Re: [FW1] how to disable RIP on sun ultra 10 solaris?
Just a note, On solaris, the syntax is

    ndd -set /dev/ip ignore_redirect 1

FYI,

CryptoTech

Lance Spitzner wrote:

> On Fri, 9 Feb 2001, Hartmann, Josef wrote:
>
> > Well,
> >
> > if the firewall has multiple interfaces and behind these there are different
> > nets than the one directly connected to the firewall, routed has to run,
> > doesn't it?
>
> No it does not (nor should it ever for a firewall). Best practices for
> a firewall are to use statically assigned routes only. The use of dynamic
> routing protocols (such as routed, OSPF, etc) adds additional risk. If
> a routing protocol absolutely must be used, ensure you take steps to
> mitigate the risk, such as authentication and rule base filtering.
>
> In the case of Solaris, all routing protocols are disabled by default
> if you assign a static, default route in the file /etc/defaultrouter.
> This is considered best practices for a Solaris based firewall.
>
> I also recommend you set the kernel so it ignores all ICMP redirects,
> which can also update your route table. This can be done by setting
> the following upon every reboot.
>
> ndd -set ip_ignore_redirect 1
>
> The command "netstat -s" will give you TCP/UDP/ICMP stats on your
> system, including ICMP redirect.
>
> firewall $netstat -s
>
> UDP
>      udpInDatagrams      = 15246     udpInErrors         = 0
>      udpOutDatagrams     = 41529
>
> TCP  tcpRtoAlgorithm     = 4         tcpRtoMin           = 400
>      tcpRtoMax           = 60000     tcpMaxConn          = -1
>      tcpActiveOpens      = 7968      tcpPassiveOpens     = 335
>      tcpAttemptFails     = 1676      tcpEstabResets      = 60
>      tcpCurrEstab        = 1         tcpOutSegs          = 201722
>      tcpOutDataSegs      = 174112    tcpOutDataBytes     = 40820318
>      tcpRetransSegs      = 222       tcpRetransBytes     = 1729
>      tcpOutAck           = 27605     tcpOutAckDelayed    = 8140
>      tcpOutUrg           = 0         tcpOutWinUpdate     = 1
>      tcpOutWinProbe      = 1         tcpOutControl       = 16756
>      tcpOutRsts          = 1676      tcpOutFastRetrans   = 0
>      tcpInSegs           = 260020
>      tcpInAckSegs        = 158866    tcpInAckBytes       = 40826680
>      tcpInDupAck         = 10030     tcpInAckUnsent      = 0
>      tcpInInorderSegs    = 143841    tcpInInorderBytes   = 16119948
>      tcpInUnorderSegs    = 0         tcpInUnorderBytes   = 0
>      tcpInDupSegs        = 32        tcpInDupBytes       = 0
>      tcpInPartDupSegs    = 0         tcpInPartDupBytes   = 0
>      tcpInPastWinSegs    = 0         tcpInPastWinBytes   = 0
>      tcpInWinProbe       = 0         tcpInWinUpdate      = 1
>      tcpInClosed         = 0         tcpRttNoUpdate      = 2
>      tcpRttUpdate        = 152336    tcpTimRetrans       = 10
>      tcpTimRetransDrop   = 0         tcpTimKeepalive     = 766
>      tcpTimKeepaliveProbe= 459       tcpTimKeepaliveDrop = 17
>      tcpListenDrop       = 0         tcpListenDropQ0     = 0
>      tcpHalfOpenDrop     = 0         tcpOutSackRetrans   = 0
>
> IP   ipForwarding        = 1         ipDefaultTTL        = 255
>      ipInReceives        = 9991936   ipInHdrErrors       = 0
>      ipInAddrErrors      = 0         ipInCksumErrs       = 0
>      ipForwDatagrams     = 9716892   ipForwProhibits     = 1
>      ipInUnknownProtos   = 0         ipInDiscards        = 0
>      ipInDelivers        = 276641    ipOutRequests       = 257106
>      ipOutDiscards       = 0         ipOutNoRoutes       = 0
>      ipReasmTimeout      = 60        ipReasmReqds        = 0
>      ipReasmOKs          = 0         ipReasmFails        = 0
>      ipReasmDuplicates   = 0         ipReasmPartDups     = 0
>      ipFragOKs           = 0         ipFragFails         = 0
>      ipFragCreates       = 0         ipRoutingDiscards   = 0
>      tcpInErrs           = 0         udpNoPorts          = 703
>      udpInCksumErrs      = 0         udpInOverflows      = 0
>      rawipInOverflows    = 0
>
> ICMP icmpInMsgs          = 120       icmpInErrors        = 0
>      icmpInCksumErrs     = 0         icmpInUnknowns      = 0
>      icmpInDestUnreachs  = 39        icmpInTimeExcds     = 0
>      icmpInParmProbs     = 0         icmpInSrcQuenchs    = 0
>      icmpInRedirects     = 0         icmpInBadRedirects  = 0
>      icmpInEchos         = 81        icmpInEchoReps      = 0
>      icmpInTimestamps    = 0         icmpInTimestampReps = 0
>      icmpInAddrMasks     = 0         icmpInAddrMaskReps  = 0
>      icmpInFragNeeded    = 0         icmpOutMsgs         = 1580
>      icmpOutDrops        = 6         icmpOutErrors       = 0
>      icmpOutDestUnreachs = 99        icmpOutTimeExcds    = 1481
>      icmpOutParmProbs    = 0         icmpOutSrcQuenchs   = 0
>      icmpOutRedirects    = 0         icmpOutEchos        = 0
>      icmpOutEchoReps     = 0         icmpOutTimestamps   = 0
>      icmpOutTimestampReps= 0         icmpOutAddrMasks    = 0
>      icmpOutAddrMaskReps = 0         icmpOutFragNeeded   = 0
>      icmpInOverflows     = 0
>
> IGMP:
>      0 messages received
>      0 messages received with too few bytes
>      0 messages received with bad checksum
>      0 membership queries received
>      0 membership queries received with invalid field(s)
>      0 membership reports received
>      0 membership reports received with invalid field(s)
>      0 membership reports received for groups to which we belong
>      0 membership reports sent

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
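As an added example, not part of the thread or either poster's text: a small sh script that audits the three points discussed above on a Solaris firewall, a static default route with no in.routed running, the ip_ignore_redirect kernel setting, and the ICMP redirect counters in "netstat -s". It assumes the Solaris paths /etc/defaultrouter and /dev/ip and the daemon name in.routed; the sample netstat output at the bottom is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the FW1 thread. Assumes the Solaris paths
# /etc/defaultrouter and /dev/ip, the daemon name in.routed and the
# ndd parameter ip_ignore_redirect named in the thread.

# Print one counter from Solaris "netstat -s" output read on stdin.
# Lines carry several "name = value" pairs, sometimes printed as
# "name =value" or "name= value", so "=" is padded before tokenising.
netstat_counter() {
    awk -v name="$1" '{
        gsub(/=/, " = ")
        for (i = 1; i < NF; i++)
            if ($i == name && $(i+1) == "=") { print $(i+2); exit }
    }'
}

# Return 0 when icmpInRedirects is zero in the "netstat -s" output on
# stdin, 1 when some host on the wire has tried to rewrite the route table.
no_redirects_seen() {
    in_redir=$(netstat_counter icmpInRedirects)
    [ "${in_redir:-0}" -eq 0 ]
}

# Return 0 when the kernel ignores ICMP redirects (ndd value is 1).
redirects_ignored() {
    [ "$(ndd /dev/ip ip_ignore_redirect 2>/dev/null)" = "1" ]
}

# Return 0 when a static default route is set and in.routed is not running.
static_routing_only() {
    [ -s /etc/defaultrouter ] && ! pgrep -x in.routed >/dev/null 2>&1
}

# Run every check on the live host: sh fw-audit.sh --audit
audit_firewall() {
    rc=0
    static_routing_only || { echo "WARN: no /etc/defaultrouter, or in.routed is running"; rc=1; }
    redirects_ignored || { echo "WARN: ip_ignore_redirect is not set to 1"; rc=1; }
    netstat -s | no_redirects_seen || { echo "WARN: ICMP redirects have been received"; rc=1; }
    return $rc
}

# Constructed sample in the Solaris "netstat -s" layout, for offline testing.
SAMPLE_NETSTAT='ICMP icmpInMsgs = 120 icmpInErrors = 0
 icmpInRedirects = 3 icmpInBadRedirects = 1
 tcpOutSegs =201722 tcpTimKeepaliveProbe= 459'

[ "${1-}" = "--audit" ] && audit_firewall
```

Run the audit from cron and diff the icmpInRedirects counter against the previous run, since a rising count with ip_ignore_redirect set to 1 still tells you someone on the segment is sending redirects.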