RE: [FW1] how to disable RIP on sun ultra 10 solaris?
<bragging>Which is what I said in the first place:)</bragging>

Another note is that running (dynamic?? I guess) routing protocols like VRRP
can be a very good thing on a firewall:) Hence the nokia implementation.

--Paul

On Fri, 9 Feb 2001, Simon Hornby wrote:

> To just add a small but possibly useful tidbit of information, if for some
> reason you do not want to have a default route on your firewall, the
> existence of the file /etc/notrouter on solaris will also prevent any
> routing protocol from running, without setting a default route.
>
> Simon
>
> (With apologies to Lance for sending this direct to him rather than the list
> first time round.)
>
> >From: Lance Spitzner <[email protected]>
> >To: "Hartmann, Josef" <[email protected]>
> >CC: [email protected]
> >Subject: RE: [FW1] how to disable RIP on sun ultra 10 solaris?
> >Date: Fri, 9 Feb 2001 09:36:11 -0600 (CST)
> >
> >On Fri, 9 Feb 2001, Hartmann, Josef wrote:
> >
> > > Well,
> > >
> > > if the firewall has multiple interfaces and behind these there are
> > > different nets than the one directly connected to the firewall, routed
> > > has to run, doesn't it?
> >
> >No it does not (nor should it ever for a firewall). Best practices for
> >a firewall are to use statically assigned routes only. The use of dynamic
> >routing protocols (such as routed, OSPF, etc) adds additional risk. If
> >a routing protocol absolutely must be used, ensure you take steps to
> >mitigate the risk, such as authentication and rule base filtering.
> >
> >In the case of Solaris, all routing protocols are disabled by default
> >if you assign a static, default route in the file /etc/defaultrouter.
> >This is considered best practices for a Solaris-based firewall.
> >
> >I also recommend you set the kernel so it ignores all ICMP redirects,
> >which can also update your route table. This can be done by setting
> >the following upon every reboot.
> >
> >ndd -set /dev/ip ip_ignore_redirect 1
> >
> >The command "netstat -s" will give you TCP/UDP/ICMP stats on your
> >system, including ICMP redirect.
> >
> >firewall $netstat -s
> >
> >UDP
> >        udpInDatagrams      = 15246     udpInErrors         =     0
> >        udpOutDatagrams     = 41529
> >
> >TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
> >        tcpRtoMax           = 60000     tcpMaxConn          =    -1
> >        tcpActiveOpens      =  7968     tcpPassiveOpens     =   335
> >        tcpAttemptFails     =  1676     tcpEstabResets      =    60
> >        tcpCurrEstab        =     1     tcpOutSegs          =201722
> >        tcpOutDataSegs      =174112     tcpOutDataBytes     =40820318
> >        tcpRetransSegs      =   222     tcpRetransBytes     =  1729
> >        tcpOutAck           = 27605     tcpOutAckDelayed    =  8140
> >        tcpOutUrg           =     0     tcpOutWinUpdate     =     1
> >        tcpOutWinProbe      =     1     tcpOutControl       = 16756
> >        tcpOutRsts          =  1676     tcpOutFastRetrans   =     0
> >        tcpInSegs           =260020
> >        tcpInAckSegs        =158866     tcpInAckBytes       =40826680
> >        tcpInDupAck         = 10030     tcpInAckUnsent      =     0
> >        tcpInInorderSegs    =143841     tcpInInorderBytes   =16119948
> >        tcpInUnorderSegs    =     0     tcpInUnorderBytes   =     0
> >        tcpInDupSegs        =    32     tcpInDupBytes       =     0
> >        tcpInPartDupSegs    =     0     tcpInPartDupBytes   =     0
> >        tcpInPastWinSegs    =     0     tcpInPastWinBytes   =     0
> >        tcpInWinProbe       =     0     tcpInWinUpdate      =     1
> >        tcpInClosed         =     0     tcpRttNoUpdate      =     2
> >        tcpRttUpdate        =152336     tcpTimRetrans       =    10
> >        tcpTimRetransDrop   =     0     tcpTimKeepalive     =   766
> >        tcpTimKeepaliveProbe=   459     tcpTimKeepaliveDrop =    17
> >        tcpListenDrop       =     0     tcpListenDropQ0     =     0
> >        tcpHalfOpenDrop     =     0     tcpOutSackRetrans   =     0
> >
> >IP      ipForwarding        =     1     ipDefaultTTL        =   255
> >        ipInReceives        =9991936    ipInHdrErrors       =     0
> >        ipInAddrErrors      =     0     ipInCksumErrs       =     0
> >        ipForwDatagrams     =9716892    ipForwProhibits     =     1
> >        ipInUnknownProtos   =     0     ipInDiscards        =     0
> >        ipInDelivers        =276641     ipOutRequests       =257106
> >        ipOutDiscards       =     0     ipOutNoRoutes       =     0
> >        ipReasmTimeout      =    60     ipReasmReqds        =     0
> >        ipReasmOKs          =     0     ipReasmFails        =     0
> >        ipReasmDuplicates   =     0     ipReasmPartDups     =     0
> >        ipFragOKs           =     0     ipFragFails         =     0
> >        ipFragCreates       =     0     ipRoutingDiscards   =     0
> >        tcpInErrs           =     0     udpNoPorts          =   703
> >        udpInCksumErrs      =     0     udpInOverflows      =     0
> >        rawipInOverflows    =     0
> >
> >ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
> >        icmpInCksumErrs     =     0     icmpInUnknowns      =     0
> >        icmpInDestUnreachs  =    39     icmpInTimeExcds     =     0
> >        icmpInParmProbs     =     0     icmpInSrcQuenchs    =     0
> >        icmpInRedirects     =     0     icmpInBadRedirects  =     0
> >        icmpInEchos         =    81     icmpInEchoReps      =     0
> >        icmpInTimestamps    =     0     icmpInTimestampReps =     0
> >        icmpInAddrMasks     =     0     icmpInAddrMaskReps  =     0
> >        icmpInFragNeeded    =     0     icmpOutMsgs         =  1580
> >        icmpOutDrops        =     6     icmpOutErrors       =     0
> >        icmpOutDestUnreachs =    99     icmpOutTimeExcds    =  1481
> >        icmpOutParmProbs    =     0     icmpOutSrcQuenchs   =     0
> >        icmpOutRedirects    =     0     icmpOutEchos        =     0
> >        icmpOutEchoReps     =     0     icmpOutTimestamps   =     0
> >        icmpOutTimestampReps=     0     icmpOutAddrMasks    =     0
> >        icmpOutAddrMaskReps =     0     icmpOutFragNeeded   =     0
> >        icmpInOverflows     =     0
> >IGMP:
> >        0 messages received
> >        0 messages received with too few bytes
> >        0 messages received with bad checksum
> >        0 membership queries received
> >        0 membership queries received with invalid field(s)
> >        0 membership reports received
> >        0 membership reports received with invalid field(s)
> >        0 membership reports received for groups to which we belong
> >        0 membership reports sent
> >
> >================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> >================================================================================
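Added example, not from any of the posts above: a small POSIX shell audit covering the three points made in the thread, namely whether routing daemons are kept off via a static default route in /etc/defaultrouter or via the /etc/notrouter file, whether the icmpInRedirects counter in "netstat -s" is still zero, and reapplying ip_ignore_redirect at boot. The etc_dir parameter and the sample netstat text are constructed here so the checks can be exercised on a scratch directory rather than a live Solaris host.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits a Solaris firewall
# host against the advice above. "etc_dir" is a constructed parameter so the
# checks can be exercised on a scratch directory instead of /etc.

# Which mechanism keeps routing daemons off at boot:
#   /etc/defaultrouter (non-empty) -> static default route, no in.routed/in.rdisc
#   /etc/notrouter                 -> daemons off, but no default route either
#   neither                        -> dynamic routing may start; fix this
route_policy() {
    etc_dir=$1
    if [ -s "$etc_dir/defaultrouter" ]; then
        echo "static-default:$(head -n 1 "$etc_dir/defaultrouter")"
    elif [ -f "$etc_dir/notrouter" ]; then
        echo "notrouter"
    else
        echo "dynamic-routing-possible"
    fi
}

# Pull one counter out of "netstat -s" text read from stdin. Solaris prints
# two "name = value" pairs per line, so match the name wherever it appears.
netstat_counter() {
    sed -n "s/.*$1 *= *\(-*[0-9][0-9]*\).*/\1/p" | head -n 1
}

# Succeeds only when no ICMP redirect has been accepted since boot; a non-zero
# icmpInRedirects means the route table may already have been altered and
# ip_ignore_redirect was not (or not yet) in force.
check_redirects() {
    n=$(netstat_counter icmpInRedirects)
    [ -n "$n" ] && [ "$n" -eq 0 ]
}

# Constructed sample modelled on the ICMP section of the quoted netstat output.
SAMPLE_NETSTAT='ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
        icmpInRedirects     =     0     icmpInBadRedirects  =     0'

audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | check_redirects
}

# The kernel setting from the thread, with the /dev/ip driver argument that
# ndd requires. Place the call in an rc script so it is reapplied on every reboot.
apply_ignore_redirect() {
    command -v ndd >/dev/null 2>&1 && ndd -set /dev/ip ip_ignore_redirect 1
}
```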