Hans Werner Strube wrote:

> Last week I ported our firewall (working as a transparent router with special
> proxyarp daemons on both interfaces) using IPF 3.4.35 from a Solaris 7_x86 PC
> to a Solaris 9 Sun Fire V210 (64 bit only)
> ...
> Whereas this has always worked on the PC, now no FTP packets are passed
> in either direction.
> ...
Some new result: When I try an ftp connection from the firewall machine itself to an outer server, the FTP proxy works! For this purpose, I had to add a rule to allow FTP out from the outer interface (bge1) of the firewall. The ipf.conf, as far as relevant here, looks like

    block in  log quick on bge1 all head 100   # from outer net
    block out log quick on bge1 all head 150   # to outer net
    block in  log quick on bge0 all head 200   # from inner net
    block out log quick on bge0 all head 250   # to inner net
    block in (... some nasty ports ...) group 200
    pass in quick proto tcp from any to !FIREWALL/31 flags S keep state group 200

The added rule is then

    pass out quick proto tcp from FIREWALL/31 to any port = 21 flags S keep state group 150

The ipnat rule is again

    map bge1 0.0.0.0/0 -> 0.0.0.0/0 proxy port ftp ftp/tcp

However, I did not manage to get a connection from the inner net through to bge1, which never failed on the PC with an equivalent configuration. Any other behaviour of the firewall is just as good as it was on the PC. (Sorry, I cannot do more experiments because of vacations during the next 3 weeks.)
