RE: [FW1] how to disable RIP on sun ultra 10 solaris?
On Fri, 9 Feb 2001, Hartmann, Josef wrote:

> Well,
>
> if the firewall has multiple interfaces and behind these there are different
> nets than the one directly connected to the firewall, routed has to run,
> doesn't it?

No it does not (nor should it ever for a firewall). Best practices for a
firewall are to use statically assigned routes only. The use of dynamic
routing protocols (such as routed, OSPF, etc.) adds additional risk. If a
routing protocol absolutely must be used, ensure you take steps to mitigate
the risk, such as authentication and rule base filtering.

In the case of Solaris, all routing protocols are disabled by default if you
assign a static, default route in the file /etc/defaultrouter. This is
considered best practice for a Solaris based firewall.

I also recommend you set the kernel so it ignores all ICMP redirects, which
can also update your route table. This can be done by setting the following
upon every reboot:

    ndd -set /dev/ip ip_ignore_redirect 1

The command "netstat -s" will give you TCP/UDP/ICMP stats on your system,
including ICMP redirects.
firewall $ netstat -s

UDP
        udpInDatagrams      = 15246     udpInErrors         =     0
        udpOutDatagrams     = 41529

TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpRtoMax           = 60000     tcpMaxConn          =    -1
        tcpActiveOpens      =  7968     tcpPassiveOpens     =   335
        tcpAttemptFails     =  1676     tcpEstabResets      =    60
        tcpCurrEstab        =     1     tcpOutSegs          =201722
        tcpOutDataSegs      =174112     tcpOutDataBytes     =40820318
        tcpRetransSegs      =   222     tcpRetransBytes     =  1729
        tcpOutAck           = 27605     tcpOutAckDelayed    =  8140
        tcpOutUrg           =     0     tcpOutWinUpdate     =     1
        tcpOutWinProbe      =     1     tcpOutControl       = 16756
        tcpOutRsts          =  1676     tcpOutFastRetrans   =     0
        tcpInSegs           =260020     tcpInAckSegs        =158866
        tcpInAckBytes       =40826680   tcpInDupAck         = 10030
        tcpInAckUnsent      =     0     tcpInInorderSegs    =143841
        tcpInInorderBytes   =16119948   tcpInUnorderSegs    =     0
        tcpInUnorderBytes   =     0     tcpInDupSegs        =    32
        tcpInDupBytes       =     0     tcpInPartDupSegs    =     0
        tcpInPartDupBytes   =     0     tcpInPastWinSegs    =     0
        tcpInPastWinBytes   =     0     tcpInWinProbe       =     0
        tcpInWinUpdate      =     1     tcpInClosed         =     0
        tcpRttNoUpdate      =     2     tcpRttUpdate        =152336
        tcpTimRetrans       =    10     tcpTimRetransDrop   =     0
        tcpTimKeepalive     =   766     tcpTimKeepaliveProbe=   459
        tcpTimKeepaliveDrop =    17     tcpListenDrop       =     0
        tcpListenDropQ0     =     0     tcpHalfOpenDrop     =     0
        tcpOutSackRetrans   =     0

IP      ipForwarding        =     1     ipDefaultTTL        =   255
        ipInReceives        =9991936    ipInHdrErrors       =     0
        ipInAddrErrors      =     0     ipInCksumErrs       =     0
        ipForwDatagrams     =9716892    ipForwProhibits     =     1
        ipInUnknownProtos   =     0     ipInDiscards        =     0
        ipInDelivers        =276641     ipOutRequests       =257106
        ipOutDiscards       =     0     ipOutNoRoutes       =     0
        ipReasmTimeout      =    60     ipReasmReqds        =     0
        ipReasmOKs          =     0     ipReasmFails        =     0
        ipReasmDuplicates   =     0     ipReasmPartDups     =     0
        ipFragOKs           =     0     ipFragFails         =     0
        ipFragCreates       =     0     ipRoutingDiscards   =     0
        tcpInErrs           =     0     udpNoPorts          =   703
        udpInCksumErrs      =     0     udpInOverflows      =     0
        rawipInOverflows    =     0

ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
        icmpInCksumErrs     =     0     icmpInUnknowns      =     0
        icmpInDestUnreachs  =    39     icmpInTimeExcds     =     0
        icmpInParmProbs     =     0     icmpInSrcQuenchs    =     0
        icmpInRedirects     =     0     icmpInBadRedirects  =     0
        icmpInEchos         =    81     icmpInEchoReps      =     0
        icmpInTimestamps    =     0     icmpInTimestampReps =     0
        icmpInAddrMasks     =     0     icmpInAddrMaskReps  =     0
        icmpInFragNeeded    =     0     icmpOutMsgs         =  1580
        icmpOutDrops        =     6     icmpOutErrors       =     0
        icmpOutDestUnreachs =    99     icmpOutTimeExcds    =  1481
        icmpOutParmProbs    =     0     icmpOutSrcQuenchs   =     0
        icmpOutRedirects    =     0     icmpOutEchos        =     0
        icmpOutEchoReps     =     0     icmpOutTimestamps   =     0
        icmpOutTimestampReps=     0     icmpOutAddrMasks    =     0
        icmpOutAddrMaskReps =     0     icmpOutFragNeeded   =     0
        icmpInOverflows     =     0

IGMP:
        0 messages received
        0 messages received with too few bytes
        0 messages received with bad checksum
        0 membership queries received
        0 membership queries received with invalid field(s)
        0 membership reports received
        0 membership reports received with invalid field(s)
        0 membership reports received for groups to which we belong
        0 membership reports sent

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
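As an added example (not part of the original post or the FW-1 list), here is a small POSIX shell script that does the checks the reply describes: it pulls the ICMP redirect counters out of "netstat -s" text, verifies that /etc/defaultrouter actually names a router (the condition under which Solaris leaves in.routed/in.rdisc disabled), and wraps the ndd setting so it can be dropped into a boot script. The sample counter text is constructed from the output above, not captured live; the boot-script name in the comment is an assumption, not something the post specifies.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a Solaris firewall's
# routing posture from "netstat -s" text and apply the post's ndd hardening.
# /etc/defaultrouter and ip_ignore_redirect are from the post; the sample
# text below is constructed from the counters the post shows, not live output.

# Constructed sample: a subset of the post's "netstat -s" counters (clean box).
SAMPLE_NETSTAT='IP      ipForwarding        =     1     ipDefaultTTL        =   255
ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
        icmpInRedirects     =     0     icmpInBadRedirects  =     0
        icmpOutRedirects    =     0     icmpOutEchos        =     0'

# Constructed sample of a box that has been accepting redirects.
REDIRECTED_NETSTAT='IP      ipForwarding        =     1
ICMP    icmpInRedirects     =     7     icmpInBadRedirects  =     2
        icmpOutRedirects    =     0'

# counter NAME TEXT: print the value of one "name = value" counter.
# Solaris packs several pairs per line and sometimes omits the space before
# '=' (tcpTimKeepaliveProbe= 459), so normalise around '=' and walk the
# fields instead of matching whole lines.
counter() {
    printf '%s\n' "$2" | awk -v n="$1" '
        { gsub(/=/, " = "); $0 = $0
          for (i = 1; i <= NF - 2; i++)
              if ($i == n && $(i + 1) == "=") { print $(i + 2); exit } }'
}

# redirect_report TEXT: print the three redirect counters; return 1 when any
# is non-zero, i.e. something on the wire has tried to rewrite our routes or
# we are emitting redirects ourselves (a firewall should do neither).
redirect_report() {
    in_r=$(counter icmpInRedirects "$1");     in_r=${in_r:-0}
    bad_r=$(counter icmpInBadRedirects "$1"); bad_r=${bad_r:-0}
    out_r=$(counter icmpOutRedirects "$1");   out_r=${out_r:-0}
    echo "icmpInRedirects=$in_r icmpInBadRedirects=$bad_r icmpOutRedirects=$out_r"
    [ "$in_r" -eq 0 ] && [ "$bad_r" -eq 0 ] && [ "$out_r" -eq 0 ]
}

# has_static_default_route [FILE]: true when FILE (default /etc/defaultrouter)
# has at least one non-comment, non-blank line, i.e. names a router. Per the
# post, that is what keeps the dynamic routing daemons from starting at boot.
has_static_default_route() {
    f="${1:-/etc/defaultrouter}"
    [ -s "$f" ] && grep -v '^[[:space:]]*#' "$f" | grep -q '[^[:space:]]'
}

# apply_redirect_hardening: the ndd setting from the post. ndd values do not
# persist across reboots, so this belongs in a boot script (assumed name
# /etc/rc2.d/S99harden; the post does not name one). Only meaningful on
# Solaris; refuses to run elsewhere.
apply_redirect_hardening() {
    [ -x /usr/sbin/ndd ] || { echo "ndd not found; not a Solaris host" >&2; return 2; }
    /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1 || return 1
    /usr/sbin/ndd -get /dev/ip ip_ignore_redirect
}

# Stand-alone run: audit the constructed samples and, on Solaris, the live box.
if [ "${1:-}" = "--run" ]; then
    redirect_report "$SAMPLE_NETSTAT"     && echo "sample: clean"
    redirect_report "$REDIRECTED_NETSTAT" || echo "sample: redirects seen"
    if [ -x /usr/bin/netstat ] && [ -x /usr/sbin/ndd ]; then
        redirect_report "$(netstat -s)" || echo "live: redirects seen"
        has_static_default_route || echo "live: /etc/defaultrouter is empty"
    fi
fi
```

Run it with `sh audit.sh --run`; on a non-Solaris host it only exercises the constructed samples. A non-zero icmpInRedirects on a firewall that already ignores redirects is still worth chasing, since it means a neighbour (or an attacker on the segment) is trying to steer the box's traffic.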