Michael Lim wrote:
> Ricardo Stella wrote On 03/13/06 15:08,:
>> Hello,
>>
>> I've tried searching the list, but it's impossible to search for
>> 'Solaris 10' as the 10 gets excluded regardless. Anyway, we are porting
>> some systems over to new hardware and management figures we should now
>> use Sun's version due to contract issues. But it's not working and we
>> are getting nowhere with them. Note that the same ruleset works well under
>> Solaris 8, 9 and ipf 4.1.10.
>
> You found the shortcut to the Sun engineers who should be able to help
> you out.

Unfortunately they are so far no help (level 2 escalated for over 3 days already).

>> We have a Cisco Pix that does a static NAT (i.e. one-to-one static fixed
>> translation, no port mangling/forwarding). We took all ACLs out,
>> basically putting the box on the edge. We configured IPFilter with a
>> simple ruleset to allow SSH and telnet. Still it blocks external
>> traffic, when it has no problems with internal. Turn IPF off and it
>> works fine. Same config on the Pix works fine for the Solaris 9 boxes,
>> or any other box, yet Sun of course blames it elsewhere.
>
> The idea of turning IP Filter on and off is a little different with
> Solaris 10. With the addition of SMF, you should check for the ipfilter
> and pfil services with
>
> #svcs | grep ipfilter
> #svcs | grep pfil

Yes, familiar with it - we've been using Solaris 10 for over 6 months now internally...

>> BTW, not a hardware/chipset issue, as this is happening on both Sparc
>> (with bge nic) and an old Intel PC with an elx nic.
>>
>> The rule is as follows:
>
> [...]
>
>> pass in quick on elxl0 proto tcp from any to any port = 23 flags S keep
>> state
>
> This is the rule which should be hit.
>
> Verify this with
> #ipfstat -hi
>
> [...]

As you see below from the logs it doesn't...
>> Logs show:
>>
>> Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:36.266417 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN
>> Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:36.266697 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN
>> Mar 13 17:59:36 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:36.266794 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN
>> Mar 13 17:59:38 xxx.xxx.xxx ipmon[142]: [ID 702911 local0.warning] 17:59:38.103502 elxl0 @0:8 b 130.xx.xx.xx,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN
>
> but appears to not match that rule and drop through to the default
> drop/log rule at the end.
>
> [...]
>
>> ipfstat -io
>> pass out quick on lo0 all
>> pass out quick on elxl0 proto tcp from any to any flags S/FSRPAU keep state keep frags
>> pass out quick on elxl0 proto udp from any to any keep state keep frags
>> pass out quick on elxl0 proto icmp from any to any icmp-type unreach
>> pass out quick on elxl0 proto icmp from any to any keep state
>> pass in quick on lo0 all
>> block in log quick from any to any with short
>> pass in quick on elxl0 proto tcp from any to any port = ssh flags S/FSRPAU keep state
>
> And it looks like it was properly loaded.
>
> While that rule should work, try it without the tcp flags designation
> as that's the only thing that's distinctive about this rule.
>
> -Mike

Taking out the 'flags S' makes it work (at least for telnet now) - thanks for the tip - it never occurred to me to try it without the flag. Which gives me more fuel to push Sun into looking at it. Anyone else with ideas as to what would be causing this?

TIA.
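Added example, not from the thread or from IPFilter itself: a small parser for the ipmon(8) line format quoted above that classifies each blocked TCP packet by its flags, so a reader can tell whether the SYN itself was refused (the pass rule never matched) or whether, as in the logs above, only ACK/PSH packets are dropped at the logging block rule, which means no state entry existed for the flow. The sample lines are constructed from the quoted output with a documentation-range source address and a placeholder hostname.

```python
import re
from collections import defaultdict

# Matches the ipmon body of the thread's syslog lines (@group:rule = logging rule,
# b/p = block/pass, -A/-AP/-S = TCP flags), e.g.
#   17:59:36.266417 elxl0 @0:8 b 192.0.2.7,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN
IPMON_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)"
)

def parse_ipmon(line):
    """Return the fields of one ipmon log line as a dict, or None if it does not match."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["flags"] = fields["flags"] or ""   # UDP/ICMP entries carry no flag field
    return fields

def classify_block(entry):
    """Say why a blocked TCP packet fell through to the logging block rule."""
    flags = entry["flags"]
    if "S" in flags and "A" not in flags:
        return "syn-blocked"   # the SYN itself matched no 'pass ... flags S' rule
    if "A" in flags:
        return "no-state"      # mid-stream packet: no state entry exists for this flow
    return "other"

def summarize(lines):
    """Count blocked SYNs vs. blocked mid-stream packets per flow and logging rule."""
    flows = defaultdict(lambda: {"syn-blocked": 0, "no-state": 0, "other": 0})
    for line in lines:
        entry = parse_ipmon(line)
        if entry is None or entry["action"] != "b" or entry["proto"] != "tcp":
            continue
        key = (entry["src"], entry["sport"], entry["dst"], entry["dport"], entry["rule"])
        flows[key][classify_block(entry)] += 1
    return dict(flows)

# Constructed sample lines modelled on the thread's ipmon output; 192.0.2.7 replaces
# the poster's masked 130.xx.xx.xx source and "host" the masked hostname.
PREFIX = "Mar 13 17:59:36 host ipmon[142]: [ID 702911 local0.warning] "
SAMPLE = [
    PREFIX + "17:59:36.266417 elxl0 @0:8 b 192.0.2.7,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN",
    PREFIX + "17:59:36.266697 elxl0 @0:8 b 192.0.2.7,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN",
    PREFIX + "17:59:36.266794 elxl0 @0:8 b 192.0.2.7,21731 -> 10.0.0.10,23 PR tcp len 20 40 -A IN",
    PREFIX + "17:59:38.103502 elxl0 @0:8 b 192.0.2.7,21731 -> 10.0.0.10,23 PR tcp len 20 58 -AP IN",
    PREFIX + "17:59:40.000101 elxl0 @0:8 b 192.0.2.7,40001 -> 10.0.0.10,25 PR tcp len 20 60 -S IN",
]
```

A flow whose only blocked packets are ACK/PSH, as for port 23 in the sample, points at state creation or lookup rather than at the wording of the pass rule.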
