I am running pfil 2.17 and ipfilter 4.1.0 on an Ultra 5 with Solaris 10 for about 1 week without problems.
Regards,
Horst Simon

On Thu, 15 Dec 2005 08:37 am, Jeff A. Earickson wrote:
> Scott,
>
> I remember that I finally found pfil-2.1.7 by connecting to the
> following:
>
> ftp://coombs.anu.edu.au/pub/net/ip-filter/
>
> I just did this again and all I see there now besides the ipfilter
> versions is pfil-2.1.6.tar.gz and pfil-2.1.tar.gz. 2.1.7 is not
> there. Why not package pfil and ipfilter into the same tarball?
>
> BTW, I'll throw out that I had a production Solaris 10 box out
> of service for a few days, so I removed pfil 2.1.6 and ipfilter
> 4.1.8 and installed 2.1.7/4.1.10. I couldn't get the box to do
> much networkwise. It was real secure! :) I rolled back to
> 4.1.8 (leaving pfil 2.1.7) and it started acting right again.
> I know this is a vague complaint (4.1.9 would just hang the
> box, a Sun V210) but that is all I can report now. I had to
> get the V210 back into production.
>
> I'm installing Solaris 10 onto an old Ultra 5 for a test box,
> I hope to report more in a few days.
>
> Jeff Earickson
> Colby College
>
> On Wed, 14 Dec 2005, Scott Walker wrote:
> > Date: Wed, 14 Dec 2005 12:46:09 -0400
> > From: Scott Walker <[EMAIL PROTECTED]>
> > To: Jeff A. Earickson <[EMAIL PROTECTED]>
> > Subject: Re: IPFilter 4.1.10
> >
> > Where did you manage to find it?
> >
> > Jeff A. Earickson wrote:
> >> Never mind, I found it... Could pfil be placed in the same
> >> directory as ipfilter please?
> >>
> >> On Thu, 8 Dec 2005, Jeff A. Earickson wrote:
> >>> Date: Thu, 8 Dec 2005 09:55:53 -0500 (EST)
> >>> From: Jeff A. Earickson <[EMAIL PROTECTED]>
> >>> To: Darren Reed <[EMAIL PROTECTED]>
> >>> Cc: [email protected]
> >>> Subject: Re: IPFilter 4.1.10
> >>>
> >>> Darren,
> >>>
> >>> Is there a new version of pfil? I remember a mention of pfil-2.1.7
> >>> on the list a while back, but all I find on avalon is 2.1.6. Which
> >>> version of pfil should we use with 4.1.10?
> >>>
> >>> Jeff Earickson
> >>> Colby College
> >>>
> >>> On Thu, 8 Dec 2005, Darren Reed wrote:
> >>>> Date: Thu, 8 Dec 2005 21:23:20 +1100 (EST)
> >>>> From: Darren Reed <[EMAIL PROTECTED]>
> >>>> To: [email protected]
> >>>> Subject: IPFilter 4.1.10
> >>>>
> >>>>
> >>>> There are a couple of significant changes between 4.1.9 and 4.1.10.
> >>>>
> >>>> Firstly, after spending some time with gcov, I've taken steps to
> >>>> expand the number of lines of code that the test suite covers. I'll
> >>>> continue to work on expanding the coverage here until I'm satisfied
> >>>> that as much of the code can be tested with ipftest as possible.
> >>>>
> >>>> Next, there have been some problems on Solaris with sending TCP RST
> >>>> and ICMP packets back, causing panics due to bad use of locks. These
> >>>> problems have been licked.
> >>>>
> >>>> Lastly, I've spent some time closely analysing packet traces from
> >>>> situations where TCP out of window (OOW) packets have been resulting
> >>>> in RSTs being sent and the connections closed. As noted in an earlier
> >>>> email, there have been two contributors to this: window scaling being
> >>>> incorrectly turned off and bugs in Microsoft Windows XP/2000's TCP,
> >>>> especially SACK. My advice is that if you're having problems with
> >>>> "keep state" and TCP data transfers with Windows, disable SACK. To
> >>>> reduce the problem, RST packets are no longer sent if a packet is OOW,
> >>>> the offender will just be dropped.
> >>>>
> >>>> Of course there are other changes and bug fixes, including those
> >>>> posted to this list - see below for a bigger summary.
> >>>>
> >>>> http://coombs.anu.edu.au/~avalon/ip_fil4.1.10.tar.gz
> >>>>
> >>>> MD5 (ip_fil4.1.10.tar.gz) = 6d00cb091ba047738d2c14a23b3020ed
> >>>> MD5 (patch-4.1.10.gz) = b0bf95ffdbae2a3d877aadb214f68a97
> >>>>
> >>>> Darren
> >>>>
> >>>> 4.1.10 - Released 6 December 2005
> >>>>
> >>>> Expand regression testing to cover more features
> >>>>
> >>>> Add "coverage" build target for BSD
> >>>>
> >>>> Fix building 64bit sparc target for Solaris
> >>>>
> >>>> Add IPv6 mobility header to list of accepted keywords for V6 headers
> >>>>
> >>>> Resolve locking problems on Solaris when sending RST/icmp packets
> >>>>
> >>>> #ifdef's for IPFILTER_BPF need to check if words are defined before
> >>>> using them in comparisons
> >>>>
> >>>> Add checking for SACK permitted option in TCP SYN packets
> >>>>
> >>>> Fix loading anonymous pools from inline rule configuration groups
> >>>>
> >>>> Add -C command line option to ipftest
> >>>>
> >>>> Include extra "const" from NetBSD
> >>>>
> >>>> Don't require SIOCKSTLCK for SIOCSTPUT
> >>>>
> >>>> Fix some use of "sticky" on NAT rules
> >>>>
> >>>> Fix statistical counting of deleting state for TCP connections
> >>>>
> >>>> Fix compile problems caused by changes to is_opt/is_optmsk in
> >>>> ip_sync.c
> >>>>
> >>>> Fix TCP out-of-window (OOW) problems:
> >>>> - window scaling turned off if one chose for its scale factor
> >>>> - Microsoft Windows TCP sends the "next packet" to the right of the
> >>>> window
> >>>> when using SACK and filling in a hole
> >>>>
> >>>> 4.1.9 - Released 13 August 2005
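
The announcement quoted above ties out-of-window drops to window scaling being switched off incorrectly and adds a check for the SACK-permitted option in SYN packets. The following is an added example, not IPFilter code and not part of the thread: it shows how a stateful filter can read both options from a SYN and derive the window it must allow, following RFC 7323 semantics. The struct, function names and option bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct syn_opts {          /* hypothetical name: per-SYN option summary */
    int wscale_offered;    /* kind 3 seen, even with shift 0 */
    uint8_t wscale_shift;  /* shift count, capped at 14 (RFC 7323) */
    int sack_permitted;    /* kind 4 seen */
};

/* Constructed SYN options: MSS 1460, NOP, WSCALE 0, NOP, NOP, SACK-permitted */
static const uint8_t CLIENT_SYN[] = {2,4,0x05,0xb4, 1, 3,3,0, 1,1, 4,2};
/* Constructed SYN-ACK options: MSS 1460, NOP, WSCALE 7 */
static const uint8_t SERVER_SYN[] = {2,4,0x05,0xb4, 1, 3,3,7};
static struct syn_opts client, server;

/* Walk TCP option bytes; returns 0 on success, -1 if malformed. */
int parse_syn_opts(const uint8_t *o, size_t len, struct syn_opts *out) {
    size_t i = 0;
    out->wscale_offered = out->sack_permitted = out->wscale_shift = 0;
    while (i < len && o[i] != 0) {            /* kind 0 = end of list */
        if (o[i] == 1) { i++; continue; }     /* kind 1 = NOP padding */
        if (i + 1 >= len || o[i + 1] < 2 || i + o[i + 1] > len)
            return -1;                        /* truncated or bad length */
        if (o[i] == 3 && o[i + 1] == 3) {
            out->wscale_offered = 1;
            out->wscale_shift = o[i + 2] > 14 ? 14 : o[i + 2];
        } else if (o[i] == 4 && o[i + 1] == 2) {
            out->sack_permitted = 1;
        }
        i += o[i + 1];
    }
    return 0;
}

/* Scaling is on only if both SYNs carried the option; a shift of 0 is still
 * an offer and must not switch scaling off for the peer's direction. */
uint32_t effective_window(uint16_t raw, const struct syn_opts *sender,
                          const struct syn_opts *peer) {
    int on = sender->wscale_offered && peer->wscale_offered;
    return on ? (uint32_t)raw << sender->wscale_shift : raw;
}

int main(void) {
    parse_syn_opts(CLIENT_SYN, sizeof CLIENT_SYN, &client);
    parse_syn_opts(SERVER_SYN, sizeof SERVER_SYN, &server);
    printf("server win 512 -> %u bytes, client SACK permitted: %d\n",
           (unsigned)effective_window(512, &server, &client),
           client.sack_permitted);
    return 0;
}
```

A filter that keyed on the shift value instead of on the presence of the option would compute 512 rather than 65536 for the server's window here and would judge in-window segments to be out of window.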
