Great Circle Associates Firewalls
(March 1994)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: IP_FORWARDING
From: Bill Gianopoulos <wag @ sccux1 . msd . ray . com>
Date: Mon, 7 Mar 1994 13:31:52 -0500 (EST)
To: db @ whitney . sunbim . be (Danny Backx)
Cc: firewalls @ GreatCircle . COM, verber @ parc . xerox . com
In-reply-to: <9403070830 . AA02815 @ whitney . sunbim . be> from "Danny Backx" at Mar 7, 94 09:30:55 am

> 
> Mark Verber <verber @
 parc .
 xerox .
 com> wrote :
> 
> > Yes, setting IPFORWARDING properly in options or changing ip_forwarding
> > with adb works just as well as editing ip_proto.c.  Once again, my primary
> > warning is that  source routing happens whether you have IPfowarding on
> > or off.

As I believe has been pointed out on this list in the past, the fact that you
can turn off IPFORWARDING with adb IS part of the problem with this approach.
It's just as easy for someone to turn it back on this way.  If you have source
and can actually remove the code that handles the forwarding, you are better
because then if someone DOES manage to get root access (and somehow they
seem to keep finding new and improved ways to do this) it will at least be
more difficult for them to undo your protection.

-- 
William A. Gianopoulos; Raytheon Missile Systems Division
wag @
 sccux1 .
 msd .
 ray .
 com


Follow-Ups:
References:
Indexed By Date Previous: Re: IP_FORWARDING
From: thaynes @ sybase . com (Tom Haynes)
Next: Authentication of e-mail
From: "Mark R. Ludwig" <Mark-Ludwig @ uai . com>
Indexed By Thread Previous: Re: IP_FORWARDING
From: db @ whitney . sunbim . be (Danny Backx)
Next: Re: IP_FORWARDING
From: jmc @ ksu . ksu . edu (James Michael Chacon)

Google
 
Search Internet Search www.greatcircle.com