Cover V11, I07



Questions and Answers

Amy Rich

Thanks to Darren Dunham for pointing out an omission in the May issue. When discussing how to set up Solaris for printing to an HP printer, I neglected to mention that Solaris 8 doesn't actually ship with a bootpd. You can use the one available from HP in the jetdirect package. Other operating systems that come with their own bootpd can be configured without additional software, though. You can also use the dhcpd that comes with Solaris, but the required configuration steps are different.

Q At work we have a SonicWall VPN, and a number of home users have SonicWall's VPN client installed on their home PCs and working fine. We also have a cablemodem user with one dynamic IP that needs to access the network. Instead of having his PC hooked up to the cablemodem directly, he has a Solaris 8 machine acting as a gateway for his RFC1918 LAN. He only wants to use the VPN client on one of his PCs, though. The Solaris box is using ipfilter to do packet filtering and one to many NAT for various types of hardware on his LAN. Unfortunately, since he's doing NAT, he can't get his PC to talk to our VPN box. I took a look at the ipfilter package and the mailing list and FAQ, but there doesn't seem to be any clear-cut advice on how to set this up, if it's even possible. Do you have any pointers on how we could get this user connected to our VPN?

A The SonicWall VPN uses IPSec to create the connection between your office and your home users. Some background information about IPSec will probably help you understand the solution to the NAT issue. For some basic definitions, I'll quote from the IPSec RFC ( Other RFCs that you may want to take a close look at include:

AH: RFC2402 --,

ESP: RFC2406 --, and

ISAKMP key-exchange --

IPSec is designed to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic-flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper-layer protocols.

These objectives are met through the use of two traffic security protocols -- the Authentication Header (AH) and the Encapsulating Security Payload (ESP) -- and through the use of cryptographic key management procedures and protocols.

  • The IP Authentication Header (AH) provides connectionless integrity, data origin authentication, and an optional anti-replay service.
  • The Encapsulating Security Payload (ESP) protocol may provide confidentiality (encryption), and limited traffic flow confidentiality. It also may provide connectionless integrity, data origin authentication, and an anti-replay service. (One or the other set of these security services must be applied whenever ESP is invoked.)
  • Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows relative to these security protocols.
These protocols may be applied alone or in combination with each other to provide a desired set of security services in IPv4 and IPv6. Each protocol supports two modes of use: transport mode and tunnel mode. In transport mode the protocols provide protection primarily for upper-layer protocols; in tunnel mode, the protocols are applied to tunneled IP packets.

A transport mode SA is a security association between two hosts. In IPv4, a transport mode security protocol header appears immediately after the IP header and any options, and before any higher-layer protocols (e.g., TCP or UDP). In IPv6, the security protocol header appears after the base IP header and extensions, but may appear before or after destination options, and before higher-layer protocols. In the case of ESP, a transport-mode SA provides security services only for these higher-layer protocols, not for the IP header or any extension headers preceding the ESP header. In the case of AH, the protection is also extended to selected portions of the IP header, selected portions of extension headers, and selected options (contained in the IPv4 header, IPv6 Hop-by-Hop extension header, or IPv6 Destination extension headers). For more details on the coverage afforded by AH, see the AH specification.

A tunnel mode SA is essentially an SA applied to an IP tunnel. Whenever either end of a security association is a security gateway, the SA MUST be tunnel mode. Thus an SA between two security gateways is always a tunnel mode SA, as is an SA between a host and a security gateway.

For a tunnel mode SA, there is an "outer" IP header that specifies the IPSec processing destination, plus an "inner" IP header that specifies the (apparently) ultimate destination for the packet. The security protocol header appears after the outer IP header, and before the inner IP header. If AH is employed in tunnel mode, portions of the outer IP header are afforded protection (as above), as well as all of the tunneled IP packet (i.e., all of the inner IP header is protected, as well as higher layer protocols). If ESP is employed, the protection is afforded only to the tunneled packet, not to the outer header.

The SonicWall VPNs can be configured using either AH or ESP. What the above discussion of AH and ESP boils down to is that, if the SonicWall is configured to use AH, your user cannot access it through a one to many NAT (IP masquerading). AH specifies a cryptographic checksum across portions of the IP header, including the IP addresses. IP masquerading modifies the source IP address for outbound packets and the destination IP address for inbound packets. Since your user's Solaris box can't participate in the encryption key exchange, it can't generate the correct cryptographic checksums for the modified IP headers. The modified IP packets traveling through your user's Solaris gateway will be discarded by the SonicWall as invalid, because they fail the cryptographic checksum test.

