To be able to use the smitty Firewall screens, and especially to activate
rules, root must have these lines in its stanza in /etc/security/user:

    fwadmmask = -1      (Might also be 1048575)
    fwlogonmode = 3

I was getting the message

    root is not authorized to logon to the firewall in host mode.

if fwlogonmode wasn't equal to 3, and

    root does not have authorization for the following functional group: Traffic Control.
or
    root does not have authorization for the following functional group: Users.

when trying to do stuff.
--------------------------------------------------------------
The readable version of the firewall rules is at /etc/security/fwfilters.cfg,
but be aware that this file isn't really used. It's simply generated for
humans when the firewall rules are "activated".
--------------------------------------------------------------
There are 4 types of Firewall Objects.

1) Networks: Specifies
   - I.P. Address
   - Subnet Mask

2) Rules: Specifies
   - Action (Permit or Deny)
   - Protocol (all, tcp, tcp/ack, udp, icmp, ...)
   - Source Port (Any, =, not =, <, >, >= ...)
   - Destination Port (same as above)
   - Interface (Both, secure, non-secure, specific)
   - Routing (Both, local (i.e. Incoming, meaning source=not FW machine &
     destination=FW machine, or outgoing, meaning source=FW machine &
     destination=not FW machine), route (meaning source=not FW machine and
     destination=not FW machine))
   - Direction (both, inbound, outbound)
   - Log Control (yes or no)
   - Frag(mentation) Control (yes, no, only, headers)

     Applies to Packets        |        S E T T I N G
     of This Type              | Yes | No | Only | Headers
     --------------------------+-----+----+------+---------
     Non-Fragments             |  X  |  X |      |    X
     Fragment Headers          |  X  |    |  X   |    X
     Fragments Without Headers |  X  |  X |      |

   Data packets can become fragmented when they're too big. A problem I had
   once was from patgate (my FW machine), I was NFS-mounting & reading a
   large file. The fragmented UDP packets were being denied due to the
   "Deny nonsecure Syslog" rule which had "Yes".
   I changed it to "Headers" and fixed things.

3) Services: Contains a list of Rules
   Describes Flow  <--- or --->
   Other things typically not done are
   Can override
   - log
   - frag control
   and Specify
   - tunnel id
   - Control by time of day or weekday.

4) Connections: Defines
   - Source Network Object
   - Destination Network Object
   Contains a list of Services.
--------------------------------------------------------------
The firewall logs are typically kept at /var/adm/sng/logs, and are archived
nightly by a cron job, /usr/bin/fwlogmgmt -l to close out the daily log, or
/usr/bin/fwlogmgmt -a to archive them.

To list the archive file to see what files are inside,
    ar vt fwreg_l4.log.a
To retrieve one of those files,
    ar vx fwreg_l4.log.a 980318fwreg_l4.log.Z
To uncompress it,
    zcat 980318fwreg_l4.log.Z > 980318fwreg_l4.log
--------------------------------------------------------------
Notes from when I installed the Firewall 3.2.1.0 code on eagle on 2/17/1999.

Had to first install Netscape.nav.rte 3.0.0.0 (stolen from the Patent Server
site) and Java.rte (on AIX 4.3.1 install CD). Then installed
    FW.base       3.2.1.0
    FW.libraries  3.2.1.0
    FW.cfgcli     3.2.1.0
    FW.report     3.2.1.0

Visited /etc/inetd.conf, replaced the original ftpd line to use the wuftpd I
was working on. Started up inetd.

To fix the root user, I went into smitty ... and
  - IBM e-Network Firewall for AIX
    - Users
      - Change
        - User Name = root
and changed

                         Change IBM Firewall Users

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
  User Full Name                                       []
* User Name                                            root
* Authority Level                                      Firewall Administrator
* Secure interface shell                               /bin/ksh
* Non-Secure interface shell                           /bin/ksh
  Change User Password                                 no
* Local Login Authentication                           password
* Secure FTP Authentication                            deny
* Non-Secure FTP Authentication                        password   <-- Had to change.
* Secure Telnet Authentication                         password
* Non-Secure Telnet Authentication                     password   <-- Had to change.
* Secure IP Authentication                             password
* Non-Secure IP Authentication                         password
* Secure Administration Authentication                 password
* Non-Secure Administration Authentication             deny
  SecureNet key                                        []

  The following fields only apply to authentication by password
* Number of FAILED LOGINS before user account is locked  [0]    <- Had to fill in.
* Days to WARN USER before password expires              [30]   <- Had to fill in.
* Number of Passwords before reuse                       [20]   <- Had to fill in.
* Weeks before password reuse                            [26]   <- Had to fill in.
* Weeks between password EXPIRED and LOCKOUT             [4]    <- Had to fill in.
* Password Maximum Age                                   [26]   <- Had to fill in.
* Password Minimum Length                                [6]    <- Had to fill in.
* Password Minimum Alpha characters                      [1]    <- Had to fill in.
* Days to WARN USER before password expires              [1]    <- Had to fill in.
* Password Maximum repeated characters                   [2]    <- Had to fill in.
* Password Minimum different characters                  [1]    <- Had to fill in.

Note that there are 2 "Days to WARN USER before password expires" lines.
This is a bug. The second one is really "Password Minimum Other characters".

Even after that, I still had to
    chuser rlogin=true root
to be able to telnet in.
-----------------------------------------------------------------------------------
Fix /etc/security/user to remove everybody's login=false & rlogin=false lines
that SNG put in.
-----------------------------------------------------------------------------------
Added /etc/rc.local call back into /etc/inittab.
-----------------------------------------------------------------------------------
Commented out fwmaild & sockd lines in /etc/rc.tcpip.
===================================================================================
===================================================================================
Notes from when I updated ar0135e0/1 to eNetwork Firewall 3.2.3.0 on 5/1/99.

After the upgrade, I had to reset root's rlogin entry in /etc/security/user
from false to true, so I can login.
Also, amazingly, the Firewall code had changed root's SYSTEM clause from
"compat" to "NONE", which allowed root to login without a password. Amazing!
-----------------------------------------------------------------------------------
One note from the installp log said to
    Run "fwxmigrate" to generate network objects.
but immediately after that was this
    NOTICE: You must reboot immediately following installation.
When I tried running fwxmigrate both before and after rebooting, I got this
error message
    /etc/security/fwfilters.cfg.sng is required
-----------------------------------------------------------------------------------
I had to go into /etc/rc.tcpip and
  - Comment out named.
  - Uncomment sendmail.
  - Uncomment phttpd to get http proxy server working.
The only other difference between the old & new /etc/rc.tcpip was the old had
sslrctd in it. The new one has sslrctd removed. Since I don't know what
sslrctd is, I'll leave it like that for now.
-----------------------------------------------------------------------------------
I had to go into /etc/inetd.conf
  - Change the way the shell service was commented out, from "# fw #shell ..."
    to simply "#shell ..." so that we can rearm NIM when we need to.
  - Reenable sshdfail.
  - Comment out ftp.
  - Comment out telnet.
Other differences include
  - The old one had ssld enabled, the new one has it FW-commented out. I don't
    know what ssld is, so I left it that way.
  - The hardening process did a number to the ftp & tftp lines, but the bottom
    line is, it's all as it was before - all commented out.
  - The new one has sslrctd enabled, whatever that is. Perhaps it's a
    replacement for the old ssld (??).
-----------------------------------------------------------------------------------
I had to go into /etc/rc.net and, surprisingly, turn off ipforwarding. We don't
want ar0135e0/1 to be a router.
-----------------------------------------------------------------------------------
I had to go into /etc/inittab and put back in these 2 lines, which got removed.
    rclocal:2:wait:/etc/rc.local > /dev/console 2>&1
    lft:2:respawn:/usr/sbin/getty /dev/lft0
/etc/rc.local in particular has at least a route back to the 9. network, so
you can ssh from your office again.
-----------------------------------------------------------------------------------
I had to go into /etc/security/user and remove the
    login = false
    su = false
    rlogin = false
lines for the 2 personal userids we have, kurowski & tgriffin.
-----------------------------------------------------------------------------------
I noticed during the upgrade, the firewall code went through the /local
directory and set the owner of unowned files and directories to root, which is
fine with me, but will be undone the next time /local/bin/resynch.local.bin.sh
decides to rewrite that directory.
-----------------------------------------------------------------------------------
One part of the hardening process is to chmod 0000 /usr/bin/rcp, which
prevents NIM from the CWS from working. But I already have this accounted for
in the /local/bin/rearm-nim.sh script, where I chmod it back to 4554.
-----------------------------------------------------------------------------------
Had problems with wrong error messages in the /var/adm/sng/logs/fwreg_l4.log
file and other funkiness with messages. Called the Support Center and they had
me download from testcase.boulder.ibm.com the following two files to fix this
problem, both from the /aix/fromibm directory:
    cat_323.tar.Z
    cat_323.readme.txt
Essentially, it replaced a bunch of binaries to use the correct msg numbers.
This fixed all the wrong messages.
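The /etc/security/user problems these notes keep hitting (root missing fwadmmask/fwlogonmode, SYSTEM flipped to "NONE", personal userids left with login/su/rlogin = false) can be checked with a small stanza parser. This is an added example, not anything from the notes or the firewall product; the file contents are a constructed sample, and it assumes the standard AIX behaviour that attributes a user stanza omits are inherited from the default stanza.

```python
import re
# Constructed sample in the AIX stanza syntax of /etc/security/user (not a real
# host's file): root's SYSTEM flipped to "NONE", rlogin=false, a userid locked out.
SAMPLE_USER_FILE = """\
* /etc/security/user -- constructed sample
default:
        login = true
        rlogin = true
        SYSTEM = "compat"
root:
        SYSTEM = "NONE"
        rlogin = false
        fwadmmask = -1
kurowski:
        login = false
        su = false
        rlogin = false
"""

def parse_stanzas(text):
    """'name:' opens a stanza, 'attr = value' lines belong to it, '*' is a comment."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        header = re.match(r"^(\S+):$", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("*"):
            attr, value = (part.strip() for part in line.split("=", 1))
            current[attr] = value.strip('"')   # drop the quotes around e.g. "compat"
    return stanzas

def audit_user_file(text, interactive_users):
    """Report root lacking the firewall admin attributes, any user whose effective
    SYSTEM is NONE (no password asked), and interactive users SNG has locked out."""
    stanzas = parse_stanzas(text)
    default = stanzas.get("default", {})   # omitted attributes inherit from default
    users = {n: {**default, **a} for n, a in stanzas.items() if n != "default"}
    findings = []
    root = users.get("root", {})
    if root.get("fwadmmask") not in ("-1", "1048575") or root.get("fwlogonmode") != "3":
        findings.append("root: fwadmmask/fwlogonmode not set for firewall host-mode logon")
    for name, attrs in users.items():
        if attrs.get("SYSTEM", "").upper() == "NONE":
            findings.append(f"{name}: SYSTEM = NONE, login allowed without a password")
    for name in interactive_users:
        locked = [a for a in ("login", "su", "rlogin") if users.get(name, {}).get(a) == "false"]
        if locked:
            findings.append(f"{name}: {', '.join(locked)} = false")
    return findings
```

Run it over the real file with `audit_user_file(open("/etc/security/user").read(), ["root", "kurowski", "tgriffin"])` after an upgrade; an empty list means none of the regressions above are present.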
===================================================================================
===================================================================================
Notes from when I updated ar017[67]e0/1 to eNetwork Firewall 3.2.3.0 on 5/28/99.
-----------------------------------------------------------------------------------
Created backups of different things in /tmp. I found this very useful when I
did ar0135e0 earlier this month.
  - cp -Rhp /etc /tmp/etc
  - ls -lR / > /tmp/ls-lR.of.slash
  - ls -lR /usr/bin > /tmp/ls-lR.of.usr.bin
  - ls -lR /usr/sbin > /tmp/ls-lR.of.usr.sbin
  - lslpp -L > /tmp/lslpp-L.before

Just to checkpoint, I'm starting at

               | AIX (bos.rte) | FW (FW.base) | ND
    -----------+---------------+--------------+------------------------
    ar0176e0/1 | 4.2.1.0       | 3.1.1.2      | intnd.nd.rte  2.0.0.0
    ar0176e0/1 | 4.2.1.0       | 3.1.1.2      | issaix.nd.rte 1.1.0.0

and I'm going to

               | 4.2.1.4       | 3.2.3.0 +    | issaix.nd.rte 1.1.0.0
-----------------------------------------------------------------------------------
===================================================================================
===================================================================================
Some notes on the firewall logs ...

    d=i/o   = Direction
    p=TCP   = Protocol
    r=r     = Routing    = Route | Local
    a=s     = Interface  = Secure | non-Secure
    f=n     = Fragment
    T=0     = Tunnel ID
    e=n     = Encryption
    l=44    = Length