Hi,

We're running ipfilter v3.4.35 on Solaris 9. The other day we noted some extremely odd behavior, where the device (applications, OS, and ipfilter) appeared to be working normally, except that traffic from one host in particular was not being seen by the box. It's possible the issue was completely non-ipfilter related, but it makes me scratch my head as to what was going on...

Here's the system setup and a breakdown of what we saw:

Server_A is running:

    server_A:/# ipf -V
    ipf: IP Filter: v3.4.35 (496)
    Kernel: IP Filter: v3.4.35

1) Using snoop on client A, DHCP lease queries were verified to be leaving Client A destined for server_A.
2) Using snoop on server_A, DHCP traffic was seen from all other clients but not from client A.
3) Non-DHCP traffic from client A was seen via snoop on server_A, just not the DHCP lease query traffic. (Pings, ssh, etc.)
4) Server A's DHCP application logs were checked, and no errors were seen.
5) Unloading (stopping) ipfilters on server_A executed successfully; however, client A's lease query traffic _still_ wasn't seen on the device.

Here's the weird, weird, weird part: With ipfilters stopped on server_A (using /etc/init.d/ipfboot stop), snoop still did not see the DHCP traffic from client A. Upon stopping and restarting server_A's DHCP application, traffic was immediately seen by snoop, and the application worked as normal.

I verified on server that even if ipfilters is dropping a given packet, that packet is still "seen" by snoop, so something odd was definitely happening on this system.

I verified with the application vendor that the DHCP application does not (to the best of their knowledge) have any unusual stack calls, nor any specific network drivers/etc.; it supposedly just uses regular sockets.

Any ideas or experience seeing this type of behavior? Where does snoop "fit" into the order of packet processing in relation to ipfilter? Any idea how/why/if an application error could "hide" network traffic from snoop?

Thanks,
Bill Sweeney

The power of accurate observation is commonly called cynicism by those who have not got it. ~George Bernard Shaw
