Great Circle Associates Firewalls
(March 1996)
 


Subject: Re: Solaris 2 & ip_forwarding
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Fri, 15 Mar 1996 21:16:00 +1100 (EDT)
To: jeremyp @ gsms01 . alcatel . com . au (Peter Jeremy)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <199603142030 . HAA21693 @ gsms01 . alcatel . com . au> from "Peter Jeremy" at Mar 15, 96 07:30:04 am

A few points which seemingly get forgotten often:

In some mail from Peter Jeremy, sie said:
> 
> On Thu, 14 Mar 1996 09:04:52 +0100, Casper Dik <casper @ holland . Sun . COM> wrote:
> >Unfortunately, you're sadly mistaken about the magic involved with
> >setting IPFORWARDING to -1 in SunOS 4.x.  If you have a binary license, all it
> >does is:
> >
> >/usr/kvm/sys/netinet/in_proto.c:int    ip_forwarding = IPFORWARDING;
> 
> I suspect it does exactly the same even if you have a source licence.
> (At least the 4.4BSD source behaves this way, and the code seems fairly
> similar).

4.4BSD can, with kern.securelevel, prevent it being changed once into
multiuser mode (or when otherwise set).

> >which can be undone with adb.
> True, but you need to be root first.  And in general, once you get root
> on a normal Unix box, all bets are off.  Why bother with IP forwarding
> when you can just start an application-level proxy to do whatever you want?

> > as long as you can patch
> >a running kernel)
> Note that SunOS 4.1.3 (can't comment about other OSs) doesn't allow you
> to patch code whilst the kernel is running.  This means that altering
> kernel code takes a bit more care (like changing return addresses or
> function pointers in data structures).

If you know the right spells, adb can be used to patch a running kernel #:-)

> What I find more annoying is that it is impossible to make the kernel
> ignore ICMP_REDIRECT packets without patching it (admittedly, the patch
> is very simple).  This makes it fairly simple for someone to tell the
> kernel to forward everything to them...

Sigh.  I'll say this once more :)  If you want to filter out bits and pieces
of IP traffic with SunOS4.1.x, look at
http://coombs.anu.edu.au/~avalon/ip-filter.html

If you're running with LKMs enabled, on any OS, it should be trivial to
patch a live kernel #:->

Can Solaris2 be configured to run from a static setup (i.e. modload/add_drv
do not work)?  Deleting the binaries doesn't count...

darren

------------------------------------------------------------------------------
Darren Reed <darrenr @ cyber . com . au> Fax: +61 3 9642-5998 Phone: +61 3 9642-5997
Cybersource P/L: Unix Systems Administration  /  Network Security & Assessment
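
On the ICMP_REDIRECT concern quoted in the message above, an added example that is not part of the original post and is not code from SunOS, 4.4BSD or IP Filter: the two sanity checks RFC 1122 recommends before a host honours a redirect, which a filter can apply when the kernel has no switch to ignore redirects. The function names, the verdict enum and the 192.0.2.0/24 sample addresses are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { NOT_REDIRECT, ACCEPT_REDIRECT, DROP_REDIRECT };

static uint32_t get32(const uint8_t *p) {            /* big-endian read */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {          /* big-endian write */
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* pkt starts at the IPv4 header. cur_gw is the gateway now used for the
 * affected destination; if_addr/if_mask describe the receiving interface. */
enum verdict check_redirect(const uint8_t *pkt, size_t len, uint32_t cur_gw,
                            uint32_t if_addr, uint32_t if_mask) {
    if (len < 20 || (pkt[0] >> 4) != 4) return NOT_REDIRECT;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 1)    /* protocol 1 = ICMP */
        return NOT_REDIRECT;
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != 5) return NOT_REDIRECT;           /* type 5 = redirect */
    if (get32(pkt + 12) != cur_gw)                   /* sender is not our first hop */
        return DROP_REDIRECT;
    if ((get32(icmp + 4) & if_mask) != (if_addr & if_mask))
        return DROP_REDIRECT;                        /* new gateway is off-link */
    return ACCEPT_REDIRECT;
}

/* Constructed sample: bare IPv4 + ICMP redirect headers, checksums left zero. */
size_t sample_redirect(uint8_t *b, uint32_t src, uint32_t new_gw) {
    memset(b, 0, 28);
    b[0] = 0x45; b[9] = 1;                           /* IPv4, IHL 5, ICMP */
    put32(b + 12, src);
    b[20] = 5; b[21] = 1;                            /* redirect, code 1 (host) */
    put32(b + 24, new_gw);
    return 28;
}

int main(void) {
    uint8_t b[28];
    uint32_t gw = 0xC0000201, me = 0xC000020A, mask = 0xFFFFFF00; /* 192.0.2.0/24 */
    size_t n = sample_redirect(b, 0xC0000242, 0xC0000242);   /* sent by 192.0.2.66 */
    printf("from non-gateway: %d\n", check_redirect(b, n, gw, me, mask));
    n = sample_redirect(b, gw, 0xC0000202);                  /* sent by the gateway */
    printf("from gateway: %d\n", check_redirect(b, n, gw, me, mask));
    return 0;
}
```

The source-address check only raises the bar, since a sender on the same segment can spoof the gateway's address; dropping redirects outright at the filter is the stricter option.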

