Chris Ross wrote:

I've seen numerous discussions about updating the ipfilter (and pfil) in the release version of Solaris 10. But, I don't recall seeing *why* people were doing it.

From my experience: it starts to "leak" internal addresses on the external interface when you NAT. Or, to put it differently, it stops NATing and just forwards packets. Slowly over time it shifts from 100% NATing OK to 0%, where nothing works. It is more noticeable the more clients you have. We have around 1600 PCs on the internal networks, and it took about 4 hours to be NATing only 80% of packets.


traceroute did not work, but ping did (with NATing).


  Is there a known flaw or deficiency in the 4.0.2 (which Darren
notes is actually closer to 4.1) that ships with the release
version of Solaris 10?  Is there a security problem?  Just new
features added?

If you have a small installation, it will probably do you well. You can unload and reload the kernel module to clear the above NAT issues. But it is frustrating in that it is a gradual, "random" failure, not a brick wall, so it is hard to decide /when/ to reload it.


There was unfortunately no option for us with Solaris 10; we had to go without Sun's support, but the current version we run now (pfil-4.16, ipfil-4.1.6) has been just perfect (touch wood).

   9:44am  up 48 day(s), 17:42,  1 user,  load average: 0.00, 0.00, 0.00

ipnat -s
mapped  in      1799097909      out     1649060746
added   88576312        expired 0
no memory       0       bad nat 275624
inuse   2714
rules   9
wilds   0


The new box, which is of similar spec to the old one, is almost permanently on load average 0, whereas the old Sol8+ipf3.2.22 box was always at 2+.



  Perhaps Darren is the best person to answer this, but if anyone
else knows what the pros and cons are of doing this, I'd
love to hear details.

Hope it helps more than being noise.

Lund


-- 
Jorgen Lundman       | <[EMAIL PROTECTED]>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500 (cell)
Japan                | +81 (0)3 -3375-1767 (home)

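As an added illustration, not part of the thread and not ipfilter's own code: a small Python script that measures the symptom Lund describes, outbound packets on the external interface that still carry an internal (RFC 1918) source address instead of the public NAT address, and that parses `ipnat -s` counters of the form quoted above. The packet summary lines are constructed, in a simplified `src -> dst ...` one-line form rather than real snoop or tcpdump output; the public address 203.0.113.10 and the 95% "reload" threshold are assumptions chosen for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of packet summaries captured on the *external* interface,
# in a simplified "src -> dst ..." one-line form (not real snoop/tcpdump output).
# With NAT working, every outbound packet should carry the public address.
EXTERNAL_CAPTURE = """\
203.0.113.10 -> 198.51.100.7 TCP D=80 S=40001 Syn
203.0.113.10 -> 198.51.100.7 TCP D=443 S=40002 Syn
192.168.1.55 -> 198.51.100.7 TCP D=80 S=40003 Syn
203.0.113.10 -> 198.51.100.9 UDP D=53 S=40004
10.20.30.40 -> 198.51.100.9 UDP D=53 S=40005
198.51.100.7 -> 203.0.113.10 TCP D=40001 S=80 Syn Ack
"""

# The ipnat -s counters quoted in the thread, used here as parser input.
IPNAT_S_OUTPUT = """\
mapped  in      1799097909      out     1649060746
added   88576312        expired 0
no memory       0       bad nat 275624
inuse   2714
rules   9
wilds   0
"""

EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")  # assumed public NAT address

# Explicit RFC 1918 ranges. ipaddress's is_private also covers documentation
# ranges such as 203.0.113.0/24, which would misclassify our sample addresses.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^\s*(\S+)\s+->\s+(\S+)")


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918_NETS)


def nat_leak_report(capture_text, external_ip):
    """Classify outbound packets seen on the external interface.

    Returns the number of packets that were translated (source is the public
    address), the number that leaked (source is still an RFC 1918 address),
    the resulting NAT percentage, and which internal hosts leaked.
    """
    translated = leaked = 0
    leaked_sources = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # not an IP summary line
        if dst == external_ip:
            continue  # inbound packet addressed to us; irrelevant to outbound NAT
        if src == external_ip:
            translated += 1
        elif is_rfc1918(src):
            leaked += 1
            leaked_sources[str(src)] += 1
    total = translated + leaked
    pct = 100.0 * translated / total if total else 100.0
    return {"translated": translated, "leaked": leaked,
            "nat_pct": pct, "leaked_sources": dict(leaked_sources)}


def parse_ipnat_stats(text):
    """Turn `ipnat -s` output into {counter_name: value}.

    Each line holds one or more "name words... number" pairs; the words before
    each number become the key (e.g. "mapped in", "bad nat", "inuse"). The
    second pair on the 'mapped' line is keyed "mapped out" for clarity.
    """
    stats = {}
    for line in text.splitlines():
        words = []
        for tok in line.split():
            if tok.isdigit():
                key = " ".join(words)
                if key == "out":
                    key = "mapped out"
                stats[key] = int(tok)
                words = []
            else:
                words.append(tok)
    return stats


def should_reload(report, min_nat_pct=95.0):
    """Flag the gradual failure once the NAT percentage drops below a
    threshold (an assumed operational choice, not something from the thread)."""
    return report["nat_pct"] < min_nat_pct


if __name__ == "__main__":
    report = nat_leak_report(EXTERNAL_CAPTURE, EXTERNAL_IP)
    stats = parse_ipnat_stats(IPNAT_S_OUTPUT)
    print("NAT %.1f%%, leaked from: %s" % (report["nat_pct"], report["leaked_sources"]))
    print("bad nat: %d, sessions in use: %d" % (stats["bad nat"], stats["inuse"]))
    print("reload recommended:", should_reload(report))
```

Run periodically against a short capture on the outside interface, the NAT percentage gives the concrete "when to reload" signal the post says was hard to judge by eye; the parsed `ipnat -s` counters can be sampled alongside it so that a reload decision and the counter values at that moment are recorded together.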