The packets shown as dropped:

    eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN

do not match your rules for access.

    Source         s.port   Destination    d.port
    123.456.70.59  52740    123.456.78.11  32772

isn't allowed anywhere I see. As mentioned previously, you've got quick and non-quick rules set, which makes troubleshooting more of a pain. Your outbound rules aren't set to quick.

If your intent is to allow all traffic from certain hosts or subnets, it's often easiest to forgo the flags statements, and include frag statements if you use applications written by lazy people who don't understand networking and like to stuff more than 1500 bytes of data down to the stack. The stuff in [brackets] are optional choices with my comments; don't use them in the real rules.

    pass in quick proto tcp from 123.456.70.0/26 to 123.456.70.59 [or any] keep state [keep frags (if you want)]
    pass in quick proto udp from 123.456.70.0/26 to 123.456.70.59 [or any] keep state
    pass in quick proto icmp from 123.456.70.0/26 to 123.456.70.59 [or any]
    pass out log all
    pass out quick proto tcp from 123.456.70.59 [or any] to any keep state
    pass out quick proto udp from 123.456.70.59 to any keep state
    pass out quick proto icmp from 123.456.70.59 to any
    pass out quick from 123.456.70.59 to any [if you're doing non tcp/udp/icmp stuff]

Hope that helps,
Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 18, 2007 2:49 PM
To: [email protected]
Subject: IPFilter 4.1.13 on Solaris 8 ... What am I missing?

Per Phil Dibowitz's suggestion, attached is an altered version of my ipf.conf file. It is only altered to change the real IPs to bogus IPs for protection / paranoia.

Realizing the confusion introduced by bogus IPs: our subnet is 70 (xxx.xxx.70.xx). So, in my previous email, substitute all references to subnet 78 with subnet 70 (ipmon log, etc.).

Phil is right. As shown in the attached file, blocks are done by rule 18:

    block in log all

Thanks, in advance, for any help that you may offer.

Charles

-----Original Message-----
From: Phil Dibowitz <[EMAIL PROTECTED]>
To: IP Filter <[email protected]>
Sent: Sun, 17 Jun 2007 6:57 pm
Subject: Re: IPFilter 4.1.13 on Solaris 8 ... What am I missing?

[EMAIL PROTECTED] wrote:
>
> As described below, I am still unable to deploy IPFilter because it
> blocks communication among trusted hosts within my domain. Since the
> Email below, I've explicitly coded "pass in quick ..." statements for
> each IP address in my subnet, yet blocks still occur.
>
> What am I missing?

According to these lines:

> Computer 123.456.78.11:
> 29/11/2006 12:16:35.785428 eri0 @0:18 b 123.456.78.59,52740 ->
> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
> 29/11/2006 12:16:36.713333 eri0 @0:18 b 123.456.78.59,52740 ->
> 123.456.78.11,32772 PR tcp len 20 40 -AF IN

It's blocked by rule 18, and NOT by OOW. Since you haven't included 18 rules, I suspect you're not giving us your whole ruleset. Without your whole ruleset, people are unlikely to look into this very far.

--
Phil Dibowitz                             [EMAIL PROTECTED]
Open Source software and tech docs        Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"Never write it in C if you can do it in 'awk';
 Never do it in 'awk' if 'sed' can handle it;
 Never use 'sed' when 'tr' can do the job;
 Never invoke 'tr' when 'cat' is sufficient;
 Avoid using 'cat' whenever possible" -- Taylor's Laws of Programming

________________________________________________________________________
Check Out the new free AIM(R) Mail -- 2 GB of storage and industry-leading spam and email virus protection.
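Editor's note, added below the thread: the three posters keep circling the same IPFilter evaluation semantics (which rule an ipmon "@group:rule" entry names, last match wins unless "quick", "flags S" matching only the SYN, "keep state" bypassing the rules for later packets of a flow). The script below is an added illustration of those semantics and is not code from Bill, Charles or Phil, nor a diagnosis of Charles's ruleset (which, as Phil says, cannot be judged without the whole file). It parses an ipmon line of the shape quoted above to pull out the deciding rule number and verdict, then replays constructed packets through toy rulesets. Assumptions: the 192.0.2.x addresses are a constructed RFC 5737 stand-in for the thread's bogus 123.456.70.x (which is not a parseable IPv4 address); "flags S" is modelled as "flags S/FSRPAU" (SYN set, none of the other five bits); the rule grammar is a deliberately small subset of ipf.conf, enough for the rules in the thread.

```python
"""Toy model of IPFilter rule evaluation (last match wins, 'quick', 'flags', 'keep state')
plus an ipmon log-line parser. Added illustration, not code from the thread."""
import ipaddress
import re
from collections import namedtuple

# Constructed ipmon line, patterned on the one quoted in the thread (bogus 123.456.x.x kept).
IPMON_LINE = ("29/11/2006 12:16:35.785428 eri0 @0:18 b 123.456.78.59,52740 -> "
              "123.456.78.11,32772 PR tcp len 20 40 -AF IN")
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)")


def parse_ipmon(line):
    """Extract deciding rule (@group:number), verdict (b/p), endpoints, proto, TCP flags, direction."""
    m = IPMON_RE.search(line)
    if not m:
        raise ValueError(f"not an ipmon packet line: {line!r}")
    d = m.groupdict()
    d["group"], d["rule"] = int(d["group"]), int(d["rule"])
    d["action"] = "block" if d["action"] == "b" else "pass"
    d["flags"] = d["flags"] or ""
    return d


# Restricted ipf.conf grammar (assumed subset, enough for the rules in the thread):
#   action dir [log] [quick] [proto P] (from S to D | all) [flags F] [keep state]
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?P<log> log)?(?P<quick> quick)?"
    r"(?: proto (?P<proto>\w+))?(?: from (?P<src>\S+) to (?P<dst>\S+)| all)"
    r"(?: flags (?P<flags>[A-Z]+))?(?P<state> keep state)?$")
# src/dst: IPv4Network or None (= any); flags "S" modelled as S/FSRPAU (only SYN of those six bits)
Rule = namedtuple("Rule", "action direction quick proto src dst flags keep_state")
Packet = namedtuple("Packet", "direction proto src sport dst dport flags", defaults=[""])


def parse_rule(text):
    m = RULE_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    g = m.groupdict()
    net = lambda t: None if t in (None, "any") else ipaddress.ip_network(t, strict=False)
    return Rule(g["action"], g["dir"], bool(g["quick"]), g["proto"],
                net(g["src"]), net(g["dst"]), g["flags"], bool(g["state"]))


def matches(r, p):
    if r.direction != p.direction or (r.proto and r.proto != p.proto):
        return False
    if r.src and ipaddress.ip_address(p.src) not in r.src:
        return False
    if r.dst and ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.flags is not None:   # TCP only: compare the six FSRPAU bits against the rule's flags
        return p.proto == "tcp" and set(p.flags) & set("FSRPAU") == set(r.flags)
    return True


class Filter:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.state = set()   # flows created by 'keep state'; matched in both directions

    @staticmethod
    def _key(p):
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def filter(self, p):
        """Return (verdict, n): n = 1-based deciding rule, 0 if an existing state entry passed it."""
        if self._key(p) in self.state:
            return "pass", 0
        verdict, n = "pass", 0                 # ipf default when nothing matches: pass
        for i, r in enumerate(self.rules, 1):
            if matches(r, p):
                verdict, n = r.action, i       # last matching rule wins ...
                if r.quick:
                    break                      # ... unless it is quick
        if verdict == "pass" and n and self.rules[n - 1].keep_state:
            self.state.add(self._key(p))
        return verdict, n


def demo_quick_vs_last_match():
    """Same pass rule with and without 'quick', each followed by 'block in log all'."""
    pkt = Packet("in", "udp", "192.0.2.59", 5000, "192.0.2.11", 53)
    plain = Filter(["pass in proto udp from 192.0.2.0/26 to any", "block in log all"])
    quick = Filter(["pass in quick proto udp from 192.0.2.0/26 to any", "block in log all"])
    return plain.filter(pkt), quick.filter(pkt)   # (('block', 2), ('pass', 1))


def demo_flags(keep_state):
    """'flags S' matches only the handshake SYN; the connection's later ACK/FIN reaches the
    catch-all block unless the SYN's rule also kept state."""
    rule = "pass in quick proto tcp from 192.0.2.0/26 to any flags S"
    fw = Filter([rule + (" keep state" if keep_state else ""), "block in log all"])
    syn = Packet("in", "tcp", "192.0.2.59", 52740, "192.0.2.11", 32772, "S")
    fin = Packet("in", "tcp", "192.0.2.59", 52740, "192.0.2.11", 32772, "AF")
    return fw.filter(syn), fw.filter(fin)   # False: (('pass', 1), ('block', 2)); True: (('pass', 1), ('pass', 0))


if __name__ == "__main__":
    print(parse_ipmon(IPMON_LINE))
    print(demo_quick_vs_last_match(), demo_flags(False), demo_flags(True))
```

The two demos are the practical checks behind Bill's advice: with a non-quick pass followed by a catch-all "block in log all", the block is the last match and wins, so every packet is logged against that rule number; and a "flags S" pass rule without "keep state" admits only the handshake, so the -AF teardown segments of an otherwise allowed connection are what ends up in the ipmon log. Reading the "@group:rule" field, as Phil did, tells you which rule to go look at; the full ruleset is still needed to see why the earlier pass rules did not match.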
