gamiddleton@watmath.waterloo.edu (Guy Middleton) (10/07/89)
If I have a 4.3bsd (or 4.3-tahoe) machine with two IP interfaces, is there any way to prevent packets from one net reaching the other? I want the machine to be able to talk to either net, but nobody else should be able to use it as an IP gateway. I can't think of any obvious way of doing this.

 -Guy Middleton, University of Waterloo	gamiddleton@watmath.waterloo.edu
  (+1 519 885 1211 x3472)			gamiddleton@watmath.uwaterloo.ca
troy@mr_plod.cbme.unsw.oz (Troy Rollo) (10/09/89)
From article <29942@watmath.waterloo.edu>, by gamiddleton@watmath.waterloo.edu (Guy Middleton):

gamiddleton> If I have a 4.3bsd (or 4.3-tahoe) machine with two IP interfaces, is there any
gamiddleton> way to prevent packets from one net reaching the other? I want the machine to
gamiddleton> be able to talk to either net, but nobody else should be able to use it as an
gamiddleton> IP gateway. I can't think of any obvious way of doing this.

All you have to do is "gag" routed. That is, invoke routed with the "-q" flag. This prevents the gateway from telling anybody else about the networks it knows about. This is how routed is invoked on my machine:

	routed -h -f -q

You have to be careful when you do this (presumably it is because one of your nets is using a non-NIC-registered network number), because there will always be one network in the world you won't be able to communicate with as a result of this. In my case it's 192.0.2 (would the real 192.0.2 please stand up?)

Note also that you will need to set up the name server on the gateway node, so that local machines can figure out the names of other local machines, as well as remote machines. This will not interfere with the rest of the network as long as you don't have a name server in a higher domain directing queries to you.

___________________________________________________________
troy@mr_plod.cbme.unsw.oz.au		Make our greenies useful!
The Resident Fascist			Put them in the army!
brian@ucsd.Edu (Brian Kantor) (10/10/89)
Or compile the kernel with the "ipforwarding" variable turned off, eh? I suppose you could poke it with ADB if you don't have source.
chris@mimsy.UUCP (Chris Torek) (10/13/89)
Two different people suggested two different approaches:

>Or compile the kernel with the "ipforwarding" variable turned off, eh?

Then it would not be a gateway.

>[do not run a routing daemon, or make it not advertise the gateway]

This does not stop source-routed packets, but may suffice.

I sent a kernel hack (read: kludge) to the original querent.
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain:	chris@cs.umd.edu	Path:	uunet!mimsy!chris
chris@mimsy.UUCP (Chris Torek) (10/14/89)
In article <20149@mimsy.UUCP> I wrote:
>>Or compile the kernel with the "ipforwarding" variable turned off, eh?

>Then it would not be a gateway.

What I missed was this (from the original article):

>If I have a 4.3bsd (or 4.3-tahoe) machine with two IP interfaces, is
>there any way to prevent packets from one net reaching the other?  I
>want the machine to be able to talk to either net, but nobody else
                                                      ------
>should be able to use it as an IP gateway.  I can't think of any
>obvious way of doing this.

Such a machine is not a gateway, merely a multi-homed host. Turning off ipforwarding would do it.

A more useful trick is to allow `friends' to get to either net from the other, but not to allow the rest of the world; for this, one needs a kernel hack.
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain:	chris@cs.umd.edu	Path:	uunet!mimsy!chris
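The three configurations the thread has now put on the table (routed gagged with "-q", the kernel ipforwarding variable turned off, and Torek's "friends" kernel hack) differ in what they actually do to a packet arriving on one interface and bound for another. The model below is an added example for this archive, not code from the thread, from routed or from the 4.3BSD kernel. It reduces the IP input path to a single forwarding decision: a packet addressed to the host itself is delivered, anything else (including a packet addressed to the host that still carries unfinished loose-source-route hops, which the kernel treats as a forwarding request) is forwarded or dropped depending on the configuration. The network numbers, interface names and the representation of "friends" as a set of source networks allowed to transit are all assumptions made for the example; the thread does not say how the hack identifies friends.

```python
"""Forwarding decision on a multi-homed 4.3BSD-style host: a teaching model.

Added example, not BSD or routed code.  Three knobs from the thread are modelled:
  routed -q      -> the host stops *advertising* its routes; forwarding untouched
  ipforwarding=0 -> the kernel refuses to forward anything, source-routed or not
  friends        -> Torek-style hack, modelled (assumption) as source networks
                    whose packets may transit; everything else is dropped
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    source_route: tuple = ()   # remaining loose-source-route hops, if any


@dataclass
class Host:
    interfaces: dict                     # ifname -> directly attached IPv4Network
    addresses: frozenset                 # the host's own addresses
    ipforwarding: bool = True            # the kernel variable the thread discusses
    routed_quiet: bool = False           # routed -q: suppress route advertisements
    friends: Optional[frozenset] = None  # None = no friends hack compiled in

    def advertises_routes(self) -> bool:
        # routed -q only changes what the host tells its neighbours.  Anyone who
        # already knows the host is attached to both nets can still route through it.
        return not self.routed_quiet

    def egress_for(self, addr: IPv4Address) -> Optional[str]:
        for name, net in self.interfaces.items():
            if addr in net:
                return name
        return None

    def decide(self, pkt: Packet) -> str:
        dst = IPv4Address(pkt.dst)
        if pkt.dst in self.addresses and not pkt.source_route:
            return "deliver"
        # Not for us, or for us but with an unfinished source route: either way the
        # kernel's forwarding path is entered with the next hop as the destination.
        next_hop = IPv4Address(pkt.source_route[0]) if pkt.source_route else dst
        if not self.ipforwarding:
            return "drop: ipforwarding=0"
        if self.friends is not None and not any(
            IPv4Address(pkt.src) in net for net in self.friends
        ):
            return "drop: not a friend"
        egress = self.egress_for(next_hop)
        if egress is None:
            return "drop: no route"
        return f"forward via {egress}"


def run_scenarios() -> dict:
    """Run constructed traffic through the three configurations from the thread."""
    nets = {                                        # constructed, documentation ranges
        "if0": IPv4Network("192.0.2.0/24"),
        "if1": IPv4Network("198.51.100.0/24"),
        "if2": IPv4Network("203.0.113.0/24"),
    }
    ours = frozenset({"192.0.2.1", "198.51.100.1", "203.0.113.1"})
    transit = Packet(src="203.0.113.50", dst="198.51.100.7")
    srcrt = Packet(src="203.0.113.50", dst="192.0.2.1", source_route=("198.51.100.7",))
    to_us = Packet(src="203.0.113.50", dst="203.0.113.1")
    friend = Packet(src="192.0.2.9", dst="198.51.100.7")

    gagged = Host(nets, ours, ipforwarding=True, routed_quiet=True)
    noforward = Host(nets, ours, ipforwarding=False, routed_quiet=True)
    friendly = Host(nets, ours, ipforwarding=True, routed_quiet=True,
                    friends=frozenset({IPv4Network("192.0.2.0/24")}))
    return {
        "gagged_advertises": gagged.advertises_routes(),
        "gagged_transit": gagged.decide(transit),      # still forwarded
        "gagged_srcrt": gagged.decide(srcrt),          # Torek's caveat
        "noforward_transit": noforward.decide(transit),
        "noforward_srcrt": noforward.decide(srcrt),
        "noforward_to_us": noforward.decide(to_us),    # host still reachable
        "friendly_friend": friendly.decide(friend),
        "friendly_stranger": friendly.decide(transit),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

The outcomes line up with the thread: gagging routed hides the path but forwards anything that finds it, including a packet source-routed through the host's own address; ipforwarding=0 stops both while the host itself stays reachable on every interface; and the friends variant needs a decision keyed on something the kernel knows at forwarding time, which is why Torek says it takes a kernel change rather than a routed flag.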
gamiddleton@watmath.waterloo.edu (Guy Middleton) (10/19/89)
In article <20158@mimsy.UUCP> chris@mimsy.UUCP (Chris Torek) writes:
| In article <20149@mimsy.UUCP> I wrote:
| >>Or compile the kernel with the "ipforwarding" variable turned off, eh?
| 
| >Then it would not be a gateway.
| 
| What I missed was this (from the original article):
| 
| >If I have a 4.3bsd (or 4.3-tahoe) machine with two IP interfaces, is
| >there any way to prevent packets from one net reaching the other?  I
| >want the machine to be able to talk to either net, but nobody else
|                                                       ------
| >should be able to use it as an IP gateway.  I can't think of any
| >obvious way of doing this.
| 
| Such a machine is not a gateway, merely a multi-homed host.  Turning
| off ipforwarding would do it.

It seems I should have been more explicit in my original query. The machine really is on three nets, and I only want to isolate one of them. I mentioned only two, for simplicity. Had I remembered the kernel ipforwarding variable, I would have been more explicit.

Chris's fix is actually what I was looking for. Thanks to everybody else for reminding me about ipforwarding.

 -Guy Middleton, University of Waterloo	gamiddleton@watmath.waterloo.edu
  (+1 519 885 1211 x3472)			gamiddleton@watmath.uwaterloo.ca