Ryan,
My apologies to the list if this is a repeat posting. It's a good
idea to disable ip_forwarding in Solaris (see below) & use
'fw ctl ip_forwarding always' to let FW-1 assume control
over IP forwarding. I have seen others suggest disabling
the forwarding of source-routed packets, but this seems redundant
to me. If you forward no packets, source routed packets will
certainly not get forwarded. Disabling RIP & rdisc isn't a bad
idea if it isn't vital for you.
HTH.
Regards,
Eric
Eric R. Johnson
Technical Support Engineer
Internet Products
SunService
Phone: (508)-442-1071
Fax: (508)-442-1500
EMail: eric.johnson@east.sun.com
----
/etc/rc2.d/S69inet (excerpt):

# Machine is a router: turn on ip_forwarding, run routed,
# and advertise ourselves as a router using router discovery.
echo "machine is a router."
# Stock line, commented out so the rc script no longer enables forwarding:
# ndd -set /dev/ip ip_forwarding 1
# Boot with forwarding off; FW-1 takes control of it in S95firewall1.
ndd -set /dev/ip ip_forwarding 0
if [ -f /usr/sbin/in.routed ]; then
    /usr/sbin/in.routed -s
fi
if [ -f /usr/sbin/in.rdisc ]; then
    /usr/sbin/in.rdisc -r
fi

/etc/rc2.d/S95firewall1:

#!/bin/sh
# FW-1 Start
if [ -f /opt/SUNWfw/bin/fwstart ]; then
    FWDIR=/opt/SUNWfw
    export FWDIR
    /opt/SUNWfw/bin/fwstart
fi
# Hand IP forwarding over to FW-1 rather than leaving it to the kernel setting.
/etc/fw/bin/fw ctl ip_forwarding always
# FW-1 END
> I beg to differ.
>
> Most definitions of routing involve forwarding
> of packets based on layer 3 information, which
> IP Forwarding on a Solaris machine will happily do,
> whether it's advertising or not. If fwd is unloaded or crashes,
> and IP Forwarding is on, packets will go right through, routed
> or rdisc running or not. You REALLY want IP Forwarding
> turned off on your FW1 machine.
>
> If you don't like my definition of routing, here's a
> practical example:
>
> I've got an inside network with a class B, which is attached to
> my FW1 on the "inside" interface, with an address in the class B.
> The FW1 also has an "outside" interface with a class C address,
> connected to a Cisco 2500 router which routes the class C. If I
> unload FWD, and turn on IP Forwarding, and I put a static route on the
> outside 2500 pointing to the inside class B, via the address on the
> "outside" interface of my FW1, the outside 2500 can then access
> everything inside my firewall. So would anyone doing source routing
> from the Internet that I didn't happen to block. I'm not running routed
> or rdisc on my FW1.
>
> Ryan
>
>
>
> ---------- Previous Message ----------
> To: Raymond.Sleiman, daniel
> cc: sun-managers, firewalls, fw-1-mailinglist
> From: jerald.josephs @ Ebay.Sun.COM (Jerald Josephs) @ smtp
> Date: 02/20/97 01:28:51 PM
> Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
>
> "Routing" is not enabled when FireWall-1 starts,
> ip_forwarding is.
>
> These are two separate things.
>
> You should not run in.routed nor should you run in.rdisc on your
> firewall gateway.
>
> The best way to prevent this is to define a default router.
>
> However, you can block RIP from being broadcast to any network
> by disabling broadcasts in that network object.
>
> Prevent in.rdisc from running at all by renaming /usr/sbin/in.rdisc
>
>
> Jerald E. Josephs
> Course Developer - Network Security
> Sun Educational Services
> Phone/VM: 408-276-0941
> FAX: 408-276-1565
> E-mail: jerald.josephs@EBay.Sun.COM
>
>
> > From fw-1-mailinglist-owner@us.checkpoint.com Wed Feb 19 17:28:04 1997
> > X-Authentication-Warning: loudecho.us.checkpoint.com: majordom set sender to owner-fw-1-mailinglist@us.checkpoint.com using -f
> > Date: Wed, 19 Feb 1997 12:14:14 +0000 (GMT)
> > From: Daniel Strawson <daniel@elmail.co.uk>
> > To: Raymond Sleiman-Gestronic Systems Integration Manager <Raymond.Sleiman@mail.gestronic.ch>
> > cc: sun-managers <sun-managers@ra.mcs.anl.gov>,
> > firewalls <firewalls@GreatCircle.COM>,
> > fw-1-mailinglist <fw-1-mailinglist@us.checkpoint.com>
> > Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
> > MIME-Version: 1.0
> >
> >
> > Raymond -
> >
> > Routing is enabled when your SS5 is running FW-1; it should be disabled
> > (if FW-1 has been correctly installed) during boot and whilst FW-1 runs
> > up.
> >
> > If you want to tell your firewall to stop broadcasting routing info, just
> > stop the routing daemon (routed). Either edit its startup file or set a
> > default route manually (edit /etc/defaultrouter). On standard solaris,
> > this file will cause the routing daemon not to start.
> >
> > Cheers,
> >
> > Daniel
> >
> >
> > On Wed, 19 Feb 1997, Raymond Sleiman-Gestronic Systems Integration Manager wrote:
> >
> > > Hello,
> > > Could someone tell me if the routing is enabled or disabled when
> > > firewall 2.1 is running in a SparcStation 5 running Solaris 2.5.1? If
> > > not, is it possible to tell the routing daemon not to give its routing
> > > tables to other machines on the network?
> > > Thanks
> > >
> > > --
> > > _________________________________________________________
> > > Raymond Sleiman Systems Integration Manager
> > > GESTRONIC S.A Phone # +41 22 342 71 50
> > > 25 rue jacques grosselin Fax # +41 22 343 91 16
> > > 1227 Carouge Geneve Mobile # +41 79 200 81 03
> > > Switzerland Direct # +41 22 342 25 27
> > >
> > > email: Raymond.Sleiman@gestronic.ch
> > >
> > > X400:/S=Sleiman/O=Gestronic/P=SWITCH/A=ARCOM/C=ch/@chx400.switch.ch
> > >
> > > >>>> Visit us on the WEB http://www.gestronic.ch <<<<
> > > >>>> Visit our Job page http://www.gestronic.ch/jobs.html <<<<
> > > _________________________________________________________
> > >
> > >
> >
>
>
>
>
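As an added example, not part of this thread and not FW-1 or Sun code, here is a small POSIX shell audit that checks rc scripts such as the ones Eric edited above for an uncommented "ndd -set /dev/ip ip_forwarding 1" and for in.routed / in.rdisc start lines. It ignores comment lines, so a commented-out "ndd ... 1" does not count as a finding. The three sample scripts it feeds itself (a stock S69inet, Eric's edited version, and a hardened one) are constructed here for illustration; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): audit Solaris-style rc
# scripts for settings that make a firewall host forward packets on its
# own. Sample scripts and paths below are constructed for illustration.

# strip_comments FILE: drop comment lines and trailing "# ..." comments.
# (A "#" inside a quoted string is also stripped; good enough for rc files.)
strip_comments() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# forwarding_setting FILE: last ip_forwarding value set by an uncommented
# "ndd -set /dev/ip ip_forwarding N" line, or "unset" if there is none.
forwarding_setting() {
    v=$(strip_comments "$1" |
        sed -n 's#.*ndd[[:space:]]*-set[[:space:]]*/dev/ip[[:space:]]*ip_forwarding[[:space:]]*\([01]\).*#\1#p' |
        tail -n 1)
    [ -n "$v" ] && echo "$v" || echo unset
}

# starts_daemon FILE DAEMON: true if FILE references /usr/sbin/DAEMON
# outside a comment (the stock script tests for it and then runs it).
starts_daemon() {
    strip_comments "$1" | grep -q "/usr/sbin/$2"
}

# audit_rc FILE: print findings. Exit status: 0 clean, 1 if the script
# enables ip_forwarding, 2 if it only starts in.routed / in.rdisc.
audit_rc() {
    status=0
    case "$(forwarding_setting "$1")" in
        1)     echo "$1: FAIL ndd enables ip_forwarding (set 0; let FW-1 control it)"; status=1 ;;
        0)     echo "$1: ok   ip_forwarding set to 0" ;;
        unset) echo "$1: info no ndd ip_forwarding line (kernel default applies)" ;;
    esac
    for d in in.routed in.rdisc; do
        if starts_daemon "$1" "$d"; then
            echo "$1: WARN starts $d (RIP / router discovery on a firewall)"
            if [ "$status" -eq 0 ]; then status=2; fi
        fi
    done
    return "$status"
}

# Constructed sample rc scripts (not real system files).
tmp=$(mktemp -d)
stock="$tmp/S69inet.stock"         # as shipped: forwarding on, daemons started
edited="$tmp/S69inet.edited"       # forwarding line commented out and set to 0
hardened="$tmp/S69inet.hardened"   # forwarding off, daemons not started

cat > "$stock" <<'EOF'
echo "machine is a router."
ndd -set /dev/ip ip_forwarding 1
if [ -f /usr/sbin/in.routed ]; then
    /usr/sbin/in.routed -s
fi
if [ -f /usr/sbin/in.rdisc ]; then
    /usr/sbin/in.rdisc -r
fi
EOF

cat > "$edited" <<'EOF'
echo "machine is a router."
# ndd -set /dev/ip ip_forwarding 1   # commented out
ndd -set /dev/ip ip_forwarding 0
if [ -f /usr/sbin/in.routed ]; then
    /usr/sbin/in.routed -s
fi
if [ -f /usr/sbin/in.rdisc ]; then
    /usr/sbin/in.rdisc -r
fi
EOF

cat > "$hardened" <<'EOF'
ndd -set /dev/ip ip_forwarding 0
# in.routed and in.rdisc deliberately not started on the firewall
EOF

for f in "$stock" "$edited" "$hardened"; do
    audit_rc "$f"
    echo "  -> exit status $?"
done
```

Run it against the real /etc/rc2.d/S69inet and S95firewall1 with audit_rc on each file; a non-zero status on S69inet means the stock "ndd ... ip_forwarding 1" line is still live and the box will forward on its own whenever the FW-1 module is not loaded, which is exactly the case Ryan describes.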