Really nasty Solaris 11 install

I just installed two VMs with Solaris 11 Express (snv_151a), and when I turned off nwam, one worked and the second did not:

svcadm disable svc:/network/physical:nwam
svcadm enable svc:/network/physical:default

The network would come up, and both ifconfig and netstat -rn showed reasonable values, but the machine would ping only if nwam was turned on.

It turned out to be IP filtering (the ipfilter service):


root@snarf:~# ping 172.16.1.2
ping: sendto Network is unreachable
root@snarf:~# ipfstat -io
block out log all
pass out quick on lo0 all
pass out quick proto udp from any to any port = bootps
block in log all
pass in quick on lo0 all
pass in quick proto udp from any to any port = bootpc
root@snarf:~# svcadm disable svc:/network/ipfilter
root@snarf:~# ping 172.16.1.2
172.16.1.2 is alive
root@snarf:~# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

It was not enabled on the first machine, but was on the second. I have no clue what I did differently in the first install.
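
The rule listing can be classified directly instead of inferring the cause from failed pings. The following is an added example, not part of the original post: a shell function that reads `ipfstat -io` output and reports whether it is the default-deny set shown above, where only loopback and DHCP are passed. The function and sample names are hypothetical; the first two samples are copied from the session above and the third is constructed.

```shell
# Added example: classify `ipfstat -io` output read on stdin. Prints:
#   empty    - no rules loaded
#   lockdown - catch-all block both ways, only loopback and DHCP passed
#   custom   - any other rule set
classify_ipf_rules() {
    awk '
        /^empty list for ipfilter/ || NF == 0 { next }
        { rules++ }
        # Catch-all block rule, e.g. "block in log all" (not tied to an interface)
        $1 == "block" && $NF == "all" && !/ on / { deny[$2] = 1; next }
        # Exceptions a lockdown set still carries: loopback and DHCP
        $1 == "pass" && / on lo0 / { next }
        $1 == "pass" && / proto udp / && / port = bootp[sc]$/ { next }
        # Anything else is an administrator-written policy rule
        { other++ }
        END {
            if (rules == 0) print "empty"
            else if (deny["in"] && deny["out"] && other == 0) print "lockdown"
            else print "custom"
        }'
}

# Listing from the post while pings failed
sample_locked() { cat <<'EOF'
block out log all
pass out quick on lo0 all
pass out quick proto udp from any to any port = bootps
block in log all
pass in quick on lo0 all
pass in quick proto udp from any to any port = bootpc
EOF
}

# Listing from the post after the service was disabled
sample_disabled() { cat <<'EOF'
empty list for ipfilter(out)
empty list for ipfilter(in)
EOF
}

# Constructed: the locked listing plus one extra outbound ICMP rule
sample_custom() {
    sample_locked
    echo "pass out quick proto icmp from any to any keep state"
}

for s in sample_locked sample_disabled sample_custom; do
    printf '%s: %s\n' "$s" "$("$s" | classify_ipf_rules)"
done
```

On a live system, `ipfstat -io | classify_ipf_rules` gives the same answer; a `lockdown` result means traffic is being dropped by firewall policy, not by a misconfigured interface or route.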

11 Responses to “Really nasty Solaris 11 install”

  1. robroy says:

    Thanks! It helped me 🙂

  2. Chris says:

    Thanks, this helped me today. Ya gotta admit though, it’s a lot better default security profile than any other Solaris release before it.

    Now as long as Oracle does destroy Sun-Stuff.

    Thanks again!

    Chris

  3. Mikhail says:

    Thanks! it helped me too : )

  4. Otto says:

    Hey, you saved my evening! I wanted to start reading the 3000 manpages to get the error 😉

    Thanks!!

    Cheers,
    Otto

  5. Deepak says:

    Superb!!! …

    Really helped a lot

    Wasted almost 4 hrs figuring out what the issue was,
    so disabling ipfilter did the job

  6. knue says:

    Thank you SIR !

    Drove me almost nuts not being able to switch my notebook manually between NWAM wireless and a plugged-in Ethernet configuration.

    I know it would probably be possible to have both / all connections managed by NWAM, but I have some “special” settings, so I preferred to do it manually.

    Cheers

  7. Ravi Shanghavi says:

    Oh man, this was a huge gift. I spent the last little while fighting this config on my Solaris 11 Express box. All I’d done was go from DHCP to static on this interface and all hell broke loose.. no idea how ipfiltering turned on in that switch. But I kept getting the same errors until I did the svcadm disable svc:/network/ipfilter command.. As soon as I did, I could ping, and outside boxes could once again see the server! Thanks mate! Ravi Shanghavi, Ottawa

  8. Thanks! That saved me some troubleshooting as well!

    Interesting, when I create IP addresses via “ipadm” the service seems to re-enable itself.

    This is with Solaris 11.1.

  9. Seems that this automatic turning on of the filtering is related to “locations” for networks.

    I had set up manual location switching, and this service came back on restart every time.

    After switching to auto and removing a location I had configured, it no longer automatically starts that service with closed “rules”.

    Could be related to “no network” mode, and preventing long timeouts by rejecting all traffic.

  10. Pavel says:

    Helped me too as well — with Solaris 11.1! Thanks!

  11. Mohammed Yousuf says:

    Thanks for sharing….Good work!!!

    From Solaris 11 onwards there is a new command to configure a static IP address on VM boxes.

    Please find below a useful article on configuring a static IP address, especially during RAC configuration on a laptop.

    http://www.oracle.com/technetwork/articles/servers-storage-admin/s11-network-config-1632927.html

    Hope this helps!!

    Thanks

    Mohammed.
