IP-Forwarding and ICMP-Source-Routing

Any Unix host with more than one network interface forwards packets from one side to the other if the packets are destined there. Thus every Unix host can be used as a router.

For proper operation it suffices to run the in.routed daemon; it advertises the router to all other machines on the net.

How to disable this behaviour

Sometimes it is necessary to disallow routing on a host with several interfaces. First, one can stop in.routed so the router is not advertised all the time, or one can start in.routed with the option -q (quiet).

But this does not disable the routing itself. Other hosts with a default route pointing at this host, or malicious users, can still send packets through the router.

But there is help: the kernel has a variable that blocks routing. It can be set in the kernel configuration and even changed during operation.

Disabling forwarding in the kernel

Put this into the kernel config file:
# turn off ipforwarding
options "IPFORWARDING=-1"
A suitable position would be right behind the other options and before the comments to the "config vmunix" line.

During operation one can use adb:

# adb -w -k /vmunix /dev/mem
_ip_forwarding/W-1
_ip_forwarding?W-1
$q
The line with "/" modifies the kernel on disk while the line with "?" modifies the kernel in memory.

And how is it reenabled?

# adb -w -k /vmunix /dev/mem
_ip_forwarding/W0
_ip_forwarding?W0
$q

ICMP-Source-Routing

One hole remains. With ICMP packets one can fool the host into still routing some packets through. Unfortunately it is not so easy to fix that: a kernel function has to be recompiled. Since the SunOS source file is not available, one can use the corresponding files from BSD (for example 4.3reno, 4.3tahoe or NetBSD). The precompiled file ip_input.o and the original in_proto.c should be renamed, and then the new files are copied into the right position:
# mv /sys/`arch -k`/OBJ/ip_input.o /sys/`arch -k`/OBJ/ip_input.o.FCS
# mv /sys/netinet/in_proto.c /sys/netinet/in_proto.c.FCS
# cp ./in_proto.c /sys/netinet/in_proto.c
# cp ./ip_input.c /sys/netinet/ip_input.c
Now a new kernel has to be compiled. But first one should set the following options in the kernel config file:
# turn off ipforwarding
options "IPFORWARDING=-1"

# drop source routed packets
options "IPBLOCKSOURCEROUTE=1"
Time to build the new kernel:
# KERNELNAME=`head -1 /etc/motd | sed -e "s/.*(//" -e "s/).*//"`
# cd /sys/`arch -k`/conf
# config $KERNELNAME
# cd ../$KERNELNAME
# make
# mv /vmunix /vmunix.old
# mv vmunix /vmunix
# reboot
Of course, one can lift this block again during operation (W0 re-enables source routing):
# adb -w -k /vmunix /dev/mem
_ip_block_source_routed/W0
_ip_block_source_routed?W0
$q
With W1 instead of W0 source routing is disabled again.
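The following shell helpers are an added example and not part of the original page or of Peter Koch's procedure. They wrap the two steps shown above that are easy to get wrong by hand: extracting the kernel configuration name from /etc/motd with the page's sed expressions, and generating the adb script that writes both the "/" and "?" forms of a kernel variable. The function and variable names, the APPLY switch and the motd line used in the comment are assumptions; only the two kernel variables and the values discussed on the page are accepted, so a typo such as "W 10" is rejected before adb ever sees it. Nothing is written unless APPLY=1 is set and the script is run as root on a SunOS 4.x host with /vmunix and /dev/mem as on the page.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the adb and
# kernel-name steps described above. Assumes the SunOS 4.x layout used
# on the page (/vmunix, /dev/mem, kernel name in parentheses in /etc/motd).

# Extract the kernel configuration name from a SunOS motd line such as
# (constructed sample)  "SunOS Release 4.1.4 (GENERIC) #2: Fri Oct 14 1994"
# using the same sed expressions as the page's KERNELNAME line.
kernel_name_from_motd() {
    printf '%s\n' "$1" | head -n 1 | sed -e "s/.*(//" -e "s/).*//"
}

# Print the adb script that writes a kernel variable through both the "/"
# and the "?" form, exactly as the page's interactive sessions do, so the
# on-disk /vmunix and the running kernel both change. Only the two symbols
# and the values discussed on the page are accepted; anything else is an
# error, which keeps a mistyped value from being written into the kernel.
adb_script() {
    sym="$1"; val="$2"
    case "$sym:$val" in
        ip_forwarding:-1|ip_forwarding:0) ;;
        ip_block_source_routed:0|ip_block_source_routed:1) ;;
        *) echo "unsupported symbol/value: $sym=$val" >&2; return 1 ;;
    esac
    printf '_%s/W%s\n_%s?W%s\n$q\n' "$sym" "$val" "$sym" "$val"
}

# Feed the generated script to "adb -w -k /vmunix /dev/mem" as root.
# Dry-run (print what would be done) unless APPLY=1 is set in the environment.
apply_kernel_patch() {
    script=$(adb_script "$1" "$2") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$script" | adb -w -k /vmunix /dev/mem
    else
        printf 'would run: adb -w -k /vmunix /dev/mem <<EOF\n%s\nEOF\n' "$script"
    fi
}

# Typical use, mirroring the page: disable forwarding and block source routing.
# apply_kernel_patch ip_forwarding -1
# apply_kernel_patch ip_block_source_routed 1
```

Running the script without APPLY=1 only prints the adb session it would start, which is a convenient way to review the exact symbol names and values before touching a running kernel; `kernel_name_from_motd "$(head -n 1 /etc/motd)"` gives the same KERNELNAME the page derives for the config step.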

Thanks

Thanks to B. Powell, who did the first version of this patch in 1993.
Copyright 1999-2007 Peter Koch