(Category) NetMAXFAQ : (Category) Advanced Configuration
Questions about custom configuration not supported from the NetMAX interface.
Answers in this category:
(Answer) How do I execute a third-party program on startup (whenever the server reboots), without having to run it from the command line?
(Answer) I have a multiport modem (I/O) card, and need to configure tty ports for it.
(Answer) How do I stop sendmail from starting up?
(Answer) How do I stop NetMAX from overwriting my custom configurations?
(Answer) How do I stop Appletalk from starting up?
(Answer) How do I disable the NetMAX Splash Screen?
(Answer) How do I fix an error in rc.sysinit?
(Answer) How do I stop SAMBA from starting up?
(Answer) If I don't have a firewall, how should I lockdown my NetMAX?
(Answer) How do I configure my web/email server behind a NAT'd firewall?
(Answer) How do I automate the processing of my Traffic Monitor Report?
(Answer) How do I get started using MySQL?
(Answer) How do I delete the partitions on a secondary hard disk with NetMAX?
(Answer) How do I implement Proxy ARP on my NetMAX machine?

(Answer) (Category) NetMAXFAQ : (Category) Advanced Configuration :
How do I execute a third-party program on startup (whenever the server reboots), without having to run it from the command line?
This applies to: NetMAX version 2.2 - 4.0x
You can add commands that you want executed on server init to the /etc/rc.d/rc.local script. Please note that this is not supported by Cybernet. Any changes you make to this script could get overwritten during upgrades.

(Answer)
I have a multiport modem (I/O) card, and need to configure tty ports for it.
Applies to: NetMAX version 2.2
This can be done by modifying the /etc/devs.conf file to add the devices. You will probably also need to execute a program on startup to support the card. The commands to start this program can be added to the /etc/rc.d/rc.local file to run during init. These modifications will only work on NetMAX L22Pv2.2.

(Answer)
How do I stop sendmail from starting up?
Applies to: All versions of NetMAX other than FireWall Pro Suite and VPN Server Suite.
address-suppressed
If you are not using your NetMAX machine for email services, you might want to stop sendmail from starting up. Note that if you are running NetMAX FireWall ProSuite or NetMAX VPN Server Suite with no other licenses installed, sendmail will not be running by default. If you are using multiple licenses or one of the other NetMAX products (Professional, Internet Server Suite, etc.), then you may follow these steps to disable sendmail. Please note that this is not supported by Cybernet, and these changes could get overwritten during certain upgrades or patches.

To do this, you should edit the /etc/rc.d/init.d/sendmail file.

Add the following line to the beginning of this file:

exit 0

That's a zero, not an oh.

So the beginning of the file should read:

#!/bin/sh
exit 0
#


(Answer)
How do I stop NetMAX from overwriting my custom configurations?
Applies to: All versions of NetMAX (except FreeBSD BLD475)
If you manually make changes to any configuration file that NetMAX writes to, you will need to protect your changes by adding that filename to the /etc/commit.conf file.

Instructions for entries in this file are included in the file as comments.

Note: NetMAX will no longer write to these files. So any changes in NetMAX that would result in NetMAX writing configuration changes to these files will be ineffective. Use this feature at your own risk.

(Answer)
How do I stop Appletalk from starting up?
Applies to: All versions of NetMAX
If you are not using the Appletalk sharing services on your NetMAX machine, you might want to stop the Appletalk daemon from starting up. Please note that this is not supported by Cybernet, and these changes could get overwritten during certain upgrades or patches.

To do this, you should edit the /etc/rc.d/init.d/atalk file.

Add the following line to the beginning of this file:

exit 0

That's a zero, not an oh.

So the beginning of the file should read:

#!/bin/sh
exit 0
#


(Answer)
How do I disable the NetMAX Splash Screen?
Applies to: NetMAX version 2.x - 3.x
You can test the effect of disabling the NetMAX Splash Screen for a single boot by typing the following at the boot: prompt:

linux nosplash

If you want/need to permanently disable the Splash Screen follow the instructions below.

Note: If you make a mistake editing the rc.sysinit file your NetMAX MAY NOT BOOT. Double check your changes before you reboot the NetMAX.

  1. From the command line: as root, edit the /etc/rc.d/rc.sysinit file as shown below.

  2. Or, from the NetMAX interface: go to Home | Personal | Files Management and click on root. Click on the paging control pull-down menu (upper left) and select Show All. Click on etc, then on rc.d, then on rc.sysinit. Approximately four screens down in the file, edit the following lines as shown below.

Originally:

if [ -n "$SPLASH" ]; then
  /usr/netmax/bin/splash -l -t 300 &
fi

Change To:

#if [ -n "$SPLASH" ]; then
#  /usr/netmax/bin/splash -l -t 300 &
#fi

Save your changes and reboot the NetMAX.

Also see: How do I fix an error in rc.sysinit?

(Answer)
How do I fix an error in rc.sysinit?
Applies to: All Linux versions of NetMAX.
Reboot the NetMAX into single user mode by typing the following at the boot: prompt

linux single

After the system boots, attempt to edit /etc/rc.sysinit. If you get an error trying to save your changes (in single user mode the root filesystem is still mounted read-only), enter the following command:

mount -n -o remount,rw /

Fix any errors in /etc/rc.sysinit and reboot the NetMAX into normal mode.

(Answer)
How do I stop SAMBA from starting up?
Applies to: All versions of NetMAX.
If you are not using the SAMBA sharing services on your NetMAX machine, you might want to stop the smb daemon from starting up. Please note that this is not supported by Cybernet, and these changes could get overwritten during certain upgrades or patches.

To do this, you should edit the /usr/netmax/etc/rc.d/cifs.sh file.

Add the following line to the beginning of this file:

exit 0

That's a zero, not an oh.

So the beginning of the file should read:

#!/bin/sh
exit 0
#


(Answer)
If I don't have a firewall, how should I lockdown my NetMAX?
Applies to: NetMAX L2.2Pv2.2 FileServer & WebServer
Please note: You probably do not want to do this. Your time would be better spent learning how to create good firewall rules. If you are certain that you need to take alternative means to hardening your system, continue at your own risk.
This article is only meant as some general help at locking down your L2.2Pv2.2 NetMAX machine, in case for some odd reason you don't have a firewall implemented to protect your NetMAX machine from the external network (usually the Internet). Do not rely on this article to protect your machine from unauthorized access. It is only meant to help you get started with securing your NetMAX server. We assume that you are using either the NetMAX WebServer or FileServer, as the Professional and FireWall products are best protected by implementing their packet filtering firewall. Some of the steps in this article may not apply to you, depending on whether you have the WebServer or FileServer product.

Login to your machine as root.

The most important command you will be using is the netstat command, to see what ports you have services running on.

netstat -tupan localhost

Make sure that you haven't configured the localhost alias to point to a different machine other than your own.

If you are going to disable telnet services, you will want to do all of this at the console, and not from within a telnet session.

Run the above netstat command to see what services you have open. By default, you should have:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      727/inetd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3032/sendmail: acce
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3002/slapd
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2981/httpd-users
tcp        0      0 10.254.1.99:80          0.0.0.0:*               LISTEN      2981/httpd-users
tcp        0      0 10.254.1.99:53          0.0.0.0:*               LISTEN      2922/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2922/named
tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN      2881/afpd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      727/inetd
tcp        0      0 0.0.0.0:109             0.0.0.0:*               LISTEN      727/inetd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      727/inetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      727/inetd
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN      727/inetd
tcp        0      0 0.0.0.0:70              0.0.0.0:*               LISTEN      727/inetd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2573/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2464/portmap
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1417/xdm
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      1142/httpd
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      727/inetd
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      727/inetd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2922/named
udp        0      0 10.254.1.99:53          0.0.0.0:*                           2922/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2922/named
udp        0      0 10.254.1.99:138         0.0.0.0:*                           2558/nmbd
udp        0      0 10.254.1.99:137         0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2464/portmap
udp        0      0 0.0.0.0:177             0.0.0.0:*                           1417/xdm
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1408/snmpd
udp        0      0 0.0.0.0:520             0.0.0.0:*                           760/routed

You want to look at the Local Address column, which shows which local address and which port each internet service is listening on. The PID/Program name column is also invaluable for finding out which service is running on a port and where we might turn it off.

Your services will almost definitely be listed in a different order than the ones here, but you should see the same services.
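
As an added example (not part of this FAQ and not NetMAX tooling), here is a small sh script that does the same walk over netstat -tupan output mechanically: it keeps only listening sockets that are bound to something other than loopback and reports the ones whose program name is not on an allowlist you pass in. The listing it reads is a constructed subset of the one above; the "Active Internet connections" banner and one ESTABLISHED line (client address made up) are added to show that both are skipped, and the filter also understands tcp6/udp6 lines, which this NetMAX version does not print.

```shell
#!/bin/sh
# Added example: audit a "netstat -tupan" listing for services reachable from
# the network. Not NetMAX tooling; the allowlist is whatever you pass in.

# sample_listing: constructed subset of the netstat output shown in this
# article (same PIDs and the 10.254.1.99 address), plus a banner line and one
# ESTABLISHED connection (client address made up) that the filter must skip.
sample_listing() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      727/inetd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3032/sendmail: acce
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2981/httpd-users
tcp        0      0 10.254.1.99:80          0.0.0.0:*               LISTEN      2981/httpd-users
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      1142/httpd
tcp        0      0 10.254.1.99:5150        10.254.1.7:1043         ESTABLISHED 1142/httpd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1408/snmpd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2922/named
EOF
}

# exposed_sockets: read netstat -tupan output on stdin and print one line
# "proto port program" for every listening socket that is NOT bound to the
# loopback address, i.e. every socket another host could reach.
exposed_sockets() {
    awk '
        $1 !~ /^(tcp|udp)6?$/         { next }   # banner and column-header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # established/closing connections
        $1 ~ /^udp/ && $5 !~ /:\*$/   { next }   # connected (not bound-only) udp
        {
            n = split($4, la, ":"); port = la[n]            # last field is the port
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next  # loopback only
            prog = "?"                                      # netstat prints "-" when not root
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) {                     # the PID/Program field
                    split($i, p, "/"); prog = p[2]
                    sub(/:$/, "", prog)                     # "sendmail: acce" -> sendmail
                    break
                }
            print $1, port, prog
        }'
}

# unexpected_exposure NAME...: exposed sockets whose program is not one of
# NAME..., printed as "proto/port program". Empty output means nothing is
# listening beyond what you intended.
unexpected_exposure() {
    allowed=" $* "
    exposed_sockets | while read -r proto port prog; do
        case "$allowed" in
            *" $prog "*) ;;
            *) printf '%s/%s %s\n' "$proto" "$port" "$prog" ;;
        esac
    done
}

# Stand-alone run: on this box only the admin interface (httpd on 5150) and
# the mail server are meant to be reachable from the network.
sample_listing | unexpected_exposure httpd sendmail
```

On a real machine replace sample_listing with the article's netstat command, e.g. netstat -tupan | unexpected_exposure httpd sendmail, and work down the output the way the rest of this article does.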

We're going to start at the top, and work our way down. The first thing that we find is a service running on port 23 (the standard telnet port). If you're unsure what a port is usually used for, you can always look up the port number in the services file with the following command:

grep " 23/" /etc/services

The space and slash keep grep from also matching services on ports such as 223 or 231.

You can also look and see what program is running as PID 727 (the PID shown next to inetd above):

psg 727

This actually shows us that inetd is controlling this service. Inetd is just a daemon that handles a lot of other daemons. Whenever a Program Name starts with "in.", it usually means that the program is being run with tcpwrappers. The reason is that tcpwrappers usually replaces the old daemon with its own, and names the new one in.daemon. Inet daemons handled by inetd are configured with the /etc/inetd.conf file.

If you're not going to use telnetd, you can stop inetd from making it available by commenting out the line in your /etc/inetd.conf file that starts the daemon. You comment lines out by using a pound sign (#) as the first character of the line.

So change this line:

telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

To read:

#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

As long as we're in here, let's shut down every inet daemon that we don't plan on using. So I'll comment out the following lines as well:

#gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#ftp stream tcp nowait  root /usr/netmax/sbin/in.ftpd in.ftpd -l -a
#imap    stream  tcp     nowait  root    /usr/netmax/libexec/imapd   imapd
#pop2    stream  tcp     nowait  root    /usr/netmax/libexec/ipop2d   ipop2d
#pop3    stream  tcp     nowait  root    /usr/netmax/libexec/ipop3d   ipop3d

Basically this is going to shut down all of the inet daemons started by inetd. If you are using your server as a mail server, you probably don't want to comment out imap, pop2, or pop3. If you are using your server as an ftp server, you probably don't want to comment out ftp. If you are doing this from a telnet session, you definitely don't want to comment out telnet. If you don't know what the other services are, you probably don't need them. Ensure that you save your changes to this file after modifying it.

This will stop the daemons from being started from now on, but they are already running for this session, so we need to shut them down. To do that, send inetd a SIGHUP so that it restarts and re-reads the /etc/inetd.conf file. Do this by running the following command:

signal_proc inetd HUP
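
Commenting out inetd.conf entries by hand works, but it is easy to miss one or to comment a line twice. As an added example, not a NetMAX tool, this sh snippet disables named services in a file you name by matching the service field exactly (so telnet does not also catch telnets), leaves already-commented lines alone, and prints what it changed; the sample file is constructed from the entries quoted above plus one line that is already commented out.

```shell
#!/bin/sh
# Added example: disable inetd.conf services by service name. Not a NetMAX
# tool. Works on whatever file you name, so try it on a copy first.

# make_sample_inetd_conf FILE: constructed inetd.conf holding the entries
# quoted in this article, plus one line that is already commented out.
make_sample_inetd_conf() {
    cat >"$1" <<'EOF'
# inetd.conf (constructed sample)
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#talk   dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
ftp stream tcp nowait  root /usr/netmax/sbin/in.ftpd in.ftpd -l -a
imap    stream  tcp     nowait  root    /usr/netmax/libexec/imapd   imapd
pop2    stream  tcp     nowait  root    /usr/netmax/libexec/ipop2d   ipop2d
pop3    stream  tcp     nowait  root    /usr/netmax/libexec/ipop3d   ipop3d
EOF
}

# enabled_inetd_services FILE: the service field of every active line, i.e.
# what inetd would still offer after it re-reads the file.
enabled_inetd_services() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { print $1 }' "$1"
}

# disable_inetd_service FILE NAME...: prefix every active line whose service
# field is exactly one of NAME... with "#". Already-commented lines are left
# alone (so no "##"), and the names actually disabled are printed one per
# line. The rewrite goes through cat so FILE keeps its owner and mode.
disable_inetd_service() {
    conf=$1; shift
    tmp=$(mktemp) || return 1
    : >"$tmp.changed"
    awk -v names=" $* " -v changed="$tmp.changed" '
        /^[ \t]*#/ || /^[ \t]*$/     { print; next }            # comment or blank
        index(names, " " $1 " ") > 0 { print "#" $0; print $1 > changed; next }
        { print }
    ' "$conf" >"$tmp" && cat "$tmp" >"$conf"
    cat "$tmp.changed"
    rm -f "$tmp" "$tmp.changed"
}

# Stand-alone run on a throwaway copy, disabling the same set this article
# does. On the real /etc/inetd.conf the edit only takes effect after inetd
# re-reads the file (this article's "signal_proc inetd HUP").
demo=$(mktemp)
make_sample_inetd_conf "$demo"
disable_inetd_service "$demo" telnet gopher shell login finger
echo "still enabled:"
enabled_inetd_services "$demo"
rm -f "$demo"
```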

We're going to run netstat again, and you'll see that there are a lot fewer ports open now:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      3760/httpd-users
tcp        0      0 10.254.1.99:80          0.0.0.0:*               LISTEN      3760/httpd-users
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      3711/httpd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3032/sendmail: acce
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3002/slapd
tcp        0      0 10.254.1.99:53          0.0.0.0:*               LISTEN      2922/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2922/named
tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN      2881/afpd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2573/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2464/portmap
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1417/xdm
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2922/named
udp        0      0 10.254.1.99:53          0.0.0.0:*                           2922/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2922/named
udp        0      0 10.254.1.99:138         0.0.0.0:*                           2558/nmbd
udp        0      0 10.254.1.99:137         0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2464/portmap
udp        0      0 0.0.0.0:177             0.0.0.0:*                           1417/xdm
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1408/snmpd
udp        0      0 0.0.0.0:520             0.0.0.0:*                           760/routed

Let's start at the top again. We see that httpd-users is running on port 80, and is actually listening on two different IP addresses. This is the webserver that comes with the WebServer product. If you are only using your WebServer as a mail server, you may want to shut it down. This server is started in the /usr/netmax/etc/rc.d/http.sh script.

The first thing we need to do is disable the http_check script, which checks whether your http servers are running and starts them again if they are not; otherwise we would shut them down only to have them started right back up. Note that this script also keeps the admin web server running, so disabling it is potentially dangerous. To stop http_check from running, we need to comment out the following line in the /etc/crontab file:

0,30    *       *       *       *       root    /usr/netmax/bin/http_check.pl

So that it now reads:

#0,30    *       *       *       *       root    /usr/netmax/bin/http_check.pl

Next, to stop the user web server from starting, we want to edit the /usr/netmax/etc/rc.d/http.sh script so that the following lines:

  start)
    doAdmin

    # An un-configured NetMAX does not run user web pages
    if [ -f /tmp/.new ]; then exit 0; fi
    if [ $enabled -eq 1 ]; then
      /usr/netmax/bin/suidscript -U NMcmd_echo.nonewline ' apache(users)'
      $BIN_U -f $CONF_U
    fi
    ;;

are changed to read the following:

  start)
    doAdmin

    # An un-configured NetMAX does not run user web pages
    if [ -f /tmp/.new ]; then exit 0; fi
#    if [ $enabled -eq 1 ]; then
#      /usr/netmax/bin/suidscript -U NMcmd_echo.nonewline ' apache(users)'
#      $BIN_U -f $CONF_U
#    fi
    ;;

Ensure that you save these changes. We then need to shut the webserver down, since it's already running for this session. To do this, type the following command:

signal_proc httpd-users TERM 10

Let's run netstat again:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      3711/httpd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3032/sendmail: acce
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3002/slapd
tcp        0      0 10.254.1.99:53          0.0.0.0:*               LISTEN      2922/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2922/named
tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN      2881/afpd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2573/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2464/portmap
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1417/xdm
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2922/named
udp        0      0 10.254.1.99:53          0.0.0.0:*                           2922/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2922/named
udp        0      0 10.254.1.99:138         0.0.0.0:*                           2558/nmbd
udp        0      0 10.254.1.99:137         0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2464/portmap
udp        0      0 0.0.0.0:177             0.0.0.0:*                           1417/xdm
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1408/snmpd
udp        0      0 0.0.0.0:520             0.0.0.0:*                           760/routed

Starting at the top, we see that httpd is running on port 5150. This is the NetMAX web interface, which we DON'T want to shut down.

The next item is sendmail running on port 25. If you don't want the NetMAX to be able to receive/relay email, then you can disable sendmail. Sendmail is started in the /etc/rc.d/init.d/sendmail file. To stop sendmail from starting, you want to add an "exit" to the beginning of the script. So you want to change the following lines:

#!/bin/sh
#
# sendmail      This shell script takes care of starting and stopping
#               sendmail.
#
# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: sendmail
# config: /etc/sendmail.cf
# pidfile: /var/run/sendmail.pid

if [ -e /tmp/.new ]; then
  exit 0
fi

So that they now look like this:

#!/bin/sh
#
# sendmail      This shell script takes care of starting and stopping
#               sendmail.
#
# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: sendmail
# config: /etc/sendmail.cf
# pidfile: /var/run/sendmail.pid

exit 0

if [ -e /tmp/.new ]; then
  exit 0
fi

Ensure that you save these changes. We then need to shut sendmail down, since it's already running for this session. To do this, type the following commands:

signal_proc sendmail KILL
rm -f /var/lock/subsys/sendmail

The next service we find in our netstat is slapd running on port 389. This is the LDAP services daemon. This service is started in the /usr/netmax/etc/rc.d/ldap.sh script. To stop slapd from starting, you want to add an "exit" to the beginning of the script. So you want to change the following lines:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

BIN="/usr/netmax/etc/ldap/slapd"
CONF="/var/conf/slapd/myslapd.conf"
PID="/var/run/slapd.pid"

So that they now look like this:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

exit 0

BIN="/usr/netmax/etc/ldap/slapd"
CONF="/var/conf/slapd/myslapd.conf"
PID="/var/run/slapd.pid"

Ensure that you save these changes. We then need to shut slapd down, since it's already running for this session. To do this, type the following command:

signal_proc slapd TERM 5

Let's do a netstat again:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      3711/httpd
tcp        0      0 10.254.1.99:53          0.0.0.0:*               LISTEN      2922/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2922/named
tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN      2881/afpd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2573/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2464/portmap
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1417/xdm
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2922/named
udp        0      0 10.254.1.99:53          0.0.0.0:*                           2922/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2922/named
udp        0      0 10.254.1.99:138         0.0.0.0:*                           2558/nmbd
udp        0      0 10.254.1.99:137         0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2558/nmbd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2464/portmap
udp        0      0 0.0.0.0:177             0.0.0.0:*                           1417/xdm
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1408/
udp        0      0 0.0.0.0:520             0.0.0.0:*                           760/routed

The next item that we see is named running on tcp and udp port 53. In general, you don't want to shut down named. The only reason you might want to is if you have the FileServer only, and even then you generally don't want to shut it down. But if you decide to, it is started by the /usr/netmax/etc/rc.d/Named.sh script. To stop named from starting, you want to add an "exit" to the beginning of the script. So you want to change the following lines:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

BIN="/usr/sbin/named"
CONFDIR="/etc/namedb"
CONF="$CONFDIR/named.boot"
BSDCONF="$CONFDIR/named.boot.bsd"

So that they now read:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

exit 0

BIN="/usr/sbin/named"
CONFDIR="/etc/namedb"
CONF="$CONFDIR/named.boot"
BSDCONF="$CONFDIR/named.boot.bsd"

Ensure that you save these changes. We then need to shut named down, since it's already running for this session. To do this, type the following command:

/usr/netmax/bin/signal_proc named KILL 5

The next two items we see are afpd running on port 548 and smbd running on port 139. These are used for Apple file sharing and Windows file sharing. Unless you have the FileServer, you probably don't even want to use these services. And more than likely, if you are using one, you're not using the other. In this case, we're going to shut them both down.

AppleTalk is started in the /usr/netmax/etc/rc.d/ashare.sh script. To stop atalk from starting, you want to add an "exit" to the beginning of the script. So you want to change the following lines:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

BIN="/usr/netmax/atalk/etc/rc.atalk"
CONF="/var/conf/atalk/atalkd.conf"
APACHE_DIR="/var/conf/apache"

So that they now look like this:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

exit 0

BIN="/usr/netmax/atalk/etc/rc.atalk"
CONF="/var/conf/atalk/atalkd.conf"
APACHE_DIR="/var/conf/apache"

Ensure that you save these changes. We then need to shut afpd down, since it's already running for this session. To do this, type the following command:

/usr/netmax/atalk/etc/rc.atalk shutdown

Windows CIFS/SMB is started in the /usr/netmax/etc/rc.d/cifs.sh script. To stop smbd from starting, you want to add an "exit" to the beginning of the script. So you want to change the following lines:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

BINDIR="/usr/netmax/samba/bin"
CONF="/var/conf/samba/smb.conf"

So that they now read:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

exit 0

BINDIR="/usr/netmax/samba/bin"
CONF="/var/conf/samba/smb.conf"

Ensure that you save these changes. We then need to shut samba down, since it's already running for this session. To do this, type the following command:

/usr/netmax/bin/signal_proc smbd TERM 15
/usr/netmax/bin/signal_proc nmbd TERM 5

Let's do a netstat again:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      7381/httpd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2464/portmap
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1417/
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2464/portmap
udp        0      0 0.0.0.0:177             0.0.0.0:*                           1417/
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1408/
udp        0      0 0.0.0.0:520             0.0.0.0:*                           760/routed

Starting at the top, we see that portmap is running on port 111. Portmap is started in the SysV init process. The easiest way to maintain these services is with the chkconfig program. To see what services are started by init and in what run level, you can type:

/sbin/chkconfig --list

You will see output like this:

atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:on 2:on 3:on 4:on 5:on 6:off
inet 0:off 1:off 2:off 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
routed 0:off 1:off 2:off 3:on 4:off 5:off 6:off
rstatd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rusersd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rwhod 0:off 1:off 2:off 3:off 4:off 5:off 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lpd.old 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Not all init scripts will show, only the ones that have been configured to be included in chkconfig. Luckily for us, the services we need are included.

We can see by the output, that portmap runs in runlevels 3-5. So we need to turn it off in those runlevels by running the following command:

/sbin/chkconfig --level 345 portmap off

As long as we're here, we might as well turn off routed too. If your NetMAX is not acting as a router, you can probably disable it. Doing so disables your NetMAX's ability to receive RIP traffic from your router, which could affect routing behavior and routing warning messages.

/sbin/chkconfig --level 3 routed off

Let's run chkconfig again, to make sure that our changes took effect:

atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:on 2:on 3:on 4:on 5:on 6:off
inet 0:off 1:off 2:off 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
routed 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rstatd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rusersd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rwhod 0:off 1:off 2:off 3:off 4:off 5:off 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lpd.old 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Great. Now we need to stop the two services since they are still running for this session. These servers are generally started with links to scripts in the /etc/rc.d/init.d directory. So to stop them, we'll type the following commands:

/etc/rc.d/init.d/portmap stop
/etc/rc.d/init.d/routed stop

Let's do a netstat again:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      7381/httpd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1417/xdm
udp        0      0 0.0.0.0:177             0.0.0.0:*                           1417/xdm
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1408/snmpd

Hey, we're almost done. The next two items are xdm and snmpd. You can shut down xdm if you're not using X windows for anything. You can also shut down snmpd because we're not expecting any system messages from other machines.

Xdm is started in the /usr/netmax/etc/rc.d/xdm.sh script. To stop xdm from starting, you want to add an "exit" to the beginning of the script. So you want to change the following lines:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

BIN1="/usr/local/bin/kdm"
BIN2="/usr/X11R6/bin/xdm"

So that they now read:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $

exit 0

BIN1="/usr/local/bin/kdm"
BIN2="/usr/X11R6/bin/xdm"

Ensure that you save these changes. We then need to shut xdm down, since it's already running for this session. To do this, type the following command:

/usr/netmax/bin/signal_proc xdm KILL

Snmpd is started in the /usr/netmax/etc/rc.d/snmp.sh script. To stop snmpd from starting, you want to add an "exit" to the beginning of the script. So you want to change the following lines:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $
#

PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/netmax/bin:/usr/local/bin"
BIN="snmpd"

So that they now read:

#!/bin/sh
#
# $Id: 328,v 1.10 2003/07/07 15:46:51 nobody Exp nobody $
#

exit 0

PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/netmax/bin:/usr/local/bin"
BIN="snmpd"

Ensure that you save these changes. We then need to shut snmpd down, since it's already running for this session. To do this, type the following command:

/usr/netmax/bin/signal_proc snmpd TERM 5

Let's do another netstat:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      7381/httpd

Hey wow! We're done.

But let's reboot and do a netstat again, just to be sure.

`locate Reboot.sh`

***

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      7381/httpd
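The checks above were done by eye, once. As an added example (not from the NetMAX FAQ), the following Python script parses the output of netstat -lnp and chkconfig --list and reports any listener or boot-time service that is not on an allow-list, so the lockdown can be re-verified after every reboot. The embedded samples are constructed: the netstat lines match the listing in the text, and the chkconfig lines are a pre-lockdown snapshot in which portmap is still enabled.

```python
"""Audit what is still listening and what is still enabled at boot (added example,
not NetMAX code). Parses "netstat -lnp" and "chkconfig --list" output and reports
anything outside an allow-list, so the lockdown can be re-checked after a reboot."""
import re

# Only the web interface (httpd) should stay on the wire after lockdown.
ALLOWED_LISTENERS = {"httpd"}
# Boot-time services expected to remain on at runlevel 3 (from the listing above).
ALLOWED_AT_BOOT = {"atd", "keytable", "netfs", "network", "random", "inet",
                   "syslog", "crond", "sendmail"}

# Constructed samples: netstat matches the text; chkconfig is a pre-lockdown snapshot.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5150            0.0.0.0:*               LISTEN      7381/httpd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1417/xdm
udp        0      0 0.0.0.0:177             0.0.0.0:*                           1417/xdm
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1408/snmpd
"""
CHKCONFIG_SAMPLE = """\
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
routed 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
"""

def parse_netstat(text):
    """Return (proto, port, program) for every socket line that names a program."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or "/" not in f[-1] or f[0] not in ("tcp", "udp"):
            continue  # header line, or a socket with no PID/program (shown as "-")
        port = int(f[3].rsplit(":", 1)[1])
        rows.append((f[0], port, f[-1].split("/", 1)[1]))
    return rows

def parse_chkconfig(text, level=3):
    """Return the set of services switched on at the given runlevel."""
    return {m.group(1) for m in
            (re.match(r"(\S+)\s.*\s%d:on\b" % level, line) for line in text.splitlines())
            if m}

def unexpected_listeners(netstat_text):
    return sorted(r for r in parse_netstat(netstat_text) if r[2] not in ALLOWED_LISTENERS)

def unexpected_at_boot(chkconfig_text, level=3):
    return sorted(parse_chkconfig(chkconfig_text, level) - ALLOWED_AT_BOOT)
```

Feed it the live output of the two commands and an empty result from both functions means nothing unexpected survived the reboot.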

(Answer) How do I configure my web/email server behind a NAT'd firewall?
Applies to: All versions of NetMAX
This is an implementation issue. Although we can't really help you to implement your WebServer or Internet Server Suite, we have had quite a few customers who did not realize the complexities of hosting a public website or a public email server behind a NAT'd firewall using port forwarding, Traffic Rerouting, or static NAT.

This is also an implementation problem when people use our NetMAX FireWall Suite to NAT their internal network, and try to host a public webserver or email server behind the NAT on a non-NetMAX web or email server.

The complexity comes from the following two competing requirements:

  1. You need web and email clients on the Internet to resolve the FQDN of the web/email server to your firewall's public IP address.

  2. You need your web/email server and clients on your local network (behind the NAT) to resolve the FQDN of the web/email server to your web/email server's private IP address.

This is usually done by having two DNS servers: an internal one and an external one. Although there are many ways to accomplish this, we offer you the following ideas:

  1. If you are using a NetMAX FireWall to do the NAT and Traffic Rerouting, then you already have a second DNS server built into the FireWall. You probably want to allow your ISP to do your external DNS (be the primary name server for the domain name), then you can use the FireWall to do your internal DNS. Your ISP is responsible for resolving the FQDN to your firewall's public IP address for all of the Internet web clients that query them.

    Simply add the domain name(s) that you're hosting on the webserver to your NetMAX FireWall and ensure to check the box "Act as the Primary Name Server for this Domain" (even though it's not the primary name server in the real world, it is for the internal network). This is done from Home|Network|Domains. For the primary IP address, you probably want to enter the private IP address of the web/email server, but it depends on what IP address you want the domain name (without a host name preceding it) to resolve to. Also make sure to check the box "Use the InterNIC" from Home|Network|DNS, so that clients using this as their nameserver can resolve other non-local domain names.

    Make sure that your web/email server and your internal clients are using the NetMAX FireWall's internal IP address as a domain name server, for resolution.

  2. If your NetMAX FireWall is the primary name server for your domain name, then you'll need some other internal domain name server, since your NetMAX FireWall is already resolving the FQDN of the website to its own public address for all of the Internet web clients that query it.

    If you have NetMAX Professional to host your internal web/email server, then you can use the DNS on it to provide your internal DNS.

    Otherwise, for an inexpensive solution, you can purchase our NetMAX FireWall Suite product from a computer or bookstore near you. Just install the FireWall's license number on your NetMAX WebServer product to enable DNS on the WebServer machine. Then you can use that as your internal DNS.

    In both of these cases, you're actually hosting your internal DNS on the same machine as your web/email server.

    Of course, you may already have another domain name server available to you in the form of a Microsoft NT server, Linux server, etc, that you can use for your internal DNS.

    Again, as in option 1, ensure that your web/email server and your internal clients are using this internal domain name server for resolution.

  3. The less "complicated" method is to just add the FQDN to the HOSTS file of your web/email server and of each internal client. For NetMAX WebServer products, and most unix machines, this file is called /etc/hosts. For Windows machines, it is generally named \\Windows\hosts. Put the private IP address of the web/email server, followed by its FQDN, in this file. Make sure that your resolver is set to use the hosts file before using DNS. This method is not recommended, as it requires more administration, even though it may be faster to configure.

    You'll still need someone providing the external DNS for your web/email server, allowing other web/email clients on the Internet to resolve your FQDN to your firewall's public IP address.

Note: If you have only one external IP address, and are doing Traffic Rerouting, then you can only forward to one internal IP address. This means that you have to do virtual hosting on your internal webserver to support hosting more than one domain name. If you want to do Traffic Rerouting to more than one internal IP address, then you need more than one external IP address on your NetMAX FireWall product (or whatever is doing your NAT).

Although Traffic Rerouting uses domain names to specify addresses, it is really IP based. If you have only one external IP, you can only route traffic to one internal IP, no matter how many domain names you set up.
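The two-view setup described in options 1 and 2 can be verified from a script. As an added example (not from the NetMAX FAQ), the following Python sends a raw A query to a resolver of your choosing, so that /etc/hosts and the system resolver cannot mask the result, and checks that the internal resolver returns the server's private (RFC 1918) address while the external one returns the firewall's public address. The FQDN, resolver addresses and public IP are placeholders you supply.

```python
"""Split-horizon DNS check for a server behind a NAT'd firewall (added example, not
NetMAX code). Raw A queries let us ask a chosen resolver directly; the internal view
must return a private (RFC 1918) address, the external view the firewall's public IP."""
import ipaddress, socket, struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_query(fqdn, txid=0x1234):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in fqdn.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_a_records(resp):  # IPv4 addresses in the answer section of a DNS response
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    def skip_name(p):  # label sequence ends in a 0 byte; 0xC0xx is a compression pointer
        while resp[p] != 0:
            if resp[p] & 0xC0 == 0xC0:
                return p + 2
            p += 1 + resp[p]
        return p + 1
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_via(fqdn, server, timeout=3.0):  # ask one resolver, bypassing the system one
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(fqdn), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])

def check_split_horizon(answers, public_ip):
    """answers = {"internal": [ips], "external": [ips]} -> list of problems found."""
    problems = []
    for ip in answers.get("internal", []):
        if not any(ipaddress.ip_address(ip) in net for net in RFC1918):
            problems.append("internal resolver returned public address " + ip)
    for ip in answers.get("external", []):
        if ip != public_ip:
            problems.append("external resolver returned %s, expected %s" % (ip, public_ip))
    problems += [v + " resolver returned no A record" for v in ("internal", "external")
                 if not answers.get(v)]
    return problems
```

Call resolve_via(fqdn, internal_dns) and resolve_via(fqdn, external_dns), hand both lists to check_split_horizon with the firewall's public address, and an empty result means both views match the layout described above.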

(Answer) How do I automate the processing of my Traffic Monitor Report?
Applies to: NetMAX version 2.x - 4.0x
If your Traffic Monitor Report is taking too long to run, you can automate the processing of its raw tcpdump logs to create the "who hit what sites" and "what sites hit by whom" data files.

To automate this process, simply run the following command from root's crontab:

/usr/netmax/bin/Report.pl -s mm/dd/yyyy -e mm/dd/yyyy </var/log/wwwlog.log

Where -s is followed by the start date, and -e is followed by the end date. Once this process completes, you can go to Home|Reports|Traffic Monitor Report, click on the LAST REPORT tab, and view the report generated by the results of your cronjob.

You may need to do this if running the Traffic Monitor Report from the beginning through the NetMAX Interface causes your login to time out, which terminates the report before it completes.

Even so, if your computer is unable to generate the log files in a timely manner, we recommend that you keep your log files short by lowering the length of time they are stored.

You will need to add a -p option to the Report.pl command if you are using the NetMAX Proxy Caching Server and want to include its logs in the report.

/usr/netmax/bin/Report.pl -s mm/dd/yyyy -e mm/dd/yyyy -p </var/log/wwwlog.log

Please note that the only way to show TCP/UDP traffic in the Traffic Monitor Report correctly, if you are doing IP NAT, is by having your users use the Proxy Caching Server and including the -p parameter for this command.

The Traffic Monitor only monitors traffic passing through a network interface that is not destined for the network that the interface resides on. The reason why NAT'd traffic is not monitored is because it is destined for the NetMAX, and not for the Internet. The NetMAX is then acting more as a proxy than as a transparent router.

(Answer) How do I get started using MySQL?
Applies to: NetMAX version 4.0x
To get started using the MySQL database server that is installed with NetMAX 4.x products, you will first need to start the MySQL server with the following command:

/etc/rc.d/init.d/mysqld start

You will also want to run this command, so that MySQL is started and stopped properly at the appropriate run levels when rebooting.

/sbin/chkconfig --level 345 mysqld on

The next step is to set your root MySQL password with the following:

/usr/bin/mysqladmin -u root password mypass

(Where mypass is the password that you want to use.)

That's it. You can now use the usual MySQL commands to access your MySQL database server. We have also compiled PHP with MySQL support and included Perl::DBI and Perl::DBD::mysql so that you can get started using the MySQL server with CGI.

For more information and full documentation on the MySQL server, please visit the official MySQL web site.

NOTE: If you previously had MySQL installed on your NetMAX, you will want to remove the MySQL user and group that you had created in the NetMAX Interface, before upgrading to NetMAX 4.0. After the upgrade, you'll need to chown your database files to the new mysql user and group. If you had previously installed your database files in the default /var/lib/mysql directory, you can use this command:

chown -R mysql:mysql /var/lib/mysql

(Answer) How do I delete the partitions on a secondary hard disk with NetMAX?
There are multiple reasons you would want to repartition a secondary hard drive for use with NetMAX. We are most commonly asked this when people want to set up rsync mirroring on a Toshiba Magnia Server. The second drive should be formatted with no volume label in order to be used as a mirror for the first drive.

  1. Boot the machine with the second hard drive installed.
  2. Obtain console access to the machine, either via ssh or by logging in at the server console.
  3. Switch users to root:
    su -
  4. Run the fdisk command:
    fdisk device (where device is /dev/hdb or /dev/hdx corresponding to the second hard drive)
  5. Use this tool to delete all the partitions. Press p to view the partitions, and d to delete them.
  6. When you are finished, press 'w' to write the table to disk and exit.
  7. Reboot the machine and you should be good to go.

(Answer) How do I implement Proxy ARP on my NetMAX machine?
Applies to: NetMAX 4.0x
One of our more frequent questions in the NetMAX Support Department is how to implement Proxy ARP for bridging network interfaces. If you have more than one static IP address in the same subnet, and want to use a NetMAX machine to route the addresses to other machines on your network, Proxy ARP is the way to go. The NetMAX configuration steps are below; however, please note that your ISP will need to know the IP address of your NetMAX machine and that it will be routing the rest of your IP addresses. They can then set up the routing tables on their routers, allowing you to configure your NetMAX for bridging.

  1. First make sure your NetMAX is properly configured to be on the internet. Test this by pinging some web sites with the NetMAX.
  2. Under Network->Machines, add a machine for the computer that you will be routing traffic to. Specify the IP address that you want to assign it, and make sure to fill in the MAC address (or Hardware Address). This final step is the most important, as Proxy ARP will rely on this when routing traffic.
  3. Next, go to Network->Machine Groups, add a new group to use for Proxy ARP. Add the machine that you created in step 2 to this group.
  4. Navigate to Network->Routing->Bridge. This is where you will turn on bridging via Proxy ARP.
  5. For Proxy on Ethernet, choose your external network interface. This interface will be the one configured with an IP address and connected to your internet provider.
  6. The Physical Ethernet for Machines will be the network interface connected to your internal switch. All machines you are proxy arping for should also be connected to this switch.
  7. Choose the Machine Group you created during step 3 next. Add this entry, Store, and Commit the changes.
  8. Create firewall rules to allow the forwarding of traffic between the external interface and your proxy arped machine group. You will need forwarding rules on both the external interface as well as the interface the other machines are physically connected to.
  9. On machines you are Proxy Arping for, set their IP addresses to be what you specified for them when creating the Machine entry in the NetMAX interface.
  10. Set the default router for the machines being proxy arped to be the IP address of the external interface of the NetMAX machine. You should now be ready for testing.

This document is: http://www.netmax.org/cgi-bin/fom.cgi?file=244
This is a Faq-O-Matic 2.721.
This FAQ is administered by Cybernet Systems Corp.