Configuring your SGI to use ipfiltering

This document assumes that you have the necessary software to do ipfiltering installed on your SGI. Namely, the "eoe.sw.ipgate" subsystem.

You must have "root" access to make these changes to your system.

As "root" in a "shell", check to see if "ipfilterd" is enabled on your system.

# /etc/chkconfig | grep ipfilterd

This should return the following:

ipfilterd on

If it is NOT turned on, the command returns nothing and you see the "root" prompt (#) on the next line.

If you know that you have the "eoe.sw.ipgate" subsystem installed and need to turn the "ipfilterd" feature on, do the following command as "root" in a "shell":

/etc/chkconfig -f ipfilterd on

After doing so, check and make sure that "ipfilterd" is turned on by running the "chkconfig" command above.

The next step is to configure the ipfilter "rules" for your machine. The file that contains the "rules" for using ipfilter is: /etc/ipfilterd.conf.

A good "default" /etc/ipfilterd.conf file that saves "state" is as follows:

#
# ipfilterd.conf
# $Revision: 1.3 $
#
# Configuration file for ipfilterd(1M) IP layer packet filtering.
# Lines that begin with # are comments and are ignored.
# Lines begin with a keyword, followed either by a macro definition or
# by an optional interface filter, which may be followed by a protocol filter.
# Both macros and filters use SGI's netsnoop(1M) filter syntax.
#
# The currently supported keywords are:
# accept : accept all packets matching this filter
# reject : silently discard packets matching this filter
# define : define a new macro to add to the standard netsnoop macros
#
# See the ipfilterd(1M) man page for examples of filters and macros.
#
# The network administrator may find the following macros useful:
#
define ip.netAsrc (src&0xff000000)=$1
define ip.netAdst (dst&0xff000000)=$1
define ip.netBsrc (src&0xffff0000)=$1
define ip.netBdst (dst&0xffff0000)=$1
define ip.netCsrc (src&0xffffff00)=$1
define ip.netCdst (dst&0xffffff00)=$1
define ip.notnetAsrc not((src&0xff000000)=$1)
define ip.notnetAdst not((dst&0xff000000)=$1)
define ip.notnetBsrc not((src&0xffff0000)=$1)
define ip.notnetBdst not((dst&0xffff0000)=$1)
define ip.notnetCsrc not((src&0xffffff00)=$1)
define ip.notnetCdst not((dst&0xffffff00)=$1)
#
# Additional macros:
#
# Filters follow:
#
#
# accept loopback only on the loopback
#
accept -i localhost src=127.0.0.1
reject src=127.0.0.1
#
#
# allow all sshd
#
accept tcp.dport=22
#
#
# accept all 128.143.* and 137.54.*
accept ip.netBsrc 128.143.0.0
accept ip.netBsrc 137.54.0.0
#
# allow TCP packets related to outgoing connections
#
accept tcp and not(tcp.flags=SYN)
#
# deny everything else
reject (src&0) = 0

This is the default that we have running in the Unixlab on our SGIs. It still allows "ssh" connections in, while everything else not originating from the machine you are on is blocked. Note that ipfilterd keeps no connection table: the "state" comes from the line "accept tcp and not(tcp.flags=SYN)", which lets through any TCP packet that is not a bare SYN, so replies to your own connections get in, but so does any other non-SYN TCP segment.

If you are running "sendmail" and need to listen for inbound e-mail, you will have to add an additional line to this file.

After the line:

accept tcp.dport=22

Add:

accept tcp.dport=25

Similarly, if you would also like to allow inbound web access (if you have a web server running), you would add the following:

accept tcp.dport=80

This also assumes that you have the above services configured in your tcp_wrappers hosts.allow file.
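The first-match behaviour of the file above, as an added example that is not part of the original page: each rule is reduced to a Python predicate so you can see which line a packet hits before editing the live file (the packet layout, the predicates and the outside interface name "ec0" are assumptions).

```python
# Added example, not part of the original page: a first-match simulation of the
# /etc/ipfilterd.conf above, with each rule reduced to a Python predicate so you
# can see which line a packet hits before editing the live file. The packet
# layout and the outside interface name "ec0" are constructed for illustration.
import ipaddress

def net_b(ip, net):
    """ip.netBsrc macro from the file: (src & 0xffff0000) = net."""
    return int(ipaddress.ip_address(ip)) & 0xffff0000 == int(ipaddress.ip_address(net))

def pkt(src, proto, dport=0, flags=(), iface="ec0"):
    """Constructed inbound packet; iface is the interface it arrived on."""
    return {"src": src, "proto": proto, "dport": dport,
            "flags": frozenset(flags), "iface": iface}

def build_rules(extra_ports=()):
    """Rules in file order as (action, interface-or-None, predicate).
    extra_ports are the 'accept tcp.dport=N' lines the text says to add
    after the sshd line (25 for sendmail, 80 for a web server)."""
    rules = [
        ("accept", "localhost", lambda p: p["src"] == "127.0.0.1"),
        ("reject", None, lambda p: p["src"] == "127.0.0.1"),  # 127.0.0.1 off-loopback
        ("accept", None, lambda p: p["proto"] == "tcp" and p["dport"] == 22),
    ]
    for port in extra_ports:
        rules.append(("accept", None,
                      lambda p, port=port: p["proto"] == "tcp" and p["dport"] == port))
    rules += [
        ("accept", None, lambda p: net_b(p["src"], "128.143.0.0")),
        ("accept", None, lambda p: net_b(p["src"], "137.54.0.0")),
        # accept tcp and not(tcp.flags=SYN): anything but a bare SYN passes, so
        # SYN/ACK replies to our own connections get in, but so does any other
        # unsolicited non-SYN segment; ipfilterd keeps no connection table.
        ("accept", None, lambda p: p["proto"] == "tcp" and p["flags"] != {"SYN"}),
        ("reject", None, lambda p: True),  # reject (src&0) = 0: deny everything else
    ]
    return rules

def filter_packet(rules, p):
    """Return the action of the first rule whose interface and filter both match."""
    for action, iface, match in rules:
        if (iface is None or iface == p["iface"]) and match(p):
            return action
    return None  # unreachable here: the final reject matches every packet

if __name__ == "__main__":
    base, mail = build_rules(), build_rules(extra_ports=(25,))
    smtp_syn = pkt("10.1.2.3", "tcp", 25, ("SYN",))
    print("SMTP SYN, default file:", filter_packet(base, smtp_syn))  # reject
    print("SMTP SYN, port 25 added:", filter_packet(mail, smtp_syn))  # accept
```

Run it after each change to the rule list to confirm that a new "accept" line lands above the final catch-all reject, since a rule placed after it never matches.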
