[15315] in bugtraq
Using IP Filter to protect FW-1 4.0 (fwd)
daemon@ATHENA.MIT.EDU (Darren Reed)
Mon Jun 12 13:45:32 2000
Message-ID: <200006121455.AAA25391@cairo.anu.edu.au>
Date: Tue, 13 Jun 2000 00:55:25 +1000
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Forwarded message:
>
> To use IP Filter to protect Firewall-1 4.0 running on Solaris,
> you will need to download "pfil" and IP Filter:
>
> ftp://coombs.anu.edu.au/pub/net/ip-filter/pfil-1.4.tar.gz
> ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.5alpha5.tar.gz
>
> Inside pfil-1.4.tar.gz, there is a diff file for Firewall-1:
> S25fw1boot.diff
> you will need to apply this diff to the rc script in /etc/rcS.d.
> Be sure to remove any "leftovers" that patch leaves behind - e.g.
> S25fw1boot.orig - lest something undesired is run at boot time.
>
> Then compile & install pfil, followed by IP Filter. You *must* reboot
> after installing both pfil and IP Filter. To verify that IP Filter is
> enabled in a manner to protect FW-1, after the system has rebooted, you
> should login and do the following (for example):
>
> strconf < /dev/le
>
> Which should show you:
>
> fw
> pfil
> le
>
> Likewise, if you do "ndd /dev/pfil qif_status", you should see something
> like this:
>
> ifname ill      q        OTHERQ   num sap hl len nr    nw
> QIF1   00000000 f5cebc18 f5cebc74 1   806 0  0   0     38
> le0    f595cf20 f5b27410 f5b2746c 0   800 14 0   29208 8101
>
> You should then make this the only line in /etc/opt/ipf/ipf.conf:
>
> block in all with frags
>
> and then run the following:
>
> /sbin/ipf -F a -f /etc/opt/ipf/ipf.conf
>
> This will block all those naughty IP fragment packets. This will impact
> use of the Internet if path MTU discovery is not available end-to-end and
> packets end up fragmented. If you want to log them:
>
> block in log all with frags
>
> FW-1 4.0 Observations.
> ----------------------
> FW-1 attempts to autopush itself onto all network devices. Unfortunately,
> it does this in /etc/rcS.d, which can lead to it not being able to achieve
> this for devices like PPP (ipdptp) if /usr is a separate partition to /.
>
> If you add a new type of network card to the host, FW-1 will not protect
> that device unless its driver is listed in /etc/fw.boot/ifdev.
>
> ndd and FW-1
> ------------
> *DO NOT* use ndd with Firewall-1.
> "ndd /dev/fw0 \?" (for example) will cause a crash.
>
> Darren
>
> p.s. Many thanks to Peter C. for making this possible!
>
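The two post-reboot checks in the forwarded message (the strconf module order and the single-rule ipf.conf) as a small shell verification script. This is an added example, not part of the original post or of the pfil/IP Filter distribution; the function names check_stream_order and check_ipf_conf and the sample inputs are constructed here.

```sh
#!/bin/sh
# Added example: verify the IP Filter / FW-1 setup described in the post.
# On the real host you would run:  strconf < /dev/le | check_stream_order
# and:                             check_ipf_conf < /etc/opt/ipf/ipf.conf

# Reads a strconf module listing (one module per line, top of the stream
# first) from stdin. Returns 0 when "fw" sits above "pfil" and "pfil" sits
# directly above the driver (last line), i.e. inbound packets reach IP
# Filter before FW-1 sees them. Returns 1 otherwise.
check_stream_order() {
    awk '
        { mod[NR] = $1 }
        END {
            if (NR < 3) exit 1
            fw = 0; pfil = 0
            for (i = 1; i <= NR; i++) {
                if (mod[i] == "fw")   fw = i
                if (mod[i] == "pfil") pfil = i
            }
            if (fw == 0 || pfil == 0) exit 1
            if (pfil != NR - 1 || fw >= pfil) exit 1
            exit 0
        }'
}

# Reads an ipf.conf from stdin. Returns 0 only when, ignoring blank and
# comment lines, the file holds exactly one rule and that rule is the
# fragment block from the post (with or without "log"). Returns 1 otherwise.
check_ipf_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { n++; rule = $0 }
        END {
            if (n != 1) exit 1
            if (rule ~ /^block in (log )?all with frags[ \t]*$/) exit 0
            exit 1
        }'
}

# Constructed sample input mirroring the strconf listing the post expects.
if printf 'fw\npfil\nle\n' | check_stream_order; then
    echo "stream order ok: le -> pfil -> fw"
else
    echo "stream order wrong: pfil is not between fw and the driver" >&2
fi
```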