
Gemalto SafeNet ProtectServer User Manual

44 pages
Set the default gateway (that this SafeNet ProtectServer Network HSM should use) by
editing the file /etc/sysconfig/network.
If you ever want to address the unit by its name using the loopback connection, you
can set the hostname by editing the /etc/hosts file and the
/etc/sysconfig/network file (which governs external connections).
Setting a name server
Note: It is recommended that you use psesh:>network config dns to set the name
server, instead of using the manual procedure below.
The SafeNet ProtectServer Network HSM processing modules do not have the
resources to operate as their own name servers. If name resolution is required, it needs
to be provided by a DNS server on the network. In order for the SafeNet
ProtectServer Network HSM to use the DNS server, you must add an entry for the
DNS server to the file /etc/resolv.conf, in the following format:
nameserver <IP-ADDRESS>
Setting access control
Note: It is recommended that you use psesh:>network config iptables to configure
the iptables, instead of using the manual procedure below.
Access control on the SafeNet ProtectServer Network HSM is performed using
iptables(8). Below is a list of iptables(8) commands:
iptables -[ADC] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -N chain
iptables -X [chain]
iptables -P chain target [options]
iptables -L [chain]
The following iptables configuration prevents access to all but one IP address:
1. iptables -F INPUT (flushes all existing rules from the INPUT chain)
2. iptables -A INPUT -s [ip-address] -j ACCEPT (sets an IP address which
can be accepted)
3. iptables -A INPUT -j DROP (drops everything else)
Once a table configuration has been created that provides suitable network access, it
can be stored as the active network configuration using the following command:
/etc/init.d/iptables save active
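A check worth running before the rule set is saved, given here as an added example that is not part of the manual: it audits a listing of the INPUT chain against the pattern in steps 1 to 3 (ACCEPT only from listed sources, then an unconditional DROP). The function name, the sample listings and the addresses are constructed for illustration, and it assumes the unit's iptables supports the -S option.

```shell
#!/bin/sh
# Added example, not from the manual. Reads `iptables -S INPUT` output on stdin
# and checks it against the documented pattern: ACCEPT only from the listed
# source addresses, then one unconditional DROP as the last rule.
# Assumption: the iptables build on the unit supports -S (list rules as commands).
# Live use:  iptables -S INPUT | audit_input_chain 192.0.2.10
audit_input_chain() {
    awk -v allowed="$*" '
    BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "-A" || $2 != "INPUT" { next }     # skip the "-P INPUT ..." policy line
    seen_drop { print "FAIL: unreachable rule after catch-all DROP: " $0; bad = 1; next }
    NF == 4 && $3 == "-j" && $4 == "DROP" { seen_drop = 1; next }
    NF == 6 && $3 == "-s" && $5 == "-j" && $6 == "ACCEPT" {
        src = $4; sub(/\/32$/, "", src)      # -S prints a single host as a.b.c.d/32
        if (!(src in ok)) { print "FAIL: unexpected source accepted: " $4; bad = 1 }
        next
    }
    { print "FAIL: rule outside the documented pattern: " $0; bad = 1 }
    END {
        if (!seen_drop) { print "FAIL: chain does not end in an unconditional DROP"; bad = 1 }
        exit bad
    }'
}

# Constructed sample listings (not captured from a real unit).
sample_good() {
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -s 192.0.2.10/32 -j ACCEPT' \
        '-A INPUT -j DROP'
}
sample_bad() {
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -s 192.0.2.10/32 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -s 198.51.100.0/24 -j ACCEPT'
}

sample_good | audit_input_chain 192.0.2.10 && echo "sample_good: INPUT chain matches the policy"
sample_bad  | audit_input_chain 192.0.2.10 || echo "sample_bad: audit failed"
```

The audit is strict by design: any rule beyond the documented pattern, such as one added for the name server listed in /etc/resolv.conf, is reported so that it can be reviewed.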
Before iptables(8) is completely configured it should have an inactive table
defined. This is less critical as there is very little running in the operating system by
the time the inactive table is loaded. The following is a suitable inactive table:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
