As described below, I am still unable to deploy IPFilter because it
blocks communication among trusted hosts within my domain. Since the
Email below, I've explicitly coded "pass in quick ..." statements for
each IP address in my subnet, yet blocks still occur.
What am I missing?
What other reasons would cause explicitly defined "pass in quick ..."
hosts to be blocked?
Could OOW conditions be occurring in spite of my patch below?
I can't try a newer release with confidence until I get this (what
seems should be) basic situation resolved.
This is so-o-o very frustrating! I would certainly appreciate any help
that you may offer.
Charles
-----Original Message-----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thu, 4 Jan 2007 8:33 am
Subject: IPFilter 4.1.13 on Solaris 8
I am attempting to deploy IPFilter 4.1.13 on Solaris 8 systems.
I was unable to deploy IPFilter 4.1.8 due to my trusted computers being
blocked by OOW conditions.
So, I tried IPFilter 4.1.13. Again OOW conditions prevented
deployment.
Then I rebuilt IPFilter 4.1.13 with (hopefully) no OOW blocking.
Was:
ip_fil.h:#define FI_OOW 0x0800 /* Out of state window, ... */
Is:
ip_fil.h:#define FI_OOW 0x0000 /* Out of state window, ... */
My logic, though arguably faulty, is that I am apparently living okay
with OOW conditions without IPFilter.
I need the protection of IPFilter now.
This modification to IPFilter ran on a test computer for weeks without
any unexpected blocks.
Then when I attempted to deploy it, IPFilter started blocking my
trusted computers. My intent, as shown by these config statements, is
to NEVER block any traffic from any computers on my subnet
(123.456.78.01 - 123.456.78.99):
pass in quick proto tcp from 123.456.78.0/26 to any flags S keep state
pass in quick proto udp from 123.456.78.0/26 to any keep state
pass in quick proto tcp from 123.456.78.64/27 to any flags S keep state
pass in quick proto udp from 123.456.78.64/27 to any keep state
pass in quick proto tcp from 123.456.78.96/28 to any flags S keep state
pass in quick proto udp from 123.456.78.96/28 to any keep state
However, as shown below from ipmon logs, sometimes traffic from
123.456.78.xx computers is being blocked.
I hope that someone can see what I am missing.
This situation prohibits me from deploying the much needed IPFilter
firewall.
-------------------------------------------------------------------------
Computer 123.456.78.11:
29/11/2006 12:16:35.785428 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
29/11/2006 12:16:36.713333 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
29/11/2006 12:16:38.583342 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
29/11/2006 12:16:42.333484 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
29/11/2006 12:16:49.834710 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
29/11/2006 12:17:04.833742 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
Computer 123.456.78.43:
28/11/2006 20:18:07.266794 eri0 @0:18 b 123.456.78.11,33204 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
28/11/2006 20:18:10.632686 eri0 @0:18 b 123.456.78.11,33204 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
28/11/2006 20:18:17.382736 eri0 @0:18 b 123.456.78.11,33204 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
... records deleted ...
29/11/2006 07:54:58.685624 eri0 @0:18 b 123.456.78.47,40404 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 07:55:03.530294 eri0 @0:18 b 123.456.78.47,40404 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 07:55:13.240332 eri0 @0:18 b 123.456.78.47,40404 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 07:55:32.661388 eri0 @0:18 b 123.456.78.47,40404 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
... records deleted ...
29/11/2006 08:18:55.785726 eri0 @0:18 b 123.456.78.68,39750 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 08:19:00.637141 eri0 @0:18 b 123.456.78.68,39750 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 08:19:10.367237 eri0 @0:18 b 123.456.78.68,39750 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 08:19:29.827933 eri0 @0:18 b 123.456.78.68,39750 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
... records deleted ...
29/11/2006 09:00:15.181563 eri0 @0:18 b 123.456.78.76,38799 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 09:00:20.037385 eri0 @0:18 b 123.456.78.76,38799 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 09:00:29.767323 eri0 @0:18 b 123.456.78.76,38799 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 09:00:49.229308 eri0 @0:18 b 123.456.78.76,38799 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
... records deleted ...
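
An added example, not part of the original message: a short Python check of the quoted ipmon records against the posted pass rules, showing for each blocked TCP packet whether a "flags S" rule could have matched it. It assumes a bare "flags S" is compared against the full flag mask, that the ipmon field layout is as in the quoted lines, and it compares only the last octet because the posted addresses are not valid IPv4 (octet 456).

```python
import re
from collections import Counter

# Three records copied from the ipmon output above (wrapped lines rejoined).
SAMPLE = """\
29/11/2006 12:16:35.785428 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
28/11/2006 20:18:07.266794 eri0 @0:18 b 123.456.78.11,33204 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
29/11/2006 08:18:55.785726 eri0 @0:18 b 123.456.78.68,39750 -> 123.456.78.43,33287 PR tcp len 20 40 -AF IN
"""

# Source ranges from the posted pass rules: (first last-octet, prefix length).
PASS_NETS = [(0, 26), (64, 27), (96, 28)]

LINE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\w) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ -(?P<flags>[A-Z]+) (?P<dir>IN|OUT)")

def src_in_pass_nets(src):
    # Last-octet comparison only; the first three octets are shared by all rules.
    host = int(src.rsplit(".", 1)[1])
    return any(base <= host < base + 2 ** (32 - plen) for base, plen in PASS_NETS)

def matches_flags_s(flags, mask="FSRPAU"):
    # Assumption: of the masked flag bits, SYN and only SYN must be set.
    return {f for f in flags if f in mask} == {"S"}

def explain(log_text):
    """Count blocked TCP packets by (rule, flags, why the pass rules did not apply)."""
    out = Counter()
    for m in map(LINE.search, log_text.splitlines()):
        if not m or m["action"] != "b" or m["proto"] != "tcp":
            continue
        if not src_in_pass_nets(m["src"]):
            reason = "source outside pass ranges"
        elif not matches_flags_s(m["flags"]):
            reason = "not a SYN: needs an existing state entry"
        else:
            reason = "SYN from trusted range: pass rule should have matched"
        out[(f"@{m['group']}:{m['rule']}", m["flags"], reason)] += 1
    return out

if __name__ == "__main__":
    for key, count in explain(SAMPLE).items():
        print(count, *key)
```

Every sampled record is a FIN+ACK segment from a covered source, so none of them can match a "flags S" rule directly; such packets pass only when a state entry for the connection still exists.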