-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dominique Petitpierre wrote:
| ...
| My second try was to use two stateless rules, and to do "source port
| routing" for outgoing packets:
|
| pass in quick proto tcp from any to any port = 443 group i_sso-test1
| pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from any port = 443 to any group o_sso-test1
| pass out quick proto tcp from any port = 443 to any group o_sso-test1
|
| Which I understand as "incoming packets to port 443 are allowed and
| outgoing packets from port 443, if passing on interface e1000g0, are
| redirected through interface e1000g305000 via the gateway 10.13.5.1,
| if not, are simply allowed".

Right.

| It does not work either; in the ipf log it shows that both the in and
| the first out rules matched:
|
| 23:09:00.591163 e1000g305000 @i_sso-test1:1 p 10.194.17.11,26080 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
| 23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT

These are two different packets...

|
| But again the reply packet seems to be lost in thin air.
| I have tried various other rules to no avail.
|
| - Should this work with ipfilter v4.1.9 (592) coming with Solaris 10
|  u7?

Yes...

What you might like to do is start with two rules, "log in all" and "log out all" and find out how ipfilter sees the network traffic with respect to the virtual network interfaces and the real ones.

It may be that ipfilter is not seeing the packets associated with network interfaces like you might expect.

| Context:
|
| If it matters, this is occurring in a Solaris 10 zone, with virtual
| interfaces one of which uses 802.1q tagging (vlan 305, subnet
| 10.13.5.0/24), and the "router" is a Cisco ACE load balancer with
| interface 10.13.5.1 on the server side.

This may have some impact on things...

Darren

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkr8d4sACgkQP7JIXtvLbFWWdQCeMnWSj39hvq1N4atKwYEbVo8A
jDcAoMKU6ecW5r26oXXkCfV+KPCvas4s
=AGcB
-----END PGP SIGNATURE-----
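The diagnostic Darren suggests ("log in all" / "log out all", then read which interface ipfilter attributes each packet to) produces a lot of ipmon lines. The following script is an added example, not code from the thread or from ipfilter: it parses log lines in the layout quoted above, counts packets per interface and direction, and pairs each inbound packet with the outbound packet that reverses its 4-tuple, so that a reply leaving on a different interface than the request arrived on (the symptom in the thread) or a request with no logged reply at all stands out. The sample log embeds the two lines from the thread plus constructed lines (group `0`, the other addresses and ports are made up); it assumes the field layout shown in the quoted lines and that TCP/UDP ports appear as `addr,port`, and it skips any line it cannot match.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two lines quoted in the thread followed by lines in
# the same layout that "log in all" / "log out all" rules (group 0) could
# produce. The ssh flow is symmetric; the last request gets no reply.
SAMPLE_LOG = """\
23:09:00.591163 e1000g305000 @i_sso-test1:1 p 10.194.17.11,26080 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT
23:09:01.100000 e1000g0 @0:1 p 10.194.17.20,40000 -> 10.13.4.50,22 PR tcp len 20 60 -S IN
23:09:01.100200 e1000g0 @0:2 p 10.13.4.50,22 -> 10.194.17.20,40000 PR tcp len 20 44 -AS OUT
23:09:02.000000 e1000g305000 @0:1 p 10.194.17.30,50000 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
"""

# One ipmon-style line as it appears in the thread:
#   time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen -flags DIR
# Ports and the TCP flag field are optional so that lines for other protocols
# still match; anything else is skipped by parse_line().
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>[^:\s]+):(?P<rule>\d+)\s+"
    r"(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s+"
    r"(?:-(?P<flags>\S+)\s+)?"
    r"(?P<dir>IN|OUT)$"
)


@dataclass(frozen=True)
class Packet:
    time: str
    iface: str
    group: str
    rule: int
    action: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: str
    direction: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Packet(
        time=g["time"], iface=g["iface"], group=g["group"], rule=int(g["rule"]),
        action=g["action"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        proto=g["proto"], flags=g["flags"] or "", direction=g["dir"],
    )


def parse_log(text: str) -> List[Packet]:
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def interface_summary(packets: List[Packet]) -> dict:
    """How many packets ipfilter attributed to each (interface, direction)."""
    return dict(Counter((p.iface, p.direction) for p in packets))


Flow = Tuple[str, Optional[int], str, Optional[int]]


def reply_paths(packets: List[Packet]) -> List[Tuple[Flow, str, Optional[str]]]:
    """For each IN packet, find the first OUT packet whose 4-tuple is the
    reverse of it. Returns (request flow, in_iface, out_iface or None)."""
    out_index = {}
    for p in packets:
        if p.direction == "OUT":
            out_index.setdefault((p.src, p.sport, p.dst, p.dport), p)
    results = []
    for p in packets:
        if p.direction != "IN":
            continue
        reply = out_index.get((p.dst, p.dport, p.src, p.sport))
        flow: Flow = (p.src, p.sport, p.dst, p.dport)
        results.append((flow, p.iface, reply.iface if reply else None))
    return results


def asymmetric(packets: List[Packet]):
    """Requests whose reply left on a different interface than they arrived on."""
    return [r for r in reply_paths(packets) if r[2] is not None and r[2] != r[1]]


def unanswered(packets: List[Packet]):
    """Requests for which no reversed OUT packet was logged at all."""
    return [r for r in reply_paths(packets) if r[2] is None]


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("per interface/direction:", interface_summary(pkts))
    print("asymmetric:", asymmetric(pkts))
    print("unanswered:", unanswered(pkts))
```

Run it against a captured ipmon file by reading the file into `parse_log`; the `asymmetric` list is the quick check for the situation in the thread (request seen IN on the vlan interface, SYN-ACK seen OUT on e1000g0), and the `unanswered` list points at replies that were never logged on any interface, which is where to look when a packet seems to vanish.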
