- Basic Packet Filters on Netware 5.x
by: Jim Huddle CNE, CNE5, CBS, MCSE, send
time (#001 in the series) I told you about the DHCPCLNT.NLM
which Novell included with Netware 5.x. There was a quick
procedure showing how to configure the server to use the NLM.
that you are connected, everything is great, yes? Well, no,
it isnt. Youve got a nice, wide pipe to the Internet
and it doesnt take any of your PCs resources to
work. The only problem is that wide pipe is also wide open
to all the nasty children of evil out there. Even though Netwares
security is legendary, it doesnt by default stop malicious
folks from trying to get to the Windows PCs you have behind
the server. As set up, itll pass through just about
everything that hits the Public NIC. Since most folks are
running some form of Windows, this leaves a major security
hole for those defenceless PCs on your private segment.
going to need some packet filtering to begin the process of
safeguarding your inner network. You start by loading FILTSERV.NLM
at the console prompt. This sets up the environment for packet
filtering. Next enter IPFLT and press Enter. Now type in FILTCFG
and press Enter. From there select Configure TCP/IP Filters-Packet
Forwarding Filters. Change Status to Enabled. Under Action,
make sure Deny Packet in Filter List is selected. Under Filters
and Exceptions you can create packet filters which will leave
your system as open as you like, or nail it down so it will
be practically invisible to outsiders.
go through adding a Filter here that denies ping requests
coming to the Public NIC. If youre really keen to nail
down your system packet wise, then I recommend the book by
Craig Johnson (he's a Novell Support connection SysOp) called
Novell BorderManager: A Beginners Guide to Configuring
Filter Exceptions (http://www.caledonia.net). Just about everything
I know on this subject comes from this book.
Filters and make sure it says (List of Denied Packets), then
press Enter. The screen which appears will be the same whether
you are creating a Filter or Filter Exception. The top window
shows the filter highlighted by the bottom window. Press the
Insert key. This calls the Define Filter window. Leave the
Source Interface Type and Destination Interface Type with
the default of Interface. Next select the Source and Destination
Interface. A couple of points to note here: the Source Interface
is the origin of the packet type you are filtering; the Destination
Interface is the NIC that receives the packet.
the Source Interface with the default of <All Interfaces>
and change the Destination Interface to Public (or whatever
youve named the external NIC). Arrow key down to Packet
Type and hit Enter. As youll see, Novell has kindly
created a long list of packet types for you. Scroll down and
locate the packet type "icmp". Press Enter and Packet
Type will show icmp. Leave the other fields as they are, except
for Comment because you may want to add a description. Press
Escape and Yes to save the filter. Press Escape until you
are prompted to exit FILTCFG and select Yes.
at the console prompt, enter UNLOAD IPFLT and press Enter.
To test the filter, get a friend on a remote network to ping
your external address (check the DHCPCLNT information screen
to get your current address). With IPFLT unloaded it should
answer your friends query. Type IPFLT at the console
prompt. This should activate all filters in place. Have your
friend try another ping. He or she will get zip for an answer.
The Public interface will pass the packet to the TCP/IP stack
and the stack, using the filters in place, will determine
that the ping packet should just be discarded. Pretty slick
see what else you need to block, you can point your browser
to a couple of web sites that will scan your connection for
vulnerabilities. The first is http://scan.sygatetech.com.
This is run by the folks at Sybergen who sell security software.
The other is http://www.grc.com. This is the home of Gibson
Research. You may remember Steve Gibson from using his Spinrite
product back in the MFM/RLL hard disk days. He still sells
Spinrite, updated for current drives, but he's also expanded
his efforts into the security area. Click the Shield's Up
image to get to his scanning engine. When youve completed
scans from either of these sites youre going to be very
afraid. However, you will know what you need add in the way
of filters to protect your system.
it again, Im over my word limit. Next time, some really
neat stuff about Netware 6.
to the Editor are welcome and occasionally abused in public.
Send e-mail to: firstname.lastname@example.org