Hello,

I've tried searching the list, but it's impossible to search for
'Solaris 10' as the 10 gets excluded regardless.  Anyway, we are porting
some systems over to new hardware and management figures we should now
use Sun's version due to contract issues.  But it's not working and we
are getting nowhere with them.  Note that the same ruleset works well under
Solaris 8, 9 and ipf 4.1.10

We have a Cisco Pix that does a static NAT.  (ie one to one static fixed
translation, no port mangling/forwarding)  We took all ACLs out,
basically putting the box on the edge.  We configured IPFilter with a
simple ruleset to allow SSH and telnet.  Still it blocks external
traffic, when it has no problems with internal.  Turn IPF off and it
works fine.  Same config on the Pix works fine for the Solaris 9 boxes,
or any other box, yet Sun of course blames it elsewhere.

BTW, not a hardware/chipset issue, as this is happening on both Sparc
(with bge nic) and an old Intel PC with an elx nic.

The rules are as follows:
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on elxl0 proto tcp from any to any flags S keep state keep frags
pass out quick on elxl0 proto udp from any to any keep state keep frags
pass out quick on elxl0 proto icmp from any to any icmp-type unreach
pass out quick on elxl0 proto icmp from any to any keep state
block in log quick all with short
pass in quick on elxl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on elxl0 proto tcp from any to any port = 23 flags S keep state
pass in quick on elxl0 proto udp from any port = domain to any
block in quick on elxl0 proto icmp from any to any icmp-type 17 keep state
pass in quick on elxl0 proto icmp from any to any  keep state
block in log on elxl0 from any to any

Logs show:
Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:36.266417 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN
Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:36.266697 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN
Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:36.266794 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN
Mar 13 17:59:38 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:38.103502 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN

Some info requested:
uname -a
SunOS xxx.xxx.xxx 5.10 Generic_118844-19 i86pc i386 i86pc

isainfo -vk
32-bit i386 kernel modules

ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
elxl0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.0.10 netmask ffff0000 broadcast 10.0.255.255

netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
10.0.0.0            10.0.0.10           U         1     11  elxl0
224.0.0.0            10.0.0.10           U         1      0  elxl0
default              10.0.0.1            UG        1     11
127.0.0.1            127.0.0.1            UH        2     20  lo0

netstat -i
Name  Mtu  Net/Dest      Address        Ipkts  Ierrs Opkts  Oerrs Collis Queue
lo0   8232 loopback      localhost      64     0     64     0     0      0
elxl0 1500 xxx.xxx.xxx  xxx         22975  0     6082   0     0      0

netstat -s -P ip
IPv4    ipForwarding        =     2     ipDefaultTTL        =   255
        ipInReceives        =  4565     ipInHdrErrors       =     0
        ipInAddrErrors      =     0     ipInCksumErrs       =     0
        ipForwDatagrams     =     0     ipForwProhibits     =     0
        ipInUnknownProtos   =     0     ipInDiscards        =     0
        ipInDelivers        =   498     ipOutRequests       =  5965
        ipOutDiscards       =     0     ipOutNoRoutes       =     0
        ipReasmTimeout      =    60     ipReasmReqds        =     0
        ipReasmOKs          =     0     ipReasmFails        =     0
        ipReasmDuplicates   =     0     ipReasmPartDups     =     0
        ipFragOKs           =     0     ipFragFails         =     0
        ipFragCreates       =     0     ipRoutingDiscards   =     0
        tcpInErrs           =     0     udpNoPorts          =     2
        udpInCksumErrs      =     0     udpInOverflows      =     0
        rawipInOverflows    =     0     ipsecInSucceeded    =     0
        ipsecInFailed       =     0     ipInIPv6            =     0
        ipOutIPv6           =     0     ipOutSwitchIPv6     =     0

ipf -V
ipf: IP Filter: v4.0.2 (500)
Kernel: IP Filter: v4.0.2
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1

ipfstat
bad packets:            in 0    out 0
 input packets:         blocked 1259 passed 4592 nomatch 0 counted 0 short 0
output packets:         blocked 0 passed 5987 nomatch 5 counted 0 short 0
 input packets logged:  blocked 1259 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0
fragment state(out):    kept 0  lost 0
packet state(in):       kept 6  lost 4
packet state(out):      kept 471        lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  544     (out):  6
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  0       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      9878
Packet log flags set: (0)
        none

ipfstat -io
pass out quick on lo0 all
pass out quick on elxl0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on elxl0 proto udp from any to any keep state keep frags
pass out quick on elxl0 proto icmp from any to any icmp-type unreach
pass out quick on elxl0 proto icmp from any to any keep state
pass in quick on lo0 all
block in log quick from any to any with short
pass in quick on elxl0 proto tcp from any to any port = ssh flags S/FSRPAU keep state
pass in quick on elxl0 proto tcp from any to any port = telnet flags S/FSRPAU keep state
pass in quick on elxl0 proto udp from any port = domain to any
block in quick on elxl0 proto icmp from any to any icmp-type maskreq keep state
pass in quick on elxl0 proto icmp from any to any keep state
block in log on elxl0 from any to any

ipnat -slv
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   0
wilds   0
table 8047b14 list 0
List of active MAP/Redirect filters:

List of active sessions:

List of active host mappings:

Thanks in advance...
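A small diagnostic script, added here and not part of the original post, that parses the ipmon lines above and maps the logged @0:8 to the eighth "in" rule of the ipfstat -io listing, then flags TCP blocks that carry no SYN (they could never match a "flags S keep state" pass rule, so no state existed for them). It assumes ipmon numbers rules per direction in the listing's order; the one SYN line is constructed for contrast.

```python
import re

# Body of an ipmon line (after the syslog prefix), as it appears in the post:
#   HH:MM:SS.usec iface @group:rule b|p src,sport -> dst,dport PR proto len hlen plen -FLAGS IN|OUT
IPMON_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>[\w.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+),(?P<dport>\d+)"
    r"\s+PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)"
)

# The 'in' rules exactly as ipfstat -io lists them in the post, in list order.
# Assumption: @group:rule counts the rules of the packet's own direction from 1 in this order.
IN_RULES = [
    "pass in quick on lo0 all",
    "block in log quick from any to any with short",
    "pass in quick on elxl0 proto tcp from any to any port = ssh flags S/FSRPAU keep state",
    "pass in quick on elxl0 proto tcp from any to any port = telnet flags S/FSRPAU keep state",
    "pass in quick on elxl0 proto udp from any port = domain to any",
    "block in quick on elxl0 proto icmp from any to any icmp-type maskreq keep state",
    "pass in quick on elxl0 proto icmp from any to any keep state",
    "block in log on elxl0 from any to any",
]

# One line copied from the post's log, and one constructed SYN line for contrast.
LOG_FROM_POST = "17:59:36.266417 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN"
LOG_CONSTRUCTED_SYN = "17:59:36.100000 elxl0 @0:4 p 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 60 -S IN"


def parse_ipmon(line):
    """Return the fields of one ipmon entry, or None if the line is not one."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["flags"] = ev["flags"] or ""
    return ev


def explain(line, in_rules=IN_RULES):
    """Map the logged rule number to its text and note a stateless mid-stream block."""
    ev = parse_ipmon(line)
    if ev is None:
        return None
    n = int(ev["rule"])
    rule = in_rules[n - 1] if ev["dir"] == "IN" and 1 <= n <= len(in_rules) else "?"
    notes = []
    # A blocked TCP packet without SYN never matched a state entry, so the 'flags S keep state'
    # pass rules could not apply to it; it fell through to the final block rule.
    if ev["action"] == "b" and ev["proto"] == "tcp" and "S" not in ev["flags"]:
        notes.append("mid-stream -%s packet to port %s hit rule %d with no state entry"
                     % (ev["flags"], ev["dport"], n))
    return {"rule_no": n, "rule": rule, "flags": ev["flags"], "notes": notes}
```

Every logged block in the post is an -A or -AP packet landing on rule 8, which is the pattern to compare against the nonzero "packet state(in) ... lost" counter in the ipfstat output above.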
