Great Circle Associates Firewalls
(March 1994)
 


Subject: Re: IP_FORWARDING
From: jmc @ ksu . ksu . edu (James Michael Chacon)
Date: Sun, 13 Mar 1994 07:31:19 -0600 (CST)
To: firewalls @ greatcircle . com
In-reply-to: <199403071831 . NAA05746 @ sccux1 . msd . ray . com> from "Bill Gianopoulos" at Mar 7, 94 01:31:52 pm

>
>> 
>> Mark Verber <verber @ parc . xerox . com> wrote :
>> 
>> > Yes, setting IPFORWARDING properly in options or changing ip_forwarding
>> > with adb works just as well as editing ip_proto.c.  Once again, my primary
>> > warning is that source routing happens whether you have IPforwarding on
>> > or off.
>
>As I believe has been pointed out on this list in the past, the fact that you
>can turn off IPFORWARDING with adb IS part of the problem with this approach.
>It's just as easy for someone to turn it back on this way.  If you have source
>and can actually remove the code that handles the forwarding, you are better
>because then if someone DOES manage to get root access (and somehow they
>seem to keep finding new and improved ways to do this) it will at least be
>more difficult for them to undo your protection.
>

One thing I have found with turning it off with adb is that if you change
it with adb and then reboot with a kernel with it turned off, you can't turn
it back on without another reboot.

Since all adb'ing and writing the change back out does is poke the proper
predefined variable into the proper place, it just saves a recompile.
If you boot with a kernel with it turned off, it will not come back on with
another adb. Instead, you have to adb, write out a new change and reboot
again. It seems that if the kernel boots with it off, there is no way to get it
turned back on. I guess some initialization code is never called if the
value is initially -1.

So, someone breaking in would have to know to adb, turn it back on, and then
know to reboot. Either way, I figure I would definitely notice the system
rebooting for some reason. And, after any system reboot it's always a good
idea to try and send packets through the system just to make sure it's
still not forwarding.

James
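The two-step adb recipe the thread is discussing (patch the kernel image on disk so the setting survives a reboot, patch the running kernel so it takes effect now) and the post-reboot check James recommends, written out as a small shell wrapper. This is an added example, not code from the original post or from Sun; the paths /vmunix and /dev/mem, the meaning of the -1/0/1 values, the adb `?`/`/` addressing and the shape of adb's reply are stated as assumptions about SunOS 4.1.x in the comments.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the SunOS 4.1.x adb
# recipe for the ip_forwarding kernel variable. Assumptions, labelled here:
#   - the kernel image is /vmunix and live memory is /dev/mem;
#   - "?" addresses the file image, "/" addresses memory (adb -k);
#   - -1 means never forward, 0 means forward automatically when the
#     host is multi-homed, 1 means always forward;
#   - adb answers "ip_forwarding/D" with a line "_ip_forwarding:" followed
#     by "_ip_forwarding:   <value>".
KERNEL=${KERNEL:-/vmunix}
MEM=${MEM:-/dev/mem}

# Translate the raw variable value into the policy the kernel applies.
forwarding_policy() {
    case "$1" in
        -1|0xffffffff|4294967295) echo never ;;
        0) echo auto ;;
        1) echo always ;;
        *) echo unknown ;;
    esac
}

# Pull the numeric value out of adb's reply: take the last field of the
# last line that names the symbol, which also copes with a one-line reply.
parse_adb_value() {
    grep 'ip_forwarding' | tail -1 | awk '{print $NF}'
}

# Read the value from the on-disk image (?D) and from live memory (/D).
read_disk()   { echo 'ip_forwarding?D' | adb "$KERNEL" | parse_adb_value; }
read_memory() { echo 'ip_forwarding/D' | adb -k "$KERNEL" "$MEM" | parse_adb_value; }

# Write -1 to both places. Patching only memory is undone by the next
# reboot; patching only the file leaves the running kernel forwarding.
disable_forwarding() {
    echo 'ip_forwarding?W -1' | adb -w "$KERNEL"
    echo 'ip_forwarding/W -1' | adb -k -w "$KERNEL" "$MEM"
}

# Post-reboot check: disk and memory must both say "never". Anything else
# means the patch was undone, or was never written to one of the two places.
check_after_reboot() {
    d=$(forwarding_policy "$(read_disk)")
    m=$(forwarding_policy "$(read_memory)")
    echo "disk=$d memory=$m"
    [ "$d" = never ] && [ "$m" = never ]
}

case "${1:-}" in
    disable) disable_forwarding ;;
    check)   check_after_reboot ;;
esac
```

Run as `sh ipfwd.sh disable` (as root, then reboot) and `sh ipfwd.sh check` after each reboot; the check exits non-zero if either copy of the variable no longer reads -1. Reading the variable from adb only confirms what the kernel thinks it is doing; actually sending a packet through the machine from an outside host, as the post suggests, remains the test that matters.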




