Re: [cobalt-users] Adaptive Firewall (Was re: Qube Hacked)
- Subject: Re: [cobalt-users] Adaptive Firewall (Was re: Qube Hacked)
- From: "Wim Dieke" <w.dieke@xxxxxxxxx>
- Date: Wed May 14 14:46:00 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> >Wim Dieke wrote:
> > > So if you need any help, you can mail me or the list.
> >
> >Any URLs with how-to's on setting it up?
> >
> >tim
>
> http://pkgmaster.com/
> http://pkgmaster.com/howto/cobalt_firewall_howto.shtml
>
Actually, the URLs point to a basic firewall setup, not the adaptive firewall.
First of all: sorry for the bad English, I'm from the Netherlands, so it is not my native speech :)
Here you can find the general URL for the firewall: http://www.sun.com/hardware/serverappliances/qube3/adaptive.html
The basic principle is:
1) Make a list of services you want to have incoming and outgoing. Things like SSH, FTP, HTTP etc.
2) Install the firewall package (http://www.sun.com/hardware/serverappliances/pdfs/manuals/adaptive.installguide.pdf)
3) Read the manual.
4) Configure the firewall.
Remember that this firewall is restrictive, so if you do not configure a service, it will not be open to the public. Also you do not need to open up high ranges of ports. The firewall dynamically opens high ports on demand.
The 4th bit is the hardest. One should perhaps start with the "outgoing only" example. It opens the outside world to the internal network so workstations behind the firewall can use the internet, but keeps all traffic from outside out.
Start by looking around; check where the services you listed in point 1) reside in the tree on the left. On the right there are checkboxes for the services, radio buttons for incoming/outgoing and 2 text boxes. The general principle is: select incoming, select the services, select the local servers in the left box, select the remote clients in the right box. Then select outgoing, the services, and the local clients on the left, the remote servers on the right. A * means all IP addresses possible. You can enter an IP range by using the format ww.xx.yy.zz/nn where nn is a netblock (for help on netblocks: http://jodies.de/ipcalc).
For services not listed in the tree on the left, you can make a custom rule. Select custom protocols from the firewall menu. Press ADD, choose incoming or outgoing, choose the protocol type (TCP/UDP etc., see note further on) and choose the port number. Fill in the server and client edit boxes.
The "standard" custom protocol types are (from the manual):
********************** ADAPTIVE FIREWALL MANUAL ************
Custom protocols are based on a port number and a protocol type. Here are the
most common protocol types:
. TCP Session
. UDP Session
. UDP Query/Response
. UDP Packet Dst Spec
. UDP Packet Src Spec
. Raw IP Packet
TCP Session The firewall will pass TCP packets that contain the specified
destination port if the packets are transmitted between the locations entered in the
Local and Remote boxes.
UDP Session The firewall will pass UDP packets that contain the specified
destination port if the packets are transmitted between the locations entered in the
Local and Remote boxes. The source port can be any port. After the initial packet
has passed, subsequent UDP packets in a UDP session are passed if the client
side port is the original source port and the server side port is the source port of
the initial UDP response packet.
UDP Query/Response This is similar to a UDP session, but the destination that
receives the source's packet usually only responds with one or two packets and
then the session ends.
UDP Packet Dst Spec This permits the firewall to pass UDP packets in one
direction between the locations listed in the Local and Remote text boxes if the
destination port matches what is specified.
UDP Packet Src Spec Same as above except the source port must match what is
specified in the Port/Protocol box.
Raw IP Packet This is used to allow IP packets that are not defined by the TCP,
UDP or ICMP protocols. When you select this option, the Port/Protocol box
implies that a protocol will be entered. When one of the other options is
selected, the Port/Protocol box implies that a port will be entered.
********************** ADAPTIVE FIREWALL MANUAL ************
The problems I ran into were:
1) Not knowing that Raw IP Packet means that you don't put a port in the port field, but a packet type.
2) Placing enters/tabs/spaces after the IP addresses in the client/server boxes breaks the firewall (you will know when you do).
3) Updating the kernel of the Qube. This last one is kinda tricky since the firewall checks the kernel version you have. Normally no problem, but the last kernel update (C35) screwed things up a bit. The update you will see now in BlueLinQ works, by the way.
4) The adaptive firewall is a RESTRICTIVE firewall. So if you DON'T configure access, then the service will be shut down! This is the opposite of the basic firewall and that makes this one a bit more protective.
5) Remember always: once you open a port or service temporarily, you will forget about it and leave it open. For sure. Everyone does this. So IF you want temporary access, make a note in your (electronic) agenda/calendar to disable access again.
Also be careful to save firewall files! Always make backups of working configurations before changes.
And the last advice: get to know the basic firewall also. It's a second perimeter around your internal network. 2 lines of defense are better than one and the two don't bite each other.
Oh, before I forget: keep asking questions ;)
Hope this helps,
Wim.
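To make the "UDP Session" semantics quoted from the manual concrete (initial packet matched on destination port and Local/Remote netblocks, follow-up packets allowed only on the original client port and the server port learned from the first reply, so no high-port ranges need opening), here is a small Python model of that behaviour. This is an added illustration, not code from the Qube firewall or from Wim's post; the rule names, the `ww.xx.yy.zz/nn` handling via `ipaddress`, and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

def in_block(spec, addr):
    """'*' means any address; otherwise a ww.xx.yy.zz/nn netblock as typed in a Local/Remote box."""
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

@dataclass
class UdpSessionRule:
    """A 'UDP Session' custom protocol: destination port plus Local/Remote netblocks.
    incoming: Local = servers, Remote = clients.  outgoing: Local = clients, Remote = servers."""
    port: int
    direction: str
    local: str = "*"
    remote: str = "*"

    def matches_initial(self, client_ip, server_ip, dst_port):
        if dst_port != self.port:
            return False
        clients, servers = ((self.remote, self.local) if self.direction == "incoming"
                            else (self.local, self.remote))
        return in_block(clients, client_ip) and in_block(servers, server_ip)

class UdpSessionFilter:
    """Restrictive filter: a UDP packet passes only as the initial packet of a rule,
    or as part of a session that such a packet opened (no high-port ranges needed)."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = {}   # (client_ip, client_port, server_ip) -> {"server_port": int|None}

    def allow(self, src_ip, src_port, dst_ip, dst_port):
        # Reply from the server side of an open session?
        sess = self.sessions.get((dst_ip, dst_port, src_ip))
        if sess is not None:
            if sess["server_port"] is None:      # first response: learn the server-side port
                sess["server_port"] = src_port   # (may be a high port, opened on demand)
                return True
            return src_port == sess["server_port"]
        # Follow-up from the client to the learned server-side port?
        sess = self.sessions.get((src_ip, src_port, dst_ip))
        if sess is not None and dst_port == sess["server_port"]:
            return True
        # Otherwise it must be an initial packet matching a rule's destination port.
        for rule in self.rules:
            if rule.matches_initial(src_ip, dst_ip, dst_port):
                self.sessions.setdefault((src_ip, src_port, dst_ip), {"server_port": None})
                return True
        return False

# Constructed sample policy: workstations on 192.168.1.0/24 may do outgoing DNS (53) and TFTP (69).
RULES = [UdpSessionRule(53, "outgoing", local="192.168.1.0/24"),
         UdpSessionRule(69, "outgoing", local="192.168.1.0/24")]
```

Feeding packets through `UdpSessionFilter(RULES).allow(...)` shows why an unsolicited packet to a workstation is dropped even though the reply to its own query passes, and how a server answering from a fresh high port (TFTP-style) gets that one port opened for that session only.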