Saturday, June 20, 2009

Setting up a firewall (IP filter) on Opensolaris

One thing you will want to set up as soon as possible after putting your server on the Internet is an IP filter. You don't want anyone to be able to connect to any service except those you explicitly permit; on a web server those are typically SSH, HTTP and HTTPS. In theory you wouldn't need such a filter if you made sure that all the local services (MySQL, FastCGI servers, ...) listen only on the internal network interface, but better safe than sorry.

The IP filter software in Solaris is called ipfilter. Setting up the filter rules is controlled by the ipfilter service. This service offers several policies, some of which set up rules automatically depending on settings you make in SMF and which services are running. I don't want any magic, I just want to create my rules manually. This can be done with the custom policy.

Here is a simple example for a rule file (goes in /etc/ipf/ipf.conf):

# allow all traffic on loopback device
pass out quick on lo0 all
pass in quick on lo0 all
# allow all outgoing traffic
pass out quick from any to any keep state
# allow incoming TCP connections on a few ports (SSH, HTTP, HTTPs)
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 443 keep state
# allow some types of incoming ICMP packets
pass in quick proto icmp from any to any icmp-type echo keep state
pass in quick proto icmp from any to any icmp-type timest keep state
# default: block all incoming
block in quick all
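As an added example (not code from the original post), here is a small shell lint for a rule file like the one above. It checks the two properties that matter most for a default-deny setup: that the last rule is the catch-all block, and that no pass-in rule opens every port on a non-loopback interface; it also lists the inbound ports the file opens. The function name and the two constructed rulesets are my own, and the awk parsing is deliberately limited to the rule forms used in this post.

```shell
# Lint an ipf.conf ruleset read on stdin. Prints "open:", "info:" and
# "FINDING:" lines; returns 0 when clean, 1 when a finding was reported.
# (Added example; only understands the rule shapes used in the post.)
lint_ipf_rules() {
    awk '
        BEGIN { bad = 0 }
        # skip comments and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            last = $0
            if ($1 != "pass" || $2 != "in") next
            if ($0 ~ / on lo0( |$)/) next     # loopback is expected to be open
            ip_proto = "any"
            for (i = 1; i <= NF; i++)
                if ($i == "proto") ip_proto = $(i + 1)
            if ($0 ~ / port /) {
                # explicit port: report what is opened
                for (i = 1; i <= NF; i++)
                    if ($i == "port" && $(i + 1) == "=")
                        printf("open: %s/%s\n", ip_proto, $(i + 2))
            } else if (ip_proto == "icmp") {
                printf("info: line %d passes inbound ICMP: %s\n", NR, $0)
            } else {
                printf("FINDING: line %d passes all inbound %s traffic: %s\n", NR, ip_proto, $0)
                bad = 1
            }
        }
        END {
            if (last !~ /^block in (quick )?all[ \t]*$/) {
                printf("FINDING: last rule is not a default block (found: %s)\n", last)
                bad = 1
            }
            exit bad
        }
    '
}

# Constructed sample: the ruleset shown in the post.
good_ruleset() {
    cat <<'EOF'
# allow all traffic on loopback device
pass out quick on lo0 all
pass in quick on lo0 all
pass out quick from any to any keep state
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type echo keep state
pass in quick proto icmp from any to any icmp-type timest keep state
block in quick all
EOF
}

# Constructed counter-example: a catch-all inbound pass and no default block.
bad_ruleset() {
    cat <<'EOF'
pass in quick from any to any keep state
pass in quick proto tcp from any to any port = 80 keep state
EOF
}

good_ruleset | lint_ipf_rules            # lists open: tcp/22, tcp/80, tcp/443; exit 0
bad_ruleset | lint_ipf_rules || echo "ruleset rejected"
```

To check the real file, run `lint_ipf_rules < /etc/ipf/ipf.conf` before enabling the service; it is a structural check only and is no substitute for reading the rules, but it catches the two mistakes that silently turn a default-deny firewall into an open one.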

If you create /etc/ipf/ipf.conf and start ipfilter (pfexec svcadm enable ipfilter), the service is supposed to detect that you want to use the custom policy. For some reason that did not work for me, but I found instructions on how to set it manually in the svc.ipfd manpage:

1. Set custom policy
svccfg -s ipfilter:default setprop \
firewall_config_default/policy = astring: "custom"

2. Specify custom file
svccfg -s ipfilter:default setprop \
firewall_config_default/custom_policy_file = astring: \
"/etc/ipf/ipf.conf"

3. Refresh configuration
svcadm refresh ipfilter:default

Remember to use "pfexec" for entering all these commands.

You can check the status of the filter by running "pfexec ipfstat -io". This should display the rules that you described in your config file.
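The steps above as one added shell function (not from the original post or the ipfilter project): it applies the custom policy, refreshes and enables the service, and verifies that the instance actually came online before showing the loaded rules with ipfstat. The SMF property names are those from the svc.ipfd steps above; the function name and the default rule-file argument are my own. It has to run with pfexec.

```shell
# Configure ipfilter for a hand-written rule file and verify the result.
# Usage (as a privileged user): configure_ipfilter_custom [/path/to/ipf.conf]
# (Added example; assumes the rule file already exists.)
configure_ipfilter_custom() {
    rules="${1:-/etc/ipf/ipf.conf}"
    if [ ! -f "$rules" ]; then
        echo "rule file $rules does not exist; create it first" >&2
        return 1
    fi
    # 1. select the custom policy
    svccfg -s ipfilter:default setprop \
        firewall_config_default/policy = astring: "custom" || return 1
    # 2. point the service at the rule file
    svccfg -s ipfilter:default setprop \
        firewall_config_default/custom_policy_file = astring: "$rules" || return 1
    # 3. refresh so the new properties are read, then enable the service;
    #    -s waits until the instance is online instead of returning at once
    svcadm refresh ipfilter:default || return 1
    svcadm enable -s ipfilter:default || return 1
    # verify: anything other than online means the rules are not loaded
    state=$(svcs -H -o state ipfilter:default)
    if [ "$state" != "online" ]; then
        echo "ipfilter:default is '$state'; see svcs -xv ipfilter" >&2
        return 1
    fi
    # show the loaded rules, as the post suggests
    ipfstat -io
}
```

Source the file and call `pfexec sh -c '. ./ipf-custom.sh; configure_ipfilter_custom'` (the file name is my own choice). The online check matters: a syntax error in the rule file leaves the instance in maintenance with no filter loaded, and without the check the script would report success.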

Friday, June 19, 2009

First tasks: setting up RAID, disabling GDM

The installation of Opensolaris 2009.06 is pretty straightforward. You can select the disk to install to, and that's it.

The first important task after the installation is setting up the mirrored ZFS root pool, which is the equivalent of a RAID1. The official install manual doesn't provide enough information for a beginner, but I found some good instructions here. To run the commands from the user account you created during the installation, use "pfexec" (roughly the equivalent of sudo on Linux).

The next thing you probably want to do is get rid of the X server. This can be done by disabling gdm, the Gnome display manager service:

pfexec svcadm disable gdm

svcadm is the main interface to SMF, which manages all the services that are running on the system.

In the next post I will explain how to set up ipfilter, the IP packet filtering service.

New Server OS: Opensolaris or Nexenta?

I run a few websites, mostly based on MySQL, Rails and a little bit of PHP, with currently about 5 million page impressions per month. My old server, an Athlon XP4800 with 2 GB RAM, is starting to run out of reserves, so I want to upgrade. I chose an Intel i7 920 with 8 GB RAM and 2x 750 GB disks, rented at Hetzner for € 49 per month.

I have been using Ubuntu Linux on my servers until now, and although I have been pretty happy with it in general, I want to switch to OpenSolaris for the new one.

The main reason is the ZFS file system. It handles RAID (simple mirroring or RAID-5-like), partitioning, snapshots, online resizing, all in one tool. Forget messing around with md, LVM, xfs_growfs and all the other things that you need in Linux to handle storage. Forget hardware RAID controllers, forget worrying about whether it is safe to enable write caching, or how to make sure that your SQL server syncs data properly to the disk. ZFS takes care of all that for you. On top of that it offers very convenient ways to snapshot and back up data, which, despite LVM, is still a pain in Linux.

The first decision was which of the (few) OpenSolaris distributions to use.

There's OpenSolaris, currently in version 2009.06. This is the real thing directly from the core team. It comes with a packaging system that offers packages for pretty much everything that you need on a webserver (MySQL, Apache, Ruby, PHP, memcached, ...).

Then there is Nexenta. It combines the Solaris kernel with a GNU userland and the Ubuntu packaging system.

If you want to try both versions yourself, just download the ISOs and run them in VMWare or another virtual machine.

Nexenta sounds like the perfect OpenSolaris variant for someone who already knows Ubuntu, but it still looks pretty "beta", and although Nexenta is used as the basis for a fairly popular commercial NAS solution (NexentaStor), I have not found a lot of evidence of people using it for regular servers. Also the mailing lists are not very busy. So, while Nexenta is definitely something to keep an eye on, for my current task I want something proven and reliable, and I chose the "regular" OpenSolaris.

A problem with OpenSolaris is that there is no concept of quasi-automatic security updates like in most Linux distributions, where you can just run "apt-get update && apt-get upgrade" and get the most recent fixes. This might seem like a show-stopper, but in my case, as I will be running only my own websites on a handful of software packages, few of which are exposed to potential attackers and some of which I have to install manually anyway, it is not really a problem.