In Solaris 10, IP Forwarding can be enabled or disabled using the routeadm & ifconfig commands as against the ndd commands in Solaris 9 and earlier. The advantage is the change dynamic and real-time and the change persist across reboot unlike the ndd command.

Enable/Disable IP Forwarding globally 

To globally enable IP Forwarding in Solaris 10 use the routeadm command as follows:

In IPv4

solaris10# routeadm -e ipv4-forwarding

In IPv6

solaris10# routeadm -e ipv6-forwarding

The switches “-e” enables IP Forwarding.

To disable IP Forwarding

In IPv4

solaris10# routeadm -d ipv4-forwarding

In IPv6

solaris10# routeadm -d ipv6-forwarding

The switches “-d” enables IP Forwarding.

After the change run the following command for the changes to take effect.

solaris10# routeadm -u

Enable/Disable IP Forwarding per interface 

To enable IP Forwarding on a specific interface (say ce0) using the ifconfig command

In IPv4

solaris10# ifconfig ce0 router

In IPv6

solaris10# ifconfig ce0 inet6 router

To disable IP Forwarding for an interface (say ce0)

In IPv4

solaris10# ifconfig ce0 -router

In IPv6

solaris10# ifconfig ce0 inet6 -router

Solaris Operating Environment by default is configured to both accept and send  the ICMP Redirect messages. According to RFCs, only a router or a gateway device should send an ICMP Redirect message and any other hosts should only be able to receive the ICMP Redirects. If the Solaris server is not acting as a Router or a Gateway then sending ICMP Redirect message should be disabled. The same applies to accepting ICMP Redirect messages if the solaris server is not required to receive ICMP Redirect messages (say a single Router/Gateway network/subnets scenario) as a malicous hacker could send fake ICMP redirect messages to modify the routing table on the host and potentialy cause a Denial of Service attack.

Show and Disable ICMP Redirect message accept option

To see if accepting ICMP Redirects are enabled in Solaris,

In IPv4

root@solaris# ndd -get /dev/ip ip_ignore_redirect
0

In IPv6 then

root@solaris# ndd -get /dev/ip ip6_ignore_redirect
0

The “0″ indicates that the host is configured to accept ICMP Redirect messages and “1″ indicates it is being disabled

To disable the ICMP Redirect accept option,

In IPv4

root@solaris# ndd -set /dev/ip ip_ignore_redirect 1

In IPv6

root@solaris# ndd -set /dev/ip ip6_ignore_redirect 1

Show and Disable ICMP Redirect message send option

To see if sending ICMP Redirects are enabled in Solaris,

If you are using IPv4

root@solaris# ndd -get /dev/ip ip_send_redirects
1

If you are using IPv6 then

root@solaris# ndd -get /dev/ip ip6_send_redirects
1

The “1″ indicates that the host is configured to send ICMP Redirect messages and “0″ indicates it is being disabled

To disable the option,

In IPv4

root@solaris# ndd -set /dev/ip ip_send_redirects 0

In IPv6

root@solaris# ndd -set /dev/ip ip6_send_redirects 0

The above ndd -set commands dynamically update the ICMP Redirect send/receive options on the host. However, to ensure that the settings are applied at the boot time (say the next time when the server reboots) then edit the startup script /etc/rc2.d/S69inet and modify values accordingly.

Alternatively, you can download the nddconfig script and install on your server. This script can be used to adjust most of the ndd parameters for security purpose.

The script can be downloaded here (need an Sunsolve account)

http://www.sun.com/blueprints/tools/

To install the nddconfig script

Untar the downloaded nddconfig.tar file

root@solaris# tar -xvf nddconfig.tar

Copy the nddconfig file to /etc/init.d/ directory

root@solaris# cp nddconfig /etc/init.d/nddconfig

Change the file permissions to 744

root@solaris# chmod 744 /etc/init.d/nddconfig

Change the file ownership to root(user) and sys (grooup)

root@solaris# chown root:sys /etc/init.d/nddconfig

Create a hard link as follows:

root@solaris# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

This should help.