Bugtraq mailing list archives

Using IP Filter to protect FW-1 4.0 (fwd)


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Tue, 13 Jun 2000 00:55:25 +1000


Forwarded message:

To use IP Filter to protect Firewall-1 4.0 running on Solaris,
you will need to download "pfil" and IP Filter:

ftp://coombs.anu.edu.au/pub/net/ip-filter/pfil-1.4.tar.gz
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.5alpha5.tar.gz

Inside pfil-1.4.tar.gz, there is a diff file for Firewall-1:
S25fw1boot.diff
you will need to apply this diff to the rc script in /etc/rcS.d.
Be sure to remove any "leftovers" that patch leaves behind - e.g.
S25fw1boot.orig - lest something undesired is run at boot time.

Then compile & install pfil, followed by IP Filter.  You *must* reboot
after installing both pfil and IP Filter.  To verify that IP Filter is
enabled in a manner that protects FW-1, after the system has rebooted, you
should login and do the following (for example):

strconf < /dev/le

Which should show you:

fw
pfil
le

Likewise, if you do "ndd /dev/pfil qif_status", you should see something
like this:

ifname  ill      q        OTHERQ   num  sap     hl      len     nr      nw
QIF1    00000000 f5cebc18 f5cebc74 1    806     0       0       0       38
le0     f595cf20 f5b27410 f5b2746c 0    800     14      0       29208   8101

You should then make this the only line in /etc/opt/ipf/ipf.conf:

block in all with frags

and then run the following:

/sbin/ipf -F a -f /etc/opt/ipf/ipf.conf

This will block all those naughty IP fragment packets.  This will impact
use of the Internet if path MTU discovery is not available end-to-end and
packets end up fragmented.  If you want to log them:

block in log all with frags
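
As an added example (not part of the original post), here is a small POSIX shell script that checks the two things the steps above tell you to verify: the module order that strconf prints, and that ipf.conf carries only the fragment-blocking rule. The strconf listings in it are constructed samples, and the driver name and config path are parameters rather than values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the two things the
# procedure above asks you to verify after the reboot.

# Constructed sample of what "strconf < /dev/le" should print: the fw module
# on top, pfil directly beneath it, and the interface driver at the bottom.
GOOD_STACK="fw
pfil
le"

# Constructed sample of a wrong stack: pfil pushed above fw, so IP Filter
# would see packets only after FW-1 has already handled them.
BAD_STACK="pfil
fw
le"

# pfil_order_ok DRIVER LISTING
# Returns 0 when LISTING (strconf output, top to bottom) has fw above pfil,
# pfil above DRIVER, and DRIVER as the bottom module; 1 otherwise.
pfil_order_ok() {
    printf '%s\n' "$2" | awk -v drv="$1" '
        NF == 0 { next }
        { pos[$1] = NR; last = $1 }
        END {
            if (!("fw" in pos) || !("pfil" in pos) || !(drv in pos)) exit 1
            if (last != drv) exit 1
            exit !(pos["fw"] < pos["pfil"] && pos["pfil"] < pos[drv])
        }'
}

# ipf_conf_ok FILE
# Returns 0 when FILE holds exactly one active rule and it is the
# fragment-blocking rule from the post (with or without "log"), ignoring
# blank and comment lines; 1 otherwise.
ipf_conf_ok() {
    rules=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$') || true
    [ "$rules" = "block in all with frags" ] ||
    [ "$rules" = "block in log all with frags" ]
}

# Stand-alone demonstration on the constructed samples.
if pfil_order_ok le "$GOOD_STACK"; then echo "good stack: pfil order OK"; fi
if ! pfil_order_ok le "$BAD_STACK"; then echo "bad stack: pfil above fw"; fi
```

On a real host you would feed it the output of "strconf < /dev/le" (or the device for your driver) and the path /etc/opt/ipf/ipf.conf.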

FW-1 4.0 Observations.
----------------------
FW-1 attempts to autopush itself onto all network devices.  Unfortunately,
it does this in /etc/rcS.d, which can lead to it not being able to achieve
this for devices like PPP (ipdptp) if /usr is a separate partition from /.

If you add a new type of network card to the host, FW-1 will not protect
that device unless its driver is listed in /etc/fw.boot/ifdev.

ndd and FW-1
------------
*DO NOT* use ndd with Firewall-1.
"ndd /dev/fw0 \?" (for example) will cause a crash.

Darren

p.s. Many thanks to Peter C. for making this possible!


