IP_FORWARD /etc/sysconfig/network magic words?

Rick Stevens rstevens at vitalstream.com
Fri Apr 29 20:38:44 UTC 2005


Jeff Kinz wrote:
> On Fri, Apr 29, 2005 at 03:01:16PM -0400, Jeff Kinz wrote:
> 
>>In the file /etc/sysconfig/network, does the line :
>>
>>FORWARD_IPV4=YES
>>
>>actually control IP forwarding?  Currently my system seems to be
>>ignoring it.  i.e. - I don't actually get any ip-forwarding happening when
>>the network is up unless I explicitly enable it.
> 
> 
> Aha!  
> Google - almost as powerful as Rick Stevens!

Heheheh!  At least it's faster and doesn't get distracted by people
wandering into its office!  :-)

> https://www.redhat.com/archives/redhat-list/2001-May/msg01047.html
> indicates:
> 
> ########################### QUOTE ###############################
> I do not think that forward_ipv4="yes" works any more.  The settings in
> sysctl.conf are used instead.

/etc/sysconfig/network does not control forwarding any longer.  The
"FORWARD_IPV4" option is ignored.  In fact, it hasn't controlled it
since, oh, RH7.2 or thereabouts (2.2 kernels).

> Look at /etc/sysctl.conf.  Forward_ipv4 is one of the things normally
> controlled by this config file.  You may also want to look at the sysctl
> command - it is a cleaner way to change the settings than using echo.
> 
> ########################### END QUOTE ###############################
> 
> In /etc/sysctl.conf:
> net.ipv4.ip_forward = 0
> 
> appears to disable forwarding.
> 
> What are the security implications of changing "0" to "1" in this line?

Setting it to 1 turns on forwarding, 0 disables it.

> At system boot time, will the /etc/sysconfig/iptables file info be
> processed significantly later than the /etc/sysctl.conf info?

iptables is set up before the forwarding is enabled or disabled, if
that's what you mean.  This makes sense...set up the firewall, THEN
enable the network.  You aren't exposed to any non-firewalled network
activity that way.

> If that is true, then do we have an insecure window of time where
> the system will automatically forward packets anywhere?

You are correct.  It isn't true.  If you examine the /etc/rc.d/rcx.d
directories, you'll find that iptables is run as "S08iptables", and the
forwarding and such is set up in "S10network".
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-        Brain:  The organ with which we think that we think.        -
----------------------------------------------------------------------
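An added check, not part of this thread, that encodes the two facts Rick's reply relies on: the net.ipv4.ip_forward value that /etc/sysctl.conf will apply, and whether the S##iptables start link sorts before S##network in a SysV rc directory. It runs against a constructed layout under a temp directory; the file names and the S08/S10 numbers are assumed from the reply above.

```shell
#!/bin/sh
# Added example: verify forwarding config and firewall/network start order.

# Print the value of net.ipv4.ip_forward that `sysctl -p FILE` would apply.
# Entries are applied in order, so the last assignment wins; an absent key
# prints 0 because the kernel default is forwarding off.
sysctl_conf_ip_forward() {
    v=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-0}"
}

# Succeed (exit 0) if S??iptables sorts before S??network in the rc dir given
# as $1, i.e. the firewall is loaded before forwarding can be enabled.
# Assumes SysV symlink naming (S<two digits><service>) as described above.
firewall_before_network() {
    fw=$(ls "$1" | sed -n 's/^S\([0-9][0-9]\)iptables$/\1/p' | head -n 1)
    net=$(ls "$1" | sed -n 's/^S\([0-9][0-9]\)network$/\1/p' | head -n 1)
    [ -n "$fw" ] && [ -n "$net" ] && [ "$fw" -lt "$net" ]
}

# Build a constructed layout mirroring the one described in the reply and
# print its path (caller removes it).
make_demo() {
    d=$(mktemp -d)
    mkdir "$d/rc3.d"
    touch "$d/rc3.d/S08iptables" "$d/rc3.d/S10network" "$d/rc3.d/K35smb"
    cat > "$d/sysctl.conf" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 0
kernel.sysrq = 0
EOF
    printf '%s\n' "$d"
}

# Run both checks on the constructed layout. To inspect a real host, pass
# /etc/sysctl.conf and /etc/rc.d/rc3.d instead.
demo=$(make_demo)
echo "ip_forward in sysctl.conf: $(sysctl_conf_ip_forward "$demo/sysctl.conf")"
if firewall_before_network "$demo/rc3.d"; then
    echo "iptables starts before network: firewall is up before forwarding"
else
    echo "WARNING: network starts before iptables"
fi
rm -rf "$demo"
```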