Hans Werner Strube wrote:
> Hans Werner Strube wrote:
> > Last week I ported our firewall (working as a transparent router with
> > special proxyarp daemons on both interfaces) using IPF 3.4.35 from a
> > Solaris 7_x86 PC to a Solaris 9 Sun Fire V210 (64 bit only)
...
> > Whereas this has always worked on the PC, now no FTP packets are passed
> > in either direction.
...
> Just for testing, I added other (not FTP related) map rules without proxy;
> these worked well.
>
> Looking at the "make solaris" output, I found many warnings by the compiler,
> concerning implicitly defined types and functions, also warnings due to the
> K&R-style function calls.
> Could there be an inconsistency in 64-bit mode due to these?
Now I recompiled the kernel module without the -xO2 optimization and added
some #includes and fixed some missing types to avoid the compiler warnings.
Testing with the new module (but the old program binaries) showed no
difference. Thus I guess the bug might be in the treatment of the 64-bit
mode.
Dear readers, please tell me about your experiences with the FTP proxy in
64-bit Solaris!
Here is the output of ipnat -lv when trying an outgoing FTP connection to
an outer server 134.76.11.100 (bge0 is the inner, bge1 the outer interface):
List of active MAP/Redirect filters:
map bge1 0.0.0.0/0 -> 0.0.0.0/0 proxy port ftp ftp/tcp
map bge0 from any to OUR.FTP.SERVER/32 -> 0.0.0.0/0 proxy port ftp ftp/tcp
List of active sessions:
MAP MY.CLIENT 46565 <- -> MY.CLIENT 46565 [134.76.11.100 21]
age 457 use 0 sumd 0/hw(0x7443) pr 6 bkt 1170/1170 flags 1 drop 0/3
ifp bge1 bytes 128 pkts 3 0
proxy ftp/6 use 2 flags 0
proto 6 flags 0 bytes 0 pkts 0 data YES size 408
state[0,0], sel[0,0]
seq: off 0/0 min 0/0
ack: off 0/0 min 0/0
FTP Proxy:
passok: 1
Client:
seq 0000000000000000 len 0 junk 0 cmds 0
buf [\000]
Server:
seq 0000000000000000 len 0 junk 0 cmds 0
buf [\000]
List of active host mappings:
MY.CLIENT -> 0.0.0.0 (use = 1 hv = 2020)
It does not help if I replace 0/0 -> 0/0 by MY.CLIENT -> MY.CLIENT in
the bge1 NAT rule, just for testing. I also repeat that the "vanished"
packets are not logged as blocked and are not visible with snoop -d bge1.