Solaris 10: Ipfilter

I am experiencing a weird problem with ipfilter on my solaris 10 box. It is configured to allow all traffic out. However, after 1-14 days it blocks all outgoing TCP. ICMP works just fine as I am able to ping it, but logging on with SSH or using HTTP simply does not work.
Each time this happens I have to restart ipfilter.
My configuration of ipfilter is as follows:
block in on bge0
pass out quick all keep state
pass in quick on bge0 proto tcp from any to any port = 22 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 80 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 443 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 3690 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 8080 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 8081 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 8090 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 1099 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 8999 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 9999 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 10099 flags S keep state
pass in quick on bge0 proto udp from any to any port = 4114 keep state
pass in quick on bge0 proto icmp from any to any keep state
I am open to any suggestions as to what can be wrong...

The problem was caused by ipfilter's behavior: it ignores interface aliases. My ipnat rule was:
map aggr150031:1 ...
I have changed into:
map aggr150031 ...
and the things began to work.
Sorry for the noise.
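Added example (editor's, not code from the thread): a small Python evaluator for the ruleset posted above, implementing IP Filter's matching order, where the last matching rule wins unless a matching rule says `quick`, and a packet that matches no rule gets the default verdict (pass, as the `ipf -V` output further down the page reports for this ipfilter). The ruleset is abridged from the post, the test packets are constructed, and `keep state` tracking is not modelled, so the verdict shown is the one for the first packet of a flow.

```python
"""Evaluator for an abridged copy of the ipfilter ruleset from the post.

IP Filter semantics modelled here:
  * rules are checked top to bottom;
  * the LAST matching rule decides, unless a matching rule carries `quick`,
    which ends evaluation immediately;
  * a packet matching no rule gets the default verdict, "pass" on this box.
Assumption: state tracking (`keep state`) is not modelled, so this shows the
verdict for the first packet of a flow only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Abridged from the ruleset in the post (same rule shapes, fewer ports).
RULESET = """\
block in on bge0
pass out quick all keep state
pass in quick on bge0 proto tcp from any to any port = 22 flags S keep state
pass in quick on bge0 proto tcp from any to any port = 80 flags S keep state
pass in quick on bge0 proto udp from any to any port = 4114 keep state
pass in quick on bge0 proto icmp from any to any keep state
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+\S+\s+to\s+\S+(?:\s+port\s+=\s+(?P<dport>\d+))?)?"
    r"(?:\s+flags\s+(?P<flags>\S+))?"
    r"(?:\s+keep\s+state)?\s*$"
)


@dataclass
class Rule:
    text: str
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    flag_set: Optional[str]   # TCP flags that must be set
    flag_mask: Optional[str]  # TCP flags that are compared at all


@dataclass
class Packet:
    direction: str            # "in" or "out"
    iface: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    flags: str = ""           # TCP flags present, e.g. "S" or "AS"


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        flag_set = flag_mask = None
        if m["flags"]:
            # "flags S" is shorthand for "flags S/SA": SYN set, ACK clear.
            flag_set, _, flag_mask = m["flags"].partition("/")
            flag_mask = flag_mask or "SA"
        rules.append(Rule(line, m["action"], m["dir"], bool(m["quick"]),
                          m["iface"], m["proto"],
                          int(m["dport"]) if m["dport"] else None,
                          flag_set, flag_mask))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.flag_mask is not None:
        # Every flag in the mask must be set iff it appears in the set part.
        for f in rule.flag_mask:
            if (f in pkt.flags) != (f in rule.flag_set):
                return False
    return True


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (verdict, text of the deciding rule or None) for one packet."""
    verdict, winner = "pass", None      # ipf default when nothing matches
    for rule in rules:
        if not matches(rule, pkt):
            continue
        verdict, winner = rule.action, rule.text
        if rule.quick:                  # quick: stop at this match
            break
    return verdict, winner


RULES = parse_rules(RULESET)

if __name__ == "__main__":
    for p in (Packet("in", "bge0", "tcp", 22, "S"),    # SSH SYN: pass
              Packet("in", "bge0", "tcp", 23, "S"),    # telnet SYN: block
              Packet("in", "bge0", "tcp", 22, "A"),    # stray ACK: block
              Packet("out", "bge0", "tcp", 443, "S")): # outbound: pass
        print(p, "->", evaluate(RULES, p))
```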

Similar Messages

  • Solaris 10, Tomcat 5 Cant connect to a database

    Hi:
    I installed Solaris 10 on a Sun Sunfire V100 server and installed Tomcat 5.5.20 with JDK1.5. When my application needs to connect to my database server (MS Windows 2000 with MS SQL SERVER 2000 on port 1433) using JDBC, the application does nothing. There is no information in the Tomcat or system logs. I think it is related to Solaris security (IPFilter) open/closed ports, but I am not sure.
    I tested the connection to the database using a Java class program and got the following error: [Microsoft][SQLServer 2000 Driver for JDBC]Error establishing socket.
    Thanks for the help.

    I know nothing about tomcat & DBs, but you could
    try telnetting out from Solaris on various ports to
    connect to other services on the MSWin box.
    Eg,
    $ telnet 192.168.1.244 80
    will attempt to hit port 80 on the MSWin machine.
    You'll know what services Windows is running.
    This'll help you isolate the problem, if you can get
    through on some ports rather than others. If you can't
    get out at all, check that your network services
    are ok with
    # svcs -x
    'snoop' is also worth trying out on the Solaris box.
    snoop 192.168.1.244
    will give you brief info on packets.
    snoop -V 192.168.1.244
    will give you more info
    snoop -v 192.168.1.244
    will give you shedloads
    Apologies if these steps were already known to you.

  • Interzone traffic

    G'day,
    I went through a couple of inter zone traffic related posts on the
    Solaris Zones Forum. From what I read (links below) traffic
    between zones utilizes internal path so far.
    There is an option to disable all the traffic between zones via
    reject routes /see "Traffic Between Zones" posts/
    and also an option to bind a zone with a particular physical
    network interface and help yourself with wrappers to filter based
    on the zone's IP address /see "Different subnets securely"
    posts and "ipfilter use in zones?" posts/.
    What I'm interested in is whether a feature Blaise mentions
    within "Traffic Between Zones", in short - same machine inter
    zone communication over the wire - will be introduced as a next
    option of passing traffic between zones:
    "Currently, two zones on the same machine cannot communicate
    with each other over the wire, they can only use the internal
    path. We're considering relaxing this in the future."
    Thanks
    Martin
    Links:
    Solaris Forums - Zones: Different subnets securely
    http://forum.sun.com/thread.jspa?threadID=22749&messageID=73411#73411
    Solaris Forums - Traffic Between Zones
    http://forum.sun.com/thread.jspa?threadID=22685&messageID=72867#72867
    Solaris Forums - ipfilter use in zones?
    http://forum.sun.com/thread.jspa?threadID=21937&messageID=66098#66098
    Solaris Forums - Firewall in a zone to manage interface in another one
    http://forum.sun.com/thread.jspa?threadID=18848&messageID=53440#53440

    Hi Martin,
    I asked this question at the expert exchange about D-Trace and Solaris Containers on June 16th.
    "Fast Track to Solaris 10 Adoption: DTrace & Containers."
    "Today there is a limitation in the zones technology: the ability to use filter traffic between zones themselves, because the traffic is going over the loopback. Is there any way to force the zone traffic out of the system, use external filters, and then back into the another zone?"
    For some reason the Q&A transcript hasn't yet been published at http://www.sun.com/expertexchange
    From what I can remember, they are working on putting in an option to force zone traffic out on the wire.
    However I'm guessing that option won't be available in the first update. I had a discussion with Blaise (among others) about this: http://forum.sun.com/thread.jspa?threadID=24557&tstart=15

  • Solaris 10 as router using ipfilter and nat

    Hi,
    I installed Solaris 10 on a second disk on an Ultra 5, but have no
    success on using
    ipfilter with NAT.
    I have it working on the first disk with Solaris 9 and ipfilter 3.4.35.
    I have pfil on both interfaces (hme0 internal and qfe0
    external-internet) and ipfilter enabled. I used the working rule sets
    from Solaris 9 and have ip-forwarding enabled. IPFilter is working on the
    external interface, but none of the hosts on the internal network can
    connect through the router to the internet, but they can ping both
    interfaces.
    I had the same problem with Solaris 9 using ipfilter 4.x and had to go
    back to 3.4.35.
    ipfstat shows all rules are loaded and ipnat -l shows the rules, but no
    connections. ndd -get /dev/ip ip_forwarding returns 1.
    Following are my rules:
    ipf.conf
    block in log quick all with opt lsrr
    block in log quick all with opt ssrr
    block in log quick all with ipopts
    block in log quick proto tcp all with short
    block in log quick proto icmp all with frag
    block in log quick on qfe0 from 10.0.0.0/8 to any
    block in log quick on qfe0 from 127.0.0.0/8 to any
    block in log quick on qfe0 from 169.254.0.0/16 to any
    block in log quick on qfe0 from 172.16.0.0/12 to any
    block in log quick on qfe0 from 192.0.2.0/24 to any
    block in log quick on qfe0 from 192.168.0.0/16 to any
    block in log quick on qfe0 from 204.152.64.0/23 to any
    block in log quick on qfe0 from 224.0.0.0/3 to any
    block in log quick on qfe0 from aaa.aaa.aaa.0/24 to any
    block in log quick on qfe0 from any to aaa.aaa.aaa.0/32
    block in log quick on qfe0 from any to aaa.aaa.aaa.255/32
    block in log on qfe0 all
    block out quick on qfe0 proto tcp/udp from any port 136 >< 140 to any
    block out quick on qfe0 proto tcp/udp from any to any port 136 >< 140
    pass out quick on qfe0 proto tcp all flags S/SA keep state keep frags
    pass out quick on qfe0 proto udp all keep state keep frags
    pass out quick on qfe0 proto icmp all keep state keep frags
    pass out quick on qfe0 all
    pass in quick on lo0 all
    pass out quick on lo0 all
    pass in quick on hme0 all
    pass out quick on hme0 all
    ipnat.conf:
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port ftp ftp/tcp
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port 7070
    raudio/tcp
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port 1720
    h323/tcp
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 portmap tcp/udp auto
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32
    aaa.aaa.aaa.aaa = internal network
    bbb.bbb.bbb.bbb = external
    My routeadm statement shows:
    Configuration          Current          Current
    Option                 Configuration    System State
    IPv4 forwarding        enabled          enabled
    IPv4 routing           enabled          enabled
    IPv6 forwarding        disabled         disabled
    IPv6 routing           disabled         disabled
    IPv4 routing daemon "/usr/sbin/in.routed"
    IPv4 routing daemon args ""
    IPv4 routing daemon stop "kill -TERM `cat /var/tmp/in.routed.pid`"
    IPv6 routing daemon "/usr/lib/inet/in.ripngd"
    IPv6 routing daemon args "-s"
    IPv6 routing daemon stop "kill -TERM `cat /var/tmp/in.ripngd.pid`"
    Any suggestion what more checks I should do or what additional information is needed.
    Regards,
    Horst

  • X86 Solaris 10 problems with ipfilter

    Colleagues,
    I installed Solaris 10 on an HP Proliant DL360 G4
    (listed in the HCL for Solaris OS http://www.sun.com/bigadmin/hcl/data/sol/systems/details/691.html)
    Everything works fine until I increase the load
    (it is a DNS server, so there are a lot of UDP packets, about 2000/sec); then Solaris panics with:
    Nov 30 10:35:45 d0 ^Mpanic[cpu0]/thread=ffffffff85759820:
    Nov 30 10:35:45 d0 genunix: [ID 103648 kern.notice] mutex_exit: not owner, lp=0 owner=0 thread=ffffffff85759820
    Nov 30 10:35:46 d0 unix: [ID 100000 kern.notice]
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08190 unix:mutex_panic+6f (0, ffffffff860f5d98, fffffe)
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c081b0 unix:mutex_vector_exit+39 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c081e0 ipf:ipf_stinsert+333e9215 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08210 ipf:fr_updatestate+61 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08250 ipf:fr_checkstate+10f ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08390 ipf:fr_check+629 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08530 pfil:pfil_precheck+850 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08560 pfil:pfilmodwput+9f ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c085c0 unix:putnext+1f1 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c086d0 ip:ip_wput_ire+1a98 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08780 ip:ip_output+ee9 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08790 ip:ip_wput+18 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c087f0 unix:putnext+1f1 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08870 udp:udp_wput+29d ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c088d0 unix:putnext+1f1 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08a70 genunix:strput+3bc ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08af0 genunix:kstrputmsg+1e8 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08ba0 sockfs:sosend_dgram+181 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08c10 sockfs:sotpi_sendmsg+1bc ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08c80 sockfs:sendit+f0 ()
    Nov 30 10:35:46 d0 genunix: [ID 655072 kern.notice] fffffe8000c08ed0 sockfs:sendmsg+1bf ()
    Nov 30 10:35:47 d0 unix: [ID 100000 kern.notice]
    Nov 30 10:35:47 d0 genunix: [ID 672855 kern.notice] syncing file systems...
    Nov 30 10:35:47 d0 genunix: [ID 733762 kern.notice] 34
    Nov 30 10:35:48 d0 genunix: [ID 733762 kern.notice] 24
    Nov 30 10:36:08 d0 last message repeated 20 times
    Nov 30 10:36:09 d0 genunix: [ID 622722 kern.notice] done (not all i/o completed)
    Nov 30 10:37:30 d0 genunix: [ID 540533 kern.notice] ^MSunOS Release 5.10 Version Generic_118844-20 64-bit
    Nov 30 10:37:30 d0 genunix: [ID 943906 kern.notice] Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.
    At some stage there are problems with creation of a new state...
    I remember some time ago (Solaris 2.8) there were problems like that with ipfilter, but now ipfilter is included in the Solaris distribution, the hardware is tested and so on...
    New reincarnation of a problem?
    Somebody has similar problems with the software x86 Solaris 10?
    Thanks, Roman Gnatenko (rvg at co.ru)

    Hi. I've never seen anything like this, and it seems to be something which
    the JDBC module is going to be an innocent victim of, rather than a
    contributor to... Your best course is to open an official support case.
    Joe

  • Solaris 10 x86 ipfilter aggr problem

    Hi, all.
    I have Solaris 10 x86 machine
    Kernel Patch: 142910-17
    IP patch: 143593-05
    The problem shortly:
    I am using two network LACP interfaces
    aggr125030 contains e1000g1 interface
    aggr150031 contains e1000g2 interface
    Aggregation 31 was created by:
    dladm create-aggr -P L3 -l active -T short -d e1000g2 31
    and works fine.
    If I add policy based routing rule:
    pass out quick on aggr125030 to aggr150031:y.y.y.y proto tcp from x.x.x.x/32 to any port = 25 keep state
    traffic matches the rule (it is observed through ipfstat -inohv command) but the rule doesn't work.
    How did I decide? I have also ipnat rule
    map aggr150031 <skipped>
    so if PBR works, the ipnat rule is working too.
    If I remove the second aggregation interface aggr150031 and pass the physical interface explicitly, the rule works:
    pass out quick on aggr125030 to e1000g2:y.y.y.y proto tcp from x.x.x.x/32 to any port = 25 keep state
    as well as the ipnat's one.
    x.x.x.x is IP address of e1000g2 interface (or aggr150031)
    y.y.y.y is IP address of router for x.x.x.x IP address
    It seems that PBR for Ipfilter doesn't support aggregation interfaces for outbound.
    Also if you combine vlans 125 and 150 within one LACP (aggr150031 is replaced by aggr150030 and one physical interface is used for both vlans trunking), the PBR rule doesn't work either.
    What shall I do?

  • Ipfilter: does policy routing work on Solaris 10?

    Hello,
    - Does the ipf redirection (aka policy routing) feature work with the
    ipfilter that comes with Solaris 10?
    I would like to use the ipf redirection statements "to
    interface:router_ip" or "reply-to interface:router_ip" as described in
    http://coombs.anu.edu.au/~avalon/ipf.new.txt
    (The syntax is mentioned in the BNF of the Solaris 10 ipf(4) man
    page, but the explanations there are lacking.)
    On a machine that has two interfaces, the purpose is to send output
    reply packets of a TCP session to the same interface that the input
    packets came from. The idea to use ipfilter to do this comes from the
    blog entry:
    Packets out of the wrong interface
    http://blogs.sun.com/carlson/entry/packets_out_of_the_wrong
    My first try was to use "reply-to" in a "keep state" rule:
    pass in quick on e1000g305000 reply-to e1000g305000:10.13.5.1 proto tcp from any to any port = 443 keep state keep frags group i_sso-test1
    Which I understand as "once a connection to port 443 starts on
    interface e1000g305000 send all reply packets to the same interface to
    the gateway 10.13.5.1"
    But it does not work; in the ipf log it shows that the rule matched:
    22:56:32.770690 e1000g305000 @i_sso-test1:1 p 10.194.17.11,5648 -> 10.13.5.181,443 PR tcp len 20 60 -S K-S K-F IN
    22:56:32.770783 e1000g0 @i_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,5648 PR tcp len 20 44 -AS K-S K-F OUT
    But the reply packet is not seen on the router (10.13.5.1), nor does
    it get to 10.194.17.11 through another route (no firewall on that
    machine).
    My second try was to use two stateless rules, and to do "source port
    routing" for outgoing packets:
    pass in quick proto tcp from any to any port = 443 group i_sso-test1
    pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from any port = 443 to any group o_sso-test1
    pass out quick proto tcp from any port = 443 to any group o_sso-test1
    Which I understand as "incoming packets to port 443 are allowed and
    outgoing packets from port 443, if passing on interface e1000g0, are
    redirected through interface e1000g305000 via the gateway 10.13.5.1,
    if not, are just allowed".
    It does not work either; in the ipf log it shows that both the in and
    the first out rules matched:
    23:09:00.591163 e1000g305000 @i_sso-test1:1 p 10.194.17.11,26080 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
    23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT
    But again the reply packet seems to be lost in thin air.
    I have tried various other rules to no avail.
    - Should this work with ipfilter v4.1.9 (592) coming with Solaris 10
    u7?
    - Am I missing something in the configuration?
    - Shouldn't the ipf log show the outgoing reply packet twice? (Once on
    the "wrong" interface e1000g0 and once on the interface it is
    redirected to e1000g305000.) Or indicate in another manner that the
    redirection occurred (like it indicates K-S for "keep state")?
    Context:
    # netstat -rn
    Routing Table: IPv4
    Destination     Gateway         Flags  Ref   Use  Interface
    default         10.194.7.1      UG       1  2407
    default         10.194.7.1      UG       1  5104  e1000g0
    10.13.5.0       10.13.5.181     U        1     5  e1000g305000:1
    10.194.7.0      10.194.7.81     U        1     3  e1000g0:2
    224.0.0.0       10.194.7.81     U        1     0  e1000g0:2
    127.0.0.1       127.0.0.1       UH       1     7  lo0:7
    # cat /etc/release
    Solaris 10 5/09 s10s_u7wos_08 SPARC
    Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 30 March 2009
    # ipf -V
    ipf: IP Filter: v4.1.9 (592)
    Kernel: IP Filter: v4.1.9
    Running: yes
    Log Flags: 0x70000000 = pass, block, nomatch
    Default: pass all, Logging: available
    Active list: 0
    Feature mask: 0x107
    If it matters, this is occurring in a Solaris 10 zone, with virtual
    interfaces one of which uses 802.1q tagging (vlan 305, subnet
    10.13.5.0/24), and the "router" is a Cisco ACE load balancer with
    interface 10.13.5.1 on the server side.
    Thanks in advance for your help in this matter!
    Best regards,
    Dominique
    Mr Dominique Petitpierre Email: User@Domain
    Division Informatique User=Dominique.Petitpierre
    University of Geneva Domain=unige.ch

    I was saying
    If it matters, this is occurring in a Solaris 10 zone, with virtual
    interfaces one of which uses 802.1q tagging (vlan 305, subnet
    10.13.5.0/24),...
    Well, it turns out that 802.1q tagging does matter: packets redirected
    by an ipf policy based routing rule to an interface with tagging are
    not transmitted.
    In order to better see what was happening the ipf rules were extended
    like this (stateless case):
    @1 pass in quick on e1000g0 proto tcp from any to any port = 443 group i_sso-test1
    @2 pass in quick on e1000g305000 proto tcp from any to any port = 443 group i_sso-test1
    @1 pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from 10.13.5.181/32 port = 443 to any group o_sso-test1
    @2 pass out quick on e1000g305000 to e1000g0:10.194.7.1 proto tcp from 10.194.7.81/32 port = 443 to any group o_sso-test1
    @3 pass out quick on e1000g305000 proto tcp from any port = 443 to any group o_sso-test1
    @4 pass out quick on e1000g0 proto tcp from any port = 443 to any group o_sso-test1
    Also, for the purpose of the demonstration, the zone configuration was
    modified to direct all packets to the same interface with tagging,
    thus having just one default route:
    zonecfg -z sso-test1 info net
    net:
            address: 10.13.5.181/24
            physical: e1000g305000
            defrouter: 10.13.5.1
    net:
            address: 10.194.7.81/24
            physical: e1000g305000
            defrouter: 10.13.5.1
    netstat -rn
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref     Use     Interface
    default              10.194.7.1           UG        1       2867          
    default              10.13.5.1            UG        1         86 e1000g305000
    10.13.5.0            10.13.5.181          U         1          2 e1000g305000:1
    10.194.7.0           10.194.7.81          U         1          0 e1000g305000:3
    224.0.0.0            10.13.5.181          U         1          0 e1000g305000:1
    127.0.0.1            127.0.0.1            UH        1          7 lo0:7
    (In this peculiar case the default route to 10.194.7.1 is an artifact
    displayed by netstat due to the zone isolation mechanism, but it is
    not actually used for routing at the zone level; the interface without
    tagging, e1000g0, is only displayed on the global zone where ipfilter
    operates)
    When testing from 10.194.17.11 with "telnet 10.13.4.180 443", it
    works. And one can see in the ipf logs that it is the third out rule
    that matched (@o_sso-test1:3), i.e. there was no redirection on
    another interface (proof that there is nothing wrong with the context
    setup):
    16:59:30.479660 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
    16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
    16:59:30.480182 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 40 -A IN
    When testing from 10.194.17.11 with "telnet 10.194.7.81 443", it works
    also. This time one can see in the ipf logs that it is the second out
    rule that matched (@o_sso-test1:2), i.e. there was redirection from
    e1000g305000 to e1000g0.
    16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
    16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
    16:59:41.247508 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 52 -A IN
    A packet capture confirms this and one can see in the capture the
    SYN-ACK reply packet go out on e1000g0.
    The reverse case, essentially the original setup shown in my first
    post, where the default route is the interface without tagging
    (e1000g0) and the reply packet matches the redirection rule from
    e1000g0 to the interface with tagging e1000g305000, the packet is lost
    (i.e. is not visible in the packet capture on either interface).
    Further tests with stateful redirection ("reply-to") show the same
    pattern (does not work when packets are redirected to an interface
    with tagging).
    It looks like it is a bug: may be ipfilter injects the redirected
    packet at a processing stage where it should already have a 802.1q tag
    but does not, or something similar; in the working case, ipfilter acts
    on a not yet tagged packet which can be used "as is" at the same
    processing stage on the non tagging interface, and thus is correctly
    transmitted.
    Conclusion: ipfilter policy based routing does work on Solaris 10u7,
    but, at least in my setup, not when redirection occurs to a 802.1q
    tagging interface.
    - Could somebody confirm this?
    - Is this a known bug? (I didn't find anything relevant on sunsolve or
    on the ipfilter mailing list)
    Edited by: kleinstein on Oct 1, 2009 4:22 AM
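Added example (editor's, not code from the post): a Python parser for the ipmon log lines quoted above, which pairs each inbound SYN with the SYN-ACK the box logged for it and reports the interface and rule on each side, i.e. the check the post makes by eye to see whether a reply left on the interface the request came in on. The sample lines are the ones quoted in the post; the field layout assumed is the one those lines show.

```python
"""Parse ipmon log lines and pair each inbound SYN with its logged SYN-ACK.

Assumed field layout (taken from the lines quoted in the post):
  time iface @group:rule action src,sport -> dst,dport PR proto len hl tl
       [-FLAGS] [K-S] [K-F] IN|OUT
"""
import re
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>[^:\s]+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?"          # TCP flags, e.g. -S or -AS
    r"(?P<state>(?:\s+K-[SF])*)"           # K-S keep state, K-F keep frags
    r"\s+(?P<dir>IN|OUT)\s*$"
)

# Sample input: the ipmon lines quoted in the post (three handshakes).
SAMPLE_LOG = """\
22:56:32.770690 e1000g305000 @i_sso-test1:1 p 10.194.17.11,5648 -> 10.13.5.181,443 PR tcp len 20 60 -S K-S K-F IN
22:56:32.770783 e1000g0 @i_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,5648 PR tcp len 20 44 -AS K-S K-F OUT
16:59:30.479660 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
16:59:30.480182 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 40 -A IN
16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
16:59:41.247508 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 52 -A IN
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one ipmon line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["flags"] = rec["flags"] or ""          # ICMP/UDP lines carry no flags
    rec["keep_state"] = "K-S" in str(rec["state"])
    rec["rule"] = f'{rec["group"]}:{rec["rule"]}'   # e.g. "o_sso-test1:2"
    return rec


def pair_handshakes(log: str) -> List[Dict[str, object]]:
    """For every logged inbound SYN, find the outbound SYN-ACK of the same
    connection (reversed 4-tuple) and summarise the interface and the
    deciding rule on each side."""
    records = [r for r in map(parse_line, log.splitlines()) if r]
    syns = [r for r in records if r["dir"] == "IN" and r["flags"] == "S"]
    summary = []
    for syn in syns:
        reply = next((r for r in records
                      if r["dir"] == "OUT" and set(r["flags"]) == {"A", "S"}
                      and r["src"] == syn["dst"] and r["sport"] == syn["dport"]
                      and r["dst"] == syn["src"] and r["dport"] == syn["sport"]),
                     None)
        summary.append({
            "client": f'{syn["src"]}:{syn["sport"]}',
            "server": f'{syn["dst"]}:{syn["dport"]}',
            "in_iface": syn["iface"], "in_rule": syn["rule"],
            "out_iface": reply["iface"] if reply else None,
            "out_rule": reply["rule"] if reply else None,
            # False here is the "reply logged on another interface" case
            "same_iface": bool(reply) and reply["iface"] == syn["iface"],
        })
    return summary


if __name__ == "__main__":
    for row in pair_handshakes(SAMPLE_LOG):
        print(row)
```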

  • Unclear on branded solaris 9 zones and ipfilter

    I just managed to install my first solaris 9 zone on a solaris 10 system (v490). It has gone fairly well so far but I
    am definitely "unclear on the concept" with respect to ipfilter and the zone. This is a shared ip zone.
    On solaris 9 we use ipfilter 3.4.32.
    I used a flar from one of these systems to install the zone. On boot, I see that our ipfboot file in /etc/rc2.d fails with
    modload failures etc
    You must be superuser to load a module
    open device: No such file or directory
    open device: No such file or directory
    constructing minimal name resolution rules...
    open device: No such file or directory
    open device: No such file or directory
    open device: No such file or directory
    open device: No such file or directory
    /etc/rc2.d/S65ipfboot: load of /etc/opt/ipf/ipf.conf into alternate set failed
    Not switching config due to load error.
    /dev/ipf: open: No such file or directory
    This makes sense but as I said what do I do instead. I found this in the solaris container system admin manual
    "Solaris IP Filter can be enabled in non-global zones by turning on loopback filtering as described in Chapter 26, Solaris IP Filter (Tasks), in System Administration Guide: IP Services. "
    Yes, but that doesn't help me much since the IP Filter tasks simply tell me to do this in ipf.conf in the global zone.
    set intercept_loopback true;
    Isn't there more to it than this? A real example some place would be most helpful. And how can I make sure it is working?
    Not a real ipf guru :-(

    First thing to check is if your zone can access the global zone (try pinging). If this isn't the case you probably need to setup a routing entry allowing the non-global zone some access.
    For example, say the global is 10.0.0.1 and the non-global 192.168.0.1 on eri0 you'd use something like:
    route add 10.0.0.1 192.168.0.1 -iface
    This tells your non-global zone that it can reach the global zone through the eri0 interface. Of course you can also expand this to networks and such.
    Another very important factor to keep in mind when dealing with the internet is trying to access it from the non-global zone (as a test). Your ipnat.conf entry should be enough; my guess as to the reason for not routing the data is a non-static arp entry for your internet gateway. Now, this is a mere guess, but if you have a default route in your routing table set up for Internet access (netstat -rn), make sure that the host to which the default route is pointing also has a static arp entry (man arp). If this is indeed the case you may also need to set up a routing entry as mentioned above to allow your zone access to this remote gateway.
    After that things should work as usual. Hope this helps.

  • Ipfilter on Solaris 10 on VMware problem

    Hi! I have a problem with ipfilter on my VMware Solaris 10 b72 system.
    I've configured ipf strictly according to the documentation, creating a zero-sized ipf.conf and an ipnat.conf with one 'rdr' rule.
    The current status is:
    ipnat -ls shows that everything is OK, and shows some mappings.
    BUT! There is no real traffic flowing to the redirected port.
    Maybe somebody have any ideas ?

  • How to prevent a solaris user to telnet from multiple computers

    Hello,
    How to prevent Solaris users to telnet from multiple computers? They should be able to telnet from only one PC.
    Please help..

    ora_tech has a good point. I was about to suggest ipfilter, which is a built-in firewall in Solaris, but using tcp wrappers would probably be easier. It all depends on which level of security you want (blocking the telnet requests in a firewall would generally be safer than blocking them at the tcp wrapper level, since it prevents some processing).
    Since Solaris 10 you can also easily enable tcp wrappers on the inetd services with inetadm, see:
    http://blogs.sun.com/gbrunett/entry/tcp_wrappers_on_solaris_10
    .. for more details..
    .7/M.

  • Solaris 10 x86 & 2 x NIC. Can some1 pls have a look if i do all correctly?

    I have a server with two NICs and Solaris 10 x86 installed.
    I want to use NIC1 with the ADSL router (10.0.0.x) and NIC2 with the switch (192.168.16.x). I also want to set up a DHCP server for the LAN machines (NIC2) and a DNS server.
    Can someone please confirm/correct my thoughts/steps in configuring two interfaces?
    1. During install I had to choose a default route for both interfaces. For NIC1 it was easy - I just entered the ADSL router IP, which was 10.0.0.1.
    However, I have a difficulty with NIC2. What default route, if at all, should I use here?
    2. My understanding is that after configuring two interfaces they should act as a bridge, so that I could set up a DNS server using my LAN machine addresses (192.168.16.x) and traffic coming from outside the office will be converted properly to reach LAN machines (mail, web servers, etc). Is that correct, or will I need to set up and configure 2 DNS servers for each NIC respectively?
    3. DHCP server. Any guidance here in terms of a two-NIC machine?
    Many thanks
    Alex

    > I have a server with two NICs and Solaris 10 x86 installed. I want to use NIC1 with the ADSL router (10.0.0.x) and NIC2 with the switch (192.168.16.x). I also want to set up a DHCP server for the LAN machines (NIC2) and a DNS server. Can someone please confirm/correct my thoughts/steps in configuring two interfaces?
    > 1. During install I had to choose a default route for both interfaces. For NIC1 it was easy - I just entered the ADSL router IP, which was 10.0.0.1. However, I have a difficulty with NIC2. What default route, if at all, should I use here?
    You don't choose a default route for an interface, you choose a default route for a system. It isn't very useful to have multiple default routes for one machine. You will presumably want your default route to point to the internet-facing router.
    > 2. My understanding is that after configuring two interfaces they should act as a bridge
    No. You can use 'routeadm' on recent releases to configure routing. Otherwise, you need correct routing tables and make sure IP forwarding is enabled.
    > so that I could set up a DNS server using my LAN machine addresses (192.168.16.x) and traffic coming from outside the office will be converted properly to reach LAN machines (mail, web servers, etc). Is that correct, or will I need to set up and configure 2 DNS servers for each NIC respectively?
    Unless your ADSL router understands the routes behind the Solaris machine (it almost certainly doesn't), it will never send traffic there. Instead, you would have to run a NAT setup on the machine. ipfilter/ipnat can be used to do that.
    > 3. DHCP server. Any guidance here in terms of a two-NIC machine?
    Should be no issues. Just create a scope for the 192.x subnet. If you're using the Solaris DHCP server, you can create a file which prevents it from listening on the other interface, but that's not required.
    Darren

  • Adding the /etc/hosts.deny file like Linux in Solaris 10.

    Dears,
    I need to add a file which works like the /etc/hosts.deny file of Linux in Solaris.
    If it is possible in the same manner please let me know, and if it needs some other trick to deny a specific host access to the system, please tell me the way to do that.
    Eagerly waiting to hear from you.
    BR//
    Sohel.

    IPFilter can deny a specific IP address access to the host: enable IPFilter with svcadm and edit /etc/ipf/ipf.conf to add the IP to block. An example could be:
    block in log quick on bnx0 proto tcp from 192.168.1.5/32 to any
    I use IPFilter to pass and block all sorts of specific IP addresses, as well as to block/allow specific ports (e.g. only specific hosts can use port 22, ssh).
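    To check what a ruleset of this kind actually does before loading it with ipf -Fa -f /etc/ipf/ipf.conf, here is an added example (it is not code from the reply above): a small Python evaluator for the subset of ipf.conf syntax used in this thread. It encodes ipf's matching order, in which every rule is scanned and the last match decides unless a matching rule says quick, and it judges constructed packets against a constructed ruleset on an assumed interface bnx0 that blocks one host outright, allows ssh only from an assumed admin subnet 10.0.0.0/24 and allows web from anywhere. It does not model keep state, so the later packets of an established connection are judged on the rules alone.

```python
"""Offline evaluator for a subset of IPFilter (ipf.conf) rule syntax.
Added example, not code from the original post. It models what hand-written
rulesets most often get wrong: rules are scanned top to bottom and the LAST
match decides, unless a matching rule says 'quick', which ends the scan there.
'keep state' is parsed but not modelled. Interfaces, addresses and ports in
RULESET and PITFALL are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection

@dataclass
class Rule:
    action: str
    direction: str
    text: str
    quick: bool = False
    log: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None
    flags_s: bool = False   # 'flags S': match only connection-opening SYNs

def parse_rule(line: str) -> Rule:
    """Parse 'pass|block in|out [log] [quick] [on IF] [proto P] from A to B [port = N] ...'."""
    t = line.split()
    if len(t) < 2 or t[0] not in ("pass", "block") or t[1] not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line}")
    r, it = Rule(action=t[0], direction=t[1], text=line), iter(t[2:])
    for w in it:
        if w in ("quick", "log"):
            setattr(r, w, True)
        elif w == "on":
            r.iface = next(it)
        elif w == "proto":
            r.proto = next(it)
        elif w in ("from", "to"):
            net = next(it)
            setattr(r, "src" if w == "from" else "dst",
                    ANY if net == "any" else ipaddress.ip_network(net, strict=False))
        elif w == "port" and next(it) == "=":   # only 'to ... port = N' is supported
            r.dport = int(next(it))
        elif w == "flags":
            r.flags_s = next(it) == "S"
        elif w == "all" or (w == "keep" and next(it) == "state"):
            continue
        else:
            raise ValueError(f"unsupported token {w!r} in: {line}")
    return r

def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and r.iface in (None, p.iface)
            and r.proto in (None, p.proto)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and r.dport in (None, p.dport)
            and (p.syn_only or not r.flags_s))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, text of the deciding rule); a packet no rule matches is passed."""
    verdict: Tuple[str, Optional[str]] = ("pass", None)
    for r in rules:
        if matches(r, p):
            verdict = (r.action, r.text)
            if r.quick:         # final: ipf stops scanning here
                break
    return verdict

# Constructed ruleset: drop one host outright, default-deny the rest of inbound
# bnx0, then punch holes (ssh only from the admin subnet, web from anywhere).
RULESET = """
block in log quick on bnx0 proto tcp from 192.168.1.5/32 to any
block in on bnx0 all
pass in quick on bnx0 proto tcp from 10.0.0.0/24 to any port = 22 flags S keep state
pass in quick on bnx0 proto tcp from any to any port = 80 flags S keep state
pass out quick on bnx0 all keep state
"""

# Same intent without 'quick': the trailing block is the last match for every
# inbound packet, so the pass rule above it never wins.
PITFALL = """
pass in on bnx0 proto tcp from any to any port = 80 flags S keep state
block in on bnx0 all
"""
```

    Run it with a packet: evaluate(parse_ruleset(RULESET), Packet("in", "bnx0", "tcp", "203.0.113.9", "10.0.0.1", 80, True)) returns ('pass', ...) with the port 80 rule as the deciding one, while the same packet against PITFALL returns ('block', ...) because the trailing block is the last match. The blocked host 192.168.1.5 is refused even on port 80 because its quick rule is matched first and ends the scan. The real ipf additionally creates a state entry for the SYN, which is what lets the rest of that connection through.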

  • Installing ipfilter 4.1.20

    I would like to install the latest version of ipfilter (4.1.20) on my Solaris x86. Is there any good tutorial for this? I tried to install ipfilter and pfil but somehow I always get stuck with this error:
    kimak# pwd
    /export/home/lost+found/pfil
    kimak# make package
    i=`uname -s`; case $i in HP-UX) make hpux;; *) make $i;; esac
    make SunOS`optisa sparcv9 >/dev/null 2>&1; if [ $? -eq 0 ] ; then echo "64"; else echo "32"; fi`
    (cd SunOS; make pfil "BITS=32" OS=solaris DO=pfil "ADEF=-I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2="`uname -r | sed -e 's/[0-9]*\.\([0-9]*\).*/\1/'`" -DPFILDEBUG")
    cc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=10 -DPFILDEBUG -c pkt.c -o pkt.o
    "pkt.c", line 68: warning: improper pointer/integer combination: arg #8
    "pkt.c", line 68: prototype mismatch: 8 args passed, 9 expected
    cc: acomp failed for pkt.c
    *** Error code 2
    make: Fatal error: Command failed for target `pkt.o'
    Current working directory /export/home/lost+found/pfil/SunOS
    *** Error code 1
    make: Fatal error: Command failed for target `SunOS32'
    Current working directory /export/home/lost+found/pfil
    *** Error code 1 (ignored)
    (cd `uname -s`; make package-`uname -s`)
    cc -c pkt.c -o pkt.o
    "/usr/include/inet/ip_ire.h", line 146: warning: no explicit type given
    "/usr/include/inet/ip_ire.h", line 146: syntax error before or at: *
    "/usr/include/inet/ip_ire.h", line 146: warning: old-style declaration or incorrect type for: ip_forwarding_table_v6
    "/usr/include/inet/ip_ire.h", line 147: warning: no explicit type given
    "/usr/include/inet/ip_ire.h", line 147: syntax error before or at: *
    "/usr/include/inet/ip_ire.h", line 147: warning: old-style declaration or incorrect type for: ip_cache_table_v6
    "/usr/include/inet/ip_ire.h", line 148: warning: no explicit type given
    "/usr/include/inet/ip_ire.h", line 148: syntax error before or at: *
    "/usr/include/inet/ip_ire.h", line 148: warning: old-style declaration or incorrect type for: ip_mrtun_table
    "/usr/include/inet/ip_ire.h", line 149: warning: no explicit type given
    "/usr/include/inet/ip_ire.h", line 149: syntax error before or at: *
    "/usr/include/inet/ip_ire.h", line 149: warning: old-style declaration or incorrect type for: ip_srcif_table
    "pkt.c", line 38: cannot find include file: "compat.h"
    "pkt.c", line 39: cannot find include file: "qif.h"
    "pkt.c", line 58: undefined symbol: ire_t
    "pkt.c", line 58: undefined symbol: dir
    "pkt.c", line 60: undefined symbol: ill_t
    "pkt.c", line 60: undefined symbol: il
    "pkt.c", line 65: warning: implicit function declaration: ire_route_lookup
    "pkt.c", line 77: undefined struct/union member: ire_ll_hdr_mp
    "pkt.c", line 77: left operand of "->" must be pointer to struct/union
    "pkt.c", line 77: undefined struct/union member: ire_ll_hdr_length
    "pkt.c", line 77: left operand of "->" must be pointer to struct/union
    "pkt.c", line 85: warning: implicit function declaration: ire_to_ill
    "pkt.c", line 89: undefined struct/union member: ire_ll_hdr_mp
    "pkt.c", line 89: left operand of "->" must be pointer to struct/union
    "pkt.c", line 89: warning: improper pointer/integer combination: op "="
    "pkt.c", line 90: undefined struct/union member: ire_ll_hdr_length
    "pkt.c", line 90: left operand of "->" must be pointer to struct/union
    "pkt.c", line 105: warning: implicit function declaration: bcopy
    "pkt.c", line 107: warning: implicit function declaration: copyb
    "pkt.c", line 107: warning: improper pointer/integer combination: op "="
    "pkt.c", line 114: undefined struct/union member: ire_stq
    "pkt.c", line 114: left operand of "->" must be pointer to struct/union
    "pkt.c", line 115: left operand of "->" must be pointer to struct/union
    "pkt.c", line 115: warning: improper pointer/integer combination: op "="
    "pkt.c", line 116: undefined struct/union member: ire_rfq
    "pkt.c", line 116: left operand of "->" must be pointer to struct/union
    "pkt.c", line 117: left operand of "->" must be pointer to struct/union
    "pkt.c", line 117: warning: improper pointer/integer combination: arg #1
    "pkt.c", line 121: warning: implicit function declaration: RW_EXIT
    "pkt.c", line 122: warning: implicit function declaration: putnext
    "pkt.c", line 123: warning: implicit function declaration: READ_ENTER
    "pkt.c", line 128: warning: implicit function declaration: freemsg
    "/usr/include/inet/ip_ire.h", line 146: warning: null dimension: ip_forwarding_table_v6
    cc: acomp failed for pkt.c
    *** Error code 2
    make: Fatal error: Command failed for target `pkt.o'
    Current working directory /export/home/lost+found/pfil/SunOS
    *** Error code 1
    make: Fatal error: Command failed for target `package'
    I already installed Sun Studio 11 but I still have the same problem.

    Solaris 10 comes with ipfilter already installed. You probably don't want to monkey around with the version; just use the one that's there, unless the new version has some feature you really can't live without.

  • Solaris 10 12/06 IP Routing problems

    Hello,
    I have set up a Solaris x86 12/06 box with a dual-port Intel PRO 1000 MT Server adapter, and I have an ADSL NAT router connecting to the internet. I also have a PC running Windows XP Pro 2002 SP2 and a gigabit switch.
    e1000g0: 10.16.0.1/16
    e1000g1: 10.32.0.1/16
    Router : 10.32.255.254/16
    WinXP : 10.16.5.1/16 GW 10.16.0.1 DNS 10.32.255.254
    WinXP and e1000g0 are physically connected to the gigabit switch.
    e1000g1 is connected to the Router.
    The Solaris server can connect to the internet without issue; however, when I try to connect from my WinXP workstation I cannot, although I can ping 10.32.0.1 from WinXP.
    /etc/ipf/ipf.conf
    pass in quick on lo0 all
    pass out quick on lo0 all
    pass in quick on e1000g0 all
    pass out quick on e1000g0 all
    pass in quick on e1000g1 all
    pass out quick on e1000g1 all
    /etc/ipf/pfil.pa
    e1000g -1 0 pfil
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    -------------------- -------------------- ----- ----- ------ ---------
    default              10.32.255.254        UG        1     18
    10.16.0.0            10.16.0.1            U         1      2 e1000g0
    10.32.0.0            10.32.0.1            U         1      3 e1000g1
    224.0.0.0            10.16.0.1            U         1      0 e1000g0
    127.0.0.1            127.0.0.1            UH        1     40 lo0
    As root I have done the following:
    routeadm -e ipv4-routing
    routeadm -e ipv4-forwarding
    routeadm -u
    svcadm enable ipfilter
    {have also rebooted}
    The ipfilter service is online and modinfo confirms ipf is loaded, ipf (IP Filter: v4.1.9)
    Is there supposed to be a loaded module for pfil?
    What do I need to do so traffic from 10.16.0.0/16 is routed via 10.32.0.0/16?
    Any assistance greatly appreciated,
    Kenny.

    > I have set up a Solaris x86 12/06 box with a dual-port Intel PRO 1000 MT Server adapter, and I have an ADSL NAT router connecting to the internet. I also have a PC running Windows XP Pro 2002 SP2 and a gigabit switch.
    > e1000g0: 10.16.0.1/16
    > e1000g1: 10.32.0.1/16
    > Router : 10.32.255.254/16
    > WinXP : 10.16.5.1/16 GW 10.16.0.1 DNS 10.32.255.254
    Does your ADSL router have a route for 10.16.0.0/16? Unless it knows to forward it to the Solaris machine, there's no way for return traffic to get back.
    > What do I need to do so traffic from 10.16.0.0/16 is routed via 10.32.0.0/16?
    For all the routing devices to know that. How is the ADSL router configured?
    Darren
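    The missing piece in this thread and in the two-NIC question above is the same one: the ADSL router only ever returns traffic to prefixes it has a route for. The following added example (Python; not code from either post) simulates one request and its reply from the WinXP host through the Solaris box to the router, with the addresses from this thread, and shows the two ways out that Darren points at in the two replies: a static route for 10.16.0.0/16 on the router, or an ipnat map rule on e1000g1 so that LAN traffic leaves carrying the box's own address. The router's routing table, the map rule (modelled on map e1000g1 10.16.0.0/16 -> 0/32, which substitutes the e1000g1 address), the port-mapping range and the remote server 198.51.100.10 are assumptions.

```python
"""Why a LAN behind a two-NIC Solaris box reaches the Internet only when the
upstream router has a route back to it or the box NATs for it.
Added example, not code from either post. One TCP request and its reply are
simulated across LAN host -> Solaris box (forwarding, optional ipnat-style
'map') -> ADSL router. Addresses follow the routing thread; the router's
table, the map rule (modelled on 'map e1000g1 10.16.0.0/16 -> 0/32', which
substitutes the e1000g1 address), the port range and the remote server
198.51.100.10 are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


# (prefix, next hop or None when directly connected, outgoing interface)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]


class Router:
    """Longest-prefix-match forwarder, i.e. the table 'netstat -rn' shows."""

    def __init__(self, routes: List[Tuple[str, Optional[str], str]]) -> None:
        self.routes: List[Route] = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in routes]

    def lookup(self, dst: str) -> Optional[Route]:
        addr, best = ipaddress.ip_address(dst), None
        for route in self.routes:
            if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
                best = route
        return best


class NatBox(Router):
    """Forwarding box with an optional map rule (inside prefix, outside iface, outside addr)."""

    def __init__(self, routes, map_rule: Optional[Tuple[str, str, str]] = None) -> None:
        super().__init__(routes)
        self.map_rule = map_rule
        # (outside addr, mapped port) -> (inside addr, inside port): the NAT state table
        self.state: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_port = 40000   # constructed 'portmap' range start

    def forward_out(self, pkt: Pkt) -> Optional[Pkt]:
        """Packet leaving the box; translated only if it exits the mapped interface."""
        route = self.lookup(pkt.dst)
        if route is None:
            return None
        if self.map_rule:
            inside, out_ifc, out_addr = self.map_rule
            if route[2] == out_ifc and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(inside):
                mapped, self.next_port = self.next_port, self.next_port + 1
                self.state[(out_addr, mapped)] = (pkt.src, pkt.sport)
                return replace(pkt, src=out_addr, sport=mapped)
        return pkt   # no rule, or rule on another interface: inside address stays on the wire

    def forward_in(self, pkt: Pkt) -> Pkt:
        """Reply arriving from outside; the mapping is undone only if we created it."""
        inside = self.state.get((pkt.dst, pkt.dport))
        return replace(pkt, dst=inside[0], dport=inside[1]) if inside else pkt


def round_trip(nat_enabled: bool, router_knows_lan: bool) -> Tuple[str, Optional[str]]:
    """Return (source address the router saw, address the reply is delivered to,
    or None when the router cannot get the reply back into the LAN)."""
    box = NatBox([("10.16.0.0/16", None, "e1000g0"),
                  ("10.32.0.0/16", None, "e1000g1"),
                  ("0.0.0.0/0", "10.32.255.254", "e1000g1")],
                 map_rule=("10.16.0.0/16", "e1000g1", "10.32.0.1") if nat_enabled else None)
    adsl_routes = [("10.32.0.0/16", None, "lan"), ("0.0.0.0/0", "isp", "wan")]
    if router_knows_lan:   # static route on the ADSL router pointing back at the box
        adsl_routes.append(("10.16.0.0/16", "10.32.0.1", "lan"))
    adsl = Router(adsl_routes)

    request = Pkt("10.16.5.1", "198.51.100.10", 51000, 80)   # WinXP host -> web server
    on_wire = box.forward_out(request)
    if on_wire is None:
        raise RuntimeError("box has no route for the request")
    # The server answers whatever source address it saw.
    reply = Pkt(on_wire.dst, on_wire.src, on_wire.dport, on_wire.sport)
    back = adsl.lookup(reply.dst)
    if back is None or back[2] != "lan":
        return on_wire.src, None   # router sends the reply upstream; the LAN never sees it
    delivered = box.forward_in(reply)
    if box.lookup(delivered.dst) is None:
        return on_wire.src, None
    return on_wire.src, delivered.dst
```

    round_trip(False, False) returns ('10.16.5.1', None): the reply addressed to 10.16.5.1 only matches the router's default route and heads upstream, which is exactly the symptom in this thread. round_trip(True, False) returns ('10.32.0.1', '10.16.5.1'): the request left as 10.32.0.1 and the box's state table mapped the reply back to the WinXP host. round_trip(False, True) shows the static-route fix working without NAT. Note that the map rule only fires for packets leaving the named interface, so a rule written against the wrong interface leaves the inside address on the wire; forwarding itself still has to be enabled on the box (routeadm, as in the post) and ipf has to pass the traffic on both interfaces.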

  • NAT holes in Solaris 10 x86

    I am using the bundled IPFilter software on Solaris 10 x86. I find quite a few random requests going out on the external interface with an internal IP address (those requests are not being NATed). This does not happen with all requests though, only random ones.
    Upgraded to kernel version 118844-20. Still no change. Has anybody else faced this problem?
    Thanks,
    sAP

    Homework question:
    http://www.catb.org/~esr/faqs/smart-questions.html#homework
    Review the System Requirements and Supported Platforms document. If it is not listed there it is not supported.
    http://download.oracle.com/docs/cd/E10415_01/doc/nav/portal_1.htm
