ipfilter problem in Solaris 10 8/07

[Database Administrator]

Hi,

starting with Solaris 10 8/07 the output of the command

ifconfig bge0 modlist

reports

0 arp
1 ip
2 bge

although I have configured and enabled ipfilter. In Solaris 10 11/06
the command

ifconfig bge0 modlist

reports

0 arp
1 ip
2 pfil
3 bge

The ipfilter configuration on both systems are identical. The
installation
of the patches 127886-03 and 128493-01 doesn't solve this problem.
Has anything changed in the ipfilter behaviour between Solaris 10
11/06 and 8/07?
I found out that the file /etc/ipf/ipmon.pid is no longer present in
Solaris
10 8/07. No idea why?
Here are some configuration checks:

# grep bge /etc/ipf/pfil.ap
bge -1 0 pfil
# svcs -a | grep ipf
online svc:/network/ipfilter:default

Any hints are appreciated.

--
Thanks Roland

[Database Administrator]

On 7 Dez., 15:14, and...@cucumber.demon.co.uk (Andrew Gabriel) wrote:
> In article <5e57ddc5-19f9-4184-a9b2-6667379de...@e10g2000prf.googlegroups.com>,
> news_rt writes:
>
>
>
> > Hi,
>
> > starting with Solaris 10 8/07 the output of the command
>
> > ifconfig bge0 modlist
>
> > reports
>
> > 0 arp
> > 1 ip
> > 2 bge
>
> > although I have configured and enabled ipfilter. In Solaris 10 11/06
> > the command
>
> > ifconfig bge0 modlist
>
> > reports
>
> > 0 arp
> > 1 ip
> > 2 pfil
> > 3 bge
>
> pfil is no longer used or needed in Solaris 10 8/07.
>
>
>
> > The ipfilter configuration on both systems are identical. The
> > installation
> > of the patches 127886-03 and 128493-01 doesn't solve this problem.
> > Has anything changed in the ipfilter behaviour between Solaris 10
> > 11/06 and 8/07?
> > I found out that the file /etc/ipf/ipmon.pid is no longer present in
> > Solaris
> > 10 8/07. No idea why?
> > Here are some configuration checks:
>
> > # grep bge /etc/ipf/pfil.ap
> > bge -1 0 pfil
> > # svcs -a | grep ipf
> > online svc:/network/ipfilter:default
>
> > Any hints are appreciated.
>
> You haven't said what (if anything) is wrong.
>
> --
> Andrew Gabriel
> [email address is not usable -- followup in the newsgroup]

I think ipfilter works as expected but I was wondering that the
output of "ifconfig bge0 modlist" has changed in Solaris 10 8/07.
So nothing is wrong with it.
BWT: Is this change documented anywhere?

--
Thanks Roland

[Database Administrator]

On 7 Dez., 15:28, news_rt wrote:
> On 7 Dez., 15:14, and...@cucumber.demon.co.uk (Andrew Gabriel) wrote:
>
>
>
> > In article <5e57ddc5-19f9-4184-a9b2-6667379de...@e10g2000prf.googlegroups.com>,
> > news_rt writes:
>
> > > Hi,
>
> > > starting with Solaris 10 8/07 the output of the command
>
> > > ifconfig bge0 modlist
>
> > > reports
>
> > > 0 arp
> > > 1 ip
> > > 2 bge
>
> > > although I have configured and enabled ipfilter. In Solaris 10 11/06
> > > the command
>
> > > ifconfig bge0 modlist
>
> > > reports
>
> > > 0 arp
> > > 1 ip
> > > 2 pfil
> > > 3 bge
>
> > pfil is no longer used or needed in Solaris 10 8/07.
>
> > > The ipfilter configuration on both systems are identical. The
> > > installation
> > > of the patches 127886-03 and 128493-01 doesn't solve this problem.
> > > Has anything changed in the ipfilter behaviour between Solaris 10
> > > 11/06 and 8/07?
> > > I found out that the file /etc/ipf/ipmon.pid is no longer present in
> > > Solaris
> > > 10 8/07. No idea why?
> > > Here are some configuration checks:
>
> > > # grep bge /etc/ipf/pfil.ap
> > > bge -1 0 pfil
> > > # svcs -a | grep ipf
> > > online svc:/network/ipfilter:default
>
> > > Any hints are appreciated.
>
> > You haven't said what (if anything) is wrong.
>
> > --
> > Andrew Gabriel
> > [email address is not usable -- followup in the newsgroup]
>
> I think ipfilter works as expected but I was wondering that the
> output of "ifconfig bge0 modlist" has changed in Solaris 10 8/07.
> So nothing is wrong with it.
> BWT: Is this change documented anywhere?
>
> --
> Thanks Roland

I have one further question:

If pfil is no longer used I assume that the file
/etc/ipf/pfil.ap is also no longer needed.
Is this right?

