:  I have been trying to use ipfilterd on a Silicon Graphics Origin 200,
:Irix 6.4 machine. No matter how permissive the rules are, once I start the
:daemon (with '/usr/etc/ipfilterd -d') all incoming packets are blocked. I

It's not just "all incoming packets are blocked", but...

:suspect the reason for this behaviour is that the loopback gets blocked
:(because even commands like 'ps -elf' (issued from the console) do not
:respond). I have tried an exhaustive combination of loopback (un)filtering
:rules like :
:
:accept -i lo0
:accept -i lo0 1
:accept ip.dst localhost or ip.src localhost
:accept between localhost localhost
:accept ip.src localhost or ip.dst localhost
:
:,but to no avail. Even with only two rules :
:
:accept -i lo0
:accept -i ef0
:
:the machine still hangs. Once the machine gets to this state, I can't
:even 'reboot' or 'shutdown', so I have to hit the hardware reset button.

...the machine itself hangs.  That's two different things.  No matter
what you do, you should still be able to log in through the console on
the serial port (provided you haven't hacked root's login inits all to
hell such that it relies on the network more than it should).

:I'm definitely missing something here, but after 6 or 7 hardware reboots,
:any piece of advice would be greatly appreciated.

Make sure you have patch 2089 installed, or else you'll see this sort
of hang with ipfilterd and O200.  Also, check out IRIX 6.5.11 when it
releases for an updated man page on ipfilterd which may help in terms
of setting up rules.

:Personally I have yet to have a problem running IPF on SGI machines
:which include Origins, O2's, or Indy's, this may not be a solution,
:however it may be your best bet, try going to www.opensourcefirewall.com
:and download TREX which is an OpenSource fw slightly better (IMHO)
:than ipfilterd.

I didn't think that T.REX was ported to IRIX.  It might be pretty
daunting if it's not.  Personally, I wouldn't try to equate "IP
filter" with "firewall", beyond saying that IP filtering is one
component of a firewall.  

--
 Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: [EMAIL PROTECTED]
 Royal Oak, Michigan | (has my PGP & Geek Code info) | Phone: +1 248-848-4481
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Take my hand...  off to never never land!"                        -Metallica