Managing NFS and NIS, 2nd Edition - Mike Eisler [271]

of the destination to send a packet, this presents a problem for the transmitter when the receiver is on another network. How do packets actually get to the remote network?

Let's assume that wahoo, at IP address 131.40.52.15, has mounted a filesystem through one or more gateways from the NFS server bigguy at IP address 131.40.208.10. To send a packet to bigguy, wahoo looks for its IP address in its routing table. It finds it, with gatehost2 named as the gateway to this network. If the remote IP network was not matched to a destination in the routing tables, the default route, which uses gatehost, would be used. wahoo sends its packet to gatehost2, filling in the MAC address for gatehost2 but the IP address for bigguy.

When gatehost2 receives the packet, it realizes that the IP network in the destination field is not its own. It forwards the packet, using its own routing information to locate a gateway to network 131.40.208.0. gatehost2 sends the packet to the next gateway, putting in the remote gateway's MAC address but leaving the destination IP address of bigguy intact. Eventually, the packet is received by a gateway that is on network 131.40.208.0; this gateway recognizes that its IP network and the destination IP network in the packet are the same, and it sends it along the local area network to bigguy. The last gateway to forward the packet is the one that inserts bigguy's MAC address in the packet.

By default, hosts on more than one network are configured as routers in order to forward packets from one interface to another. In some cases, it's desirable to disable automatic IP forwarding, so that the host may communicate on multiple networks but it will not act as a transparent conduit between them. Refer back to the NIS security issues raised in Section 12.3.2. If an NIS client can bind to an NIS server, it can dump the password map from the server. To protect the contents of your password file map, you may want to make it impossible for clients outside the local network to bind to a local NIS server. With IP forwarding enabled, any client can use ypset to get to any NIS server, but if IP forwarding is disabled on the host that connects the local network to other networks, ypset never makes it beyond this router host. It's also a good idea to disable IP forwarding on machines that join your company network to a larger network such as the Internet. This creates a firewall between your internal networks and the outside world: hosts outside the router cannot get packets into your company networks.
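The following is an added example, not code from the book, that models the routing walk-through above (wahoo to bigguy through gatehost2) and the effect of turning IP forwarding off on a gateway. The hosts wahoo, bigguy, gatehost and gatehost2 and the addresses 131.40.52.15, 131.40.208.10 and 131.40.208.0 come from the text; everything else is constructed for the simulation: a transit network 131.40.100.0/24, a second gateway gatehost3, the gateway addresses 131.40.52.1, 131.40.52.2 and 131.40.100.2, an external address 192.0.2.1 for gatehost, and all MAC addresses. Each hop rewrites only the frame's destination MAC while the destination IP stays bigguy's, and a multi-homed host with forwarding disabled drops transit packets instead of relaying them.

```python
"""Simulated routing-table lookup and hop-by-hop IP forwarding.

Constructed topology (only the names/addresses given in the text are real):
  wahoo 131.40.52.15 --(131.40.52.0/24)-- gatehost2 --(131.40.100.0/24)-- gatehost3 --(131.40.208.0/24)-- bigguy 131.40.208.10
  gatehost (default route for wahoo) sits on 131.40.52.0/24 and an external net.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    addrs: dict           # interface IP -> constructed MAC address
    routes: list          # (network, gateway); gateway None = directly attached
    ip_forwarding: bool = True   # analogous to ndd ip_forwarding 1/0

    def owns(self, ip):
        return ip in self.addrs

    def lookup(self, dst_ip):
        """Longest-prefix match; 0.0.0.0/0 is the default route (gatehost for wahoo)."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for net, gw in self.routes:
            n = ipaddress.ip_network(net)
            if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, gw)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst_ip}")
        net, gw = best
        # next hop is the gateway for an indirect route, the destination itself on-link
        return gw if gw is not None else dst_ip


def arp(hosts, ip):
    """Stand-in for ARP: return the host owning `ip` and that interface's MAC."""
    for h in hosts:
        if h.owns(ip):
            return h, h.addrs[ip]
    raise LookupError(f"no host answers for {ip}")


def deliver(hosts, src_name, dst_ip, max_hops=16):
    """Forward a packet hop by hop. Returns (status, hops); each hop records
    (sender, receiver, frame dst MAC, packet dst IP). The dst IP never changes."""
    by_name = {h.name: h for h in hosts}
    current = by_name[src_name]
    hops = []
    for _ in range(max_hops):
        if current.owns(dst_ip):
            return "delivered", hops
        if hops and not current.ip_forwarding:
            # transit packet on a host that is not a router: drop, do not relay
            return f"dropped by {current.name} (ip_forwarding=0)", hops
        next_hop_ip = current.lookup(dst_ip)
        nxt, mac = arp(hosts, next_hop_ip)
        hops.append((current.name, nxt.name, mac, dst_ip))
        current = nxt
    return "hop limit exceeded", hops


def build_network(gatehost2_forwards=True):
    """Constructed topology; only wahoo, bigguy and their addresses are from the text."""
    wahoo = Host("wahoo", {"131.40.52.15": "02:00:00:52:00:15"},
                 [("131.40.52.0/24", None),
                  ("131.40.208.0/24", "131.40.52.1"),    # via gatehost2
                  ("0.0.0.0/0", "131.40.52.2")])         # default via gatehost
    gatehost = Host("gatehost", {"131.40.52.2": "02:00:00:52:00:02",
                                 "192.0.2.1": "02:00:00:c0:00:01"},
                    [("131.40.52.0/24", None), ("192.0.2.0/24", None)])
    gatehost2 = Host("gatehost2", {"131.40.52.1": "02:00:00:52:00:01",
                                   "131.40.100.1": "02:00:00:64:00:01"},
                     [("131.40.52.0/24", None), ("131.40.100.0/24", None),
                      ("131.40.208.0/24", "131.40.100.2")],   # via gatehost3
                     ip_forwarding=gatehost2_forwards)
    gatehost3 = Host("gatehost3", {"131.40.100.2": "02:00:00:64:00:02",
                                   "131.40.208.1": "02:00:00:d0:00:01"},
                     [("131.40.100.0/24", None), ("131.40.208.0/24", None)])
    bigguy = Host("bigguy", {"131.40.208.10": "02:00:00:d0:00:10"},
                  [("131.40.208.0/24", None)])
    return [wahoo, gatehost, gatehost2, gatehost3, bigguy]


if __name__ == "__main__":
    for forwards in (True, False):
        status, hops = deliver(build_network(forwards), "wahoo", "131.40.208.10")
        print(f"gatehost2 ip_forwarding={int(forwards)}: {status}")
        for sender, receiver, mac, ip in hops:
            print(f"  {sender} -> {receiver}: dst MAC {mac}, dst IP {ip}")
```

Running it prints the three-hop path with the destination IP constant and the MAC changing at each hop, then the same packet stopping at gatehost2 once that host no longer forwards, which is the behaviour relied on to keep ypset traffic from crossing the router host.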

How you disable IP forwarding depends on your system. In Solaris, this is done by creating a special file:

# touch /etc/notrouter

If the /etc/notrouter file is present when the system boots, then the system will not perform IP forwarding. If you want to turn off IP forwarding immediately, then do the following:

# /usr/sbin/ndd -set /dev/ip ip_forwarding 0

* * *

[1] Of course, identifying a host's interfaces in /etc/hosts is not sufficient if you are using DNS. An excellent treatment of how to set up multiple interfaces for a host in DNS is discussed on the Web in the document "Frequently Asked Questions about Kerberos" by Ken Hornstein, available (at the time this book was written) at http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html. Look for the section entitled "How should I configure my DNS for Kerberos?" Even if you are not using Kerberos, Hornstein's recommendation for "multiple address records per host" is a logical way to configure multiple interfaces in DNS, because his choice associates a single name, such as fred.widget.com, with multiple interface specific names, such as fred-200.widget.com and fred-201.widget.com.

[2] The protocol used by in.routed is called RIP, for Routing Information Protocol. There are other routing protocols that send less information or that allow hosts to perform preferential routing when multiple gateways are present, but a discussion of these protocols is beyond the scope of this book.

[3] Of course, if you are using classless IP addressing (see Section 1.3.4),
