(summary) Re: Making sure a sun does NOT act as a gateway

From: Frank W. Peters (peters@cc.msstate.edu)
Date: Tue Apr 10 1990 - 11:03:42 CDT


Thanks to everyone who responded to my query about assuring that a Sun 490
doesn't act as a gateway between two nets that it is connected to.

First, most people agreed that the system should not cause any problems
as long as it is not advertising itself as a gateway via routed or
proxyarp. But, to assure this it is possible to change a value in the
kernel to assure that it does not do forwarding.

The modification is to edit the kernel and memory with:

     adb -k -w /vmunix /dev/mem

And enter the following two commands:

     ipforwarding?W0

which will turn off forwarding in the vmunix file on disk and

     ipforwarding/W0

which will turn off forwarding in the image in memory.

Additionally you might want to consider changing the value in the object
file /usr/sys/sun4/OBJ/ip_input.o so that any new kernels will have this
value already unset.

Daniel Trinkle of Purdue sent me a handy shell script for changing this
value on the fly. In addition to changing the ipforwarding flag it also
changes the ipsendredirects which, I presume, controls the sending of ICMP
redirect messages. I'll enclose that script at the end of this message
for anyone who is interested.

Viktor Dukhovni of Princeton expressed some concern that changing this
value would cause the machine to have a sort of split personality in
which some daemons will only listen to one port. None of the other
dozen+ respondents (some of whom were running with ipforwarding off)
expressed this concern. I'll post a followup if I have any such
problems when I get the system up.

Thanks to the following people who replied:

speicher@mwunix.mitre.org
Tad Guy <tadguy@abcfd01.larc.nasa.gov>
montnaro@moose.crd.ge.com (Skip Montanaro)
sob@tmc.edu (Stan Barber)
trinkle@cs.purdue.edu
Bob Hoffman <hoffman@cs.pitt.edu>
rcsmith@anagld.analytics.com (Ray Smith)
Viktor Dukhovni <viktor@math.Princeton.EDU>
"Anthony A. Datri" <datri@convex.com>
"Matt Crawford" <matt@oddjob.uchicago.edu>
barnett@unclejack.crd.ge.com (Bruce Barnett)
George Young <young@vlsi.ll.mit.edu>
karl@MorningStar.Com
Pat_Barron@transarc.com
Sam Horrocks <sam@telegraph.ICS.UCI.EDU>

--Frank

Frank W. Peters Systems Programmer Computing Center & Services
peters@CC.MsState.Edu Peters@MsState.Bitnet (601)325-2942
"I can't give you brains, but I can give you a diploma." -- The Wizard of OZ

------ Daniel Trinkle's shell script
============================== ipgateway.sh ==============================
#!/bin/sh
#
# ipgateway {on|off} [kernel]
# Turn on/off IP gatewaying behavior. This includes IPFORWARDING
# and IPSENDREDIRECTS.
# If the kernel name is /vmunix, assume we are modifying the running
# kernel (so /dev/kmem is patched as well as the file on disk).
PATH=/bin:/usr/bin:/usr/local/bin
export PATH

case $1 in
on)
    VAL=1
    ;;
off)
    VAL=0
    ;;
"")
    echo "USAGE: ipgateway {on|off} [kernel]"
    exit 1
    ;;
*)
    echo "ERROR: unknown option \"$1\""
    exit 1
    ;;
esac

KERNEL=${2-/vmunix}

if [ ! -f "$KERNEL" ] ; then
    echo "ERROR: No kernel: $KERNEL"
    exit 1
fi

# This nastiness is to prevent modifying kernels that are already correct.
# If the count worked for the W command in adb, this would be simple.
#
# How it works: the first adb only reads. Each input line has the form
#   ,<count>="<adb command>"
# where <count> is (current value - VAL) & 1, i.e. 1 when the variable
# still needs changing and 0 when it already equals VAL. The = command
# prints its string <count> times, so the first adb emits exactly the
# W commands that are needed, and those are piped into a second,
# writable adb that applies them. '%' reads the value from the object
# file on disk, '*' reads it from the core file (/dev/kmem).

if [ "/vmunix" != "$KERNEL" ] ; then
    echo "Editing non-running kernel"
    adb -w $KERNEL <<EOF | grep -v "not core file" | adb -w $KERNEL | grep -v "not core file"
,%ipforwarding-$VAL&1="ipforwarding?W $VAL"
,%ipsendredirects-$VAL&1="ipsendredirects?W $VAL"
\$q
EOF
else
    # Running kernel: patch both the file on disk (?W) and memory (/W).
    adb $KERNEL /dev/kmem <<EOF | grep -v "not core file" | adb -w $KERNEL /dev/kmem | grep -v "not core file"
,%ipforwarding-$VAL&1="ipforwarding?W $VAL"
,*ipforwarding-$VAL&1="ipforwarding/W $VAL"
,%ipsendredirects-$VAL&1="ipsendredirects?W $VAL"
,*ipsendredirects-$VAL&1="ipsendredirects/W $VAL"
\$q
EOF
fi
======================================================================
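An added example, not part of Frank's message or of Daniel Trinkle's script: the same "only change what is already wrong" idea behind ipgateway.sh, applied to a host where the forwarding and redirect knobs are sysctl variables rather than kernel symbols patched with adb. The script reads sysctl-style "key = value" lines on stdin, so it can be run against a saved dump offline or against `sysctl -a` on a live Linux host, and prints only the commands needed to stop the host from acting as a gateway. The key names net.ipv4.ip_forward and net.ipv4.conf.*.send_redirects are the Linux counterparts of ipforwarding and ipsendredirects; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from ipgateway.sh.
# Reads sysctl-style "key = value" lines on stdin and emits only the
# commands needed to stop the host from gatewaying: no forwarding,
# no ICMP redirects. Knobs absent from the input are not reported.

# Desired state for a dual-homed host that must not route between nets
# (the sysctl names assume a Linux host; they stand in for the SunOS
# ipforwarding and ipsendredirects kernel variables).
WANT_FORWARD=0
WANT_REDIRECTS=0

# gateway_fixups: one "sysctl -w key=value" line per knob that deviates
# from the desired value; prints nothing when the host is already right,
# which keeps a repeated run harmless, like the adb count trick.
gateway_fixups() {
    while IFS= read -r line; do
        key=${line%%[ =]*}      # text before the first space or '='
        val=${line##*[ =]}      # text after the last space or '='
        case $key in
        net.ipv4.ip_forward)
            if [ "$val" != "$WANT_FORWARD" ]; then
                echo "sysctl -w net.ipv4.ip_forward=$WANT_FORWARD"
            fi
            ;;
        net.ipv4.conf.all.send_redirects|net.ipv4.conf.default.send_redirects)
            if [ "$val" != "$WANT_REDIRECTS" ]; then
                echo "sysctl -w $key=$WANT_REDIRECTS"
            fi
            ;;
        esac
    done
}

# gateway_is_clean: exit status 0 when no fixups are needed.
gateway_is_clean() {
    [ -z "$(gateway_fixups)" ]
}

# Usage on a live Linux host (applying the output needs root):
#   sysctl -a 2>/dev/null | gateway_fixups | sh
# Offline demonstration on a constructed dump:
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' 'net.ipv4.ip_forward = 1' \
        'net.ipv4.conf.all.send_redirects = 0' \
        'net.ipv4.conf.default.send_redirects = 1' | gateway_fixups
fi
```

Piping the output through sh mirrors the two-adb pipeline in ipgateway.sh: the first stage decides, the second stage writes. Run it without the final pipe to see what would change before touching anything, and keep a copy of the dump so the pre-change state is on record.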



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:05:56 CDT