Hi All,

I see the feature in IPFilter 4.1.1, published by Darren a few days ago, where

--
On the feature side of things, someone didn't like that it wasn't possible to list multiple interfaces in a single rule, like is possible with addresses, so this is now possible:

block in on (ex0 ex1) all
--

Maybe someone had the same idea! Great! Where is it possible to find more documentation for this feature? I expect that it works. Is that correct?

--
block in log level local2.notice on (ce4 ce7) all head 100
block in log level local2.notice on (ce4 ce7) all head 110

# LAN 10.9.19.X
pass in quick from 10.2.19.0/24 to 10.1.1.27/32 keep frags keep state group 100
pass out quick from 10.1.1.27/32 to 10.2.19.0/24 keep frags keep state group 150
--

Does someone have the precompiled packages for Solaris 2.9?

Thanks for your attention.

Cesare

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, March 20, 2006 12:25 PM
Subject: IPFilter 3.4.32 on Solaris with MultiPath

> Hi all,
>
> I installed IPFilter on a Solaris 9.x environment with MultiPath enabled and I'm facing a configuration problem (it is not really a problem at all, but maybe useful to talk about an implementation for a future release).
>
> With a MultiPath configuration, it is possible to configure two NICs (or more) on the same subnet (with different main IP addresses) for fault tolerance and load balancing of IP traffic. Outbound packets are constructed with the main IP address and the O.S. responds with the main one.
> Let me introduce an example:
>
> --
> [EMAIL PROTECTED]> ifconfig -a
> lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>         inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
>         groupname kmher
>         ether 0:3:ba:b1:d7:1c
> ce4:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
>         inet 10.1.1.61 netmask ffffff80 broadcast 10.1.1.127
> ce7: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>         inet 10.1.1.27 netmask ff000000 broadcast 10.255.255.255
>         groupname kmher
>         ether 0:3:ba:b1:d7:1f
> ce7:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
>         inet 10.1.1.60 netmask ffffff80 broadcast 10.1.1.127
> ip.tun1: flags=10028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,IPv4> mtu 1480 index 4
>         inet tunnel src 10.1.1.27 tunnel dst 10.1.27.21
>         tunnel security settings esp (3des-cbc/hmac-md5)
>         tunnel hop limit 60
>         inet 10.1.27.27 --> 10.1.25.1 netmask ff000000
> --
>
> The default-gw is: 10.1.1.1. With this configuration I want to deploy an IP/Filter rule set. I wrote:
>
> --
> #-------------------------------------------------------
> # Group setup.
> # ==================================
> block in log level local2.notice on ce4 all head 100
> block in log level local2.notice on ce7 all head 110
> block out log level local2.notice on ce4 all head 150
> block out log level local2.notice on ce7 all head 160
>
> # MultiPath
> pass in quick proto icmp from 10.1.1.1/32 to 10.1.1.61/32 group 100
> pass out quick proto icmp from 10.1.1.61/32 to 10.1.1.1/32 group 150
> pass in quick proto icmp from 10.1.1.1/32 to 10.1.1.60/32 group 110
> pass out quick proto icmp from 10.1.1.60/32 to 10.1.1.1/32 group 160
>
> # LAN 10.9.19.X
> pass in quick from 10.2.19.0/24 to 10.1.1.27/32 keep frags keep state group 100
> pass out quick from 10.1.1.27/32 to 10.2.19.0/24 keep frags keep state group 150
> pass in quick from 10.2.19.0/24 to 10.1.1.27/32 keep frags keep state group 110
> pass out quick from 10.1.1.27/32 to 10.2.19.0/24 keep frags keep state group 160
> --
>
> As you can see, I need to duplicate every rule for every NIC in MultiPath. I'm wondering if there is another way to deploy rules, or if in the next release it will be possible to insert a rule like this:
>
> pass in quick from 10.2.19.0/24 to 10.1.1.27/32 keep frags keep state group 100,110
>
> What do you think about that?
>
> Thanks for reading and feel free to send back any comments.
>
> Cesare
>
> __________ NOD32 1.1450 (20060318) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
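As an added example (not code from this thread, from Darren's release note, or from IPFilter itself): a small Python generator that takes one logical rule set for an IPMP group and emits either the per-NIC form the original post had to write by hand for 3.4.32 (one `head` per interface and direction, every `pass` rule repeated) or the collapsed form using the parenthesised interface list quoted from the 4.1.1 note. It assumes only the rule syntax visible in the thread (`on (ce4 ce7)`, `head N`, `group N`, `keep frags keep state`); the `IpmpGroup`/`PassRule` names, the head numbering scheme and the `dangling_groups` check are my own. The check reports any `group N` that no `head N` defines, which is the kind of mistake a hand-duplicated rule set invites, and it is cheap to run before loading a file with `ipf`.

```python
"""Expand IPFilter head/group rules over an IPMP interface group.

Added example, not from the mailing-list thread. Two renderings of one
logical rule set:
  - expand_per_interface: IPFilter 3.4.x style, one head per NIC per
    direction, with every pass rule repeated (as the quoted post wrote it).
  - expand_interface_list: 4.1.1 style, one head per direction using the
    parenthesised interface list the release note quoted above describes.
"""
import re
from dataclasses import dataclass


@dataclass
class PassRule:
    direction: str       # "in" or "out"
    src: str             # source address/prefix, e.g. "10.2.19.0/24"
    dst: str             # destination address/prefix
    proto: str = ""      # e.g. "icmp"; empty string means any protocol
    keep: bool = True    # append "keep frags keep state"


@dataclass
class IpmpGroup:
    name: str            # IPMP groupname, informational only
    interfaces: list     # physical NICs in the group, e.g. ["ce4", "ce7"]
    log_level: str = "local2.notice"


def render_pass(rule, group_num):
    """Render one 'pass ... group N' line in the syntax used in the thread."""
    parts = [f"pass {rule.direction} quick"]
    if rule.proto:
        parts.append(f"proto {rule.proto}")
    parts.append(f"from {rule.src} to {rule.dst}")
    if rule.keep:
        parts.append("keep frags keep state")
    parts.append(f"group {group_num}")
    return " ".join(parts)


def expand_per_interface(group, rules, first_in=100, first_out=150, step=10):
    """3.4.x form: a head per (interface, direction); pass rules repeated per NIC.

    With the defaults and ["ce4", "ce7"] this reproduces the numbering in the
    quoted post: in 100/110, out 150/160.
    """
    heads = {}
    for i, iface in enumerate(group.interfaces):
        heads[(iface, "in")] = first_in + i * step
        heads[(iface, "out")] = first_out + i * step
    lines = []
    for direction in ("in", "out"):
        for iface in group.interfaces:
            lines.append(f"block {direction} log level {group.log_level} "
                         f"on {iface} all head {heads[(iface, direction)]}")
    for rule in rules:
        for iface in group.interfaces:
            lines.append(render_pass(rule, heads[(iface, rule.direction)]))
    return lines


def expand_interface_list(group, rules, head_in=100, head_out=150):
    """4.1.1 form: one head per direction covering the whole interface list."""
    ifaces = "(" + " ".join(group.interfaces) + ")"
    lines = [
        f"block in log level {group.log_level} on {ifaces} all head {head_in}",
        f"block out log level {group.log_level} on {ifaces} all head {head_out}",
    ]
    for rule in rules:
        lines.append(render_pass(rule, head_in if rule.direction == "in" else head_out))
    return lines


_HEAD = re.compile(r"\bhead (\d+)\b")
_GROUP = re.compile(r"\bgroup (\d+)\b")


def dangling_groups(lines):
    """Return group numbers referenced by rules but never defined by a head rule."""
    heads = {m.group(1) for line in lines for m in _HEAD.finditer(line)}
    groups = {m.group(1) for line in lines for m in _GROUP.finditer(line)}
    return sorted(groups - heads, key=int)


# Constructed sample input: the IPMP group and the LAN rules from the thread.
KMHER = IpmpGroup("kmher", ["ce4", "ce7"])
LAN_RULES = [
    PassRule("in", "10.2.19.0/24", "10.1.1.27/32"),
    PassRule("out", "10.1.1.27/32", "10.2.19.0/24"),
]

if __name__ == "__main__":
    for title, lines in (("3.4.x per-interface", expand_per_interface(KMHER, LAN_RULES)),
                         ("4.1.1 interface list", expand_interface_list(KMHER, LAN_RULES))):
        print(f"# {title}")
        print("\n".join(lines))
        print("# dangling groups:", dangling_groups(lines) or "none")
```

Per-interface test addresses (the ICMP rules to 10.1.1.61 and 10.1.1.60 in the post) are deliberately not modelled here; they differ per NIC and belong in a separate per-interface rule list rather than in the shared set this generator expands.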
