I've just attempted to upgrade two Solaris 7 boxes running ipf
3.4.25 to 3.4.29.

One box worked fine (one interface), the other would not correctly
pass packets after the upgrade using the same ruleset.

Packets which should have been allowed were being blocked by the
catch-all rules, e.g. ssh replies:

Nov  7 18:48:46 fw ipmon[111]: [ID 702911 local0.warning] 18:48:45.520290 le2 @0:15 b y,22 -> x,44605 PR tcp len 20 44 -AS OUT

The rule allowing x -> y port = 22 is:

pass in quick proto tcp from x to y port = 22 flags S keep state group 200

As "keep state" is being used, the syn/ack should have been allowed
to go out le2. I confirmed that the correct rule was being matched
and the SYN would be blocked if it didn't match, anyway.

Going back to 3.4.25 immediately resolved the problem. I am
unfortunately not easily able to isolate which 3.4.2[6-9]
release introduced this problem. :(

Has anyone else experienced such things?

g.
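The symptom above, an outbound SYN/ACK from a stateful service port reaching the catch-all block rule, can be spotted mechanically in ipmon output. The following Python is an added example, not code from the original post: it parses ipmon records in the format shown and flags such lines; the sample log is constructed, with the post's own line included.

```python
import re
from typing import Dict, List, Optional

# One ipmon record; the syslog prefix ("Nov  7 18:48:46 fw ipmon[111]: ...") is optional.
IPMON_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>\S+?),(?P<sport>\d+) -> (?P<dst>\S+?),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)"
)
INT_FIELDS = ("group", "rule", "sport", "dport", "hlen", "plen")

def parse_ipmon(line: str) -> Optional[Dict[str, object]]:
    """Parse one ipmon line into a dict; None if the line is not an ipmon record."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in INT_FIELDS:
        ev[key] = int(ev[key])
    ev["flags"] = ev["flags"] or ""          # UDP/ICMP records carry no TCP flags
    ev["blocked"] = ev["action"] == "b"
    return ev

def blocked_stateful_replies(lines, service_ports) -> List[Dict[str, object]]:
    """Blocked outbound TCP SYN/ACKs sourced from a port that a 'keep state' rule
    covers.  With state tracking working, the state table passes these before any
    catch-all rule is consulted, so a hit means the SYN never created state."""
    hits = []
    for line in lines:
        ev = parse_ipmon(line)
        if ev is None or not ev["blocked"] or ev["proto"] != "tcp" or ev["dir"] != "OUT":
            continue
        if "S" in ev["flags"] and "A" in ev["flags"] and ev["sport"] in service_ports:
            hits.append(ev)
    return hits

# Constructed sample: the line from the post, a passed SYN, and an unrelated block.
SAMPLE_LOG = [
    "Nov  7 18:48:46 fw ipmon[111]: [ID 702911 local0.warning] 18:48:45.520290 le2 @0:15 b "
    "y,22 -> x,44605 PR tcp len 20 44 -AS OUT",
    "18:48:45.100000 le2 @200:1 p x,44605 -> y,22 PR tcp len 20 44 -S IN",
    "18:49:01.000000 le2 @0:15 b z,40000 -> y,23 PR tcp len 20 44 -S IN",
]

if __name__ == "__main__":
    for ev in blocked_stateful_replies(SAMPLE_LOG, {22}):
        print("state not tracked? rule @%(group)d:%(rule)d blocked %(src)s,%(sport)d -> "
              "%(dst)s,%(dport)d %(flags)s %(dir)s" % ev)
```

The service port set should list the ports your "keep state" pass rules cover; a hit after an ipf upgrade with an unchanged ruleset is the regression described in the post.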
