Joseph Tam wrote:
> On Wed, 19 May 2010, Brian H. Nelson wrote:
>
>> I have verified that return-rst does work for INbound connections,
>> albeit with the IRE/cache/route/arp bug that I have read about on
>> Solaris 10.
>
> How did you get this to work? Is there a patch that makes return-rst
> work?
> My Solaris10 ipf's still suffer from this malady.
>
> Joseph Tam <[email protected]>

I didn't exactly. I was only able to verify that it does work if the bug
is worked around.

I just found this post that seems to indicate that the return-rst
problem on Solaris 10 is a problem in the kernel and not ipf:

http://marc.info/?l=ipfilter&m=123887232610765&w=2

I had found this Solaris bug previously, 6801301, that applies to
return-rst on inbound connections. The workaround in there (pinging the
host in question) does seem to 'enable' the reset packet to get sent. If
you have a Solaris service contract, you could in theory raise an
escalation on that bug.

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6801301

However, I'm still not clear if that is the issue with or is related to
trying to return-rst for outbound connections.

-Brian
--
----------------------------------------
Brian H. Nelson
Network Security Analyst
Network and Telecommunications Services
Youngstown State University
bnelson[at]cis[dot]ysu[dot]edu
----------------------------------------