Systems and Workgroups: A Guide for
CAUTION: The configuration processes in this section change the security properties of your system. When enabling services, protocols, and ports, carefully consider the impact on your network and system security.
Enabling
To make sure
1. Discover your current lockdown state.
• If you are using Bastille 3.0 or later, create a configuration report. The report will be created in /var/opt/sec_mgmt/bastille/log/Assessment/
# bastille
• If you are using a version of Bastille earlier than 3.0, get the latest configuration file used by Bastille.
# bastille
NOTE: If you get the message
The system is in its
there is no need to proceed with this configuration, as daemons, services, and ports required by
2. Copy the last configuration file used or the assessment report to a place of your choice.
3. Bring up the latest configuration in the Bastille GUI.
# bastille
4. Make sure the settings in your configuration file for the following daemons and services are set to No. Note that if you have to change a setting from Yes to No, you will likely also have to enable that daemon or service on your system before you can use it. After you have made changes, save the configuration file to a place of your choice.
• Would you like to deactivate the NFS server on this system?
• Would you like to deactivate NIS client programs?
• Should Bastille ensure inetd's bootp service does not run on this system?
• Should Bastille ensure inetd's TFTP service does not run on this system?
5. To update your firewall or have Bastille create a new one:
a. Back up your /etc/opt/ipf/ipf.conf file to a place of your choice.
b. Update the port information for the
• Add the words keep frags to the end of the udp outgoing rule line so that it reads:
pass out quick proto udp all keep state keep frags
• Remove or
block in quick proto udp from any to any port = portmap
• Add the following lines after the End allow outgoing rules section.
# ports required for
############################################################
pass in log quick proto udp from any to any port = 69 keep state
pass in log quick proto udp from any port = 68 to any port = 67 keep state
pass in log quick proto udp from any port = 1068 to any port = 1067 keep state
pass in log quick proto tcp/udp from any to any port = 2049 keep frags
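As an added example that is not part of the original guide, the POSIX sh check below audits an ipf.conf for the rule changes listed in step 5: it reports each required rule that is missing and any still-active rule blocking portmap, so the edits can be verified before the firewall is reloaded. The function names check_ipf_conf and sample_conf are chosen for this example, and the two sample configurations are constructed here for illustration rather than taken from a real system.

```shell
# Audit an IPFilter ipf.conf for the step 5 edits: exit 0 only when every required
# rule is present and no uncommented rule still blocks portmap.
check_ipf_conf() {
    conf="$1"
    rc=0
    # Rules the procedure expects to find, one per line.
    required='pass out quick proto udp all keep state keep frags
pass in log quick proto udp from any to any port = 69 keep state
pass in log quick proto udp from any port = 68 to any port = 67 keep state
pass in log quick proto udp from any port = 1068 to any port = 1067 keep state
pass in log quick proto tcp/udp from any to any port = 2049 keep frags'
    # Drop comments and collapse whitespace so spacing differences do not matter.
    normalised=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
                     -e 's/^ //' -e 's/ $//' "$conf")
    missing=$(printf '%s\n' "$required" | while IFS= read -r rule; do
        printf '%s\n' "$normalised" | grep -Fxq -- "$rule" || printf 'MISSING: %s\n' "$rule"
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        rc=1
    fi
    # A block rule for portmap that is still active would keep NFS traffic out.
    if printf '%s\n' "$normalised" | grep -q '^block .*port = portmap'; then
        echo "STALE: a rule blocking portmap is still active"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: ipf.conf contains the required rules"
    return "$rc"
}
# Constructed sample configurations (not taken from any real system).
sample_conf() {
    case "$1" in
    before) cat <<'EOF'
pass out quick proto udp all keep state
block in quick proto udp from any to any port = portmap
EOF
    ;;
    after) cat <<'EOF'
pass out quick proto udp all  keep state keep frags
# block in quick proto udp from any to any port = portmap
# End allow outgoing rules
pass in log quick proto udp from any to any port = 69 keep state
pass in log quick proto udp from any port = 68 to any port = 67 keep state
pass in log quick proto udp from any port = 1068 to any port = 1067 keep state
pass in log quick proto tcp/udp from any to any port = 2049 keep frags
EOF
    ;;
    esac
}
```

Run it against your real file with check_ipf_conf /etc/opt/ipf/ipf.conf; a commented-out portmap rule is not reported because comments are stripped before matching.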