The Network Monkey Series - Basic Packet Filters on Netware 5.x
Written by: Jim Huddle CNE, CNE5, CBS, MCSE
Last time (#001 in the series) I told you about the DHCPCLNT.NLM which Novell included with Netware 5.x. There was a quick procedure showing how to configure the server to use the NLM.
Now that you are connected, everything is great, yes? Well, no, it isn't. You've got a nice, wide pipe to the Internet and it doesn't take any of your PCs' resources to work. The only problem is that the wide pipe is also wide open to all the nasty children of evil out there. Even though Netware's security is legendary, it doesn't by default stop malicious folks from trying to get to the Windows PCs you have behind the server. As set up, it'll pass through just about everything that hits the Public NIC. Since most folks are running some form of Windows, this leaves a major security hole for those defenceless PCs on your private segment.
You're going to need some packet filtering to begin the process of safeguarding your inner network. You start by loading FILTSERV.NLM at the console prompt; this sets up the environment for packet filtering. Next enter IPFLT and press Enter. Now type in FILTCFG and press Enter. From there select Configure TCP/IP Filters, then Packet Forwarding Filters. Change Status to Enabled. Under Action, make sure Deny Packet in Filter List is selected. Under Filters and Exceptions you can create packet filters which will leave your system as open as you like, or nail it down so it will be practically invisible to outsiders.
I'll go through adding a Filter here that denies ping requests coming to the Public NIC. If you're really keen to nail down your system packet-wise, then I recommend the book by Craig Johnson (he's a Novell Support Connection SysOp) called Novell BorderManager: A Beginner's Guide to Configuring Filter Exceptions (http://www.caledonia.net). Just about everything I know on this subject comes from this book.
Select Filters and make sure it says (List of Denied Packets), then press Enter. The screen which appears will be the same whether you are creating a Filter or a Filter Exception. The top window shows the filter highlighted in the bottom window. Press the Insert key. This calls up the Define Filter window. Leave the Source Interface Type and Destination Interface Type at the default of Interface. Next select the Source and Destination Interface. A couple of points to note here: the Source Interface is the origin of the packet type you are filtering; the Destination Interface is the NIC that receives the packet.
Leave the Source Interface at the default of <All Interfaces> and change the Destination Interface to Public (or whatever you've named the external NIC). Arrow down to Packet Type and hit Enter. As you'll see, Novell has kindly created a long list of packet types for you. Scroll down and locate the packet type "icmp". Press Enter and Packet Type will show icmp. Leave the other fields as they are, except for Comment, where you may want to add a description. Press Escape and Yes to save the filter. Press Escape until you are prompted to exit FILTCFG and select Yes.
Back at the console prompt, enter UNLOAD IPFLT and press Enter. To test the filter, get a friend on a remote network to ping your external address (check the DHCPCLNT information screen to get your current address). With IPFLT unloaded it should answer your friend's query. Type IPFLT at the console prompt. This should activate all filters in place. Have your friend try another ping. He or she will get zip for an answer. The Public interface will pass the packet to the TCP/IP stack and the stack, using the filters in place, will determine that the ping packet should just be discarded. Pretty slick, huh?
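To make the filter definition and the load/unload test above concrete, here is a small model of the decision the TCP/IP stack makes once IPFLT applies the FILTCFG tables. This is an added example written for this page, not Novell code: it assumes the "Deny Packet in Filter List" action (a packet matching an Exceptions entry is forwarded, a packet matching a Filters entry is discarded, everything else is forwarded), and it also models the other FILTCFG action, Permit Packets in Filter List. The interface names, the "<Remote>" origin marker, the addresses and the monitoring-host exception are all constructed for the example.

```python
# Toy model of the FILTCFG packet-forwarding decision described in the
# article. Constructed example, not Novell code; field set is simplified
# to the ones the article touches plus a source address for exceptions.
from dataclasses import dataclass
from typing import Optional

ALL_INTERFACES = "<All Interfaces>"
ANY_TYPE = "<Any>"


@dataclass(frozen=True)
class Packet:
    origin_iface: str        # where the packet came from ("<Remote>" = Internet host, constructed)
    receiving_iface: str     # NIC that receives it (what a filter's Destination Interface names)
    proto: str               # "icmp", "tcp" or "udp"
    src_addr: str            # source IP as dotted text
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class FilterEntry:
    """One line of the Filters or Exceptions list (simplified)."""
    src_iface: str = ALL_INTERFACES
    dst_iface: str = ALL_INTERFACES
    packet_type: str = ANY_TYPE     # protocol name from the Packet Type list
    dst_port: Optional[int] = None  # only meaningful for tcp/udp entries
    src_addr: Optional[str] = None  # None matches any source address
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.src_iface not in (ALL_INTERFACES, pkt.origin_iface):
            return False
        if self.dst_iface not in (ALL_INTERFACES, pkt.receiving_iface):
            return False
        if self.packet_type not in (ANY_TYPE, pkt.proto):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_addr is not None and self.src_addr != pkt.src_addr:
            return False
        return True


def decide(pkt, filters, exceptions, action="deny", ipflt_loaded=True):
    """Return "forward" or "discard" for one packet.

    ipflt_loaded=False models the state after UNLOAD IPFLT: the tables
    still exist in FILTCFG but nothing applies them, so everything passes.
    """
    if not ipflt_loaded:
        return "forward"
    if any(e.matches(pkt) for e in exceptions):
        return "forward"            # Exceptions win over the Filters list
    in_list = any(f.matches(pkt) for f in filters)
    if action == "deny":
        return "discard" if in_list else "forward"
    if action == "permit":
        return "forward" if in_list else "discard"
    raise ValueError("action must be 'deny' or 'permit'")


# The filter from the article: any Source Interface, Destination Public, icmp.
ARTICLE_FILTERS = [
    FilterEntry(dst_iface="Public", packet_type="icmp",
                comment="deny ping requests arriving on the Public NIC"),
]

# Constructed exception: one monitoring host (TEST-NET address) may still ping us.
MONITOR_EXCEPTIONS = [
    FilterEntry(dst_iface="Public", packet_type="icmp", src_addr="192.0.2.10",
                comment="constructed: monitoring host may ping"),
]


def ping_from_internet(src_addr="198.51.100.7", **kw):
    """The friend's ping from a remote network, with or without IPFLT loaded."""
    return decide(Packet("<Remote>", "Public", "icmp", src_addr),
                  ARTICLE_FILTERS, [], **kw)


def scan_demo():
    """What an outside scan sees with only the icmp filter in place."""
    probes = {
        "icmp": Packet("<Remote>", "Public", "icmp", "198.51.100.7"),
        "tcp/80": Packet("<Remote>", "Public", "tcp", "198.51.100.7", 80),
    }
    return {name: decide(p, ARTICLE_FILTERS, []) for name, p in probes.items()}


if __name__ == "__main__":
    print("IPFLT unloaded, ping:", ping_from_internet(ipflt_loaded=False))  # forward
    print("IPFLT loaded,   ping:", ping_from_internet())                    # discard
    for probe, verdict in scan_demo().items():
        print(f"{probe:7s} -> {verdict}")
```

Two things the model makes visible. First, only packets received on Public are affected, so a ping from a PC on the private segment still goes out; but the predefined "icmp" packet type matches the whole protocol, so the echo reply coming back in on Public is discarded just like an outside ping request, which is why the filter looks like it "breaks" your own pings. Second, anything not in the Filters list (the tcp/80 probe here) is still forwarded, which is exactly why the scanning sites the article points to will find more to worry about than ICMP.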
To see what else you need to block, you can point your browser to a couple of web sites that will scan your connection for vulnerabilities. The first is http://scan.sygatetech.com. This is run by the folks at Sybergen, who sell security software. The other is http://www.grc.com. This is the home of Gibson Research. You may remember Steve Gibson from using his Spinrite product back in the MFM/RLL hard disk days. He still sells Spinrite, updated for current drives, but he's also expanded his efforts into the security area. Click the Shields Up image to get to his scanning engine. When you've completed scans from either of these sites you're going to be very afraid. However, you will know what you need to add in the way of filters to protect your system.
Done it again, I'm over my word limit. Next time, some really neat stuff about Netware 6.
Letters to the Editor are welcome and occasionally abused in public. Send e-mail to: whine@kickstartnews.com