[SunHELP] restrict outbound traffic of second interface

Dale Ghent daleg at elemental.org
Wed Jan 12 15:32:02 CST 2005


On Jan 12, 2005, at 3:56 PM, Tim Gallagher wrote:

> And this works even though my second interface is configured as;
>
> second		10.2.3.15

Yes, but, let me explain this more.

You are using 10net addresses. 10.0.0.0 is a "class A" type subnet so 
Solaris automatically and BY DEFAULT assigns a netmask of 255.0.0.0 to 
interfaces with addresses in that kind of range.

If you do an 'ifconfig -a' command on your Solaris box now, you should 
see the netmask field for the interfaces set to ff000000. This is hex 
for 255.0.0.0.

Now, what that netmask tells the kernel is that all of 10.0.0.0 is 
accessible from interfaces configured with an IP address in that same 
range.

To prevent the kernel from sending packets out the wrong interface, or 
to only allow an interface that's on, say, the 10.2.4.0 network only 
send packets for other hosts on the 10.2.4.0 network, you need to 
adjust the netmask of that interface to be more restrictive.

This is where the /etc/netmasks file on solaris comes into play.

In the /etc/netmasks file, you want to tell Solaris that for an 
interface with an address on the 10.2.4.0 network to configure not the 
default netmask of 255.0.0.0 and instead a smaller, more restrictive 
one. I am going to assume here that you're treating your backup network 
(10.2.4.0) as a Class C address range and would want to set that 
interface up with the appropriate netmask of 255.255.255.0

So, in /etc/netmasks you would put the line:

10.2.4.0	255.255.255.0

Any interfaces that are then brought up with an IP address in the 
10.2.4.0 range would receive that netmask. Interfaces with IP addresses 
NOT in that range (such as your 10.2.2.0 and 10.2.3.0 networks) would 
receive the default netmask of 255.0.0.0.

You would then either reboot your server or manually change the backup 
network interface's netmask with the ifconfig command.

After that, your server will then know that the interface with a 
10.2.4.0 address is only allowed to talk to other 10.2.4.0-addressed 
hosts. I assume this is what your goal is.

/dale
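The netmask selection Dale describes, as an added example that is not part of the original thread and not Solaris code: a small POSIX sh model that looks an address up in a constructed /etc/netmasks sample, falls back to the classful default (255.0.0.0 for 10.x) when there is no entry, and then reports whether a destination would be treated as directly reachable on that interface. The sample file, the temp path, and the addresses other than 10.2.3.15 (which is the only one the thread gives) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Solaris.
# Models a simplified /etc/netmasks lookup: the first entry whose
# network matches (address & entry mask) wins; with no match the
# classful default applies, which is what the post says Solaris does.
# NETMASKS_FILE is a constructed sample; on a real box read /etc/netmasks.

NETMASKS_FILE="${NETMASKS_FILE:-${TMPDIR:-/tmp}/netmasks.sample.$$}"
trap 'rm -f "$NETMASKS_FILE"' EXIT

# Constructed sample: only the backup network gets a /24, as in the post.
cat > "$NETMASKS_FILE" <<'EOF'
# network    netmask
10.2.4.0     255.255.255.0
EOF

# Dotted quad -> 32-bit integer (shell arithmetic is at least 32 bits).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Classful default mask from the first octet: A < 128, B < 192, else C.
classful_mask() {
    first=${1%%.*}
    if [ "$first" -lt 128 ]; then echo 255.0.0.0
    elif [ "$first" -lt 192 ]; then echo 255.255.0.0
    else echo 255.255.255.0
    fi
}

# Mask an interface with address $1 would receive: /etc/netmasks entry
# if one covers the address, otherwise the classful default.
netmask_for() {
    addr=$(ip2int "$1")
    while read -r net mask; do
        case $net in ''|\#*) continue ;; esac
        if [ $(( addr & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ]; then
            echo "$mask"
            return 0
        fi
    done < "$NETMASKS_FILE"
    classful_mask "$1"
}

# Exit 0 if destination $2 is inside the subnet of interface address $1,
# i.e. the kernel would treat it as on-link for that interface.
same_subnet() {
    mask=$(ip2int "$(netmask_for "$1")")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Demonstration with constructed address pairs; 10.2.3.15 is from the thread.
for pair in "10.2.4.15 10.2.4.20" "10.2.4.15 10.2.3.15" "10.2.3.15 10.2.4.99"; do
    set -- $pair
    netaddr=$(int2ip $(( $(ip2int "$1") & $(ip2int "$(netmask_for "$1")") )))
    if same_subnet "$1" "$2"; then verdict="on-link"
    else verdict="not on-link (needs a route)"; fi
    echo "$1 (mask $(netmask_for "$1"), net $netaddr) -> $2: $verdict"
done
```

The third pair is the situation the post warns about: with no /etc/netmasks entry, a 10.2.3.15 interface keeps the 255.0.0.0 default, so every 10.x destination (10.2.4.99 included) looks directly reachable through it. After adding the entry, the interface can be brought onto the new mask without a reboot with Solaris ifconfig's `netmask +` form (`+` means take the mask from /etc/netmasks); the interface name used on the actual box is whatever `ifconfig -a` shows, and is not given in the thread.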
