ESET gateway on Solaris
This is on a Solaris 11.x x64 Intel box. I use example paths, usernames, and values in places; change them to what you actually have or it won’t work. I show this as root, however you get there. First you download and install the binary like:
su
cd /export/home/whateveruseryouare/Downloads/
sh ./esets.i386.sol10.pkg.gz.bin
(accept agreement)
If you get an error about not having echo in /usr/ucp/, make a symlink to the real one like:
ln -s /usr/bin/echo /usr/ucp/echo
Then try to sh the .bin again.
Now you have to edit the main config file and add the av update username and password you got with your order. NOTE: DON’T delete the leading #’s at the beginning of these lines. They’re not really used as comment markers the way they normally are (well, some are), but the ones you want to change still need the pound sign for some reason.
vi /etc/opt/esets/esets.cfg
#av_update_username = "EAV-xxxxxxx" <- put the real one in the quotes
#av_update_password = "xxxxxxxxx" <- put the real one in the quotes
Now import your license like:
/opt/eset/sbin/esets_lic --import /export/home/whateveruseryouare/Downloads/nod32.lic
Now start esets_daemon like:
Check to see if it’s running now like:
ps -A | grep esets
 1676 ?        1:15 esets_da
15449 ?        0:00 esets_da
Note: you don’t see the whole process name, just the first 8 characters.
Now you have to configure the gateway itself, specifically which interface/IP/subnet it listens for your clients on, and enabling the gateway itself. You can run the setup script, but it throws errors. However, it does change the options you want in the config file. Either that or you can just edit the file itself and change the lines you want. It’s kind of nice to run the setup script and at least you can cut/paste the output into the esets.cfg file and have an idea of what you should be editing in that file. Also, the end of the script tries to implement a firewall (NAT) rule, which also fails. You run the setup script by doing:
Now you have to set up the Solaris firewall, so first take a look at what you have already running:
routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"

Routing daemons:

                      STATE   FMRI
                   disabled   svc:/network/routing/route:default
                   disabled   svc:/network/routing/rdisc:default
                   disabled   svc:/network/routing/legacy-routing:ipv4
                   disabled   svc:/network/routing/legacy-routing:ipv6
                   disabled   svc:/network/routing/ripng:default
                     online   svc:/network/routing/ndp:default
This means you need to enable IPv4 forwarding like:
routeadm -u -e ipv4-forwarding
routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   enabled              enabled
...
Notice now it says it’s enabled.
Now you have to add rules to the /etc/ipf/ipf.conf file. The rules below reflect my network, which almost certainly won’t be the same IP/subnet as yours, so change them to match. I have my network configured so that net0 is set to 172.16.50.xxx and I have another interface of net1/172.16.123.xxx. You can check yours by doing:
ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
net0: flags=100001104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,PHYSRUNNING> mtu 1500 index 2
        inet 172.16.50.xxx netmask ffffff00 broadcast 172.16.50.255
        ether 0:c:29:6e:65:d8
net1: flags=100001104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,PHYSRUNNING> mtu 1500 index 3
        inet 172.16.123.1 netmask ffffff00 broadcast 172.16.123.255
        ether 0:c:29:6e:65:e2
So I want my upstream connection traffic to go through net0 and out to the Internet, and I want my local clients to connect to the Internet through my Solaris box on the net1 interface (and downstream switch), and they are on the 172.16.123.x IP/subnet.
map net1 172.16.123.0/24 -> 0/32 proxy port ftp ftp/tcp
map net1 172.16.123.0/24 -> 0/32 portmap tcp/udp auto
map net1 172.16.123.0/24 -> 0/32
Now restart your ipfilter and replumb your net1 interface like:
svcadm restart ipfilter
ifconfig net1 unplumb
ifconfig net1 172.16.123.1 netmask 255.255.255.0 up
ifconfig -a
Now go to one of your client boxes and try to ping 172.16.123.1; you should be able to. You should also be able to ping the Internet.
Replace the username and password with the one you got with the license. This update might take a while depending on your connection; just let it run and do something else for a bit.
/opt/esets/sbin/esets_update -u EAV-xxxxxx -p xxxxxxx
Virus signature database has been updated successfully.
Installed virus signature database version 10xxxx (xxxxxx)
Here’s how you see what processes are listening in Solaris. Unfortunately, you have to download and compile lsof, which is sort of irritating. There’s a link here. Once that’s installed, do:
lsof -i TCP | grep LISTEN
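Added example, not part of the original write-up: the netstat bundled with Solaris also lists listening sockets (without process names, which is what lsof adds), and this script sorts them by whether they are bound to every interface or only to the inside net1 address. The sample output and its port numbers are constructed for illustration; INSIDE_IP is the net1 address used above.

```shell
#!/bin/sh
# Classify TCP listeners from Solaris `netstat -an -f inet -P tcp` output, so
# you can confirm the gateway answers clients on net1 only and see what is
# also reachable from the upstream side (net0).

INSIDE_IP="172.16.123.1"   # net1 address from this write-up; change to yours

# Constructed sample in the Solaris netstat layout (address.port, dot-separated).
sample_netstat() {
cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 128000      0 LISTEN
127.0.0.1.25               *.*                0      0 128000      0 LISTEN
172.16.123.1.8080          *.*                0      0 128000      0 LISTEN
      *.2121               *.*                0      0 128000      0 LISTEN
172.16.123.1.8080    172.16.123.20.51544  64240      0 128872      0 ESTABLISHED
EOF
}

# stdin: netstat output; $1: inside address. Prints "<scope> <address> <port>".
classify_listeners() {
    awk -v inside="$1" '
        $NF == "LISTEN" && match($1, /\.[0-9]+$/) {
            addr = substr($1, 1, RSTART - 1)   # everything before the last dot
            port = substr($1, RSTART + 1)      # digits after the last dot
            if (addr == "*")              scope = "ALL-INTERFACES"
            else if (addr == inside)      scope = "inside-only"
            else if (addr == "127.0.0.1") scope = "loopback"
            else                          scope = "other"
            print scope, addr, port
        }'
}

# stdin: netstat output. Prints the ports bound to every interface, which
# includes the upstream interface unless ipf rules block them there.
exposed_ports() {
    classify_listeners "$1" | awk '$1 == "ALL-INTERFACES" { print $3 }' | sort -n | xargs
}

# On the gateway itself, run:
#   netstat -an -f inet -P tcp | classify_listeners "$INSIDE_IP"
sample_netstat | classify_listeners "$INSIDE_IP"
```

Anything reported as ALL-INTERFACES is also listening on net0, so either rebind it to the inside address in its own configuration or block it on net0 with an ipf rule.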