If you compare the names of the functions used in solaris.c to the names
of the functions in /usr/include/sys/neti.h, you'll see what the problem is.
Darren
Brian H. Nelson wrote:
Hello.
I've searched and searched for any info on this situation and have not
had any luck. Any help is much appreciated!
I'm trying to use ipf to restrict web traffic on a terminal server to
our internal web sites only. I have a pretty simple set of rules in
and the 'restricting' part is working fine. The problem I'm having is
that even though my block rule is in with 'return-rst' it does not
seem to be working. Prohibited outbound connections still take many
seconds to time out instead of just being refused.
I have verified that return-rst does work for INbound connections,
albeit with the IRE/cache/route/arp bug that I have read about on
Solaris 10. I have checked (with ipmon) that the return packets are
not being blocked by ipf. In addition to return-rst, I have also tried
return-icmp and return-icmp-as-dest with the same result.
Here is my config:
block in log on e1000g0 all
block return-rst in log on e1000g0 proto tcp all
block out log on e1000g0 all
block return-rst out log on e1000g0 proto tcp all
pass out on e1000g0 from any to x.x.0.0/16 keep state
(x.x.0.0/16 is our campus network)
So far I have been trying this with the built-in ipf on Solaris 10
(4.1.9). I am working on getting ipf 5.1.0 installed on the server to
see if that makes any difference. I realize that this isn't a Solaris
support list. I'm just looking for any insight on this specific issue
with return-rst on outbound connections. Should it work? Is this a
bug? Has it been fixed in a later version of ipf or is it a Solaris bug?
Or feel free to suggest a better way to accomplish what I'm trying to
do if you know one.
Thanks much!
-Brian
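The symptom in the thread (blocked outbound connections timing out instead of being refused) can be verified from the client side by timing a TCP connect and classifying how it failed. The probe below is an added example, not code from the thread; the helper names (probe, free_local_port, local_listener) are hypothetical, and the standalone demo uses a closed localhost port as a constructed stand-in for a target that a return-rst rule should reject.

```python
import socket
import time


def probe(host: str, port: int, timeout: float = 5.0) -> tuple[str, float]:
    """Attempt a TCP connect and report (outcome, elapsed_seconds).

    outcome is one of "connected", "refused", "timeout", "unreachable".
    A working return-rst rule shows up as "refused" within milliseconds;
    a rule that silently drops the SYN shows up as "timeout" after the
    full wait, which matches the many-second delay described above.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        outcome = "connected"
    except ConnectionRefusedError:      # RST came back (peer or firewall)
        outcome = "refused"
    except socket.timeout:              # SYN dropped, nothing came back
        outcome = "timeout"
    except OSError:                     # ICMP unreachable (return-icmp) etc.
        outcome = "unreachable"
    finally:
        s.close()
    return outcome, time.monotonic() - start


def free_local_port() -> int:
    """Pick a loopback port that is currently closed (constructed test target)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def local_listener() -> socket.socket:
    """Open a loopback listener so a 'connected' outcome can be demonstrated."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    # Closed loopback port: the kernel answers with RST, so this should
    # print "refused" almost instantly. Point it at a host the firewall
    # blocks to see whether return-rst is taking effect or the SYN is dropped.
    port = free_local_port()
    outcome, secs = probe("127.0.0.1", port, timeout=5.0)
    print(f"127.0.0.1:{port} -> {outcome} after {secs:.3f}s")
```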