Subject: Using IP Filter to protect FW-1 4.0 (fwd)
From: Darren Reed (avalonCOOMBS.ANU.EDU.AU)
Date: Mon Jun 12 2000 - 09:55:25 CDT


Forwarded message:
>
> To use IP Filter to protect Firewall-1 4.0 running on Solaris,
> you will need to download "pfil" and IP Filter:
>
> ftp://coombs.anu.edu.au/pub/net/ip-filter/pfil-1.4.tar.gz
> ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.5alpha5.tar.gz
>
> Inside pfil-1.4.tar.gz, there is a diff file for Firewall-1:
> S25fw1boot.diff
> you will need to apply this diff to the rc script in /etc/rcS.d.
> Be sure to remove any "leftovers" that patch leaves behind - e.g.
> S25fw1boot.orig - lest something undesired is run at boot time.
>
> Then compile & install pfil, followed by IP Filter. You *must* reboot
> after installing both pfil and IP Filter. To verify that IP Filter is
> enabled in a manner to protect FW-1, after the system has rebooted, you
> should login and do the following (for example):
>
> strconf < /dev/le
>
> Which should show you:
>
> fw
> pfil
> le
>
> Likewise, if you do "ndd /dev/pfil qif_status", you should see something
> like this:
>
> ifname ill q OTHERQ num sap hl len nr nw
> QIF1 00000000 f5cebc18 f5cebc74 1 806 0 0 0 38
> le0 f595cf20 f5b27410 f5b2746c 0 800 14 0 29208 8101
>
> You should then make this the only line in /etc/opt/ipf/ipf.conf:
>
> block in all with frags
>
> and then run the following:
>
> /sbin/ipf -F a -f /etc/opt/ipf/ipf.conf
>
> This will block all those naughty IP fragment packets. This will impact
> use of the Internet if path MTU discovery is not available end-to-end and
> packets end up fragmented. If you want to log them:
>
> block in log all with frags
>
> FW-1 4.0 Observations.
> ----------------------
> FW-1 attempts to autopush itself onto all network devices. Unfortunately,
> it does this in /etc/rcS.d, which can lead to it not being able to achieve
> this for devices like PPP (ipdptp) if /usr is a separate partition to /.
>
> If you add a new type of network card to the host, FW-1 will not protect
> that device unless its driver is listed in /etc/fw.boot/ifdev.
>
> ndd and FW-1
> *DO NOT* use ndd with Firewall-1.
> "ndd /dev/fw0 \?" (for example) will cause a crash.
>
> Darren
>
> p.s. Many thanks to Peter C. for making this possible!
>
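The checks the message describes (module order from `strconf`, the `qif_status` table, and the single-rule ipf.conf) as an added, runnable example that is not part of the original post; the sample outputs are constructed from the text above, and the ordering rule (fw above pfil above the driver) is an assumption drawn from the `strconf` listing shown.

```python
"""Verify that pfil sits between Firewall-1 and the NIC driver, that pfil
has a queue bound to the interface, and that ipf.conf holds only the
fragment-block rule. Added example; inputs are constructed samples."""
import re

# Constructed to match the `strconf < /dev/le` output shown in the message.
SAMPLE_STRCONF = "fw\npfil\nle\n"

# Constructed to match the `ndd /dev/pfil qif_status` output in the message.
SAMPLE_QIF_STATUS = """ifname ill q OTHERQ num sap hl len nr nw
QIF1 00000000 f5cebc18 f5cebc74 1 806 0 0 0 38
le0 f595cf20 f5b27410 f5b2746c 0 800 14 0 29208 8101
"""

# The rule (with or without `log`) the message says ipf.conf should contain.
FRAG_RULE = re.compile(r"^block in (log )?all with frags$")


def parse_stack(text):
    """Module names top-to-bottom as printed by strconf, blanks ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def check_stack(text, driver="le"):
    """True only if fw is above pfil and pfil is above the driver, so
    inbound packets pass pfil (IP Filter) before FW-1 sees them."""
    mods = parse_stack(text)
    try:
        fw_i, pfil_i, drv_i = (mods.index(m) for m in ("fw", "pfil", driver))
    except ValueError:          # a module is missing from the stack
        return False
    return fw_i < pfil_i < drv_i


def parse_qif_status(text):
    """Parse the qif_status table into {ifname: {column: value}}."""
    rows = [l.split() for l in text.splitlines() if l.strip()]
    header, body = rows[0], rows[1:]
    return {r[0]: dict(zip(header, r)) for r in body if len(r) == len(header)}


def pfil_attached(text, ifname):
    """True if the interface has a non-null ill pointer and queue in pfil."""
    entry = parse_qif_status(text).get(ifname)
    return bool(entry) and entry["ill"] != "00000000" and entry["q"] != "00000000"


def only_frag_rule(conf_text):
    """True if every active (non-comment) line of ipf.conf is the frag rule."""
    rules = [l.strip() for l in conf_text.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    return bool(rules) and all(FRAG_RULE.match(r) for r in rules)
```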