Last week I ported our firewall (working as a transparent router with special
proxyarp daemons on both interfaces) using IPF 3.4.35 from a Solaris 7_x86 PC
to a Solaris 9 Sun Fire V210 (64 bit only).  In either case, IPF was compiled
on the firewall machine. The only differences were that I now added "-xO2" to
the XARCH32 in buildsunos (line 73) and used Forte 7 cc (SPARC) instead of
gcc-2.95.2 (x86).
The configurations in ipf.conf and ipnat.conf remained identical, except
for the names and addresses of the interfaces. For FTP, we use the builtin
proxy without NAT and no other NAT rules (bge0 is the inner, bge1 the outer
interface):
# For active FTP from inside to outer server (without NAT)
map bge1 0/0 -> 0/0 proxy port ftp ftp/tcp
# For passive FTP from outside to inner server (without NAT)
map bge0 from any to OUR.FTP.SERVER/32 -> 0/0 proxy port ftp ftp/tcp

Whereas this has always worked on the PC, now no FTP packets are passed
in either direction. For outgoing FTP, "snoop -d bge0" shows connection
attempts but "snoop -d bge1" does not show any packets on the outer
interface, although there are no blocked packets logged.
"ipfstat -t" shows state 2/0; "ipnat -l" looks like this:
MAP 134.76.92.135   42576 <- -> 134.76.92.135   42576 [134.100.9.64 21]
        proxy ftp/6 use 2 flags 0
                proto 6 flags 0 bytes 0 pkts 0 data YES size 408
        FTP Proxy:
                passok: 1
        Client:
                seq 0000000000000000 len 0 junk 0 cmds 0
                buf [\000]
        Server:
                seq 0000000000000000 len 0 junk 0 cmds 0
                buf [\000]
Thus at least the mapping appears o.k.
What can the reason be? The -xO2 option? The 64-bit mode? Unfortunately,
this machine does not support 32-bit mode. Presently, I do not want to
upgrade to IPF 4.1.x because of the stability problems reported with
Solaris.
