Brian H. Nelson wrote:
> Joseph Tam wrote:
> > On Wed, 19 May 2010, Brian H. Nelson wrote:
> > > I have verified that return-rst does work for INbound connections,
> > > albeit with the IRE/cache/route/arp bug that I have read about on
> > > Solaris 10.
> > How did you get this to work? Is there a patch that makes return-rst
> > work?
> > My Solaris10 ipf's still suffer from this malady.
> > Joseph Tam <[email protected]>
> I didn't exactly. I was only able to verify that it does work if the
> bug is worked around.
> I just found this post that seems to indicate that the return-rst
> problem on Solaris 10 is a problem in the kernel and not ipf:
> http://marc.info/?l=ipfilter&m=123887232610765&w=2
> I had found this Solaris bug previously, 6801301, that applies to
> return-rst on inbound connections. The workaround in there (pinging
> the host in question) does seem to 'enable' the reset packet to get
> sent. If you have a Solaris service contract, you could in theory
> raise an escalation on that bug.
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6801301
> However, I'm still not clear if that is the issue with or is related
> to trying to return-rst for outbound connections.
In general, it is difficult to generate a TCP RST packet for outgoing
connections because there is no way to supply an inbound packet and have
it not go through ipfilter again and into the kernel.
Darren