[SunHELP] restrict outbound traffic of second interface
timg98376 at comcast.net
Wed Jan 12 15:51:12 CST 2005
Excellent, that is clear, thanks very much for your help Dale.
From: sunhelp-bounces at sunhelp.org [mailto:sunhelp-bounces at sunhelp.org] On
Behalf Of Dale Ghent
Sent: Wednesday, January 12, 2005 1:32 PM
To: The SunHELP List
Subject: Re: [SunHELP] restrict outbound traffic of second interface
On Jan 12, 2005, at 3:56 PM, Tim Gallagher wrote:
> And this works even though my second interface is configured as:
> second 10.2.3.15
Yes, but, let me explain this more.
You are using 10-net addresses. 10.0.0.0 is a "class A" type subnet, so
Solaris automatically and BY DEFAULT assigns a netmask of 255.0.0.0 to
interfaces with addresses in that kind of range.
If you do an 'ifconfig -a' command on your Solaris box now, you should
see the netmask field for the interfaces set to ff000000. This is hex
Now, what that netmask tells the kernel is that all of 10.0.0.0 is
accessible from interfaces configured with an IP address in that same
To prevent the kernel from sending packets out the wrong interface, or
to only allow an interface that's on, say, the 10.2.4.0 network only
send packets for other hosts on the 10.2.4.0 network, you need to
adjust the netmask of that interface to be more restrictive.
This is where the /etc/netmasks file on solaris comes into play.
In the /etc/netmasks file, you want to tell Solaris that for an
interface with an address on the 10.2.4.0 network to configure not the
default netmask of 255.0.0.0 and instead a smaller, more restrictive
one. I am going to assume here that you're treating your backup network
(10.2.4.0) as a Class C address range and would want to set that
interface up with the appropriate netmask of 255.255.255.0.
So, in /etc/netmasks you would put the line:
Any interfaces that are then brought up with an IP address in the
10.2.4.0 range would receive that netmask. Interfaces with IP addresses
NOT in that range (such as your 10.2.2.0 and 10.2.3.0 networks) would
receive the default netmask of 255.0.0.0.
You would then either reboot your server or manually change the backup
network's interface's netmask with the ifconfig command.
After that, your server will then know that the interface with a
10.2.4.0 address is only allowed to talk to other 10.2.4.0-addressed
hosts. I assume this is what your goal is.
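The netmask logic Dale walks through, as an added POSIX sh example that is not part of this thread and not Solaris code: it emulates (in simplified form) how the kernel derives an interface's mask from /etc/netmasks and then decides whether another host is "on the same network". The backup interface address 10.2.4.17, the host 10.2.4.200 and the NETMASKS text are constructed sample data; the interface name in the ifconfig comment is assumed.

```shell
#!/bin/sh
# Added example (not from the SunHELP thread): emulate the /etc/netmasks
# lookup and the "same network?" test that decide which interface a packet
# leaves by. All addresses and the NETMASKS text below are constructed.
#
# On Solaris the real change is the one Dale describes: add
#   10.2.4.0    255.255.255.0
# to /etc/netmasks, then either reboot or run (interface name assumed):
#   ifconfig hme1 netmask 255.255.255.0
# ("netmask +" tells ifconfig to take the value from /etc/netmasks).

# Constructed stand-in for /etc/netmasks: "network-number  netmask" per line.
NETMASKS='# network      netmask
10.2.4.0       255.255.255.0
'

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Classful default Solaris applies when /etc/netmasks has no matching entry:
# first octet < 128 is class A (255.0.0.0), < 192 class B, otherwise class C.
classful_mask() {
    first=${1%%.*}
    if [ "$first" -lt 128 ]; then
        echo 255.0.0.0
    elif [ "$first" -lt 192 ]; then
        echo 255.255.0.0
    else
        echo 255.255.255.0
    fi
}

# lookup_netmask ADDRESS NETMASKS_TEXT
# Prints the mask of the first entry whose network contains ADDRESS, else the
# classful default. (Simplified assumption: real ifconfig also matches on the
# classful network number; for these addresses the result is the same.)
lookup_netmask() {
    addr=$(ip2int "$1")
    found=$(printf '%s\n' "$2" | while read -r net mask; do
        case $net in ''|\#*) continue ;; esac
        m=$(ip2int "$mask")
        if [ $(( addr & m )) -eq "$(ip2int "$net")" ]; then
            echo "$mask"
            break
        fi
    done)
    if [ -n "$found" ]; then
        echo "$found"
    else
        classful_mask "$1"
    fi
}

# network_of ADDRESS NETMASK -> dotted network number (ADDRESS AND NETMASK).
network_of() {
    a=$(ip2int "$1"); m=$(ip2int "$2")
    int2ip $(( a & m ))
}

# same_network ADDR1 ADDR2 NETMASK -> "yes" if both share a network number
# under that mask, i.e. the kernel would treat ADDR2 as directly reachable
# from an interface configured as ADDR1/NETMASK rather than via a router.
same_network() {
    a=$(ip2int "$1"); b=$(ip2int "$2"); m=$(ip2int "$3")
    if [ $(( a & m )) -eq $(( b & m )) ]; then
        echo yes
    else
        echo no
    fi
}

# Walk through the situation in the thread: backup interface 10.2.4.17
# (constructed), a host on the 10.2.3.0 network, a host on the backup network.
backup_if=10.2.4.17
for mask in 255.0.0.0 "$(lookup_netmask "$backup_if" "$NETMASKS")"; do
    echo "netmask $mask on $backup_if (network $(network_of "$backup_if" "$mask")):"
    echo "  10.2.3.15  on-link? $(same_network "$backup_if" 10.2.3.15 "$mask")"
    echo "  10.2.4.200 on-link? $(same_network "$backup_if" 10.2.4.200 "$mask")"
done
```

With the default 255.0.0.0 the backup interface considers 10.2.3.15 a local neighbour (so traffic for it may leave that interface); with the /etc/netmasks entry in place only 10.2.4.x hosts are on-link and everything else goes to the default route, which is the restriction the thread is after.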