Chapter 4: Testing and Configuration
6. [Optional] Add a search domain to the network configuration. Search domains are automatically appended to a hostname you specify in PSESH. For example, if you add the search domain mycompany.com, the command

psesh:> network ping hsm1

looks up hsm1.mycompany.com. If that name resolves, the appliance pings the device with that hostname.

psesh:> network dns add searchdomain <domain> -device <net_device>

The search domain is added to the appliance DNS table.
NOTE
The search domain settings apply to static network configurations only. If you are
using DHCP, the DNS search domains configured on the DHCP server are used.
When you add a DNS search domain or DNS server to a specific network device, it is added to the DNS table for the appliance and becomes available through both devices, provided the device you added it to is connected to the network. For example, if you add a DNS server to eth0, eth1 can use that DNS server as long as eth0 is connected to the network. If eth0 is disconnected from the network, eth1 also loses access to the DNS server. To ensure that a DNS server remains available in the event of a network or port failure, add it to both network-connected devices.
If you have chosen to perform setup via SSH, you will likely lose your network connection as you confirm the
change of IP address from the default setting.
7. [Optional] Add iptables ACCEPT and DROP rules to manage network access to the appliance.
By default, the SafeNet ProtectServer Network HSM allows access to all networks and hosts. The default
policy for the INPUT and OUTPUT chain is set to ACCEPT. The default policy for the FORWARD chain is set
to DROP, since the SafeNet ProtectServer Network HSM is not used to forward packets, as in a router or
proxy.
CAUTION!
If you are configuring iptables via SSH, a malformed rule can cause a lockout. Rules are matched in list order, so add an ACCEPT rule for the host you are connecting from before adding any DROP rule that would cover it, and check the list with network iptables show before saving.
a. To add an ACCEPT rule, specify a host or network:

psesh:> network iptables addrule accept host -ip <IP_address>
psesh:> network iptables addrule accept network -net <IP_address> -mask <netmask>

b. To add a DROP rule, specify a host or network:

psesh:> network iptables addrule drop host -ip <IP_address>
psesh:> network iptables addrule drop network -net <IP_address> -mask <netmask>

c. To see the current list of rules:

psesh:> network iptables show

d. To delete a rule, specify the rule's position on the list:

psesh:> network iptables delrule -rulenum <number>

A rule's number is its current list position, so the rules after a deleted rule move up by one. Executing network iptables delrule -rulenum 1 repeatedly will therefore eventually delete the entire list.

e. Save your iptables changes:

psesh:> network iptables save

You must execute this command, or any changes will be lost on the next appliance reboot.
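As an added worked example (not part of this guide or of the ProtectServer software), the following Python script is a dry-run planner for the rule list that step 7 builds. It models the behaviour described above: an ordered rule list, the INPUT chain's default ACCEPT policy, first-match evaluation (standard iptables chain semantics), deletion by current list position, and the mandatory save. It refuses to emit the psesh command sequence if the host your SSH session comes from would be dropped, which is the lockout the CAUTION warns about. The management address 10.0.1.25, the client subnet 10.0.2.0/24 and the catch-all DROP written as network 0.0.0.0 with mask 0.0.0.0 are constructed values and assumptions, not values from the guide; the emitted command lines use only the forms shown in step 7.

```python
"""Dry-run planner for the psesh 'network iptables' rule list.

Added example, not part of the ProtectServer software. It models the
appliance behaviour described in step 7: rules are kept in an ordered
list, the INPUT chain's default policy is ACCEPT, a rule's number is its
current list position, and nothing persists without 'network iptables
save'. First-match evaluation is standard iptables chain semantics.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str                    # "accept" or "drop"
    net: ipaddress.IPv4Network     # /32 for a host rule


def host_rule(action: str, ip: str) -> Rule:
    return Rule(action, ipaddress.ip_network(f"{ip}/32"))


def network_rule(action: str, net: str, mask: str) -> Rule:
    # strict=False tolerates a network address with host bits set
    return Rule(action, ipaddress.ip_network(f"{net}/{mask}", strict=False))


def verdict(rules: list[Rule], src_ip: str, default: str = "accept") -> str:
    """Return the action applied to a packet from src_ip: first match wins,
    otherwise the chain's default policy (ACCEPT on the appliance)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.net:
            return rule.action
    return default


def delrule(rules: list[Rule], rulenum: int) -> list[Rule]:
    """Delete by 1-based list position; the rules after it move up one,
    which is why repeating '-rulenum 1' eventually empties the list."""
    del rules[rulenum - 1]
    return rules


def to_psesh(rules: list[Rule]) -> list[str]:
    """Render the rule list as the psesh commands shown in step 7,
    ending with the mandatory save."""
    cmds = []
    for rule in rules:
        if rule.net.prefixlen == 32:
            cmds.append(f"network iptables addrule {rule.action} host "
                        f"-ip {rule.net.network_address}")
        else:
            cmds.append(f"network iptables addrule {rule.action} network "
                        f"-net {rule.net.network_address} -mask {rule.net.netmask}")
    cmds.append("network iptables save")   # otherwise lost on next reboot
    return cmds


def locks_out(rules: list[Rule], mgmt_ip: str) -> bool:
    """True if the rule set would drop the host the SSH session comes from."""
    return verdict(rules, mgmt_ip) != "accept"


def plan(rules: list[Rule], mgmt_ip: str) -> list[str]:
    """Emit the command sequence only if the management host stays reachable."""
    if locks_out(rules, mgmt_ip):
        raise ValueError(f"rule set would lock out management host {mgmt_ip}")
    return to_psesh(rules)


# Constructed sample addresses (assumptions, not values from the guide).
MGMT_IP = "10.0.1.25"                                   # where the SSH session originates
CLIENT_NET, CLIENT_MASK = "10.0.2.0", "255.255.255.0"   # ProtectToolkit client subnet


def safe_rules() -> list[Rule]:
    """Allow the management host and client subnet, then drop everything else.
    The 0.0.0.0 / 0.0.0.0 catch-all is an assumed way to express 'any network'."""
    return [
        host_rule("accept", MGMT_IP),
        network_rule("accept", CLIENT_NET, CLIENT_MASK),
        network_rule("drop", "0.0.0.0", "0.0.0.0"),
    ]


def lockout_rules() -> list[Rule]:
    """Same three rules with the catch-all DROP first: it matches every
    source, so the ACCEPT rules behind it are never reached."""
    accept_mgmt, accept_clients, drop_all = safe_rules()
    return [drop_all, accept_mgmt, accept_clients]


if __name__ == "__main__":
    for line in plan(safe_rules(), MGMT_IP):
        print("psesh:>", line)
    print("lockout with DROP first:", locks_out(lockout_rules(), MGMT_IP))
```

Run it before an SSH session to see the exact command order to type; swap the list order as in lockout_rules() and plan() refuses, showing why the ACCEPT for your own host must precede a broad DROP. The script only mirrors the semantics the guide describes; it does not talk to the appliance.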
SafeNet ProtectToolkit 5.8 Installation and Configuration Guide
007-013682-006 Rev. A 08 January 2020 Copyright 2009-2020 Gemalto
31