Bugtraq mailing list archives
Using IP Filter to protect FW-1 4.0 (fwd)
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Tue, 13 Jun 2000 00:55:25 +1000
Forwarded message:
To use IP Filter to protect Firewall-1 4.0 running on Solaris, you will need
to download "pfil" and IP Filter:

ftp://coombs.anu.edu.au/pub/net/ip-filter/pfil-1.4.tar.gz
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.5alpha5.tar.gz

Inside pfil-1.4.tar.gz, there is a diff file for Firewall-1:

S25fw1boot.diff

You will need to apply this diff to the rc script in /etc/rcS.d. Be sure to
remove any "leftovers" that patch leaves behind - e.g. S25fw1boot.orig - lest
something undesired is run at boot time.

Then compile & install pfil, followed by IP Filter. You *must* reboot after
installing both pfil and IP Filter.

To verify that IP Filter is enabled in a manner to protect FW-1, after the
system has rebooted, you should login and do the following (for example):

strconf < /dev/le

Which should show you:

fw
pfil
le

Likewise, if you do "ndd /dev/pfil qif_status", you should see something like
this:

ifname ill      q        OTHERQ   num sap hl len   nr    nw
QIF1   00000000 f5cebc18 f5cebc74 1   806 0  0     0     38
le0    f595cf20 f5b27410 f5b2746c 0   800 14 0     29208 8101

You should then make this the only line in /etc/opt/ipf/ipf.conf:

block in all with frags

and then run the following:

/sbin/ipf -F a -f /etc/opt/ipf/ipf.conf

This will block all those naughty IP fragment packets. This will impact use
of the Internet if path MTU discovery is not available end-to-end and packets
end up fragmented. If you want to log them:

block in log all with frags

FW-1 4.0 Observations.
----------------------

FW-1 attempts to autopush itself onto all network devices. Unfortunately, it
does this in /etc/rcS.d, which can lead to it not being able to achieve this
for devices like PPP (ipdptp) if /usr is a separate partition to /.

If you add a new type of network card to the host, FW-1 will not protect that
device unless its driver is listed in /etc/fw.boot/ifdev.

ndd and FW-1

*DO NOT* use ndd with Firewall-1. "ndd /dev/fw0 \?" (for example) will cause
a crash.

Darren

p.s. Many thanks to Peter C. for making this possible!
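The post's verification step relies on reading strconf output by eye and on hand-editing ipf.conf. The following POSIX sh script is an added example, not part of Darren's message or of the IP Filter distribution: it checks that a captured strconf listing has the "fw", "pfil", driver ordering the post expects (pfil sitting under fw so that fragments are filtered before FW-1 sees them) and writes the post's single block rule, with or without logging, to a path you choose. The strconf samples are constructed to mirror the post; the function names and the `le` driver argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the STREAMS module order
# reported by "strconf < /dev/le" and writes the ipf.conf fragment rule.

# Constructed strconf output for a correctly set-up le0: fw on top of pfil,
# pfil directly on the driver (the order the post says you should see).
SAMPLE_GOOD='fw
pfil
le'

# Constructed output from a host where pfil never got pushed under fw.
SAMPLE_BAD='fw
le'

# check_module_order <strconf output> <driver>
# Returns 0 when the non-blank lines read "fw", "pfil", <driver> in that order,
# 1 otherwise. Any other stack means fragments may reach FW-1 unfiltered.
check_module_order() {
    out=$1
    drv=$2
    expected="fw pfil $drv"
    seen=$(printf '%s\n' "$out" | sed '/^[[:space:]]*$/d' | tr '\n' ' ' | sed 's/ *$//')
    [ "$seen" = "$expected" ]
}

# ipf_frag_rule [log]
# Prints the one rule the post puts in /etc/opt/ipf/ipf.conf; pass "log" for
# the logging variant.
ipf_frag_rule() {
    if [ "$1" = "log" ]; then
        echo "block in log all with frags"
    else
        echo "block in all with frags"
    fi
}

# write_ipf_conf <path> [log]
# Writes the rule as the only line of <path> (use a scratch path when testing,
# /etc/opt/ipf/ipf.conf on the real host) and returns 0 if the file holds
# exactly one line, as the post requires.
write_ipf_conf() {
    path=$1
    ipf_frag_rule "$2" > "$path" || return 1
    [ "$(wc -l < "$path" | tr -d ' ')" = "1" ]
}

# Stand-alone demo on the constructed samples. On a real Solaris host you would
# feed the output of "strconf < /dev/le" in place of the samples and then run
# "/sbin/ipf -F a -f /etc/opt/ipf/ipf.conf" as the post describes.
if check_module_order "$SAMPLE_GOOD" le; then
    echo "good sample: pfil sits between fw and le"
fi
if ! check_module_order "$SAMPLE_BAD" le; then
    echo "bad sample: pfil missing, fragments would not be blocked before fw"
fi
```

On a live system, capture the listing first (`strconf < /dev/le > /tmp/strconf.out`) and pass `"$(cat /tmp/strconf.out)"` to `check_module_order`; only once that check passes is it worth loading the fragment rule, since with pfil absent the rule has nothing to act on.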