电脑技术学习

Solaris和IP Filter软件包搭建防火墙的详细步骤

dn001
Solaris can make a great firewall OS if properly install and harden.

Hardware can be a Sparc box with a 2nd network interface or a x86 box with dual NIC.

Solaris 2.x CDs - free for education and non-commercial use from Sun website.
I got my Solaris 8 copy from Sun booth at Linux Expo in San Jose last August 2000.

Here are the necessary steps to brew you own firewall box with Solaris

(1) OS:
(a) Boot and install just the "core" distribution from Solaris CD.
These steps should be easy within GUI or menu driven...
- Define which interfe is public (untrust) or private (trust)
- Fill in hostname and appropriate IPs for each interface
- Dont connect or activate your connection to the untrust network
untill you have installed IPFilter

(b) Additional packages are required in order for GNU gcc to work:

SUNWhea
SUNWsrh
SUNWbtool
SUNWsCPU
SUNWtoo
SUNWlibm
SUNWsprot
SUNWarc

By selecting core installation, there is no volume management (vold)
for automounting your CD when you stick one in. You have to mount
the CD by hand:

# mount -F hsfs /dev/dsk/c0t6d0s0 /mnt

where t6 is my CDROM SCSI ID. It is different if you are on a x86
box and IDE. Check your system with "dmesg".

Once the CD is mounted, cd to /mnt/Solaris_8/Product and copy the
above package into /tmp

# cp -R SUNWhea /tmp
...
# cp -R SUNWarc /tmp

Use pkgadd to install these package to your system:

# cd /tmp
# pkgadd -d .

(c) Patches: download & install the lastest Recommended patch batch from
http//sunsolve.sun.com
- ftping:
# ftp sunsolve.sun.com
login: ftp
passwd: ftp

ftp> cd /pub/patches
ftp> bin
ftp> hash
ftp> get 8_Recommended.zip
ftp> bye

- installing:
# unzip 8_Recommended.zip
...
# cd 8_Recommended
# ./install_cluster
...
# reboot (you can reboot now or wait until afer step #2)

(d) Turn on journaling feature for UFS

To avoid lengthy fsck after an unclean shutdown or power outtage, one
can turn on journaling on UFS simply by adding "logging" in the mount
option:

# /etc/vfstab
#
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
#
/dev/md/dsk/d1 /dev/md/rdsk/d1 /RAID ufs 2 yes logging

(2) Hardening & removing unnescessary services:

- use pkgrm to remove any package that not being use, for example:

# pkginfo | grep -i pcmcia
system SUNWpcelx 3COM EtherLink III PCMCIA Ethernet Driver
system SUNWpcmci PCMCIA Card Services, (Root)
system SUNWpcmcu PCMCIA Card Services, (Usr)
system SUNWpcmem PCMCIA memory card driver
system SUNWpcser PCMCIA serial card driver
system SUNWPSdpr PCMCIA ATA card driver

If there is no PCMCIA in the sytem, just remove them:

# pkgrm SUNWpcelx SUNWpcmci SUNWpcmcu SUNWpcmem SUNWpcser SUNWpsdpr

- set TCP_STRONG_ISS=2 in /etc/default/inetinit:
# vi /etc/default/inetinit

- turn off inetd:

# rm /etc/rc2.d/S72inetsvc
# ln -s /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc

then comment out the inetd (last line) in /etc/init.d/inetsvc
and null out inetd services:

# mv /etc/inet/inetd.conf /etc/inet/inetd.conf.ORIG

- remove un-nescessary services:

# mv /etc/rc2.d/S71ldap.clIEnt /etc/rc2.d/_S71ldap.client
# mv /etc/rc2.d/S71rpc /etc/rc2.d/_S71rpc
# mv /etc/rc2.d/S73nfs.client /etc/rc2.d/_S73nfs.client
# mv /etc/rc2.d/S74autofs /etc/rc2.d/_S74autofs
# mv /etc/rc2.d/S74nscd /etc/rc2.d/_S74nscd
# mv /etc/rc2.d/S88sendmail /etc/rc2.d/_S88sendmail
...

