Peter,

Thank you for your reply. This makes things more clear.

All,

Can anybody give more details on IPFilter 4.1.7 behavior with Solaris VLAN tagged interfaces? At present I have 3.4.33 in a production environment working fine with VLAN tagged interfaces. 3.4.33 on load gives the information that:

Mar 7 14:19:52 server ipf: [ID 185768 kern.notice] NOTICE: VLAN HACK ENABLED
Mar 7 14:19:52 server ipf: [ID 920137 kern.notice] IP Filter: attach to [ce700000,700000] - IPv4

Maybe a similar HACK is available also in 4.1.7? Alas, I have no ability to simulate these scenarios in a test environment, so any comments will be highly appreciated.

So the following questions are still open for me:

1. Will 4.1.7 apply already loaded rules for interfaces that will be plumbed after IPFilter's normal startup, without reloading rules or restarting IPFilter?
2. Will 4.1.7 understand and work normally with VLAN tagged interfaces like ce700000 (VLAN ID 700, interface 0)?

Thank you in advance.

With best regards,
Martynas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jeremy
Sent: Wednesday, March 16, 2005 9:09 PM
To: Buozis, Martynas
Cc: [email protected]
Subject: Re: VLAN tagged interfaces plumb/unplumb + bimap questions

On 2005-Mar-16 14:15:52 +0100, "Buozis, Martynas" <[EMAIL PROTECTED]> wrote:
>1. About IPFilter behavior plumbing and unplumbing interfaces on a SUN
>box running Solaris. May I prepare a rule set and load these rules on
>startup, but plumb and configure interfaces upon need later? Or will I
>have to restart IPFilter and add/remove configuration lines for ipf and
>ipnat every time I plumb/unplumb a network interface? Will rules
>for non-existing interfaces somehow impact IPFilter services?

You don't need to restart ipfilter to change the configuration - simply
load the new configuration into the inactive filter list and switch
filter lists.

>Network interfaces are VLAN tagged interfaces like ce100000. Rule
>examples are:
>
>Ipf:
>pass in quick on ce100000 from 192.168.205.0/24 to 192.168.100.0/24

In ipfilter 3.4.33, there doesn't seem to be any requirement that the
interface exist when the rules are loaded. I'm not in a position to test
that the rules are correctly associated with later plumbed interfaces.

Note that VLAN tagged interfaces don't work well with 4.1.2 or 4.1.3
because ipfilter treats everything beyond the 'ce' as an interface
instance and tries to store it in an unsigned short, so 'ce100000' will
be treated as 'ce1696'. I don't know if this has been fixed in more
recent 4.1.x versions.

>2. In some cases I use bimap for ipnat like:
>
>bimap hme0 192.168.205.10/32 -> 192.168.100.160/32
>
>This I need to get available connections to/from a specific host for
>outbound and inbound traffic (host 192.168.205.10 should be reachable
>from the "outside" network as 192.168.100.160). Did I understand right
>that bimap is not very welcome for configurations like that? Should I
>change this to a map/rdr pair instead, and what would I gain if I do that?

That is correct for most protocols. If you want to allow an FTP client
on host 192.168.205.10 to reach external FTP servers, you'll also need

map hme0 192.168.205.10/32 -> 192.168.100.160/32 proxy port ftp ftp/tcp

(and I think this line needs to appear before the bimap).

I agree that the documentation could be more helpful.

--
Peter Jeremy
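A small lint script, added here as an illustration and not code from the thread or from IPFilter, that checks rule files for the two pitfalls discussed above: interface names whose numeric suffix would not fit in an unsigned short (the ce100000 case), and an FTP proxy map line that appears after the bimap for the same address. The rule lines are constructed to resemble the ones quoted, not a real configuration.

```python
import re

# Constructed sample rule sets modelled on the lines quoted in the thread;
# they are not the poster's real production configuration.
IPF_RULES = """\
pass in quick on ce100000 from 192.168.205.0/24 to 192.168.100.0/24
pass in quick on ce700000 from 192.168.205.0/24 to 192.168.100.0/24
pass out quick on hme0 from any to any
"""

IPNAT_RULES = """\
bimap hme0 192.168.205.10/32 -> 192.168.100.160/32
map hme0 192.168.205.10/32 -> 192.168.100.160/32 proxy port ftp ftp/tcp
"""

IFACE_RE = re.compile(r"^([a-z]+)(\d+)$")
USHORT_MAX = 65535  # largest instance number a 16-bit field can hold


def oversized_interfaces(rules):
    """Interface names (after 'on' in ipf rules, or the second token of
    ipnat map/rdr/bimap rules) whose numeric suffix exceeds an unsigned
    short, which the thread reports 4.1.2/4.1.3 silently truncate."""
    found = []
    for line in rules.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if "on" in tokens and tokens.index("on") + 1 < len(tokens):
            name = tokens[tokens.index("on") + 1]
        elif tokens[0] in ("map", "rdr", "bimap") and len(tokens) > 1:
            name = tokens[1]
        else:
            continue
        m = IFACE_RE.match(name)
        if m and int(m.group(2)) > USHORT_MAX and name not in found:
            found.append(name)
    return found


def ftp_proxy_after_bimap(nat_rules):
    """Internal addresses whose 'map ... proxy port ftp' line comes after
    a bimap for the same address; the thread suggests the proxy map
    should precede the bimap."""
    bimapped, late = set(), []
    for line in nat_rules.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[3] != "->":
            continue
        kind, src = tokens[0], tokens[2]
        if kind == "bimap":
            bimapped.add(src)
        elif kind == "map" and "proxy" in tokens and "ftp" in tokens:
            if src in bimapped:
                late.append(src)
    return late
```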
