>Sorry if this has just come up, but I saw a reference to "turning
>packet forwarding off." It really torques me off to admit to
>ignorance, but I thought that you had to be running something like
>gated for packet forwarding to occur.
Packet forwarding's the default in every version of UNIX
I can think of. Basically it means that the kernel will try to
route traffic.
In IP, the kernel routes packets towards the destination,
based on its internal routing tables. Most systems are 'end nodes'
and only get packets destined for them, so it's not an issue - the
routing table just tells it where to send stuff that's going to
systems off the immediate local network.
Gated/routed and so on, manage routing tables. The management
of routing tables is outside of the kernel, in applications that
talk various routing protocols, and then manipulate the in-kernel
routing tables using kernel calls. This is a pretty clever design
decision, because it means your routing table management rules are
outside of the kernel - the kernel doesn't have to know RIP, EGP,
BGP, etc, etc, etc.
So, don't confused gated/routed with routing. The kernel
handles the routing, and gated/routed handle the routing tables.
If ipforwarding is off, if the kernel gets a packet IN, which
the routing tables tell it it should send OUT, it doesn't.
This is one of the earliest forms of firewall: you just
have a machine with 2 network interfaces and ipforwarding turned
off. Both sides can talk *to* it, but neither can talk *across*
it. The side effect is that no traffic is directly routed between
networks - so stuff like FSP (in fact anything that doesn't go
through a proxy forwarder or doesn't work in store-and-forward
mode) doesn't work.
mjr.
|
|
