September 21, 2021

ESET gateway on Solaris

This is on a Solaris 11.x x64 Intel box. The paths, usernames, and values in the examples are placeholders; change them to what you actually have or it won’t work. I show this as root, however you get there. First you download and install the binary like:

su
cd /export/home/whateveruseryouare/Downloads/
sh ./esets.i386.sol10.pkg.gz.bin
(accept agreement)

If you get an error about not having echo in /usr/ucp/, make a symlink to the real one like:

ln -s /usr/bin/echo /usr/ucp/echo

Then try to sh the .bin again.

Now you have to edit the main config file and add the AV update username and password you got with your order. NOTE: DON’T delete the leading #’s at the beginning of these lines. They don’t work like normal comment markers here (well, some do, but the ones you want to change still need the pound sign for some reason).

vi /etc/opt/esets/esets.cfg
  #av_update_username = "EAV-xxxxxxx" <- put the real one in the quotes
  #av_update_password = "xxxxxxxxx" <- put the real one in the quotes

Now import your license like:

/opt/eset/sbin/esets_lic --import /export/home/whateveruseryouare/Downloads/nod32.lic

Now start esets_daemon like:

/etc/init.d/esets start

Check to see if it’s running now like:

ps -A | grep esets
  1676 ?           1:15 esets_da
  15449 ?          0:00 esets_da

Note: you don’t see the whole process name, just the first 8 characters.

Now you have to configure the gateway itself: enable it, and set which interface/IP/subnet it listens on for your clients. You can run the setup script, but it throws errors. It does, however, change the options you want in the config file. Alternatively, you can just edit the file yourself and change the lines you want. Running the setup script is still kind of nice, because you can cut/paste its output into the esets.cfg file and get an idea of what you should be editing in that file. The end of the script also tries to implement a firewall (NAT) rule, which fails as well. You run the setup script by doing:

/opt/eset/sbin/esets_setup

Now you have to set up the Solaris firewall, so first take a look at what you have already running:

routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
  ---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled
           Routing services   "route:default ripng:default"
  Routing daemons:
                      STATE   FMRI
                   disabled   svc:/network/routing/route:default
                   disabled   svc:/network/routing/rdisc:default
                   disabled   svc:/network/routing/legacy-routing:ipv4
                   disabled   svc:/network/routing/legacy-routing:ipv6
                   disabled   svc:/network/routing/ripng:default
                     online   svc:/network/routing/ndp:default

This means you need to enable IPv4 forwarding like:

routeadm -u -e ipv4-forwarding
routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
  ---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   enabled              enabled
...

Notice now it says it’s enabled.

Now you have to add rules to the /etc/ipf/ipf.conf file. The rules below reflect my network, which almost certainly won’t use the same IP/subnet as yours, so change them to match. I have my network configured so that net0 is set to 172.16.50.xxx and I have another interface, net1, on 172.16.123.xxx. You can check yours by doing:

ifconfig -a
  lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 
  net0: flags=100001104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,PHYSRUNNING> mtu 1500 index 2
        inet 172.16.50.xxx netmask ffffff00 broadcast 172.16.50.255
        ether 0:c:29:6e:65:d8 
  net1: flags=100001104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,PHYSRUNNING> mtu 1500 index 3
        inet 172.16.123.1 netmask ffffff00 broadcast 172.16.123.255
        ether 0:c:29:6e:65:e2

So I want my upstream connection traffic to go through net0 and out to the Internet, and I want my local clients to connect to the Internet through my Solaris box on the net1 interface (and downstream switch), and they are on the 172.16.123.x IP/subnet.

map net1 172.16.123.0/24 -> 0/32 proxy port ftp ftp/tcp
map net1 172.16.123.0/24 -> 0/32 portmap tcp/udp auto
map net1 172.16.123.0/24 -> 0/32

Now restart your ipfilter and replumb your net1 interface like:

svcadm restart ipfilter
ifconfig net1 unplumb
ifconfig net1 172.16.123.1 netmask 255.255.255.0 up
ifconfig -a

Now go to one of your client boxes and try to ping 172.16.123.1; you should be able to. You should also be able to ping the Internet.
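
A map rule whose source subnet is mistyped simply never matches client traffic, so it is worth comparing the rules with the interface configuration before restarting ipfilter. The script below is an added example, not part of the original post; it assumes a POSIX awk, and the sample host addresses and the second, deliberately wrong rule are constructed.

```shell
#!/bin/sh
# Added example: check that the source subnet of every NAT "map" rule is a
# network really configured on a local interface (per `ifconfig -a`).

# Constructed sample data: host addresses and the second rule are made up.
SAMPLE_IFCONFIG='net0: flags=100001104843<UP,BROADCAST,RUNNING> mtu 1500 index 2
        inet 172.16.50.10 netmask ffffff00 broadcast 172.16.50.255
net1: flags=100001104843<UP,BROADCAST,RUNNING> mtu 1500 index 3
        inet 172.16.123.1 netmask ffffff00 broadcast 172.16.123.255'
SAMPLE_RULES='map net1 172.16.123.0/24 -> 0/32 portmap tcp/udp auto
map net1 172.16.132.0/24 -> 0/32'

# iface_networks: read ifconfig text on stdin, print "ifname network/prefix".
iface_networks() {
  awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    /^[a-z0-9]+:/ { ifname = $1; sub(/:$/, "", ifname) }
    $1 == "inet" && $3 == "netmask" {
      split($2, ip, "."); bits = 0; net = ""
      for (i = 1; i <= 4; i++) {
        # Solaris prints the mask as 8 hex digits, two per octet.
        m = hexval(substr($4, 2 * i - 1, 1)) * 16 + hexval(substr($4, 2 * i, 1))
        for (b = m; b > 0; b = int(b / 2)) bits += b % 2
        # For a contiguous mask, ip AND mask equals ip - ip mod (256 - mask).
        net = net (i > 1 ? "." : "") (ip[i] - ip[i] % (256 - m))
      }
      print ifname, net "/" bits
    }'
}

# check_map_rules RULES IFCONFIG: print OK or MISMATCH for each map rule.
check_map_rules() {
  nets=$(printf '%s\n' "$2" | iface_networks)
  printf '%s\n' "$1" | while read -r verb ifname src rest; do
    [ "$verb" = "map" ] || continue
    if printf '%s\n' "$nets" | awk -v s="$src" '$2 == s { f = 1 } END { exit !f }'
    then echo "OK $src"
    else echo "MISMATCH $src (no local interface is on this network)"
    fi
  done
}

check_map_rules "$SAMPLE_RULES" "$SAMPLE_IFCONFIG"
```

On Solaris, put /usr/xpg4/bin ahead of /usr/bin in PATH so that awk is the POSIX one, and pass your real rules and `ifconfig -a` output in place of the samples.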

Updating ESET

Replace the username and password with the ones you got with the license. This update might take a while depending on your connection; just let it run and do something else for a bit.

/opt/esets/sbin/esets_update -u EAV-xxxxxx -p xxxxxxx
  Virus signature database has been updated successfully.
  Installed virus signature database version 10xxxx (xxxxxx)

Here’s how you see what processes are listening in Solaris. Unfortunately, you have to download and compile lsof, which is sort of irritating. There’s a link here. Once that’s installed, do:

lsof -i TCP | grep LISTEN
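
For a gateway, the useful part of that listing is the address each listener is bound to, since the service is meant to answer on the client-facing interface configured earlier. The following is an added example, not from the original post, that sorts LISTEN lines by bind address; the sample lsof output, its ports and PIDs, and the internal address passed as an argument are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify TCP listeners by the address they are bound to, so
# a gateway service listening beyond the client-facing interface stands out.

# Constructed sample of `lsof -n -P -i TCP` output (-n and -P keep addresses
# and ports numeric). PIDs, ports, devices and the sshd line are made up.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
esets_da  1676 root    6u  IPv4 0x1a2b      0t0  TCP 172.16.123.1:8080 (LISTEN)
sshd       512 root    3u  IPv4 0x3c4d      0t0  TCP *:22 (LISTEN)
esets_da  1676 root    9u  IPv4 0x5e6f      0t0  TCP 172.16.50.10:8081 (LISTEN)
esets_da  1676 root   11u  IPv4 0x7a8b      0t0  TCP 172.16.123.1:8080->172.16.123.20:49152 (ESTABLISHED)'

# audit_listeners INTERNAL_IP: read lsof text on stdin; for each LISTEN socket
# print "verdict command pid address:port". A socket is "internal" when bound
# to INTERNAL_IP, "loopback" on 127.0.0.1, "wildcard" on *, else "other".
audit_listeners() {
  awk -v internal="$1" '
    $NF == "(LISTEN)" {
      name = $(NF - 1)
      addr = name
      sub(/:[^:]*$/, "", addr)          # strip the trailing :port
      if (addr == internal)         verdict = "internal"
      else if (addr == "127.0.0.1") verdict = "loopback"
      else if (addr == "*")         verdict = "wildcard"
      else                          verdict = "other"
      print verdict, $1, $2, name
    }'
}

# exposed_listeners INTERNAL_IP [COMMAND_PREFIX]: only the sockets bound to
# more than the internal address, optionally limited to one command prefix.
exposed_listeners() {
  audit_listeners "$1" | awk -v cmd="$2" '
    ($1 == "wildcard" || $1 == "other") && (cmd == "" || index($2, cmd) == 1)'
}

printf '%s\n' "$SAMPLE_LSOF" | exposed_listeners 172.16.123.1 esets
```

Pipe the real `lsof -n -P -i TCP` output into `exposed_listeners` with your own internal address; any line it prints for the gateway process is a listener to compare against the listen settings in esets.cfg.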