Oracle MiniCluster S7-2 Security Guide

Updated: October 2016

Verifying Host-Based Firewall Rules

All compute environments, including global zones, kernel zones and non-global zones, are automatically configured with IPFilter firewalls. No manual intervention is required.

To verify the IPFilter components in use, perform the following steps.

  1. Log in to the global zone on node 1 as the mcinstall user and assume the root role.

    For Oracle ILOM login instructions, refer to the Oracle MiniCluster S7-2 Administration Guide.

    % ssh mcinstall@mc4-n1
    Password: ***************
    Last login: Tue Jun 28 10:47:38 2016 on rad/59
    Oracle Corporation      SunOS 5.11      11.3    June 2016
    Minicluster Setup successfully configured
    Unauthorized modification of this system configuration strictly prohibited
    mcinstall@mc4-n1:/var/home/mcinstall % su root
    Password: ***************
    #
    
  2. Check the IPFilter configuration.

    Make sure that the rules in the /etc/ipf/ipf.conf file match the screen output shown below.

    # cat /etc/ipf/ipf.conf
    block in log on all
    block out log on ipmppub0 all
    pass in quick on ipmppub0 proto tcp from any to any port = 22 flags S keep state
    pass out quick on ipmppub0 proto tcp from any to any port = 22 flags S keep state
    pass in quick on ipmppub0 proto tcp from any to any port = 111 flags S keep state
    pass out quick on ipmppub0 proto tcp from any to any port = 111 flags S keep state
    pass in quick on ipmppub0 proto tcp from any to any port = 443 flags S keep state
    pass in quick on ipmppub0 proto tcp from any to any port = 1159 flags S keep state
    pass in quick on ipmppub0 proto tcp from any to any port = 1158 flags S keep state
    pass in quick on ipmppub0 proto tcp from any to any port 5499 >< 5550 flags S keep state
    pass in quick on ipmppub0 proto tcp from any to any port = 4900 flags S keep state
    pass out quick on ipmppub0 proto tcp from any to any port = 4900 flags S keep state
    pass out quick on ipmppub0 proto tcp from any to any port = 1522 flags S keep state
    pass out quick on ipmppub0 proto tcp from any to any port = 1523 flags S keep state
    pass in quick on ipmppub0 proto tcp from any to any port = 2049 flags S keep state
    pass out quick on ipmppub0 proto tcp from any to any port = 2049 flags S keep state
    pass out quick on ipmppub0 proto tcp/udp from any to any port = domain keep state
    pass in quick on ipmppub0 proto icmp icmp-type echo keep state
    pass out quick on ipmppub0 proto icmp icmp-type echo keep state
    pass in quick on ipmppub0 proto udp from any to any port = 123 keep state
    pass out quick on ipmppub0 proto udp from any to any port = 123 keep state
    block return-icmp in proto udp all
    
  3. Verify that the IPF services are online.

    # svcs | grep svc:/network/ipfilter:default
    online         22:13:55 svc:/network/ipfilter:default
    # ipfstat -v
    bad packets:            in 0    out 0
     IPv6 packets:          in 0 out 0
     input packets:         blocked 2767 passed 884831 nomatch 884798 counted 0 short 0
    output packets:         blocked 0 passed 596143 nomatch 595516 counted 0 short 0
     input packets logged:  blocked 0 passed 0
    output packets logged:  blocked 0 passed 0
     packets logged:        input 0 output 0
     log failures:          input 0 output 0
    fragment state(in):     kept 0  lost 0  not fragmented 0
    fragment reassembly(in):        bad v6 hdr 0     bad v6 ehdr 0  failed reassembly 0
    fragment state(out):    kept 0  lost 0  not fragmented 0
    packet state(in):       kept 0  lost 0
    packet state(out):      kept 0  lost 0
    ICMP replies:   0       TCP RSTs sent:  0
    Invalid source(in):     0
    Result cache hits(in):  0       (out):  0
    IN Pullups succeeded:   0       failed: 3462
    OUT Pullups succeeded:  0       failed: 0
    Fastroute successes:    0       failures:       0
    TCP cksum fails(in):    0       (out):  0
    IPF Ticks:      92894
    Packet log flags set: (0)
            none
    
  4. Also make sure that databases and applications are accessible without having to modify the firewall rules.
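As an added example (not part of this guide and not Oracle's code), the following Python check compares a captured copy of /etc/ipf/ipf.conf with the baseline rule set listed in step 2 and reports missing, unexpected or reordered rules. It assumes the captured file contents are passed in as a string, for instance read over the same ssh session used in step 1.

```python
# Added example (not Oracle's code): compare a captured /etc/ipf/ipf.conf
# against the baseline rule set listed in this guide and report drift.

# Baseline rules, copied from the ipf.conf listing in step 2 above.
BASELINE = """\
block in log on all
block out log on ipmppub0 all
pass in quick on ipmppub0 proto tcp from any to any port = 22 flags S keep state
pass out quick on ipmppub0 proto tcp from any to any port = 22 flags S keep state
pass in quick on ipmppub0 proto tcp from any to any port = 111 flags S keep state
pass out quick on ipmppub0 proto tcp from any to any port = 111 flags S keep state
pass in quick on ipmppub0 proto tcp from any to any port = 443 flags S keep state
pass in quick on ipmppub0 proto tcp from any to any port = 1159 flags S keep state
pass in quick on ipmppub0 proto tcp from any to any port = 1158 flags S keep state
pass in quick on ipmppub0 proto tcp from any to any port 5499 >< 5550 flags S keep state
pass in quick on ipmppub0 proto tcp from any to any port = 4900 flags S keep state
pass out quick on ipmppub0 proto tcp from any to any port = 4900 flags S keep state
pass out quick on ipmppub0 proto tcp from any to any port = 1522 flags S keep state
pass out quick on ipmppub0 proto tcp from any to any port = 1523 flags S keep state
pass in quick on ipmppub0 proto tcp from any to any port = 2049 flags S keep state
pass out quick on ipmppub0 proto tcp from any to any port = 2049 flags S keep state
pass out quick on ipmppub0 proto tcp/udp from any to any port = domain keep state
pass in quick on ipmppub0 proto icmp icmp-type echo keep state
pass out quick on ipmppub0 proto icmp icmp-type echo keep state
pass in quick on ipmppub0 proto udp from any to any port = 123 keep state
pass out quick on ipmppub0 proto udp from any to any port = 123 keep state
block return-icmp in proto udp all
"""

def normalize(text):
    """Drop comments and blank lines, collapse whitespace; keep rule order."""
    rules = []
    for line in text.splitlines():
        line = " ".join(line.split("#", 1)[0].split())
        if line:
            rules.append(line)
    return rules

def rule_drift(actual_text, baseline_text=BASELINE):
    """Return (missing, unexpected, reordered) for a captured ipf.conf.
    Order matters: IPFilter uses the last matching rule unless a 'quick' rule
    matches first, so a reordered file is flagged even if the rule set is equal."""
    base, got = normalize(baseline_text), normalize(actual_text)
    missing = [r for r in base if r not in got]
    unexpected = [r for r in got if r not in base]
    reordered = [r for r in base if r in got] != [r for r in got if r in base]
    return missing, unexpected, reordered

if __name__ == "__main__":
    print(rule_drift(BASELINE))  # unchanged file: ([], [], False)
```

Any non-empty `missing` or `unexpected` list, or `reordered` set to True, means the host firewall no longer matches the configuration the guide expects and should be investigated before step 4.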