
RE: [FW1] how to disable RIP on sun ultra 10 solaris?

To just add a small but possibly useful tidbit of information, if for some reason you do not want to have a default route on your firewall, the existence of the file /etc/notrouter on Solaris will also prevent any routing protocol from running, without setting a default route.

Simon

(With apologies to Lance for sending this direct to him rather than the list first time round.)

From: Lance Spitzner <[email protected]>
To: "Hartmann, Josef" <[email protected]>
CC: [email protected]
Subject: RE: [FW1] how to disable RIP on sun ultra 10 solaris?
Date: Fri, 9 Feb 2001 09:36:11 -0600 (CST)


On Fri, 9 Feb 2001, Hartmann, Josef wrote:


> Well,
>
> if the firewall has multiple interfaces and behind these there are different
> nets than the one directly connected to the firewall, routed has to run,
> doesn't it?


No it does not (nor should it ever for a firewall).  Best practices for
a firewall are to use statically assigned routes only.  The use of dynamic
routing protocols (such as routed, OSPF, etc.) adds additional risk.  If
a routing protocol absolutely must be used, ensure you take steps to
mitigate the risk, such as authentication and rule base filtering.

In the case of Solaris, all routing protocols are disabled by default
if you assign a static, default route in the file /etc/defaultrouter.
This is considered best practices for a Solaris based firewall.

I also recommend you set the kernel so it ignores all ICMP redirects,
which can also update your route table.  This can be done by setting
the following upon every reboot.

ndd -set /dev/ip ip_ignore_redirect 1

The command "netstat -s" will give you TCP/UDP/ICMP stats on your
system, including ICMP redirect.

firewall $netstat -s


UDP     udpInDatagrams      = 15246     udpInErrors         =     0
        udpOutDatagrams     = 41529

TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpRtoMax           = 60000     tcpMaxConn          =    -1
        tcpActiveOpens      =  7968     tcpPassiveOpens     =   335
        tcpAttemptFails     =  1676     tcpEstabResets      =    60
        tcpCurrEstab        =     1     tcpOutSegs          =201722
        tcpOutDataSegs      =174112     tcpOutDataBytes     =40820318
        tcpRetransSegs      =   222     tcpRetransBytes     =  1729
        tcpOutAck           = 27605     tcpOutAckDelayed    =  8140
        tcpOutUrg           =     0     tcpOutWinUpdate     =     1
        tcpOutWinProbe      =     1     tcpOutControl       = 16756
        tcpOutRsts          =  1676     tcpOutFastRetrans   =     0
        tcpInSegs           =260020
        tcpInAckSegs        =158866     tcpInAckBytes       =40826680
        tcpInDupAck         = 10030     tcpInAckUnsent      =     0
        tcpInInorderSegs    =143841     tcpInInorderBytes   =16119948
        tcpInUnorderSegs    =     0     tcpInUnorderBytes   =     0
        tcpInDupSegs        =    32     tcpInDupBytes       =     0
        tcpInPartDupSegs    =     0     tcpInPartDupBytes   =     0
        tcpInPastWinSegs    =     0     tcpInPastWinBytes   =     0
        tcpInWinProbe       =     0     tcpInWinUpdate      =     1
        tcpInClosed         =     0     tcpRttNoUpdate      =     2
        tcpRttUpdate        =152336     tcpTimRetrans       =    10
        tcpTimRetransDrop   =     0     tcpTimKeepalive     =   766
        tcpTimKeepaliveProbe=   459     tcpTimKeepaliveDrop =    17
        tcpListenDrop       =     0     tcpListenDropQ0     =     0
        tcpHalfOpenDrop     =     0     tcpOutSackRetrans   =     0

IP      ipForwarding        =     1     ipDefaultTTL        =   255
        ipInReceives        =9991936    ipInHdrErrors       =     0
        ipInAddrErrors      =     0     ipInCksumErrs       =     0
        ipForwDatagrams     =9716892    ipForwProhibits     =     1
        ipInUnknownProtos   =     0     ipInDiscards        =     0
        ipInDelivers        =276641     ipOutRequests       =257106
        ipOutDiscards       =     0     ipOutNoRoutes       =     0
        ipReasmTimeout      =    60     ipReasmReqds        =     0
        ipReasmOKs          =     0     ipReasmFails        =     0
        ipReasmDuplicates   =     0     ipReasmPartDups     =     0
        ipFragOKs           =     0     ipFragFails         =     0
        ipFragCreates       =     0     ipRoutingDiscards   =     0
        tcpInErrs           =     0     udpNoPorts          =   703
        udpInCksumErrs      =     0     udpInOverflows      =     0
        rawipInOverflows    =     0

ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
        icmpInCksumErrs     =     0     icmpInUnknowns      =     0
        icmpInDestUnreachs  =    39     icmpInTimeExcds     =     0
        icmpInParmProbs     =     0     icmpInSrcQuenchs    =     0
        icmpInRedirects     =     0     icmpInBadRedirects  =     0
        icmpInEchos         =    81     icmpInEchoReps      =     0
        icmpInTimestamps    =     0     icmpInTimestampReps =     0
        icmpInAddrMasks     =     0     icmpInAddrMaskReps  =     0
        icmpInFragNeeded    =     0     icmpOutMsgs         =  1580
        icmpOutDrops        =     6     icmpOutErrors       =     0
        icmpOutDestUnreachs =    99     icmpOutTimeExcds    =  1481
        icmpOutParmProbs    =     0     icmpOutSrcQuenchs   =     0
        icmpOutRedirects    =     0     icmpOutEchos        =     0
        icmpOutEchoReps     =     0     icmpOutTimestamps   =     0
        icmpOutTimestampReps=     0     icmpOutAddrMasks    =     0
        icmpOutAddrMaskReps =     0     icmpOutFragNeeded   =     0
        icmpInOverflows     =     0
IGMP:
          0 messages received
          0 messages received with too few bytes
          0 messages received with bad checksum
          0 membership queries received
          0 membership queries received with invalid field(s)
          0 membership reports received
          0 membership reports received with invalid field(s)
          0 membership reports received for groups to which we belong
          0 membership reports sent



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

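The checks the two posts above recommend for a Solaris firewall, as an added shell script that is not part of either message: it classifies the routing configuration by the presence of /etc/defaultrouter or /etc/notrouter, and reads the icmpInRedirects counter out of "netstat -s" style output to confirm no redirects have been accepted. The sample netstat text and the parsing helpers are constructed for this example; the live report at the end only runs on a host that actually has ndd and netstat.

```shell
# Audit helper for the advice in this thread: static route file instead of a
# routing daemon, ip_ignore_redirect=1, and a zero icmpInRedirects counter.

# Constructed sample of "netstat -s" output in the layout shown above (not a real capture).
SAMPLE_NETSTAT='IP      ipForwarding        =     1     ipDefaultTTL        =   255
        tcpOutSegs          =201722     tcpOutDataSegs      =174112
ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
        icmpInRedirects     =     3     icmpInBadRedirects  =     1
        icmpOutRedirects    =     0     icmpOutEchos        =     0'

# Print the value of one counter from netstat -s style text on stdin, or "missing".
# The "=" is padded with spaces first because Solaris glues it to wide numbers
# (e.g. "tcpOutSegs =201722"); the exact field match avoids prefix collisions
# such as icmpInRedirects vs icmpInBadRedirects.
netstat_counter() {
    sed 's/=/ = /g' | awk -v key="$1" '
        { for (i = 1; i < NF; i++)
              if ($i == key && $(i + 1) == "=") { print $(i + 2); found = 1; exit } }
        END { if (!found) print "missing" }'
}

# Classify the routing configuration under a root directory ("" for the live host).
# Either file keeps in.routed/in.rdisc from starting at boot, as the thread describes.
routing_posture() {
    root=${1:-}
    if [ -s "$root/etc/defaultrouter" ]; then
        echo static-default-route
    elif [ -e "$root/etc/notrouter" ]; then
        echo notrouter
    else
        echo dynamic-routing-possible
    fi
}

# "clean" if no ICMP redirects were accepted since boot, else "redirects-seen <n>".
redirect_status() {
    n=$(netstat_counter icmpInRedirects)
    if [ "$n" = missing ]; then echo unknown
    elif [ "$n" -eq 0 ]; then echo clean
    else echo "redirects-seen $n"
    fi
}

# Live report, only when run on a host that has ndd and netstat (i.e. Solaris).
if command -v ndd >/dev/null 2>&1 && command -v netstat >/dev/null 2>&1; then
    echo "routing:            $(routing_posture)"
    echo "ip_ignore_redirect: $(ndd /dev/ip ip_ignore_redirect 2>/dev/null || echo '?')"
    echo "redirect counter:   $(netstat -s | redirect_status)"
fi
```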