Veritas-bu

[Veritas-bu] Solaris 9 hosts.allow question

2004-11-03 23:54:19
Subject: [Veritas-bu] Solaris 9 hosts.allow question
From: Dwayne.Brzozowski AT mail.va DOT gov (Brzozowski, Dwayne)
Date: Wed, 3 Nov 2004 22:54:19 -0600
I did get some answers from Veritas. I didn't think it would be this quick
or detailed, but it all makes sense. Here is what Veritas has said about
hosts.allow entries for Solaris 9. 

Because of the built-in security on Solaris 9, anything not in hosts.allow
is automatically denied, explaining the need for bpcd, vnetd, and bpjava.
The ALL statement pertains to several media servers/masters. This allows any
NetBackup server to contact/connect to the client. IPs can be used to
ensure only specific NB servers are allowed access. Bpjava, both entries are
to allow the NB java gui to be pulled off of that client. Again, specific
IPs can be used. Vnetd is an acronym, which stands for Veritas Network
Daemon. All three of these processes are specified in the services file, and
specific ports are also defined. 

To validate/invalidate this statement by Veritas, I have been running tests
all night with this configuration. The conclusion is: bpcd MUST be in
/etc/hosts.allow on a Solaris 9 NB client. Bpjava-msvc, bpjava-susvc, and
vnetd are not needed in the client hosts.allow. These three processes have
already been defined in the services and inetd.conf files during NB client
install. I ran a backup on a Solaris 9 client and restored back to that
client with only the bpcd entry in the hosts.allow. That was successful.
Also, with only the bpcd entry, I was able to pull the java gui off the
client.


-Dwayne

I Sense much NT in you...
NT leads to bluescreen..
bluescreen leads to downtime.. 
downtime leads to suffering...
NT is the path to the darkside... 
Powerful Unix is... 

Unix Jedi








-----Original Message-----
From: Lue-Fook-Sang, Andre [mailto:andre.lue-fook-sang AT thomson DOT com]
Sent: Wednesday, November 03, 2004 6:48 PM
To: Brzozowski, Dwayne; 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: Re: [Veritas-bu] Solaris 9 hosts.allow question


Have you tried just the networks you have clients on?
e.g.
bpcd: 172.30.10, 176.12.5

Andre' Lue-Fook-Sang
Thomson One Security Engineer
Technical Operations - Production Support
Thomson Financial
Tel: 212-510-3943
Fax: 212-510-4498


-----Original Message-----
From: veritas-bu-admin AT mailman.eng.auburn DOT edu
<veritas-bu-admin AT mailman.eng.auburn DOT edu>
To: 'veritas-bu AT mailman.eng.auburn DOT edu' <veritas-bu AT 
mailman.eng.auburn DOT edu>
Sent: Wed Nov 03 18:59:42 2004
Subject: [Veritas-bu] Solaris 9 hosts.allow question

Hi,
I hope someone has run across this before. I have a Solaris 9 NetBackup
4.5FP4 master, with a mix of Solaris 8 (mainly) and several Solaris 9
clients. Currently, to make backups work on a Solaris 9 client, I have the
following entry in the hosts.allow (client side):

bpcd: ALL
bpjava-msvc: ALL in one port
bpjava-susvc: ALL out the other
vnetd: ALL

My question is, do I need the ALL statement on each line, or just the
netbackup master name on each line? My internal security group is looking
for a definitive answer on if/why the ALL statement has to be there. Also,
if anyone knows, why doesn't this have to be in the hosts.allow for Solaris
8 clients? Any help would be greatly appreciated!



-Dwayne

Dwayne J. Brzozowski
Department of Veterans Affairs
Night Shift Supervisor-Unix Group
Austin Automation center
(512)326-6728 work
dwayne.brzozowski AT mail.va DOT gov
_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
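
An added example, not part of the thread and not Veritas code: a small audit of hosts.allow rules for the NetBackup daemons named above, flagging `ALL` client lists and checking which server addresses a restricted rule admits. It assumes the default-deny behaviour described in the thread and IPv4 rules only; the function names and sample rules are constructed for illustration. Per hosts_access(5), a network prefix pattern must end in `.` to match by address prefix.

```python
import ipaddress
import re

NB_DAEMONS = {"bpcd", "vnetd", "bpjava-msvc", "bpjava-susvc"}

# Constructed sample input, modelled on the entries quoted in the thread.
SAMPLE = """\
# NetBackup client rules
bpcd: ALL
vnetd: ALL
bpcd: 172.30.10, 176.12.5.
"""

def parse(text):
    """Yield (lineno, daemons, clients) per rule: daemon_list : client_list."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # simplification: '#' starts a comment
        if ":" not in line:
            continue
        fields = line.split(":")               # IPv4 only; no bracketed IPv6
        split = lambda s: [t for t in re.split(r"[,\s]+", s.strip()) if t]
        yield n, split(fields[0]), split(fields[1])

def matches(pattern, addr):
    """Subset of hosts_access(5) client patterns, matched against an IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # net prefix: must end in '.'
        return addr.startswith(pattern)
    if "/" in pattern:                         # net/mask, e.g. 172.30.10.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr                     # otherwise an exact match only

def allowed(text, daemon, addr):
    """True if any rule for this daemon admits addr (hostnames are not resolved)."""
    return any(daemon in ds or "ALL" in ds
               for _, ds, cs in parse(text) if any(matches(c, addr) for c in cs))

def audit(text):
    """Return (lineno, daemon, issue) findings for NetBackup daemon rules."""
    findings = []
    for n, ds, cs in parse(text):
        for d in (d for d in ds if d in NB_DAEMONS):
            for c in cs:
                if c == "ALL":
                    findings.append((n, d, "open to every host"))
                elif re.fullmatch(r"\d+(\.\d+){0,2}", c):
                    findings.append((n, d, f"'{c}' lacks trailing '.', not a net prefix"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
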
