Interfaces

bge0 off
bge1 Internet pppoe
sppp0 dynamic address
bge3 192.168.128.1
bge3:1 10.0.1.1

I have tried to get out from both the 10.0.1 subnet and the 192.168.128 subnet. In both cases the data goes out but does not translate.



[EMAIL PROTECTED] # cat ipf.conf
## ipf.conf - config file for ipfilter
##
## This is a very simple set of rulesets for a single machine's
## firewall.  It will only drop packets, not actively respond to
## probes.  Uncomment out the services you wish to use.
##
## Last revised 15 Feb 2002 - m-woo
##
## pass all local traffic
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on bge0 all
pass out quick on bge0 all
pass in quick on bge1 all
pass out quick on bge1 all
pass in quick on bge3 all
pass out quick on bge3 all
##
## block inbound traffic from a particular IP on a particular port
#block in quick on sppp0 from <IP #> to any port = <port #>
##
## block all inbound/outbound traffic that doesn't comply with rules below
## the first rule logs to the daemon.notice syslog event level
#block in log level daemon.notice all
block in all
block out all
##
## pass all inbound tcp, udp, icmp traffic from x.x.x.x with state
## substitute host address for x.x.x.x
#pass in quick on sppp0 proto tcp from x.x.x.x to any keep state
#pass in quick on sppp0 proto udp from x.x.x.x to any keep state
#pass in quick on sppp0 proto icmp from x.x.x.x to any keep state
#Block traffic for specific hosts
block out quick on sppp0 from 192.168.3.8 to any

##
## pass inbound echo request
#pass in quick on sppp0 proto icmp from any to any icmp-type 8
##
## pass inbound identd requests
#pass in quick on sppp0 proto tcp from any to any port = 113 flags S keep state
##
## pass inbound smtp
#pass in quick on sppp0 proto tcp from any to any port = 25 flags S keep state
##
## pass inbound ssh
pass in quick on sppp0 proto tcp from any to any port = 22 flags S keep state
##
## pass inbound http and https
#pass in quick on sppp0 proto tcp from any to any port = 80 flags S keep state
#pass in quick on sppp0 proto tcp from any to any port = 443 flags S keep state
##
## pass inbound active ftp
pass in quick on sppp0 proto tcp from any to any port = 21 flags S keep state
##
## pass inbound passive ftp using unprivileged ports in range 15000-16000 only
## this requires that the ftp daemon be configured to use that range only
#pass in quick proto tcp from any to any port 15000 >< 16000 flags S keep state
##
## pass inbound telnet
pass in quick on sppp0 proto tcp from any to any port = 23 flags S keep state
##
## pass inbound NFS requests
## you will have to determine how to allow connection to mountd
#pass in quick on sppp0 proto tcp from any to any port = 2049 flags S keep state
#pass in quick on sppp0 proto udp from any to any port = 2049 keep state
##
## pass inbound lpd requests
#pass in quick on sppp0 proto tcp from any to any port = 515 flags S keep state
##
## pass all outbound tcp, udp, icmp traffic with state
pass out quick on sppp0 proto tcp from any to any keep state keep frags
pass out quick on sppp0 proto udp from any to any keep state keep frags
pass out quick on sppp0 proto icmp from any to any keep state
##
## end of ipfilter ruleset


------------------------------------------------------------------------ ------------------------

[EMAIL PROTECTED] # cat ipnat.conf
# minimal ipnat rule for allowing active ftp client
#

map sppp0 192.168.128.0/24 -> 0/32 proxy port 21 ftp/tcp
map sppp0 192.168.128.0/24 -> 0/32 portmap tcp/udp 10000:40000
map sppp0 192.168.128.0/24 -> 0/32
[EMAIL PROTECTED] #

On 26-Oct-05, at 3:23 AM, Phil Dibowitz wrote:

Murray Thomson wrote:

I am using a sun v210 with the pre-compiled binary of ipfilter for
Solaris 9 - v 3.4.32-Sol9


When I set it up the NAT worked OK. Some complaints about it being
slow. So I upgraded it to 4.1.9 and it won't nat. The packets go out to
the internet untranslated.

It is going out over a ppp interface exactly like before. I ran into
this with Sunscreen where it failed to translate over virtual (pppoe)
interfaces.

Is there a known problem with newer version of ipfilter or is there a
different way to make the configuration files that I am not aware of?


Please at least post your ruleset for both ipnat and ipf... or
alternatively see:

http://www.phildev.net/ipf/IPFmail.html#mail3

Which should give you a list of things to post to make it easier for us
to diagnose your issue.

--
Phil Dibowitz                             [EMAIL PROTECTED]
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"Be who you are and say what you feel, because those who mind don't
matter and those who matter don't mind."
 - Dr. Suess
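
An added example, not part of the original post or of IPFilter: a Python check of which inside source addresses from the interface list above are covered by the posted `map` rules on `sppp0`. It handles only the `map <if> <cidr> -> ...` form used in this ipnat.conf, and the function names are hypothetical.

```python
import ipaddress

# ipnat.conf map rules copied from the post above.
IPNAT_CONF = """\
# minimal ipnat rule for allowing active ftp client
map sppp0 192.168.128.0/24 -> 0/32 proxy port 21 ftp/tcp
map sppp0 192.168.128.0/24 -> 0/32 portmap tcp/udp 10000:40000
map sppp0 192.168.128.0/24 -> 0/32
"""

# Inside addresses from the post's interface list (bge3 and its alias bge3:1).
INSIDE = {"bge3": "192.168.128.1", "bge3:1": "10.0.1.1"}


def parse_map_rules(text):
    """Return (interface, source_network, target_and_options) per 'map' rule."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "map" or fields[3] != "->":
            continue  # comment, blank line, or a rule form not handled here
        try:
            src = ipaddress.ip_network(fields[2], strict=False)
        except ValueError:
            continue  # source not written as a plain CIDR block
        rules.append((fields[1], src, " ".join(fields[4:])))
    return rules


def first_match(rules, out_if, src_ip):
    """1-based index of the first map rule on out_if whose source covers src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for number, (ifname, net, _rest) in enumerate(rules, start=1):
        if ifname == out_if and addr in net:
            return number
    return None  # no rule matches: the packet would leave untranslated


def coverage(rules, out_if, inside):
    """Map each inside interface name to the rule number that translates it."""
    return {name: first_match(rules, out_if, ip) for name, ip in inside.items()}


if __name__ == "__main__":
    for name, rule in coverage(parse_map_rules(IPNAT_CONF), "sppp0", INSIDE).items():
        state = f"matched by map rule {rule}" if rule else "not matched by any map rule"
        print(f"{name} ({INSIDE[name]}): {state}")
```

Against the posted rules this reports 192.168.128.1 as matched by the first map rule and 10.0.1.1 as matched by none.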


