I beg to differ.
Most definitions of routing involve forwarding
of packets based on layer 3 information, which
IP Forwarding on a Solaris machine will happily do,
whether it's advertising or not. If fwd is unloaded or crashes,
and IP Forwarding is on, packets will go right through, routed
or rdisc running or not. You REALLY want IP Forwarding
turned off on your FW1 machine.
If you don't like my definition of routing, here's a
practical example:
I've got an inside network with a class B, which is attached to
my FW1 on the "inside" interface, with an address in the class B.
The FW1 also has an "outside" interface with a class C address,
connected to a Cisco 2500 router which routes the class C. If I
unload FWD, and turn on IP Forwarding, and I put a static route on the
outside 2500 pointing to the inside class B, via the address on the
"outside" interface of my FW1, the outside 2500 can then access
everything inside my firewall. So would anyone doing source routing
from the Internet that I didn't happen to block. I'm not running routed
or rdisc on my FW1.
Ryan
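A small posture audit for the state Ryan and Jerald describe (ip_forwarding off, no in.routed or in.rdisc, a default router defined), added here as an example and not code from any poster in the thread. The check functions take their inputs as arguments so they can be exercised with constructed data off a Solaris box; the live collector assumes ndd(1M), /etc/defaultrouter, a ps whose last column is the command, and the ip_forward_src_routed ndd parameter for the source-routing case Ryan raises.

```sh
#!/bin/sh
# Added audit of the FW-1 gateway routing posture discussed in the thread.
# Inputs are passed as arguments so the logic runs with constructed data on
# any POSIX sh; collect_and_audit gathers the live values on Solaris.

# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
#   $1  ndd /dev/ip ip_forwarding value (0 = off, 1 = on)
#   $2  ndd /dev/ip ip_forward_src_routed value (0 = do not forward)
#   $3  newline-separated list of running command names
#   $4  "yes" if /etc/defaultrouter exists and is non-empty, else "no"
audit_routing_posture() {
    fwd="$1"; srcrt="$2"; procs="$3"; defrouter="$4"; rc=0
    if [ "$fwd" != "0" ]; then
        echo "FINDING: ip_forwarding=$fwd; IP forwards between interfaces whether or not fwd is loaded"
        rc=1
    fi
    if [ "$srcrt" != "0" ]; then
        echo "FINDING: ip_forward_src_routed=$srcrt; source-routed packets would be forwarded"
        rc=1
    fi
    for d in in.routed in.rdisc; do
        if printf '%s\n' "$procs" | grep -qxF "$d"; then
            echo "FINDING: $d is running; no routing daemon belongs on the gateway"
            rc=1
        fi
    done
    if [ "$defrouter" != "yes" ]; then
        echo "FINDING: /etc/defaultrouter absent; standard Solaris then starts in.routed at boot"
        rc=1
    fi
    return $rc
}

# Live collection; only meaningful on a Solaris host (assumed tools above).
collect_and_audit() {
    fwd=$(ndd -get /dev/ip ip_forwarding 2>/dev/null || echo unknown)
    srcrt=$(ndd -get /dev/ip ip_forward_src_routed 2>/dev/null || echo unknown)
    procs=$(ps -e | awk 'NR > 1 { print $NF }' | sed 's#.*/##')
    if [ -s /etc/defaultrouter ]; then dr=yes; else dr=no; fi
    audit_routing_posture "$fwd" "$srcrt" "$procs" "$dr"
}

# Constructed sample: the bad state from the thread (fwd unloaded,
# ip_forwarding on, in.routed running, no default router defined).
SAMPLE_PROCS="init
in.routed
sendmail"
if [ "${AUDIT_LIVE:-0}" = 1 ]; then collect_and_audit; fi
```

Run with AUDIT_LIVE=1 on the gateway to audit the live values; otherwise call audit_routing_posture with your own inputs.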
---------- Previous Message ----------
To: Raymond.Sleiman, daniel
cc: sun-managers, firewalls, fw-1-mailinglist
From: jerald.josephs @ Ebay.Sun.COM (Jerald Josephs) @ smtp
Date: 02/20/97 01:28:51 PM
Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
"Routing" is not enabled when FireWall-1 starts,
ip_forwarding is.
These are two separate things.
You should not run in.routed nor should you run in.rdisc on your
firewall gateway.
The best way to prevent this is to define a default router.
However, you can block RIP from being broadcast to any network
by disabling broadcasts in that network object.
Prevent in.rdisc from running at all by renaming /usr/sbin/in.rdisc
Jerald E. Josephs
Course Developer - Network Security
Sun Educational Services
Phone/VM: 408-276-0941
FAX: 408-276-1565
E-mail: jerald.josephs@EBay.Sun.COM
> From fw-1-mailinglist-owner@us.checkpoint.com Wed Feb 19 17:28:04 1997
> X-Authentication-Warning: loudecho.us.checkpoint.com: majordom set sender to owner-fw-1-mailinglist@us.checkpoint.com using -f
> Date: Wed, 19 Feb 1997 12:14:14 +0000 (GMT)
> From: Daniel Strawson <daniel@elmail.co.uk>
> To: Raymond Sleiman-Gestronic Systems Integration Manager <Raymond.Sleiman@mail.gestronic.ch>
> cc: sun-managers <sun-managers@ra.mcs.anl.gov>,
> firewalls <firewalls@GreatCircle.COM>,
> fw-1-mailinglist <fw-1-mailinglist@us.checkpoint.com>
> Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
> MIME-Version: 1.0
>
>
> Raymond -
>
> Routing is enabled when your SS5 is running FW-1; it should be disabled
> (if FW-1 has been correctly installed) during boot and whilst FW-1 runs
> up.
>
> If you want to tell your firewall to stop broadcasting routing info, just
> stop the routing daemon (routed). Either edit its startup file or set a
> default route manually (edit /etc/defaultrouter). On standard Solaris,
> this file will cause the routing daemon not to start.
>
> Cheers,
>
> Daniel
>
>
> On Wed, 19 Feb 1997, Raymond Sleiman-Gestronic Systems Integration Manager wrote:
>
> > Hello,
> > Could someone tell me if the routing is enabled or disabled when
> > firewall 2.1 is running on a SparcStation 5 running Solaris 2.5.1? If
> > not, is it possible to tell the routing daemon not to send routing
> > tables to other machines on the network?
> > Thanks
> >
> > --
> > _________________________________________________________
> > Raymond Sleiman Systems Integration Manager
> > GESTRONIC S.A Phone # +41 22 342 71 50
> > 25 rue jacques grosselin Fax # +41 22 343 91 16
> > 1227 Carouge Geneve Mobile # +41 79 200 81 03
> > Switzerland Direct # +41 22 342 25 27
> >
> > email: Raymond.Sleiman@gestronic.ch
> >
> > X400:/S=Sleiman/O=Gestronic/P=SWITCH/A=ARCOM/C=ch/@chx400.switch.ch
> >
> > >>>> Visit us on the WEB http://www.gestronic.ch <<<<
> > >>>> Visit our Job page http://www.gestronic.ch/jobs.html <<<<
> > _________________________________________________________
> >
> >
>