Well, it seems that ipfilter does the trick. For others with the problem, my solution is adding the following lines to the /etc/ipf/ipf.conf file:

    block out quick on e1000g0 to e1000g81000:81.5.113.1 from 81.5.113.0/24 to any
    block out quick on e1000g81000 to e1000g0:194.67.186.65 from !81.5.113.0/24 to any

This blocks packets going out on a certain interface with a certain source address and copies them to another certain interface and a destination host (by original intent it is an IDS logging intrusive packets). I'd have to test whether these lines should go before or after the actual firewalling rules (and the "quick" keyword may be undesirable here). In this particular scenario, however, the actual firewalling/filtering is done on the gateways, so I don't care much.

Also note that, as many authors state, this trick effectively disables the IP routing algorithms. While that may be desirable when these algorithms present problems, the trick leaves you vulnerable to connectivity loss on link failure (whereas IP would select another link to forward its packets).

Hope this helps,
//Jim

PS: I also hope that some of those CRs make it into production after a dozen years in discussion ;)
-- 
This message posted from opensolaris.org
_______________________________________________
networking-discuss mailing list
[email protected]
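The ordering question Jim leaves open (whether the rules go before or after the real filter rules, and whether "quick" belongs there) comes down to how IPFilter picks a winning rule: it walks the list top to bottom and the last matching rule wins, unless a matching rule carries "quick", which ends evaluation on the spot. The following is an added example, not code from the post or from IPFilter itself: a small Python model of that selection logic, parsing only the subset of ipf.conf syntax the two rules above use. The trailing catch-all pass rule and the destination address 198.51.100.7 are constructed for the example; the two source-routing rules are copied verbatim from the post.

```python
"""Model of IPFilter rule selection: last match wins unless a match is 'quick'.

Added example, not code from the post.  It parses only the ipf.conf subset
used there: action, direction, optional 'quick', 'on <iface>', an optional
policy-routing 'to <iface>:<nexthop>' before 'from', then 'from <src> to <dst>'.
Address specs may be 'any', a CIDR, or a negated '!CIDR'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                  # "block" or "pass"
    direction: str               # "in" or "out"
    quick: bool                  # stop evaluating once this rule matches
    iface: str                   # interface the rule is bound to ("on ...")
    route_iface: Optional[str]   # routing target from "to <iface>:<ip>", if any
    route_nexthop: Optional[str]
    src: str                     # "any", "<cidr>" or "!<cidr>"
    dst: str
    text: str                    # the rule as written


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the subset described in the module docstring."""
    toks = line.split()
    action, direction = toks[0], toks[1]
    i = 2
    quick = toks[i] == "quick"
    if quick:
        i += 1
    if toks[i] != "on":
        raise ValueError(f"expected 'on <iface>' in: {line}")
    iface = toks[i + 1]
    i += 2
    route_iface = route_nexthop = None
    # A "to" that appears before "from" is the routing option, not the
    # destination address selector.
    if toks[i] == "to":
        route_iface, _, route_nexthop = toks[i + 1].partition(":")
        route_nexthop = route_nexthop or None
        i += 2
    if toks[i] != "from" or toks[i + 2] != "to":
        raise ValueError(f"expected 'from <src> to <dst>' in: {line}")
    return Rule(action, direction, quick, iface, route_iface, route_nexthop,
                toks[i + 1], toks[i + 3], line)


def _addr_matches(spec: str, ip: str) -> bool:
    """True if ip satisfies an address spec ('any', CIDR, or '!CIDR')."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negated


def winning_rule(rules: List[Rule], direction: str, iface: str,
                 src: str, dst: str) -> Optional[Rule]:
    """Top-to-bottom walk; the last match wins unless a match is 'quick'."""
    winner = None
    for r in rules:
        if r.direction != direction or r.iface != iface:
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        winner = r
        if r.quick:
            break
    return winner


# The two rules from the post, as written there.
POST_RULES = [
    "block out quick on e1000g0 to e1000g81000:81.5.113.1 from 81.5.113.0/24 to any",
    "block out quick on e1000g81000 to e1000g0:194.67.186.65 from !81.5.113.0/24 to any",
]
# Constructed for this example: a catch-all pass rule placed after them, the
# kind of rule a real ipf.conf would typically end with.
LATER_PASS = "pass out on e1000g0 from any to any"


def route_for(rule_lines: List[str], iface: str, src: str,
              dst: str = "198.51.100.7") -> Tuple[Optional[str], Optional[str]]:
    """Return (winning rule text, 'iface:nexthop' routing target) for an
    outbound packet, or (None, None) if no rule matched."""
    r = winning_rule([parse_rule(l) for l in rule_lines], "out", iface, src, dst)
    if r is None:
        return None, None
    target = f"{r.route_iface}:{r.route_nexthop}" if r.route_iface else None
    return r.text, target


def without_quick(rule_lines: List[str]) -> List[str]:
    """Drop the 'quick' keyword, to show the ordering caveat raised in the post."""
    return [l.replace(" quick ", " ") for l in rule_lines]


if __name__ == "__main__":
    ruleset = POST_RULES + [LATER_PASS]
    print("with quick:   ", route_for(ruleset, "e1000g0", "81.5.113.10"))
    print("without quick:", route_for(without_quick(POST_RULES) + [LATER_PASS],
                                      "e1000g0", "81.5.113.10"))
```

Running it shows the point concretely: with "quick" present, a packet leaving e1000g0 from 81.5.113.10 is claimed by the first routing rule and gets the e1000g81000:81.5.113.1 target no matter what follows. Strip "quick" and put a generic pass rule after it, and the later rule wins, so the packet takes the ordinary routing-table path and the source-based steering silently disappears. If the routing rules must live above the real filter rules, "quick" is what makes them stick; if they are placed last, the keyword can be dropped, but then anything matching above them has no say.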
