Great Circle Associates Firewalls
(March 1994)

Subject: Re: IP_FORWARDING
From: jim @ Tadpole . COM (Jim Thompson)
Date: Sun, 13 Mar 1994 11:22:06 +0600
To: firewalls @ GreatCircle . COM
Cc: jmc @ ksu . ksu . edu, verber @ parc . xerox . com

>> Mark Verber <verber @ parc . xerox . com> wrote:
>> Yes, setting IPFORWARDING properly in options or changing ip_forwarding
>> with adb works just as well as editing ip_proto.c.  Once again, my primary
>> warning is that source routing happens whether you have IPforwarding on
>> or off.

Not on SunOS 4.1.3, see below.

> jmc @ ksu . ksu . edu (James Michael Chacon) wrote:
> One thing with turning it off with adb I have found is that if you change 
> with adb and then reboot with a kernel with it turned off, you can't turn
> it back on without another reboot.

Wrong, see below.

> Since all adb'ing and writing the change back out does is to poke the proper
> predefined variable into the proper place it just saves a recompile.
> If you boot with a kernel with it turned off, it will not come back on with
> another adb. Instead, you have to adb, write out a new change and reboot
> again. Seems if the kernel boots with it off, there is no way to get it 
> turned back on.

You don't know about /dev/[k]mem, do you?

> I guess some initialization code is never called if the
> value is initially -1.

This is correct.  When the 2nd interface is brought up, ip_forwarding
is set to '1' (true) if it was '0'.  If it's not '0', it doesn't get
changed.
 
> So, someone breaking in would have to know to adb, turn it back on, and then
> know to reboot.

Wrong, either ("echo ip_forwarding/W 1" | adb -k -w /vmunix /dev/mem), or
("echo ip_forwarding/W 1" | adb -w /vmunix /dev/kmem) will turn ip_forwarding
on without a reboot.

ip_forward() (the function in the kernel that forwards IP packets, e.g.
those not destined for *THIS* machine) does this:

	if ((ip_forwarding != 1) && !source_routed_ok()) {
		/* drop this packet */
	}

source_routed_ok() checks to see if the packet is going out over the
interface it came *IN ON*.  You can't source-route through a machine
where ip_forwarding is set to anything other than '1'.

You can reflect things back *out*, and any port on the machine in
question is reachable (via source routing to the 'far side' address),
and these may be problems (iftp/itelnet can be spoofed, bad guys
can make the attack look like it's coming from your machine, ...),

BUT YOU CAN'T ROUTE IP PACKETS THROUGH THE MACHINE!

Jim
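The two behaviours Jim describes (the second interface only auto-enables ip_forwarding when it starts at 0, and ip_forward() only lets a non-forwarding host reflect a source-routed packet back out the interface it arrived on) are modelled below as an added example. This is constructed C, not SunOS kernel source; the function names, the interface_up() hook and the interface numbering are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model of the SunOS 4.1.3 behaviour described in the post.
 * Not the real kernel source: names and structure are assumptions. */

/* The kernel tunable: -1 = forced off, 0 = "decide at boot", 1 = on. */
static int ip_forwarding = 0;

enum verdict { DROP = 0, FORWARD = 1 };

/* Models the hook run when an interface comes up: the second interface
 * flips ip_forwarding from 0 to 1 but leaves any other value alone,
 * which is why a firewall should be built with -1 rather than 0. */
int interface_up(int interfaces_now_up)
{
    if (interfaces_now_up >= 2 && ip_forwarding == 0)
        ip_forwarding = 1;
    return ip_forwarding;
}

/* Models source_routed_ok(): a source-routed packet may only be
 * reflected back out the interface it came in on. */
static int source_routed_ok(int source_routed, int in_if, int out_if)
{
    return source_routed && in_if == out_if;
}

/* Models the drop test quoted from ip_forward(). */
enum verdict ip_forward(int source_routed, int in_if, int out_if)
{
    if ((ip_forwarding != 1) && !source_routed_ok(source_routed, in_if, out_if))
        return DROP;
    return FORWARD;
}

/* Stand-ins for poking the tunable with adb -w on /dev/kmem. */
void set_ip_forwarding(int v) { ip_forwarding = v; }
int get_ip_forwarding(void) { return ip_forwarding; }

int main(void)
{
    /* Firewall built with IPFORWARDING = -1: 2nd interface does not enable it. */
    set_ip_forwarding(-1);
    interface_up(2);
    printf("ip_forwarding after 2nd interface up: %d\n", get_ip_forwarding());
    printf("transit packet if0->if1:        %s\n", ip_forward(0, 0, 1) == DROP ? "drop" : "forward");
    printf("source-routed transit if0->if1: %s\n", ip_forward(1, 0, 1) == DROP ? "drop" : "forward");
    printf("source-routed reflect if0->if0: %s\n", ip_forward(1, 0, 0) == DROP ? "drop" : "forward");
    return 0;
}
```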