I've just upgraded my good old Solaris 7 with ipfilter v3.4.20 to
Solaris 10 with the default ipfilter v4.0.3. I've always had this rule
in the configuration:
pass out quick on elxl0 proto icmp from any to any icmp-type echo keep state
and with the old system, it worked fine for tracert from Windows
clients. With the new system, it looks like v4.0.3 doesn't really
establish or keep the state, and attempts to use tracert end up with
timxceed/transit blocked by the default rule, e.g.:
elxl0 @0:56 b 130.81.29.218 -> 192.168.1.1 PR icmp len 20 56 icmp timxceed/transit for 192.168.1.1 - 72.14.207.99 PR icmp len 20 92 icmp 8/0 IN
When I try to just let incoming timxceed/transit packets in, the Windows
tracert ignores them, and tcpdump shows that the ip id field is botched
in the packets on the inside.
Am I missing or doing something wrong or is it a bug in v4.0.3 and I
need to upgrade?
Thanks!
Dima
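
Added example, not part of the original message and not ipfilter code: a small Python check that scans log lines shaped like the one quoted above and reports blocked inbound ICMP errors that quote an echo request sent by the error's own destination, which is the traffic the keep state rule was expected to cover. The line layout is assumed from the single line in the post; the second sample line and the name orphaned_icmp_errors are constructed for illustration.

```python
import re

# Sample input: the blocked line quoted in the post (rejoined onto one line)
# and a constructed, unrelated blocked echo request for contrast.
SAMPLE_LOG = [
    "elxl0 @0:56 b 130.81.29.218 -> 192.168.1.1 PR icmp len 20 56 "
    "icmp timxceed/transit for 192.168.1.1 - 72.14.207.99 "
    "PR icmp len 20 92 icmp 8/0 IN",
    "elxl0 @0:56 b 203.0.113.9 -> 192.168.1.1 PR icmp len 20 84 icmp 8/0 IN",
]

# Layout assumed from the line in the post:
#   <if> @<group>:<rule> <action> <src> -> <dst> PR icmp len <hl> <len> icmp <type>
#   [for <quoted src> - <quoted dst> PR <proto> len <hl> <len> <proto> <type>] <dir>
# The separator in the quoted part is accepted as either "-" or "->".
LINE_RE = re.compile(
    r"(?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR icmp len \d+ \d+ icmp (?P<type>\S+)"
    r"(?: for (?P<isrc>\S+) ->? (?P<idst>\S+) PR (?P<iproto>\S+) len \d+ \d+ "
    r"(?P=iproto) (?P<itype>\S+))? (?P<dir>IN|OUT)$"
)


def orphaned_icmp_errors(lines):
    """Return blocked inbound ICMP errors whose quoted packet is an echo
    request (8/0) that the error's destination host sent out."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["isrc"] is None:
            continue  # unparsable, or not an ICMP error with a quoted packet
        if (m["action"] == "b" and m["dir"] == "IN"
                and m["iproto"] == "icmp" and m["itype"] == "8/0"
                and m["isrc"] == m["dst"]):
            hits.append({
                "rule": f'@{m["group"]}:{m["rule"]}',  # rule that blocked it
                "router": m["src"],    # hop that sent the ICMP error
                "client": m["dst"],    # host that sent the echo request
                "target": m["idst"],   # destination of the echo request
                "error": m["type"],
            })
    return hits


if __name__ == "__main__":
    for hit in orphaned_icmp_errors(SAMPLE_LOG):
        print(hit)
```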