<bragging>Which is what I said in the first place:)</bragging>
Another note is that running (dynamic?? I guess) routing protocols like
VRRP can be a very good thing on a firewall:) Hence the Nokia
implementation.
--Paul
On Fri, 9 Feb 2001, Simon Hornby wrote:
>
>
> To just add a small but possibly useful tidbit of information, if for some
> reason you do not want to have a default route on your firewall, the
> existence of the file /etc/notrouter on Solaris will also prevent any
> routing protocol from running, without setting a default route.
>
> Simon
>
> (With apologies to Lance for sending this direct to him rather than the list
> first time round.)
>
> >From: Lance Spitzner <[EMAIL PROTECTED]>
> >To: "Hartmann, Josef" <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED]
> >Subject: RE: [FW1] how to disable RIP on sun ultra 10 solaris?
> >Date: Fri, 9 Feb 2001 09:36:11 -0600 (CST)
> >
> >
> >On Fri, 9 Feb 2001, Hartmann, Josef wrote:
> >
> > > Well,
> > >
> > > if the firewall has multiple interfaces and behind these there are
> >different
> > > nets than the one directly connected to the firewall, routed has to run,
> > > doesn't it?
> >
> >No it does not (nor should it ever for a firewall). Best practices for
> >a firewall are to use statically assigned routes only. The use of dynamic
> >routing protocols (such as routed, OSPF, etc) adds additional risk. If
> >a routing protocol absolutely must be used, ensure you take steps to
> >mitigate the risk, such as authentication and rule base filtering.
> >
> >In the case of Solaris, all routing protocols are disabled by default
> >if you assign a static, default route in the file /etc/defaultrouter.
> >This is considered best practices for a Solaris based firewall.
> >
> >I also recommend you set the kernel so it ignores all ICMP redirects,
> >which can also update your route table. This can be done by setting
> >the following upon every reboot.
> >
> >ndd -set /dev/ip ip_ignore_redirect 1
> >
> >The command "netstat -s" will give you TCP/UDP/ICMP stats on your
> >system, including ICMP redirect.
> >
> >firewall $netstat -s
> >
> >
> >UDP
> > udpInDatagrams = 15246 udpInErrors = 0
> > udpOutDatagrams = 41529
> >
> >TCP tcpRtoAlgorithm = 4 tcpRtoMin = 400
> > tcpRtoMax = 60000 tcpMaxConn = -1
> > tcpActiveOpens = 7968 tcpPassiveOpens = 335
> > tcpAttemptFails = 1676 tcpEstabResets = 60
> > tcpCurrEstab = 1 tcpOutSegs =201722
> > tcpOutDataSegs =174112 tcpOutDataBytes =40820318
> > tcpRetransSegs = 222 tcpRetransBytes = 1729
> > tcpOutAck = 27605 tcpOutAckDelayed = 8140
> > tcpOutUrg = 0 tcpOutWinUpdate = 1
> > tcpOutWinProbe = 1 tcpOutControl = 16756
> > tcpOutRsts = 1676 tcpOutFastRetrans = 0
> > tcpInSegs =260020
> > tcpInAckSegs =158866 tcpInAckBytes =40826680
> > tcpInDupAck = 10030 tcpInAckUnsent = 0
> > tcpInInorderSegs =143841 tcpInInorderBytes =16119948
> > tcpInUnorderSegs = 0 tcpInUnorderBytes = 0
> > tcpInDupSegs = 32 tcpInDupBytes = 0
> > tcpInPartDupSegs = 0 tcpInPartDupBytes = 0
> > tcpInPastWinSegs = 0 tcpInPastWinBytes = 0
> > tcpInWinProbe = 0 tcpInWinUpdate = 1
> > tcpInClosed = 0 tcpRttNoUpdate = 2
> > tcpRttUpdate =152336 tcpTimRetrans = 10
> > tcpTimRetransDrop = 0 tcpTimKeepalive = 766
> > tcpTimKeepaliveProbe= 459 tcpTimKeepaliveDrop = 17
> > tcpListenDrop = 0 tcpListenDropQ0 = 0
> > tcpHalfOpenDrop = 0 tcpOutSackRetrans = 0
> >
> >IP ipForwarding = 1 ipDefaultTTL = 255
> > ipInReceives =9991936 ipInHdrErrors = 0
> > ipInAddrErrors = 0 ipInCksumErrs = 0
> > ipForwDatagrams =9716892 ipForwProhibits = 1
> > ipInUnknownProtos = 0 ipInDiscards = 0
> > ipInDelivers =276641 ipOutRequests =257106
> > ipOutDiscards = 0 ipOutNoRoutes = 0
> > ipReasmTimeout = 60 ipReasmReqds = 0
> > ipReasmOKs = 0 ipReasmFails = 0
> > ipReasmDuplicates = 0 ipReasmPartDups = 0
> > ipFragOKs = 0 ipFragFails = 0
> > ipFragCreates = 0 ipRoutingDiscards = 0
> > tcpInErrs = 0 udpNoPorts = 703
> > udpInCksumErrs = 0 udpInOverflows = 0
> > rawipInOverflows = 0
> >
> >ICMP icmpInMsgs = 120 icmpInErrors = 0
> > icmpInCksumErrs = 0 icmpInUnknowns = 0
> > icmpInDestUnreachs = 39 icmpInTimeExcds = 0
> > icmpInParmProbs = 0 icmpInSrcQuenchs = 0
> > icmpInRedirects = 0 icmpInBadRedirects = 0
> > icmpInEchos = 81 icmpInEchoReps = 0
> > icmpInTimestamps = 0 icmpInTimestampReps = 0
> > icmpInAddrMasks = 0 icmpInAddrMaskReps = 0
> > icmpInFragNeeded = 0 icmpOutMsgs = 1580
> > icmpOutDrops = 6 icmpOutErrors = 0
> > icmpOutDestUnreachs = 99 icmpOutTimeExcds = 1481
> > icmpOutParmProbs = 0 icmpOutSrcQuenchs = 0
> > icmpOutRedirects = 0 icmpOutEchos = 0
> > icmpOutEchoReps = 0 icmpOutTimestamps = 0
> > icmpOutTimestampReps= 0 icmpOutAddrMasks = 0
> > icmpOutAddrMaskReps = 0 icmpOutFragNeeded = 0
> > icmpInOverflows = 0
> >IGMP:
> > 0 messages received
> > 0 messages received with too few bytes
> > 0 messages received with bad checksum
> > 0 membership queries received
> > 0 membership queries received with invalid field(s)
> > 0 membership reports received
> > 0 membership reports received with invalid field(s)
> > 0 membership reports received for groups to which we belong
> > 0 membership reports sent
> >
> >
> >
> >================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> >================================================================================
>
>
>
>
>
--
--Paul
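The checks Lance and Simon describe (a static default route in /etc/defaultrouter, or /etc/notrouter, so no routing daemon starts; ip_ignore_redirect set so ICMP redirects cannot rewrite the route table; and netstat -s to see whether redirects have actually arrived) can be turned into a small audit script. The following is an added example and not code from the thread or from Check Point; it assumes a POSIX sh, that ndd lives in the PATH on a Solaris host, and it uses a constructed netstat -s fragment (with a non-zero icmpInRedirects count, unlike the real dump quoted above) so the parsing can be exercised on any system.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Solaris firewall settings the
# thread discusses. Parsing runs against constructed input so it works on any
# POSIX sh; ndd is only invoked when it is actually present (a Solaris host).

# Constructed sample of the ICMP section of "netstat -s", shaped like the real
# dump quoted in the thread but with redirects counted so a finding shows up.
SAMPLE_NETSTAT='ICMP    icmpInMsgs          =   120     icmpInErrors        =     0
        icmpInRedirects     =     7     icmpInBadRedirects  =     2
        icmpOutRedirects    =     0     icmpOutEchos        =     0'

# netstat_counter NAME TEXT: print the value of one counter from netstat -s
# style output. Counters sit two per line as "name = value"; the real output
# also has "name =value" and "name= value" forms, so all three are handled.
netstat_counter() {
    printf '%s\n' "$2" | awk -v want="$1" '
        BEGIN { wanteq = want "=" }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == want && $(i+1) == "=")  { print $(i+2); exit }
                if ($i == want && $(i+1) ~ /^=/)  { sub(/^=/, "", $(i+1)); print $(i+1); exit }
                if ($i == wanteq)                 { print $(i+1); exit }
            }
        }'
}

# redirect_status TEXT: has this host accepted any ICMP redirects? A non-zero
# icmpInRedirects means something on the wire was able to offer a route change.
redirect_status() {
    count=$(netstat_counter icmpInRedirects "$1")
    count=${count:-0}
    if [ "$count" -eq 0 ]; then
        echo "no-redirects-seen"
    else
        echo "redirects-seen:$count"
    fi
}

# route_config_status ROOT: which of the two mechanisms from the thread is in
# place? ROOT defaults to the real filesystem; pass a scratch tree for testing.
route_config_status() {
    root=${1:-}
    if [ -s "$root/etc/defaultrouter" ]; then
        echo "static-default-route"      # Lance: routing daemons stay disabled
    elif [ -e "$root/etc/notrouter" ]; then
        echo "notrouter"                 # Simon: same effect, no default route
    else
        echo "dynamic-routing-possible"  # neither file: routed may be started
    fi
}

# ignore_redirect_status: on a Solaris host, confirm the kernel setting
# (ndd -set /dev/ip ip_ignore_redirect 1) is in effect right now.
ignore_redirect_status() {
    if command -v ndd >/dev/null 2>&1; then
        val=$(ndd -get /dev/ip ip_ignore_redirect 2>/dev/null)
        if [ "$val" = "1" ]; then echo "ignored"; else echo "honoured"; fi
    else
        echo "ndd-unavailable"
    fi
}

# Stand-alone run: live checks where possible, parsing demo on the sample.
printf 'route config:        %s\n' "$(route_config_status /)"
printf 'ip_ignore_redirect:  %s\n' "$(ignore_redirect_status)"
printf 'sample netstat -s:   %s\n' "$(redirect_status "$SAMPLE_NETSTAT")"
```

On a real firewall you would replace the sample with `netstat -s` output (for example `redirect_status "$(netstat -s)"`) and run it from cron, since ip_ignore_redirect set with ndd does not survive a reboot and the thread's advice is to reapply it from a startup script; a report of "honoured" or "dynamic-routing-possible" is the signal that the hardening has lapsed.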