From: Lance Spitzner <[email protected]>
To: "Hartmann, Josef" <[email protected]>
CC: [email protected]
Subject: RE: [FW1] how to disable RIP on sun ultra 10 solaris?
Date: Fri, 9 Feb 2001 09:36:11 -0600 (CST)
On Fri, 9 Feb 2001, Hartmann, Josef wrote:
> Well,
>
> if the firewall has multiple interfaces and behind these there are
> different nets than the one directly connected to the firewall, routed
> has to run, doesn't it?
No it does not (nor should it ever for a firewall). Best practices for
a firewall are to use statically assigned routes only. The use of dynamic
routing protocols (such as routed, OSPF, etc.) adds additional risk. If
a routing protocol absolutely must be used, ensure you take steps to
mitigate the risk, such as authentication and rule base filtering.
In the case of Solaris, all routing protocols are disabled by default
if you assign a static, default route in the file /etc/defaultrouter.
This is considered best practices for a Solaris based firewall.
I also recommend you set the kernel so it ignores all ICMP redirects,
which can also update your route table. This can be done by setting
the following upon every reboot.
ndd -set /dev/ip ip_ignore_redirect 1
The command "netstat -s" will give you TCP/UDP/ICMP stats on your
system, including ICMP redirects.
firewall $ netstat -s

UDP
        udpInDatagrams      = 15246     udpInErrors         =     0
        udpOutDatagrams     = 41529

TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpRtoMax           = 60000     tcpMaxConn          =    -1
        tcpActiveOpens      =  7968     tcpPassiveOpens     =   335
        tcpAttemptFails     =  1676     tcpEstabResets      =    60
        tcpCurrEstab        =     1     tcpOutSegs          =201722
        tcpOutDataSegs      =174112     tcpOutDataBytes     =40820318
        tcpRetransSegs      =   222     tcpRetransBytes     =  1729
        tcpOutAck           = 27605     tcpOutAckDelayed    =  8140
        tcpOutUrg           =     0     tcpOutWinUpdate     =     1
        tcpOutWinProbe      =     1     tcpOutControl       = 16756
        tcpOutRsts          =  1676     tcpOutFastRetrans   =     0
        tcpInSegs           =260020
        tcpInAckSegs        =158866     tcpInAckBytes       =40826680
        tcpInDupAck         = 10030     tcpInAckUnsent      =     0
        tcpInInorderSegs    =143841     tcpInInorderBytes   =16119948
        tcpInUnorderSegs    =     0     tcpInUnorderBytes   =     0
        tcpInDupSegs        =    32     tcpInDupBytes       =     0
        tcpInPartDupSegs    =     0     tcpInPartDupBytes   =     0
        tcpInPastWinSegs    =     0     tcpInPastWinBytes   =     0
        tcpInWinProbe       =     0     tcpInWinUpdate      =     1
        tcpInClosed         =     0     tcpRttNoUpdate      =     2
        tcpRttUpdate        =152336     tcpTimRetrans       =    10
        tcpTimRetransDrop   =     0     tcpTimKeepalive     =   766
        tcpTimKeepaliveProbe=   459     tcpTimKeepaliveDrop =    17
        tcpListenDrop       =     0     tcpListenDropQ0     =     0
        tcpHalfOpenDrop     =     0     tcpOutSackRetrans   =     0

IP      ipForwarding        =     1     ipDefaultTTL        =   255
        ipInReceives        =9991936    ipInHdrErrors       =     0
        ipInAddrErrors      =     0     ipInCksumErrs       =     0
        ipForwDatagrams     =9716892    ipForwProhibits     =     1
        ipInUnknownProtos   =     0     ipInDiscards        =     0
        ipInDelivers        =276641     ipOutRequests       =257106
        ipOutDiscards       =     0     ipOutNoRoutes       =     0
        ipReasmTimeout      =    60     ipReasmReqds        =     0
        ipReasmOKs          =     0     ipReasmFails        =     0
        ipReasmDuplicates   =     0     ipReasmPartDups     =     0
        ipFragOKs           =     0     ipFragFails         =     0
        ipFragCreates       =     0     ipRoutingDiscards   =     0
        tcpInErrs           =     0     udpNoPorts          =   703
        udpInCksumErrs      =     0     udpInOverflows      =     0
        rawipInOverflows    =     0

ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
        icmpInCksumErrs     =     0     icmpInUnknowns      =     0
        icmpInDestUnreachs  =    39     icmpInTimeExcds     =     0
        icmpInParmProbs     =     0     icmpInSrcQuenchs    =     0
        icmpInRedirects     =     0     icmpInBadRedirects  =     0
        icmpInEchos         =    81     icmpInEchoReps      =     0
        icmpInTimestamps    =     0     icmpInTimestampReps =     0
        icmpInAddrMasks     =     0     icmpInAddrMaskReps  =     0
        icmpInFragNeeded    =     0     icmpOutMsgs         =  1580
        icmpOutDrops        =     6     icmpOutErrors       =     0
        icmpOutDestUnreachs =    99     icmpOutTimeExcds    =  1481
        icmpOutParmProbs    =     0     icmpOutSrcQuenchs   =     0
        icmpOutRedirects    =     0     icmpOutEchos        =     0
        icmpOutEchoReps     =     0     icmpOutTimestamps   =     0
        icmpOutTimestampReps=     0     icmpOutAddrMasks    =     0
        icmpOutAddrMaskReps =     0     icmpOutFragNeeded   =     0
        icmpInOverflows     =     0

IGMP:
        0 messages received
        0 messages received with too few bytes
        0 messages received with bad checksum
        0 membership queries received
        0 membership queries received with invalid field(s)
        0 membership reports received
        0 membership reports received with invalid field(s)
        0 membership reports received for groups to which we belong
        0 membership reports sent
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
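An audit helper for the three points made in the reply above (a static default route in /etc/defaultrouter, no dynamic routing daemon, and ip_ignore_redirect set), added here as an example for this archive page; it is not Lance Spitzner's code and not part of the original thread. It needs only POSIX sh, awk and grep, so it runs anywhere; the netstat -s excerpt it carries is constructed sample data, the function names are my own, and the live Solaris commands (ndd, netstat, ps) are invoked only when they exist on the host.

```shell
#!/bin/sh
# Added example (not from the original mail): audit the three points above
# on a Solaris firewall: static default route, no routing daemon, ICMP
# redirects ignored. Only POSIX sh, awk and grep are needed; the live tools
# (ndd, netstat, ps) are called only when they exist on the host.

# Constructed excerpt in the `netstat -s` layout shown in the mail
# (two "name = value" pairs per line, uneven spacing). Sample data only.
SAMPLE_NETSTAT='ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
        icmpInRedirects     =     2     icmpInBadRedirects  =     0
        icmpOutRedirects    =     0     icmpOutEchos        =     0'

# counter_value NAME < netstat-output: print the value of one counter.
# Split each line on runs of blanks and '=' and print the field after NAME.
counter_value() {
    awk -v name="$1" '{
        n = split($0, f, /[ \t=]+/)
        for (i = 1; i < n; i++) if (f[i] == name) { print f[i + 1]; exit }
    }'
}

# no_redirects_seen < netstat-output: return 0 when the kernel has received
# no ICMP redirects. A non-zero icmpInRedirects on a firewall is worth a look:
# something on a directly connected segment tried to alter the route table.
no_redirects_seen() {
    text=$(cat)
    in_red=$(printf '%s\n' "$text" | counter_value icmpInRedirects)
    bad_red=$(printf '%s\n' "$text" | counter_value icmpInBadRedirects)
    echo "icmpInRedirects=${in_red:-?} icmpInBadRedirects=${bad_red:-?}"
    [ "${in_red:-1}" -eq 0 ] && [ "${bad_red:-1}" -eq 0 ]
}

# redirects_ignored VALUE: return 0 when VALUE, the output of
# "ndd -get /dev/ip ip_ignore_redirect", shows redirects are being ignored.
redirects_ignored() {
    [ "$1" = "1" ]
}

# static_routing_only ROUTERS PSLIST: return 0 when ROUTERS (the contents
# of /etc/defaultrouter) names at least one router and PSLIST (ps -ef
# output) shows no dynamic routing daemon (in.routed, in.rdisc, routed).
static_routing_only() {
    routers=$1
    pslist=$2
    if ! printf '%s\n' "$routers" | grep -q '^[[:space:]]*[^[:space:]#]'; then
        echo "no static default route configured"
        return 1
    fi
    if printf '%s\n' "$pslist" |
       grep -Eq '(^|[[:space:]/])(in\.)?(routed|rdisc)([[:space:]]|$)'; then
        echo "dynamic routing daemon is running"
        return 1
    fi
    return 0
}

# Live audit on a Solaris host; elsewhere, run the parser on the sample.
if command -v ndd >/dev/null 2>&1 && command -v netstat >/dev/null 2>&1; then
    redirects_ignored "$(ndd -get /dev/ip ip_ignore_redirect)" ||
        echo "redirects not ignored: run ndd -set /dev/ip ip_ignore_redirect 1" \
             "(and put it in an rc script so it is reapplied at every reboot)"
    netstat -s | no_redirects_seen || echo "ICMP redirects have been received"
    static_routing_only "$(cat /etc/defaultrouter 2>/dev/null)" "$(ps -ef)" &&
        echo "static routing only: OK"
else
    printf '%s\n' "$SAMPLE_NETSTAT" | no_redirects_seen ||
        echo "sample data shows ICMP redirects received"
fi
```

The script reports rather than changes anything: the ndd setting is only read back, and the corrective command is printed for the administrator to run and to add to an rc script, which is how the "upon every reboot" requirement in the mail is met on Solaris. The two counters it watches, icmpInRedirects and icmpInBadRedirects, are the ones in the ICMP section of the netstat -s output above.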