TCP/IP v4.1 Security - First Step
So, TCIP 4.1 for OS/2 (to be correct MPTN 5.3) has firewall included without any documentation.
But It was found that command system of firewall is very similar to AIX firewall one. The documentation for AIX can be found at hobbes.nmsu.edu (ipfwdocs.zip).
Taking all this together you can get next steps to start the firewall:
1. Check the existence of the next lines in you config.sys:
DEVICE=C:\MPTN\PROTOCOL\IPSEC.SYSIf you cant find them, then add them.
DEVICE=C:\MPTN\PROTOCOL\FWIP.SYS
DEVICE=C:\MPTN\PROTOCOL\CDMF.SYS
DEVICE=C:\MPTN\PROTOCOL\MD5.SYS
2. Create configuration files
%ETC%\fwsecad.cnf |
- list of 'secure' interfaces (Firewall for OS/2 differ two types of network interfaces: secure and non-secure Put one IP address a line. IP addresses not in file are non-secure. |
%ETC%\security\fwfiltrs.cnf |
- firewall rules list.
Here is example: deny 0.0.0.0 0.0.0.0 0 0 icmp any 0 any 0 both both inbound This line disable incoming ICMP packets |
3. To enable firewall enter:
cfgfilt -u -iYou may add this lines into you \MPTN\BIN\SETUP.CMD file to run your firewall each time the computer started.
inetcfg -s firewall 1
File fwfiltrs.cnf consist of lines, that represent 'rules'. After getting IP packet, firewall check the file up-to-down until it will find:
a) deny rule - packet skipedRule line consist of fields, divided with spaces:
b) permit rule - packet processed
c) EOF - packet skiped
1) Rule action.
Has the value permit or deny. Any IP packet that matches the other fields in the filter definition will either be passed or blocked depending on the value of this field.
2,3) Source address definition
Two dotted-decimal addresses. The first is the desired address, and the second is a mask. The filter uses these fields by applying the mask to the source address of the packet (the mask is applied as a bitwise AND - the same as for IP subnet address masks). If the result of the mask operation is equal to the desired address, the source is deemed to match. For example, to match any address beginning 192.3.4.0 you would specify "192.3.4.0 255.255.255.0".
4,5) Destination address definition
These fields are used in the same way as the source address definition to determine the allowable destination address(es) for the filter.
6)Protocol.
Defines the protocol type of the IP packet. It may have any of the following values:
any - doesn't care what the protocol isNote that as SNG can only refer to protocols by names, it can only have specific rules for the previous protocols, and it will not accept rules for other protocols (for example, protocol number 89 for OSPF).
icmp - matches ICMP requests only
udp - matches UDP packets only
tcp - matches TCP packets only
tcp/ack - matches only TCP packets that have the acknowledgment bit on
ipsp - matches only IPSP (IP security protocol, an IBM-specific protocol for the SNG secure tunnel)
7,8) Source port / ICMP Type
The first field specifies the type of operation, the second the desired port number (for ICMP packets it's the ICMP Type of message). The port operation field is an arithmetic operator field which can have values of: any, eq, neq, lt, gt, le or ge. The operator is applied to the desired port field, so, for example, if the two fields were gt 1023, we would only match packets with a source port number of 1024 or higher.
9,10) Destination port / ICMP Code
This pair of fields is used in the same way as the source port fields to define which destination port(s) we want the filter to match. For ICMP packets, it refers to the ICMP Code field.
11) Adapter
This defines which adapter the packet is flowing through:
secure12) Routing
non-secure
both (doesn't care which adapter its flowing through)
Defines whether the packet has a destination or source of the firewall, or whether the destination and source are both other machines, in which case the firewall is behaving as an IP router. Possible values are:
local (coming to or from the firewall itself)13) Direction
route (going through the firewall)
both (doesn't care about the packet's routing)
Defines whether the packet is coming into or going out of the specified adapter. Possible values are:
inboundAttention! Next optional fields must be set in the form of 'name=value'. Ex:
outbound
both (doesn't care which way it is going)
deny 0.0.0.0 0.0.0.0 0 0 icmp eq 8 any 8 both both inbound l=yes f=only t=0
14) Log Control (l)
This packet decides if the packet should be logged or not. The default for permitted packets is no and for denied packets is yes.no15) Fragmentation Control (f)
yes
The possibilities are:
yes - matches header, fragments and nonfragmented packets16) Tunnel ID(T)
no - matches only nonfragmented packets
only - matches only headers and fragments.
Identifies the tunnel through which the packet must be sent. The value 0 means do not use a tunnel.
If someone has something to add: tvv@pharma.viaduk.net
Интересные ссылки: Право закон - проблема соотношения права и закона.
Комментариев к странице: 0 | Добавить комментарий
Домой | Проект ядро Core/2 | Проект OS/4 Download | Новости | Гостевая книга | Подробно обо всем | Нужные программы | Проекты | OS/2 FAQ | Всячина | За и Против | Металлолом | #OS2Russian | RDM/2 | Весёлые картинки | Наша галерея | Доска объявлений | Карта сайта | ПОИСК | ФОРУМ