Ricardo Stella wrote on 03/13/06 15:08:
Hello,
I've tried searching the list, but it's impossible to search for
'Solaris 10' as the 10 gets excluded regardless. Anyway, we are porting
some systems over to new hardware and management figures we should now
use Sun's version due to contract issues. But it's not working and we
are getting nowhere with them. Note that the same ruleset works well under
Solaris 8, 9 and ipf 4.1.10.
You found the shortcut to the Sun engineers who should be able to help
you out.
We have a Cisco Pix that does a static NAT. (ie one to one static fixed
translation, no port mangling/forwarding) We took all ACLs out,
basically putting the box on the edge. We configured IPFilter with a
simple ruleset to allow SSH and telnet. Still it blocks external
traffic, when it has no problems with internal. Turn IPF off and it
works fine. Same config on the Pix works fine for the Solaris 9 boxes,
or any other box, yet Sun of course blames it elsewhere.
The idea of turning IP Filter on and off is a little different with
Solaris 10. With the addition of SMF, you should check for the ipfilter
and pfil services with
#svcs | grep ipfilter
#svcs | grep pfil
BTW, not a hardware/chipset issue, as this is happening on both Sparc
(with a bge nic) and an old Intel PC with an elx nic.
The rule is as follows:
[...]
pass in quick on elxl0 proto tcp from any to any port = 23 flags S keep state
This is the rule which should be hit.
Verify this with
#ipfstat -hi
[...]
Logs show:
Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:36.266417 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN
Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:36.266697 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN
Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:36.266794 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN
Mar 13 17:59:38 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:38.103502 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN
but appears to not match that rule and drop through to the default
drop/log rule at the end.
[...]
ipfstat -io
pass out quick on lo0 all
pass out quick on elxl0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on elxl0 proto udp from any to any keep state keep frags
pass out quick on elxl0 proto icmp from any to any icmp-type unreach
pass out quick on elxl0 proto icmp from any to any keep state
pass in quick on lo0 all
block in log quick from any to any with short
pass in quick on elxl0 proto tcp from any to any port = ssh flags S/FSRPAU keep state
And it looks like it was properly loaded.
While that rule should work, try it without the tcp flags designation,
as that's the only thing that's distinctive about this rule.
-Mike
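An added example, not code from the thread and not an IPFilter tool: a small Python parser for the ipmon log lines Ricardo posted, which classifies each blocked TCP packet by its TCP flags. The point it makes visible is the one Mike's "try it without the flags" hint turns on: the ipfstat listing on this page shows that `flags S` is stored as `flags S/FSRPAU`, i.e. the rule matches only a packet with SYN set and FIN/RST/PSH/ACK/URG clear, and every logged packet above carries -A or -AP, so none of them is a bare SYN. The sample input is the four wrapped log lines joined back into one record each, plus one made-up -S record so both branches run; the regex, the record layout and the function names are this example's own assumptions, and the regex only handles the TCP/UDP "addr,port" form (ICMP lines return None).

```python
"""Parse ipmon(8) log lines and sort blocked TCP packets into bare SYNs versus
mid-stream packets.  Added example; the regex and names below are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ipmon record (syslog prefix optional; the thread shows it wrapped by mail):
#   17:59:36.266417 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN
IPMON_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+"
    r"(?P<src>[\w.:]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.:]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+"   # TCP flag letters; absent for udp
    r"(?P<dir>IN|OUT)\b"
)


@dataclass
class IpmonRecord:
    time: str
    iface: str
    group: int
    rule: int
    action: str          # 'b' = block, 'p' = pass (ipmon has a few other letters)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: frozenset     # set of flag letters as ipmon prints them (S A P F R U)
    direction: str

    @property
    def syn_only(self) -> bool:
        """True when the packet satisfies IPFilter's `flags S` (== S/FSRPAU):
        SYN set and FIN/RST/PSH/ACK/URG all clear."""
        return self.flags == frozenset("S")


def parse_ipmon_line(line: str) -> Optional[IpmonRecord]:
    """Return a record for a TCP/UDP ipmon line, or None if it does not parse."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    return IpmonRecord(
        time=m["time"], iface=m["iface"],
        group=int(m["group"]), rule=int(m["rule"]), action=m["action"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], flags=frozenset(m["flags"] or ""), direction=m["dir"],
    )


def classify_blocked_tcp(lines: List[str]) -> Dict[str, object]:
    """Count blocked TCP packets per @group:rule reference and split them into
    bare SYNs (which a `flags S` rule can match) and everything else."""
    out: Dict[str, object] = {"blocked_total": 0, "syn_only": 0, "mid_stream": 0, "by_rule": {}}
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec.proto != "tcp" or rec.action != "b":
            continue
        out["blocked_total"] += 1
        key = f"@{rec.group}:{rec.rule}"
        out["by_rule"][key] = out["by_rule"].get(key, 0) + 1
        out["syn_only" if rec.syn_only else "mid_stream"] += 1
    return out


# Constructed sample: the thread's four wrapped lines joined back together,
# plus one made-up -S record (last line) so the SYN branch is exercised too.
PREFIX = "Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] "
SAMPLE_LOG = [
    PREFIX + "17:59:36.266417 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN",
    PREFIX + "17:59:36.266697 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN",
    PREFIX + "17:59:36.266794 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN",
    PREFIX + "17:59:38.103502 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN",
    PREFIX + "17:59:40.000001 elxl0 @0:8 b 130.xx.xx.xx,21732 -> 10.0.0.10,23 PR tcp len 20 60 -S IN",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_ipmon_line(line)
        verdict = "bare SYN" if rec.syn_only else "not a bare SYN: `flags S` cannot match it"
        print(rec.time, rec.src, "->", rec.dst, rec.dport, "".join(sorted(rec.flags)), verdict)
    print(classify_blocked_tcp(SAMPLE_LOG))
```

Run it against a real ipmon log (one record per line; syslog prefix or not) to see whether the packets falling through to the default block rule are connection attempts or packets from a connection whose state entry was never created.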