### Set kernel parameters for /dev/ip
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
- Have a look at Sun's own tool for network security, which includes all
of the above ndd settings (highly recommended):
http://www.sun.com/blueprints/tools/nddconfig
(3) Firewall
(a) C compiler:
- GNU gcc can be downloaded from http://www.sunfreeware.com
- or download/try the Sun WorkShop evaluation CD (a must for 64-bit)
(b) IP Filter Firewall/NAT:
(i) Download IPfilter from:
http://coombs.anu.edu.au/~avalon/ip-filter.html
(ii) compiling and installing ipf module:
# make solaris
# cd SunOS5
# make package
Note: if you want to see the state table in real time, like the
top utility, edit the Makefile to enable it:
STATETOP_CFLAGS=-DSTATETOP
STATETOP_INC=-I/usr/include
STATETOP_LIB=-L/lib -lncurses
I use the libcurses bundled in the SUNWcsl and SUNWarc packages.
Just link these libraries to libncurses in /usr/lib:
libncurses.a -> libcurses.a
libncurses.so.1 -> libcurses.so.1*
libncurses.so -> libcurses.so.1*
Once installed, you can run the cool utility "ipfstat -t".
Note 1.1: Newer releases of ipf already have state top enabled.
Note 2: If you want to block everything by default, change:
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
to :
POLICY=-DIPF_DEFAULT_PASS=FR_BLOCK
(iii) turn on ip forwarding
To enable your system to correctly forward IP packets from
within your private network via NAT, you need to enable
ip_forwarding on your NAT system. First check to see whether
ip_forwarding is enabled via the ndd command:
# ndd -get /dev/tcp ip_forwarding
0
The zero indicates ip_forwarding is not enabled in the kernel.
To enable ip_forwarding, pass the following command to ndd:
# ndd -set /dev/tcp ip_forwarding 1
You should now confirm that ip_forwarding is indeed enabled by
repeating the ndd -get command above; it should return the
value "1".
(iv) Now let's make this permanent upon reboot.
# /bin/rm /etc/rc2.d/S65ipfboot
# ln -s /etc/init.d/ipfboot /etc/rc2.d/S65ipfboot
Create a startup script /etc/init.d/ipforward:
#!/bin/sh
# Enable or disable IP forwarding in the kernel (needed on the NAT gateway).
case "$1" in
start)
        echo "Activating IP Forwarding..."
        /usr/sbin/ndd -set /dev/tcp ip_forwarding 1
        ;;
stop)
        echo "De-activating IP Forwarding..."
        /usr/sbin/ndd -set /dev/tcp ip_forwarding 0
        ;;
*)
        echo "Usage: $0 (start|stop)" >&2
        exit 1
        ;;
esac
exit 0
Make it executable
# chmod 744 /etc/init.d/ipforward
Then link it as /etc/rc2.d/S69ipforward
# ln -s /etc/init.d/ipforward /etc/rc2.d/S69ipforward
Note: ipforward must start after ipf and inet have started.
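As an added example (not part of the original document) that ties the /dev/ip hardening values at the top of the page to the ip_forwarding check in (iii): a small POSIX sh audit script, under the hypothetical name ndd_audit.sh, that reads each parameter back with ndd -get and reports any value that drifted from the recommended setting. It assumes ndd lives at /usr/sbin/ndd, and lets NDD be overridden so the checks can be exercised off-box.

```sh
#!/bin/sh
# ndd_audit.sh (hypothetical name): compare the live kernel settings with
# the values recommended in this document and report any drift.
# NDD can be overridden with a stub so the checks can be exercised off-box.
NDD="${NDD:-/usr/sbin/ndd}"

# Expected hardening values, copied from the ndd -set lines above.
# Constructed list; format per entry: DEVICE:PARAMETER=VALUE
EXPECTED='/dev/ip:ip_respond_to_echo_broadcast=0
/dev/ip:ip_forward_directed_broadcasts=0
/dev/ip:ip_respond_to_timestamp=0
/dev/ip:ip_respond_to_timestamp_broadcast=0
/dev/ip:ip_forward_src_routed=0
/dev/ip:ip_ignore_redirect=1'

# check_one DEVICE PARAMETER WANT
# Prints one status line; returns 0 only when the live value equals WANT.
check_one() {
    actual=$("$NDD" -get "$1" "$2" 2>/dev/null) || actual='(unreadable)'
    if [ "$actual" = "$3" ]; then
        echo "OK    $1 $2=$actual"
        return 0
    fi
    echo "DRIFT $1 $2=$actual (expected $3)"
    return 1
}

# audit_all: checks every EXPECTED entry and returns the number of
# parameters that drifted (0 means the host matches the document).
audit_all() {
    drift=0
    for entry in $EXPECTED; do
        dev=${entry%%:*}
        rest=${entry#*:}
        check_one "$dev" "${rest%%=*}" "${rest#*=}" || drift=$((drift + 1))
    done
    return "$drift"
}

# Stand-alone use on the NAT gateway:  sh ndd_audit.sh run
# ip_forwarding is checked separately: it must be 1 on the NAT gateway
# (section iii) but should stay 0 on any other host.
case "${1:-}" in
run)
    audit_all
    drift=$?
    check_one /dev/tcp ip_forwarding 1 || drift=$((drift + 1))
    exit "$drift"
    ;;
esac
```

The exit status is the number of drifted parameters, so the script can be run from cron and alert on anything non-zero.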
(v) ipf and nat rules set:
Create a file called /etc/opt/ipf/ipnat.conf.
/etc/opt/ipf/ipf.conf already exists and is empty.
The file /etc/opt/ipf/ipf.conf is used to write your
firewall rules, which is beyond the scope of this document.
Check the IP Filter HOWTO page for more info:
http://unixcircle.com/ipf
(4) Installing OpenSSH (optional)
One can go the easy way and just grab a binary package from
http://www.sunfreeware.com, or learn a lot by building by hand,
in this order. Make sure you read the README or INSTALL file that
comes with each package:
1. Get & install Perl
2. Get & install zlib
3. Get & install OpenSSL
4. Get & install OpenSSH
- Startup script for sshd; save it as /etc/rc3.d/S99sshd
#!/sbin/sh
#
# Start or stop the OpenSSH daemon installed under /usr/local.
case "$1" in
"start")
        if [ -x /usr/local/sbin/sshd ]; then
                echo "Starting Secure Shell: sshd";
                /usr/local/sbin/sshd
        fi
        ;;
"stop")
        /usr/bin/pkill -x -u 0 sshd
        ;;
*)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
esac