Solved!
Hans Werner Strube wrote:
> I always liked IPF because of its well-functioning FTP proxy and had
> 3.4.x (finally, 3.4.35) running for years on a Solaris 7_x86 PC with
> two interfaces (routing). This was replaced by a Solaris 9 SunFire V210
> (64 bit only), with IPF 3.4.35 compiled on it and the same configuration
> as on the PC. Then with FTP proxy rules in ipnat.conf, IPF did not pass any
> FTP-related packets (not even those of the control connection) to the other
> interface, as verified by snoop.

Now I found a solution, or rather, a workaround. As the firewall had to
be rebooted for other reasons, I made an entry in /etc/syslog:
set ip:dohwcksum=0

This fixed the problem! The SunFire V210 has bge network interfaces, which
do hardware checksumming by default. As is known, ipfilter NAT does not
work correctly with hardware checksumming.

> Also, no-proxy NAT works correctly through the firewall.

This was not true, but my tests had not shown it (at that time we did not
actually use NAT; we recently tried it). Also fixed by dohwcksum=0.

But why does Solaris ipfilter not handle dohwcksum=1 correctly? After all,
this parameter _is_ tested in ip_nat.c, ip_proxy.c, and solaris.c.

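An added illustration (not code from the post above or from ipfilter) of why a NAT that patches checksums incrementally can break when the stack leaves the checksum for the NIC to finish, and why forcing the checksum into software before the filter sees the packet (as dohwcksum=0 does) avoids it. The IPv4/TCP packet, the addresses and the FTP payload are constructed, and the "partial offload" convention (the stack seeds the TCP checksum field with the pseudo-header sum and the NIC completes the sum on transmit) is an assumption made for the demonstration, not a description of the bge driver or of the Solaris ipfilter code path.

```c
/* Added example (not from the original post or from ipfilter): incremental NAT
 * checksum fix-ups versus checksums deferred to a NIC.  Packet, addresses and
 * the partial-offload NIC convention are constructed/assumed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HLEN  20
#define TCP_HLEN 20
#define PKT_MAX  128
#define PAYLOAD  "USER anon\r\n"   /* constructed FTP control data, odd length */
#define INSIDE   0xC0A80102u       /* 192.168.1.2  inside host   (constructed) */
#define SERVER   0xCB007101u       /* 203.0.113.1  FTP server    (constructed) */
#define OUTSIDE  0xC6336401u       /* 198.51.100.1 NAT address   (constructed) */

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1071 one's-complement sum and fold. */
static uint32_t sum_bytes(const uint8_t *b, size_t len, uint32_t sum) {
    size_t i;
    for (i = 0; i + 1 < len; i += 2) sum += get16(b + i);
    if (len & 1) sum += (uint32_t)b[len - 1] << 8;
    return sum;
}
static uint16_t fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}
/* TCP pseudo-header: src, dst, zero byte, protocol 6, TCP length. */
static uint32_t pseudo_sum(const uint8_t *pkt, size_t len) {
    return (uint32_t)get16(pkt + 12) + get16(pkt + 14) + get16(pkt + 16) + get16(pkt + 18)
           + 6 + (uint32_t)(len - IP_HLEN);
}
/* Sum of the TCP segment with its checksum field zeroed, seeded with `seed`. */
static uint16_t tcp_sum_seeded(const uint8_t *pkt, size_t len, uint32_t seed) {
    uint8_t tmp[PKT_MAX];
    memcpy(tmp, pkt, len);
    put16(tmp + IP_HLEN + 16, 0);
    return fold(sum_bytes(tmp + IP_HLEN, len - IP_HLEN, seed));
}
/* Receiver-side checks: a valid checksum makes the whole sum fold to 0xffff. */
static int tcp_checksum_ok(const uint8_t *pkt, size_t len) {
    return fold(sum_bytes(pkt + IP_HLEN, len - IP_HLEN, pseudo_sum(pkt, len))) == 0xffff;
}
static int ip_checksum_ok(const uint8_t *pkt) { return fold(sum_bytes(pkt, IP_HLEN, 0)) == 0xffff; }

/* RFC 1624 incremental update of one 16-bit word: HC' = ~(~HC + ~m + m'). */
static uint16_t csum_incr(uint16_t hc, uint16_t m, uint16_t m_new) {
    return (uint16_t)~fold((uint16_t)~hc + (uint32_t)(uint16_t)~m + m_new);
}
/* NAT source rewrite the way a packet filter does it: it assumes both checksum
 * fields already hold complete checksums and patches them incrementally. */
static void nat_rewrite_src(uint8_t *pkt, uint32_t new_src) {
    uint32_t old = get32(pkt + 12);
    uint16_t oh = (uint16_t)(old >> 16), ol = (uint16_t)old;
    uint16_t nh = (uint16_t)(new_src >> 16), nl = (uint16_t)new_src;
    uint16_t ipc  = csum_incr(csum_incr(get16(pkt + 10), oh, nh), ol, nl);
    uint16_t tcpc = csum_incr(csum_incr(get16(pkt + IP_HLEN + 16), oh, nh), ol, nl);
    put32(pkt + 12, new_src); put16(pkt + 10, ipc); put16(pkt + IP_HLEN + 16, tcpc);
}
static size_t build_packet(uint8_t *pkt) {
    size_t plen = strlen(PAYLOAD), len = IP_HLEN + TCP_HLEN + plen;
    memset(pkt, 0, PKT_MAX);
    pkt[0] = 0x45; put16(pkt + 2, (uint16_t)len); pkt[8] = 64; pkt[9] = 6;
    put32(pkt + 12, INSIDE); put32(pkt + 16, SERVER);
    put16(pkt + IP_HLEN, 40000); put16(pkt + IP_HLEN + 2, 21);   /* sport, dport 21 */
    pkt[IP_HLEN + 12] = 0x50; pkt[IP_HLEN + 13] = 0x18;          /* data offset 5, PSH|ACK */
    memcpy(pkt + IP_HLEN + TCP_HLEN, PAYLOAD, plen);
    put16(pkt + 10, (uint16_t)~fold(sum_bytes(pkt, IP_HLEN, 0)));
    return len;
}
/* Each scenario returns ip_ok*2 + tcp_ok, so 3 means both checksums verify. */
int scenario_software_checksum(void) {   /* dohwcksum=0: full checksum before NAT */
    uint8_t pkt[PKT_MAX]; size_t len = build_packet(pkt);
    put16(pkt + IP_HLEN + 16, (uint16_t)~tcp_sum_seeded(pkt, len, pseudo_sum(pkt, len)));
    nat_rewrite_src(pkt, OUTSIDE);
    return ip_checksum_ok(pkt) * 2 + tcp_checksum_ok(pkt, len);
}
int scenario_hw_offload(void) {          /* field holds only the pseudo-header seed */
    uint8_t pkt[PKT_MAX]; size_t len = build_packet(pkt);
    put16(pkt + IP_HLEN + 16, fold(pseudo_sum(pkt, len)));
    nat_rewrite_src(pkt, OUTSIDE);       /* NAT patches the seed as if it were final */
    put16(pkt + IP_HLEN + 16, (uint16_t)~tcp_sum_seeded(pkt, len, get16(pkt + IP_HLEN + 16)));
    return ip_checksum_ok(pkt) * 2 + tcp_checksum_ok(pkt, len);
}
int scenario_hw_offload_reseeded(void) { /* an offload-aware NAT reseeds instead */
    uint8_t pkt[PKT_MAX]; size_t len = build_packet(pkt);
    put16(pkt + IP_HLEN + 16, fold(pseudo_sum(pkt, len)));
    nat_rewrite_src(pkt, OUTSIDE);
    put16(pkt + IP_HLEN + 16, fold(pseudo_sum(pkt, len)));   /* seed from the new header */
    put16(pkt + IP_HLEN + 16, (uint16_t)~tcp_sum_seeded(pkt, len, get16(pkt + IP_HLEN + 16)));
    return ip_checksum_ok(pkt) * 2 + tcp_checksum_ok(pkt, len);
}
int main(void) {
    printf("software checksum, then NAT   : %d\n", scenario_software_checksum());   /* 3 */
    printf("offload seed, NAT, NIC finish : %d\n", scenario_hw_offload());          /* 2 */
    printf("offload, NAT reseeds, NIC     : %d\n", scenario_hw_offload_reseeded()); /* 3 */
    return 0;
}
```

Compile with any C compiler (cc -o cksum cksum.c). The second scenario is the one that matches the symptom: the IP header checksum survives the rewrite, but the TCP checksum the NIC finally writes is wrong by twice the address delta, so the far end silently drops the segment and the control connection never gets through. On the firewall itself, once the /etc/system entry is in place and the box has been rebooted, the live value of the tunable can be read with mdb (echo 'dohwcksum/D' | mdb -k), which is a quicker check than repeating the snoop test.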