Scott,
Wondered if the /etc/system tunable below helps?
Steve
ip_strict_dst_multihoming and ip6_strict_dst_multihoming
Description
Determine whether a packet arriving on a non-forwarding interface can be
accepted for an IP address that is not explicitly configured on that
interface. If ip_forwarding is enabled, or xxx:ip_forwarding for the
appropriate interfaces is enabled, then this parameter is ignored, because
the packet is actually forwarded.
Refer to RFC 1122 3.3.2.4.
Default
0 (loose multihoming)
Range
0 = Off (loose multihoming)
1 = On (strict multihoming)
Dynamic?
Yes
When to Change
If a machine has interfaces that cross strict networking domains (for
example, a firewall or a VPN node), set this variable to 1.
Commitment Level
Unstable
> I'd love to learn about and configure BGP but neither of my ISPs do
> anything with it and my guess it that buying a second firewall would
> be far cheaper than getting into this.
> Again, I have an absolute requirement that packets must leave on the
> same wire they came in on. Primarily because one of my ISPs has
> spoofing detection in place and packets that are "not supposed to be"
> on the wire are dropped.
> I'm at the point of configuring policy/source routing on one of my two
> Cisco routers. I only have control over one of them. Actually, I was
> first trying to configure this routing using an Extreme switch but
> that isn't working out.
> >>>Hello,
> >>>I have FW-1 running on Solaris 7 with two Internet connections and two
> >>>DMZs. Each DMZ contains various Web, mail, etc. servers. At the
> >>>present time, I'm using 4 interfaces on a single firewall to route
> >>>between the 4 networks. All routing is static and I'm unable to
> >>>undertake something more complex. The configuration is not intended
> >>>to provide redundancy or load sharing. It is simply meant to provide
> >>>separate services to two different groups of clients.
> >>>My question is the following... Is there any way to force outgoing
> >>>traffic back down the same route that it entered? I've discovered
> >>>that two default routes can be defined on the firewall but they are
> >>>used in a round robin fashion and my requirement is very strict that
> >>>outbound traffic must take the same path it entered. I did try rules
> >>>on the firewall to block misdirected outbound traffic hoping the other
> >>>route would pick up but that didn't work as I expected.
> >>>Am I missing a way to achieve this or should I toss a few more $k at
> >>>this and deploy a second firewall?
> >>Scott, I would think that you really should be doing something with
> >>BGP external to your firewall. Get a Cisco and a BGP AS from your
> >>providers and let your gateway router do the load balancing and
> >>dynamic routing. Put your firewall with one interface set to default
> >>route to your BGP router.
> >I don't see how BGP would solve this problem.
> >What he needs is routing based on source addresses. I don't think this can
> >be done with Firewall-1, but it can be done with a Cisco router. If you
> >connect both Internet connections to the same Cisco router, you can use
> >Cisco's "policy routing" feature to select the ISP interface based on the
> >source address.
> >--
> >Genuity, Burlington, MA
> >*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> >Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
> Thanks!
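As an added illustration (this is not code from the thread, from Sun or from Check Point), here is a small Python model of the two mechanisms under discussion: the acceptance check that the ip_strict_dst_multihoming tunable controls, and the source-address policy routing Scott is after. Interface names, addresses and prefixes are constructed; the round-robin fallback models the two-default-route behaviour the original post describes.

```python
"""Added model (not Solaris or FW-1 code) of two things discussed in the thread:

1. ip_strict_dst_multihoming: whether a packet for a local address is accepted
   when it arrives on an interface that does not carry that address.
2. Source-based (policy) routing: choosing the egress interface from the
   packet's source address, with round-robin over default routes as the
   fallback the original poster observed.

All addresses, interface names and prefixes below are constructed examples.
"""
import ipaddress
from itertools import cycle

# Constructed interface table: name -> configured addresses and a per-interface
# forwarding flag (the "xxx:ip_forwarding" the tunable description mentions).
IFACES = {
    "hme0": {"addresses": {"192.0.2.10"}, "forwarding": False},      # ISP A link
    "hme1": {"addresses": {"198.51.100.10"}, "forwarding": False},   # ISP B link
    "hme2": {"addresses": {"10.0.1.1"}, "forwarding": False},        # DMZ 1
    "hme3": {"addresses": {"10.0.2.1"}, "forwarding": False},        # DMZ 2
}


def accepts_locally(ifaces, arrival_if, dst, strict_dst_multihoming, ip_forwarding=False):
    """Decide whether a packet addressed to dst, arriving on arrival_if, is delivered.

    Mirrors the tunable's documented semantics:
      - loose (0): any address configured on any interface of the host is accepted;
      - strict (1): only addresses configured on the arriving interface are accepted;
      - if global ip_forwarding or the arriving interface's own forwarding flag is
        set, the tunable is ignored and the packet is delivered.
    """
    local_addrs = set().union(*(i["addresses"] for i in ifaces.values()))
    if dst not in local_addrs:
        return False                     # not ours at all; forwarding is a separate decision
    if ip_forwarding or ifaces[arrival_if]["forwarding"]:
        return True                      # tunable ignored when forwarding is on
    if not strict_dst_multihoming:
        return True                      # loose multihoming (the default)
    return dst in ifaces[arrival_if]["addresses"]


class PolicyRouter:
    """Source-address policy routing with a round-robin default-route fallback."""

    def __init__(self, policy, default_egress):
        # policy: list of (source prefix, egress interface); first match wins
        self.policy = [(ipaddress.ip_network(p), egress) for p, egress in policy]
        self._defaults = cycle(default_egress)

    def select_egress(self, src):
        addr = ipaddress.ip_address(src)
        for prefix, egress in self.policy:
            if addr in prefix:
                return egress
        # No policy match: behave like two equal default routes, which the
        # original post says were used in round-robin fashion.
        return next(self._defaults)


# Constructed policy: DMZ 1 servers are reached via ISP A, so their replies
# must leave on hme0; DMZ 2 is served by ISP B and its replies leave on hme1.
POLICY = [("10.0.1.0/24", "hme0"), ("10.0.2.0/24", "hme1")]
DEFAULT_EGRESS = ["hme0", "hme1"]


if __name__ == "__main__":
    # A packet for hme0's address arriving on the ISP B link is a classic sign of
    # a misdirected or spoofed packet. Loose mode delivers it, strict mode drops it.
    print("loose :", accepts_locally(IFACES, "hme1", "192.0.2.10", strict_dst_multihoming=False))
    print("strict:", accepts_locally(IFACES, "hme1", "192.0.2.10", strict_dst_multihoming=True))
    router = PolicyRouter(POLICY, DEFAULT_EGRESS)
    for src in ("10.0.1.25", "10.0.2.7", "172.16.5.5", "172.16.5.6"):
        print(src, "->", router.select_egress(src))
```

Two things the model makes visible. First, the tunable governs which inbound packets the host accepts (a packet for hme0's address that shows up on hme1 is dropped in strict mode, which is why the documentation recommends it for firewalls), not which interface replies leave on; the egress choice is the PolicyRouter half. Second, without a source-address policy, unmatched traffic alternates between the two default routes, which is exactly what sends half the replies out the "wrong" ISP. On Solaris the tunable is set with `ndd -set /dev/ip ip_strict_dst_multihoming 1` or, persistently, with `set ip:ip_strict_dst_multihoming = 1` in /etc/system; on a Cisco router the equivalent of PolicyRouter is a route-map applied with `ip policy route-map` on the inside interface, matching an access-list of source addresses and using `set ip next-hop` (general IOS syntax, not taken from the thread).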