Great Circle Associates Firewalls
(March 1994)


From: lacoursj @ uprc . com (Jeffrey D. LaCoursiere)
Date: Fri, 4 Mar 1994 11:01:35 +0600
To: firewalls @ greatcircle . com
Cc: dallas @ dfw . paranet . com, sun-managers-relay @ ra . mcs . anl . gov

Wanted to test the results of turning on/off IP_FORWARDING in a Sun
4.1.3.U1 kernel.  First of all, I haven't yet found the blurb about
where you make this change.  Have been browsing around in /sys/net and
looked through route.h, but couldn't find a mention of ipforwarding.
If anyone knows this off the top of their head, it would save me digging
through much piled paper.

After failing to find the correct kernel file to modify, I decided I 
would set up my test case anyway.  Ran into several problems.  The machine
that I wanted to configure to SEND packets "through" the ipforwarding
machine is running Solaris 2.3.  I attempted to set up a routing table
that contained ONLY the loopback route and a default route to the ipforward
machine: (scorpio is the ipforward machine)

Routing Table:
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
localhost            localhost             UH       0 627591  lo0
default              scorpio               UG       0    557  

This table was the first problem.  Even though my mask was FFFFFF00, a
ping to another machine on the subnet would result in "Network Unreachable",
which I am assuming is complaining about not being able to find a route
to scorpio.  I thought that this was the point of the subnet mask, i.e.
if the network part of the destination address matched the network part
of any interface's address, I would simply put the packet on that interface.
Scorpio is on the same subnet as the local machine.

At any rate, adding a route for the local net fixed the problem:

enet_f35_208         cygnus                U        2    360  le0

(where cygnus is the local machine, enet_f35_208 is the local net).

I didn't have this problem on scorpio (4.1.3.U1).  His resulting route
table did look a bit different, however:

Routing tables
Destination          Gateway              Flags    Refcnt Use        Interface
localhost            localhost            UH       5      999        lo0
default              cisco1_17            UG       1      34         le0

The difference being the default route had an interface associated with it.
Is this difference a Solaris "feature" or am I missing something?

The subnet has a CISCO routing to other nets; it is running proxy arp.
(cisco1_17).  I configured scorpio's route table to send all packets
to the cisco.  I assumed that if ipforwarding was turned on, any attempt
by cygnus to send packets to an external machine would result in the
packet first being sent to scorpio, who would forward the packet (via
its default route) to the cisco, which would take it from there.  Have
I missed something here?

At any rate, it didn't fly.  Any attempt to ping external machines from
cygnus would simply hang and result in "no answer".  Changing the default
route on cygnus to point to the cisco and trying again, the ping would
be successful.  I am tempted to make the conclusion that stock 4.1.3.U1
with the GENERIC kernel doesn't support ipforwarding (or it comes turned

The whole point of this was to make sure that I could trust a bastion
host loaded with 4.1.3.U1 after turning off ipforwarding.  Apparently
I don't have anything to do...!


Jeff LaCoursiere
Network Admin
Ft. Worth, TX
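
A simplified model of the route lookup discussed in the message above, added here as an example and not code from the post or from SunOS/Solaris: it reproduces the reported "Network Unreachable" for the two-entry table on cygnus and the effect of adding the local-net route. The IP addresses, the `peer` host and all function names are constructed for illustration, and the rule that a gateway must itself resolve through an interface route is a modelling assumption.

```python
import ipaddress

# Constructed addresses: the post gives only host names and the FFFFFF00 mask.
HOSTS = {"cygnus": "192.0.2.10", "scorpio": "192.0.2.20", "peer": "192.0.2.30"}
LOCAL_NET = "192.0.2.0/255.255.255.0"  # enet_f35_208 with mask FFFFFF00

class Route:
    def __init__(self, dest, gateway=None, iface=None):
        self.net = ipaddress.ip_network(dest)
        self.gateway = ipaddress.ip_address(gateway) if gateway else None
        self.iface = iface

def lookup(table, dst):
    """Longest-prefix match; returns the best Route, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.net]
    return max(matches, key=lambda r: r.net.prefixlen, default=None)

def next_hop(table, dst):
    """Return (interface, next-hop address), or raise if unreachable.

    Model assumption: a gateway (G) route is usable only when the gateway
    itself resolves through an interface (non-gateway) route.
    """
    route = lookup(table, dst)
    if route is None:
        raise OSError("Network Unreachable")
    if route.gateway is None:
        return route.iface, ipaddress.ip_address(dst)
    via = lookup([r for r in table if r.gateway is None], route.gateway)
    if via is None:
        raise OSError("Network Unreachable")
    return via.iface, route.gateway

def cygnus_table(with_local_net):
    """cygnus's table from the post, before/after adding the local-net route."""
    table = [Route("127.0.0.1/32", iface="lo0"),
             Route("0.0.0.0/0", gateway=HOSTS["scorpio"])]
    if with_local_net:
        table.append(Route(LOCAL_NET, iface="le0"))
    return table

def try_send(table, dst):
    """Describe where a packet to dst would go, or the error."""
    try:
        iface, hop = next_hop(table, dst)
        return f"{iface} via {hop}"
    except OSError as exc:
        return str(exc)
```

In this model an off-subnet destination leaves on le0 towards scorpio once the local-net route exists; whether scorpio then forwards it is the separate question the message goes on to test.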
