Whoa now .. you might not have a choice.  fw (at least on Solaris) runs as
a dynamic kernel module, when it runs, /dev/ip belongs to it.  This is why
on earlier OS & fw versions you can't ifconfig <new-if> plumb if fw is modloaded.

If you install fw not using a default filter, & no ip_forwarding @ boot time,
and you don't have a policy written on the manager yet, you can set ip_forwarding
to whatever you want but when fw starts, ip_forwarding=0.  This is through empirical
observation, and it's logical: there's no policy to match any packet against.
fw startup is in /etc/rc3.d; after boot, you can set ip_forwarding=1, but
it's meaningless.

My usual practice is to let fw1 handle ip_forwarding.  "when the FireWall blows
up", how?  One has to qualify this "blow up" thing: out of proc, out of mem,
vaporized by act of god.  If something happens to your fw, it's worse to let
it continue to forward packets without inspection than to just let connections die.

CT
"Firebird" <[EMAIL PROTECTED]> wrote:
>Date: Thu 17 Aug 2000 08:21:27 +0200 (CEST)
>
>    Great idea, so when the FireWall blows up, the whole net connection
>blows up... And not just the protection.. how smart :) I must admit that
>this shouldn't happen, but if it does, during the night, then your network
>won't be accessible like it would be otherwise.
>
>    I would recommend leaving it configured and configuring the
>FireWall correctly. It can't do any harm to let the kernel handle this.

>
>---Reply to mail from Barry W. Kokotailo about [FW1] Ip forwarding On Firewall
>> Leave ip routing off on the Solaris machine. The firewall will handle it.



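A small check that makes CT's fail-open point testable, added here and not part of the thread: it treats "kernel forwarding while the fw module is not loaded" as the bad state. It assumes the Solaris tools named in the post (modinfo for the module list, ndd -get /dev/ip ip_forwarding for the forwarding flag); the modinfo listing embedded below is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Solaris: `modinfo` lists loaded
# kernel modules and `ndd -get /dev/ip ip_forwarding` returns 0 or 1.

# fw_loaded: exit 0 if the modinfo listing on stdin contains module "fw".
# modinfo columns: Id Loadaddr Size Info Rev Module Name  (name is field 6)
fw_loaded() {
    awk 'NR > 1 && $6 == "fw" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# classify LOADED FORWARDING: LOADED is yes/no, FORWARDING is the ndd value.
classify() {
    case "$1:$2" in
        yes:1) echo "filtering"   ;;  # fw loaded and forwarding: normal operation
        yes:0) echo "no-policy"   ;;  # fw loaded, forwarding off: no policy installed yet
        no:0)  echo "fail-closed" ;;  # fw gone, kernel not forwarding: connections die
        no:1)  echo "FAIL-OPEN"   ;;  # fw gone but kernel forwards unfiltered traffic
        *)     echo "unknown"     ;;
    esac
}

# check_host: run the real commands and exit non-zero on the fail-open state
# (Solaris only; suitable for a cron job or monitoring probe).
check_host() {
    if modinfo | fw_loaded; then loaded=yes; else loaded=no; fi
    fwd=$(ndd -get /dev/ip ip_forwarding)
    state=$(classify "$loaded" "$fwd")
    echo "fw_loaded=$loaded ip_forwarding=$fwd state=$state"
    [ "$state" != "FAIL-OPEN" ]
}

# Constructed modinfo output for offline testing (ids and addresses are made up).
SAMPLE_MODINFO=' Id Loadaddr   Size Info Rev Module Name
  6 1010a000   52fc   1   1  specfs (filesystem for specfs)
 53 10231000  1a2b4 123   1  fw (FireWall-1 kernel module)'

# Run the live check only when invoked as: sh fwcheck.sh live
case "${1:-}" in live) check_host ;; esac
```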
================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================