Hi, for a small test setup I have this ipf.conf:
----------------------------------------------------------------------
block return-rst in quick proto tcp from any to any port = 4711
pass out quick proto tcp from any port = 4711 to any flags R/RSFUP
pass in all
pass out all
----------------------------------------------------------------------

This is nearly a copy from the ipf FAQ.

Using this setup on Solaris 9 with ipf v3.4.35 works as expected. A 'telnet <system> 4711' gives me a 'connection refused'.

Using the same config on Solaris 10 with ipf v4.0.3 did not work. The telnet comes back with 'connection timed out'.

The FAQ tells us the second line above is necessary to get the packet out of the network stack. On Solaris 9 this really happens:

----------------------------------------------------------------------
# ipfstat -ihn
2 @1 block return-rst in quick proto tcp from any to any port = 4711
23653 @2 pass in from any to any
# ipfstat -ohn
2 @1 pass out quick proto tcp from any port = 4711 to any flags R/FSRPU
9869 @2 pass out from any to any
----------------------------------------------------------------------

On Solaris 10 this line seems not to match:

----------------------------------------------------------------------
# ipfstat -ihn
2 @1 block return-rst in quick proto tcp from any to any port = 4711
182 @2 pass in all
# ipfstat -ohn
0 @1 pass out quick proto tcp from any port = 4711 to any flags R/FSRPU
201 @2 pass out all
----------------------------------------------------------------------

What's wrong here? What has to be changed in the config to get return-rst working again? I tried to find something about this on the net without success.

Any help is appreciated.

Willi
