Hello all,
We had a virus this morning (connecting to port 1433) which unfortunately brought the old NAT box to its knees (Solaris 8, ipfil 3.3.22).
Since it was 1 day before the migration to Solaris 10 and its IpFilter v4.0.2 (the default that comes with Solaris 10), we decided to just switch right away.
Our ipf.conf only has permit all. Our ipnat.conf has:

map iprb0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map iprb0 172.16.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map iprb0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
map iprb0 192.168.0.0/16 -> 0/32 portmap tcp/udp auto
map iprb0 172.16.0.0/16 -> 0/32 portmap tcp/udp auto
map iprb0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
map iprb0 192.168.0.0/16 -> 0/32
map iprb0 172.16.0.0/16 -> 0/32
map iprb0 10.0.0.0/8 -> 0/32

Initially, everything appeared to be running rather well, except that traceroute does not work (both ICMP and UDP mode just stop at the NAT box; ping and everything else works ok). It also coped much better with people being infected.
If I issue "snoop -r -c 1000 net 192.168.0.0" on the _external_ interface, I get no traffic, as one would expect. There should be no internal IPs being sent out on the external interface.
Ipnat table has about 22k entries. ipnat -s and ipfstat -s both look ok, no memory failures, and %used is around 3%.
However, after about 30-40 minutes of operation, we start seeing packets going out with source-host 192.168.0.0/16 on the _external_ interface.
Timing the snoop command, it took about 7 seconds to see 1000 (internal) packets. The ipnat table is down to about 14k entries, and decreasing. People start to complain.
Once it gets really bad, it takes just under 2 seconds to see 1000 packets from internal addresses.
svcadm restart, and "disable / enable", do not fix the problem. If I modunload and modload "ipf", it does fix it, for another 30 minutes or so. We observed this 4 times this morning.
In the end, we rolled back to the old box and just blocked anything going to port 1433, and things are settling down.
1) That it is sending out packets with internal addresses would imply it has suddenly stopped NATting and is simply forwarding packets. That sounds like a bug? Is it a known bug?
2) Should we try pfil 2.0.5 and ipfilter 4.1.6? But if we change away from Sun's Solaris 10 version, does that mean it will not be "supported"?
3) Is the fact that traceroute does not work related? Feels like it isn't.
I saved output from ipfstat, ipfstat -s and ipnat -s, but the new box is not currently networked upstairs; I can fetch them if they might be useful.
Any reply is appreciated.
Lund
--
Jorgen Lundman      | <[EMAIL PROTECTED]>
Unix Administrator  | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo   | +81 (0)90-5578-8500 (cell)
Japan               | +81 (0)3 -3375-1767 (home)
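The symptom described above (RFC1918 source addresses appearing on the external interface once NAT stops translating) can be watched for automatically instead of by timing snoop by hand. The following script is an added example, not part of the original post or of IPFilter; it parses lines in the general shape of "snoop -r -ta" summary output (an assumed format: timestamp, "src -> dst", protocol, then "D=port"), flags any packet whose source falls inside the three internal ranges from the posted ipnat.conf, and reports how many leaked, from which hosts, to which destination ports, and the leak rate over the capture window. The sample capture lines are constructed for this example and use documentation/private ranges only.

```python
import ipaddress
import re
import sys
from datetime import datetime

# Internal ranges exactly as mapped in the ipnat.conf posted above; a packet
# with one of these as its source should never leave the external interface.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample in the style of "snoop -r -ta" on the external interface
# (assumed format, not a real capture). 198.51.100.x and 203.0.113.x are
# documentation ranges standing in for the NAT box's public side and the internet.
SAMPLE_SNOOP = """\
10:02:11.00120 203.0.113.10 -> 198.51.100.7 TCP D=80 S=33012 Syn Seq=0 Len=0 Win=16384
10:02:11.00480 192.168.4.22 -> 198.51.100.7 TCP D=80 S=1045 Syn Seq=0 Len=0 Win=65535
10:02:11.01010 203.0.113.10 -> 198.51.100.9 UDP D=53 S=40422 LEN=48
10:02:11.01335 172.16.9.3 -> 198.51.100.30 TCP D=1433 S=1120 Syn Seq=0 Len=0 Win=65535
10:02:11.01990 10.3.0.15 -> 198.51.100.30 TCP D=1433 S=1121 Syn Seq=0 Len=0 Win=65535
10:02:11.02500 192.168.4.22 -> 198.51.100.30 TCP D=1433 S=1122 Syn Seq=0 Len=0 Win=65535
"""

# Optional timestamp, numeric src -> dst, protocol keyword, optional D=port.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>\S+)(?:\s+D=(?P<dport>\d+))?"
)


def is_internal(addr):
    """True if addr lies in one of the ranges the NAT box is supposed to translate."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_snoop(text):
    """Yield (timestamp or None, src, dst, proto, dport or None) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and unparsable summaries
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f") if m.group("ts") else None
        dport = int(m.group("dport")) if m.group("dport") else None
        yield (ts, ipaddress.ip_address(m.group("src")),
               ipaddress.ip_address(m.group("dst")), m.group("proto"), dport)


def leak_report(text):
    """Summarise untranslated internal sources seen on the external interface."""
    total = 0
    leaked_sources = []
    leaked_dports = {}
    first_ts = last_ts = None
    for ts, src, _dst, _proto, dport in parse_snoop(text):
        total += 1
        if ts is not None:
            first_ts = ts if first_ts is None else first_ts
            last_ts = ts
        if is_internal(src):
            leaked_sources.append(str(src))
            if dport is not None:
                leaked_dports[dport] = leaked_dports.get(dport, 0) + 1
    window = None
    if first_ts is not None and last_ts is not None and last_ts > first_ts:
        window = (last_ts - first_ts).total_seconds()
    return {
        "total": total,
        "leaked": len(leaked_sources),
        "leaked_sources": sorted(set(leaked_sources)),
        "leaked_dports": leaked_dports,
        "leak_rate_pps": (len(leaked_sources) / window) if window else None,
    }


if __name__ == "__main__":
    # Feed real output with:  snoop -r -ta -c 1000 net 192.168.0.0 | python3 this.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SNOOP
    report = leak_report(data)
    print(report)
    if report["leaked"]:
        print("ALERT: NAT leakage on external interface; consider modunload/modload ipf")
```

Any non-zero "leaked" count is the condition that took 30-40 minutes to appear in the post; polling a short capture every minute and alerting on the first hit gives the reload a chance to happen before the ipnat table has drained and users notice. The destination-port breakdown separates worm traffic (1433) from ordinary browsing, which helps decide whether a block on 1433 upstream is buying anything.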