- To protect against possible buffer overflow (or stack smashing)
attacks, add the following to lines to /etc/system.

set noexec_user_stack=1
set noexec_user_stack_log=1

- Modified /etc/init.d/inetinit (or some other startup script ) to
set some IP parameters to harden more:

### Set kernel parameters for /dev/ip
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1

- Have a look at Sun own tool on network security which include all
of the above ndd settings - highly recommended:
http://www.sun.com/blueprints/tools/nddconfig

(3) Firewall

(a) C compiler:
- GNU gcc can be download from http://www.sunfreeware.com .
- or download/try Eval Sun WorkShop CD (a must for 64bit)

(b) IP Filter Firewall/NAT:
(i) Download IPfilter from:
http://coombs.anu.edu.au/~avalon/ip-filter.html

(ii) compiling and installing ipf module:
# make solaris
# cd SunOS5
# make package

Note: if you want to see the state table real time like the
top utility, edit the Makefile to enable it.

STATETOP_CFLAGS=-DSTATETOP
STATETOP_INC=-I/usr/include
STATETOP_LIB=-L/lib -lncurses

I use the libcurses bundles in SUNWcsl and SUNWarc packages
Just link these libs to libncurses in /usr/lib:

libncurses.a -> libcurses.a
libncurses.so.1 -> libcurses.so.1*
libncurses.so -> libcurses.so.1*

Once installed, you can run the cool utility "ipfstat -t"

Note1.1: New release of ipf already have state top enable.

Note2: If you want to have block all by default, change:

POLICY=-DIPF_DEFAULT_PASS=FR_PASS
to :
POLICY=-DIPF_DEFAULT_PASS=FR_BLOCK

(iii) turn on ip forwarding
To enable your system to correctly forward IP packets from
within your private network via NAT, you need to enable
ip_forwarding on your NAT system. First check to see whether
ip_forwarding is enabled via the ndd command:

# ndd -get /dev/tcp ip_forwarding
0

The zero indicates ip_forwarding is not enabled in the kernel.
To enable ip_forwarding, pass the following command to ndd:

# ndd -set /dev/tcp ip_forwarding 1

You should now check that ip_forwarding is indeed enabled by
checking as previously described, with the answer being the
value "1".


(iv) Now let's make this permanent uppon reboot.

#/bin/rm /etc/rc2.d/S65ipfboot
#ln -s /etc/init.d/ipfboot /etc/rc2.d/S65ipfboot

Create a startup script /etc/init.d/ipforward
#!/bin/sh
case "$1" in
start)
echo "Activating IP Forwarding..."
/usr/sbin/ndd -set /dev/tcp ip_forwarding 1


stop)
echo "De-activating IP Forwarding..."
/usr/sbin/ndd -set /dev/tcp ip_forwarding 0

*)
echo "Usage: $0 (start|stop)" >&2
exit 1

esac
exit 0

Make it executable
# chmod 744 /etc/init.d/ipforward

Then link it as /etc/rc2.d/S69ipforward
# ln -s /etc/init.d/ipforward /etc/rc2.d/S69ipforward

Note: ipforwarding must run after ipf & inet

(v) ipf and nat rules set:
Create a file called /etc/opt/ipf/ipnat.conf.
/etc/opt/ipf/ipf.conf is already exist and is empty.

The file /etc/opt/ipf/ipf.conf is used to write your
firewall rules, which is beyond the scope of this document.
Check the IP Filter HOWTO page for more info:
http://unixcircle.com/ipf

(4) Installing OpenSSH (optional)
One can go the easy way and just grab a binary package from
http://www.sunfreeware.com or learn alot of stuff by hand-build:
(in order). Make sure you read the README or INSTALL file that
comes in each package:

1. Get & install Perl
2. Get & install zlib
3. Get & install OpenSSL
4. Get & install OpenSSH

- Startup scrip for sshd, save it as /etc/rc3.d /S99sshd

#!/sbin/sh
#
case "$1" in
'start')
if [ -x /usr/local/sbin/sshd ]; then
echo 'Starting Secure Shell: sshd';
/usr/local/sbin/sshd
fi

'stop')
/usr/bin/pkill -x -u 0 sshd

*)
echo "Usage: $0 { start | stop }"
exit 1

esac
exit 0

- Then make it executable:
# chmod 744 /etc/rc3.d/S99sshd

(5) Config syslogd to send to a syslog server

Make sure ipmon is run with option -Dsnxa in /etc/init.d/ipfboot

To have ipmon login info to syslog you need to add the following
to /etc/syslog.conf

...
# IP Filter
# Log to local
local0.info;local0.err;local0.debug /var/log/ipflog
#
# Log to a dedicate syslog server
local0.info;local0.err;local0.debug ifdef('LOGhost', /var/log/ipflog, @loghost)
...

Remember syslog requires a tab instead of space

(6) Reboot and enjoy

标签: 防火墙