--
Thanks Roland

[Database Administrator]

news_rt wrote:
> I think ipfilter works as expected

check your ipfilter logs for "OOW" (out of window) errors.
it seems to be still a problem with the Solaris 10 ipf version (even with latest
ipf patches) when using "keep state" rules.

eri0 @0:2 b xx.xx.xx.xx,40127 -> 72.14.223.83,80 PR tcp len 20 1392 -AFP OUT OOW

I get lots of those errors when visiting dynamic web sites like gmail, youtube,
google-videos, etc.

I'm tempted to replace Solaris ipfilter (4.1.9) with a newer version (4.1.28)
on my desktop but I'm still hoping a solaris patch that fixes that bug
(I *think* it is bug 6599784).

[Database Administrator]

news_rt writes:
> I think ipfilter works as expected but I was wondering that the
> output of "ifconfig bge0 modlist" has changed in Solaris 10 8/07.
> So nothing is wrong with it.
> BWT: Is this change documented anywhere?

It was referred to obliquely in the release notes as "Packet Filter
Hooks." See:

http://docs.sun.com/app/docs/doc/817-0547/getjd

There's more information -- including a note about the module removal
-- in the System Administrator's Guide:

http://docs.sun.com/app/docs/doc/816...aoq024g?a=view

In general, though, the STREAMS "pfil" module was just an
implementation artifact, and not something that was meant as an
administrative interface.

--
James Carlson, Solaris Networking
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677

[Database Administrator]

news_rt writes:
> I have one further question:
>
> If pfil is no longer used I assume that the file
> /etc/ipf/pfil.ap is also no longer needed.
> Is this right?

That's correct.

--
James Carlson, Solaris Networking
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677

[Database Administrator]

Oscar del Rio wrote:
> I get lots of those errors when visiting dynamic web sites like gmail, youtube,
> google-videos, etc.

I had the same problem. As a workaround a set an explicit "age" on all my NAT
rules:

rdr bge0 0.0.0.0/0 port 80 -> 172.16.2.250 port 8080 tcp age 600
map sppp0 172.16.0.0/12 -> 0.0.0.0/32 age 600
....

--
Daniel

[Database Administrator]

On Fri, 7 Dec 2007, Daniel Rock wrote:

> Oscar del Rio wrote:
> > I get lots of those errors when visiting dynamic web sites like gmail, youtube,
> > google-videos, etc.
>
> I had the same problem. As a workaround a set an explicit "age" on all my NAT
> rules:
>
> rdr bge0 0.0.0.0/0 port 80 -> 172.16.2.250 port 8080 tcp age 600
> map sppp0 172.16.0.0/12 -> 0.0.0.0/32 age 600
> ...

Now this matches my earlier problem exactly...
With SMTP servers being blocked on their return... all of them blocked OOW
What would be the default value when not set, the one you change
by setting it to 600? is this value in ticks or seconds?
(like the ipf -T list values)

/Johan A

[Database Administrator]

Mr. Johan Andersson wrote:
>> map sppp0 172.16.0.0/12 -> 0.0.0.0/32 age 600
>> ...
>
> Now this matches my earlier problem exactly...
> With SMTP servers being blocked on their return... all of them blocked OOW
> What would be the default value when not set, the one you change
> by setting it to 600? is this value in ticks or seconds?
> (like the ipf -T list values)

It should be in ticks (half seconds).

--
Daniel

[robert.bigus]

Hi!

I have another problem with ipfilter(v4.1.9 (592)) on x86 Solaris 10( with latest patches):
I enabled ipfilter, added filter rules but it's not working. All packets go throught the packet filter.

ipfilter is running:

# svcs network/ipfilter
STATE STIME FMRI
online Oct_29 svc:/network/ipfilter:default

# ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Feature mask: 0x107

rules loaded:

# ipfstat -hoi
0 block out on bge0 all
0 pass out quick on bge0 proto tcp from any to any port = ssh keep state
0 pass out quick on bge0 proto udp from any to any port = domain keep state
0 pass out quick on bge0 proto tcp from any to any port = domain keep state
0 block in on bge0 all
0 pass in quick on bge0 proto tcp from X.X.X.X/32 to any port = ssh keep state

there's only one public interface bge0:

lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
bge0: flags=1000843 mtu 1500 index 2
inet X.X.X.X netmask ffffff00 broadcast X.X.X.X
ether 0:1b:24:5d:61:19

All config seems to be good, /var/adm/messages is empty.

It is stange for me, that all of the packet counters are zero:
# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 0 passed 0 nomatch 0 counted 0 short 0
output packets: blocked 0 passed 0 nomatch 0 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 0 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 197348
Packet log flags set: (0)
none


The same rules on an older Solaris 10 (before 8/07 with pfil) with an older ipf (v4.0.3 (592)) are working fine.

I have no idea, what is wrong. Can you help me?

Thanks
Robert