Great Circle Associates Firewalls
(December 1992)

Subject: Re: IPFORWARD questions
From: jim @ tadpole . com (Jim Thompson)
Date: Tue, 22 Dec 92 14:16:04 CST
To: A . Macpherson @ bnr . co . uk, gjkriger @ gjk . OCUnix . on . ca
Cc: firewalls @ GreatCircle . COM

# I understand that IPFORWARD (on BSD style kernels) can be set so that
# packets are not automatically forwarded from one net to another when the
# machine is multi-homed.
#
# Questions:
# Is it still possible to write an application that would take packets
# from one network and pass them to another ??

Yes, it is also possible to write an application that changes the
headers in the packet, spoofing one or both ends, taking over TCP
connections, etc.
# On a host where IP forwarding can not be turned off, how does one
# prevent the automatic forwarding of packets ??

One technique would be to install a pseudo-interface that acts as a
'sink' for all packets sent to it, and munge the routing tables into
sending all traffic that way.  Remember to handle source routed
packets.

Another would be to write an in-kernel 'router', which can act on the
packets before forwarding them; this replaces the 'forward' function in
the kernel.  (Such a thing exists.)

> The thing that will cause you problems with such a host is using NIS or
> /etc/hosts rather than DNS, as these lookups can only return the one
> address, and you can't accept packets for your other interfaces --- you have
> to get the addressing right.

Modern (after SunOS 4.0.3) versions of NIS will return (a limited
number of) addresses, if they're handed back via a call to the
resolver.  However, anyone running NIS on a firewall still deserves
what they get.  Techniques for breaking NIS (YP) have been well-known
in the cracker community for some time.  With the advent of the article
in the SIGCOMM journal, it should be assumed that they are widespread.

Jim
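An added check, not part of Jim's message or the list archive: a POSIX shell function that audits `sysctl -a` style output for the two settings this thread turns on, IP forwarding between interfaces and acceptance of source-routed packets. It assumes the FreeBSD and Linux sysctl names for those knobs; the sample input is constructed.

```shell
#!/bin/sh
# audit_forwarding: read "key: value" (BSD) or "key = value" (Linux) lines
# on stdin, report each forwarding / source-route setting found, and
# return 1 if any of them is enabled on this (multi-homed) host.
audit_forwarding() {
    # sysctl names that should read 0 on a host that must not route;
    # FreeBSD names first, then the Linux equivalents
    keys='net.inet.ip.forwarding net.inet.ip.sourceroute net.inet.ip.accept_sourceroute
          net.ipv4.ip_forward net.ipv4.conf.all.accept_source_route'
    rc=0
    while IFS= read -r line; do
        # turn the first ':' or '=' into a space so $1 is the key, $2 the value
        set -- $(printf '%s\n' "$line" | sed 's/[:=]/ /')
        key=$1
        val=$2
        for k in $keys; do
            [ "$key" = "$k" ] || continue
            if [ "$val" != "0" ]; then
                echo "ENABLED $key=$val"
                rc=1
            else
                echo "ok $key=0"
            fi
        done
    done
    return $rc
}

# Constructed sample of sysctl output for demonstration only; on a real
# host run:  sysctl -a 2>/dev/null | audit_forwarding
SAMPLE='net.inet.ip.forwarding: 1
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 1
kern.hostname: fw.example'

printf '%s\n' "$SAMPLE" | audit_forwarding \
    || echo "host forwards or accepts source-routed packets"
```

The function only reads text, so it can be pointed at a saved `sysctl -a` dump from another host just as well as at a live one.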