模板
教程
环境
性能
功能
管理
Solaris和IP Filter软件包搭建防火墙的详细步骤(1)
Solaris和IP Filter软件包搭建防火墙的详细步骤
Solaris can make a great firewall OS if properly install and harden.
Hardware can be a Sparc box with a 2nd network interface or a x86 box with dual NIC.
Solaris 2.x CDs - free for education and non-commercial use from Sun website.
I got my Solaris 8 copy from Sun booth at Linux Expo in San Jose last August 2000.
Here are the necessary steps to brew you own firewall box with Solaris
(1) OS:
(a) Boot and install just the "core" distribution from Solaris CD.
These steps should be easy within GUI or menu driven...
- Define which interfe is public (untrust) or private (trust)
- Fill in hostname and appropriate IPs for each interface
- Dont connect or activate your connection to the untrust network
untill you have installed IPFilter
(b) Additional packages are required in order for GNU gcc to work:
SUNWhea
SUNWsrh
SUNWbtool
SUNWscpu
SUNWtoo
SUNWlibm
SUNWsprot
SUNWarc
By selecting core installation, there is no volume management (vold)
for automounting your CD when you stick one in. You have to mount
the CD by hand:
# mount -F hsfs /dev/dsk/c0t6d0s0 /mnt
where t6 is my CDROM SCSI ID. It is different if you are on a x86
box and IDE. Check your system with "dmesg".
Once the CD is mounted, cd to /mnt/Solaris_8/Product and copy the
above package into /tmp
# cp -R SUNWhea /tmp
...
# cp -R SUNWarc /tmp
Use pkgadd to install these package to your system:
# cd /tmp
# pkgadd -d .
(c) Patches: download & install the lastest Recommended patch batch from
http//sunsolve.sun.com
- ftping:
# ftp sunsolve.sun.com
login: ftp
passwd: ftp
ftp> cd /pub/patches
ftp> bin
ftp> hash
ftp> get 8_Recommended.zip
ftp> bye
- installing:
# unzip 8_Recommended.zip
...
# cd 8_Recommended
# ./install_cluster
...
# reboot (you can reboot now or wait until afer step #2)
(d) Turn on journaling feature for UFS
To avoid lengthy fsck after an unclean shutdown or power outtage, one
can turn on journaling on UFS simply by adding "logging" in the mount
option:
# /etc/vfstab
#
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
#
/dev/md/dsk/d1 /dev/md/rdsk/d1 /RAID ufs 2 yes logging
(2) Hardening & removing unnescessary services:
- use pkgrm to remove any package that not being use, for example:
# pkginfo | grep -i pcmcia
system SUNWpcelx 3COM EtherLink III PCMCIA Ethernet Driver
system SUNWpcmci PCMCIA Card Services, (Root)
system SUNWpcmcu PCMCIA Card Services, (Usr)
system SUNWpcmem PCMCIA memory card driver
system SUNWpcser PCMCIA serial card driver
system SUNWpsdpr PCMCIA ATA card driver
If there is no PCMCIA in the sytem, just remove them:
# pkgrm SUNWpcelx SUNWpcmci SUNWpcmcu SUNWpcmem SUNWpcser SUNWpsdpr
- set TCP_STRONG_ISS=2 in /etc/default/inetinit:
# vi /etc/default/inetinit
- turn off inetd:
# rm /etc/rc2.d/S72inetsvc
# ln -s /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc
then comment out the inetd (last line) in /etc/init.d/inetsvc
and null out inetd services:
# mv /etc/inet/inetd.conf /etc/inet/inetd.conf.ORIG
- remove un-nescessary services:
# mv /etc/rc2.d/S71ldap.client /etc/rc2.d/_S71ldap.client
# mv /etc/rc2.d/S71rpc /etc/rc2.d/_S71rpc
# mv /etc/rc2.d/S73nfs.client /etc/rc2.d/_S73nfs.client
# mv /etc/rc2.d/S74autofs /etc/rc2.d/_S74autofs
# mv /etc/rc2.d/S74nscd /etc/rc2.d/_S74nscd
# mv /etc/rc2.d/S88sendmail /etc/rc2.d/_S88sendmail
...
- To protect against possible buffer overflow (or stack smashing)
attacks, add the following to lines to /etc/system.
set noexec_user_stack=1
set noexec_user_stack_log=1
- Modified /etc/init.d/inetinit (or some other startup script ) to
set some IP parameters to harden more:
### Set kernel parameters for /dev/ip
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
- Have a look at Sun own tool on network security which include all
of the above ndd settings - highly recommended:
http://www.sun.com/blueprints/tools/nddconfig
