Dear managers,
I am considering using Jeff Mogul's screend software as a building block
for our firewall system.
We are in the process of moving from DECstations MIPS/Ultrix to Alpha/OSF1
and we have got back some 5000/200 boxes with additional TURBOchannel Ethernet
adapters as well, so it could be an economically effective choice.
Anyway, I have some unresolved questions on this matter and I request
your help. Here they are (newbie questions, as you will see!):
1) On a 5000/200 under Ultrix 4.4, is there a reason to use the screend
package from gatekeeper.dec.com /pub/misc/vixie/screend/screend.tar.Z
instead of the screend delivered as part of the Ultrix distribution?
The README says: << It is functionally a bit more evolved ... >>
What is this evolution? Does it imply Ultrix kernel modification?
2) The README file of the package suggests adding the following options to the kernel:
options GWSCREEN
pseudo-device gwscreen
options GATEWAY
options IPFORWARDING=1
but the Ultrix screend(8) man page only suggests adding
pseudo-device gwscreen
Am I missing something??? Who is right? I have checked with kvar that
IPFORWARDING was set by default in my Ultrix kernel ... should I add the
other lines?
3) Does screend protect against source-routed packets? And how? Does it block IP
options as a whole or selectively? Is it optional?
4) Does screend allow filtering based on the source port?
5) Does screend distinguish between the "red" Internet interface and the "blue" internal
LAN interface on a DECstation with 2 Ethernet attachments?
The purpose of this question is to know whether anti-spoofing (i.e. rejecting "local"
packets in disguise which could appear at the inbound "red" interface) can be done
on the machine running screend or must be done at our Internet provider's router level
(as suggested in the Cheswick/Bellovin book for the "choke" machine).
6) The README file suggests running routed. Is it mandatory (and why?), and is it even wise?
7) Can I give the 2 interfaces IP addresses from the same net (class B in our case)
but different subnets, or should I use yet another network (class C, hopefully!)?
I once read a reply from Brent Chapman about problems at network boundaries ...
8) I have "played" a little with screend on a 5000/200 in this configuration:

                            ---------------------------
   -------------------------|        5000/200         |-------------------------
                            ---------------------------
          ^                       ^             ^                       ^
          |                       |             |                       |
   DMZ or "red"            "red" interface   "blue" interface    local or "blue"
     network                IP name: red      IP name: blue          network

I have configured /etc/screend.conf to allow packets from blue to red and to block
traffic from red to blue. Despite this setting, a machine belonging to the "red"
network can still reach (e.g. telnet) IP address blue. How does this come about?
How can we block access to blue?
Perhaps it is due to the fact that screend intercepts packets between ip_intr, which
determines if the packet is meant for "this host" (regardless of the interface), and
ip_forward (which routes the packet)?
9) Finally, are there commercial routers around (Cisco, Bay Networks, ...) which meet
all of these criteria (interface distinction, no source-route, destination AND
source filtering, logging capabilities, ...)?
This leads in fact to a fairly long list of questions!
If some of them are FAQs, please forgive me and give me the pointers.
I am posting this mail to the firewalls, alpha-osf-managers and decstation-managers lists.
Thanks in advance for your help,
Regards,
+--------------------------------------------------------------+
| Herve DEMARTHE %^) E-Mail: demarthe_at_alpha.cad.cea.fr |
| CEA/DSM/DRFC/STEP Tel: +33 42257527 Fax: +33 42252661 |
| CEN Cadarache Bt 506 13108 St Paul Lez Durance FRANCE |
| <<< Apprentiz de todo, Maestro de nada ... >>> |
| All opinions expressed herein are mine and not those of CEA. |
+--------------------------------------------------------------+
Received on Wed Mar 08 1995 - 09:43:54 NZDT
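Added example, not part of the post above and not screend's own code: a small Python model of an interface-aware packet screen that illustrates three of the points the questions touch on. It parses a raw IPv4 header and flags LSRR/SSRR source-route options (question 3), drops a packet arriving on the "red" interface whose source address belongs to the "blue" subnet (question 5), and shows why a filter hooked only into the forwarding path never sees a packet addressed to the screening host's own "blue" address, while a filter hooked before the local-delivery decision does (the hypothesis in question 8). The addresses, interface names, the HOST_ADDRS/IFACE_NET tables, the screen()/deliver() functions and the "input" versus "forward" hook placement are all constructed for the demo; the hook model is an assumption used to illustrate the hypothesis, not a description of how screend actually hooks the Ultrix kernel.

```python
import ipaddress
import struct

# IP option kinds from RFC 791 (constructed constants for this demo)
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # 0x83 loose / 0x89 strict source route

# Constructed topology (TEST-NET ranges); "red" is the Internet side, "blue" the LAN.
RED_NET = ipaddress.ip_network("192.0.2.0/24")
BLUE_NET = ipaddress.ip_network("198.51.100.0/24")
IFACE_NET = {"red": RED_NET, "blue": BLUE_NET}
# Addresses of the screening host's own two interfaces ("red" and "blue" names in the post).
HOST_ADDRS = {ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("198.51.100.1")}


def build_ipv4(src, dst, options=b"", proto=6):
    """Build a minimal IPv4 header (no payload); options are padded to a 4-byte multiple."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options


def parse_ipv4(pkt):
    """Return (src, dst, options_bytes); reject anything that is not a sane IPv4 header."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated header")
    return ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), pkt[20:ihl]


def has_source_route(options):
    """Walk the option list; True if an LSRR or SSRR option is present (question 3)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2:
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        i += length
    return False


def screen(pkt, in_iface):
    """Interface-aware rule set; returns ("accept"|"drop", reason)."""
    src, dst, opts = parse_ipv4(pkt)
    if has_source_route(opts):
        return ("drop", "source-routed")
    # Anti-spoofing (question 5): a source belonging to another interface's net is a fake.
    for name, net in IFACE_NET.items():
        if name != in_iface and src in net:
            return ("drop", f"spoofed {name} source on {in_iface}")
    # Policy from the post: blue -> red allowed, red -> blue denied.
    if in_iface == "red" and dst in BLUE_NET:
        return ("drop", "red->blue denied")
    return ("accept", "policy")


def deliver(pkt, in_iface, hook):
    """Model of the input path.  hook="forward": the screen only runs on packets that
    are going to be forwarded (the behaviour hypothesised in question 8).
    hook="input": the screen runs before the this-host decision (assumed alternative)."""
    _, dst, _ = parse_ipv4(pkt)
    if hook == "input":
        verdict, why = screen(pkt, in_iface)
        if verdict == "drop":
            return ("dropped", why)
    if dst in HOST_ADDRS:
        return ("local", "addressed to this host")
    if hook == "forward":
        verdict, why = screen(pkt, in_iface)
        if verdict == "drop":
            return ("dropped", why)
    return ("forwarded", "policy")


def demo():
    """Constructed packets exercising each case; returns a dict of outcomes."""
    telnet_to_blue = build_ipv4("192.0.2.50", "198.51.100.1")      # red host -> host's blue address
    lsrr = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("192.0.2.9").packed
    return {
        "forward-hook": deliver(telnet_to_blue, "red", "forward"),  # slips through as local delivery
        "input-hook": deliver(telnet_to_blue, "red", "input"),      # caught before local delivery
        "spoof": deliver(build_ipv4("198.51.100.7", "198.51.100.20"), "red", "input"),
        "lsrr": deliver(build_ipv4("192.0.2.50", "198.51.100.20", lsrr), "red", "input"),
        "blue-to-red": deliver(build_ipv4("198.51.100.20", "192.0.2.50"), "blue", "input"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} -> {outcome}")
```

The "forward-hook" case reproduces the symptom in question 8: the same packet that the rule set would drop is handed to local delivery before the screen ever sees it, so the fix is a hook placement (or a host-level rule) rather than a different screend.conf line.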