Hello,
What OSPF patch can I get from Sun for VLSM?
I'd like to have one for 2.5.1 and 1.1.2. Any idea?
Thanx,
---Hans.
----------
From: Ryan Russell/SYBASE [SMTP:Ryan . Russell @ sybase . com]
Sent: Wednesday, February 26, 1997 5:46 PM
To: Joe Loiacono
Cc: JERALD JOSEPHS; Ryan Russell/SYBASE; Jerald Josephs; Raymond.Sleiman; daniel; sun-managers; firewalls; fw-1-mailinglist
Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
I can take one guess..
Back to a thread on the firewalls list a few months ago,
about VLSM on Sun boxes. As shipped in most cases,
SunOS and Solaris only do fixed-length subnet masks.
So, if you've turned off routed and rdisc, they can no longer
receive external route info. Perhaps your internal network
is subnetted? Say it's 172.1.x.x, and it's subnetted, so the
inside firewall interface is 172.1.1.1. The Sun box will now only
be able to talk to 172.1.1.X on the inside because that's the only
subnet it knows about (it knows because it has a static route
for the directly attached net.)
You can't add an entry for the net 172.1.x.x, you'll just confuse the
Sun box.
If this is the problem, you've got three choices that I know of:
- Add a separate static route for each subnet on the inside
- Knock the subnet mask back to the natural one, and turn on
proxy arp on the router
- Get the OSPF patch from Sun which lets you do variable
length subnet masks.
Hope this helps.
Ryan
---------- Previous Message ----------
To: jerald.josephs
cc: Ryan.Russell, jerald.josephs, Raymond.Sleiman, daniel, sun-managers,
firewalls, fw-1-mailinglist
From: jloiacon @ csc.com (Joe Loiacono) @ smtp
Date: 02/26/97 02:57:59 PM
Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
JERALD JOSEPHS wrote:
> > You should not run in.routed nor should you run in.rdisc on your
> > firewall gateway.
OK, I'll buy this. My guess is that you shouldn't run routed because it
is susceptible to attack, as well as you don't want to advertise info
(routing info) about your network.
So, I turned them off (reboot with newly included defaultrouter file).
However, now I can't get packets to forward, even though:
1. IP forwarding is on (=1, I've even set it to 2 since I have a DMZ)
2. Routing table (netstat -rvn) still has all route/gateway pairs
including default
3. /etc/defaultrouter file has appropriate gateway
4. FW-1 is running (I've stopped (forwarding goes off) and restarted it)
Anything obviously out of whack? Any help would be greatly
appreciated...
Thanks, Joe
--
In theory, theory and practice are the same;
In practice, they're not even close!
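
The fixed-length subnet mask behaviour described in Ryan's reply, as an added example that is not part of the original thread: a simplified Python model of a route lookup that stores no per-route mask. The /24 interface mask, the inside router 172.1.1.254, the outside default gateway 192.0.2.1, and the fall-through to the default route are assumptions made for illustration.

```python
import ipaddress

def natural_prefix(addr):
    """Classful (natural) prefix length, taken from the first octet."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    return 8 if first < 128 else 16 if first < 192 else 24

def net_key(dest, iface):
    """Network number a fixed-length-mask host derives for dest.

    Inside the interface's own natural network the interface's subnet
    mask is reused for every destination; elsewhere the natural mask is used.
    """
    own = ipaddress.ip_network(f"{iface.ip}/{natural_prefix(iface.ip)}", strict=False)
    d = ipaddress.IPv4Address(dest)
    plen = iface.network.prefixlen if d in own else natural_prefix(d)
    return str(ipaddress.ip_network(f"{d}/{plen}", strict=False).network_address)

def lookup(dest, routes, iface):
    """Exact match on the derived network number, else the default route."""
    return routes.get(net_key(dest, iface), routes.get("default"))

# Constructed sample data (not from the thread).
IFACE = ipaddress.ip_interface("172.1.1.1/24")   # inside firewall interface
INSIDE_ROUTER = "172.1.1.254"                    # hypothetical inside router
BASE = {"172.1.1.0": "direct", "default": "192.0.2.1"}

def demo():
    """Next hop for 172.1.2.5 under three routing tables."""
    results = {}
    # 1. routed/rdisc off: only the directly attached subnet is known.
    results["attached only"] = lookup("172.1.2.5", BASE, IFACE)
    # 2. One entry for the whole net is read as subnet 172.1.0.x only.
    whole = dict(BASE, **{"172.1.0.0": INSIDE_ROUTER})
    results["whole-net entry"] = lookup("172.1.2.5", whole, IFACE)
    # 3. First option in the list: a static route per inside subnet.
    per_subnet = dict(BASE, **{"172.1.2.0": INSIDE_ROUTER})
    results["per-subnet route"] = lookup("172.1.2.5", per_subnet, IFACE)
    return results

if __name__ == "__main__":
    for table, hop in demo().items():
        print(f"{table:18} -> {hop}")
```

In this model, traffic for the other inside subnets leaves via the outside default gateway until a route for each subnet is present.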