[rescue] Putting an insecure machine on a network

Mike F lists at ibrew.net
Tue Mar 21 15:38:25 CST 2006 

Sheldon T. Hall wrote:
>  Mike F says ...
>   
>> Sheldon T. Hall wrote:
>>     
>>> In any case, adding the SUNW packages let me build IPFilter, even 
>>> though two of Mike F's listed packages don't seem to be 
>>> part of Solaris 7.
>>>
>>> However, the doco for ip_fil3.4.35 indicates that running "make 
>>> package" will build a package (maybe it does, no error messages 
>>> anyway) and kick off pkgadd to install it.  It certainly 
>>> doesn't do the 
>>> latter, and I can't figure out which of the zillion files 
>>> and directories holds or _is_ the alledged package.
>>>       
>>  
>> The package should be somewhere under the directory in which 
>> you built it; it'll be something like "ipf.pkg".
>> pkgadd -d  `find ./ -name *.pkg`  should do what you need.
>>     
>
> ... And it does!
>
> Hot damn.  You da man.
>
> Now, just one more little question....
>
> The box on which you just solved my ipfilter installation issues has two NICs.
> The built-in le0 is on my 192.168.0.0 network, with a gateway of 192.168.0.1
> providing access to the internet.
>
> I want to use the hme0 add-in NIC to provide access for the insecure laptop.
> I'd like for it to be in some completely different subnet (say 10.0.0.0/8),
> and to have access through the Solaris box _only_ to 192.168.0.1.  No access
> to th Solaris box itself, and no access to the rest of my 192.168.0.0/24
> network.
>
>   

Should be doable.

You'll want to do `ndd -set /dev/tcp ip_forwarding 1` to set forwarding
between the 2 interfaces (and maybe put it in an init script to persist
between reboots.)

Then you'll have to write your ipf.conf. This should be easy because
your needs are pretty simple :-)

ipf.conf:

# Start with default-deny rules
block in all
block out all
#Allow traffic on internal interface hme0 from internal host 10.0.0.2 to
internet gateway 192.168.0.1 with destination port xx
pass in quick on hme0 proto tcp from 10.0.0.2 to 192.168.0.1 port = xx
keep state
pass out quick on le0 proto tcp from 10.0.0.2 to 192.168.0.1 port = xx
keep state

That should do what you want to do. Let me know how it goes (or if it
doesn't :)

> I _thought_ I knew how to do this, but it seems I don't.  Can you endure
> giving me a tad more help on this?
>
> Thanks.
>
> -Shel
I've been looking at iptables a little lately, and I can tell you
ipfilter and pf are an absolute joy compared to iptables. Talk about
painful...

- Mike

More information about the rescue mailing list