Just a note,
On Solaris, the syntax is ndd -set /dev/ip ignore_redirect 1
FYI,
CryptoTech
Lance Spitzner wrote:
> On Fri, 9 Feb 2001, Hartmann, Josef wrote:
>
> > Well,
> >
> > if the firewall has multiple interfaces and behind these there are different
> > nets than the one directly connected to the firewall, routed has to run,
> > doesn't it?
>
> No it does not (nor should it ever for a firewall). Best practices for
> a firewall are to use statically assigned routes only. The use of dynamic
> routing protocols (such as routed, OSPF, etc.) adds additional risk. If
> a routing protocol absolutely must be used, ensure you take steps to
> mitigate the risk, such as authentication and rule base filtering.
>
> In the case of Solaris, all routing protocols are disabled by default
> if you assign a static, default route in the file /etc/defaultrouter.
> This is considered best practices for a Solaris based firewall.
>
> I also recommend you set the kernel so it ignores all ICMP redirects,
> which can also update your route table. This can be done by setting
> the following upon every reboot.
>
> ndd -set /dev/ip ip_ignore_redirect 1
>
> The command "netstat -s" will give you TCP/UDP/ICMP stats on your
> system, including ICMP redirect.
>
> firewall $ netstat -s
>
> UDP     udpInDatagrams       =    15246   udpInErrors          =        0
>         udpOutDatagrams      =    41529
>
> TCP     tcpRtoAlgorithm      =        4   tcpRtoMin            =      400
>         tcpRtoMax            =    60000   tcpMaxConn           =       -1
>         tcpActiveOpens       =     7968   tcpPassiveOpens      =      335
>         tcpAttemptFails      =     1676   tcpEstabResets       =       60
>         tcpCurrEstab         =        1   tcpOutSegs           =   201722
>         tcpOutDataSegs       =   174112   tcpOutDataBytes      = 40820318
>         tcpRetransSegs       =      222   tcpRetransBytes      =     1729
>         tcpOutAck            =    27605   tcpOutAckDelayed     =     8140
>         tcpOutUrg            =        0   tcpOutWinUpdate      =        1
>         tcpOutWinProbe       =        1   tcpOutControl        =    16756
>         tcpOutRsts           =     1676   tcpOutFastRetrans    =        0
>         tcpInSegs            =   260020
>         tcpInAckSegs         =   158866   tcpInAckBytes        = 40826680
>         tcpInDupAck          =    10030   tcpInAckUnsent       =        0
>         tcpInInorderSegs     =   143841   tcpInInorderBytes    = 16119948
>         tcpInUnorderSegs     =        0   tcpInUnorderBytes    =        0
>         tcpInDupSegs         =       32   tcpInDupBytes        =        0
>         tcpInPartDupSegs     =        0   tcpInPartDupBytes    =        0
>         tcpInPastWinSegs     =        0   tcpInPastWinBytes    =        0
>         tcpInWinProbe        =        0   tcpInWinUpdate       =        1
>         tcpInClosed          =        0   tcpRttNoUpdate       =        2
>         tcpRttUpdate         =   152336   tcpTimRetrans        =       10
>         tcpTimRetransDrop    =        0   tcpTimKeepalive      =      766
>         tcpTimKeepaliveProbe =      459   tcpTimKeepaliveDrop  =       17
>         tcpListenDrop        =        0   tcpListenDropQ0      =        0
>         tcpHalfOpenDrop      =        0   tcpOutSackRetrans    =        0
>
> IP      ipForwarding         =        1   ipDefaultTTL         =      255
>         ipInReceives         =  9991936   ipInHdrErrors        =        0
>         ipInAddrErrors       =        0   ipInCksumErrs        =        0
>         ipForwDatagrams      =  9716892   ipForwProhibits      =        1
>         ipInUnknownProtos    =        0   ipInDiscards         =        0
>         ipInDelivers         =   276641   ipOutRequests        =   257106
>         ipOutDiscards        =        0   ipOutNoRoutes        =        0
>         ipReasmTimeout       =       60   ipReasmReqds         =        0
>         ipReasmOKs           =        0   ipReasmFails         =        0
>         ipReasmDuplicates    =        0   ipReasmPartDups      =        0
>         ipFragOKs            =        0   ipFragFails          =        0
>         ipFragCreates        =        0   ipRoutingDiscards    =        0
>         tcpInErrs            =        0   udpNoPorts           =      703
>         udpInCksumErrs       =        0   udpInOverflows       =        0
>         rawipInOverflows     =        0
>
> ICMP    icmpInMsgs           =      120   icmpInErrors         =        0
>         icmpInCksumErrs      =        0   icmpInUnknowns       =        0
>         icmpInDestUnreachs   =       39   icmpInTimeExcds      =        0
>         icmpInParmProbs      =        0   icmpInSrcQuenchs     =        0
>         icmpInRedirects      =        0   icmpInBadRedirects   =        0
>         icmpInEchos          =       81   icmpInEchoReps       =        0
>         icmpInTimestamps     =        0   icmpInTimestampReps  =        0
>         icmpInAddrMasks      =        0   icmpInAddrMaskReps   =        0
>         icmpInFragNeeded     =        0   icmpOutMsgs          =     1580
>         icmpOutDrops         =        6   icmpOutErrors        =        0
>         icmpOutDestUnreachs  =       99   icmpOutTimeExcds     =     1481
>         icmpOutParmProbs     =        0   icmpOutSrcQuenchs    =        0
>         icmpOutRedirects     =        0   icmpOutEchos         =        0
>         icmpOutEchoReps      =        0   icmpOutTimestamps    =        0
>         icmpOutTimestampReps =        0   icmpOutAddrMasks     =        0
>         icmpOutAddrMaskReps  =        0   icmpOutFragNeeded    =        0
>         icmpInOverflows      =        0
> IGMP:
> 0 messages received
> 0 messages received with too few bytes
> 0 messages received with bad checksum
> 0 membership queries received
> 0 membership queries received with invalid field(s)
> 0 membership reports received
> 0 membership reports received with invalid field(s)
> 0 membership reports received for groups to which we belong
> 0 membership reports sent
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
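The three pieces of the quoted advice (a static default route in /etc/defaultrouter so routed never starts, the ndd setting reapplied on every boot, and "netstat -s" watched for ICMP redirects) as one added shell example. This is not code from the thread or from either poster: it assumes the Solaris ndd(1M) syntax "ndd -set /dev/ip <param> <value>", a hypothetical rc script name S69ndd-harden, and a constructed "netstat -s" ICMP excerpt with made-up counts. It also sets ip_send_redirects, which goes beyond the thread's ip_ignore_redirect.

```shell
#!/bin/sh
# Added example, not from the thread: turn the quoted Solaris firewall advice
# into checks that can run from cron or a hardening script.
# Assumes Solaris ndd(1M) syntax "ndd -set /dev/ip <param> <value>"; the rc
# script name S69ndd-harden is hypothetical (Solaris runs /etc/rc2.d/S* at boot).

# Constructed ICMP excerpt in the two-counters-per-line layout of "netstat -s".
# The redirect counts are made up so the check below has something to flag.
SAMPLE_NETSTAT='ICMP    icmpInMsgs           =      120   icmpInErrors         =        0
        icmpInCksumErrs      =        0   icmpInUnknowns       =        0
        icmpInDestUnreachs   =       39   icmpInTimeExcds      =        0
        icmpInRedirects      =        7   icmpInBadRedirects   =        2
        icmpInEchos          =       81   icmpInEchoReps       =        0
        icmpOutRedirects     =        0   icmpOutEchos         =        0'

# icmp_counter NAME TEXT: print one counter from netstat -s output.  Two
# "name = value" pairs share each line, so match on the name, not the column.
icmp_counter() {
    printf '%s\n' "$2" | awk -v key="$1" '{
        for (i = 1; i <= NF; i++)
            if ($i == key && $(i + 1) == "=") print $(i + 2)
    }'
}

# redirects_seen TEXT: print how many ICMP redirects the kernel has received
# (accepted plus rejected) and fail if the total is non-zero.  With
# ip_ignore_redirect=1 they cannot change the route table, but any arrival
# still means a host on an adjacent net is trying to steer the firewall.
redirects_seen() {
    in=$(icmp_counter icmpInRedirects "$1")
    bad=$(icmp_counter icmpInBadRedirects "$1")
    total=$(( ${in:-0} + ${bad:-0} ))
    echo "$total"
    [ "$total" -eq 0 ]
}

# route_is_static FILE: true when FILE (normally /etc/defaultrouter) names at
# least one gateway; an empty or comment-only file would let the boot scripts
# fall back to starting in.routed or in.rdisc.
route_is_static() {
    [ -s "$1" ] && grep -q '^[[:space:]]*[^#[:space:]]' "$1"
}

# write_rc_script DIR: install a boot-time script (normally DIR=/etc/rc2.d)
# because ndd settings are lost on reboot.  ip_send_redirects=0 is added on
# top of the thread's ip_ignore_redirect=1 so the firewall neither honours
# redirects nor tells the hosts behind it to route around it.
write_rc_script() {
    cat > "$1/S69ndd-harden" <<'EOF'
#!/sbin/sh
# Reapplied on every boot: ndd changes do not persist across reboots.
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_send_redirects 0
EOF
    chmod 744 "$1/S69ndd-harden"
}

# Typical use on the firewall itself:
#   redirects_seen "$(netstat -s)" >/dev/null || echo "ICMP redirects arriving"
#   route_is_static /etc/defaultrouter || echo "no static default route"
#   write_rc_script /etc/rc2.d
```

The counter parser keys on the counter name rather than its position because "netstat -s" wraps two counters onto each line and drops to one on the last line of a section, as the quoted output shows.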