Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: FW-1 - less secure ?
From: Jean-Christophe Touvet <jct @ EdelWeb . fr>
Date: Mon, 30 Sep 1996 10:19:59 +0200
To: Darren Reed <avalon @ coombs . anu . edu . au>
Cc: klynn @ cyberspace . com (DOA), Firewalls @ greatcircle . com
In-reply-to: <199609290830 . BAA03610 @ miles . greatcircle . com>

> Interestingly, I heard some gossip recently that Checkpoint (& Sun)
> weren't sure if Firewall-1 (or any firewall with FW-1 installed) could
> "Fail safe".

 Not really a failing condition, but if you're running FW1 at least on SunOS
(didn't try it with Solaris), *never* go from multi-user to single-user mode
(for example when you want to do a level 0 dump) without disconnecting the
machine from the network or issuing an adb command to disable IP forwarding.
Note that booting single-user is safe, since network interfaces are not
initialized.

 SunOS/FW1 hint: compile your kernel with IP forwarding disabled (-1). Add an
adb command (W1) at the end of the fwstart script to enable IP forwarding only
when the fw module is loaded, and add the reverse adb command (W0) at the
beginning of the fwstop script. You might also wrap your shutdown command.

    -JCT-

