From: Tobias Oetiker (oetiker@ee.ethz.ch)
Date: Tue Jan 11 2005 - 17:12:51 EST
My Question:
> We have a multi-homed Solaris box serving as a boot-server in
> several subnets. The machine does not route.
>
> Our Networking People now want to introduce anti-spoofing filters
> on each of the subnets routers/switches.
>
> This raises an interesting problem.
>
> When a client host opens a connection to the multi-homed server's
> main interface (which is not in the local subnet) the answer will
> be sent through the server's interface connected to the client's
> subnet.
>
> This does not play well with the anti-spoofing filters (or so our
> network people tell us)
>
> Is there any way to tell a Solaris box to always answer on the
> same interface as it received the packet in the first place?
Thanks to Philipp Buehler, Michael Horton, Matthew Stier, Darren
Dunham, Crist Clark for providing their insights.
This is what I have learned:
a) At the networking level, there is no association between any
"incoming" and "reply" packets. That could only be done at the
application layer (it's not generally done). The interface from
which a packet leaves is determined by its destination alone.
b) Use ipfilter's NAT rules to do some source routing. If a packet
has a particular (Solaris) source address, force it to leave via
a particular interface.
http://www.sunmanagers.org/pipermail/summaries/2002-May/001645.html
c) One solution is to prevent the packets from going to the wrong
interface in the first place by making sure that the hosts file
has the 'main name' for the multihomed box on all its addresses,
and have all the clients refer to the host via its 'main name'.
Machines will then automatically use the closest interface and
thus forego any problems.
192.168.1.1 host0 host
192.168.2.1 host1 host
192.168.3.1 host2 host
192.168.4.1 host3 host
d) disable anti-spoofing on the switch ports of that machine ;-)
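To make points a) and c) concrete, here is a small simulation (added for this archive, not code from the original post or from anyone on the list). It assumes a constructed four-subnet topology matching the hosts-file excerpt above, with placeholder interface names, and it models an anti-spoofing (ingress) filter as "the source address must belong to that segment's subnet". It shows why a reply sourced from the main address is dropped when it leaves via another subnet's interface, and why the hosts-file trick avoids the problem once the client connects to the address on its own subnet.

```python
import ipaddress

# Constructed topology (assumption): the server's four directly connected
# subnets, matching the hosts file in the summary. Interface names are placeholders.
SERVER_INTERFACES = {
    "if0": ipaddress.ip_interface("192.168.1.1/24"),
    "if1": ipaddress.ip_interface("192.168.2.1/24"),
    "if2": ipaddress.ip_interface("192.168.3.1/24"),
    "if3": ipaddress.ip_interface("192.168.4.1/24"),
}

# Hosts file from the summary: every interface address carries the alias "host".
HOSTS_FILE = """\
192.168.1.1 host0 host
192.168.2.1 host1 host
192.168.3.1 host2 host
192.168.4.1 host3 host
"""


def parse_hosts(text):
    """Map each name or alias in a hosts file to the addresses it appears with."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name, []).append(addr)
    return table


def egress_interface(dst):
    """Point a): the outgoing interface is chosen by destination alone.
    The box does not forward, so only directly connected subnets are reachable."""
    dst = ipaddress.ip_address(dst)
    for name, iface in SERVER_INTERFACES.items():
        if dst in iface.network:
            return name
    return None


def antispoof_permits(iface, src):
    """Ingress filter on the switch port for that segment: the source address
    must lie inside the segment's own subnet (a uRPF-style check, assumed here)."""
    return ipaddress.ip_address(src) in SERVER_INTERFACES[iface].network


def reply_to(client_ip, connected_to):
    """Simulate the server's reply to a client that connected to `connected_to`.
    The reply keeps that address as its source regardless of the egress interface.
    Returns (egress_interface, reply_source, permitted_by_antispoof_filter)."""
    out = egress_interface(client_ip)
    if out is None:
        return (None, connected_to, False)  # no route at all
    return (out, connected_to, antispoof_permits(out, connected_to))


def closest_address(candidates, client_cidr):
    """Point c): with the 'main name' on every address, a client on one of the
    server's subnets picks the candidate on its own subnet (assumed resolver
    behaviour for this simulation), falling back to the first entry otherwise."""
    client = ipaddress.ip_interface(client_cidr)
    for addr in candidates:
        if ipaddress.ip_address(addr) in client.network:
            return addr
    return candidates[0]


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    # Client on 192.168.2.0/24 talks to the main address: reply leaves via if1
    # with source 192.168.1.1 and is dropped by that segment's anti-spoof filter.
    print(reply_to("192.168.2.50", "192.168.1.1"))
    # Same client resolves "host" to the address on its own subnet: reply passes.
    print(reply_to("192.168.2.50", closest_address(hosts["host"], "192.168.2.50/24")))
```

The first print shows the failure the question describes; the second shows the hosts-file remedy. Whether a real client picks the on-subnet address depends on its resolver's ordering, which is the assumption `closest_address` encodes.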
cheers
tobi
--
Tobi Oetiker @ ISG.EE, ETL F24.2, ETH, CH-8092 Zurich
System Manager, Time Lord, Coder, Designer, Coach
http://people.ee.ethz.ch/oetiker +41(0)44-632-5286
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:29:59 EDT