There are a lot of things I *wish* I could do.
Can't drop ping packets as these are production systems and we need it for status monitoring.
Can't upgrade to Solaris 10 because these are Banner systems; if you are in academia you know something about what that means. Lots of pressure about don't change anything.
So far my efforts to get IP Filter on these systems have been turned back, as we cannot get it to support FTP without crashing our development system sporadically. In any sane data-center we would turn off FTP, but in academia you have little pockets of users here and there with batch files that were written a decade ago, and by God they are not going to change anything if they can avoid it.
I've seen hints in the mailing lists that the NAT functionality has bugs and that may be what I am running into. I just wish I knew how to know for sure. I'll grab a copy of the crash dump file and read up on how to look into that, maybe I'll find something useful to the list.
Thanks for the ideas though everyone!
Rabellino Sergio wrote:
Vincent Fox wrote:
Has anyone any experience of recent IP Filter releases totally hanging the system?
As in becomes unresponsive and only a STOP-A will let you generate a crash dump.
Details:
We are using the NAT function but only for its proxy to make FTP work
Solaris 9
ipf 4.1.13
pfil 2.1.11
A case with the crash-dump sent to Sun, only results in "non-Solaris software, remove it".
Which is not really helpful as we need some kind of software firewall.
What other alternatives are there for Solaris 9 anyhow?
I am compiling 4.1.17 on the hopes that might fix it.
Yes, I've discovered that a simple ping to or through the NAT hangs Solaris at all.
I've introduced an ipf rule to deny all the ping packets and the NAT works fine, until the next update.
Bye.