Folks,

We've been using ipfilter and found problems with rsh from Linux hosts to Solaris hosts.
I think this is a sample of a set of problems dealing with OOW material.
The summary of the behavior we've seen is:

rsh from a Linux host to a Solaris host with ipfilter: fails
rcp from a Linux host to a Solaris host with ipfilter: works
rsh, then rcp from a Linux host to a Solaris host with ipfilter: fails
rsh from a Solaris host with ipfilter to a Linux host: works
rsh from a Solaris host to a Solaris host with ipfilter: works

The connection from a Linux host to a Solaris host fails, then subsequent connections fail until I believe the state table clears or the rules are reloaded.
We tested:
------------------------------------------------------------------------
Network access attempt from a:[ Linux ] host to a:[ Solaris ] host using:[ rcp_rsh ]
Network access attempt from a:[ Linux ] host to a:[ Solaris ] host using:[ rsh_rcp ]
Network access attempt from a:[ Linux ] host to a:[ Solaris ] host using:[ rsh_rcp_rsh ]
Network access attempt from a:[ Linux ] host to a:[ Solaris ] host using:[ rsh_rsh ]
Network access attempt from a:[ Solaris ] host to a:[ Linux ] host using:[ rcp_rsh ]
Network access attempt from a:[ Solaris ] host to a:[ Linux ] host using:[ rsh_rcp ]
Network access attempt from a:[ Solaris ] host to a:[ Linux ] host using:[ rsh_rcp_rsh ]
Network access attempt from a:[ Solaris ] host to a:[ Linux ] host using:[ rsh_rsh ]
------------------------------------------------------------------------
The configurations of the servers are:
------------------------------------------------------------------------
Solaris:
SunOS sol8_host 5.8 Generic_117350-25 sun4u sparc SUNW,Ultra-80 running
ipf: IP Filter: v4.1.8 (500)
Linux:
Linux linux_host 2.4.21-32.0.1 #1 SMP Mon Dec 5 21:32:44 EST 2005 i686
------------------------------------------------------------------------
All of the rules are pass in quick with keep frags and keep state.
Attached are the scripts, network snoops, and ipfstat information
collected (converting and suppressing names and addresses).
I also have the raw network snoops, and the original files.
I've seen a patch from Viktor Duchovni dealing with OOW issues. Has this
been incorporated into the main tree?
When could we see this patch in the main tree?
We currently have a workaround, by permitting OOW traffic, but this
is a temporary fix.
I hope a code fix post ipfilter 4.1.13/pfil 2.1.11 may provide a
solution.
Thanks for any and all help.
-- Wayne Schmidt --
Attachment: ipfilter_debug.tar.gz
