User's guide

Protogate Freeway Security Features User’s Guide (SFUG) Appendix A. Sample rc.startsra File
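# export TARGET2=192.168.1.2
export NTP_SERVER=192.168.1.1
export NTP_SERVERB=192.168.1.2

#######################################
# Run one hardening command and report a failure on stderr.
# This rc file does not run under "set -e", so a sysctl or ipfw
# invocation that fails (module not loaded, typo in a rule, ...)
# would otherwise go unnoticed and leave the unit less protected
# than this file intends. Execution of the rc file still continues
# after a failure, as before; only the diagnostic is new.
# Arguments: the command and its arguments
# Outputs:   "rc.startsra: command failed ..." on stderr on failure
# Returns:   the exit status of the command
#######################################
sra_run() {
  local rc
  "$@"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    printf 'rc.startsra: command failed (status %d): %s\n' "$rc" "$*" >&2
  fi
  return "$rc"
}

# setup to write any core files to the read-write /var/ partition
sra_run sysctl kern.corefile=/var/%N_%P.core
# sysctl net.inet.tcp.keepidle=300000
# sysctl net.inet.tcp.keepintvl=60000
# sysctl net.inet.tcp.always_keepalive=1
# For security: disable all pkt forwarding,
# using both sysctl and the firewall;
# disallow sending or receiving of any packet
# which is not sourced or destined directly
# to this Freeway;
# also disallow sending of ICMP "time exceeded"
# packets, which could be used by traceroute
# to discover information about the network.
sra_run sysctl net.inet.ip.forwarding=0
sra_run sysctl net.inet6.ip6.forwarding=0
sra_run ipfw add 20100 deny ip from not me to not me
sra_run ipfw add 20200 deny icmp from me to any icmptypes 11
# For security: deny all access to timestamp info via ICMP packets
sra_run ipfw add 20300 deny icmp from any to any icmptypes 13
sra_run ipfw add 20400 deny icmp from any to any icmptypes 14
# For security: deny all access to unnecessary ports
# NOTE(review): this is a deny-list -- only the ports listed below are
# blocked and every other listening service stays reachable; confirm
# the resulting set of open ports is the intended one.
sra_run ipfw add 21000 deny tcp from any to me 23 # telnet
sra_run ipfw add 21100 deny tcp from any to me 80 # http
sra_run ipfw add 21200 deny tcp from any to me 513 # login
sra_run ipfw add 21300 deny tcp from any to me 514 # shell
# ipfw add 21400 deny tcp from any to me 20 # ftp-data
# ipfw add 21500 deny tcp from any to me 21 # ftp
# ipfw add 21600 deny tcp from any to me 8208 # Freeway daemon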
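# For security: Turn telnet and rlogin off in inetd.conf, too
#######################################
# Comment out the telnet and login entries of an inetd.conf file.
# The previous file is kept as <conf>.prev; the new content is built
# in <conf>.new (copied from <conf> first, so ownership and mode are
# kept) and then renamed over <conf>. The original mv-then-redirect
# sequence left the system with no inetd.conf at all if sed failed,
# and reported nothing; here every step is checked and a failure is
# printed on stderr while the existing file stays untouched.
# The patterns match any line beginning with "t" or "l", so any other
# service whose name starts with those letters is disabled as well --
# this is unchanged from the original rule set.
# Arguments: $1 - path to the inetd.conf to edit
# Outputs:   diagnostic on stderr when a step fails
# Returns:   0 on success, 1 on failure
#######################################
comment_inetd_services() {
  local conf=$1
  if ! cp -p "$conf" "$conf.prev"; then
    printf 'rc.startsra: cannot back up %s\n' "$conf" >&2
    return 1
  fi
  if ! cp -p "$conf" "$conf.new"; then
    printf 'rc.startsra: cannot create %s.new\n' "$conf" >&2
    return 1
  fi
  # A line starts with at most one character, so one sed pass with both
  # expressions is equivalent to the former two-stage pipeline.
  if sed -e 's/^t/#t/' -e 's/^l/#l/' "$conf.prev" > "$conf.new"; then
    if ! mv -f "$conf.new" "$conf"; then
      printf 'rc.startsra: cannot install %s\n' "$conf" >&2
      rm -f "$conf.new"
      return 1
    fi
  else
    rm -f "$conf.new"
    printf 'rc.startsra: failed to rewrite %s\n' "$conf" >&2
    return 1
  fi
  return 0
}

# The root file system is mounted read-only on some units (marker file
# /read_only_mounts); remount it read-write only for the edit, and say
# so if the remount fails instead of discarding the error.
if [ -f /read_only_mounts ]; then
  mount -u -o rw / || printf 'rc.startsra: could not remount / read-write\n' >&2
fi
comment_inetd_services /ro/etc/inetd.conf
if [ -f /read_only_mounts ]; then
  mount -u -o ro / || printf 'rc.startsra: could not remount / read-only\n' >&2
fi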
# For security: Disallow direct root or shell login via ssh
if /usr/bin/grep -- "^[^#]
*
PermitRootLogin no" /ro/etc/ssh/sshd_config >/dev/null; then
echo "SSH already disallows root/shell login -- will not modify again."
else
if [ -f /read_only_mounts ]; then
mount -u -o rw / 2>/dev/null
fi
echo "PermitRootLogin no" > /ro/etc/ssh/sshd_config
echo "Banner /etc/motd" >> /ro/etc/ssh/sshd_config
echo "Subsystem sftp /usr/libexec/sftp-server" >> /ro/etc/ssh/sshd_config
Protogate DC-908-3004A 29