On Wed, 7 Mar 2007, Jeff A. Earickson wrote:

Date: Wed, 7 Mar 2007 10:23:48 -0500 (EST)
From: Jeff A. Earickson <[EMAIL PROTECTED]>
To: [email protected]
Subject: Re: insight on S10 ipfilter patch 125014-02?

On Tue, 6 Mar 2007, Darren Reed wrote:

Date: Tue, 06 Mar 2007 11:43:32 -0800
From: Darren Reed <[EMAIL PROTECTED]>
To: Jeff A. Earickson <[EMAIL PROTECTED]>
Cc: Carson Gaspar <[EMAIL PROTECTED]>, [email protected]
Subject: Re: insight on S10 ipfilter patch 125014-02?

Jeff A. Earickson wrote:
...

It is IPMP and "keep state".
Unless you use ndd to define an IPMP interface group there, it
is not possible to use stateful filtering as "keep state" tries to bind
the connection to specific NICs but IPMP sends them out over
either one.

You could also try this:

pass in quick on -,- out-via -,- proto tcp from any to any port = 25 flags S keep state
pass out quick on -,- out-via -,- proto tcp from any to any port = 25 flags S keep state

Darren,

What goes in the "-,-" spots?  MAC,port?  Is the "out-via" keyword
supported in ipfilter 4.1.9 (aka, Sun patch 125014-02)?  Sun version
4.0.3? Or only in later public-domain releases? I didn't find any reference to this in the Sun Doc 816-4554-12 (System Administration Guide: IP Services) or the old IPF how-to doc. In my case, I am now using
Sun's version of ipf and not the public-domain version in Solaris 10,
due to political reasons of Sun support.

This whole issue of ipfilter and IPMP really needs an entry in Phil
Dibowitz's FAQ.

To summarize my case, where link-based IPMP (Solaris 10) is configured with /etc/hostname.ce0 containing:

  137.146.28.72 netmask + broadcast + group ipmp0 up

and /etc/hostname.ce1 containing:

  group ipmp0 up

to yield an "ifconfig -a" that looks like:

  lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
          inet 127.0.0.1 netmask ff000000
  ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
          inet 137.146.28.72 netmask ffffffc0 broadcast 137.146.28.127
          groupname ipmp0
          ether 0:14:4f:1:d:7f
  ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
          inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
          groupname ipmp0
          ether 0:14:4f:1:d:7e

Then if I want to use "keep state" rules with this configuration, I have
to set the value of qif_ipmp_set for pfil via ndd:

  ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1

Correct?  Is that it?  Then just write an init script to preserve the ndd
setting across reboots? Without the "ndd -set" my usage of IPMP and "keep state" rules is doomed to failure?

Replying to myself...  I did the "ndd set", changed back to my previous
"keep state" rules for ports 25 and 587, and noticed that my email to some
problem sites was piling up again.  I changed back to Carson's stateless
rules and the email started moving again.  So, ndd twiddles don't do it.

Jeff Earickson
Colby College
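The init-script step Jeff asks about above (re-applying the pfil qif_ipmp_set value after a reboot) can be automated by deriving the group membership from "ifconfig -a" instead of hard-coding "ipmp0=ce0,ce1". The script below is an added example and is not from the thread or from Sun's ipfilter; it assumes ifconfig output in the shape quoted above (an interface header line followed by an indented "groupname" line for each IPMP member) and generalizes to several IPMP groups. The ifconfig text is a constructed sample copied in shape from the thread, and the ndd command is only printed unless APPLY=yes is set, so the parsing can be checked offline. Note that Jeff reports the ndd setting alone did not make his "keep state" rules work; this automates the step, it does not change that outcome.

```shell
#!/bin/sh
# Added example (not code from the thread): compute pfil qif_ipmp_set
# values from "ifconfig -a" output and re-apply them at boot.
# Assumption: IPMP membership shows up as an indented "groupname <g>"
# line under the interface header, as in the quoted ifconfig output.

# Constructed sample, same shape as the thread's "ifconfig -a" output.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 137.146.28.72 netmask ffffffc0 broadcast 137.146.28.127
        groupname ipmp0
        ether 0:14:4f:1:d:7f
ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
        groupname ipmp0
        ether 0:14:4f:1:d:7e'

# ipmp_groups: read ifconfig output on stdin and print one
# "group=if1,if2,..." line per IPMP group, members in ifconfig order.
ipmp_groups() {
    awk '
        # Interface header line: remember the interface name.
        /^[a-z0-9]+: / { iface = $1; sub(/:$/, "", iface); next }
        # Indented groupname line: attach the interface to its group.
        /^[ \t]+groupname / {
            g = $2
            if (g in members) members[g] = members[g] "," iface
            else members[g] = iface
        }
        END { for (g in members) print g "=" members[g] }
    ' | sort
}

# apply_ipmp_set: run the ndd command from the thread for every group.
# The command is only printed unless APPLY=yes, so this is safe offline.
apply_ipmp_set() {
    ipmp_groups | while IFS= read -r spec; do
        if [ "${APPLY:-no}" = yes ]; then
            ndd -set /dev/pfil qif_ipmp_set "$spec"
        else
            echo "ndd -set /dev/pfil qif_ipmp_set $spec"
        fi
    done
}

# Stand-alone run against the constructed sample; on a live system the
# init script would pipe "ifconfig -a" in instead.
printf '%s\n' "$SAMPLE_IFCONFIG" | apply_ipmp_set
```

On the sample this prints a single line, "ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1", which is exactly the command Jeff typed by hand; with APPLY=yes it runs it instead. Because the membership is read from the running configuration, the script stays correct if an interface is renamed or a second IPMP group is added, which a hard-coded ndd line in an init script would silently miss.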
