At 10:31 AM 7/4/2006, Davide De Nicolo XX (SA/ERI) wrote:
# See ipf(4) manpage for more information on
# IP Filter rules syntax.

pass in quick on lo0 all
pass out quick on lo0 all

pass in quick on hme0 proto tcp from 192.168.1.1 to any
pass out quick on hme0 proto tcp from any to any
block in quick on hme0 all
block out quick on hme0 all



So, I think that if IPFilter receives a TCP packet from 192.168.1.1, it
will pass; otherwise it's blocked.

If I connect from 192.168.1.1 to the telnet daemon on the host where IPF is started, my
connection is blocked! Why?


First off, you can't filter on lo with Solaris, so those rules are a waste.
The loopback interface on Solaris is a "fake" interface. You cannot filter it, nor can you snoop it. This is for performance reasons. Virtual interfaces in Solaris are very similar; to filter on them, use the physical interface instead.

As far as your issue...
Perhaps you're not setting keep state?

# Pass LAN traffic to/from internal interface
pass in quick on hme0 all keep state keep frags
pass out quick on hme0 all keep state keep frags


These rules above will cover tcp/udp/icmp.

Try adding a 'keep state' after your tcp rule?

-JD
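As an added illustration of JD's point (not code from either poster), here is a toy Python evaluator of ipf's "last match wins unless quick" semantics with a simplified state table. The server address 192.168.1.10, the SYN/SYN-ACK packets and the stripped-down rule sets are constructed for the example, and the lo0 rules are left out since Solaris does not filter that interface anyway.

```python
# Toy evaluator for ipf rule semantics ("last match wins unless quick") with a
# simplified keep-state table that also passes the reply packets of a passed flow.
from collections import namedtuple

Packet = namedtuple("Packet", "direction iface proto src dst")  # direction: in/out

def parse_rule(line):
    t = line.split()
    opt = lambda kw, default: t[t.index(kw) + 1] if kw in t else default
    return {"action": t[0], "dir": t[1], "quick": "quick" in t,
            "iface": opt("on", None), "proto": opt("proto", "any"),
            "src": opt("from", "any"), "dst": opt("to", "any"),
            "keep_state": "keep state" in line}

def matches(r, p):
    return (r["dir"] == p.direction and r["iface"] in (None, p.iface)
            and r["proto"] in ("any", p.proto)
            and r["src"] in ("any", p.src) and r["dst"] in ("any", p.dst))

def filter_packet(rules, p, state):
    # A state entry matches both directions of the flow, so replies bypass the rules.
    key = (p.iface, p.proto, frozenset((p.src, p.dst)))
    if key in state:
        return "pass"
    last = None
    for r in rules:
        if matches(r, p):
            last = r
            if r["quick"]:  # quick: the first matching rule is final
                break
    if last is None:  # ipf passes a packet that matches no rule at all
        return "pass"
    if last["action"] == "pass" and last["keep_state"]:
        state.add(key)
    return last["action"]

def telnet_handshake(rules_text, client="192.168.1.1", server="192.168.1.10"):
    # Verdicts for the client's SYN (in on hme0) and the server's SYN-ACK (out on hme0).
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    state = set()
    syn = Packet("in", "hme0", "tcp", client, server)
    syn_ack = Packet("out", "hme0", "tcp", server, client)
    return filter_packet(rules, syn, state), filter_packet(rules, syn_ack, state)

# Constructed rule sets: the original poster's, and a tighter one with/without keep state.
POSTER = """pass in quick on hme0 proto tcp from 192.168.1.1 to any
pass out quick on hme0 proto tcp from any to any
block in quick on hme0 all
block out quick on hme0 all"""
STATELESS = POSTER.replace("pass out quick on hme0 proto tcp from any to any\n", "")
STATEFUL = STATELESS.replace("to any", "to any keep state", 1)
```

In this model the poster's own rule set passes both packets because its catch-all `pass out` rule covers the reply; the tighter variants show that once that catch-all is removed, only the `keep state` rule lets the SYN-ACK back out.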
