Re: Info Source Route option
Barry Margolin
yoi...@bhphotovideo.com (Joel Brave) wrote:
> Hi there to anyone and everyone,
>
> I am would like to Explore "Source Route" how it works and its
> possibilities but I don't seem to get it, can anyone give me a
> reference with some details of the commands how it works [in Windows]?
>
> What I would like to know if I can do a source route through another
> computer [meaning not a router].
Any device that will forward packets is effectively a router. So if the
computer is "not a router", then it won't forward packets, so you can't
do a source route through it.
>
> When I do "Ping –j IPA IPB" I get the following message:
>
> Reply from IP A: Invalid source route specified.
>
> I am aware that most routers will block Source Route that's why I
> tried it locally not passing through the router, both IP addresses are
> "PC's" and on my network.
The PC probably doesn't do packet forwarding.
> (Another question, I am aware that most routers restrict source router
> or any IP Datagram with options, but is there a difference if the
> options are completed already before getting to the router or if it
> the options are still pending because they are set to be done after
> the router.
>
> Example Datagram with options before getting to the router is if I
> send "Ping –j IPA IPB" and both IP addresses are on my local network.
> Example Datagram with options after going through the router "Ping –j
> IPA IPB" and IP B is outside my local network and it has to go through
> the router before getting it).
The detailed criteria for blocking packets depends on the router. My
guess is most will reject them if the option exists, regardless of
whether it needs to do anything with it.
--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
Joel Brave
way to route packets through any other computer if it is not setup for
it [like enabling the routing service匽, is there any way possible to
route packets through a computer even if the routing service is
disabled?
Here is the issue:
Our company is using web filtering software based on everybody's IP
Address they have different web access, now I am thinking if someone
can re-route his HTTP requests through a computer that has more web
access then him so he will get all the sites that are open on the
other PC?
Is this possible, if yes how can we avoid this?
Thanks A Lot.
Joel
Keith Wansbrough
> First of all thanks for your response, According to this there is no
> way to route packets through any other computer if it is not setup for
> it [like enabling the routing service], is there any way possible to
> route packets through a computer even if the routing service is
> disabled?
Not at the IP level - if the IP stack isn't forwarding packets, it
won't forward packets.
But you could run another application on that computer to forward
specific packets or requests. Or you could turn on the appropriate
system options (registry / sysctl / whatever) to make that computer a
router.
> Our company is using web filtering software based on everybody's IP
> Address they have different web access, now I am thinking if someone
> can re-route his HTTP requests through a computer that has more web
> access then him so he will get all the sites that are open on the
> other PC?
You are confusing the route with the source IP. Using a different
route has no effect on the source IP of the packet, only on the route
it takes to get from the source to the destination. If it did change
the source IP, then you wouldn't get the responses anyway.
OTOH, it's easy enough to run an application-level proxy on the
computer with higher privileges - say AnalogX Proxy for Windows, or
Squid for a Unix system. This forwards requests at the HTTP level,
rather than at the IP level, and would certainly allow users of the
proxy to access the web at the privilege level of the machine running
the proxy.
> Is this possible, if yes how can we avoid this?
Don't allow the user with higher privileges to use the proxy. Or read
your border proxy's web access logs and look for unusual patterns. Or
give everyone the same web access and avoid the problem entirely.
> Thanks A Lot.
>
> Joel
HTH.
--KW 8-)
--
Keith Wansbrough <kw...@cl.cam.ac.uk>
http://www.cl.cam.ac.uk/users/kw217/
University of Cambridge Computer Laboratory.
Barry Margolin
Keith Wansbrough <kw...@cl.cam.ac.uk> wrote:
> yoi...@bhphotovideo.com (Joel Brave) writes:
> > Our company is using web filtering software based on everybody's IP
> > Address they have different web access, now I am thinking if someone
> > can re-route his HTTP requests through a computer that has more web
> > access then him so he will get all the sites that are open on the
> > other PC?
>
> You are confusing the route with the source IP. Using a different
> route has no effect on the source IP of the packet, only on the route
> it takes to get from the source to the destination. If it did change
> the source IP, then you wouldn't get the responses anyway.
>
> OTOH, it's easy enough to run an application-level proxy on the
> computer with higher privileges - say AnalogX Proxy for Windows, or
> Squid for a Unix system. This forwards requests at the HTTP level,
> rather than at the IP level, and would certainly allow users of the
> proxy to access the web at the privilege level of the machine running
> the proxy.
You might also be able to accomplish this by turning on Internet
Connection Sharing on the computer with additional web access.
Of course, if you do this then you're likely violating company policy;
if you get caught, it could easily be grounds for termination.