Okay, now that we have clarified the argument, I *still* disagree
with you because I understand that the routing of a packet is the
intelligent movement of a packet based upon data obtained from a table
of known routes.
Enabling ip_forwarding says that if a multi-homed host sees a packet
entering one interface with a DST IP address in the IP header that
happens to belong on a network that is directly attached to another
interface on that host, the host will simply move the packet to the
TCP/IP protocol stack associated with the destination interface.
Now, you may be able to nail me down technically with information you
have, but wouldn't you agree (in a general sense) that postings
to this alias have discussed routing protocols and postings have discussed
ip_forwarding as if they are two different things?
/\ Jerald E. Josephs
\\ \ Course Developer - Network Security
\ \\ / Sun Educational Services
/ \/ / /
/ / \//\
\//\ / /
/ / /\ /
/ \\ \ Phone/VM: 408-276-0941
\ \\ FAX: 408-276-1565
\/ E-mail: jerald.josephs@EBay.Sun.COM
> From Ryan Russell/SYBASE Fri Feb 21 15:57:09 1997
> To: JERALD JOSEPHS <jerald.josephs@Sun.COM>
> Cc: Ryan Russell/SYBASE <Ryan.Russell@sybase.com>,
> Jerald Josephs <jerald.josephs@Ebay>,
> "Raymond.Sleiman" <Raymond.Sleiman@mail.gestronic.ch>,
> daniel <daniel@elmail.co.uk>,
> sun-managers <sun-managers@ra.mcs.anl.gov>,
> firewalls <firewalls@GreatCircle.COM>,
> fw-1-mailinglist <fw-1-mailinglist@us.checkpoint.com>
> From: Ryan Russell/SYBASE <Ryan.Russell@sybase.com>
> Date: 21 Feb 97 16:04:27 EDT
> Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
> X-Lotus-Type: Reply All
> Mime-Version: 1.0
>
> The only point I will disagree with is that all policies stay in place
> when the daemon dies. I don't believe this is the case 100% of the time.
>
> Anyway, what you've described is what is in the firewall-1 docs, but the point
> has been made that too many implementors for FW1 miss that section.
>
> My original argument was that IP Forwarding *IS* routing, which you
> disagreed with.
>
>
> Ryan
>
> ---------- Previous Message ----------
> To: Ryan.Russell
> cc: jerald.josephs, Raymond.Sleiman, daniel, sun-managers, firewalls,
> fw-1-mailinglist
> From: jerald.josephs @ Sun.COM (JERALD JOSEPHS) @ smtp
> Date: 02/21/97 10:37:46 AM
> Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
>
> Ryan,
>
> You are correct, but you are not actually disagreeing with my
> post that you reference below.
>
> We agree on not running in.routed and in.rdisc.
> We agree that ip_forwarding should be 0 on the gateway.
> We also know that if FW-1 starts up, it will change ip_forwarding.
> We also know that if the FW-1 daemons die, the policy is still enforced.
> It isn't until fwstop executes `fw unload all.all` and
> `fw ctl uninstall`, which leaves the gateway wide open.
>
> A previous post of mine discussed that ip_forwarding is set to 2
> initially by Solaris on any multihomed host.
>
> This is not what we want and you have emphasized that. I agree with
> you.
>
> Therefore, if one creates an /etc/defaultrouter file on Solaris with
> the IP address of your Cisco 2500, for example, we don't run any routing
> daemons on the gateway, which is good.
>
> But, ip_forwarding stays at 2, which is bad.
>
> So we need to add a line to /etc/init.d/inetinit to set ip_forwarding
> to 0 if [ -z $defrouters ] returns 0.
>
> I have attached a modified /etc/init.d/inetinit as an example.
> I quickly made an edit, but I did not test it against errors.
>
> Look at the bottom
>
>
> /\ Jerald E. Josephs
> \\ \ Course Developer - Network Security
> \ \\ / Sun Educational Services
> / \/ / /
> / / \//\
> \//\ / /
> / / /\ /
> / \\ \ Phone/VM: 408-276-0941
> \ \\ FAX: 408-276-1565
> \/ E-mail: jerald.josephs@EBay.Sun.COM
>
> Ryan Russell/SYBASE wrote:
> >
> > I beg to differ.
> >
> > Most definitions of routing involve forwarding
> > of packets based on layer 3 information, which
> > IP Forwarding on a Solaris machine will happily do,
> > whether it's advertising or not. If fwd is unloaded or crashes,
> > and IP Forwarding is on, packets will go right through, routed
> > or rdisc running or not. You REALLY want IP Forwarding
> > turned off on your FW1 machine.
> >
> > If you don't like my definition of routing, here's a
> > practical example:
> >
> > I've got an inside network with a class B, which is attached to
> > my FW1 on the "inside" interface, with an address in the class B.
> > The FW1 also has an "outside" interface with a class C address,
> > connected to a Cisco 2500 router which routes the class C. If I
> > unload FWD, and turn on IP Forwarding, and I put a static route on the
> > outside 2500 pointing to the inside class B, via the address on the
> > "outside" interface of my FW1, the outside 2500 can then access
> > everything inside my firewall. So would anyone doing source routing
> > from the Internet that I didn't happen to block. I'm not running routed
> > or rdisc on my FW1.
> >
> > Ryan
> >
> > ---------- Previous Message ----------
> > To: Raymond.Sleiman, daniel
> > cc: sun-managers, firewalls, fw-1-mailinglist
> > From: jerald.josephs @ Ebay.Sun.COM (Jerald Josephs) @ smtp
> > Date: 02/20/97 01:28:51 PM
> > Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
> >
> > "Routing" is not enabled when FireWall-1 starts,
> > ip_forwarding is.
> >
> > These are two separate things.
> >
> > You should not run in.routed nor should you run in.rdisc on your
> > firewall gateway.
> >
> > The best way to prevent this is to define a default router.
> >
> > However, you can block RIP from being broadcast to any network
> > by disabling broadcasts in that network object.
> >
> > Prevent in.rdisc from running at all by renaming /usr/sbin/in.rdisc
> >
> > /\ Jerald E. Josephs
> > \\ \ Course Developer - Network Security
> > \ \\ / Sun Educational Services
> > / \/ / /
> > / / \//\
> > \//\ / /
> > / / /\ /
> > / \\ \ Phone/VM: 408-276-0941
> > \ \\ FAX: 408-276-1565
> > \/ E-mail: jerald.josephs@EBay.Sun.COM
> >
> > > From fw-1-mailinglist-owner@us.checkpoint.com Wed Feb 19 17:28:04 1997
> > > X-Authentication-Warning: loudecho.us.checkpoint.com: majordom set sender to
> > owner-fw-1-mailinglist@us.checkpoint.com using -f
> > > Date: Wed, 19 Feb 1997 12:14:14 +0000 (GMT)
> > > From: Daniel Strawson <daniel@elmail.co.uk>
> > > To: Raymond Sleiman-Gestronic Systems Integration Manager
> > <Raymond.Sleiman@mail.gestronic.ch>
> > > cc: sun-managers <sun-managers@ra.mcs.anl.gov>,
> > > firewalls <firewalls@GreatCircle.COM>,
> > > fw-1-mailinglist <fw-1-mailinglist@us.checkpoint.com>
> > > Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
> > > MIME-Version: 1.0
> > >
> > >
> > > Raymond -
> > >
> > > Routing is enabled when your SS5 is running FW-1; it should be disabled
> > > (if FW-1 has been correctly installed) during boot and whilst FW-1 runs
> > > up.
> > >
> > > If you want to tell your firewall to stop broadcasting routing info, just
> > > stop the routing daemon (routed). Either edit its startup file or set a
> > > default route manually (edit /etc/defaultrouter). On standard Solaris,
> > > this file will cause the routing daemon not to start.
> > >
> > > Cheers,
> > >
> > > Daniel
> > >
> > >
> > > On Wed, 19 Feb 1997, Raymond Sleiman-Gestronic Systems Integration Manager
> > wrote:
> > >
> > > > Hello,
> > > > Could someone tell me if the routing is enabled or disabled when
> > > > firewall 2.1 is running on a SparcStation 5 running Solaris 2.5.1? If
> > > > not, is it possible to tell the routing daemon not to send routing
> > > > tables to other machines on the network?
> > > > Thanks
> > > >
> > > > --
> > > > _________________________________________________________
> > > > Raymond Sleiman Systems Integration Manager
> > > > GESTRONIC S.A Phone # +41 22 342 71 50
> > > > 25 rue jacques grosselin Fax # +41 22 343 91 16
> > > > 1227 Carouge Geneve Mobile # +41 79 200 81 03
> > > > Switzerland Direct # +41 22 342 25 27
> > > >
> > > > email: Raymond.Sleiman@gestronic.ch
> > > >
> > > > X400:/S=Sleiman/O=Gestronic/P=SWITCH/A=ARCOM/C=ch/@chx400.switch.ch
> > > >
> > > > >>>> Visit us on the WEB http://www.gestronic.ch <<<<
> > > > >>>> Visit our Job page http://www.gestronic.ch/jobs.html <<<<
> > > > _________________________________________________________
> > > >
> > > >
> > >
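As an added example (not a script from the thread, and not Jerald's attached inetinit edit, which is not reproduced here): the check the thread converges on, written as a POSIX sh fragment that could be called from /etc/init.d/inetinit on a Solaris 2.5.1 gateway. It assumes /usr/sbin/ndd is the tool that sets the ip_forwarding tunable and that /etc/defaultrouter holds one router per line with # comments, as Daniel and Jerald describe. The DRYRUN switch and the function names are hypothetical additions for review and testing; DRYRUN=1 prints the ndd command instead of running it.

```sh
#!/bin/sh
# Added example: set ip_forwarding to 0 on a FW-1 gateway once a static
# default router is configured, so the box never forwards on its own if
# fwd is unloaded or dies. Assumes /usr/sbin/ndd (Solaris 2.x) controls
# the tunable. DRYRUN=1 is a hypothetical switch that only echoes commands.

DEFAULTROUTER=${DEFAULTROUTER:-/etc/defaultrouter}

# List the routers named in a defaultrouter file: one host or address per
# line, '#' comments and blank lines ignored. Prints nothing if the file
# is absent (the case in which Solaris would start in.routed/in.rdisc).
list_defrouters() {
    [ -f "$1" ] || return 0
    awk '{ sub(/#.*/, "") } NF { print $1 }' "$1"
}

# Run ndd, or just echo the command line when DRYRUN=1.
run_ndd() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "ndd $*"
    else
        /usr/sbin/ndd "$@"
    fi
}

# Decide the ip_forwarding value for this host. A static default router
# means no routing daemons run, and a firewall gateway must then not
# forward by itself, so the answer is 0. With no default router the box
# would start routing daemons, which the thread says not to run on a
# gateway; report that on stderr and fail rather than guess.
desired_ip_forwarding() {
    if [ -n "$(list_defrouters "$1")" ]; then
        echo 0
        return 0
    fi
    echo "no default router in $1; routing daemons would start" >&2
    return 1
}

# Apply the decision (prints the ndd invocation under DRYRUN=1).
apply_ip_forwarding() {
    value=$(desired_ip_forwarding "$1") || return 1
    run_ndd -set /dev/ip ip_forwarding "$value"
}

# Audit helper: takes the reply of `ndd -get /dev/ip ip_forwarding`
# (a bare number) and succeeds only when forwarding is fully off.
forwarding_is_off() {
    [ "$(echo "$1" | tr -d ' \n')" = 0 ]
}

# Stand-alone use: `sh this.sh apply` (add DRYRUN=1 to preview the command).
case "${1:-}" in
    apply) apply_ip_forwarding "$DEFAULTROUTER" ;;
esac
```

Dropping the fragment into inetinit after the defaultrouter check reproduces what the thread asks for; running `forwarding_is_off "$(/usr/sbin/ndd -get /dev/ip ip_forwarding)"` after boot is the matching check that the setting actually took.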