Great Circle Associates Firewalls
(September 1996)
 


Subject: ip forwarding - turning it off ?
From: Larry Chin <larry @ ca . cch . com>
Date: Thu, 19 Sep 1996 06:46:10 -0400 (EDT)
To: Firewalls @ greatcircle . com

Situation:
==========

Sparc 20 
SunOS 4.1.3_U1
2 ethernet cards
IP forwarding supposedly turned off


 		 le0 ( 192.9.200.1 ) ------- internal net y
external net --- le1 ( 192.9.201.1 )


netstat -nr shows:
==================

Destination        Gateway              Flags    Refcnt Use        Interface
127.0.0.1          127.0.0.1            UH       0      197        lo0
default            192.9.201.253        UG       1      1231       le1
192.9.201.0        192.9.201.3          U        3      101        le1
192.9.200.0        192.9.200.1          U        3      1036       le0

The default gateway here points back to the external network.


Kernel has:
===========
options IPFORWARDING="-1"


Problem:
========
Having remade the kernel with the above option and rebooted the machine
with this kernel in place, if I go to a machine on the external net
( 192.9.201.x ), put in an explicit route thusly:


	route add 192.9.200.0 192.9.201.1 1

and do a:

	ping 192.9.200.1

the interface will answer with:
	
	192.9.200.1 is alive

I was under the impression that no packets should flow between le0 and
le1 with the IPFORWARDING turned off, such that a ping from the
external net would not receive any answer in the above scenario.


QUESTION:
=========
Should a ping of the le0 interface from a node on the external net
receive an "alive" answer?



Thanks,

Thu Sep 19 06:46:05 EDT 1996
=====================================================================
Larry Chin {Larry_Chin @ ca . cch . com}	CCH Canadian Ltd.
Phone: 416-441-4001 ext. 349		6 Garamond Court
Fax:   416-441-3544			North York, Ontario, M3C 1Z5
=====================================================================
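
An added example, not part of the original post: a small Python model of the receive decision on a multi-homed host, assuming the BSD-style weak end-system behaviour in which a packet addressed to any of the host's own interface addresses is delivered locally. It shows why a ping of le0's own address does not exercise forwarding, while a probe to another host on the internal net does. The internal host 192.9.200.7, the /24 masks and the function names are constructed for illustration.

```python
import ipaddress

# Interface addresses from the post's diagram; the /24 masks are an assumption
# based on the 192.9.200.0 and 192.9.201.0 network routes in its netstat output.
INTERFACES = {
    "le0": ipaddress.ip_interface("192.9.200.1/24"),
    "le1": ipaddress.ip_interface("192.9.201.1/24"),
}


def ip_input(dst, arrived_on, forwarding):
    """Return (action, interface) for a packet received by the dual-homed host.

    action is "deliver-local", "forward" or "drop".
    """
    dst = ipaddress.ip_address(dst)
    # Step 1: a destination matching ANY local address is handed to the host
    # itself, whichever interface it arrived on. The forwarding switch is not
    # consulted for this decision.
    for name, iface in INTERFACES.items():
        if dst == iface.ip:
            return ("deliver-local", name)
    # Step 2: only packets addressed to some other host reach the forwarding check.
    if not forwarding:
        return ("drop", None)
    for name, iface in INTERFACES.items():
        if name != arrived_on and dst in iface.network:
            return ("forward", name)
    # Only directly connected networks are modelled; the default route is omitted.
    return ("drop", None)


def probe(forwarding):
    """Two probes sent from the external net, so both arrive on le1."""
    return {
        "le0 address": ip_input("192.9.200.1", "le1", forwarding),
        "internal host": ip_input("192.9.200.7", "le1", forwarding),  # constructed host
    }


if __name__ == "__main__":
    for fwd in (False, True):
        print("forwarding", "on " if fwd else "off", probe(fwd))
```

In this model the probe that distinguishes the two kernel settings is the one to the constructed internal host, not the one to 192.9.200.1.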

