> Given that we are talking about SunOS machines, on SunOS 4.*:
> Actually, you want to set IPFORWARDING=-1. Setting it to 0 disables
> forwarding on a single homed machine, and re-enables it (sets it back
> to 1) on a multi-homed machine. Setting it to -1 leaves it
> permanently disabled.
>
> When disabled, source routing only happens if the packet leaves on the
> same interface it arrived at.
>
Right, but if you have a firewall setup something like this:
              Nasty World
                  |
                  |
       *-------+-------+-------
    router     |       |
               |   other hosts
          Bastion Host
where the router is filtering packets to go to just the bastion host (which
is a proxy server) but is not blocking source routes, -or-
              Nasty World
                  |
                  |            internal router
       *-------+---------------*
   ext router  |               |
               |               |
          Bastion Host     Internal Net
where the external router isn't blocking source routes and the internal
router isn't properly configured, you are vulnerable since the source-routed
packet comes in and goes out on the same interface.
I realize that this involves two or three misconfigurations... a
series of mistakes that most of us would not make, but it is best to
close off all possible problems, especially given cisco's history of
buggy handling of source routes, e.g. the CERT advisory a while ago.
--mark
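The thread hinges on whether source-routed packets reach the bastion host at all. As an added example (not code from this mailing list), here is a small IPv4 header parser that flags LSRR/SSRR options and lists the hops they carry, the kind of check one would run over captured traffic at the router or bastion to confirm that the filters really drop them. The packet bytes and addresses are constructed for the example.

```python
import struct
import ipaddress

LSRR = 131  # loose source and record route option type (RFC 791)
SSRR = 137  # strict source and record route option type (RFC 791)


def parse_ipv4_options(packet: bytes):
    """Return a list of (type, body) tuples from the IPv4 header options."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, out, i = packet[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                        # end of option list
            break
        if t == 1:                        # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        ln = opts[i + 1]
        out.append((t, opts[i + 2:i + ln]))   # body excludes type and length
        i += ln
    return out


def source_route(packet: bytes):
    """Return ("loose"|"strict", [hop addresses]) if source routed, else None."""
    for t, body in parse_ipv4_options(packet):
        if t in (LSRR, SSRR):
            addrs = body[1:]              # body[0] is the route pointer
            hops = [str(ipaddress.IPv4Address(addrs[k:k + 4]))
                    for k in range(0, len(addrs) // 4 * 4, 4)]
            return ("strict" if t == SSRR else "loose", hops)
    return None


def build_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (constructed sample, checksum left 0)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options


# Constructed sample: a packet that asks to be routed via two hops.
LSRR_OPT = (struct.pack("!BBB", LSRR, 11, 4)
            + ipaddress.IPv4Address("192.0.2.1").packed
            + ipaddress.IPv4Address("198.51.100.7").packed)
SOURCE_ROUTED = build_packet("203.0.113.9", "198.51.100.7", LSRR_OPT)
PLAIN = build_packet("203.0.113.9", "198.51.100.7")
```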