The only point I will disagree with is that all policies stay in place
when the daemon dies. I don't believe this is the case 100% of the time.
Anyway, what you've described is what is in the firewall-1 docs, but the point
has been made that too many implementors for FW1 miss that section.
My original argument was that IP Forwarding *IS* routing, which you
disagreed with.
Ryan
---------- Previous Message ----------
To: Ryan.Russell
cc: jerald.josephs, Raymond.Sleiman, daniel, sun-managers, firewalls,
fw-1-mailinglist
From: jerald.josephs @ Sun.COM (JERALD JOSEPHS) @ smtp
Date: 02/21/97 10:37:46 AM
Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
Ryan,
You are correct, but you are not actually disagreeing with my
post that you reference below.
We agree on not running in.routed and in.rdisc.
We agree that ip_forwarding should be 0 on the gateway.
We also know that if FW-1 starts up, it will change ip_forwarding.
We also know that if the FW-1 daemons die, the policy is still enforced.
It isn't until fwstop executes `fw unload all.all` and
`fw ctl uninstall`, which leaves the gateway wide open.
A previous post of mine discussed that ip_forwarding is set to 2
initially by Solaris on any multihomed host.
This is not what we want and you have emphasized that. I agree with
you.
Therefore, if one creates an /etc/defaultrouter file on Solaris with
the IP address of your Cisco 2500, for example, we don't run any routing
daemons on the gateway, which is good.
But, ip_forwarding stays at 2, which is bad.
So we need to add a line to /etc/init.d/inetinit to set ip_forwarding
to 0 if [ -z $defrouters ] returns 0.
I have attached a modified /etc/init.d/inetinit as an example.
I quickly made an edit, but I did not test it against errors.
Look at the bottom
Jerald E. Josephs
Course Developer - Network Security
Sun Educational Services
Phone/VM: 408-276-0941
FAX: 408-276-1565
E-mail: jerald.josephs@EBay.Sun.COM
Ryan Russell/SYBASE wrote:
>
> I beg to differ.
>
> Most definitions of routing involve forwarding
> of packets based on layer 3 information, which
> IP Forwarding on a Solaris machine will happily do,
> whether it's advertising or not. If fwd is unloaded or crashes,
> and IP Forwarding is on, packets will go right through, routed
> or rdisc running or not. You REALLY want IP Forwarding
> turned off on your FW1 machine.
>
> If you don't like my definition of routing, here's a
> practical example:
>
> I've got an inside network with a class B, which is attached to
> my FW1 on the "inside" interface, with an address in the class B.
> The FW1 also has an "outside" interface with a class C address,
> connected to a Cisco 2500 router which routes the class C. If I
> unload FWD, and turn on IP Forwarding, and I put a static route on the
> outside 2500 pointing to the inside class B, via the address on the
> "outside" interface of my FW1, the outside 2500 can then access
> everything inside my firewall. So would anyone doing source routing
> from the Internet that I didn't happen to block. I'm not running routed
> or rdisc on my FW1.
>
> Ryan
>
> ---------- Previous Message ----------
> To: Raymond.Sleiman, daniel
> cc: sun-managers, firewalls, fw-1-mailinglist
> From: jerald.josephs @ Ebay.Sun.COM (Jerald Josephs) @ smtp
> Date: 02/20/97 01:28:51 PM
> Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
>
> "Routing" is not enabled when FireWall-1 starts,
> ip_forwarding is.
>
> These are two separate things.
>
> You should not run in.routed nor should you run in.rdisc on your
> firewall gateway.
>
> The best way to prevent this is to define a default router.
>
> However, you can block RIP from being broadcast to any network
> by disabling broadcasts in that network object.
>
> Prevent in.rdisc from running at all by renaming /usr/sbin/in.rdisc
>
>
> > From fw-1-mailinglist-owner@us.checkpoint.com Wed Feb 19 17:28:04 1997
> > X-Authentication-Warning: loudecho.us.checkpoint.com: majordom set sender to owner-fw-1-mailinglist@us.checkpoint.com using -f
> > Date: Wed, 19 Feb 1997 12:14:14 +0000 (GMT)
> > From: Daniel Strawson <daniel@elmail.co.uk>
> > To: Raymond Sleiman-Gestronic Systems Integration Manager <Raymond.Sleiman@mail.gestronic.ch>
> > cc: sun-managers <sun-managers@ra.mcs.anl.gov>,
> > firewalls <firewalls@GreatCircle.COM>,
> > fw-1-mailinglist <fw-1-mailinglist@us.checkpoint.com>
> > Subject: Re: [FW1] Firewall 2.1 , Solaris and rouing
> > MIME-Version: 1.0
> >
> >
> > Raymond -
> >
> > Routing is enabled when your SS5 is running FW-1; it should be disabled
> > (if FW-1 has been correctly installed) during boot and whilst FW-1 runs
> > up.
> >
> > If you want to tell your firewall to stop broadcasting routing info, just
> > stop the routing daemon (routed). Either edit its startup file or set a
> > default route manually (edit /etc/defaultrouter). On standard solaris,
> > this file will cause the routing daemon not to start.
> >
> > Cheers,
> >
> > Daniel
> >
> >
> > On Wed, 19 Feb 1997, Raymond Sleiman-Gestronic Systems Integration Manager
> wrote:
> >
> > > Hello,
> > > Could someone tell me if routing is enabled or disabled when
> > > Firewall 2.1 is running on a SPARCstation 5 running Solaris 2.5.1? If
> > > not, is it possible to tell the routing daemon not to send its routing
> > > tables to other machines on the network?
> > > Thanks
> > >
> > > --
> > > _________________________________________________________
> > > Raymond Sleiman Systems Integration Manager
> > > GESTRONIC S.A Phone # +41 22 342 71 50
> > > 25 rue jacques grosselin Fax # +41 22 343 91 16
> > > 1227 Carouge Geneve Mobile # +41 79 200 81 03
> > > Switzerland Direct # +41 22 342 25 27
> > >
> > > email: Raymond.Sleiman@gestronic.ch
> > >
> > > X400:/S=Sleiman/O=Gestronic/P=SWITCH/A=ARCOM/C=ch/@chx400.switch.ch
> > >
> > > >>>> Visit us on the WEB http://www.gestronic.ch <<<<
> > > >>>> Visit our Job page http://www.gestronic.ch/jobs.html <<<<
> > > _________________________________________________________
> > >
> > >
> >
#
#	Copyright (c) 1995, by Sun Microsystems, Inc.
#	All Rights Reserved
#
#ident	"@(#)inetinit 1.20	95/02/24 SMI"
#
# This is the second phase of TCP/IP configuration.  The first part,
# run in the "/etc/rcS.d/S30rootusr.sh" script, does all configuration
# necessary to mount the "/usr" filesystem via NFS.  This includes configuring
# the interfaces and setting the machine's hostname.  The second part,
# run in this script, does all configuration that can be done before
# NIS or NIS+ is started.  This includes configuring IP routing,
# setting the NIS domainname and setting any tunable parameters.  The
# third part, run in a subsequent startup script, does all
# configuration that may be dependent on NIS/NIS+ maps.  This includes
# a final re-configuration of the interfaces and starting all internet
# services.
#

#
# Set configurable parameters.
#
ndd -set /dev/tcp tcp_old_urp_interpretation 1

#
# Configure default routers using the local "/etc/defaultrouter"
# configuration file.  The file can contain the hostnames or IP
# addresses of one or more default routers.  If hostnames are used,
# each hostname must also be listed in the local "/etc/hosts" file
# because NIS and NIS+ are not running at the time that this script is
# run.  Each router name or address is listed on a single line by
# itself in the file.  Anything else on that line after the router's
# name or address is ignored.  Lines that begin with "#" are
# considered comments and ignored.
#
# The default routes listed in the "/etc/defaultrouter" file will
# replace those added by the kernel during diskless booting.  An
# empty "/etc/defaultrouter" file will cause the default route
# added by the kernel to be deleted.
#
if [ -f /etc/defaultrouter ]; then
	defrouters=`grep -v \^\# /etc/defaultrouter | awk '{print $1}' `
	if [ -n "$defrouters" ]; then
		#
		# To support diskless operation with a "/usr"
		# filesystem NFS mounted from a server located on a
		# remote subnet, we have to be very careful about
		# replacing default routes.  We want the default
		# routers listed in the "/etc/defaultrouter" file to
		# replace the default router added by the bootparams
		# protocol.  But we can't have a window of time when
		# the system has no default routers in the process.
		# That would cause a deadlock since the "route"
		# command lives on the "/usr" filesystem.
		#
		pass=1
		for router in $defrouters
		do
			if [ $pass -eq 1 ]; then
				/usr/sbin/route -f add default $router 1
			else
				/usr/sbin/route add default $router 1
			fi
			pass=2
		done
	else
		/usr/sbin/route -f
	fi
fi

#
# Set NIS domainname if locally configured.
#
if [ -f /etc/defaultdomain ]; then
	/usr/bin/domainname `cat /etc/defaultdomain`
	echo "NIS domainname is `/usr/bin/domainname`"
fi

#
# Run routed/router discovery only if we don't already have a default
# route installed.
#
if [ -z "$defrouters" ]; then
	#
	# No default routes were setup by "route" command above - check the
	# kernel routing table for any other default routes.
	#
	defrouters="`netstat -rn | grep default`"
fi

if [ -z "$defrouters" ]; then
	#
	# Determine how many active interfaces there are and how many pt-pt
	# interfaces.  Act as a router if there are more than 2 interfaces
	# (including the loopback interface) or one or more point-point
	# interface.  Also act as a router if /etc/gateways exists.
	#
	# Do NOT act as a router if /etc/notrouter exists.
	#
	numifs=`ifconfig -au | grep inet | wc -l`
	numptptifs=`ifconfig -au | grep inet | egrep -e '-->' | wc -l`
	if [ ! -f /etc/notrouter -a \
	    \( $numifs -gt 2 -o $numptptifs -gt 0 -o -f /etc/gateways \) ]
	then
		# Machine is a router: turn on ip_forwarding, run routed,
		# and advertise ourselves as a router using router discovery.
		echo "machine is a router."
		ndd -set /dev/ip ip_forwarding 1
		if [ -f /usr/sbin/in.routed ]; then
			/usr/sbin/in.routed -s
		fi
		if [ -f /usr/sbin/in.rdisc ]; then
			/usr/sbin/in.rdisc -r
			echo "not running router discovery"
		fi
	else
		# Machine is a host: if router discovery finds a router then
		# we rely on router discovery.  If there are not routers
		# advertising themselves through router discovery
		# run routed in space-saving mode.
		# Turn off ip_forwarding
		ndd -set /dev/ip ip_forwarding 0
		if [ -f /usr/sbin/in.rdisc ] && /usr/sbin/in.rdisc -s; then
			echo "starting router discovery."
		elif [ -f /usr/sbin/in.routed ]; then
			/usr/sbin/in.routed -q;
			echo "starting routing daemon."
		fi
	fi
else
	#
	# A default router is already configured, so the block above is
	# skipped and ip_forwarding would keep the kernel default (2 on a
	# multihomed host).  This is the line described in the message
	# above: a FireWall-1 gateway must not forward when fwd is not in
	# the path, so turn ip_forwarding off explicitly.
	#
	ndd -set /dev/ip ip_forwarding 0
fi

# begin static updates
route add 192.168.10.0 129.150.65.72 1
# end static updates
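Added example, not part of the thread and not Sun's or Check Point's code: a Bourne-shell audit of a Solaris 2.x FireWall-1 gateway for the three conditions the messages above agree on (ip_forwarding off, no in.routed or in.rdisc running, a static default router in /etc/defaultrouter), plus a wrapper that turns forwarding off before fwstop so that `fw unload all.all` and `fw ctl uninstall` do not leave a forwarding box behind. It assumes the ip_forwarding semantics Jerald describes (0 never forward, 1 always forward, 2 forward when more than one non-loopback interface is up); the function names, the constructed ifconfig/ps captures and the verdict format are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread, Sun or Check Point: audit a Solaris
# 2.x FireWall-1 gateway for the conditions the messages above converge on.
#
# Assumption (taken from the thread, not verified here): "ndd -get /dev/ip
# ip_forwarding" reports 0 = never forward, 1 = always forward, 2 = forward
# when more than one non-loopback interface is up (the multihomed default).
# Function names, the sample captures and the verdict format are this
# example's own.  Written for the Bourne sh Solaris 2.x ships (backticks,
# no local variables).

# Effective forwarding state for raw value $1 with $2 non-loopback
# interfaces up.  Prints "on" or "off".
forwarding_state() {
	case "$1" in
	0) echo off ;;
	1) echo on ;;
	2) if [ "$2" -gt 1 ]; then echo on; else echo off; fi ;;
	*) echo unknown ;;
	esac
}

# Count non-loopback interfaces in "ifconfig -au" output on stdin.
# Interface headers start in column 1; continuation lines are indented.
count_nonloop_ifs() {
	awk '/^[a-z]/ && !/^lo/ { n++ } END { print n + 0 }'
}

# Count running in.routed / in.rdisc processes in "ps -ef" output on stdin.
count_routing_daemons() {
	awk '/in\.routed|in\.rdisc/ { n++ } END { print n + 0 }'
}

# Verdict for one gateway.  $1 = ip_forwarding value, $2 = "ifconfig -au"
# text, $3 = "ps -ef" text, $4 = yes/no for /etc/defaultrouter present.
# Prints "OK", or "FAIL:" followed by one token per problem.
audit_gateway() {
	nifs=`echo "$2" | count_nonloop_ifs`
	state=`forwarding_state "$1" "$nifs"`
	daemons=`echo "$3" | count_routing_daemons`
	problems=""
	[ "$state" = off ] || problems="$problems ip_forwarding=$1(effective:$state,ifs=$nifs)"
	[ "$daemons" -eq 0 ] || problems="$problems routing-daemons=$daemons"
	[ "$4" = yes ] || problems="$problems no-/etc/defaultrouter"
	if [ -z "$problems" ]; then echo OK; else echo "FAIL:$problems"; fi
}

# Constructed captures (not real output) for a two-interface FW-1 host.
SAMPLE_IFCONFIG='lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
le0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.1 netmask ffffff00 broadcast 192.0.2.255
le1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask ffff0000 broadcast 10.0.255.255'
SAMPLE_PS_BAD='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   135     1  0   Feb 20 ?        0:02 /usr/sbin/in.routed -s
    root   137     1  0   Feb 20 ?        0:00 /usr/sbin/in.rdisc -r
    root   210     1  0   Feb 20 ?        0:05 fwd'
SAMPLE_PS_GOOD='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   210     1  0   Feb 20 ?        0:05 fwd'

# Untouched multihomed install: ip_forwarding=2, routed and rdisc running,
# no /etc/defaultrouter.
demo_default_install() {
	audit_gateway 2 "$SAMPLE_IFCONFIG" "$SAMPLE_PS_BAD" no
}

# After the fix the thread converges on.
demo_hardened() {
	audit_gateway 0 "$SAMPLE_IFCONFIG" "$SAMPLE_PS_GOOD" yes
}

# Live audit of this host (Solaris, as root): invoke with --live.
audit_live() {
	fwd=`ndd -get /dev/ip ip_forwarding`
	ifs=`ifconfig -au`
	procs=`ps -ef`
	if [ -f /etc/defaultrouter ]; then d=yes; else d=no; fi
	audit_gateway "$fwd" "$ifs" "$procs" "$d"
}

# Stop FW-1 without leaving a forwarding gateway behind: "fwstop" runs
# "fw unload all.all" and "fw ctl uninstall", so forwarding must already
# be off before it.  Solaris, as root.
safe_fwstop() {
	ndd -set /dev/ip ip_forwarding 0 && fwstop
}

if [ "$1" = "--live" ]; then
	audit_live
else
	echo "default install: `demo_default_install`"
	echo "hardened:        `demo_hardened`"
fi
```

Run it with no arguments to see the two constructed cases, or with --live on the gateway itself. The audit reads ifconfig -au, the same source inetinit uses to decide whether to turn itself into a router, so a value of 2 is reported as "on" exactly when the boot script would have counted the box as multihomed.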