.org/os/downloads/

    3. create a basic solaris guest on the vmware-server
    mine is 8GB disk, 512MB RAM, 3 NICs in bridge-mode,
    using 3 NICs - we want to create a router-firewall, right?

    so the scenario we're going to get is like this (under VMware-server):
    pcn0 = global, LAN
    pcn1 = WAN
    pcn2 = DMZ

    install using a basic console/text session - much easier, faster & more economical,
    and since we only want to create a routing & firewalling system - we can discard the JDE & GNOME desktop features (optional, as you like) - so at least we have a little bit stripped-down machine, but just don't forget to check that we need the zone and webmin apps for this lab purpose.

    the zone package is SUNWluzone
    the webmin package is SUNWwebminr

    by default both packages will be installed under the full software package installation.

    a full solaris 10 documentation :
    http://docs.sun.com/app/docs/coll/47.16

    solaris zone-specific introduction is here :
    http://docs.sun.com/app/docs/doc/817-1592/zone?a=view
    (we should read this part - a lot of useful information to understand the zone architecture)

    at this stage, we only need one NIC enabled - so that we can do remote administration to configure the rest of the setup & use sshd.

    after installation,
    1. check our installed NICs :
    # /usr/bin/X11/scanpci -v|grep AMD
     Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
     Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
     Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
    
    2. check the sshd, zone & webmin package :
    # pkginfo -l|grep webmin
       PKGINST:  SUNWwebminr
        VENDOR:  www.webmin.com
       PKGINST:  SUNWwebminu
        VENDOR:  www.webmin.com
    # pkginfo -l|grep zone
       PKGINST:  SUNWluzone
          NAME:  Live Upgrade (zones support)
          DESC:  Live Upgrade (zones support)
       PKGINST:  SUNWzoner
       PKGINST:  SUNWzoneu
    # pkginfo -l|grep sshd
       PKGINST:  SUNWsshdr
       PKGINST:  SUNWsshdu
    

    3. by default the sshd & webmin services are offline, so we should configure them to run :
    # svcs -a|grep ssh
    offline         14:08:33 svc:/network/ssh:default
    # svcs -a|grep webmin
    offline         14:08:35 svc:/application/management/webmin:default
    
    the sshd config files are under /etc/ssh
    the webmin setup executable is /usr/sfw/bin/webminsetup -> just hit enter, and answer the questions carefully ;)

    just dont forget to make backup copies before editing.

    make them start & run :

    svcadm enable ssh
    svcadm enable webmin

    if anything went wrong - the status will say *maintenance* or just stay offline. we can use svcs -xv to see the problem details

    if it goes right :
    # svcs -a|grep ssh
    online         15:58:43 svc:/network/ssh:default
    # svcs -a|grep webmin
    online         15:58:35 svc:/application/management/webmin:default
    

    4. check the webmin via remote browser :

    https://192.168.aa.bb:10000

    if everything goes ok, then that was it - our day 1!!! ;)

    to be continued ...

    i'm not an expert here, so i could need some help if there are mistakes ;)
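A small pre-flight check for the day-1 box, added here as an example (it is not part of the post). The SMF service FMRIs and the package names are the ones listed in the post; the function names, the "live" switch and the sample `svcs -a` / `pkginfo` output are this script's own assumptions. The functions take command output as text so the logic can be tried offline; on the Solaris guest, run the script with the argument `live` to feed it the real `svcs -a` and `pkginfo` output.

```shell
#!/bin/sh
# Added example (not from the thread): check that the services and packages the
# day-1 post relies on are online / installed. Takes command output as text so it
# can run offline; "live" mode calls the real svcs(1) and pkginfo(1).

REQUIRED_SVCS="svc:/network/ssh:default svc:/application/management/webmin:default"
REQUIRED_PKGS="SUNWluzone SUNWzoner SUNWzoneu SUNWwebminr SUNWwebminu SUNWsshdr SUNWsshdu"

# svc_state FMRI SVCS_OUTPUT -> prints the STATE column of `svcs -a` for FMRI,
# or "absent" when the service is not listed at all
svc_state() {
    fmri=$1; out=$2
    state=$(printf '%s\n' "$out" | awk -v f="$fmri" '$NF == f { print $1; exit }')
    if [ -n "$state" ]; then printf '%s\n' "$state"; else printf 'absent\n'; fi
}

# missing_services SVCS_OUTPUT -> one line "FMRI STATE" per required service that
# is not online; a *maintenance* state gets the svcs -xv hint from the post
missing_services() {
    out=$1
    for f in $REQUIRED_SVCS; do
        s=$(svc_state "$f" "$out")
        case $s in
            online) ;;
            maintenance) printf '%s %s (run: svcs -xv %s)\n' "$f" "$s" "$f" ;;
            *) printf '%s %s\n' "$f" "$s" ;;
        esac
    done
}

# missing_packages PKGINFO_OUTPUT -> one required package name per line that does
# not appear in plain `pkginfo` output (columns: category, instance, name)
missing_packages() {
    out=$1
    for p in $REQUIRED_PKGS; do
        if ! printf '%s\n' "$out" | awk -v p="$p" '$2 == p { found = 1 } END { exit !found }'; then
            printf '%s\n' "$p"
        fi
    done
}

# Constructed sample output, shaped like the listings in the post, for an offline dry run
SAMPLE_SVCS='offline         14:08:33 svc:/network/ssh:default
online         14:08:35 svc:/application/management/webmin:default'
SAMPLE_PKGINFO='system      SUNWluzone     Live Upgrade (zones support)
application SUNWwebminr    Webmin - Web-based system administration (root)'

if [ "${1:-}" = live ]; then
    missing_services "$(svcs -a)"
    missing_packages "$(pkginfo)"
else
    echo "== services not online (sample data) =="
    missing_services "$SAMPLE_SVCS"
    echo "== packages missing (sample data) =="
    missing_packages "$SAMPLE_PKGINFO"
fi
```

Against the sample data the script reports sshd as `offline` and five zone/webmin/ssh packages as missing, which is the state the post describes right after a full install with the services still disabled.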
  • rossonieri#1 Member Posts: 799
    continuing to day #2

    after we have successfully installed and configured our firewall requirements (the sshd, the webmin) - now we continue to create zones. and our job now is to read the solaris zone documentation, shall we? ;)

    the basic idea of a solaris zone is probably like this :
    ----------------------
    |                    |
    |                    |
    |                    |
    ----||----||----||----
       NIC#1   2     3
    
    

    now, that box is our basic solaris system - and is called the global zone (global container) in solaris zone terms.

    by default, all the NICs (and any new additional NICs installed) belong to the global zone.

    a child zone, also called a non-global zone (that is the zone that we manually create), can have independent system resources or shared ones - that is controlled using the system resource management function - but it is beyond our scope for now ;)

    now, for our project: a 3-legged router-firewall,
    we create 2 additional zones beside the default global zone, and give each zone a NIC.

    so that will be :
    global zone (LAN), NIC#1
    WAN zone, NIC#2
    DMZ zone, NIC#3

    just make sure that we can reach our solaris system in case anything goes wrong - so that is why i prefer to put the LAN in the global zone, with the 1st NIC.

    now the system will look like this :
    ----------------------
    |        |---| |---| |
    |global  |WAN| |DMZ| |
    |        |   | |   | |
    ----||----||----||----
       NIC#1   2     3
    
    

    we create those new zones using the webmin. the webmin's solaris zone module is installed under the system tab :

    go to system > solaris zones

    you'll be prompted that there are no zones configured. now we create them :)
    WAN using NIC#2 : ip addr 10.0.0.1/24
    DMZ using NIC#3 : ip addr 172.16.0.1/24

    caution : don't put your NIC#1 here under a new zone.

    just for verification,
    the global zone (LAN) : ip addr your_LAN

    the process will be straightforward, so i hope you get the idea. by default, all the zones reside under the /zones directory.

    if you use the cli - there are 3 main zone-related commands :
    1. zonename -> zonename listing
    2. zonecfg -> to create new zones
    3. zoneadm -> to administer the created zones

    ok, after we have created the non-global zones (additional WAN & DMZ), let's take a look :
    # zoneadm list -vc
      ID NAME             STATUS     PATH                           BRAND    IP
       0 global           running    /                              native   shared
       2 DMZ              running    /zones/DMZ                     native   shared
       1 WAN              running    /zones/WAN                     native   shared
    

    ok, looks good :)
    now, try logging in to the non-global zone :

    # zlogin WAN

    and now - we take some observations of how the zone actually works.

    that was it, our day #2!!!

    to be continued ...
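The webmin module in the post generates zonecfg(1M) input behind the scenes; the script below, added here as an example (it is not the post's code and not part of webmin), produces the same kind of zonecfg command file from the command line for the WAN and DMZ layout above, and refuses the mistake the post warns about: handing NIC#1 (`pcn0`, the global zone's LAN interface) to a child zone. Zone names, NICs, addresses and the `/zones` path are taken from the thread; the function names, the `GLOBAL_NIC` guard and the constructed LAN address `192.168.1.1/24` are this script's own assumptions. One caveat worth knowing for the routing and ipfilter goals: the `zoneadm list -vc` output above shows `IP shared`, meaning the zones share the global zone's IP stack, so routing and IP Filter rules for those NICs are applied in the global zone. A zone created with `set ip-type=exclusive` (Solaris 10 8/07 and later, and SXCE) gets its own stack and can carry its own routing table and filter rules, which is closer to the logical-router idea the thread opened with; the generator supports both so the difference in the zonecfg file is visible.

```shell
#!/bin/sh
# Added example (not from the thread): generate a zonecfg(1M) command file for a
# non-global zone with one dedicated NIC, and print the zoneadm steps that follow.
# Nothing here touches the system; the output is meant to be reviewed first.

GLOBAL_NIC=pcn0          # the LAN NIC the post keeps in the global zone
ZONE_ROOT=/zones         # the post's zonepath parent directory

# zone_script NAME NIC ADDR/PREFIX [shared|exclusive]
# Prints a zonecfg script on stdout. Returns 1 (printing nothing on stdout) when
# the request would give the global zone's NIC to a child zone or reuse the
# reserved name "global".
zone_script() {
    name=$1; nic=$2; addr=$3; iptype=${4:-shared}
    if [ "$name" = global ]; then
        echo "refusing: 'global' is the global zone" >&2; return 1
    fi
    if [ "$nic" = "$GLOBAL_NIC" ]; then
        echo "refusing: $nic belongs to the global zone (LAN); pick another NIC" >&2; return 1
    fi
    case $iptype in shared|exclusive) ;; *) echo "bad ip-type: $iptype" >&2; return 1 ;; esac

    echo "create"
    echo "set zonepath=$ZONE_ROOT/$name"
    echo "set autoboot=true"
    [ "$iptype" = exclusive ] && echo "set ip-type=exclusive"
    echo "add net"
    # a shared-IP zone gets its address from zonecfg; an exclusive-IP zone sets
    # its own address from inside the zone, so only 'physical' is configured here
    [ "$iptype" = shared ] && echo "set address=$addr"
    echo "set physical=$nic"
    echo "end"
    echo "verify"
    echo "commit"
    echo "exit"
}

# next_steps NAME -> the zonecfg/zoneadm sequence the post walks through via
# webmin, printed rather than executed; assumes the script was saved as NAME.zonecfg
next_steps() {
    printf 'zonecfg -z %s -f %s.zonecfg\n' "$1" "$1"
    printf 'zoneadm -z %s install\n' "$1"
    printf 'zoneadm -z %s boot\n' "$1"
    printf 'zoneadm list -vc\n'
    printf 'zlogin %s\n' "$1"
}

# Dry run with the thread's WAN and DMZ layout, then the guard rejecting NIC#1
zone_script WAN pcn1 10.0.0.1/24
echo "---"
zone_script DMZ pcn2 172.16.0.1/24 exclusive
echo "---"
next_steps WAN
echo "---"
zone_script LAN pcn0 192.168.1.1/24 || echo "(rejected, as intended)"
```

Redirect `zone_script WAN pcn1 10.0.0.1/24` into `WAN.zonecfg` and feed it to `zonecfg -z WAN -f WAN.zonecfg`; the `verify` line makes zonecfg reject an incomplete configuration before `commit`, so a typo in the NIC name surfaces at that point rather than at boot.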
  • UnixGuy Mod Posts: 4,570
    this is very interesting, I never used Webmin (or any tool for that matter), and I've never used Solaris as a Firewall or Router either.

    We usually configure zones to create machines for developers.


    by the way, to check all your available network interfaces:
    # dladm show-dev
    


    And to see all your zones:
    # zoneadm list -iv
    


    looking forward to your Router and Firewall configuration.


    I have a machine already configured with two zones, I might copy your firewall and router config and test them :)
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • rossonieri#1 Member Posts: 799
    hi unixguy,

    thanks for the support btw :)

    what i don't get is, i want to revise my day#1 post - but the page always gets rejected?
    there are a couple of things that i want to fix on the day#1 especially the webmin part.
  • UnixGuy Mod Posts: 4,570
    I have never ever worked on it.

    But tell me what things do you want to edit ? or you mean you want to edit your post in the forum here?

  • rossonieri#1 Member Posts: 799
    updates,

    after a massive documentation search, and pretty constructive discussions with Sun engineers - i'll continue the project after this b115 download.

    a slight diagram modification - but overall scenario is very inspiring ;)

    cheers :)