The above quoted material from RFC2401 also states that you're going to need to use tunneling mode because the user's Solaris gateway is not an endpoint (the PC with the SonicWall client software on it), but a security gateway. So, the first step in making sure that your connection is going to work with your NAT user is to make sure that you have your SonicWall configured to do tunneled ESP. The following illustrates an example packet (from RFC2406):

Before applying ESP to an IPv4 packet:

|             | ext hdrs   |     |      |
| orig IP hdr | if present | TCP | Data |
After applying ESP to an IPv4 packet:

|  new IP hdr*  |     | orig IP hdr*  |     |      |   ESP   | ESP  |
| (any options) | ESP | (any options) | TCP | Data | Trailer | Auth |
                      |<------------ encrypted ------------->|
                |<-------------- authenticated ------------->|
* if present, construction of outer IP hdr/extensions and modification of inner IP hdr/extensions is discussed further in RFC2406.

Now, on the user's end, ipfilter is going to have to pass packets for the ESP protocol and for the ISAKMP key exchange. ESP is protocol number 50 and the user should have it already listed in /etc/protocols on the Solaris 8 machine. ISAKMP is UDP protocol number 500, but it's not generally listed in /etc/services by default under Solaris. Your user can either add it to /etc/services or he can use the number instead of the name in his ipfilter configuration file. I'm going to assume that your user employs a fairly restrictive set of filter rules, so he'll need to implicitly allow everything that he wants to pass through.

The following rules should work, as long as they appear before any rules that explicitly block the mentioned ports using the quick option (so no more rule processing takes place). In this example, hme0 is the internal LAN interface of his Solaris box and hme1 is the external interface that's attached to the cablemodem. would be the IP address of your SonicWall VPN, and would be the IP address of his PC with the SonicWall client installed.

# Let the ISAKMP key exchange take place between the client and the VPN
pass out quick on hme1 proto udp from port = 500 to port = 500
pass in quick on hme0 proto udp from port = 500 to10.1.1.1/32 port = 500
pass in quick on hme1 proto udp from port = 500 to port = 500
pass out quick on hme0 proto udp from port = 500 to port = 500

# Pass the encapsulated packets from the client to the VPN and back
pass in quick on hme1 proto esp from to
pass out quick on hme0 proto esp from to
pass out quick on hme1 proto esp from to
pass in quick on hme0 proto esp from to
Q Is there a canonical list of MAC vendor codes somewhere? I'm trying to identify a rogue machine that keeps transmitting on our corporate subnet and stealing another machine's IP address. I've snagged its MAC address, but my suspicion is that it's a Cisco box that another department owns. It would help narrow down the search and the list of possible culprits if I at least knew the vendor of the NIC.

A I believe that the IEEE has a complete list on their site:

It looks like Cisco has 175 registered prefixes listed. If you have your machines hooked up to a managed switch, you should be able to see what MAC addresses are being transmitted over each port. Then you can see what's connected to that port. If you're using a central hub, though, you're going to have a tough time nailing down your offender.

Q I need to copy all incoming mail from our mail server to another mail server to test the new virus/filtering software on that machine before we put it into production. It doesn't matter whether or not the mail all goes to one user or many users on the new machine, but the mail must be delivered properly on the old machine. I'm running sendmail 8.12.2. What's the best way to do this?

A You have a few options. The size of your user base, load on your current machine, and how much effort you want to spend learning new software will probably help determine which of these is best for you. The obvious answer is to set up an alias for everyone in /etc/aliases that does a local delivery and also sends the mail to your new server. This is prohibitive if you have a larger user base, though.

Along the same lines, you can use procmail ( as the local delivery agent on your existing mail server, and modify the system procmailrc file have it forward a copy of every mail to an account on the new mail server.

If you don't want to go the way of aliasing, you can try the copyuser hack from Robert Harker in your sendmail mc file. Put the following in the cf/hack directory of your sendmail source code:

VERSIONID('Copyright 1998, Robert Harker, Harker Systems')dnl
VERSIONID(',, 408-295-6239')dnl
VERSIONID('Permission granted to use this as long as this')dnl
VERSIONID('VERSIONID information is preserved and')dnl
VERSIONID('it is not included in a commercial product ')dnl

ifdef('_MAILER_smtp_',,'errprint('*** MAILER(smtp) must appear before copymail mailer')')dnl


R$+<@$+.NOCOPY.> $#esmtp $@$2 $:$1<@$2.>
R$+<@$+.> $#copymail $@nohostneeded $:$1<@$2.NOCOPY>
R$+<@$+> $#copymail $@nohostneeded $:$1<@$2.NOCOPY>

# Copy a message by sending it back to sendmail with an additional address:
#       copyuser
Mcopymail, P=/usr/sbin/sendmail, F=fmSDFMu,S=11/31,
R=ifdef('_ALL_MASQUERADE_', '21/31', '21'),A=sendmail  mailbackup $u
Edit your mc file to include the following line:

Create an alias for the address mailbackup that points to your new machine and recreate your aliases database. Recreate your file from the mc file and restart sendmail.

