
RE: [FW1] how to disable RIP on sun ultra 10 solaris?




<bragging>Which is what I said in the first place:)</bragging>

Another note is that running (dynamic?? I guess) routing protocols like
VRRP can be a very good thing on a firewall:)  Hence the Nokia
implementation.

--Paul 


On Fri, 9 Feb 2001, Simon Hornby wrote:

> 
> 
> To just add a small but possibly useful tidbit of information, if for some 
> reason you do not want to have a default route on your firewall, the 
> existence of the file /etc/notrouter on Solaris will also prevent any 
> routing protocol from running, without setting a default route.
> 
> Simon
> 
> (With apologies to Lance for sending this direct to him rather than the list 
> first time round.)
> 
> >From: Lance Spitzner <[email protected]>
> >To: "Hartmann, Josef" <[email protected]>
> >CC: [email protected]
> >Subject: RE: [FW1] how to disable RIP on sun ultra 10 solaris?
> >Date: Fri, 9 Feb 2001 09:36:11 -0600 (CST)
> >
> >
> >On Fri, 9 Feb 2001, Hartmann, Josef wrote:
> >
> > > Well,
> > >
> > > if the firewall has multiple interfaces and behind these there are 
> >different
> > > nets than the one directly connected to the firewall, routed has to run,
> > > doesn't it?
> >
> >No it does not (nor should it ever for a firewall).  Best practices for
> >a firewall are to use statically assigned routes only.  The use of dynamic
> >routing protocols (such as routed, OSPF, etc) adds additional risk.  If
> >a routing protocol absolutely must be used, ensure you take steps to
> >mitigate the risk, such as authentication and rule base filtering.
> >
> >In the case of Solaris, all routing protocols are disabled by default
> >if you assign a static, default route in the file /etc/defaultrouter.
> >This is considered best practices for a Solaris based firewall.
> >
> >I also recommend you set the kernel so it ignores all ICMP redirects,
> >which can also update your route table.  This can be done by setting
> >the following upon every reboot.
> >
> >ndd -set /dev/ip ip_ignore_redirect 1
> >
> >The command "netstat -s" will give you TCP/UDP/ICMP stats on your
> >system, including ICMP redirect.
> >
> >firewall $netstat -s
> >
> >
> >UDP
> >         udpInDatagrams      = 15246     udpInErrors         =     0
> >         udpOutDatagrams     = 41529
> >
> >TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
> >         tcpRtoMax           = 60000     tcpMaxConn          =    -1
> >         tcpActiveOpens      =  7968     tcpPassiveOpens     =   335
> >         tcpAttemptFails     =  1676     tcpEstabResets      =    60
> >         tcpCurrEstab        =     1     tcpOutSegs          =201722
> >         tcpOutDataSegs      =174112     tcpOutDataBytes     =40820318
> >         tcpRetransSegs      =   222     tcpRetransBytes     =  1729
> >         tcpOutAck           = 27605     tcpOutAckDelayed    =  8140
> >         tcpOutUrg           =     0     tcpOutWinUpdate     =     1
> >         tcpOutWinProbe      =     1     tcpOutControl       = 16756
> >         tcpOutRsts          =  1676     tcpOutFastRetrans   =     0
> >         tcpInSegs           =260020
> >         tcpInAckSegs        =158866     tcpInAckBytes       =40826680
> >         tcpInDupAck         = 10030     tcpInAckUnsent      =     0
> >         tcpInInorderSegs    =143841     tcpInInorderBytes   =16119948
> >         tcpInUnorderSegs    =     0     tcpInUnorderBytes   =     0
> >         tcpInDupSegs        =    32     tcpInDupBytes       =     0
> >         tcpInPartDupSegs    =     0     tcpInPartDupBytes   =     0
> >         tcpInPastWinSegs    =     0     tcpInPastWinBytes   =     0
> >         tcpInWinProbe       =     0     tcpInWinUpdate      =     1
> >         tcpInClosed         =     0     tcpRttNoUpdate      =     2
> >         tcpRttUpdate        =152336     tcpTimRetrans       =    10
> >         tcpTimRetransDrop   =     0     tcpTimKeepalive     =   766
> >         tcpTimKeepaliveProbe=   459     tcpTimKeepaliveDrop =    17
> >         tcpListenDrop       =     0     tcpListenDropQ0     =     0
> >         tcpHalfOpenDrop     =     0     tcpOutSackRetrans   =     0
> >
> >IP      ipForwarding        =     1     ipDefaultTTL        =   255
> >         ipInReceives        =9991936    ipInHdrErrors       =     0
> >         ipInAddrErrors      =     0     ipInCksumErrs       =     0
> >         ipForwDatagrams     =9716892    ipForwProhibits     =     1
> >         ipInUnknownProtos   =     0     ipInDiscards        =     0
> >         ipInDelivers        =276641     ipOutRequests       =257106
> >         ipOutDiscards       =     0     ipOutNoRoutes       =     0
> >         ipReasmTimeout      =    60     ipReasmReqds        =     0
> >         ipReasmOKs          =     0     ipReasmFails        =     0
> >         ipReasmDuplicates   =     0     ipReasmPartDups     =     0
> >         ipFragOKs           =     0     ipFragFails         =     0
> >         ipFragCreates       =     0     ipRoutingDiscards   =     0
> >         tcpInErrs           =     0     udpNoPorts          =   703
> >         udpInCksumErrs      =     0     udpInOverflows      =     0
> >         rawipInOverflows    =     0
> >
> >ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
> >         icmpInCksumErrs     =     0     icmpInUnknowns      =     0
> >         icmpInDestUnreachs  =    39     icmpInTimeExcds     =     0
> >         icmpInParmProbs     =     0     icmpInSrcQuenchs    =     0
> >         icmpInRedirects     =     0     icmpInBadRedirects  =     0
> >         icmpInEchos         =    81     icmpInEchoReps      =     0
> >         icmpInTimestamps    =     0     icmpInTimestampReps =     0
> >         icmpInAddrMasks     =     0     icmpInAddrMaskReps  =     0
> >         icmpInFragNeeded    =     0     icmpOutMsgs         =  1580
> >         icmpOutDrops        =     6     icmpOutErrors       =     0
> >         icmpOutDestUnreachs =    99     icmpOutTimeExcds    =  1481
> >         icmpOutParmProbs    =     0     icmpOutSrcQuenchs   =     0
> >         icmpOutRedirects    =     0     icmpOutEchos        =     0
> >         icmpOutEchoReps     =     0     icmpOutTimestamps   =     0
> >         icmpOutTimestampReps=     0     icmpOutAddrMasks    =     0
> >         icmpOutAddrMaskReps =     0     icmpOutFragNeeded   =     0
> >         icmpInOverflows     =     0
> >IGMP:
> >           0 messages received
> >           0 messages received with too few bytes
> >           0 messages received with bad checksum
> >           0 membership queries received
> >           0 membership queries received with invalid field(s)
> >           0 membership reports received
> >           0 membership reports received with invalid field(s)
> >           0 membership reports received for groups to which we belong
> >           0 membership reports sent
> >
> >
> >
> >================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> >================================================================================
> 

-- 
--Paul



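The three hardening points made in the thread (a static default route in /etc/defaultrouter or an /etc/notrouter file so in.routed and in.rdisc never start, ICMP redirects ignored in the kernel via ndd, and a look at the ICMP redirect counters in "netstat -s") lend themselves to a small audit script. The following is an added example, not code posted by anyone on the list. The counter parser is written against the two-column "netstat -s" layout shown in Lance's output, including the places where the "=" is glued to the name or to the value; the sample counter block and the PASS/FAIL wording are constructed for illustration, and the ndd and pgrep calls only mean anything when run as root on the Solaris firewall itself.

```shell
#!/bin/sh
# Audit helpers for the Solaris firewall routing hardening discussed above.
# Added example; the netstat -s column layout is the one quoted in the thread,
# the sample values below are constructed, not taken from a real host.

# netstat_counter NAME < netstat-s-output
# Prints the value of one `netstat -s` counter. Handles the three spacings
# that occur in the real output: "name =   12", "name =12" and "name=   12".
netstat_counter() {
    awk -v want="$1" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == want) {                 # "name =   12" or "name =12"
                v = $(i + 1)
                if (v == "=") v = $(i + 2)
                sub(/^=/, "", v)
                print v; exit
            }
            if ($i == want "=") {             # "name=   12"
                print $(i + 1); exit
            }
        }
    }'
}

# redirect_verdict < netstat-s-output
# Prints "OK" when no ICMP redirects have been received, otherwise
# "WARN redirects=<n> bad=<m>". icmpInRedirects counts redirects that
# arrived; whether the kernel acted on them depends on ip_ignore_redirect,
# so a non-zero value means "find out who is sending these", not
# "the route table was changed".
redirect_verdict() {
    out=$(cat)
    in_redir=$(printf '%s\n' "$out" | netstat_counter icmpInRedirects)
    bad_redir=$(printf '%s\n' "$out" | netstat_counter icmpInBadRedirects)
    : "${in_redir:=0}" "${bad_redir:=0}"
    if [ "$in_redir" -eq 0 ]; then
        echo OK
    else
        echo "WARN redirects=$in_redir bad=$bad_redir"
    fi
}

# audit_solaris_routing
# Run on the firewall as root. Checks each hardening point and returns
# non-zero if any of them failed.
audit_solaris_routing() {
    rc=0
    if [ -f /etc/defaultrouter ]; then
        echo "PASS /etc/defaultrouter present: $(cat /etc/defaultrouter)"
    elif [ -f /etc/notrouter ]; then
        echo "PASS /etc/notrouter present (no routing daemons, no default route)"
    else
        echo "FAIL neither /etc/defaultrouter nor /etc/notrouter: in.routed/in.rdisc may start"
        rc=1
    fi
    if pgrep -x in.routed >/dev/null 2>&1 || pgrep -x in.rdisc >/dev/null 2>&1; then
        echo "FAIL a dynamic routing daemon is running"
        rc=1
    fi
    # `ndd /dev/ip NAME` prints the current value; the fix is the -set form.
    if [ "$(ndd /dev/ip ip_ignore_redirect 2>/dev/null)" = 1 ]; then
        echo "PASS ip_ignore_redirect=1"
    else
        echo "FAIL ip_ignore_redirect is not 1 (fix: ndd -set /dev/ip ip_ignore_redirect 1)"
        rc=1
    fi
    netstat -s | redirect_verdict
    return $rc
}

# Constructed sample (not real data): the relevant lines of a Solaris
# `netstat -s` snapshot, with three redirects received and one rejected.
SAMPLE_NETSTAT='IP      ipForwarding        =     1     ipDefaultTTL        =   255
ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
         icmpInRedirects     =     3     icmpInBadRedirects  =     1
         icmpOutTimestampReps=     0     icmpOutAddrMasks    =     0'

# Usage on the firewall:   audit_solaris_routing
# Offline check of the parser: printf '%s\n' "$SAMPLE_NETSTAT" | redirect_verdict
```

Because Solaris only skips starting in.routed and in.rdisc at boot when one of those files exists, the file check is the one that matters most; the netstat counters are an after-the-fact signal that something on a connected segment is trying to steer the firewall's routes, which is worth knowing about even when the kernel has been told to ignore it.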



   All contents © 2004 Network Presence, LLC. All rights reserved.