The easiest way to install these files is to use the command:

    make install

This command uses information in the Makefile to place the objects in the correct place. The process is shown in the following command sequence:

    pc# make install
    if [ ! -d /usr/local/etc ]; then mkdir /usr/local/etc; fi
    for a in config lib auth smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw; do ( cd $a; echo install: `pwd` ; make install ); done
    install: /usr/tis/fwtk/config
    if [ ! -f /usr/local/etc/netperm-table ]; then cp netperm-table /usr/local/etc; chmod 644 /usr/local/etc/netperm-table; fi
    install: /usr/tis/fwtk/lib
    install: /usr/tis/fwtk/auth
    if [ -f /usr/local/etc/authsrv ]; then mv /usr/local/etc/authsrv /usr/local/etc/authsrv.old; fi
    cp authsrv /usr/local/etc
    chmod 755 /usr/local/etc/authsrv
    if [ -f /usr/local/etc/authmgr ]; then mv /usr/local/etc/authmgr /usr/local/etc/authmgr.old; fi
    cp authmgr /usr/local/etc
    chmod 755 /usr/local/etc/authmgr
    if [ -f /usr/local/etc/authload ]; then mv /usr/local/etc/authload /usr/local/etc/authload.old; fi
    cp authload /usr/local/etc
    chmod 755 /usr/local/etc/authload
    if [ -f /usr/local/etc/authdump ]; then mv /usr/local/etc/authdump /usr/local/etc/authdump.old; fi
    cp authdump /usr/local/etc
    chmod 755 /usr/local/etc/authdump
    install: /usr/tis/fwtk/smap
    if [ -f /usr/local/etc/smap ]; then mv /usr/local/etc/smap /usr/local/etc/smap.old; fi
    cp smap /usr/local/etc
    chmod 755 /usr/local/etc/smap
    install: /usr/tis/fwtk/smapd
    if [ -f /usr/local/etc/smapd ]; then mv /usr/local/etc/smapd /usr/local/etc/smapd.old; fi
    cp smapd /usr/local/etc
    chmod 755 /usr/local/etc/smapd
    install: /usr/tis/fwtk/netacl
    if [ -f /usr/local/etc/netacl ]; then mv /usr/local/etc/netacl /usr/local/etc/netacl.old; fi
    cp netacl /usr/local/etc
    chmod 755 /usr/local/etc/netacl
    install: /usr/tis/fwtk/plug-gw
    if [ -f /usr/local/etc/plug-gw ]; then mv /usr/local/etc/plug-gw /usr/local/etc/plug-gw.old; fi
    cp plug-gw /usr/local/etc
    chmod 755 /usr/local/etc/plug-gw
    install: /usr/tis/fwtk/ftp-gw
    if [ -f /usr/local/etc/ftp-gw ]; then mv /usr/local/etc/ftp-gw /usr/local/etc/ftp-gw.old; fi
    cp ftp-gw /usr/local/etc
    chmod 755 /usr/local/etc/ftp-gw
    install: /usr/tis/fwtk/tn-gw
    if [ -f /usr/local/etc/tn-gw ]; then mv /usr/local/etc/tn-gw /usr/local/etc/tn-gw.old; fi
    cp tn-gw /usr/local/etc
    chmod 755 /usr/local/etc/tn-gw
    install: /usr/tis/fwtk/rlogin-gw
    if [ -f /usr/local/etc/rlogin-gw ]; then mv /usr/local/etc/rlogin-gw /usr/local/etc/rlogin-gw.old; fi
    cp rlogin-gw /usr/local/etc
    chmod 755 /usr/local/etc/rlogin-gw
    install: /usr/tis/fwtk/http-gw
    if [ -f /usr/local/etc/http-gw ]; then mv /usr/local/etc/http-gw /usr/local/etc/http-gw.old; fi
    cp http-gw /usr/local/etc
    chmod 755 /usr/local/etc/http-gw

With the Toolkit successfully installed and compiled, the next step is the security policy and the configuration of the Toolkit.

Preparing for Configuration

When configuring the Toolkit, the first step is to turn off all unnecessary services that are running on the system that will affect your firewall. This requires that you have some level of Unix knowledge regarding the system startup procedure and services for your system. For example, you may have to:

- Edit the /etc/inetd.conf file
- Edit the system startup scripts such as /etc/rc /etc/rc2.d/* and others
- Edit the operating system configuration to disable unnecessary kernel-based services

You can use the ps command to see that a number of services are in operation. The following output shows such services on a sample system:

    pc# ps -aux
    USER      PID %CPU %MEM  VSZ  RSS TT  STAT STARTED    TIME COMMAND
    root      442  0.0  1.7  144  240 p0  R+    3:34AM 0:00.04 ps -aux
    root        1  0.0  1.7  124  244 ??  Is    3:02AM 0:00.08 /sbin/init --
    root        2  0.0  0.1    0   12 ??  DL    3:02AM 0:00.01 (pagedaemon)
    root       15  0.0  6.0  816  888 ??  Is    3:03AM 0:00.47 mfs -o rw -s 1
    root       36  0.0  1.5  124  220 ??  Ss    3:03AM 0:00.21 syslogd
    root       40  0.0  1.2  116  176 ??  Ss    3:03AM 0:00.06 routed -q
    root       77  0.0  0.5   72   72 ??  Ss    3:03AM 0:00.34 update
    root       79  0.0  1.6  284  232 ??  Is    3:03AM 0:00.08 cron
    root       85  0.0  0.3   72   36 ??  I     3:03AM 0:00.01 nfsiod 4
    root       86  0.0  0.3   72   36 ??  I     3:03AM 0:00.01 nfsiod 4
    root       87  0.0  0.3   72   36 ??  I     3:03AM 0:00.01 nfsiod 4
    root       88  0.0  0.3   72   36 ??  I     3:03AM 0:00.01 nfsiod 4
    root       91  0.0  1.0   96  144 ??  Is    3:03AM 0:00.07 rwhod
    root       93  0.0  1.3  112  180 co- I     3:03AM 0:00.05 rstatd
    root       95  0.0  1.3  128  192 ??  Is    3:03AM 0:00.07 lpd
    root       97  0.0  1.3  104  184 ??  Ss    3:03AM 0:00.13 portmap
    root      102  0.0  1.6  332  224 ??  Is    3:03AM 0:00.05 (sendmail)
    root      108  0.0  1.4  144  200 ??  Is    3:03AM 0:00.11 inetd
    root      117  0.0  2.1  228  300 co  Is+   3:03AM 0:00.90 -csh (csh)
    root      425  0.0  2.0  156  292 ??  S     3:33AM 0:00.15 telnetd
    chrish    426  0.0  2.1  280  304 p0  Ss    3:33AM 0:00.26 -ksh (ksh)
    root      440  0.4  1.9  220  280 p0  S     3:34AM 0:00.17 -su (csh)
    root        0  0.0  0.1    0    0 ??  DLs   3:02AM 0:00.01 (swapper)
    pc#

By editing the /etc/inetd.conf file so that it resembles the following output, you can reduce the number of active processes. This reduces the load on the system and, more importantly, does not accept TCP connections on unnecessary ports.

    #
    # Internet server configuration database
    #
    # BSDI $Id: inetd.conf,v 2.1 1995/02/03 05:54:01 polk Exp $
    # @(#)inetd.conf 8
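One way to check the result of the inetd.conf edit described above, as an added example that is not part of the original text: the script lists every entry still enabled in an inetd.conf and reports those whose service name is not on an approved list. The function names, the allowlist and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for services that are still enabled.
# Function names and the sample file are constructed for illustration.

# Print "service/protocol server-program" for each active (uncommented) entry.
# inetd.conf fields: name socket-type protocol wait-flag user program [args]
inetd_active() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF >= 6 { print $1 "/" $3, $6 }
    ' "$1"
}

# Print active entries whose service name is not on the allowlist.
# usage: inetd_unexpected FILE approved-service...
inetd_unexpected() {
    file=$1; shift
    allow=" $* "
    inetd_active "$file" | while read -r svc prog; do
        case "$allow" in
            *" ${svc%%/*} "*) ;;           # approved service: no output
            *) echo "$svc $prog" ;;
        esac
    done
}

# Constructed sample: two proxied services, one disabled, two left enabled.
make_sample() {
    cat <<'EOF'
# constructed sample, not a real system's file
ftp     stream  tcp  nowait  root    /usr/local/etc/netacl  ftpd
telnet  stream  tcp  nowait  root    /usr/local/etc/tn-gw   tn-gw
#shell  stream  tcp  nowait  root    /usr/libexec/rshd      rshd
finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd   fingerd
ntalk   dgram   udp  wait    root    /usr/libexec/ntalkd    ntalkd
EOF
}

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
make_sample > "$sample"
echo "Enabled but not approved:"
inetd_unexpected "$sample" ftp telnet
```

Run against the real file as `inetd_unexpected /etc/inetd.conf ftp telnet`, then send inetd a HUP signal after editing so that it rereads its configuration.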