The best but most complex solution (as far as learning curve goes) would be to compile sendmail with milter ( support and use milter to copy mail over for each individual user. You'll also be able to capture outgoing mail as well as incoming if you use this solution. If you look in the sendmail src directory, there's an example milter listed in libmilter/README that will log all mail to a file. You could modify this for your purposes.

Q I've just inherited a Solaris 7 system that appears to be having some disk issues on /dev/rdsk/c0t0d0s0. The logs are showing bad blocks near the beginning of the partition. I've got a new disk on order, but I'm concerned that this machine is going to lose its super-block before the new disk gets here. In the event that this happens, I know that I can invoke fsck on an alternate super-block, but I need to know where that is. Is there any way to find out where the alternate super-blocks were stored when the filesystem was created? Are there any other file system parameters I should be concerned about?

A Though you can't, to my knowledge, actually reconstruct what the alternate super-blocks are from the existing disk, there's a good chance that you can make an educated guess. Unless someone specifically tweaked the settings when they ran newfs, you can have the system report the default options it would use when creating the slice:

newfs -N /dev/rdsk/c0t0d0s0
Example output for a 1G partition on an IBM 32G SCSI drive would look like:

/dev/rdsk/c0t1d0s0:    2102400 sectors in 292 cylinders of 20 tracks, 360 sectors
1026.6MB in 23 cyl groups (13 c/g, 45.70MB/g, 11008 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 94000, 187968, 281936, 375904, 469872, 563840, 657808, 751776,
845744, 939712, 1033680, 1127648, 1221616, 1315584, 1409552, 1503520,
1597488, 1691456, 1785424, 1879392, 1973360, 2067328,
If you want other default information, you can also add the -v flag. This will show you all of the default options that would be passed to mkfs for creation of slice 0:

newfs -Nv /dev/rdsk/c0t0d0s0
The example output for the same partition mentioned above would look like:

mkfs -F ufs -o N /dev/rdsk/c0t1d0s0 2102400 360 20 8192 1024 32 6 120 4096 t 0 -1 8 128
/dev/rdsk/c0t1d0s0:     2102400 sectors in 292 cylinders of 20 tracks, 360 sectors
1026.6MB in 23 cyl groups (13 c/g, 45.70MB/g, 11008 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 94000, 187968, 281936, 375904, 469872, 563840, 657808, 751776,
845744, 939712, 1033680, 1127648, 1221616, 1315584, 1409552, 1503520,
1597488, 1691456, 1785424, 1879392, 1973360, 2067328,
The values after the size (2102400) correspond to the following parameters:

Parameter (value as listed in above example, default value): Definition

sect (360, 32): The number of sectors per track on the disk.

ntrack (20, 16): The number of tracks per cylinder on the disk.

bsize (8192, 8192): Logical block size measured in bytes.

fragsize (1024, 1024): The smallest amount of disk space in bytes to allocate to a file. The value must be a power of 2 selected from the range 512 to the logical block size. If logical block size is 4096, legal values are 512, 1024, 2048, and 4096; if logical block size is 8192, 8192 is also a legal value.

cgsize (32, 16): The number of cylinders per cylinder group. The per-cylinder-group meta data must fit in a space no larger that that available in one logical filesystem block. If too large a cgsize is requested, it is decreased by the minimum amount necessary.

free (6, 10): The minimum percentage of free space to maintain in the file system. This space is off-limits to normal users. Once the file system is filled to this threshold, only the superuser can continue writing to the file system. This parameter can be subsequently changed using the tunefs command.

rps (120, 60): The rotational speed of the disk, measured in revolutions per second.

nbpi (4096, 2048): The number of bytes per inode, which specifies the density of inodes in the file system. The number is divided into the total size of the file system to determine the fixed number of inodes to create. It should reflect the expected average size of files in the file system. If fewer inodes are desired, a larger number should be used; to create more inodes, a smaller number should be given.

opt (s, t): Space or time optimization preference; s specifies optimization for space; t specifies optimization for time. This parameter may be subsequently changed with the tunefs command.

apc (0, 0): The number of alternates per cylinder to reserve for bad block replacement (SCSI devices only).

gap (-1, disk-type dependent): Rotational delay. The expected time (in milliseconds) to service a transfer completion interrupt and initiate a new transfer on the same disk. The value is used to decide how much rotational spacing to place between successive blocks in a file. This parameter can be subsequently changed using the tunefs command.

nrpos (8, 8): The number of different rotational positions in which to divide a cylinder group.

maxcontig (128, 7): The maximum number of blocks, belonging to one file, that will be allocated contiguously before inserting a rotational delay. For a 4K file system, the default is 14; for an 8K file system it is 7. This parameter can be subsequently changed using the tunefs command. This parameter also controls clustering. Regardless of the value of gap, clustering is enabled only when maxcontig is greater than 1. Clustering allows higher I/O rates for sequential I/O and is described in the tunefs man page.

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (, has been a UNIX systems administrator for more than five years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: