
Detailed steps for building a firewall with Solaris and the IP Filter package (2)

Source: Author: Publisher: 巧巧读书 2006-04-24

  Detailed steps for building a firewall with Solaris and the IP Filter package
    (3) Firewall

(a) C compiler:
- GNU gcc can be downloaded from http://www.sunfreeware.com .
- or download/try the Eval Sun WorkShop CD (a must for 64-bit)

(b) IP Filter Firewall/NAT:
(i) Download IPfilter from:
http://coombs.anu.edu.au/~avalon/ip-filter.html

(ii) Compiling and installing the ipf module:
# make solaris
# cd SunOS5
# make package

Note: if you want to see the state table in real time, like the
top utility, edit the Makefile to enable it:

STATETOP_CFLAGS=-DSTATETOP
STATETOP_INC=-I/usr/include
STATETOP_LIB=-L/lib -lncurses

I use the libcurses bundled in the SUNWcsl and SUNWarc packages.
Just link these libs to libncurses in /usr/lib:

libncurses.a -> libcurses.a
libncurses.so.1 -> libcurses.so.1*
libncurses.so -> libcurses.so.1*

Once installed, you can run the cool utility "ipfstat -t".

Note 1.1: Newer releases of ipf already have state top enabled.

Note 2: If you want to block everything by default, change:

POLICY=-DIPF_DEFAULT_PASS=FR_PASS
to:
POLICY=-DIPF_DEFAULT_PASS=FR_BLOCK

(iii) Turn on IP forwarding
To enable your system to correctly forward IP packets from
within your private network via NAT, you need to enable
ip_forwarding on your NAT system. First check to see whether
ip_forwarding is enabled via the ndd command:

# ndd -get /dev/tcp ip_forwarding
0

The zero indicates ip_forwarding is not enabled in the kernel.
To enable ip_forwarding, pass the following command to ndd:

# ndd -set /dev/tcp ip_forwarding 1

You should now check that ip_forwarding is indeed enabled by
checking as previously described, with the answer being the
value "1".


(iv) Now let's make this permanent upon reboot.

# /bin/rm /etc/rc2.d/S65ipfboot
# ln -s /etc/init.d/ipfboot /etc/rc2.d/S65ipfboot

Create a startup script /etc/init.d/ipforward:
#!/bin/sh
# rc script: toggle kernel IP forwarding via ndd at boot/shutdown
case "$1" in
start)
    echo "Activating IP Forwarding..."
    /usr/sbin/ndd -set /dev/tcp ip_forwarding 1
    ;;
stop)
    echo "De-activating IP Forwarding..."
    /usr/sbin/ndd -set /dev/tcp ip_forwarding 0
    ;;
*)
    echo "Usage: $0 (start|stop)" >&2
    exit 1
    ;;
esac
exit 0

Make it executable
# chmod 744 /etc/init.d/ipforward

Then link it as /etc/rc2.d/S69ipforward
# ln -s /etc/init.d/ipforward /etc/rc2.d/S69ipforward

Note: ipforward must start after ipf and inet (hence S69, which sorts after S65ipfboot).
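Added here as an example, not part of the original how-to: a variant of the ipforward start/stop logic that reads ip_forwarding back after setting it (the check the text above asks you to do by hand) and rejects any value other than 0 or 1. The NDD variable is an assumption of this example so the logic can be exercised with a stand-in for /usr/sbin/ndd on a host that has no ndd; on a real Solaris box leave it at the default.

```shell
#!/bin/sh
# Added example (not from the original how-to): an idempotent IP-forwarding
# toggle that verifies the kernel setting after changing it, so a failed
# ndd call cannot leave the NAT box in an unknown state.
#
# NDD is an assumption of this example: it defaults to Solaris' ndd but can
# be pointed at a stand-in command for testing on other systems.
NDD=${NDD:-/usr/sbin/ndd}

# Print the current ip_forwarding value (0 or 1) as reported by the kernel.
ip_forwarding_get() {
    "$NDD" -get /dev/tcp ip_forwarding
}

# Set ip_forwarding to $1 (0 or 1) only if it differs, then read it back.
# Returns 0 when the kernel reports the requested value, 1 on mismatch,
# 2 on a bad argument.
ip_forwarding_set() {
    want=$1
    case $want in
        0|1) ;;
        *) echo "ip_forwarding_set: value must be 0 or 1" >&2; return 2 ;;
    esac
    have=$(ip_forwarding_get)
    if [ "$have" != "$want" ]; then
        "$NDD" -set /dev/tcp ip_forwarding "$want"
    fi
    have=$(ip_forwarding_get)
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "ip_forwarding: wanted $want, kernel reports $have" >&2
    return 1
}

# rc-script entry point with the same start/stop interface as above, plus
# "status". Running with no argument only defines the functions.
case "${1:-}" in
    start)  ip_forwarding_set 1 ;;
    stop)   ip_forwarding_set 0 ;;
    status) ip_forwarding_get ;;
    "")     ;;
    *)      echo "Usage: $0 {start|stop|status}" >&2; exit 1 ;;
esac
```

Installed as /etc/init.d/ipforward in place of the plain script, "start" now fails with a message if the kernel does not report 1 afterwards, which is the condition a boot log should show rather than hide.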

(v) ipf and NAT rule sets:
Create a file called /etc/opt/ipf/ipnat.conf.
/etc/opt/ipf/ipf.conf already exists and is empty.

The file /etc/opt/ipf/ipf.conf is used to write your
firewall rules, which is beyond the scope of this document.
Check the IP Filter HOWTO page for more info:
http://unixcircle.com/ipf

(4) Installing OpenSSH (optional)
One can go the easy way and just grab a binary package from
http://www.sunfreeware.com, or learn a lot by building by hand
(in this order). Make sure you read the README or INSTALL file that
comes in each package:

1. Get & install Perl
2. Get & install zlib
3. Get & install OpenSSL
4. Get & install OpenSSH

- Startup script for sshd, save it as /etc/rc3.d/S99sshd

#!/sbin/sh
# rc script: start/stop the hand-built OpenSSH daemon
case "$1" in
'start')
    if [ -x /usr/local/sbin/sshd ]; then
        echo 'Starting Secure Shell: sshd';
        /usr/local/sbin/sshd
    fi
    ;;
'stop')
    # kills every sshd owned by root, i.e. the listener and any
    # privileged per-session daemons
    /usr/bin/pkill -x -u 0 sshd
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
exit 0

- Then make it executable:
# chmod 744 /etc/rc3.d/S99sshd

(5) Configure syslogd to send to a syslog server

Make sure ipmon is run with the options -Dsnxa in /etc/init.d/ipfboot.

To have ipmon log to syslog, you need to add the following
to /etc/syslog.conf:

...
# IP Filter
# Log to local
local0.info;local0.err;local0.debug /var/log/ipflog
#
# Log to a dedicated syslog server
local0.info;local0.err;local0.debug ifdef('LOGHOST', /var/log/ipflog, @loghost)
...

Remember: syslog.conf requires a tab, not spaces, between the selector and the action.
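Added here as an example, not part of the original how-to: a small checker for the tab rule just stated. It flags every rule line in a syslog.conf whose selector and action are separated by something other than a tab, the mistake that leaves ipmon's messages out of /var/log/ipflog and off the loghost. The sample file it builds is constructed for the demonstration and mirrors the fragment above, with the loghost rule deliberately written with a space.

```shell
#!/bin/sh
# Added example (not from the original how-to): lint /etc/syslog.conf for
# rule lines that use spaces instead of the required tab between the
# selector (facility.level list) and the action (file, @host, ...).

# Print "lineno: text" for every rule line in $1 whose first whitespace
# character is not a tab. Blank lines and comments are skipped.
syslog_bad_lines() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        {
            if (match($0, /[ \t]/) == 0 || substr($0, RSTART, 1) != "\t")
                printf "%d: %s\n", NR, $0
        }
    ' "$1"
}

# Number of offending lines in $1 (0 means the file passes the check).
syslog_bad_count() {
    syslog_bad_lines "$1" | wc -l | tr -d ' '
}

# Build a constructed sample mirroring the fragment above: the local rule
# uses a tab, the loghost rule wrongly uses a space. Prints the temp path.
make_sample_conf() {
    f=$(mktemp) || return 1
    {
        printf '# IP Filter\n'
        printf '# Log to local\n'
        printf 'local0.info;local0.err;local0.debug\t/var/log/ipflog\n'
        printf '#\n'
        printf '# Log to a dedicated syslog server\n'
        printf "local0.info;local0.err;local0.debug ifdef('LOGHOST', /var/log/ipflog, @loghost)\n"
    } > "$f"
    echo "$f"
}

# Stand-alone run: lint the constructed sample and report.
conf=$(make_sample_conf)
if [ "$(syslog_bad_count "$conf")" -eq 0 ]; then
    echo "syslog.conf check: OK"
else
    echo "syslog.conf check: selector/action not tab-separated on:"
    syslog_bad_lines "$conf"
fi
rm -f "$conf"
```

To check the live file, call syslog_bad_lines /etc/syslog.conf before restarting syslogd; an empty result means every rule is tab-separated.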

(6) Reboot and enjoy.

(End)