I forgot to add this to my last message.

# svcs | egrep '(pfil|ipfilter)'
online         Jan_08   svc:/system/rmtmpfiles:default
online          7:15:21 svc:/network/pfil:default
online          7:15:27 svc:/network/ipfilter:default

I had to fix my syslog.conf file. I had spaces instead of tab delimiters on the /var/log/ipfilter.log line.


mdpeters wrote:
I found this in the /var/adm/messages log file. There is nothing logged to /var/log/ipfilter.log yet.

+++++
messages.1:16841:Jan 7 22:00:05 Osiris syslogd: line 35: unknown priority name "debug /var/log/ipfilter.log
messages.1:16886:Jan 7 22:23:35 Osiris ipfilter: [ID 702911 daemon.warning] pfil not plumbed on any network interfaces.
messages.1:16887:Jan 7 22:23:35 Osiris ipfilter: [ID 702911 daemon.warning] No network traffic will be filtered.
messages.1:16888:Jan 7 22:23:35 Osiris ipfilter: [ID 702911 daemon.warning] See ipfilter(5) for more information.
messages.1:16889:Jan 7 22:23:35 Osiris svc.startd[7]: [ID 652011 daemon.warning] svc:/network/ipfilter:default: Method "/lib/svc/method/ipfilter start" failed with exit status 96.
messages.1:16890:Jan 7 22:23:35 Osiris svc.startd[7]: [ID 748625 daemon.error] network/ipfilter:default misconfigured
+++++

# more pfil.ap

# IP Filter pfil autopush setup
#
# See autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major  minor lastminor modules

#le     -1      0       pfil
#qe     -1      0       pfil
hme     -1      0       pfil
qfe     -1      0       pfil
#eri    -1      0       pfil
#ce     -1      0       pfil
#bge    -1      0       pfil
#be     -1      0       pfil
#vge    -1      0       pfil
#ge     -1      0       pfil
#nf     -1      0       pfil
#fa     -1      0       pfil
#ci     -1      0       pfil
#el     -1      0       pfil
#ipdptp -1      0       pfil
#lane   -1      0       pfil
#dmfe   -1      0       pfil

+++++

I am pretty sure my enable and start commands are good since I can see rules being loaded with ipfstat -io.

I am wondering if the logging rules are wrong?

log level local7.debug out on qfe0 all
log level local7.debug in on qfe0 all
log level local7.debug out on qfe2 all
log level local7.debug in on qfe2 all
log level local7.debug out on hme0 all
log level local7.debug in on hme0 all

+++++

My QFE0 and QFE2 interfaces are trunked. Will this cause problems by chance?



Phil Dibowitz wrote:

mdpeters wrote:

I am new to IPFilter. My experience comes from other firewalls. I have
what seems like a proper build from following all sorts of example
documents out there. My problem is that nothing seems to pass through
the system. I am not sure if it is a NAT issue or rule misconfiguration
on my part. If someone could critique an excerpt of what I have and clue
me into what I am doing wrong I would certainly appreciate it.



I noticed you have logging on - what do the logs show? You don't include
that here. It should include the rule that is blocking the packets.

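The syslog.conf delimiter problem in this thread (spaces instead of a tab between selector and action, which syslogd reports as an unknown priority name that swallows the rest of the line and then drops the entry) can be checked for mechanically before restarting anything. The script below is an added example, not code from the thread or from IPFilter; it assumes a file in standard syslog.conf layout and runs against a constructed sample rather than a real /etc/syslog.conf.

```shell
#!/bin/sh
# Added example (not from the thread): find syslog.conf entries whose selector and
# action are separated by spaces instead of a tab, and rewrite them.
#
# syslogd splits each line on tabs only.  A space-delimited entry such as
#     local7.debug /var/log/ipfilter.log
# is read as one selector, so the priority token becomes
# "debug /var/log/ipfilter.log" and syslogd logs
#     syslogd: line N: unknown priority name "debug /var/log/ipfilter.log"
# and the entry never takes effect.

# check_syslog_conf FILE
# Prints every non-comment line that has no tab but does contain a space.
# Exit status 0 if the file is clean, 1 if at least one line is flagged.
check_syslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        index($0, "\t") == 0 && $0 ~ / / {         # spaces but no tab: broken delimiter
            printf("%s:%d: no tab between selector and action: %s\n", FILENAME, FNR, $0)
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# fix_syslog_conf FILE
# Writes FILE to stdout with the first run of whitespace after the selector
# replaced by a single tab.  Comments and blank lines pass through unchanged.
fix_syslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        { sub(/[ \t]+/, "\t"); print }
    ' "$1"
}

# write_sample FILE
# Constructed sample, not a real /etc/syslog.conf: a comment, one correct
# tab-delimited entry, and one space-delimited entry like the broken one
# described in the thread.
write_sample() {
    printf '%s\n' '# constructed sample syslog.conf' > "$1"
    printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n' >> "$1"
    printf '%s\n' 'local7.debug /var/log/ipfilter.log' >> "$1"
}

# Stand-alone demonstration: flag the broken line, fix it, re-check.
demo() {
    f="${TMPDIR:-/tmp}/syslogchk.$$"
    write_sample "$f"
    echo "== before =="
    check_syslog_conf "$f" || true
    fix_syslog_conf "$f" > "$f.fixed"
    echo "== after =="
    check_syslog_conf "$f.fixed" && echo "no space-delimited entries left"
    rm -f "$f" "$f.fixed"
}

demo
```

Run `check_syslog_conf /etc/syslog.conf` before and after editing; once the file is clean, syslogd still has to re-read it (on Solaris 10, `svcadm refresh svc:/system/system-log:default`, or send the daemon a HUP) before anything reaches /var/log/ipfilter.log. The fixer only touches the first whitespace run on each line, so a selector list and its action are never split further than that.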