Re: [cobalt-users] Adaptive Firewall (Was re: Qube Hacked)
- Subject: Re: [cobalt-users] Adaptive Firewall (Was re: Qube Hacked)
- From: Malcolm McLeary <mmcleary@xxxxxxx>
- Date: Wed May 14 16:00:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On 15/5/03 5:35 AM, David Lucas wrote:
> At 02:16 PM 5/14/2003, you wrote:
>> Wim Dieke wrote:
>>> So if you need any help, you can mail me or the list.
>>
>> Any URLs with how-to's on setting it up?
>>
>> tim
>
> http://pkgmaster.com/
> http://pkgmaster.com/howto/cobalt_firewall_howto.shtml
That link is for the basic firewall, not the Adaptive Firewall.
I thought the Adaptive Firewall came with a PDF manual.
As for the instructions at pkgmaster ... they are insufficient for actually
getting a firewall to work in a typical Qube3 installation.
The rules shown allow external access to the listed services, but fail to
allow internal access to external services. As most Qube3 installations
provide gateway facilities for a LAN, such a config will stop LAN users
accessing anything on the internet.
On the surface it would appear that no outbound traffic is being blocked, so
it should work, but the problem is the return traffic from the remote host
will be blocked. Return traffic will be coming back to unprivileged ports
1025 to 66535. Now it would appear that opening up all these ports is a
problem, but the point is the traffic will be coming from known ports so
specific input rules can be applied.
Getting DNS to work is a bit more complex.
You also need to include some rules to allow the Active Monitoring to work.
Further the Qube3 VPN facility and the Basic Firewall are "basically"
incompatible unless you adopt a policy of accept everything unless
explicitly denied.
I prefer to be a little more explicit and have separate rule sets for each
of the ethernet interfaces and deal with UDP and TCP as appropriate.
Cheers, Malcolm
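An added example, not part of Malcolm's post or the pkgmaster howto, of the return-traffic rules the post describes: an ipchains rule set (assumed to be the filter on a Linux 2.2-based Qube3) that admits replies from known remote service ports to the unprivileged local range, keeps the LAN side in a separate rule set, and handles UDP DNS separately from TCP. The interface names, the service ports chosen and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the pkgmaster howto): ipchains rules for the
# Linux 2.2-era filter assumed on a Qube3, admitting the return traffic a
# stateless ruleset would otherwise drop. Interface names are assumptions.
IPCHAINS=${IPCHAINS:-ipchains}
DRY_RUN=${DRY_RUN:-0}   # set to 1 to print the rules without loading them

rule() {
    # Print each rule; load it only when not dry running.
    echo "$IPCHAINS $*"
    [ "$DRY_RUN" = 1 ] || "$IPCHAINS" "$@"
}

# Replies to TCP sessions LAN clients opened to the internet: arriving on the
# WAN side from a known remote service port, bound for an unprivileged local
# port, with SYN clear (! -y) so the hole cannot be used to open a new inbound
# connection.
allow_tcp_return() {
    wan=$1; shift
    for port in "$@"; do
        rule -A input -i "$wan" -p tcp -s 0/0 "$port" -d 0/0 1024:65535 ! -y -j ACCEPT
    done
}

# DNS replies are UDP from port 53 to an unprivileged local port. UDP has no SYN
# flag, so the only handle is the source port: the "bit more complex" part.
allow_dns_return() {
    rule -A input -i "$1" -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
}

# One rule set per interface: trust the LAN side, default deny on the WAN side,
# then the narrow return-traffic holes (inbound service rules go alongside).
apply_ruleset() {
    wan=$1; lan=$2
    rule -F input
    rule -P input DENY
    rule -A input -i lo -j ACCEPT
    rule -A input -i "$lan" -j ACCEPT
    allow_tcp_return "$wan" 80 443 25 110
    allow_dns_return "$wan"
}

# Usage: DRY_RUN=1 sh firewall.sh apply eth0 eth1  (which side is WAN is an assumption)
if [ "${1:-}" = "apply" ]; then
    apply_ruleset "${2:-eth0}" "${3:-eth1}"
fi
```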