Re: netmasks and subnets
From: Oliver O'Boyle (o.oboyle_at_celerica.ca)
Date: 01/29/04
- Next message: Oliver O'Boyle: "Re: netmasks and subnets"
- Previous message: Santiago: "Can't figure this out"
- In reply to: Luke: "Re: netmasks and subnets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 29 Jan 2004 00:39:01 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> > this is not the same thing. /proc/sys/net/ipv4/ip_forward is 1
> > applies to your firewall forwarding which, as i explained in the
> > previous email, is not routing. do you have a files called
> > /etc/sysconfig/network ? If so, is there a line in it called
> > 'FORWARD_IPV4=yes'?
>
> Whoo hoo! Fix!
>
> So why is this not the same thing? I'll be googling it, but just
> out of curiousity...
your firewall (any firewall for that matter) has the job of
inspecting packets as they come in to your network from the external
interface. it does this by accepting the incoming packet, analyzing
it by matching it against filters (like do i let it in or do i block
it for X,Y,Z reasons), then sending through to an internal interface.
This process however, is not really routing as you know it. the
filtering process filters, it doesn't route. once the filtering is
done, it passes the packet to the network code that is responsible
for sending the packet out on an internal interface.
the routing process that you were looking for has absolutely nothing
to do with the firewall software. this is because you were sending
the packets from one internal interface to another. the firewall
filters are typically only configured to manage the packets if the
the packets are being sent out the external interface, or being
accepted on the external interface. as such, you need to tell your OS
what to do when it is presented with packets for destinations other
than itself. part of that is to configure your routing table like you
did, the other part requires you to actually tell the OS to active
the code that is responsible for matching the incoming packets with a
desitination in the routing table, and then forwarding the packets
out the correct interface. you actually don't need the firewall
software to do this at all. you could have your 2 ethernet
connections and a PPPoE connection all using the routing code in the
OS to route packets to each other's networks. as I explained above,
the firewall is only there to examine the contents of those packets
(including the destination and source addresses) and to see if they
match any rules. it is not a router.
hope that helps,
oliver
>
>
> --
> Luke StClair
> run_faster@hotmail.com
> PGP key: http://www.students.uiuc.edu/~clairst
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBQBicc7coUT0UavXJEQIOswCeJYCrtM3i1JcnPUB17ZxKFW3PzaQAoIjz
zHC/6yow3YLp5l2eIm/smehB
=basT
-----END PGP SIGNATURE-----
- Next message: Oliver O'Boyle: "Re: netmasks and subnets"
- Previous message: Santiago: "Can't figure this out"
- In reply to: Luke: "Re: netmasks and subnets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
