Subject: Re: forwarding question
To: Marton Fabo <>
From: Quentin Garnier <>
List: tech-net
Date: 02/13/2003 08:47:56
On Thu, 13 Feb 2003 03:04:42 +0100
Marton Fabo wrote:
> What I want is to have the router only forward packets between the
> external interface and the local subnets, but not between the two local
> subnets. net.inet.ip.forwarding=1 enables forwarding among any subnets
> the router is connected to.
> I guess this could be done with filtering. But what I would prefer is to
> have the router not even try to forward between the local subnets,
> rather than try it and subsequently fail because of a filter. So,
> basically, instead of a global "forwarding ON" switch, I'd like to
> enable it explicitly for pairs of interfaces or subnets.
> Is this possible on NetBSD?

This *is* filtering. See, the problem is that NetBSD would have to perform
the routing (i.e. choosing a route for the packet) before taking the
decision to forward. Or, if the decision is delayed, it should either
remember at route time where the packet is from, or guess it.

And what about local packets that are sent from a socket bound to a
certain IP address? They don't pass through ip_forward(), but they would
still be unauthorized.

So, filtering is really what you want.

Quentin Garnier -
"Feels like I'm fiddling while Rome is burning down.
Should I lay my fiddle down and take a rifle from the ground?"
Leigh Nash/Sixpence None The Richer, Paralyzed, Divine Discontents, 2002.
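As an added example (not part of either message, and not NetBSD's own configuration), this is the kind of ruleset the reply is pointing at, written for IPFilter (ipf), the packet filter shipped with NetBSD at the time. The interface names ex0/in0/in1 and the prefixes 10.0.1.0/24 and 10.0.2.0/24 are assumptions for illustration. Blocking on input by source and destination prefix needs no routing decision, which is the point made above; the output rules cover the second point, packets the router generates itself from a socket bound to one of its local addresses, which never go through ip_forward().

```ipf
# Added example ruleset; not from the original thread or the NetBSD sources.
# Assumed (hypothetical) layout:
#   ex0  external link
#   in0  local subnet A, 10.0.1.0/24
#   in1  local subnet B, 10.0.2.0/24

# Refuse inter-subnet traffic as it arrives, before any route lookup is needed:
# the source and destination prefixes alone identify the interface pair.
block in log quick on in0 from 10.0.1.0/24 to 10.0.2.0/24
block in log quick on in1 from 10.0.2.0/24 to 10.0.1.0/24

# Also refuse it on the way out. This catches packets the router itself
# originates from a socket bound to a subnet-A or subnet-B address, which
# are never seen by ip_forward() and so would slip past the input rules.
block out log quick on in1 from 10.0.1.0/24 to 10.0.2.0/24
block out log quick on in0 from 10.0.2.0/24 to 10.0.1.0/24

# Everything else (local <-> external, and the router's own other traffic)
# is still forwarded as net.inet.ip.forwarding=1 allows.
pass in all
pass out all
```

Load it with `ipf -Fa -f /etc/ipf.conf` after enabling IPFilter; the `log` keyword on the block rules makes the denied attempts visible through ipmon, which is the usual way to confirm the two subnets really are isolated rather than assuming it from the absence of a route.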