To just add a small but possibly useful tidbit of information, if for some
reason you do not want to have a default route on your firewall, the
existence of the file /etc/notrouter on Solaris will also prevent any
routing protocol from running, without setting a default route.
Simon
(With apologies to Lance for sending this direct to him rather than the list
first time round.)
>From: Lance Spitzner <[EMAIL PROTECTED]>
>To: "Hartmann, Josef" <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: RE: [FW1] how to disable RIP on sun ultra 10 solaris?
>Date: Fri, 9 Feb 2001 09:36:11 -0600 (CST)
>
>
>On Fri, 9 Feb 2001, Hartmann, Josef wrote:
>
> > Well,
> >
> > if the firewall has multiple interfaces and behind these there are
>different
> > nets than the one directly connected to the firewall, routed has to run,
> > doesn't it?
>
>No it does not (nor should it ever for a firewall). Best practices for
>a firewall are to use statically assigned routes only. The use of dynamic
>routing protocols (such as routed, OSPF, etc) adds additional risk. If
>a routing protocol absolutely must be used, ensure you take steps to
>mitigate the risk, such as authentication and rule base filtering.
>
>In the case of Solaris, all routing protocols are disabled by default
>if you assign a static, default route in the file /etc/defaultrouter.
>This is considered best practices for a Solaris based firewall.
>
>I also recommend you set the kernel so it ignores all ICMP redirects,
>which can also update your route table. This can be done by setting
>the following upon every reboot.
>
>ndd -set /dev/ip ip_ignore_redirect 1
>
>The command "netstat -s" will give you TCP/UDP/ICMP stats on your
>system, including ICMP redirect.
>
>firewall $netstat -s
>
>
>UDP
> udpInDatagrams = 15246 udpInErrors = 0
> udpOutDatagrams = 41529
>
>TCP tcpRtoAlgorithm = 4 tcpRtoMin = 400
> tcpRtoMax = 60000 tcpMaxConn = -1
> tcpActiveOpens = 7968 tcpPassiveOpens = 335
> tcpAttemptFails = 1676 tcpEstabResets = 60
> tcpCurrEstab = 1 tcpOutSegs =201722
> tcpOutDataSegs =174112 tcpOutDataBytes =40820318
> tcpRetransSegs = 222 tcpRetransBytes = 1729
> tcpOutAck = 27605 tcpOutAckDelayed = 8140
> tcpOutUrg = 0 tcpOutWinUpdate = 1
> tcpOutWinProbe = 1 tcpOutControl = 16756
> tcpOutRsts = 1676 tcpOutFastRetrans = 0
> tcpInSegs =260020
> tcpInAckSegs =158866 tcpInAckBytes =40826680
> tcpInDupAck = 10030 tcpInAckUnsent = 0
> tcpInInorderSegs =143841 tcpInInorderBytes =16119948
> tcpInUnorderSegs = 0 tcpInUnorderBytes = 0
> tcpInDupSegs = 32 tcpInDupBytes = 0
> tcpInPartDupSegs = 0 tcpInPartDupBytes = 0
> tcpInPastWinSegs = 0 tcpInPastWinBytes = 0
> tcpInWinProbe = 0 tcpInWinUpdate = 1
> tcpInClosed = 0 tcpRttNoUpdate = 2
> tcpRttUpdate =152336 tcpTimRetrans = 10
> tcpTimRetransDrop = 0 tcpTimKeepalive = 766
> tcpTimKeepaliveProbe= 459 tcpTimKeepaliveDrop = 17
> tcpListenDrop = 0 tcpListenDropQ0 = 0
> tcpHalfOpenDrop = 0 tcpOutSackRetrans = 0
>
>IP ipForwarding = 1 ipDefaultTTL = 255
> ipInReceives =9991936 ipInHdrErrors = 0
> ipInAddrErrors = 0 ipInCksumErrs = 0
> ipForwDatagrams =9716892 ipForwProhibits = 1
> ipInUnknownProtos = 0 ipInDiscards = 0
> ipInDelivers =276641 ipOutRequests =257106
> ipOutDiscards = 0 ipOutNoRoutes = 0
> ipReasmTimeout = 60 ipReasmReqds = 0
> ipReasmOKs = 0 ipReasmFails = 0
> ipReasmDuplicates = 0 ipReasmPartDups = 0
> ipFragOKs = 0 ipFragFails = 0
> ipFragCreates = 0 ipRoutingDiscards = 0
> tcpInErrs = 0 udpNoPorts = 703
> udpInCksumErrs = 0 udpInOverflows = 0
> rawipInOverflows = 0
>
>ICMP icmpInMsgs = 120 icmpInErrors = 0
> icmpInCksumErrs = 0 icmpInUnknowns = 0
> icmpInDestUnreachs = 39 icmpInTimeExcds = 0
> icmpInParmProbs = 0 icmpInSrcQuenchs = 0
> icmpInRedirects = 0 icmpInBadRedirects = 0
> icmpInEchos = 81 icmpInEchoReps = 0
> icmpInTimestamps = 0 icmpInTimestampReps = 0
> icmpInAddrMasks = 0 icmpInAddrMaskReps = 0
> icmpInFragNeeded = 0 icmpOutMsgs = 1580
> icmpOutDrops = 6 icmpOutErrors = 0
> icmpOutDestUnreachs = 99 icmpOutTimeExcds = 1481
> icmpOutParmProbs = 0 icmpOutSrcQuenchs = 0
> icmpOutRedirects = 0 icmpOutEchos = 0
> icmpOutEchoReps = 0 icmpOutTimestamps = 0
> icmpOutTimestampReps= 0 icmpOutAddrMasks = 0
> icmpOutAddrMaskReps = 0 icmpOutFragNeeded = 0
> icmpInOverflows = 0
>IGMP:
> 0 messages received
> 0 messages received with too few bytes
> 0 messages received with bad checksum
> 0 membership queries received
> 0 membership queries received with invalid field(s)
> 0 membership reports received
> 0 membership reports received with invalid field(s)
> 0 membership reports received for groups to which we belong
> 0 membership reports sent
>
>
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
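The thread boils down to three checks on a Solaris firewall: is routing pinned static (/etc/defaultrouter present, or /etc/notrouter as Simon notes), does the kernel ignore ICMP redirects, and do the netstat -s counters show any redirects arriving. The script below is an added example written for this page, not code from either poster. It assumes the Solaris 8-era file layout and ndd(1M) syntax quoted above; the hypothetical helpers `counter`, `redirect_status`, `routing_mode` and `redirect_tunable` are mine, and the netstat-style sample text is constructed for the demonstration. `routing_mode` takes an optional root directory so the file checks can be exercised against a scratch tree off the firewall.

```shell
#!/bin/sh
# Added audit example (not from the mailing-list thread). Checks the Solaris
# firewall routing posture discussed above. Assumes /etc/defaultrouter,
# /etc/notrouter, ndd(1M) and "netstat -s" as they appear in the thread.

# counter NAME: read netstat -s style text on stdin and print the value of
# the named counter, or "missing". Handles the fused forms seen in the
# output above ("tcpOutSegs =201722", "tcpTimKeepaliveProbe= 459") by
# spacing out every "=" before tokenising.
counter() {
    sed 's/=/ = /g' | awk -v n="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i == n && $(i+1) == "=") { print $(i+2); found = 1; exit } }
        END { if (!found) print "missing" }'
}

# redirect_status: stdin is netstat -s output. Prints "clean" when no ICMP
# redirects have been accepted or rejected, otherwise "redirects:<in>/<bad>"
# so the counters can be logged or alerted on.
redirect_status() {
    out=$(cat)
    in_r=$(printf '%s\n' "$out" | counter icmpInRedirects)
    bad_r=$(printf '%s\n' "$out" | counter icmpInBadRedirects)
    if [ "$in_r" = "0" ] && [ "$bad_r" = "0" ]; then
        echo clean
    else
        echo "redirects:$in_r/$bad_r"
    fi
}

# routing_mode [ROOT]: classify the boot-time routing configuration.
#   static    - /etc/defaultrouter holds a router address (Lance's advice)
#   notrouter - /etc/notrouter exists instead (Simon's alternative)
#   dynamic   - neither file, so in.routed/in.rdisc would start at boot
routing_mode() {
    root=${1:-}
    if [ -s "$root/etc/defaultrouter" ]; then
        echo static
    elif [ -e "$root/etc/notrouter" ]; then
        echo notrouter
    else
        echo dynamic
    fi
}

# redirect_tunable: live read of the ndd tunable; only meaningful on Solaris,
# so it reports "skipped" where ndd is not installed.
redirect_tunable() {
    if command -v ndd >/dev/null 2>&1; then
        ndd /dev/ip ip_ignore_redirect
    else
        echo skipped
    fi
}

# Constructed samples in the format of the netstat -s excerpt above; the
# counter values are made up for this demonstration.
SAMPLE='TCP tcpCurrEstab = 1 tcpOutSegs =201722
ICMP icmpInMsgs = 120 icmpInErrors = 0
 icmpInRedirects = 0 icmpInBadRedirects = 0
 icmpInEchos = 81 icmpInEchoReps = 0'

SAMPLE_BAD='ICMP icmpInMsgs = 130 icmpInErrors = 0
 icmpInRedirects = 7 icmpInBadRedirects = 2'

# Demonstration run against the constructed samples and this host.
echo "routing mode:      $(routing_mode)"
echo "ip_ignore_redirect: $(redirect_tunable)"
echo "sample (clean):    $(printf '%s\n' "$SAMPLE" | redirect_status)"
echo "sample (bad):      $(printf '%s\n' "$SAMPLE_BAD" | redirect_status)"
```

On a real firewall, replace the samples with `netstat -s | redirect_status`; a non-zero icmpInRedirects alongside ip_ignore_redirect=0 means the route table may already have been altered by a redirect, which is exactly the condition the ndd setting is meant to prevent.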