[SunHELP] restrict outbound traffic of second interface

Tim Gallagher timg98376 at comcast.net
Wed Jan 12 15:51:12 CST 2005

Excellent, that is clear, thanks very much for your help Dale.

-----Original Message-----
From: sunhelp-bounces at sunhelp.org [mailto:sunhelp-bounces at sunhelp.org] On
Behalf Of Dale Ghent
Sent: Wednesday, January 12, 2005 1:32 PM
To: The SunHELP List
Subject: Re: [SunHELP] restrict outbound traffic of second interface

On Jan 12, 2005, at 3:56 PM, Tim Gallagher wrote:

> And this works even though my second interface is configured as;
> second

Yes, but, let me explain this more.

You are using 10net addresses. is a "class A" type subnet so 
Solaris automatically and BY DEFAULT assigns a netmask of to 
interfaces with addresses in that kind of range.

If you do an 'ifconfig -a' command on your Solaris box now, you should 
see the netmask field for the interfaces set to ff000000. This is hex 

Now, what that netmask tells the kernel is that all of is 
accessible from interfaces configured with an IP address in that same 

To prevent the kernel from sending packets out the wrong interface, or 
to only allow an interface that's on, say, the network only 
send packets for other hosts on the network, you need to 
adjust the netmask of that interface to be more restrictive.

This is where the /etc/netmasks file on Solaris comes into play.

In the /etc/netmasks file, you want to tell Solaris that for an 
interface with a address on the network to configure not the 
default netmask of and instead a smaller, more restrictive 
one. I am going to assume here that you're treating your backup network 
( as a Class C address range and would want to set that 
interface up with the appropriate netmask of

So, in /etc/netmasks you would put the line:

Any interfaces that are then brought up with an IP address in the range would receive that netmask. Interfaces with IP addresses 
NOT in that range (such as your and networks) would 
receive the default netmask of

You would then either reboot your server or manually change the backup 
network's interface's netmask with the ifconfig command.

After that, your server will then know that the interface with a address is only allowed to talk to other 
hosts. I assume this is what your goal is.

SunHELP maillist  -  SunHELP at sunhelp.org
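A worked illustration of the on-link decision Dale describes, added here as an example and not part of the thread or of Solaris itself. It computes what a given netmask makes the kernel believe about which destinations are directly reachable through an interface, and why the default class A mask (ff000000, i.e. 255.0.0.0) on a 10.x address covers every 10.x host while a class C mask from /etc/netmasks confines the backup interface to its own subnet. All addresses (10.1.1.5 as the backup interface, 10.2.3.4 as a host on a different 10.x network) are constructed sample values, and the helper functions are hypothetical, not Solaris commands.

```shell
#!/bin/sh
# Added example (not from the list thread). Shows how a netmask turns an
# interface address into a network number, and therefore which destinations
# the kernel treats as "on-link" for that interface. Addresses are
# constructed sample values; the functions are illustrative helpers.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                            $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# mask_hex MASK -> the mask as 'ifconfig -a' prints it (255.0.0.0 -> ff000000)
mask_hex() {
    printf '%08x\n' "$(ip_to_int "$1")"
}

# network IP MASK -> network number the kernel derives for an interface
network() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# on_link IP MASK DEST -> "yes" if DEST falls in IP's subnet under MASK,
# meaning the kernel would send to it directly out of that interface
on_link() {
    if [ "$(network "$1" "$2")" = "$(network "$3" "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# netmasks_line NETWORK MASK -> an /etc/netmasks entry: network number,
# whitespace, mask
netmasks_line() {
    printf '%s\t%s\n' "$1" "$2"
}

# Demo: backup NIC at 10.1.1.5. Under the default class A mask the kernel
# thinks a host on another 10.x network is on-link through the backup NIC;
# under a class C mask it is not, so the packet follows the routing table.
main() {
    echo "default mask $(mask_hex 255.0.0.0): 10.2.3.4 on-link? $(on_link 10.1.1.5 255.0.0.0 10.2.3.4)"
    echo "class C mask $(mask_hex 255.255.255.0): 10.2.3.4 on-link? $(on_link 10.1.1.5 255.255.255.0 10.2.3.4)"
    echo "class C mask, same subnet 10.1.1.9 on-link? $(on_link 10.1.1.5 255.255.255.0 10.1.1.9)"
    echo "/etc/netmasks entry for the backup network:"
    netmasks_line "$(network 10.1.1.5 255.255.255.0)" 255.255.255.0
}
main
```

The last line of the demo produces the entry you would place in /etc/netmasks for the backup network; after that, a reboot or a manual ifconfig netmask change on the backup interface (interface name not shown here) gives the kernel the narrower view of what is reachable through it.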
