ppl, а что? fw-1 не позволяет дропать фрагнутые пакеты без разбора?
---------- Forwarded message ----------
Date: Tue, 13 Jun 2000 00:33:40 +1000 (Australia/NSW)
From: Darren Reed <firstname.lastname@example.org>
Subject: Using IP Filter to protect FW-1 4.0
To use IP Filter to protect Firewall-1 4.0 running on Solaris,
you will need to download "pfil" and IP Filter:
Inside pfil-1.4.tar.gz, there is a diff file for Firewall-1:
you will need to apply this diff to the rc script in /etc/rcS.d.
Be sure to remove any "leftovers" that patch leaves behind - e.g.
S25fw1boot.orig - lest something undesired is run at boot time.
Then compile & install pfil, followed by IP Filter. You *must* reboot
after installing both pfil and IP Filter. To verify that IP Filter is
enabled in manner to protect FW-1, after the system has rebooted, you
should login and do the following (for example):
strconf < /dev/le
Which should show you:
Likewise, if you do "ndd /dev/pfil qif_status", you should see something
ifname ill q OTHERQ num sap hl len nr nw
QIF1 00000000 f5cebc18 f5cebc74 1 806 0 0 0 38
le0 f595cf20 f5b27410 f5b2746c 0 800 14 0 29208 8101
You should then make this the only line in /etc/opt/ipf/ipf.conf:
block in all with frags
and then run the following:
/sbin/ipf -F a -f /etc/opt/ipf/ipf.conf
This will block all those naughty IP fragment packets. This will impact
use of the Internet if path MTU discovery is not available end-to-end and
packets end up fragmented. If you want to log them:
block in log all with frags
FW-1 4.0 Observations.
FW-1 Attempts to autopush itself onto all network devices. Unfortunately,
it does this in /etc/rcS.d, which can lead to it not being able to achieve
this for devices like PPP (ipdptp) if /usr is a separate partition to /.
If you add a new type of network card to the host, FW-1 will not protect
that device unless its driver is listed in /etc/fw.boot/ifdev.
ndd and FW-1
*DO NOT* use ndd with Firewall-1.
"ndd /dev/fw0 \?" (for example) will cause a crash.
p.s. Many thanks to Peter C. for making this possible!
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html