User's Guide
Chapter 6. Hardening a Freeway
This chapter shows how to use some of the capabilities of a Freeway to increase its security. Many of the examples are
taken from the sample rc.startsra file shown in Section A.1.
The techniques used to enhance security can be grouped into these categories:
• sysctl settings (Section 6.1 below)
• Firewall settings (Section 6.1 below)
• Turn off unnecessary services (Section 6.2 and Section 6.3)
• Set up NTP (Network Time Protocol) (Section 6.4)
• Disable SNMP (Simple Network Management Protocol) (Section 6.5)
• Secure the webserver (Section 6.6)
• Set up system logging (Section 6.7 and Section 6.8)
• Set up system-event auditing (Section 6.9)
6.1. Freeway Firewall Settings
Figure 6-1 is an example section of a Freeway rc.startsra file which sets some sysctl variables and creates
some ipfw firewall rules to enhance Freeway security. The sysctl settings turn off packet forwarding in the kernel;
rule 20100 then refuses any packet that is neither from nor to the Freeway itself, so transit traffic is blocked even
if forwarding were re-enabled. Two caveats apply. ipfw evaluates rules in ascending rule-number order and acts on the
first match, so these deny rules only affect traffic that no lower-numbered rule has already passed; whatever matches
none of them is handled by the default rule 65535, which accepts or denies depending on how the kernel's ipfw was
built. The commented-out rules for ftp-data, ftp and the Freeway daemon (port 8208) leave those ports reachable
unless you uncomment them.
Figure 6-1. Freeway Firewall Settings
# For security: disable all pkt forwarding,
# using both sysctl and the firewall;
# disallow sending or receiving of any packet
# which is not sourced or destined directly
# to this Freeway;
# also disallow sending of ICMP "time exceeded"
# packets, which could be used by traceroute
# to discover information about the network.
sysctl net.inet.ip.forwarding=0
sysctl net.inet6.ip6.forwarding=0
ipfw add 20100 deny ip from not me to not me
ipfw add 20200 deny icmp from me to any icmptypes 11
# For security: deny all access to timestamp info via ICMP packets
ipfw add 20300 deny icmp from any to any icmptypes 13
ipfw add 20400 deny icmp from any to any icmptypes 14
# For security: deny all access to unnecessary ports
ipfw add 21000 deny tcp from any to me 23 # telnet
ipfw add 21100 deny tcp from any to me 80 # http
ipfw add 21200 deny tcp from any to me 513 # login
ipfw add 21300 deny tcp from any to me 514 # shell
# ipfw add 21400 deny tcp from any to me 20 # ftp-data
# ipfw add 21500 deny tcp from any to me 21 # ftp
# ipfw add 21600 deny tcp from any to me 8208 # Freeway daemon
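The following audit script is an added example and is not part of the Freeway guide or of rc.startsra. It checks that the hardening in Figure 6-1 actually took effect by reading sysctl(8) and "ipfw list" output from standard input, so it can be run against captured text offline or, with --live, against the running Freeway. The list of ports it expects to see denied, the constructed sample ruleset, and the acceptance of both the "to me 23" and "to me dst-port 23" spellings are assumptions made for the example.

```sh
#!/bin/sh
# Audit script added as an editorial example; it is not part of the Freeway
# guide or of rc.startsra. It checks that the hardening in Figure 6-1 is in
# force: IP forwarding off in sysctl and every deny rule present in ipfw.
# Both checks read their input from stdin ("sysctl ..." and "ipfw list"
# output), so they also run offline on captured text; "--live" queries the
# running system instead of the constructed sample below.

# Ports closed by Figure 6-1. This list is an assumption: adjust it to the
# services your own rc.startsra disables (e.g. add 20 21 8208 if you
# uncomment those rules).
REQUIRED_DENY_PORTS="23 80 513 514"

# Constructed sample input in the formats printed by sysctl(8) and
# "ipfw list" on FreeBSD; not captured from a real Freeway.
SAMPLE_SYSCTL="net.inet.ip.forwarding: 0
net.inet6.ip6.forwarding: 0"
SAMPLE_RULES="20100 deny ip from not me to not me
20200 deny icmp from me to any icmptypes 11
20300 deny icmp from any to any icmptypes 13
20400 deny icmp from any to any icmptypes 14
21000 deny tcp from any to me 23
21100 deny tcp from any to me 80
21200 deny tcp from any to me 513
21300 deny tcp from any to me 514
65535 deny ip from any to any"

# check_forwarding: reads "name: value" lines from stdin and succeeds only
# when both IPv4 and IPv6 forwarding are 0.
check_forwarding() {
    sysctl_text=$(cat)
    v4=$(printf '%s\n' "$sysctl_text" | awk '$1 == "net.inet.ip.forwarding:" { print $2 }')
    v6=$(printf '%s\n' "$sysctl_text" | awk '$1 == "net.inet6.ip6.forwarding:" { print $2 }')
    [ "$v4" = "0" ] && [ "$v6" = "0" ]
}

# has_rule PATTERN: true if some line of $rules (set by audit_ruleset)
# matches the extended regular expression PATTERN.
has_rule() {
    printf '%s\n' "$rules" | grep -Eq "$1"
}

# audit_ruleset: reads "ipfw list" output from stdin, prints one line per
# missing rule and returns 1 if anything is missing, 0 if complete. Port
# rules are accepted in both the "to me 23" and "to me dst-port 23"
# spellings that different ipfw versions print.
audit_ruleset() {
    rules=$(cat)
    missing=0
    has_rule 'deny ip from not me to not me' \
        || { echo "missing: deny ip from not me to not me (no transit traffic)"; missing=1; }
    has_rule 'deny icmp from me to any icmptypes 11' \
        || { echo "missing: deny outgoing ICMP time-exceeded (traceroute)"; missing=1; }
    has_rule 'deny icmp from any to any icmptypes 13' \
        || { echo "missing: deny ICMP timestamp request"; missing=1; }
    has_rule 'deny icmp from any to any icmptypes 14' \
        || { echo "missing: deny ICMP timestamp reply"; missing=1; }
    for port in $REQUIRED_DENY_PORTS; do
        has_rule "deny tcp from any to me (dst-port )?$port([ ,]|\$)" \
            || { echo "missing: deny tcp from any to me $port"; missing=1; }
    done
    # The default rule 65535 is fixed when the kernel is built; if it is
    # "allow", every port not explicitly denied above stays reachable.
    if has_rule '^65535 allow ip from any to any'; then
        echo "warning: default rule 65535 is allow; consider a deny-by-default kernel"
    fi
    return $missing
}

# Entry point: --live audits this Freeway, anything else audits the sample.
if [ "${1:-}" = "--live" ]; then
    sysctl_in=$(sysctl net.inet.ip.forwarding net.inet6.ip6.forwarding)
    rules_in=$(ipfw list)
else
    sysctl_in=$SAMPLE_SYSCTL
    rules_in=$SAMPLE_RULES
fi
if printf '%s\n' "$sysctl_in" | check_forwarding; then
    echo "forwarding: disabled (OK)"
else
    echo "forwarding: ENABLED (sysctl setting missing)"
fi
if printf '%s\n' "$rules_in" | audit_ruleset; then
    echo "ipfw ruleset: all Figure 6-1 rules present (OK)"
fi
```

Run it as "sh audit.sh --live" on the Freeway after rc.startsra has executed; without arguments it audits the embedded sample. Because it only inspects the rule text, it cannot tell whether a lower-numbered allow rule shadows the denies; pair it with "ipfw show" to confirm the deny rules' packet counters increase when you probe the closed ports from another host.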