Hello

I have ipf 4.1.2 installed on Solaris 9 (sparc). I've noticed a discrepancy between how ipfilter 3.4.32 on Solaris 8 and ipfilter 4.1.2 on Solaris 9 handle the "pass out quick proto tcp all keep state" rule... this allows the sending of TCP reset packets generated by Solaris in 3.4.32, but does not work on 4.1.2.

On version 4.1.2 I have to add an extra line containing "pass out quick proto tcp all flags R/RSFUP" in order for this to work (see below for my current config).

Why is this? Is it enhanced behaviour in 4.1.2, or a bug? You would think that the pass out tcp keep state would allow for the sending of reset packets to ports that are not listening eh?

Note that this only applies to ports that are allowed by ipfilter where there is no process doing a LISTEN on the port. That is, if ipfilter is generating the resets then there is no problem, but if Solaris is generating the resets then they are killed by ipfilter unless the extra line is added.

Also, if I move the "...flags R/RSFUP..." line to the end of the head 10 block, then it's like it's not there at all. This also seems strange I think?

...
block out quick all head 10
block out quick from 127.0.0.0/8 to any group 10
block out quick from any to 127.0.0.0/8 group 10
pass out quick proto tcp all flags R/RSFUP group 10
pass out quick proto udp all keep state group 10
pass out quick proto tcp all keep state group 10
pass out quick proto icmp all keep state group 10
...
block return-rst in quick proto tcp all head 20 # block TCP in, send RST
block in log quick from 127.0.0.0/8 to any group 20
pass in quick proto tcp from ...
...


Thanks very much

Jesse



Jesse Reynolds
UNIX Systems Administrator
UNSW IT Services - http://www.its.unsw.edu.au/
Phone: +61 (0)2 9385 2893 Fax: +61 (0)2 9385 1033 Mobile: +61 (0)414 669 790
AIM/iChat: jessedreynolds Yahoo Messenger: jessereynolds Skype: jessereynolds