On Thu, 14 Mar 1996 09:04:52 +0100, Casper Dik <casper @ holland . Sun . COM> wrote:
>Unfortunately, you're sadly mistaken about the magic involved with
>setting IPFORWARDING to -1 in SunOS 4.x. If you have a binary license, all it
>does is:
>
>/usr/kvm/sys/netinet/in_proto.c:int ip_forwarding = IPFORWARDING;
I suspect it does exactly the same even if you have a source licence.
(At least the 4.4BSD source behaves this way, and the code seems fairly
similar).
>which can be undone with adb.
True, but you need to be root first. And in general, once you get root
on a normal Unix box, all bets are off. Why bother with IP forwarding
when you can just start an application-level proxy to do whatever you want?
> as long as you can patch
>a running kernel)
Note that SunOS 4.1.3 (can't comment about other OSs) doesn't allow you
to patch code whilst the kernel is running. This means that altering
kernel code takes a bit more care (like changing return addresses or
function pointers in data structures).
What I find more annoying is that it is impossible to make the kernel
ignore ICMP_REDIRECT packets without patching it (admittedly, the patch
is very simple). This makes it fairly simple for someone to tell the
kernel to forward everything to them...
Peter