
Detailed steps for building a firewall with Solaris and the IP Filter package

2005-6-12 08:26 | Contributor: Linux

Solaris can make a great firewall OS if properly installed and hardened. The hardware can be a Sparc box with a second network interface or an x86 box with dual NICs. Solaris 2.x CDs are free for education and non-commercial use from the Sun website; I got my Solaris 8 copy from the Sun booth at Linux Expo in San Jose in August 2000. Here are the necessary steps to brew your own firewall box with Solaris.

(1) OS:

(a) Boot and install just the "core" distribution from the Solaris CD. These steps should be easy within the GUI or menu-driven installer:

  - Define which interface is public (untrusted) and which is private (trusted).
  - Fill in the hostname and the appropriate IPs for each interface.
  - Don't connect or activate your connection to the untrusted network until you have installed IP Filter.

(b) Additional packages are required in order for GNU gcc to work:

  SUNWhea SUNWsrh SUNWbtool SUNWscpu SUNWtoo SUNWlibm SUNWsprot SUNWarc

By selecting the core installation, there is no volume management (vold) to automount your CD when you stick one in. You have to mount the CD by hand:

  # mount -F hsfs /dev/dsk/c0t6d0s0 /mnt

where t6 is my CD-ROM's SCSI ID. It is different if you are on an x86 box with IDE; check your system with "dmesg". Once the CD is mounted, cd to /mnt/Solaris_8/Product and copy the above packages into /tmp:

  # cp -R SUNWhea /tmp
  ...
  # cp -R SUNWarc /tmp

Use pkgadd to install these packages on your system:

  # cd /tmp
  # pkgadd -d .

(c) Patches: download and install the latest Recommended patch cluster from http://sunsolve.sun.com

  - ftping:

  # ftp sunsolve.sun.com
  login: ftp
  passwd: ftp
  ftp> cd /pub/patches
  ftp> bin
  ftp> hash
  ftp> get 8_Recommended.zip
  ftp> bye

  - installing:

  # unzip 8_Recommended.zip
  ...
  # cd 8_Recommended
  # ./install_cluster
  ...
  # reboot (you can reboot now or wait until after step 2)

(d) Turn on the journaling feature for UFS. To avoid a lengthy fsck after an unclean shutdown or power outage, one can turn on journaling on UFS simply by adding "logging" to the mount options in /etc/vfstab:

  # /etc/vfstab
  #
  #device         device          mount   FS      fsck    mount   mount
  #to mount       to fsck         point   type    pass    at boot options
  #
  /dev/md/dsk/d1  /dev/md/rdsk/d1 /RAID   ufs     2       yes     logging

(2) Hardening and removing unnecessary services:

- Use pkgrm to remove any package that is not being used, for example:

  # pkginfo | grep -i pcmcia
  system      SUNWpcelx      3COM EtherLink III PCMCIA Ethernet Driver
  system      SUNWpcmci      PCMCIA Card Services, (Root)
  system      SUNWpcmcu      PCMCIA Card Services, (Usr)
  system      SUNWpcmem      PCMCIA memory card driver
  system      SUNWpcser      PCMCIA serial card driver
  system      SUNWpsdpr      PCMCIA ATA card driver

  If there is no PCMCIA in the system, just remove them:

  # pkgrm SUNWpcelx SUNWpcmci SUNWpcmcu SUNWpcmem SUNWpcser SUNWpsdpr

- Set TCP_STRONG_ISS=2 in /etc/default/inetinit:

  # vi /etc/default/inetinit

- Turn off inetd:

  # rm /etc/rc2.d/S72inetsvc
  # ln -s /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc

  then comment out the inetd line (the last line) in /etc/init.d/inetsvc and null out the inetd services:

  # mv /etc/inet/inetd.conf /etc/inet/inetd.conf.ORIG

- Remove unnecessary services:

  # mv /etc/rc2.d/S71ldap.client /etc/rc2.d/_S71ldap.client
  # mv /etc/rc2.d/S71rpc /etc/rc2.d/_S71rpc
  # mv /etc/rc2.d/S73nfs.client /etc/rc2.d/_S73nfs.client
  # mv /etc/rc2.d/S74autofs /etc/rc2.d/_S74autofs
  # mv /etc/rc2.d/S74nscd /etc/rc2.d/_S74nscd
  # mv /etc/rc2.d/S88sendmail /etc/rc2.d/_S88sendmail
  ...

- To protect against possible buffer overflow (stack smashing) attacks, add the following two lines to /etc/system:
  set noexec_user_stack=1
  set noexec_user_stack_log=1

- Modify /etc/init.d/inetinit (or some other startup script) to set some IP parameters for further hardening:

  ### Set kernel parameters for /dev/ip
  ndd -set /dev/ip ip_respond_to_echo_broadcast 0
  ndd -set /dev/ip ip_forward_directed_broadcasts 0
  ndd -set /dev/ip ip_respond_to_timestamp 0
  ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
  ndd -set /dev/ip ip_forward_src_routed 0
  ndd -set /dev/ip ip_ignore_redirect 1

- Have a look at Sun's own tool for network security, which includes all of the above ndd settings; highly recommended: http://www.sun.com/blueprints/tools/nddconfig

(3) Firewall

(a) C compiler:

  - GNU gcc can be downloaded from http://www.sunfreeware.com
  - or download/try the Eval Sun WorkShop CD (a must for 64-bit)

(b) IP Filter Firewall/NAT:

(i) Download IP Filter from: http://coombs.anu.edu.au/~avalon/ip-filter.html

(ii) Compiling and installing the ipf module:

  # make solaris
  # cd SunOS5
  # make package

  Note: if you want to see the state table in real time, like the top utility, edit the Makefile to enable it:

  STATETOP_CFLAGS=-DSTATETOP
  STATETOP_INC=-I/usr/include
  STATETOP_LIB=-L/lib -lncurses

  I use the libcurses bundled in the SUNWcsl and SUNWarc packages. Just link these libs to libncurses in /usr/lib:

  libncurses.a -> libcurses.a
  libncurses.so.1 -> libcurses.so.1*
  libncurses.so -> libcurses.so.1*

  Once installed, you can run the cool utility "ipfstat -t".

  Note 1.1: New releases of ipf already have state top enabled.

  Note 2: If you want to block all by default, change:

  POLICY=-DIPF_DEFAULT_PASS=FR_PASS

  to:

  POLICY=-DIPF_DEFAULT_PASS=FR_BLOCK

(iii) Turn on IP forwarding. To enable your system to correctly forward IP packets from within your private network via NAT, you need to enable ip_forwarding on your NAT system. First check whether ip_forwarding is enabled via the ndd command:

  # ndd -get /dev/tcp ip_forwarding
  0

The zero indicates ip_forwarding is not enabled in the kernel.
To enable ip_forwarding, pass the following command to ndd:

  # ndd -set /dev/tcp ip_forwarding 1

You should now check that ip_forwarding is indeed enabled by checking as previously described, with the answer being the value "1".

(iv) Now let's make this permanent upon reboot.

  # /bin/rm /etc/rc2.d/S65ipfboot
  # ln -s /etc/init.d/ipfboot /etc/rc2.d/S65ipfboot

Create a startup script /etc/init.d/ipforward:

  #!/bin/sh
  case "$1" in
  start)
      echo "Activating IP Forwarding..."
      /usr/sbin/ndd -set /dev/tcp ip_forwarding 1
      ;;
  stop)
      echo "De-activating IP Forwarding..."
      /usr/sbin/ndd -set /dev/tcp ip_forwarding 0
      ;;
  *)
      echo "Usage: $0 (start|stop)" >&2
      exit 1
      ;;
  esac
  exit 0

Make it executable:

  # chmod 744 /etc/init.d/ipforward

Then link it as /etc/rc2.d/S69ipforward:

  # ln -s /etc/init.d/ipforward /etc/rc2.d/S69ipforward

Note: ipforward must run after ipf and inet.

(v) ipf and NAT rule sets: create a file called /etc/opt/ipf/ipnat.conf. /etc/opt/ipf/ipf.conf already exists and is empty. The file /etc/opt/ipf/ipf.conf is used to write your firewall rules, which is beyond the scope of this document. Check the IP Filter HOWTO page for more info: http://unixcircle.com/ipf

(4) Installing OpenSSH (optional)

One can go the easy way and just grab a binary package from http://www.sunfreeware.com, or learn a lot of stuff by hand-building (in this order). Make sure you read the README or INSTALL file that comes with each package:

  1. Get and install Perl
  2. Get and install zlib
  3. Get and install OpenSSL
  4. Get and install OpenSSH

- Startup script for sshd; save it as /etc/rc3.d/S99sshd:

  #!/sbin/sh
  #
  case "$1" in
  'start')
      if [ -x /usr/local/sbin/sshd ]; then
          echo 'Starting Secure Shell: sshd'
          /usr/local/sbin/sshd
      fi
      ;;
  'stop')
      /usr/bin/pkill -x -u 0 sshd
      ;;
  *)
      echo "Usage: $0 { start | stop }"
      exit 1
      ;;
  esac
  exit 0

- Then make it executable:

  # chmod 744 /etc/rc3.d/S99sshd

(5) Config syslogd to send to a syslog server

Make sure ipmon is run with option -Dsnxa in /etc/init.d/ipfboot. To have ipmon login info to sysl
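The hardening step in section (2) sets six IP parameters with ndd, but a startup script edit can silently stop applying them after a patch cluster or a mistyped edit. The script below is an added example, not part of the original article, that audits a capture of those parameters against the hardened values. It assumes the capture was produced on the Solaris box by looping over the parameter names with "ndd -get /dev/ip" and writing one "parameter value" line per parameter (the loop is shown in the comments); the capture file it checks here is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original article: check a capture of the
# firewall's ndd IP parameters against the hardened values the article
# sets in /etc/init.d/inetinit. It assumes the capture was made on the
# Solaris box with a loop like
#   for p in ip_respond_to_echo_broadcast ip_forward_directed_broadcasts \
#            ip_respond_to_timestamp ip_respond_to_timestamp_broadcast \
#            ip_forward_src_routed ip_ignore_redirect; do
#       echo "$p $(ndd -get /dev/ip $p)"
#   done > /var/tmp/ndd-capture.txt
# so that each line reads "<parameter> <value>". The capture used below
# is constructed sample data, not output from a real system.

# audit_ndd_capture FILE
# Prints one line per parameter that is missing from FILE or not at its
# hardened value, and returns the number of such parameters (0 = clean).
audit_ndd_capture() {
    file=$1
    bad=0
    # Parameter/value pairs taken from the article's ndd lines.
    set -- ip_respond_to_echo_broadcast 0 \
           ip_forward_directed_broadcasts 0 \
           ip_respond_to_timestamp 0 \
           ip_respond_to_timestamp_broadcast 0 \
           ip_forward_src_routed 0 \
           ip_ignore_redirect 1
    while [ $# -ge 2 ]; do
        param=$1
        want=$2
        shift 2
        # Value recorded for this parameter; empty if it was never captured.
        got=$(awk -v p="$param" '$1 == p { print $2 }' "$file")
        if [ "$got" != "$want" ]; then
            echo "$param: expected $want, got ${got:-<missing>}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample capture: echo-broadcast replies are still at 1 and
# ip_ignore_redirect was never captured, so two parameters should fail.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ip_respond_to_echo_broadcast 1
ip_forward_directed_broadcasts 0
ip_respond_to_timestamp 0
ip_respond_to_timestamp_broadcast 0
ip_forward_src_routed 0
EOF

audit_ndd_capture "$SAMPLE"
echo "non-compliant parameters: $?"
```

Run it against a fresh capture after every reboot or patch run; a non-zero exit count is the signal that the inetinit edit (or the nddconfig tool the article recommends) is no longer taking effect.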
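Section (3)(b)(v) leaves /etc/opt/ipf/ipf.conf empty and only says that ipnat.conf must be created. As an added example, not from the original article or the IP Filter project, the script below generates a minimal default-deny ipf.conf and a NAT ipnat.conf for the two-interface layout the article describes. The interface names (hme0 public, hme1 private) and the private network 192.168.1.0/24 are assumptions; it writes into a scratch directory so it can be run anywhere, and on the firewall the output would go to /etc/opt/ipf.

```shell
#!/bin/sh
# Added example, not part of the original article: generate a minimal
# default-deny /etc/opt/ipf/ipf.conf and a NAT /etc/opt/ipf/ipnat.conf for
# a box with one public and one private interface. Interface names and
# the private network below are assumptions; change them for the real box.

# gen_ipf_rules OUTDIR PUBIF PRIVIF PRIVNET
# Writes OUTDIR/ipf.conf and OUTDIR/ipnat.conf. On the firewall OUTDIR
# would be /etc/opt/ipf; a scratch directory is used here.
gen_ipf_rules() {
    outdir=$1
    pubif=$2
    privif=$3
    privnet=$4
    mkdir -p "$outdir"

    cat > "$outdir/ipf.conf" <<EOF
# Generated ipf.conf: default deny, stateful egress, anti-spoofing.
# Drop everything not explicitly allowed and log the drops so that ipmon
# (run with -Dsnxa, as in section 5) can forward them to syslog.
block in log all
block out all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: private addresses never arrive on the public side, and
# only private addresses arrive on the private side.
block in log quick on $pubif from $privnet to any
block in log quick on $privif from !$privnet to any

# Hosts on the private network may open connections outward; the state
# table lets the replies back in without an explicit "pass in" rule.
pass in quick on $privif proto tcp from $privnet to any flags S keep state
pass in quick on $privif proto udp from $privnet to any keep state
pass in quick on $privif proto icmp from $privnet to any keep state

# Traffic leaving on the public side (forwarded or from the firewall
# itself) and anything the firewall sends into the private network.
pass out quick on $pubif proto tcp from any to any flags S keep state
pass out quick on $pubif proto udp from any to any keep state
pass out quick on $pubif proto icmp from any to any keep state
pass out quick on $privif all keep state

# Everything else arriving on the public interface falls through to the
# "block in log all" rule above.
EOF

    cat > "$outdir/ipnat.conf" <<EOF
# Generated ipnat.conf: hide the private network behind the address of
# the public interface. The portmap line handles TCP/UDP; the second
# line covers other protocols such as ICMP.
map $pubif $privnet -> 0/32 portmap tcp/udp 10000:60000
map $pubif $privnet -> 0/32
EOF
}

# rule_count FILE: number of active (non-comment, non-blank) rules.
rule_count() {
    grep -v '^#' "$1" | grep -c .
}

# Stand-alone demonstration with the assumed interface names and network.
DEMO=$(mktemp -d)
gen_ipf_rules "$DEMO" hme0 hme1 192.168.1.0/24
echo "wrote $(rule_count "$DEMO/ipf.conf") filter rules and $(rule_count "$DEMO/ipnat.conf") NAT rules to $DEMO"
```

After copying the two files to /etc/opt/ipf, load them with "ipf -Fa -f /etc/opt/ipf/ipf.conf" and "ipnat -CF -f /etc/opt/ipf/ipnat.conf", and confirm with "ipfstat -io" that the rules are in place. Because the ruleset blocks everything by default, any service the firewall itself must expose (for example sshd from section 4) needs its own "pass in" rule added above the final comment.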