Darren and Sun developers,

I am glad that Sun is recognizing the value of Darren's work, and
seeing fit to roll it into S10, but please don't do the "embrace and
strangle" strategy of Microsoft with his work. Please keep the
pkg setup of pfil and ipfilter in sync with whatever public-domain
version Darren sees fit to release in the future. Make it so that
we can upgrade the Sun version with newer versions of Darren's
public-domain version if we want to (or if Sun is slow in getting a
patch for ipfilter out). I'll throw this minor point out... I changed
our site from an HP shop to a Sun shop four years ago and
one of the selling points for us was ipfilter. Please don't screw up
a good thing.


I'll also grumble and shuffle my feet a bit here... Frankly, at this
point in time, I don't trust ipfilter 4.x. I've run it on a couple
of non-production boxes, and I've had some problems (including panics
and app problems). I also don't like that I can't shut down ipf 4,
like I can with ipf3 (to test firewall problems). I know a lot of
people are using 4.x, but I'm sticking with 3.4.31 on S9 systems.
I figure these issues will go away when S10 comes out, of course.


Jeff Earickson
Colby College

On Wed, 24 Nov 2004 [EMAIL PROTECTED] wrote:

Date: Wed, 24 Nov 2004 19:52:52 +0100
From: [EMAIL PROTECTED]
To: Need Coffee <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: ipfilter and Solaris 10


On Wed, 24 Nov 2004 18:24:32 +0100, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:

It's part of the standard Solaris release; the version number reported is not really proper so it's changed in the next express release to:

ipf: IP Filter: v4.0.2 (592)

We've made a number of changes to ipfilter such that it is
now well-behaved; this gives some divergence and just removing
and pkgadding the "standard version" will give you some grief;
and also no integration with SMF.

As it is part of the OS it will be supported.

Not to be rude, but does "well-behaved" mean that it will work with IPsec without causing panics?

Well behaved primarily means that it does not stuff packets in queues it really shouldn't be accessing and that it inserts itself properly. (Some of that is punted to a new daemon, pfild)

Casper
