http://docs.style.net/os/solaris/common/SunScreen-v3.2.txt
SunScreen v3.2 on Solaris 9 QuickStart v1.03
============================================
[August 16th, 2002 / kspinka@style.net]
1. Install SunScreen v3.2
=========================
1. If you did not already install SunScreen with the Solaris 9 installer,
you must install it. It is located on disc 2 of the Solaris 9
Software distribution in Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/.
To install it from the command line, run "install -nodisplay".
2. After the installation, there may be a list of packages that are
not installed, but required in order for SunScreen to run. You can
find them on disc 1 of the Solaris 9 Software distribution in
Solaris_9/Product/ and add them by running "pkgadd -d . [package_name]".
3. Reboot
2. Configure SunScreen v3.2
===========================
1. Run "ssadm configure" and complete the questionnaire.
This command initializes a default set of operating parameters for
the packet filter.
---
Choose routing mode: the only advantage of stealth mode is that the
screening interface is never plumbed at layer 3 (i.e. never given an
address with ifconfig), and we will of course have to plumb the
interface in order to have IP connectivity on the host. Choose local
administration only, to avoid exposing the administration system.
Choose "permissive" for the default policy; we will customize this later.
---
2. Run "ssadm edit Initial" to begin editing the packet filter.
This command starts the command line editor for the "Initial"
configuration set. You can maintain many separate configurations.
---
You should see a prompt "edit>" where you can issue commands. Try
the command "list rules" or "list services" to get an idea of how this
works. Issue "delete rule 1" to remove the default rule installed by
the initial configure script. We will add just a bare minimum to get
ssh access to our box, but permit all outgoing traffic. Next, issue
"add ADDRESS self HOST 192.168.1.10 COMMENT "this host"". Because
this packet filter uses an object concept to refer to entities, we
need to declare, at the minimum, an object for our own host ("self")
so we can refer to it later in the rules. Be sure to replace the
example IP address with that of your host. Now, issue:
add rule ssh * self ALLOW LOG SUMMARY COMMENT "allow ssh from anywhere"
add rule ping * * ALLOW COMMENT "icmp echo"
add rule netbios * * DENY COMMENT "drop these MS broadcasts, but don't log them"
add rule * localhost * ALLOW COMMENT "allow outgoing flows to be setup"
add rule * * self DENY LOG DETAIL COMMENT "drop & log all other packets"
We now have a very restrictive, but very functional rule base. Verify
your configuration by issuing "verify"; then you may proceed to save it
by issuing "save". We are done with the edits for now, so issue "quit".
---
3. Run "ssadm activate Initial" to turn on your new ruleset.
3. Using Logs
=============
1. Run "ssadm log get | ssadm logdump -i - logwhy 256" to access the current
log of all dropped packets. If you want to see all log entries, including
packets that were logged and permitted through, omit the "logwhy 256".
4. Dynamic Network Address Translation (NAT)
============================================
For demonstration purposes, we will assume that you have two network adapters, and
that you are trying to translate packets from your "internal" network interface,
172.16.10.1/24, to an Internet routable IP address on your "public" network interface.
Simply adjust the references of the 172.16.10.0 network and hosts to match your
network configuration.
1. Run "ssadm edit Initial"
---
Issue:
add ADDRESS "ifInternal" HOST 172.16.10.1
add ADDRESS "ipPublic" GROUP { localhost } { ifInternal }
add ADDRESS "netInternal" RANGE 172.16.10.2 172.16.10.255
add ADDRESS "ipInternet" GROUP { * } { netInternal }
add NAT DYNAMIC "netInternal" "ipInternet" "ipPublic" "ipInternet"
save
quit
---
2. Then you will need to reactivate your screen by typing "ssadm activate Initial"
[EOF]