Agreed. In fact, why not touch /etc/notrouter? Then it will never act as a router unless the fw allows
the packets to proceed from one interface to another after the rules are parsed and if the rules allow
the packet to be forwarded.

merlin
 
 

Christine Tran wrote:

Whoa now... you might not have a choice.  fw (at least on Solaris) runs as
a dynamic kernel module; when it runs, /dev/ip belongs to it.  This is why
on earlier OS & fw versions you can't ifconfig <new-if> plumb if fw is modloaded.

If you install fw not using a default filter, & no ip_forwarding @ boot time,
and you don't have a policy written on the manager yet, you can set ip_forwarding
to whatever you want, but when fw starts, ip_forwarding=0.  This is through empirical
observation, and it's logical: there's no policy to match any packet against.
fw startup is in /etc/rc3.d; after boot, you can set ip_forwarding=1, but
it's meaningless.

My usual practice is to let fw1 handle ip_forwarding.  "When the FireWall blows
up", how?  One has to qualify this "blow up" thing: out of proc, out of mem,
vaporized by act of God.  If something happens to your fw, it's worse to let
it continue to forward packets w/o inspection than to just let connections die.

CT

"Firebird" <[EMAIL PROTECTED]> wrote:
>Date: Thu 17 Aug 2000 08:21:27 +0200 (CEST)
>
>    Great idea, so when the FireWall blows up, the whole net connection
>blows up... And not just the protection.. how smart :) I must admit that
>this shouldn't happen, but if it does, during the night, then your network
>won't be accessible like it would be otherwise.
>
>    I would recommend leaving it configured and configuring the
>FireWall correctly. It can't do any harm to let the kernel handle this.

>
>---Reply to mail from Barry W. Kokotailo about [FW1] Ip forwarding On Firewall
>> Leave ip routing off on the Solaris machine. The firewall will handle it.

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
              http://www.checkpoint.com/services/mailing.html
================================================================================

-- 
Barry W. Kokotailo
Senior Unix Systems Administrator
1-780-675-6399
PGP =  71 71 96 A3 C0 C2 23 7A  23 4E D4 04 8C E0 42 6B  B0 2D D1 A5
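The "fail closed" position argued in the thread (never forward without inspection; let FW-1 own ip_forwarding once it has a policy) can be turned into a small watchdog for the gateway. The script below is an added example, not from the thread or from Check Point. Only the paths the thread names (/etc/notrouter, /dev/ip, /etc/rc3.d) come from it; the helper names, using modinfo to spot the fw module, and reading the policy column of `fw stat` are this example's own assumptions. The decision logic is pure shell and runs anywhere; the live probes only run when invoked with the `enforce` argument on the gateway itself.

```shell
#!/bin/sh
# Added example (not the thread's or Check Point's code): re-assert the
# "no forwarding without inspection" rule on a Solaris FireWall-1 gateway.
# Meant to be run from /etc/rc3.d after the FW-1 start script, or from cron.

NOTROUTER=/etc/notrouter   # path named in the thread
IP_DEV=/dev/ip             # path named in the thread

# Pure decision: ip_forwarding may be 1 only while the fw module is loaded
# AND a policy is installed; in every other state the box must not route.
# Args: fw_loaded (yes/no), policy_installed (yes/no). Prints 0 or 1.
desired_forwarding() {
    if [ "$1" = yes ] && [ "$2" = yes ]; then
        echo 1
    else
        echo 0
    fi
}

# Given the current ip_forwarding value and the two yes/no facts, print:
#   leave        current state already matches the rule
#   disable      forwarding is on but nothing is inspecting (the dangerous case)
#   fw-controls  forwarding is off while FW-1 runs with a policy; FW-1 decides
decide() {
    _cur=$1
    _want=`desired_forwarding "$2" "$3"`
    if [ "$_cur" = "$_want" ]; then
        echo leave
    elif [ "$_want" = 0 ]; then
        echo disable
    else
        echo fw-controls
    fi
}

# Live probes: only meaningful on the gateway. Assumptions: modinfo lists the
# FW-1 kernel module as "fw", and "fw stat" prints "-" in the policy column
# (second field of its second line) when no policy is installed.
fw_loaded() {
    if modinfo 2>/dev/null | grep ' fw ' >/dev/null; then echo yes; else echo no; fi
}
policy_installed() {
    fw stat 2>/dev/null | awk 'NR==2 { print ($2 == "-") ? "no" : "yes" }'
}

enforce() {
    [ -f "$NOTROUTER" ] || touch "$NOTROUTER"     # boot scripts never route
    cur=`ndd -get "$IP_DEV" ip_forwarding`
    fl=`fw_loaded`
    pi=`policy_installed`
    case `decide "$cur" "$fl" "$pi"` in
        disable)
            ndd -set "$IP_DEV" ip_forwarding 0
            logger -p daemon.crit "fw not inspecting: ip_forwarding forced to 0"
            ;;
        *) : ;;   # either consistent already, or FW-1 is in charge
    esac
}

case "${1:-}" in
    enforce) enforce ;;
esac
```

Run as `sh fwfwd.sh enforce` from the rc script or cron; without the argument it only defines the functions, which is what makes the decision helpers testable off the box.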