I have used ipfilter on Solaris for almost 10 years now. And I always did it myself, when Sun was not
supporting it, suggesting commercial software instead.
I was happy to find that at last Sun went down the same path as mine, choosing ipfilter on its great new OS.
At first I installed Solaris 10 as is, and used the contained ipfilter package.

Now, I'm patching all my customers' machines by removing the original package and substituting it with Darren's latest one.
Why? Because I faced a bug in NAT management, and my customers' machines appeared to slow down the connections, as compared to the Solaris 8 + ipfilter package they had before.
To have the patch for this problem, Sun no longer lets you download them freely (at least not all of them), and ipfilter seems to be one of the not-free-to-download-patch programs.

I could build the new packages for every platform (sparcv9, x86, x64).
The x64 build was a pain, but I found the solution.
I posted it on this list, but if anyone lost my email and ever needs to rebuild for amd64, contact me. ;)

Gabriele.

Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com



----------------------------------------------------------------------------------

From: Damon Register <[EMAIL PROTECTED]>
To: [email protected]
Date: 18 January 2006 2.20.34 CET
Subject: Re: Solaris 10+ipfilter how-to (revised)

Jeff A. Earickson wrote:
> The Pros of replacing Sun ipfilter with Darren's latest:
> 1) You get the latest bug fixes and features of ipfilter.
I guess that makes sense

> 2) You help humanity by testing the latest version of ipfilter.
but then you might help humanity (at least me :-) ) by getting
the Solaris version to work

> 3) You get the collected beauty and wisdom of this list.
can't argue that

> 4) You don't have to hassle with Sun support for ipfilter.
Looks like I will have to do that. The main reason I got the
Ultra20 with Solaris 10 is for learning. I am told by a
sysadmin at work that Solaris 10 is gaining popularity. Since
I am now in a group that is almost all Solaris, I need to
learn more. While going with the public version would get me
more help from the list, I would really like to learn as much
as I can about the Solaris 10 way of doing things. From what
I have seen so far, Solaris 10 seems quite nice and possibly
even easier.

> 3) The list may not be able to help you with your problem.
I am coming to that conclusion. Perhaps if I ever get this
figured out, I can help someone else

> I run version 4.1.8 on my Solaris 10 boxes with either pfil 2.1.6 or
I don't even know what version came with my Ultra20

> use as a test box with 4.1.9/10. 4.1.9 would hang the system. With
> 4.1.10 I got mysterious reboots. Then I had to put the V210 into
That doesn't sound good

> production. 4.1.8 is rock solid on my V210 and V490 systems, so that's
I will definitely keep that in mind

Do you or anyone reading this have experience with both the
Solaris 10 way and the public version? When I first started
messing with this, I was trying to use the output of fwbuilder
but I found that is for Solaris 9 and I am wondering if I
messed up what I have in the process. I notice that both
svcadm enable ipfilter
and
ipf -E
seem to do something but is that only because ipfilter is still
ipfilter even though it is tailored for Solaris 10?
http://www.rite-group.com/consulting/solaris_nat.html
gives some Solaris 10 advice but I can't even get the simple
NAT example working.

Damon Register


