The current version on Solaris 10 is 11.10.0,REV=2005.01.21.15.53. (It is the same version for Solaris 10 2006/Jan and 2006/Jun.)
I had posted earlier asking whether Solaris 10 has the same function as xinetd for IP forwarding. The suggestion was to try IP Filter. First, the answer is no. The rdr in Solaris 10 may be OK for forwarding an ssh or web connection, but not for an Oracle connection (by default, Oracle listens on port 1521), because of the protocol or the way it works.

For xinetd: xinetd is started and listens on, for example, port 8888:

    client machine socket <--> Machine A listening on 8888 <--> Machine B Oracle 1521

For IP Filter: the client perhaps connects to Machine B directly, but with the IP translated by Machine A. In any case it cannot work for Oracle networking, though it may be OK for other applications:

    client machine socket --> translated IP, nothing listening on 8888 --> Machine B Oracle 1521

xinetd is not available on Solaris 10, but luckily we do not need machine-to-machine redirection on Solaris 10: all the IPs are actually on the same physical machine, only in different zones. So in /etc/ipf (our net card type is ce):

1) pfil.ap:

    ce -1 0 pfil

2) ipf.conf:

    pass in all
    pass out all

3) ipnat.conf:

    rdr ce0 68.199.199.0/24 port 8888 -> 68.199.199.199 port 1521 tcp
    rdr ce0 68.199.199.0/24 port 2222 -> 68.199.199.199 port 22 tcp

This works fine whether 68.199.199.199 is the IP of the global zone or the IP of a non-global zone.

We have multiple IP net cards on the machine, and I believe it would work fine if the net cards were of different types, e.g. one ce0 and another hme0. But few Sun servers have different net card types; it is always ce0, ce1 ... or hme0, hme1 ... For example, we use ce0 and ce1 for the server:

    rdr ce0 68.199.199.0/24 port 8888 -> 68.199.199.199 port 1521 tcp
    rdr ce1 68.199.199.0/24 port 8888 -> 68.199.199.199 port 1521 tcp
    rdr ce0 65.197.230.0/24 port 2222 -> 68.199.199.199 port 22 tcp

It works for only one card, but never for both cards at the same time: connections coming in on the other card always time out, though the global zone log shows that the active connections are made (ipmon and ipnat -l).
Maybe it works only for the first card on which a connection is triggered. In pfil, you can only enable by category. For now, we plan to disable all the other network cards except ce0; yes, we will lose IPMP at the same time. In case ce0 fails, we have Sun hardware people to change it for us.

My other question: does it work if we uninstall the Sun version of IP Filter and install the latest IP Filter version instead?

This message posted from opensolaris.org
opensolaris-discuss mailing list
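The three /etc/ipf files from the post, regenerated by a small script so that the same rdr rules are emitted for every interface listed and the pfil.ap line is derived from the interface names. This is an added example and not code from the original post: the 68.199.199.0/24 source network, the 68.199.199.199 target and the ce0/ce1 interface names are taken from the post, while the function names, the port map, the script name and the --load step (which assumes the ipnat(1M) command of the IP Filter bundled with Solaris 10) are assumptions of mine.

```shell
#!/bin/sh
# gen-ipnat.sh (assumed name): generate the pfil.ap, ipf.conf and ipnat.conf
# contents for a set of interfaces, and optionally load the NAT rules.
# Added example, not from the original post; helper names are mine.

# Target zone address and source network, as in the post.
TARGET=68.199.199.199
SRCNET=68.199.199.0/24

# Port map (constructed): "listen_port:target_port", one pair per line.
PORTMAP="8888:1521
2222:22"

# gen_pfil_ap IFACE... : one "DRIVER -1 0 pfil" line per distinct driver.
# "-1" means every instance of the driver (ce0, ce1, ...), which is why
# pfil.ap can only be enabled per driver type, not per interface.
gen_pfil_ap() {
    for ifc in "$@"; do
        printf '%s\n' "${ifc%%[0-9]*}"
    done | sort -u | while read -r drv; do
        printf '%s -1 0 pfil\n' "$drv"
    done
}

# gen_ipf_conf : the permissive filter from the post (no filtering, NAT only).
gen_ipf_conf() {
    printf 'pass in all\npass out all\n'
}

# gen_rdr_rules IFACE... : one rdr rule per (interface, port pair), so the
# redirect is declared on every card a client may arrive on.
gen_rdr_rules() {
    for ifc in "$@"; do
        echo "$PORTMAP" | while IFS=: read -r lport tport; do
            printf 'rdr %s %s port %s -> %s port %s tcp\n' \
                "$ifc" "$SRCNET" "$lport" "$TARGET" "$tport"
        done
    done
}

# count_rules IFACE... : number of rdr rules the generator produces.
count_rules() {
    gen_rdr_rules "$@" | grep -c '^rdr '
}

case "${1:-}" in
--load)
    # Write and load only the NAT rules. pfil.ap is printed, not written,
    # because a pfil.ap change needs the interfaces re-plumbed to take effect.
    shift
    gen_rdr_rules "$@" > /etc/ipf/ipnat.conf
    # -C removes the existing NAT rules, -F flushes active NAT sessions,
    # -f loads the new file; then list what is loaded (the check the post used).
    ipnat -CF -f /etc/ipf/ipnat.conf
    ipnat -l
    ;;
*)
    # Preview mode: print the three files for the interfaces given
    # (defaults to ce0 and ce1, the post's two cards).
    [ $# -gt 0 ] || set -- ce0 ce1
    echo '# pfil.ap';    gen_pfil_ap "$@"
    echo '# ipf.conf';   gen_ipf_conf
    echo '# ipnat.conf'; gen_rdr_rules "$@"
    ;;
esac
```

Run it without arguments to preview the files for ce0 and ce1, or as root in the global zone with `--load ce0 ce1` to write /etc/ipf/ipnat.conf and reload it. The `-CF` flags matter when iterating on rules: without them an old rdr entry and stale active mappings survive the reload, and `ipnat -l` will show mappings that no longer match the file on disk.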
