Scott,
I remember that I finally found pfil-2.1.7 by connecting to the
following:
ftp://coombs.anu.edu.au/pub/net/ip-filter/
I just did this again and all I see there now besides the ipfilter
versions is pfil-2.1.6.tar.gz and pfil-2.1.tar.gz. 2.1.7 is not
there. Why not package pfil and ipfilter into the same tarball?
BTW, I'll throw out that I had a production Solaris 10 box out
of service for a few days, so I removed pfil 2.1.6 and ipfilter
4.1.8 and installed 2.1.7/4.1.10. I couldn't get the box to do
much networkwise. It was real secure! :) I rolled back to
4.1.8 (leaving pfil 2.1.7) and it started acting right again.
I know this is a vague complaint (4.1.9 would just hang the
box, a Sun V210) but that is all I can report now. I had to
get the V210 back into production.
I'm installing Solaris 10 onto an old Ultra 5 for a test box;
I hope to report more in a few days.
Jeff Earickson
Colby College
On Wed, 14 Dec 2005, Scott Walker wrote:
Date: Wed, 14 Dec 2005 12:46:09 -0400
From: Scott Walker <[EMAIL PROTECTED]>
To: Jeff A. Earickson <[EMAIL PROTECTED]>
Subject: Re: IPFilter 4.1.10
Where did you manage to find it?
Jeff A. Earickson wrote:
Never mind, I found it... Could pfil be placed in the same
directory as ipfilter please?
On Thu, 8 Dec 2005, Jeff A. Earickson wrote:
Date: Thu, 8 Dec 2005 09:55:53 -0500 (EST)
From: Jeff A. Earickson <[EMAIL PROTECTED]>
To: Darren Reed <[EMAIL PROTECTED]>
Cc: [email protected]
Subject: Re: IPFilter 4.1.10
Darren,
Is there a new version of pfil? I remember a mention of pfil-2.1.7
on the list a while back, but all I find on avalon is 2.1.6. Which
version of pfil should we use with 4.1.10?
Jeff Earickson
Colby College
On Thu, 8 Dec 2005, Darren Reed wrote:
Date: Thu, 8 Dec 2005 21:23:20 +1100 (EST)
From: Darren Reed <[EMAIL PROTECTED]>
To: [email protected]
Subject: IPFilter 4.1.10
There are a couple of significant changes between 4.1.9 and 4.1.10.
Firstly, after spending some time with gcov, I've taken steps to expand
the number of lines of code that the test suite covers. I'll continue
to work on expanding the coverage here until I'm satisfied that as much
of the code can be tested with ipftest as possible.
Next, there have been some problems on Solaris with sending TCP RST
and ICMP packets back, causing panics due to bad use of locks. These
problems have been licked.
Lastly, I've spent some time closely analysing packet traces from
situations where TCP out of window (OOW) packets have been resulting
in RSTs being sent and the connections closed. As noted in an earlier
email, there have been two contributors to this: window scaling being
incorrectly turned off and bugs in Microsoft Windows XP/2000's TCP,
especially SACK. My advice is that if you're having problems with
"keep state" and TCP data transfers with Windows, disable SACK. To
reduce the problem, RST packets are no longer sent if a packet is OOW,
the offender will just be dropped.
Of course there are other changes and bug fixes, including those
posted to this list - see below for a bigger summary.
http://coombs.anu.edu.au/~avalon/ip_fil4.1.10.tar.gz
MD5 (ip_fil4.1.10.tar.gz) = 6d00cb091ba047738d2c14a23b3020ed
MD5 (patch-4.1.10.gz) = b0bf95ffdbae2a3d877aadb214f68a97
Darren
4.1.10 - Released 6 December 2005
Expand regression testing to cover more features
Add "coverage" build target for BSD
Fix building 64bit sparc target for Solaris
Add IPv6 mobility header to list of accepted keywords for V6 headers
Resolve locking problems on Solaris when sending RST/icmp packets
#ifdef's for IPFILTER_BPF need to check if words are defined before
using them in comparisons
Add checking for SACK permitted option in TCP SYN packets
Fix loading anonymous pools from inline rule configuration groups
Add -C command line option to ipftest
Include extra "const" from NetBSD
Don't require SIOCKSTLCK for SIOCSTPUT
Fix some use of "sticky" on NAT rules
Fix statistical counting of deleting state for TCP connections
Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
Fix TCP out-of-window (OOW) problems:
- window scaling turned off if one chose for its scale factor
- Microsoft Windows TCP sends the "next packet" to the right of the
  window when using SACK and filling in a hole
4.1.9 - Released 13 August 2005