The following discussion of changes made to the firewall host software also applies to any host made publicly accessible, such as the WWW server and FTP server shown in the screened subnet example in Figure 5-3.
Note: Do not connect your hardware to the external network until you make the changes described in this section. When you have finished the procedures, reboot your firewall system to ensure that all changes take effect. Many of these changes do not take effect until the system is rebooted.
Follow this procedure to turn off automatic IP packet forwarding:
Change the line
int ipforwarding = 1;
to
int ipforwarding = 0;
# autoconfig -f
This creates a /unix.install file, which becomes the new /unix after the system is rebooted.
# netstat -s -p ip | grep forwarding
You should see the following:
0 packets forwarded (forwarding disabled)
If you do not see this message, repeat steps 1 through 5 until you do. (Be sure that your root filesystem has enough disk space so that the /unix.install file is being created correctly. See autoconfig(1M) for more information.)
Note: These services are being disabled on the firewall only. Services that are commented out in the system files on the firewall may still be available on your internal network--you just can't use them on the firewall host.
exec stream tcp nowait root /usr/etc/rexecd rexecd
bootp dgram udp wait root /usr/etc/bootp bootp
rstatd/1-3 dgram rpc/udp wait root /usr/etc/rpc.rstatd rstatd
walld/1 dgram rpc/udp wait root /usr/etc/rpc.rwalld rwalld
rusersd/1 dgram rpc/udp wait root /usr/etc/rpc.rusersd rusersd
rquotad/1 dgram rpc/udp wait root /usr/etc/rpc.rquotad rquotad
bootparam/1 dgram rpc/udp wait root /usr/etc/rpc.bootparamd bootparam
ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated ypupdated
rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rexd
In other words, they should look like this:
#exec stream tcp nowait root /usr/etc/rexecd rexecd
#bootp dgram udp wait root /usr/etc/bootp bootp
#rstatd/1-3 dgram rpc/udp wait root /usr/etc/rpc.rstatd rstatd
#walld/1 dgram rpc/udp wait root /usr/etc/rpc.rwalld rwalld
#rusersd/1 dgram rpc/udp wait root /usr/etc/rpc.rusersd rusersd
#rquotad/1 dgram rpc/udp wait root /usr/etc/rpc.rquotad rquotad
#bootparam/1 dgram rpc/udp wait root /usr/etc/rpc.bootparamd bootparam
#ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated ypupdated
#rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rexd
If you want details on the services you are disabling, refer to their reference pages. For example, refer to rexecd(1M) for more information on the rexecd daemon.
ftp stream tcp nowait root /usr/etc/ftpd ftpd -la
telnet stream tcp nowait root /usr/etc/telnetd telnetd
shell stream tcp nowait root /usr/etc/rshd rshd
login stream tcp nowait root /usr/etc/rlogind rlogind
tftp dgram udp wait guest /usr/etc/tftpd tftpd -s \
    /usr/local/boot /usr/etc/boot
If you comment them out (totally disable them), they should look like this:
#ftp stream tcp nowait root /usr/etc/ftpd ftpd -l
#telnet stream tcp nowait root /usr/etc/telnetd telnetd
#shell stream tcp nowait root /usr/etc/rshd rshd
#login stream tcp nowait root /usr/etc/rlogind rlogind
#tftp dgram udp wait guest /usr/etc/tftpd tftpd -s \
#    /usr/local/boot /usr/etc/boot
To be safe, it is best to disable all of these services with the comment character as shown above. (Doing so means, however, that the host can only be administered from the local console.) Of these services, rshd is the most dangerous to leave enabled, because it trusts the client's claimed identity and any hosts.equiv or .rhosts entries rather than a password, and tftpd is almost never required on a firewall. Regarding ftpd, refer to "IRIX Admin: Networking and Mail." If, however, you must keep any of these services, change their entries as shown below so that they record a log of their use in the file /var/adm/SYSLOG:
ftp stream tcp nowait root /usr/etc/ftpd ftpd -ll
shell stream tcp nowait root /usr/etc/rshd rshd -Lal
tftp dgram udp wait guest /usr/etc/tftpd tftpd -s -l -h /dev/null
Note the logging options added to each daemon invocation. (For more information, refer to the reference page for any daemon you modify.)
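After editing /etc/inetd.conf it is easy to miss an entry, or to comment out the first line of a two-line entry and leave its continuation active. The following script is an added example, not part of the original document or of IRIX: it joins backslash-continued lines, skips comments, and reports every still-enabled entry whose service name is one of those the text above says to disable. The list of service names is taken from the text and the sample inetd.conf is constructed for the demonstration; on a firewall host you would point it at /etc/inetd.conf instead.

```shell
#!/bin/sh
# Added example (not from the original document): audit an inetd.conf for
# firewall-inappropriate services that are still enabled.

# Services the procedure above says to comment out on the firewall host.
# (Assumption: this list is the one from the text; extend it for your site.)
RISKY_SERVICES="exec bootp rstatd walld rusersd rquotad bootparam ypupdated rexd ftp telnet shell login tftp"

# Print the active (uncommented) entries of the given inetd.conf whose
# service name is in RISKY_SERVICES, one entry per line.
# RPC entries are written "rstatd/1-3", so only the part before "/" is
# compared. Backslash-continued lines are joined first, so a two-line
# tftp entry is examined (and reported) whole.
enabled_risky_services() {
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" \
      | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
      | while read -r service rest; do
            name=${service%%/*}
            for risky in $RISKY_SERVICES; do
                if [ "$name" = "$risky" ]; then
                    echo "$service $rest"
                fi
            done
        done
}

# Report the result; return 0 when nothing risky is enabled, 1 otherwise.
audit_inetd_conf() {
    hits=$(enabled_risky_services "$1")
    if [ -z "$hits" ]; then
        echo "OK: no risky inetd services enabled in $1"
        return 0
    fi
    echo "WARNING: risky services still enabled in $1:"
    echo "$hits" | sed 's/^/  /'
    return 1
}

# Constructed sample inetd.conf for the demonstration (not a real host file):
# telnet is commented out correctly, but ftp, rstatd and a two-line tftp
# entry are still active.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#telnet stream tcp nowait root /usr/etc/telnetd telnetd
ftp     stream tcp nowait root /usr/etc/ftpd ftpd -ll
rstatd/1-3 dgram rpc/udp wait root /usr/etc/rpc.rstatd rstatd
tftp    dgram udp  wait guest /usr/etc/tftpd tftpd -s \
        /usr/local/boot /usr/etc/boot
finger  stream tcp nowait guest /usr/etc/fingerd fingerd -S
EOF

audit_inetd_conf "$SAMPLE_CONF" || echo "audit exit status: $?"
rm -f "$SAMPLE_CONF"
```

Run it again after `killall -HUP inetd` has been issued; a clean run reports only the services you decided to keep, each of which should carry the logging options described above.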
The telnetd and rlogind entries have not been included here because remote logins can (and should) be controlled with the use of one-time passwords. One-time passwords are just that--a password that can be used once to gain access, but any future use of that same password is disallowed. There are various ways to implement one-time passwords, and how (and if) you use them at your site depends on your need for remote login capability and the degree to which you want to authenticate such logins. Refer to the Firewalls and Internet Security book referenced in "Books".
finger stream tcp nowait guest /usr/etc/fingerd fingerd -S
Or, to be more secure, you can configure fingerd with the -f option, to return just a message file. In the following example, a message has been placed in /etc/fingerd.message:
finger stream tcp nowait guest /usr/etc/fingerd fingerd -f \
    /etc/fingerd.message
The contents of /etc/fingerd.message might say something like:
Thank you for your interest in XYZ company. Please contact us at xyz.email.address or 1-800-XYZ-PHON for more information.
This message is then returned for any finger access.
# killall -HUP inetd
Check whether there are any /etc/hosts.equiv or $HOME/.rhosts files. These files can be configured to allow remote access through rshd and rlogind without password protection (an entry consisting of a single "+" trusts every host), and they should not be allowed on a firewall host. Remember to check the home directory of every account in /etc/passwd, not just those under /usr/people. Refer to hosts.equiv(4) for more information.
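The following script is an added example, not part of the original document or of IRIX: it walks the home directories listed in /etc/passwd, reports every hosts.equiv and .rhosts file it finds, and counts the wildcard "+" entries in each. The optional root prefix lets it be run against a staged copy of a filesystem; the staged tree built at the bottom is constructed for the demonstration. On the firewall itself run `audit_trust_files ""` so the paths resolve to /etc/passwd and the real home directories.

```shell
#!/bin/sh
# Added example (not from the original document): find trust files that
# allow password-less remote access (/etc/hosts.equiv and per-user .rhosts).
# $1 is an optional root prefix (empty on a live host) so the check can
# also be run against a staged directory tree.

# Print each hosts.equiv or .rhosts file found under the prefix, one per
# line. Home directories come from the 6th field of etc/passwd so accounts
# with homes outside /usr/people (root, guest, ...) are included.
find_trust_files() {
    root="$1"
    if [ -f "$root/etc/hosts.equiv" ]; then
        echo "$root/etc/hosts.equiv"
    fi
    cut -d: -f6 "$root/etc/passwd" | sort -u | while read -r home; do
        [ -n "$home" ] || continue
        if [ -f "$root$home/.rhosts" ]; then
            echo "$root$home/.rhosts"
        fi
    done
}

# Count entries that begin with "+", which trust every host (or, in the
# second field, every user). Prints 0 when there are none.
count_wildcard_entries() {
    grep -c '^[[:space:]]*+' "$1" || true
}

# Report the files found; return 0 when there are none, 1 otherwise.
audit_trust_files() {
    files=$(find_trust_files "$1")
    if [ -z "$files" ]; then
        echo "OK: no hosts.equiv or .rhosts files under ${1:-/}"
        return 0
    fi
    echo "WARNING: trust files present (remove them on a firewall host):"
    echo "$files" | while read -r f; do
        echo "  $f ($(count_wildcard_entries "$f") wildcard '+' entries)"
    done
    return 1
}

# Constructed staged tree for the demonstration (not a real host):
# hosts.equiv trusts everyone, and one user has a .rhosts file.
STAGE=$(mktemp -d)
mkdir -p "$STAGE/etc" "$STAGE/usr/people/alice" "$STAGE/usr/people/bob"
printf '%s\n' 'root:x:0:0:Super-User:/:/bin/sh' \
              'alice:x:100:20::/usr/people/alice:/bin/sh' \
              'bob:x:101:20::/usr/people/bob:/bin/sh' > "$STAGE/etc/passwd"
printf '+\n' > "$STAGE/etc/hosts.equiv"
printf 'trusted.example.com alice\n' > "$STAGE/usr/people/alice/.rhosts"

audit_trust_files "$STAGE" || echo "audit exit status: $?"
rm -rf "$STAGE"
```

Any file the report lists should simply be removed from the firewall host; there is no safe content for it there.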
Refer to "Password Administration" for details on host access password security.
For example, suppose you create a /etc/config/portmap.options file with the following entries:
-a 192.0.2.0 -a 192.14.12.0
This restricts access to the firewall host's RPC services to hosts on the Class C networks 192.0.2 and 192.14.12.
The syntax for the -a option allows you to specify multiple network masks, network addresses, and host addresses. As usual, the fewer hosts or networks allowed access, the better the security. Refer to the reference page portmap(1M) for more information.
# versions remove nfs.sw.nis
Caution: You should not run NIS on a firewall. If you must run NIS, be sure the server is secure and have the clients run ypbind with the -ypsetme option which provides some minimal security.
# chkconfig nfs off
If you must export filesystems from the firewall host, restrict them in /etc/exports. You can use the rw=hostname
option to limit read-write access to a specific host, or you can use the access=client
option to limit mounting to specified hosts. Refer to the reference page for exports(4) for more information.
Log files are sensitive information and are best not stored on the firewall host. Refer to syslogd(1M) for information on how to forward syslog messages from the firewall host to a trusted host inside the firewall.
You can use the versions command to display a list of system files modified since installation. For example:
# versions changed
Configuration Files
m = modified since initial installation
? = modification unknown
blank = file is as originally installed
  /etc/init.d/netsite
m /etc/init.d/netsite.O
m /etc/init.d/netsite.N
m /etc/uucp/Devices
  /etc/uucp/Devices.N
m /var/X11/xdm/Xsession.dt
  /var/X11/xdm/Xsession.dt.O
  /var/X11/xdm/xdm-config
<etc>
You can also use the versions -m command to list only modified installed files. Refer to versions(1M) for more information.