I tried removing ipfilter and installing the precompiled binary, which is where I am now. I am using version 3.4.32.

This one is weirder. It NATs, but only certain web sites get through. google.ca comes through but yahoo.com does not. What seems a bit interesting is that the sites that seem to get through are ones that were previously visited by a browser directly on the Sun server through a Sunray. In other words, if I use a browser on the Sun and get to a web site, it seems that I can get to that site from a PC routed through the Sun. I'll have to test that when I go out there tomorrow.

On ipfilter 4.1.9 no packets were dropped, but it wouldn't NAT at all.

Also at another location I installed ipfilter 3.4.32 from package the same way I did here and it works fine.

What do you think?


[EMAIL PROTECTED] # uname -a
SunOS burlsun 5.9 Generic_117171-07 sun4u sparc SUNW,Sun-Fire-V210
[EMAIL PROTECTED] # isainfo -vk
64-bit sparcv9 kernel modules

Below

bge0 is local net
bge1 is the interface for the internet
bge3 is the interface for a sunray net.
sppp0 is the internet virtual interface connected over bge1



[EMAIL PROTECTED] # ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 4
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.0.1.1 netmask ffffff00 broadcast 10.0.1.255
        ether 0:3:ba:c9:89:b9
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 6
        inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
        ether 0:3:ba:c9:89:ba
bge3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
        inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
        ether 0:3:ba:c9:89:bc
sppp0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1492 index 9
        inet 69.158.81.212 --> 64.230.197.205 netmask ff000000
        ether 0:0:0:0:0:0
[EMAIL PROTECTED] # netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
64.230.197.205       69.158.81.212        UH        1      3  sppp0
192.168.128.0        192.168.128.1        U         1     21  bge3
10.0.1.0             10.0.1.1             U         1      8  bge0
224.0.0.0            10.0.1.1             U         1      0  bge0
default              64.230.197.205       UG        1      4
127.0.0.1            127.0.0.1            UH       34  81564  lo0
[EMAIL PROTECTED] # netstat -s -P ip

IPv4    ipForwarding        =     1     ipDefaultTTL        =   255
        ipInReceives        = 75564     ipInHdrErrors       =     0
        ipInAddrErrors      =     0     ipInCksumErrs       =     0
        ipForwDatagrams     =   809     ipForwProhibits     =     0
        ipInUnknownProtos   =    29     ipInDiscards        =     0
        ipInDelivers        =165647     ipOutRequests       = 60972
        ipOutDiscards       =     0     ipOutNoRoutes       =    39
        ipReasmTimeout      =    60     ipReasmReqds        =     0
        ipReasmOKs          =     0     ipReasmFails        =     0
        ipReasmDuplicates   =     0     ipReasmPartDups     =     0
        ipFragOKs           =     0     ipFragFails         =     0
        ipFragCreates       =     0     ipRoutingDiscards   =     0
        tcpInErrs           =     0     udpNoPorts          =    30
        udpInCksumErrs      =     0     udpInOverflows      =     0
        rawipInOverflows    =     0     ipsecInSucceeded    = 87889
        ipsecInFailed       =     0     ipInIPv6            =     0
        ipOutIPv6           =     0     ipOutSwitchIPv6     =    38

[EMAIL PROTECTED] # ipf -V
ipf: IP Filter: v3.4.32 (496)
Kernel: IP Filter: v3.4.32
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1

[EMAIL PROTECTED] # ipfstat
dropped packets:        in 0    out 0
non-data packets:       in 7    out 2
no-data packets:        in 0    out 0
non-ip packets:         in 0    out 0
   bad packets:         in 0    out 0
copied messages:        in 5    out 3548
IPv6 packets:          in 0 out 0
input packets:          blocked 1273 passed 67325 nomatch 0 counted 0 short 0
output packets:         blocked 0 passed 52237 nomatch 0 counted 0 short 0
input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
packets logged:        input 0 output 0
log failures:          input 0 output 0
fragment state(in):     kept 2  lost 0
fragment state(out):    kept 2  lost 0
packet state(in):       kept 3  lost 0
packet state(out):      kept 28 lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  52757   (out):  32191
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  16      failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
Packet log flags set: (0)
        none


[EMAIL PROTECTED] # ipfstat -io
pass out quick on lo0 from any to any
pass out quick on bge0 from any to any
pass out quick on bge1 from any to any
pass out quick on bge3 from any to any
block out from any to any
pass out quick on sppp0 proto tcp from any to any keep state keep frags
pass out quick on sppp0 proto udp from any to any keep state keep frags
pass out quick on sppp0 proto icmp from any to any keep state
pass in quick on lo0 from any to any
pass in quick on bge0 from any to any
pass in quick on bge1 from any to any
pass in quick on bge3 from any to any
block in from any to any
pass in quick on sppp0 proto tcp from any to any port = 22 flags S/ FSRPAU keep state
pass in quick on sppp0 proto tcp from any to any port = 21 flags S/ FSRPAU keep state
pass in quick on sppp0 proto tcp from any to any port = 23 flags S/ FSRPAU keep state
[EMAIL PROTECTED] # ipnat -slv
mapped  in      441     out     317
added   16      expired 16
no memory       0       bad nat 0
inuse   0
rules   3
wilds   0
table ffffffff7ffffb30 list 30000060548
List of active MAP/Redirect filters:
map sppp0 10.0.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 10.0.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map sppp0 10.0.1.0/24 -> 0.0.0.0/32

List of active sessions:

List of active host mappings:
[EMAIL PROTECTED] #

[EMAIL PROTECTED] # cat /etc/opt/ipf/ipf.conf
## ipf.conf - config file for ipfilter
##
## This is a very simple set of rulesets for a single machine's
## firewall.  It will only drop packets, not actively respond to
## probes.  Uncomment out the services you wish to use.
##
## Last revised 15 Feb 2002 - m-woo
##
## pass all local traffic
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on bge0 all
pass out quick on bge0 all
pass in quick on bge1 all
pass out quick on bge1 all
pass in quick on bge3 all
pass out quick on bge3 all
##
## block inbound traffic from a particular IP on a particular port
#block in quick on sppp0 from <IP #> to any port = <port #>
##
## block all inbound/outbound traffic that doesn't comply with rules below
## the first rule logs to the daemon.notice syslog event level
#block in log level daemon.notice all
block in all
block out all
##
## pass all inbound tcp, udp, icmp traffic from x.x.x.x with state
## substitute host address for x.x.x.x
#pass in quick on sppp0 proto tcp from x.x.x.x to any keep state
#pass in quick on sppp0 proto udp from x.x.x.x to any keep state
#pass in quick on sppp0 proto icmp from x.x.x.x to any keep state
##
## pass inbound echo request
#pass in quick on sppp0 proto icmp from any to any icmp-type 8
##
## pass inbound identd requests
#pass in quick on sppp0 proto tcp from any to any port = 113 flags S keep state
##
## pass inbound smtp
#pass in quick on sppp0 proto tcp from any to any port = 25 flags S keep state
##
## pass inbound ssh
pass in quick on sppp0 proto tcp from any to any port = 22 flags S keep state
##
## pass inbound http and https
#pass in quick on sppp0 proto tcp from any to any port = 80 flags S keep state
#pass in quick on sppp0 proto tcp from any to any port = 443 flags S keep state
##
## pass inbound active ftp
pass in quick on sppp0 proto tcp from any to any port = 21 flags S keep state
##
## pass inbound passive ftp using unprivileged ports in range 15000-16000 only
## this requires that the ftp daemon be configured to use that range only
#pass in quick proto tcp from any to any port 15000 >< 16000 flags S keep state
##
## pass inbound telnet
pass in quick on sppp0 proto tcp from any to any port = 23 flags S keep state
##
## pass inbound NFS requests
## you will have to determine how to allow connection to mountd
#pass in quick on sppp0 proto tcp from any to any port = 2049 flags S keep state
#pass in quick on sppp0 proto udp from any to any port = 2049 keep state
##
## pass inbound lpd requests
#pass in quick on sppp0 proto tcp from any to any port = 515 flags S keep state
##
## pass all outbound tcp, udp, icmp traffic with state
pass out quick on sppp0 proto tcp from any to any keep state keep frags
pass out quick on sppp0 proto udp from any to any keep state keep frags
pass out quick on sppp0 proto icmp from any to any keep state
##
## end of ipfilter ruleset
[EMAIL PROTECTED] # bash
[EMAIL PROTECTED] # cat /etc/opt/ipf/ipnat.conf
# minimal ipnat rule for allowing active ftp client
#
#map sppp0 0/0 -> 0/32 proxy port 21 ftp/tcp
map sppp0 10.0.1.0/24 -> 0/32 proxy port 21 ftp/tcp
map sppp0 10.0.1.0/24 -> 0/32 portmap tcp/udp auto
map sppp0 10.0.1.0/24 -> 0/32
[EMAIL PROTECTED] #



On 26-Oct-05, at 3:23 AM, Phil Dibowitz wrote:

Murray Thomson wrote:

I am using a sun v210 with the pre-compiled binary of ipfilter for
Solaris 9 - v 3.4.32-Sol9


When I set it up the NAT worked OK. Some complaints about it being
slow. So I upgraded it to 4.1.9 and it won't NAT. The packets go out to
the internet untranslated.

It is going out over a ppp interface exactly like before. I ran into
this with Sunscreen where it failed to translate over virtual (pppoe)
interfaces.

Is there a known problem with newer versions of ipfilter, or is there a
different way to make the configuration files that I am not aware of?


Please at least post your ruleset for both ipnat and ipf... or
alternatively see:

http://www.phildev.net/ipf/IPFmail.html#mail3

Which should give you a list of things to post to make it easier for us
to diagnose your issue.

--
Phil Dibowitz                             [EMAIL PROTECTED]
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"Be who you are and say what you feel, because those who mind don't
matter and those who matter don't mind."
 - Dr. Suess
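An added example, not part of the thread or of ipfilter itself: a small evaluator that applies ipf's rule semantics (the last matching rule wins unless a matching rule says `quick`, and the base policy is "pass all" as the `ipf -V` output above shows) to packets on sppp0. The rule list is a constructed copy of the sppp0 rules from the `ipfstat -io` listing; the state table (`keep state`) is not modelled, so it only answers what the static rules say about a fresh packet.

```python
import re

# Grammar covers only the clauses in the post's `ipfstat -io` listing (assumption);
# 'keep state' / 'keep frags' are ignored because the state table is not modelled.
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?P<quick> quick)?"
    r"(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<port>\d+))?(?: flags (?P<flags>\S+))?")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsed rule: " + line)
    r = m.groupdict()
    r["quick"] = r["quick"] is not None
    r["port"] = int(r["port"]) if r["port"] else None
    return r

def rule_matches(rule, pkt):
    """pkt keys: dir, iface, proto, dport, flags (addresses are 'any' throughout)."""
    if rule["dir"] != pkt["dir"] or (rule["iface"] and rule["iface"] != pkt["iface"]):
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt.get("dport"):
        return False
    if rule["flags"]:  # 'S/FSRPAU': of the FSRPAU bits, exactly S must be set
        want, _, mask = rule["flags"].partition("/")
        if {f for f in pkt.get("flags", "") if f in (mask or "FSRPAU")} != set(want):
            return False
    return True

def decide(rules, pkt, default="pass"):
    """ipf semantics: last match wins unless a match is 'quick'; default 'pass all'."""
    verdict = default
    for r in rules:
        if rule_matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

# Constructed copy of the sppp0 rules from the post (lo0/bge rules left out).
POST_RULES = [parse_rule(l) for l in """
block out from any to any
pass out quick on sppp0 proto tcp from any to any keep state keep frags
pass out quick on sppp0 proto udp from any to any keep state keep frags
pass out quick on sppp0 proto icmp from any to any keep state
block in from any to any
pass in quick on sppp0 proto tcp from any to any port = 22 flags S/FSRPAU keep state
""".strip().splitlines()]
```

Running `decide(POST_RULES, ...)` shows why the non-quick `block out` line is harmless for tcp/udp/icmp (a later `pass out quick` overrides it) but still blocks any other protocol leaving sppp0, and that an inbound packet to port 22 only passes the static rules when it is a bare SYN.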


