Hi,
> I've set up ipf and ipnat on Solaris 8 on an E450. I am running ipf v3.4.30. A PC on the internal 192.168.0.x network can web surf and send mail through SMTP no worries. But when a user tries to check his mail on an external mail server using POP the mail client connects, gets the count of new messages and then seems to hang when it comes to downloading the messages. My ipf and ipnat rulesets are:
I feel compelled to comment on this ruleset.
> map sppp0 192.168.0.0/24 -> 0/32 proxy ftp ftp/tcp
> map sppp0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
> map sppp0 192.168.0.0/24 -> 0/32
> ----------------------------------------------------------
> block in all
> block out all
> block in log quick all with opt lsrr
> block in log quick all with opt ssrr
> pass out quick on sppp0 proto tcp/udp from any to any keep state
> pass in quick on sppp0 proto tcp from any to any port = ftp-data keep state
Not sure what you're trying to accomplish here. You shouldn't have any inbound traffic to port 20 that wasn't part of an outbound connection already matched by the previous rule.
> pass in quick on sppp0 proto tcp from any port = ftp-data to any port > 1024
With this ftp-data rule, you are almost completely eliminating the security benefit of using IP Filter. Anyone can connect to any service on a high-numbered port, including X Windows, NFS, various RPC services, etc.
If you want to do FTP, use the FTP proxy you've already configured. If it's not working for the gateway host, it's because you have to add a proxy rule for the public address of the system (sppp0).
> pass in quick on qfe3 from any to any keep state
> pass out quick on qfe3 from any to any keep state
>
> Any assistance would be greatly appreciated.
The remote POP server may be performing an IDENT query against the gateway, or hanging on inverse DNS. Or you may be suffering fragmentation problems, and should check into the MSS initiative for help. Try adding "keep frag" to your outbound rule.
Do you have ipmon running? Is it logging any blocked traffic from the POP system?
--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
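For readers following the thread, here is an added example that pulls the reply's points together in one ruleset. It is not the original poster's configuration and not Jefferson Ogata's; it assumes the gateway's public address on sppp0 is 203.0.113.10 (a placeholder), writes the proxy rule in the `proxy port ftp ftp/tcp` form documented in ipnat(5), and uses the `keep frags` keyword from ipf(5) for the fragment handling the reply refers to as "keep frag". The IDENT rule is a defensive refinement of the reply's IDENT hypothesis rather than something the reply itself spells out.

```conf
# Added example, not the original poster's ruleset. Public address of the
# gateway on sppp0 is assumed to be 203.0.113.10 (placeholder).

# --- /etc/ipnat.conf ---
# NAT for the internal network, plus a proxy rule for the gateway's own
# public address so FTP from the gateway host itself goes through the
# proxy instead of needing holes in the filter rules.
map sppp0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map sppp0 203.0.113.10/32 -> 0/32 proxy port ftp ftp/tcp
map sppp0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map sppp0 192.168.0.0/24 -> 0/32

# --- /etc/ipf.conf ---
# Default deny. "log" on the default-deny rules is what lets ipmon show
# whether the remote POP server is sending anything back that gets dropped.
block in log all
block out log all
block in log quick all with opt lsrr
block in log quick all with opt ssrr

# IDENT (tcp/113): answer with a RST instead of dropping silently, so a POP
# server that probes the gateway gets an immediate refusal rather than
# waiting for its query to time out.
block return-rst in quick on sppp0 proto tcp from any to any port = 113

# Outbound from the external interface: stateful, and keep fragments of
# tracked connections too (the reply's "keep frag" suggestion).
pass out quick on sppp0 proto tcp/udp from any to any keep state keep frags

# Dropped from the original ruleset:
#   pass in quick on sppp0 proto tcp from any to any port = ftp-data keep state
#   pass in quick on sppp0 proto tcp from any port = ftp-data to any port > 1024
# The first is redundant with the stateful outbound rule above; the second
# admits any host with source port 20 to every service above port 1024.
# Active-mode FTP data connections are handled by the ipnat proxy instead.

# Internal interface: trusted, stateful both ways.
pass in quick on qfe3 from any to any keep state
pass out quick on qfe3 from any to any keep state
```

Reload with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`, then watch `ipmon -s` (syslog) or `ipmon -a` on the console while the POP client hangs: a logged inbound block from the mail server's address to port 113 points at the IDENT theory, while no log entries at all while the transfer stalls points toward the fragmentation or MSS issue the reply also mentions.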
