Tcp_wrappers and or ipf
Is it possible to prevent outgoing ssh using tcp_wrappers? Or will I need to start using ipf?
We have a server that I'd like to set up to allow only incoming ssh connections and no outgoing ssh connections. ipf is capable of this, but I thought I would check first.
thanks in advance
tcp wrappers controls host/user access to a service via /etc/hosts.allow and /etc/hosts.allow. ipf is the one that allows you to allow/deny/log incoming/outgoing packets based on rules in /etc/ipf/ipf.conf per interface.
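An ipf ruleset for the setup asked about above, as an added example that is not part of the original posts. tcp_wrappers is consulted by the daemon that accepts a connection, so it never sees the local ssh client; the egress side has to be handled by the packet filter. The interface name e1000g0 is an assumption.

```conf
# /etc/ipf/ipf.conf -- constructed example; e1000g0 is an assumed interface name.

# Inbound SSH: admit new connections to the local sshd. "keep state" creates
# a state entry, so sshd's replies leave without needing a "pass out" rule.
pass in quick on e1000g0 proto tcp from any to any port = 22 flags S/SA keep state

# Outbound SSH: refuse and log any new connection this host tries to open
# to port 22 elsewhere. Replies from the local sshd carry source port 22,
# not destination port 22, so they never match this rule.
block out log quick on e1000g0 proto tcp from any to any port = 22 flags S/SA
```

The block keys on destination port 22 only, so an sshd listening on another port is still reachable from this host; a default `block out all` with explicit passes closes that gap.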
Similar Messages
-
How to configure IPMP and PFIL/IPF to work together on Solaris 9?
Hi folks,
See the subject regarding my question.
Is there anyone who has ever accomplished this on Solaris 9? If so, what version of IPMP and PFIL/IPF did you use, and what steps did you take to make it work?
I just can't get it to work, I have tried all tips and tricks I could find on the web so far, most of them are regarding Solaris 10.
Many thanks in advance!
RVDL
PS: Duke Stars available.
Not sure what you mean with IPMP, but if you mean active-active loadsharing among more than one interface in the same ifconfig group and subnet monitored by mpathd,
I'm afraid you can't do that with ipf (AFAIK), as the states (from "keep state") are stored per interface while packets may come in and go out unpredictably and asymmetrically on any relevant interface. You must configure active-standby in /etc/hostname.* (or configure 100% static (stateless) rules, i.e. no "keep state" (or pass in&out all TCP with the established flag set)).
I have used active-standby a lot on T1, E450, V480 etc. I compiled ip_filter from Darren's source 3.4 and 4.1
Note: V210/240 and others with the bge-driver may cause problems as the bge-driver is (was) broken, in the way that the stand-by interface isn't 100% standby (only 99% standby).
Last I checked with snoop it showed sporadic ssh-packets on the standby-interface making the session hang for a while or timeout. I had to "ifconfig down" the standby interfaces on all V210/240s thus breaking automatic failover.
Active sessions will hang and timeout on failover, but that is usually only a problem for long-lived sessions like ssh, and no problem for short lived/retry/reconnecting protocol-sessions like HTTP, DNS etc. -
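The stateless alternative mentioned in the reply above, as an added example that is not part of the original post. The interface names bge0 and bge1 (two members of one IPMP group) and the choice of ssh as the service are assumptions.

```conf
# /etc/ipf/ipf.conf -- constructed example; bge0/bge1 are assumed names for
# two interfaces in one IPMP group. No "keep state" anywhere, so it does not
# matter which interface a given packet of a session arrives or leaves on.
block in  log all
block out log all

# Inbound to the local sshd: accept on either interface.
pass in  quick on bge0 proto tcp from any to any port = 22
pass in  quick on bge1 proto tcp from any to any port = 22

# Replies from sshd: only segments with ACK set (the "established" test),
# so this host cannot open new connections from source port 22.
pass out quick on bge0 proto tcp from any port = 22 to any flags A/A
pass out quick on bge1 proto tcp from any port = 22 to any flags A/A
```

Without a state table the filter accepts any segment addressed to port 22, including ones that belong to no connection; that is the cost of making the rules independent of the interface.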
CS5 Printing to an Epson 1900 What happened?
It worked fine in CS 4 to the Epson just select Adobe RGB as the profile in the Print dialog then do the same in the Epson Drivers now I cannot do that once I have the color management option selected in the photoshop print dialog this is now grayed out in the Epson drivers. I found it the past that the data is not fully passed along to the Epson drivers and you have to also select it in the Epson drivers regardless of the fact that you had Photoshop managing things.
This is another instance of very poor testing process on the side of Adobe when they have testers all of who are creating their own profiles for their paper leaving the professional photographer to go through hell to get their first good print using Photoshop.
Perhaps it is about time you get testers who actually make their living taking photography rather than testers who sell custom profiles.
What nonsense this is from day one that I first got an epson printer I was told that this works for Adobe and it should work for me but everything that Adobe does is not based on everyday professional photography conditions it is based on lab condition which is nonsense, in a controlled environment.
I printed my images extremely well with the 1900 until I tried today and cannot do what I have been doing before. Make the improvement but it has to work. You spend entirely too much time improving things that just break whatever was fixed before.
And to Chris Cox or any other Adobe employee this has been the issue every single release since I first purchased Photoshop 5, not one time has Adobe not left the user to fend for themselves after they have broken their workflow.
It is time to stop and get to work. This really stinks.
BTW I have my work reproduced world wide and have very consistent results in Magazines and Books and print to Digital CPrints all the time without any issues.
Adobe your testing team stinks they should have been screaming about this nonsense. Now I have to either print from CS 4 or find a work around.
The fact that many users are using other programs to print is testimony of this failure. It is about time you not prove how smart you are and just make a reasonable work flow.
I seldom complain here but this is just too much it would be pleasant to see one time where this was not an issue.
I agree this whole issue is confusing. I have been on the issue (proper printer driver behavior and proper application behavior) using Apple's new print path for a few years now, so I will try to make an attempt to clear up as much confusion as possible.
If drivers and applications are working (written) properly this is how it is supposed to work.
When printer manages color is selected in an application print dialog then all functions of the printer driver are available.
When applications manages color is selected then Color Matching is grayed out defaulted to ColorSync, and the properly written print driver defaults to No Color Adjustment (Epson) or No Color Correction (Canon).
See attached examples of both Epson 9600 driver version 8.19 and Canon iPF driver version 2.14.
Epson can and has definitely gotten it right with their latest drivers.
Canon on the other hand uses a special case file (AppColorMatchingInfo.xml) which lists the applications that use Apple's new printing path. New applications like Photoshop CS5 will need to be added to this file or the driver will default to color management when application manages color is chosen which results in double profiling.
I see nothing that indicates to me that neither Apple or Adobe have problems or bugs in this printflow. Only drivers (and old drivers) that are not written correctly for Apple's new printing path seem to have these problems with double profiling. That being said, do I agree with Apple's approach regarding the new print path? NO. It appears to be an attempt to idiot proof printing using application manages color printing, although it is claimed to be necessary for 64-bit applications. I personally would prefer to use the old print path (like still available in Indesign) where all options are available in the driver regardless of what CM setting I choose in the application print dialog. But it is what it is.
Doyle -
Printing to an Epson R2880 results in bad color (only from Adobe SW)
I've had a nice workflow that I've used for years. I'm sure many of you would find it a bit tedious and I won't go into the details of it, but the important part is that I always printed out of Photoshop (CS6 Extended - now at 13.0.3 - yes I have the stupid Trial window bug, but that's another matter). My monitors are profiled (no custom printer profiles, but I've downloaded appropriate profiles from PixelGenius for those times when I've needed them), and with my color management my prints have been fairly accurate. I use an Epson Stylus Photo R2880 and I've been very happy with it. I mainly work on a 24" iMac (2009 vintage). Recently I decided to change my workflow entirely based on some of the tutorial videos I've purchased from LL. I decided I was ready to integrate much more LR into the workflow, especially now that it includes soft proofing. Because of the new workflow I was really looking forward to printing out of LR. That should more or less get you current.
To date, I haven't printed with my new workflow and I'd say I haven't printed anything since 13.0.1 on PS and 4.1 on LR (not that I was printing from LR at the time). Having not printed in a while I knew I'd need a head cleaning (sure enough I did) and, as is my habit, once the head was clean, I printed (from LR) a 4x6 of the image I planned on printing at a larger size. It catches any lingering gunk after a cleaning. The print just didn't look right to me (too dark and the colors were a little off). I've encountered prints with bad colors once before and it turned out to be a driver issue. In the process I found a great image that is indicative of some kind of problem and I keep both good and bad prints of it handy... just in case. I decided to print this image, and sure enough it came out looking like the standard craptastic version I was getting with the bad driver ages ago. Just to check out that it didn't have to do with my new process, I printed the same image from PS (which worked fine last time I printed this image). It too came out all wrong (the same all wrong as LR). Since the bad prints looked just like the old "bad driver" prints, I figured I knew what was going on and worked with Epson to reset my print pipeline and reinstall my printers (I also have a Workforce 845 for "throw away" printing and for my wife to use).
With new installs for my printers in place I went ahead and printed again... and again it came out wrong. I was, to say the least, despondent. As a final sanity check I loaded the image up in Nikon Capture NX2 (version 2.3.1) and did a print. All of a sudden the print came out perfect. It matched my old "good" prints and, just as importantly, was a dead ringer for the image on the screen. This is where I find myself. Apparently color management is broken in my Adobe products, but works fine in my Nikon software. I'm at a bit of a loss. I'm 99.999999999% sure that I'm printing out of LR, and especially PS, correctly. Anyone have any ideas? I'd love to be able to print again. Printing out of Capture NX2 is really not a great option.
Thanks in advance,
David
-
Non-global zone sending TCP SYN-ACK packet over wrong interface.
After spending many hours looking at ipmon/ethereal logs, I believe I've found
an explanation (a bug?) for the following strange behaviour (Solaris 10u1):
I've got a non-global zone with Apache2 with dedicated IP and bound to interface e1000g2 of a Sun X4200 box. The global zone has a different dedicated IP bound to a different interface e1000g0.
When I point a browser at the web site, the HTML page often comes up immediately, but sometimes it will hang and only load when I press the reload browser button one or multiple times. This is reproducible with different browsers from different networks with or without DNS resolution. It's reproducible with other non-local zones configured alike and running different TCP based services (namely SSH or non-Apache HTTP).
This is what happens in a failing case (Ethereal client dump "dump_failed.txt" and IPF log "att1.txt" lines 1-3 pp): the incoming TCP SYN comes over interface e1000g2 (correct) and is passed by IPF. However, the non-global zone sends the TCP SYN-ACK package back over interface e1000g0, which is wrong and causes IPF to fail to build a correct state entry. Then, afterwards, the response packets from the webserver will be filtered by IPF, since it has no state entry.
In the success case (Ethereal client dump "dump_success.txt" and IPF log "att1.txt" lines 19-21 pp), the incoming TCP SYN is answered correctly by a TCP SYN-ACK both over interface e1000g2. IPF can build a state entry and all subsequent packets from the webserver reach the client.
=====
The non-global zone has this setup:
zonecfg:ws1> info
...snip...
net:
address: 62.146.25.34
physical: e1000g2
zonecfg:ws1>
=====
The relevant (as of the IPF log) IPF rules are:
rule 1: block out log all
rule 16: pass in log quick proto tcp from any to 62.146.25.34 port = 80 keep state
=====
If I didn't miss an important point, I suspect this to be a bug in Zones and/or IPF.
Any hints?
Thx,
Tobias
"att1.txt":
LINE PACKET_DT PACKET_FS PACKET_IFC RULE_NUMBER RULE_ACTION SOURCE_IP SOURCE_PORT DEST_IP DEST_PORT PROTOCOL TCP_FLAGS
1 08.05.2006 21:24:09 786741 e1000g2 16 p 84.56.16.159 60693 62.146.25.34 80 tcp S
2 08.05.2006 21:24:09 786863 e1000g0 16 p 62.146.25.34 80 84.56.16.159 60693 tcp AS
3 08.05.2006 21:24:09 808218 e1000g2 16 p 84.56.16.159 60693 62.146.25.34 80 tcp A
4 08.05.2006 21:24:09 837170 e1000g2 16 p 84.56.16.159 60693 62.146.25.34 80 tcp AP
5 08.05.2006 21:24:09 837189 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp A
6 08.05.2006 21:24:09 837479 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AP
7 08.05.2006 21:24:12 823801 e1000g2 16 p 84.56.16.159 60693 62.146.25.34 80 tcp AP
8 08.05.2006 21:24:12 823832 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp A
9 08.05.2006 21:24:13 210039 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AP
10 08.05.2006 21:24:18 839318 e1000g2 16 p 84.56.16.159 60693 62.146.25.34 80 tcp AP
11 08.05.2006 21:24:18 839351 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp A
12 08.05.2006 21:24:19 970040 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AP
13 08.05.2006 21:24:24 840073 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AF
14 08.05.2006 21:24:30 870503 e1000g2 16 p 84.56.16.159 60693 62.146.25.34 80 tcp AP
15 08.05.2006 21:24:30 870538 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp A
16 08.05.2006 21:24:33 480059 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AFP
17 08.05.2006 21:24:45 347464 e1000g2 16 p 84.56.16.159 60693 62.146.25.34 80 tcp AF
18 08.05.2006 21:24:45 347498 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp A
19 08.05.2006 21:24:47 857068 e1000g2 16 p 84.56.16.159 60694 62.146.25.34 80 tcp S
20 08.05.2006 21:24:47 857118 e1000g2 16 p 62.146.25.34 80 84.56.16.159 60694 tcp AS
21 08.05.2006 21:24:47 878257 e1000g2 16 p 84.56.16.159 60694 62.146.25.34 80 tcp A
22 08.05.2006 21:24:47 907630 e1000g2 16 p 84.56.16.159 60694 62.146.25.34 80 tcp AP
23 08.05.2006 21:24:47 907644 e1000g2 16 p 62.146.25.34 80 84.56.16.159 60694 tcp A
24 08.05.2006 21:24:47 907892 e1000g2 16 p 62.146.25.34 80 84.56.16.159 60694 tcp AP
25 08.05.2006 21:24:47 976361 e1000g2 16 p 84.56.16.159 60694 62.146.25.34 80 tcp AP
26 08.05.2006 21:24:47 976375 e1000g2 16 p 62.146.25.34 80 84.56.16.159 60694 tcp A
27 08.05.2006 21:24:47 976487 e1000g2 16 p 62.146.25.34 80 84.56.16.159 60694 tcp AP
28 08.05.2006 21:24:48 127599 e1000g2 16 p 84.56.16.159 60694 62.146.25.34 80 tcp A
29 08.05.2006 21:24:54 932569 e1000g2 16 p 84.56.16.159 60693 62.146.25.34 80 tcp AFP
30 08.05.2006 21:24:54 932595 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp A
31 08.05.2006 21:25:00 490052 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AFP
32 08.05.2006 21:25:02 980057 e1000g2 16 p 62.146.25.34 80 84.56.16.159 60694 tcp AF
33 08.05.2006 21:25:03 1890 e1000g2 16 p 84.56.16.159 60694 62.146.25.34 80 tcp A
34 08.05.2006 21:25:09 907916 e1000g2 16 p 84.56.16.159 60694 62.146.25.34 80 tcp AF
35 08.05.2006 21:25:09 907949 e1000g2 16 p 62.146.25.34 80 84.56.16.159 60694 tcp A
36 08.05.2006 21:25:42 948502 e1000g2 16 p 84.56.16.159 60693 62.146.25.34 80 tcp AFP
37 08.05.2006 21:25:42 948535 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp A
38 08.05.2006 21:25:54 500051 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AFP
39 08.05.2006 21:26:54 510046 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AFP
40 08.05.2006 21:27:54 520041 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AFP
41 08.05.2006 21:28:54 530040 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AFP
42 08.05.2006 21:29:54 540039 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AFP
43 08.05.2006 21:30:54 550039 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AFP
44 08.05.2006 21:31:54 560041 e1000g2 1 b 62.146.25.34 80 84.56.16.159 60693 tcp AFP
"dump_failed.txt":
No. Time Source Destination Protocol Info
1 0.000000 192.168.1.101 62.146.25.34 TCP 1079 > http [SYN] Seq=0 Len=0 MSS=1460
Frame 1 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 48
Identification: 0x0269 (617)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xde9d [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1079 (1079), Dst Port: http (80), Seq: 0, Len: 0
Source port: 1079 (1079)
Destination port: http (80)
Sequence number: 0 (relative sequence number)
Header length: 28 bytes
Flags: 0x0002 (SYN)
Window size: 65535
Checksum: 0x5c3c [correct]
Options: (8 bytes)
No. Time Source Destination Protocol Info
2 0.022698 62.146.25.34 192.168.1.101 TCP http > 1079 [SYN, ACK] Seq=0 Ack=1 Win=49368 Len=0 MSS=1452
Frame 2 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: D-Link_9b:09:44 (00:0d:88:9b:09:44), Dst: FujitsuS_81:79:ea (00:30:05:81:79:ea)
Internet Protocol, Src: 62.146.25.34 (62.146.25.34), Dst: 192.168.1.101 (192.168.1.101)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 48
Identification: 0x002f (47)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 50
Protocol: TCP (0x06)
Header checksum: 0x2ed8 [correct]
Source: 62.146.25.34 (62.146.25.34)
Destination: 192.168.1.101 (192.168.1.101)
Transmission Control Protocol, Src Port: http (80), Dst Port: 1079 (1079), Seq: 0, Ack: 1, Len: 0
Source port: http (80)
Destination port: 1079 (1079)
Sequence number: 0 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 28 bytes
Flags: 0x0012 (SYN, ACK)
Window size: 49368
Checksum: 0xd017 [correct]
Options: (8 bytes)
No. Time Source Destination Protocol Info
3 0.022749 192.168.1.101 62.146.25.34 TCP 1079 > http [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
Frame 3 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 40
Identification: 0x026a (618)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdea4 [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1079 (1079), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
Source port: 1079 (1079)
Destination port: http (80)
Sequence number: 1 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 65535
Checksum: 0x19dc [incorrect, should be 0xbdac]
No. Time Source Destination Protocol Info
4 0.022919 192.168.1.101 62.146.25.34 HTTP GET / HTTP/1.1
Frame 4 (476 bytes on wire, 476 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 462
Identification: 0x026b (619)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdcfd [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1079 (1079), Dst Port: http (80), Seq: 1, Ack: 1, Len: 422
Source port: 1079 (1079)
Destination port: http (80)
Sequence number: 1 (relative sequence number)
Next sequence number: 423 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 65535
Checksum: 0x1b82 [incorrect, should be 0xcda5]
Hypertext Transfer Protocol
No. Time Source Destination Protocol Info
5 3.013084 192.168.1.101 62.146.25.34 HTTP [TCP Retransmission] GET / HTTP/1.1
Frame 5 (476 bytes on wire, 476 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 462
Identification: 0x0276 (630)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdcf2 [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1079 (1079), Dst Port: http (80), Seq: 1, Ack: 1, Len: 422
Source port: 1079 (1079)
Destination port: http (80)
Sequence number: 1 (relative sequence number)
Next sequence number: 423 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 65535
Checksum: 0x1b82 [incorrect, should be 0xcda5]
SEQ/ACK analysis
Hypertext Transfer Protocol
No. Time Source Destination Protocol Info
6 9.029003 192.168.1.101 62.146.25.34 HTTP [TCP Retransmission] GET / HTTP/1.1
Frame 6 (476 bytes on wire, 476 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 462
Identification: 0x027f (639)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdce9 [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1079 (1079), Dst Port: http (80), Seq: 1, Ack: 1, Len: 422
Source port: 1079 (1079)
Destination port: http (80)
Sequence number: 1 (relative sequence number)
Next sequence number: 423 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 65535
Checksum: 0x1b82 [incorrect, should be 0xcda5]
SEQ/ACK analysis
Hypertext Transfer Protocol
No. Time Source Destination Protocol Info
7 21.060827 192.168.1.101 62.146.25.34 HTTP [TCP Retransmission] GET / HTTP/1.1
Frame 7 (476 bytes on wire, 476 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 462
Identification: 0x0284 (644)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdce4 [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1079 (1079), Dst Port: http (80), Seq: 1, Ack: 1, Len: 422
Source port: 1079 (1079)
Destination port: http (80)
Sequence number: 1 (relative sequence number)
Next sequence number: 423 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 65535
Checksum: 0x1b82 [incorrect, should be 0xcda5]
SEQ/ACK analysis
Hypertext Transfer Protocol
No. Time Source Destination Protocol Info
8 35.561984 192.168.1.101 62.146.25.34 TCP 1079 > http [FIN, ACK] Seq=423 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
Frame 8 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 40
Identification: 0x029a (666)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xde74 [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1079 (1079), Dst Port: http (80), Seq: 423, Ack: 1, Len: 0
Source port: 1079 (1079)
Destination port: http (80)
Sequence number: 423 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x0011 (FIN, ACK)
Window size: 65535
Checksum: 0x19dc [incorrect, should be 0xbc05]
"dump_success.txt":
No. Time Source Destination Protocol Info
1 0.000000 192.168.1.101 62.146.25.34 TCP 1083 > http [SYN] Seq=0 Len=0 MSS=1460
Frame 1 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 48
Identification: 0x02a3 (675)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xde63 [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1083 (1083), Dst Port: http (80), Seq: 0, Len: 0
Source port: 1083 (1083)
Destination port: http (80)
Sequence number: 0 (relative sequence number)
Header length: 28 bytes
Flags: 0x0002 (SYN)
Window size: 65535
Checksum: 0x70ca [correct]
Options: (8 bytes)
No. Time Source Destination Protocol Info
2 0.020553 62.146.25.34 192.168.1.101 TCP http > 1083 [SYN, ACK] Seq=0 Ack=1 Win=49368 Len=0 MSS=1452
Frame 2 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: D-Link_9b:09:44 (00:0d:88:9b:09:44), Dst: FujitsuS_81:79:ea (00:30:05:81:79:ea)
Internet Protocol, Src: 62.146.25.34 (62.146.25.34), Dst: 192.168.1.101 (192.168.1.101)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 48
Identification: 0x006b (107)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 50
Protocol: TCP (0x06)
Header checksum: 0x2e9c [correct]
Source: 62.146.25.34 (62.146.25.34)
Destination: 192.168.1.101 (192.168.1.101)
Transmission Control Protocol, Src Port: http (80), Dst Port: 1083 (1083), Seq: 0, Ack: 1, Len: 0
Source port: http (80)
Destination port: 1083 (1083)
Sequence number: 0 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 28 bytes
Flags: 0x0012 (SYN, ACK)
Window size: 49368
Checksum: 0xb530 [correct]
Options: (8 bytes)
No. Time Source Destination Protocol Info
3 0.020599 192.168.1.101 62.146.25.34 TCP 1083 > http [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
Frame 3 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 40
Identification: 0x02a4 (676)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xde6a [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1083 (1083), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
Source port: 1083 (1083)
Destination port: http (80)
Sequence number: 1 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 65535
Checksum: 0x19dc [incorrect, should be 0xa2c5]
No. Time Source Destination Protocol Info
4 0.020746 192.168.1.101 62.146.25.34 HTTP GET / HTTP/1.1
Frame 4 (476 bytes on wire, 476 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 462
Identification: 0x02a5 (677)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdcc3 [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1083 (1083), Dst Port: http (80), Seq: 1, Ack: 1, Len: 422
Source port: 1083 (1083)
Destination port: http (80)
Sequence number: 1 (relative sequence number)
Next sequence number: 423 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 65535
Checksum: 0x1b82 [incorrect, should be 0xb2be]
Hypertext Transfer Protocol
No. Time Source Destination Protocol Info
5 0.071290 62.146.25.34 192.168.1.101 TCP http > 1083 [ACK] Seq=1 Ack=423 Win=49368 Len=0
Frame 5 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: D-Link_9b:09:44 (00:0d:88:9b:09:44), Dst: FujitsuS_81:79:ea (00:30:05:81:79:ea)
Internet Protocol, Src: 62.146.25.34 (62.146.25.34), Dst: 192.168.1.101 (192.168.1.101)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 40
Identification: 0x006c (108)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 50
Protocol: TCP (0x06)
Header checksum: 0x2ea3 [correct]
Source: 62.146.25.34 (62.146.25.34)
Destination: 192.168.1.101 (192.168.1.101)
Transmission Control Protocol, Src Port: http (80), Dst Port: 1083 (1083), Seq: 1, Ack: 423, Len: 0
Source port: http (80)
Destination port: 1083 (1083)
Sequence number: 1 (relative sequence number)
Acknowledgement number: 423 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 49368
Checksum: 0xe046 [correct]
No. Time Source Destination Protocol Info
6 0.075838 62.146.25.34 192.168.1.101 HTTP HTTP/1.1 200 OK (text/html)
Frame 6 (413 bytes on wire, 413 bytes captured)
Ethernet II, Src: D-Link_9b:09:44 (00:0d:88:9b:09:44), Dst: FujitsuS_81:79:ea (00:30:05:81:79:ea)
Internet Protocol, Src: 62.146.25.34 (62.146.25.34), Dst: 192.168.1.101 (192.168.1.101)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 399
Identification: 0x006d (109)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 50
Protocol: TCP (0x06)
Header checksum: 0x2d3b [correct]
Source: 62.146.25.34 (62.146.25.34)
Destination: 192.168.1.101 (192.168.1.101)
Transmission Control Protocol, Src Port: http (80), Dst Port: 1083 (1083), Seq: 1, Ack: 423, Len: 359
Source port: http (80)
Destination port: 1083 (1083)
Sequence number: 1 (relative sequence number)
Next sequence number: 360 (relative sequence number)
Acknowledgement number: 423 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 49368
Checksum: 0x29b8 [correct]
Hypertext Transfer Protocol
Line-based text data: text/html
No. Time Source Destination Protocol Info
7 0.095473 192.168.1.101 62.146.25.34 HTTP GET /favicon.ico HTTP/1.1
Frame 7 (407 bytes on wire, 407 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 393
Identification: 0x02aa (682)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdd03 [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1083 (1083), Dst Port: http (80), Seq: 423, Ack: 360, Len: 353
Source port: 1083 (1083)
Destination port: http (80)
Sequence number: 423 (relative sequence number)
Next sequence number: 776 (relative sequence number)
Acknowledgement number: 360 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 65176
Checksum: 0x1b3d [incorrect, should be 0x1e0c]
Hypertext Transfer Protocol
No. Time Source Destination Protocol Info
8 0.139786 62.146.25.34 192.168.1.101 TCP http > 1083 [ACK] Seq=360 Ack=776 Win=49368 Len=0
Frame 8 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: D-Link_9b:09:44 (00:0d:88:9b:09:44), Dst: FujitsuS_81:79:ea (00:30:05:81:79:ea)
Internet Protocol, Src: 62.146.25.34 (62.146.25.34), Dst: 192.168.1.101 (192.168.1.101)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 40
Identification: 0x006e (110)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 50
Protocol: TCP (0x06)
Header checksum: 0x2ea1 [correct]
Source: 62.146.25.34 (62.146.25.34)
Destination: 192.168.1.101 (192.168.1.101)
Transmission Control Protocol, Src Port: http (80), Dst Port: 1083 (1083), Seq: 360, Ack: 776, Len: 0
Source port: http (80)
Destination port: 1083 (1083)
Sequence number: 360 (relative sequence number)
Acknowledgement number: 776 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 49368
Checksum: 0xdd7e [correct]
No. Time Source Destination Protocol Info
9 0.144850 62.146.25.34 192.168.1.101 HTTP HTTP/1.1 404 Not Found (text/html)
Frame 9 (464 bytes on wire, 464 bytes captured)
Ethernet II, Src: D-Link_9b:09:44 (00:0d:88:9b:09:44), Dst: FujitsuS_81:79:ea (00:30:05:81:79:ea)
Internet Protocol, Src: 62.146.25.34 (62.146.25.34), Dst: 192.168.1.101 (192.168.1.101)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 450
Identification: 0x006f (111)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 50
Protocol: TCP (0x06)
Header checksum: 0x2d06 [correct]
Source: 62.146.25.34 (62.146.25.34)
Destination: 192.168.1.101 (192.168.1.101)
Transmission Control Protocol, Src Port: http (80), Dst Port: 1083 (1083), Seq: 360, Ack: 776, Len: 410
Source port: http (80)
Destination port: 1083 (1083)
Sequence number: 360 (relative sequence number)
Next sequence number: 770 (relative sequence number)
Acknowledgement number: 776 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 49368
Checksum: 0x7a71 [correct]
Hypertext Transfer Protocol
Line-based text data: text/html
No. Time Source Destination Protocol Info
10 0.269307 192.168.1.101 62.146.25.34 TCP 1083 > http [ACK] Seq=776 Ack=770 Win=64766 [TCP CHECKSUM INCORRECT] Len=0
Frame 10 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: FujitsuS_81:79:ea (00:30:05:81:79:ea), Dst: D-Link_9b:09:44 (00:0d:88:9b:09:44)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 62.146.25.34 (62.146.25.34)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 40
Identification: 0x02af (687)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xde5f [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 62.146.25.34 (62.146.25.34)
Transmission Control Protocol, Src Port: 1083 (1083), Dst Port: http (80), Seq: 776, Ack: 770, Len: 0
Source port: 1083 (1083)
Destination port: http (80)
Sequence number: 776 (relative sequence number)
Acknowledgement number: 770 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 64766
Checksum: 0x19dc [incorrect, should be 0x9fbe]
lev wrote: This performance regression renders openvpn with a tun adapter unusable if client and server use kernel 3.14.
Thus I created a bug report: https://bugs.archlinux.org/task/40089
I actually noticed it to be an "either-or" type of thing; my Windows clients were seeing the same thing coming off a 3.14 openvpn server.
Yeah, weird issue. Like, I noticed spurts of even-powers-of-2 sized packets
Client connecting to 10.10.10.6, TCP port 5001
TCP window size: 416 KByte
[ 3] local 10.10.10.1 port 40643 connected with 10.10.10.6 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 2.0 sec 512 KBytes 2.10 Mbits/sec
[ 3] 2.0- 4.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 4.0- 6.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 6.0- 8.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 8.0-10.0 sec 128 KBytes 524 Kbits/sec
[ 3] 10.0-12.0 sec 128 KBytes 524 Kbits/sec
[ 3] 12.0-14.0 sec 512 KBytes 2.10 Mbits/sec
[ 3] 14.0-16.0 sec 128 KBytes 524 Kbits/sec
[ 3] 16.0-18.0 sec 512 KBytes 2.10 Mbits/sec
[ 3] 18.0-20.0 sec 128 KBytes 524 Kbits/sec
[ 3] 20.0-22.0 sec 384 KBytes 1.57 Mbits/sec
[ 3] 22.0-24.0 sec 256 KBytes 1.05 Mbits/sec
[ 3] 24.0-26.0 sec 512 KBytes 2.10 Mbits/sec
[ 3] 26.0-28.0 sec 384 KBytes 1.57 Mbits/sec
[ 3] 28.0-30.0 sec 256 KBytes 1.05 Mbits/sec
[ 3] 30.0-32.0 sec 128 KBytes 524 Kbits/sec
[ 3] 32.0-34.0 sec 640 KBytes 2.62 Mbits/sec
[ 3] 34.0-36.0 sec 384 KBytes 1.57 Mbits/sec
[ 3] 36.0-38.0 sec 384 KBytes 1.57 Mbits/sec
[ 3] 38.0-40.0 sec 384 KBytes 1.57 Mbits/sec
[ 3] 40.0-42.0 sec 128 KBytes 524 Kbits/sec
-
Sendmail and tcp_wrappers
Hi all,
According to the documentation, in Solaris 10 access to sendmail should be controllable through tcp_wrappers, but I can't seem to get it to work like it should.
I've edited the /etc/hosts.allow to this:
sendmail: 127.0.0.1
But when I try and connect from another machine it still allows me access:
[user@othermachine ~]$ telnet box 25
Trying 10.37.5.91...
Connected to box.
Escape character is '^]'.
220 box ESMTP Sendmail 8.13.6+Sun/8.13.6; Mon, 24 Apr 2006 14:57:08 +0200 (MEST)
I've used truss on the sendmail process, and can see it actually opening /etc/hosts.allow:
507: open("/etc/hosts.allow", O_RDONLY) = 6
507: fstat64(6, 0xFFBFCF58) = 0
507: fstat64(6, 0xFFBFCE00) = 0
507: ioctl(6, TCGETA, 0xFFBFCEE4) Err#25 ENOTTY
507: read(6, " s e n d m a i l : l o c".., 8192) = 122
507: read(6, 0x0016B71C, 8192) = 0
507: llseek(6, 0, SEEK_CUR) = 122
507: close(6) = 0
507: open("/etc/hosts.deny", O_RDONLY) = 6
507: fstat64(6, 0xFFBFCF58) = 0
507: fstat64(6, 0xFFBFCE00) = 0
507: ioctl(6, TCGETA, 0xFFBFCEE4) Err#25 ENOTTY
507: read(6, " A L L : A L L\n s e n d".., 8192) = 21
507: llseek(6, 0xFFFFFFFFFFFFFFF3, SEEK_CUR) = 8
507: close(6) = 0
507: fstat(4, 0xFFBFD338) = 0
507: time() = 1145882218
507: getpid() = 507 [475]
507: putmsg(4, 0xFFBFC9F0, 0xFFBFC9E4, 0) = 0
507: open("/var/run/syslog_door", O_RDONLY) = 6
I've also installed the latest sendmail patch ( 122856-01 ).
If anyone can shed some light on this, I'd appreciate it.
Thanks in advance!
Just went through this with support. Sendmail should use tcp wrappers by default.
Check:
If you run the command:
# /usr/lib/sendmail -d0.1 < /dev/null
Does the output show tcpwrappers as it does below:
# /usr/lib/sendmail -d0.1 < /dev/null
Version 8.13.4+Sun
Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
MIME8TO7 NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB NIS
NISPLUS PIPELINING SCANF STARTTLS TCPWRAPPERS USERDB
USE_LDAP_INIT XDEBUG
*** Now, the meat... if tcp wrappers is indicated as above, connect & try mail from command. sendmail always allows the connection, but if blocked by wrappers, mail from will be disallowed. It's not intuitive, since other tcp wrappers don't allow any connection when a host is denied. And, Sun ought to document better, since we're counting on them!
E.g. (mconnect is Solaris command, like telnet to port 25, actual info changed to protect us):
mconnect mailserver
connecting to host mailserver (10.1.1.25), port 25
connection open
220 mailserver.domain.net ESMTP Sendmail 8.13.6+Sun/8.13.6; Tue, 25 Apr 2006 14:54:45 -0400 (EDT)
MAIL FROM:[email protected]
550 5.0.0 Access denied
-
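The reply in the sendmail thread above says a 220 banner does not show whether tcp_wrappers is being enforced, because the denial only appears at MAIL FROM. The following is an added example, not code from the original posts: it drives the dialogue one step past the banner and classifies the reply. The function names, the probe sender address and the constructed stand-in server are assumptions made for the illustration.

```python
import socket
import threading


def read_reply(rfile):
    """Read one SMTP reply (possibly multi-line); return (code, full_text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # "250-text" means more lines follow; "250 text" ends the reply.
        if len(line) < 4 or line[3] != "-":
            break
    last = lines[-1]
    code = int(last[:3]) if last[:3].isdigit() else 0
    return code, "\n".join(lines)


def check_wrapper_enforcement(sock, sender="<probe@example.invalid>"):
    """Classify one client connection as 'denied', 'allowed' or 'inconclusive'.

    'denied' is the behaviour shown in the thread: the banner is served,
    then MAIL FROM is answered with "550 5.0.0 Access denied".
    The sender address is a constructed placeholder.
    """
    with sock.makefile("rb") as rfile:
        code, _ = read_reply(rfile)
        if code != 220:
            return "inconclusive"  # no normal banner, nothing to judge from
        sock.sendall(b"MAIL FROM:" + sender.encode("ascii") + b"\r\n")
        code, text = read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
    if code == 550 and "Access denied" in text:
        return "denied"
    if code == 250:
        return "allowed"
    return "inconclusive"  # any other reply needs a human to look at it


def _constructed_server(conn, mail_reply):
    """Constructed stand-in for sendmail: banner, one MAIL FROM reply, close."""
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(
            b"220 mailserver.domain.net ESMTP Sendmail 8.13.6+Sun/8.13.6\r\n"
        )
        if rfile.readline().upper().startswith(b"MAIL FROM:"):
            conn.sendall(mail_reply)
        rfile.readline()  # consume QUIT (or EOF) before closing


def run_against_constructed(mail_reply):
    """Run the check offline against the constructed server over a socketpair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=_constructed_server, args=(server, mail_reply))
    worker.start()
    try:
        return check_wrapper_enforcement(client)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    # Constructed replies: the first mirrors the transcript in the thread.
    for reply in (b"550 5.0.0 Access denied\r\n",
                  b"250 2.1.0 Sender ok\r\n",
                  b"451 4.0.0 Try again later\r\n"):
        print(reply.decode().strip(), "->", run_against_constructed(reply))
```
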
Where can I find Appraisal and IPF data for Employee for particular Year.
Hello,
I want to see appraisal data and IPF data for a particular employee for a particular year.
Please suggest Tables, Infotypes, T-Codes that I may use.
Thanks & Regards,
Labanya.
Hi Labanya
You should be able to see appraisal data through SE38 --> RHHAP_DISPLAY_DB or PHAP_SEARCH_PA.
Hope this helps
Best Regards
Reddy
-
Kernel panic with ipf and patch 125014-02?
Hi,
After bringing a bunch of Sparc servers running Solaris 10 up to current patch level I've been experiencing strange and unstable behavior. All servers are running with an ipfilter configuration.
One server has been freezing on the network interface at least once every day without any syslog notice. A reboot is the only way up again.
Now today one server (an Internet proxy server) did a kernel panic twice - never seen that before on this server.
It seems like it was caused by the kernel module ipf. And since it has never happened before I guess it could be caused by the IP filter patch 125014-02.
Anyone experiencing something similar and am I on the right track with suspecting this patch to be bad?
Thanks
Kasper
Message from syslog:
Feb 20 14:53:00 ceres unix: [ID 836849 kern.notice]
Feb 20 14:53:00 ceres ^Mpanic[cpu0]/thread=2a10053dcc0:
Feb 20 14:53:00 ceres unix: [ID 340138 kern.notice] BAD TRAP: type=31 rp=2a10053ca70 addr=18 mmu_fsr=0 occurred in module "ipf" due to a NULL pointer dereference
Feb 20 14:53:00 ceres unix: [ID 100000 kern.notice]
Feb 20 14:53:00 ceres unix: [ID 839527 kern.notice] sched:
Feb 20 14:53:00 ceres unix: [ID 520581 kern.notice] trap type = 0x31
Feb 20 14:53:00 ceres unix: [ID 381800 kern.notice] addr=0x18
Feb 20 14:53:00 ceres unix: [ID 101969 kern.notice] pid=0, pc=0x7bb3ad30, sp=0x2a10053c311, tstate=0x80001602, context=0x0
Feb 20 14:53:00 ceres unix: [ID 743441 kern.notice] g1-g7: 0, 0, 2621c, 1aa10, ea0a, 16, 2a10053dcc0
Feb 20 14:53:00 ceres unix: [ID 100000 kern.notice]
Feb 20 14:53:00 ceres genunix: [ID 723222 kern.notice] 000002a10053c790 unix:die+78 (31, 2a10053ca70, 18, 0, 2a10053c850, 1076000)
Feb 20 14:53:00 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000000001fff 0000000000000031 0000000001000000 0000000000002000
Feb 20 14:53:00 ceres %l4-7: 000000000181a1d8 000000000181a000 0000000000000000 00000000e85e2018
Feb 20 14:53:00 ceres genunix: [ID 723222 kern.notice] 000002a10053c870 unix:trap+9d4 (2a10053ca70, 10000, 1fff, 5, 0, 1)
Feb 20 14:53:00 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 00000000018364c0 0000000000000031 0000000000000000
Feb 20 14:53:00 ceres %l4-7: ffffffffffffe000 0000000000f250af 0000000000000001 0000000000000005
Feb 20 14:53:01 ceres genunix: [ID 723222 kern.notice] 000002a10053c9c0 unix:ktl0+48 (b80c, c006, b7f2, 3511, 1a, 82e1)
Feb 20 14:53:01 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000000000003 0000000000001400 0000000080001602 000000000101aa04
Feb 20 14:53:01 ceres %l4-7: 0000000000000008 00000600009a6e04 0000000000000006 000002a10053ca70
Feb 20 14:53:01 ceres genunix: [ID 562518 kern.notice] 000002a10053cb10 6 (0, 600009a6df0, 4, 600009a6e04, f332, 0)
Feb 20 14:53:01 ceres genunix: [ID 179002 kern.notice] %l0-3: 00000600009a6e14 0000000000000014 0000000000000006 0000000000000014
Feb 20 14:53:01 ceres %l4-7: 0000000000000028 0000000000000005 0000000000000045 0000000000000000
Feb 20 14:53:01 ceres genunix: [ID 723222 kern.notice] 000002a10053cbc0 ipf:appr_check+32c (2a10053cff8, 60002a0ef00, 0, 2a10053d000, 600010ad7b0, 0)
Feb 20 14:53:01 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 00000600009a6df0 00000600009a6e04 0000000000000000
Feb 20 14:53:01 ceres %l4-7: 000000000000ffff 00000000701734b8 000000000000ffff 000000000000fc00
Feb 20 14:53:01 ceres genunix: [ID 723222 kern.notice] 000002a10053cc70 ipf:fr_natout+248 (2a10053cff8, 60002a0ef00, 1, 600009a6e14, a85a, fffff4e3)
Feb 20 14:53:01 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 000006000115b500 0000060002a0f008 00000600009a6df0
Feb 20 14:53:01 ceres %l4-7: 0000000082e13511 0000000000000001 00000000701734b8 0000000000000001
Feb 20 14:53:01 ceres genunix: [ID 723222 kern.notice] 000002a10053cd20 ipf:fr_checknatout+4a8 (2a10053cff8, 6000115b500, 2a10053d000, 6000106bdf0, 70173388, fc)
Feb 20 14:53:02 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000080000000 0000000000040007 ffffffff00000000 0000000100000000
Feb 20 14:53:02 ceres %l4-7: 0000000082e13511 0000060002a0ef00 0000000000000000 0000000000000001
Feb 20 14:53:02 ceres genunix: [ID 723222 kern.notice] 000002a10053ce20 ipf:fr_fastroute+278 (600036e3000, 2a10053d188, 2a10053cff8, 0, 4, 6000106bdf0)
Feb 20 14:53:02 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 0000000000000000 000006000106bdf0 0000000000000001
Feb 20 14:53:02 ceres %l4-7: 00000600036e3040 000002a10053cfa8 00000600009a6df0 00000600009a6df0
Feb 20 14:53:02 ceres genunix: [ID 723222 kern.notice] 000002a10053cef0 ipf:fr_send_ip+168 (2a10053d258, 600036e3040, 2a10053d188, 4000, ff, 600009a6df0)
Feb 20 14:53:02 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000040000000 0000000000000000 0000000000000000 000000000000000e
Feb 20 14:53:02 ceres %l4-7: 0000060000b969c0 000002a10053d410 000006000106beac 0000060000aee2a0
Feb 20 14:53:02 ceres genunix: [ID 723222 kern.notice] 000002a10053d0d0 ipf:fr_send_reset+258 (2a10053d258, c006ea0a, 600009a6e04, 600009a6df0, 0, 82e13511)
Feb 20 14:53:02 ceres genunix: [ID 179002 kern.notice] %l0-3: 000002a10053d260 0000000000000000 00000600009a7de0 0000000000000028
Feb 20 14:53:02 ceres %l4-7: 0000000000000006 0000000000000045 0000000000000040 0000000000000040
Feb 20 14:53:03 ceres genunix: [ID 723222 kern.notice] 000002a10053d190 ipf:fr_check+59c (3000, 0, 0, 701720d0, 600022d5900, 2a10053d518)
Feb 20 14:53:03 ceres genunix: [ID 179002 kern.notice] %l0-3: 000002a10053d258 0000000000000001 0000000000000000 0000000000000000
Feb 20 14:53:03 ceres %l4-7: 000002a10053d254 0000000000000000 0000000040009101 0000000000080000
Feb 20 14:53:03 ceres genunix: [ID 723222 kern.notice] 000002a10053d330 pfil:pfil_precheck+6c8 (0, 1, 14, 6000106bdf0, 0, 0)
Feb 20 14:53:03 ceres genunix: [ID 179002 kern.notice] %l0-3: 000002a10053d410 00000600009a7e08 0000060001109900 000006000311b1c0
Feb 20 14:53:03 ceres %l4-7: 00000000700cfef0 0000000000000000 00000600009a7de0 0000000000000800
Feb 20 14:53:03 ceres genunix: [ID 723222 kern.notice] 000002a10053d460 pfil:pfilmodrput+2c0 (60000aee2a0, 6000311b1c0, 2a100538000, 41, 6000106bdf0, 0)
Feb 20 14:53:03 ceres genunix: [ID 179002 kern.notice] %l0-3: 00000000010076e4 0000000000000006 0000004480001600 00000000000007c8
Feb 20 14:53:03 ceres %l4-7: 00000300000b3c80 0000000023800000 0000000000000042 0000000000000043
Feb 20 14:53:03 ceres genunix: [ID 723222 kern.notice] 000002a10053d520 unix:putnext+218 (60000aee490, 60000aee2a0, 6000311b1c0, 100, 60000aee530, 0)
Feb 20 14:53:03 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 0000000000000000 0000000000000000 00000000000055d0
Feb 20 14:53:03 ceres %l4-7: 000000000000010d 000000007016ba40 000000007bb24418 fffffd5effac8000
Feb 20 14:53:04 ceres genunix: [ID 723222 kern.notice] 000002a10053d5d0 dld:dld_str_rx_fastpath+24 (60001043e08, 0, 6000311b1c0, e, 0, 0)
Feb 20 14:53:04 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000060001069f10 0000000000000006 000006000311b1c0 0000000000000000
Feb 20 14:53:04 ceres %l4-7: 0000000000000003 0000000000000003 0000060001069f54 0000000000001e71
Feb 20 14:53:04 ceres genunix: [ID 723222 kern.notice] 000002a10053d680 dls:i_dls_link_ether_rx+1c8 (0, 0, 133a850, 2a10053d740, 2a10053d748, 2a10053d730)
Feb 20 14:53:04 ceres genunix: [ID 179002 kern.notice] %l0-3: 000002a10053d738 0000000000000000 0000000000000000 00000600008c4940
Feb 20 14:53:04 ceres %l4-7: 0000060001061f80 0000060001061fa8 0000000000000001 0000000000000000
Feb 20 14:53:04 ceres genunix: [ID 723222 kern.notice] 000002a10053d770 mac:mac_rx+58 (6000105fce8, 0, 6000311b1c0, 133c5fc, 0, 6000105fa78)
Feb 20 14:53:04 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000000000005 00000600009a7d40 0000000000000002 0000000000000002
Feb 20 14:53:04 ceres %l4-7: 0000000000000001 0000000000000000 0000060000ac9308 0000000000000000
Feb 20 14:53:04 ceres genunix: [ID 723222 kern.notice] 000002a10053d820 bge:bge_receive+350 (60000e2fe10, 6000098f000, 0, 6000098fb40, 6000311b1c0, 6000311b1c0)
Feb 20 14:53:04 ceres genunix: [ID 179002 kern.notice] %l0-3: 00000300016c6800 00000600009908e0 000006000098f840 000006000311b1c0
Feb 20 14:53:04 ceres %l4-7: 00000300016db012 000000000000012e 0000000000000200 0000000000000040
Feb 20 14:53:05 ceres genunix: [ID 723222 kern.notice] 000002a10053d970 bge:bge_intr+108 (6000098f000, 18e0, 50000002a000000, 1800, 600009908e0, 1a20)
Feb 20 14:53:05 ceres genunix: [ID 179002 kern.notice] %l0-3: 0000000100000000 0000000000000000 0000000000000400 0000000000000002
Feb 20 14:53:05 ceres %l4-7: 0000000000001a20 0000000000006808 0000000000006800 00000300016db000
Feb 20 14:53:05 ceres genunix: [ID 723222 kern.notice] 000002a10053da20 pcisch:pci_intr_wrapper+b4 (300000c21c8, 60000b0b600, 0, 0, 0, 600010172d0)
Feb 20 14:53:05 ceres genunix: [ID 179002 kern.notice] %l0-3: 00000000018d3bb0 00000600009cc580 00000000018d3bf8 0000000000f26e20
Feb 20 14:53:05 ceres %l4-7: 00000300003e0970 000006000098f000 0000000000000000 000000007bb19110
Feb 20 14:53:05 ceres unix: [ID 100000 kern.notice]
Feb 20 14:53:05 ceres genunix: [ID 672855 kern.notice] syncing file systems...
Feb 20 14:53:05 ceres genunix: [ID 433738 kern.notice] [1]
Feb 20 14:53:05 ceres genunix: [ID 733762 kern.notice] 35
Feb 20 14:53:07 ceres genunix: [ID 433738 kern.notice] [1]
Feb 20 14:53:07 ceres genunix: [ID 733762 kern.notice] 28
Feb 20 14:53:08 ceres genunix: [ID 433738 kern.notice] [1]
Feb 20 14:53:29 ceres last message repeated 20 times
Feb 20 14:53:30 ceres genunix: [ID 622722 kern.notice] done (not all i/o completed)
Feb 20 14:53:33 ceres genunix: [ID 111219 kern.notice] dumping to /dev/dsk/c1t0d0s0, offset 430374912, content: kernel
Feb 20 14:53:40 ceres genunix: [ID 409368 kern.notice] ^M100% done: 20967 pages dumped, compression ratio 4.92,
Feb 20 14:53:40 ceres genunix: [ID 851671 kern.notice] dump succeeded
me too - I'm still waiting for a patch:
Case# 65340046 - panic due to IPF firewall
From: Fletcher Cocquyt
To: <[email protected]>
Date: Feb 12 2007 - 10:09am
We had another panic & reboot, so we will be forced to disable IPF firewall
(is svcadm disable sufficient, or do I need to do more to prevent the
panics?)
How can I be notified when there is a proper Sun patch to fix this?
thanks
-----Original Message-----
From: Fletcher Cocquyt
Sent: Tuesday, February 06, 2007 8:08 AM
To: '[email protected]'
Subject: RE: Case# 65340046
Is it IPF firewall related?
Will disabling ipf (until there is a fix) avoid this bug ?
Thanks
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, February 06, 2007 8:01 AM
To: fcocquyt@
Subject: Case# 65340046
Fletcher,
This system panic'd due to bug 6490522: S10 System panic bad mutex in ipf:fr_derefrule. Unfortunately at this time we do not have an official fix for this bug, however we do have a test binary built. Please let me know if you would like to test this binary on this system.
Thanks.
Christine Perrigo
Kernel Technical Support Engineer
Sun Services
http://www.sun.com/service/online
E-mail: [email protected]
1-800-USA4-SUN (option 1, option 1, then case #)
-
As you know Canon lists applications that use Apple's new printing path in a special cases file so that when choosing application manages color No Color Correction is selected.
I have now added LR3 to this file. This also includes PSCS5 and still includes the LR3B2.
http://www.dypinc.com/Canon/AppColorMatchingInfo.xml
The file goes here.
/Library/Printers/Canon/GARO/Frameworks/GARO_CUPS.framework/Versions/Current/Resources/AppColorMatchingInfo.xml
Make sure you save the original in case you want to go back to it.
Doyle
-
Pacman doesn't upgrade and update the system properly
It's been almost one and a half months that my system is not getting upgraded or updated; all I got is:
bhaskar@bhaskar-laptop_11:28:06_Mon Sep 06:/etc> sudo pacman -Syu
:: Synchronizing package databases...
core is up to date
extra is up to date
community is up to date
archlinuxfr is up to date
:: Starting full system upgrade...
there is nothing to do
Here is my mirrorlist URL, which I have been using for a long, long time:
Server = http://distro.ibiblio.org/pub/linux/dis … po/os/i686
Server = http://archlinux.mirrors.uk2.net/$repo/os/i686
Server = http://mirror.isoc.org.il/pub/archlinux/$repo/os/i686
Now please look at the installed packages. I am paranoid about system upgrade and update and I do it very frequently...
bhaskar@bhaskar-laptop_11:32:14_Mon Sep 06:/etc> sudo pacman -Q
a52dec 0.7.4-4
aalib 1.4rc5-6
abiword 2.8.6-1
acl 2.2.49-1
alsa-lib 1.0.23-1
apache 2.2.15-2
apr 1.4.2-1
apr-util 1.3.9-4
archlinux-artwork 1.6-1
aria2 1.9.5-1
artwiz-fonts 1.3-5
aspell 0.60.6-4
at-spi 1.30.1-1
atk 1.30.0-1
attica 0.1.3-1
attr 2.4.44-1
audiofile 0.2.7-1
autoconf 2.66-2
automake 1.11.1-1
avahi 0.6.25-3
babl 0.1.2-1
bash 4.1.007-1
bashdb 4.1_0.4-1
bcm43xx-fwcutter 006-1
beanshell 2.0b4-1
bin86 0.16.17-4
bind 9.7.1-1
binutils 2.20.1-3
bison 2.4.2-1
bluez 4.69-1
brasero 2.30.2-1
bridge-utils 1.4-3
bzip2 1.0.5-5
c-ares 1.7.3-1
ca-certificates 20090814-3
cabextract 1.2-2
cacti 0.8.7e-1
cairo 1.8.10-1
cairomm 1.8.4-1
capi4k-utils 050718-7
cdparanoia 10.2-2
cdrdao 1.2.3-4
cdrkit 1.1.10-1
chkrootkit 0.49-1
chromium 5.0.375.99-1
clamav 0.96.1-1
claws-mail 3.7.6-1
cloog-ppl 0.15.9-1
clucene 0.9.21b-1
compositeproto 0.4.1-1
consolekit 0.4.1-2
coreutils 8.5-2
cpio 2.11-2
cpufrequtils 008-1
cracklib 2.8.16-1
cryptsetup 1.1.3-1
curl 7.21.0-1
cyrus-sasl-plugins 2.1.23-2
damageproto 1.2.0-1
db 4.8.26-2
dbus 1.2.24-1
dbus-core 1.2.24-1
dbus-glib 0.86-1
dcron 4.4-2
ddrescue 1.11-1
desktop-file-utils 0.16-1
device-mapper 2.02.70-1
dhcpcd 5.2.5-1
dialog 1.1_20100428-1
diffutils 3.0-1
dirmngr 1.1.0rc1-1
dmapi 2.2.10-2
dmidecode 2.10-1
dmxproto 2.3-1
dnsutils 9.6.1-3
docbook-xml 4.5-4
dosfstools 3.0.9-1
dri2proto 2.3-1
dvd+rw-tools 7.1-2
e2fsprogs 1.41.12-1
ed 1.4-2
eggdbus 0.6-1
eject 2.1.5-4
empathy 2.30.2-1
enca 1.13-1
enchant 1.6.0-1
epiphany 2.30.2-1
esound 0.2.41-1
ethtool 6-2
eventlog 0.2.12-1
evince 2.30.3-1
evolution-data-server 2.30.2.1-1
exempi 2.1.1-1
exiv2 0.19-1
expat 2.0.1-5
faac 1.28-2
faad2 2.7-1
fakeroot 1.14.4-2
fam 2.7.0-14
farsight2 0.0.20-1
ffmpeg 24460-1
fftw 3.2.2-1
file 5.04-2
filesystem 2010.02-4
findutils 4.4.2-2
firefox 3.6.8-1
fixesproto 4.1.1-1
flac 1.2.1-2
flashplugin 10.1.53.64-1
flex 2.5.35-3
fluidsynth 1.1.1-2
fontcacheproto 0.1.3-1
fontconfig 2.8.0-1
fontsproto 2.1.0-1
freeglut 2.6.0-1
freetype2 2.4.1-1
fribidi 0.19.2-1
fuse 2.8.4-2
gawk 3.1.8-1
gcc 4.5.0-6
gcc-libs 4.5.0-6
gconf 2.28.1-1
gconf-editor 2.30.0-1
gd 2.0.36RC1-3
gdbm 1.8.3-7
gdk-pixbuf 0.22.0-7
gdm 2.30.4-1
gegl 0.1.2-1
gen-init-cpio 2.6.32-1
gettext 0.18.1.1-1
ghostscript 8.71-3
giflib 4.1.6-3
gimp 2.6.9-1
glib 1.2.10-8
glib2 2.24.1-1
glibc 2.12-4
glibmm 2.24.2-1
gmime 2.4.17-1
gmp 5.0.1-1
gnome-applets 2.30.0-1
gnome-backgrounds 2.30.0-1
gnome-control-center 2.30.1-1
gnome-desktop 2.30.2-1
gnome-disk-utility 2.30.1-1
gnome-doc-utils 0.20.1-1
gnome-icon-theme 2.30.3-1
gnome-js-common 0.1.2-1
gnome-keyring 2.30.3-1
gnome-media 2.30.0-2
gnome-menus 2.30.2-1
gnome-mime-data 2.18.0-4
gnome-panel 2.30.2-1
gnome-screensaver 2.30.0-1
gnome-session 2.30.2-1
gnome-settings-daemon 2.30.2-1
gnome-system-tools 2.30.2-1
gnome-terminal 2.30.2-1
gnome-themes 2.30.2-1
gnome-utils 2.30.0-1
gnome-vfs 2.24.3-2
gnome2-user-docs 2.30.0-1
gnupg 1.4.10-2
gnupg2 2.0.15-1
gnutls 2.8.6-1
gobject-introspection 0.6.14-1
gparted 0.6.1-1
gpgme 1.3.0-1
gpm 1.20.6-5
grep 2.6.3-1
groff 1.20.1-4
grub 0.97-17
gsfonts 1.0.7pre44-2
gstreamer0.10 0.10.29-1
gstreamer0.10-base 0.10.29-1
gstreamer0.10-base-plugins 0.10.29-1
gstreamer0.10-good 0.10.23-1
gstreamer0.10-good-plugins 0.10.23-1
gstreamer0.10-python 0.10.18-1
gtk 1.2.10-10
gtk-engines 2.20.1-1
gtk-smooth-engine 0.6.0.1-5
gtk2 2.20.1-2
gtkmm 2.20.3-1
gucharmap 2.30.2-1
gvfs 1.6.3-1
gzip 1.4-1
hal 0.5.14-4
hal-info 0.20091130-1
hdf5 1.8.4_patch1-1
hdparm 9.28-1
heimdal 1.3.3-1
hicolor-icon-theme 0.12-1
hsqldb-java 1.8.0.10-1
htop 0.8.3-1
hunspell 1.2.12-1
hwdetect 2010.07-1
hyphen 2.5-1
icon-naming-utils 0.8.90-1
icu 4.4.1-1
ifenslave 1.1.0-5
iftop 0.17-9
ilmbase 1.0.1-1
imlib2 1.4.4-1
inetutils 1.8-1
initscripts 2010.07-1
inputproto 2.0-1
intel-dri 7.8.2-1
intltool 0.41.1-1
iotop 0.4.1-1
ipcalc 0.41-3
iperf 2.0.4-1
iproute2 2.6.34-2
iptables 1.4.8-1
iptraf 3.0.0-2
iputils 20100214-2
ipw2100-fw 1.3-4
ipw2200-fw 3.1-2
ipw3945 1.2.2-1
ipw3945-ucode 1.14.2-1
ipw3945d 1.7.22-3
isdn4k-utils 3.2p1-5
iso-codes 3.14-1
jack 0.118.0-3
jasper 1.900.1-5
jdk 6u20-1
jfsutils 1.1.14-1
jre 6u20-1
k3b 2.0.0-2
kbd 1.15.2-1
kbproto 1.0.4-1
kdebase-runtime 4.4.5-1
kdelibs 4.4.5-1
kdemultimedia-kioslave 4.4.5-1
kernel26 2.6.34.1-1
kernel26-headers 2.6.34.1-1
ladspa 1.13-2
lame 3.98.4-1
lcms 1.18-3
less 436-1
libao 1.0.0-2
libarchive 2.8.4-1
libart-lgpl 2.3.21-1
libass 0.9.9-1
libassuan 2.0.0-1
libatasmart 0.17-1
libavc1394 0.5.3-3
libbeagle 0.3.9-1
libbonobo 2.24.3-1
libbonoboui 2.24.3-1
libcaca 0.99.beta17-1
libcanberra 0.23-1
libcap 2.19-1
libcddb 1.3.2-2
libcdio 0.82-1
libcroco 0.6.2-1
libcups 1.4.4-1
libdaemon 0.14-1
libdatrie 0.2.3-1
libdca 0.0.5-2
libdjvu 3.5.22-3
libdmx 1.1.0-1
libdownload 1.1-3
libdrm 2.4.21-1
libdv 1.0.0-3
libdvbpsi 0.1.7-1
libdvdnav 4.1.3-2
libdvdread 4.1.3-2
libebml 1.0.0-1
libelf 0.8.13-1
libetpan 1.0-1
libevent 1.4.14b-1
libexif 0.6.19-1
libfetch 2.32-1
libffi 3.0.9-1
libfm 0.1.12-1
libfontenc 1.0.5-1
libftdi 0.18-1
libgail-gnome 1.20.3-1
libgcrypt 1.4.6-1
libgl 7.8.2-1
libglade 2.6.4-1
libgnome 2.30.0-1
libgnome-keyring 2.30.1-1
libgnomecanvas 2.30.1-1
libgnomekbd 2.30.2-1
libgnomeui 2.24.3-1
libgpg-error 1.7-3
libgphoto2 2.4.9-1
libgraphite 2.3.1-1
libgsf 1.14.18-1
libgsf-gnome 1.14.18-1
libgssglue 0.1-2
libgtop 2.28.1-1
libgweather 2.30.2-1
libical 0.44-1
libice 1.0.6-1
libid3tag 0.15.1b-5
libidl2 0.8.14-1
libidn 1.16-1
libiec61883 1.2.0-1
libiodbc 3.52.7-4
libjpeg 8.0.2-1
libksba 1.0.7-1
libldap 2.4.22-1
libmad 0.15.1b-4
libmatroska 1.0.0-1
libmng 1.0.10-3
libmodplug 0.8.8.1-1
libmp4v2 1.9.1-1
libmpc 0.8.2-2
libmpcdec 1.2.6-2
libmpeg2 0.5.1-1
libmspack 0.0.20060920alpha-2
libmtp 1.0.2-1
libmysqlclient 5.1.47-1
libnewt 0.52.8-2
libnice 0.0.12-1
libnl 1.1-2
libnotify 0.4.5-1.1
libogg 1.2.0-1
liboil 0.3.17-1
liboobs 2.30.1-1
libpcap 1.1.1-1
libpciaccess 0.11.0-1
libpng 1.4.3-1
libproxy 0.3.1-1
libpurple 2.7.2-1
libraw1394 2.0.5-1
librpcsecgss 0.19-3
librsvg 2.26.3-1
libsamplerate 0.1.7-1
libsasl 2.1.23-4
libsexy 0.1.11-2
libshout 2.2.2-3
libsigc++ 2.2.8-1
libsm 1.1.1-1
libsndfile 1.0.21-1
libsoup 2.30.2-1
libsoup-gnome 2.30.2-1
libspectre 0.2.6-1
libssh 0.4.5-1
libstroke 0.5.1-3
libsynaptics 0.14.6c-4
libtasn1 2.6-1
libthai 0.1.14-1
libtheora 1.1.1-1
libtiff 3.9.4-1
libtirpc 0.2.1-1
libtool 2.2.10-1
libtracker 0.6.95-1
libunique 1.1.6-2
libusb 0.1.12-4
libv4l 0.6.4-1
libva 0.31.0_p13-2
libvdpau 0.4-1
libvisual 0.4.0-3
libvorbis 1.3.1-1
libvpx 0.9.1-1
libwebkit 1.2.3-1
libwmf 0.2.8.4-7
libwnck 2.30.2-1
libwpd 0.8.14-1
libx11 1.3.4-1
libx86 1.1-2
libxau 1.0.5-1
libxaw 1.0.7-1
libxcb 1.6-1
libxcomposite 0.4.2-1
libxcursor 1.1.10-1
libxdamage 1.1.3-1
libxdmcp 1.0.3-1
libxext 1.1.2-1
libxfixes 4.0.5-1
libxfont 1.4.2-1
libxfontcache 1.0.5-1
libxft 2.1.14-1
libxi 1.3-2
libxinerama 1.1-1
libxkbfile 1.0.6-1
libxklavier 5.0-1
libxml2 2.7.7-1
libxmu 1.0.5-1
libxp 1.0.0-3
libxpm 3.5.8-1
libxrandr 1.3.0-1
libxrender 0.9.6-1
libxres 1.0.4-1
libxslt 1.1.26-1
libxss 1.2.0-1
libxt 1.0.8-1
libxtst 1.1.0-1
libxv 1.0.5-1
libxvmc 1.0.5-1
libxxf86dga 1.1.1-1
libxxf86misc 1.0.2-1
libxxf86vm 1.1.0-1
licenses 2.6-1
lilo 22.8-4
linux-api-headers 2.6.34-1
linux-atm 2.5.1-1
linux-firmware 20100623-2
lirc-utils 0.8.6-3
logrotate 3.7.8-1
logwatch 7.3.6-3
I am not able to figure out why it is not getting updated or upgraded for the last month or so?
Please throw some light on it.
Thanks
Bhaskar
Last edited by jasonwryan (2010-09-06 06:44:07)
Still nothing. Even with that server this is what I get
# pacman -Syu
:: Synchronizing package databases...
core is up to date
extra is up to date
community is up to date
:: Starting full system upgrade...
warning: akonadi: local (1.4.0-1) is newer than extra (1.3.1-4)
warning: cabextract: local (1.3-1) is newer than extra (1.2-2)
warning: consolekit: local (0.4.1-3) is newer than extra (0.4.1-2)
warning: cups: local (1.4.4-2) is newer than extra (1.4.4-1)
warning: dhcpcd: local (5.2.7-1) is newer than core (5.2.5-1)
warning: farsight2: local (0.0.21-1) is newer than extra (0.0.20-1)
warning: filesystem: local (2010.07-1) is newer than core (2010.02-4)
warning: gimp: local (2.6.10-1) is newer than extra (2.6.9-1)
warning: gnupg2: local (2.0.16-1) is newer than extra (2.0.15-1)
warning: hplip: local (3.10.6-1) is newer than extra (3.10.5-1)
warning: jre: local (6u21-1) is newer than community (6u20-1)
warning: kdeadmin-kcron: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeadmin-ksystemlog: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeadmin-kuser: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeadmin-system-config-printer-kde: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-ark: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-kcalc: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-kcharselect: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-kdelirc: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-kdf: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-kfloppy: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-kgpg: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-ktimer: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-kwallet: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-okteta: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-printer-applet: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-superkaramba: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kdeutils-sweeper: local (4.4.5-2) is newer than extra (4.4.5-1)
warning: kernel26: local (2.6.34.2-2) is newer than core (2.6.34.1-1)
warning: ktorrent: local (4.0.2-1) is newer than extra (4.0.1-1)
warning: libcups: local (1.4.4-2) is newer than extra (1.4.4-1)
warning: libdrm: local (2.4.21-2) is newer than extra (2.4.21-1)
warning: libktorrent: local (1.0.2-1) is newer than extra (1.0.1-1)
warning: libnice: local (0.0.13-1) is newer than extra (0.0.12-1)
warning: module-init-tools: local (3.12-1) is newer than core (3.11.1-2)
warning: nvidia: local (256.44-1) is newer than extra (256.35-1)
warning: nvidia-utils: local (256.44-1) is newer than extra (256.35-4)
warning: perl: local (5.12.1-2) is newer than core (5.10.1-5)
warning: psmisc: local (22.12-1) is newer than core (22.11-1)
warning: pycups: local (1.9.51-1) is newer than extra (1.9.50-1)
warning: sqlite3: local (3.7.0.1-1) is newer than core (3.6.23.1-1)
warning: system-config-printer-common: local (1.2.3-1) is newer than extra (1.2.2-1)
warning: thunderbird: local (3.1.2-1) is newer than extra (3.1.1-1)
warning: tzdata: local (2010k-1) is newer than core (2010j-1)
warning: util-linux-ng: local (2.18-3) is newer than core (2.18-2)
warning: virtuoso: local (6.1.2-1) is newer than extra (6.1.1-1)
warning: xine-lib: local (1.1.19-1) is newer than extra (1.1.18.1-2)
there is nothing to do
-
Howto: Zones in private subnets using ipfilter's NAT and Port forwarding
This setup supports the following features:
* Requires 1 Network interface total.
* Supports 1 or more public ips.
* Allows Zone to Zone private network traffic.
* Allows internet access from the global zones.
* Allows direct (via ipfilter) internet access to ports in non-global zones.
(change networks to suit your needs, the number of public and private ip was lowered to simplify this doc)
Network setup:
iprb0 65.38.103.1/24
defaultrouter 65.38.103.254
iprb0:1 192.168.1.1/24 (in global zone)
Create a zone on iprb0 with an ip of 192.168.1.2
### Example /etc/ipf/ipnat.conf
# forward from a public port to a private zone port
rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
# force outbound zone traffic thru a certain ip address
# required for mail servers because of reverse lookup
map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
map iprb0 192.168.1.2/32 -> 65.38.103.1
# allow any 192.168.1.x zone to use the internet
map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map iprb0 192.168.1.0/24 -> 0/32
For testing purposes you can leave /etc/ipf/ipf.conf empty.
Be aware that you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload rules, and the rules stay loaded if they are just disabled (bug).
Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
Create /etc/init.d/zone_route_hack
Link this file to /etc/rc3.d/S99zone_route_hack.
#!/bin/sh
# based on information found at
# http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
# http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
fake_router=192.168.1.254
public_net=65.38.103.0
router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
# send some data to the real network router so we look up its arp address
ping -sn $router 1 1 >/dev/null
# record the arp address of the real router
router_arp=`arp $router | nawk '{print $4}'`
# delete any existing arp address entry for our fake private subnet router
arp -d $fake_router >/dev/null
# assign the real router's arp address to our fake private subnet router
arp -s $fake_router $router_arp
# route our private subnet through our fake private subnet router
route add default $fake_router
# Can't create this route until the zone/interface are loaded
# Adjust this based on your hardware and number of zones
sleep 300
# Duplicate this line for every non-global zone with a private ip that
# will have ipfilter rdr (redirects) pointing to it
route add -net $public_net 192.168.1.2 -iface
Now we have both public and private ip addresses on our one iprb0 interface. If we'd really like our private zone network to really be private we don't want any non-NAT'ed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones because they use loopbacks we can just block the 192.168.1.x traffic and the zones can still talk.
The following /etc/ipf/ipf.conf defaults to deny.
# ipf.conf
# IP Filter rules to be loaded during startup
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
# INCOMING DEFAULT DENY
block in all
block return-rst in proto tcp all
# two open ports one of which is redirected in ipnat.conf
pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
# INCOMING PING
pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
# INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
#pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
# OUTGOING RULES
block out all
# ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
# remove/edit as needed to actually talk to local private physical networks
block out quick from any to 192.168.0.0/16
block out quick from any to 172.16.0.0/12
block out quick from any to 10.0.0.0/8
block out quick from any to 0.0.0.0/8
block out quick from any to 127.0.0.0/8
block out quick from any to 169.254.0.0/16
block out quick from any to 192.0.2.0/24
block out quick from any to 204.152.64.0/23
block out quick from any to 224.0.0.0/3
# Allow traffic out the public interface on the public address
pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
# OUTGOING PING
pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
# Allow traffic out the public interface on the private address (needs nat and router arp hack)
pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
# OUTGOING PING
pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
# INCOMING TRACEROUTE FIX PART 2
#pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep state
If you want incoming and outgoing internet in your zones it is easier if you just give them public ips and set up a firewall in the global zone. If you have limited public ip addresses (I'm setting up a colocation 1u server) then you might take this approach. One of the best things about doing things this way is that any software configured in the non-global zones will never be configured to listen on an ip address that might change if you change public ips.
Instead of using the script as a legacy_run script, set it up in SMF.
First create the file /var/svc/manifest/system/ip-route-hack.xml with
the following
---Start---
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM
"/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
ident "@(#)ip-route-hack.xml 1.0 09/21/06"
-->
<service_bundle type='manifest' name='NATtrans:ip-route-hack'>
<service
name='system/ip-route-hack'
type='service'
version='1'>
<create_default_instance enabled='true' />
<single_instance />
<dependency
name='physical'
grouping='require_all'
type='service'
restart_on='none'>
<service_fmri value='svc:/network/physical:default' />
</dependency>
<dependency
name='loopback'
grouping='require_all'
type='service'
restart_on='none'>
<service_fmri value='svc:/network/loopback:default' />
</dependency>
<exec_method
type='method'
name='start'
exec='/lib/svc/method/svc-ip-route-hack start'
timeout_seconds='0' />
<property_group name='startd' type='framework'>
<propval name='duration' type='astring'
value='transient' />
</property_group>
<stability value='Unstable' />
<template>
<common_name>
<loctext xml:lang='C'>
Hack to allow zone to NAT translate.
</loctext>
</common_name>
<documentation>
<manpage
title='zones'
section='1M'
manpath='/usr/share/man' />
</documentation>
</template>
</service>
</service_bundle>
---End---
then modify /var/svc/manifest/system/zones.xml and add the following
dependency
---Start---
<dependency
name='inet-ip-route-hack'
type='service'
grouping='require_all'
restart_on='none'>
<service_fmri value='svc:/system/ip-route-hack' />
</dependency>
---End---
Finally create the file /lib/svc/method/svc-ip-route-hack with the
contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run
'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg
import /var/svc/manifest/system/zones.xml'.
This will guarantee that ip-route-hack is run before zones are started,
but after the interfaces are brought on line. It is worth noting that
zones.xml may get overwritten during a patch, so if it suddenly stops
working, that could be why.
-
Solaris 10 as router using ipfilter and nat
Hi,
I installed Solaris 10 on a second disk on an Ultra 5, but have no success using ipfilter with NAT.
I have it working on the first disk with Solaris 9 and ipfilter 3.4.35.
I have pfil on both interfaces (hme0 internal and qfe0 external-internet) and ipfilter enabled. I used the working rule sets from Solaris 9 and have ip-forwarding enabled. IPFilter is working on the external interface, but none of the hosts on the internal network can connect through the router to the internet, but they can ping both interfaces.
I had the same problem with Solaris 9 using ipfilter 4.x and had to go back to 3.4.35.
ipfstat shows all rules are loaded and ipnat -l shows the rules, but no connections. ndd -get /dev/ip ip_forwarding returns 1.
Following are my rules:
ipf.conf
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick proto tcp all with short
block in log quick proto icmp all with frag
block in log quick on qfe0 from 10.0.0.0/8 to any
block in log quick on qfe0 from 127.0.0.0/8 to any
block in log quick on qfe0 from 169.254.0.0/16 to any
block in log quick on qfe0 from 172.16.0.0/12 to any
block in log quick on qfe0 from 192.0.2.0/24 to any
block in log quick on qfe0 from 192.168.0.0/16 to any
block in log quick on qfe0 from 204.152.64.0/23 to any
block in log quick on qfe0 from 224.0.0.0/3 to any
block in log quick on qfe0 from aaa.aaa.aaa.0/24 to any
block in log quick on qfe0 from any to aaa.aaa.aaa.0/32
block in log quick on qfe0 from any to aaa.aaa.aaa.255/32
block in log on qfe0 all
block out quick on qfe0 proto tcp/udp from any port 136 >< 140 to any
block out quick on qfe0 proto tcp/udp from any to any port 136 >< 140
pass out quick on qfe0 proto tcp all flags S/SA keep state keep frags
pass out quick on qfe0 proto udp all keep state keep frags
pass out quick on qfe0 proto icmp all keep state keep frags
pass out quick on qfe0 all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on hme0 all
pass out quick on hme0 all
ipnat.conf:
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port ftp ftp/tcp
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port 7070 raudio/tcp
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port 1720 h323/tcp
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 portmap tcp/udp auto
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32
aaa.aaa.aaa.aaa = internal network
bbb.bbb.bbb.bbb = external
My routeadm statement shows:
Configuration              Current                  Current
Option                     Configuration            System State
IPv4 forwarding            enabled                  enabled
IPv4 routing               enabled                  enabled
IPv6 forwarding            disabled                 disabled
IPv6 routing               disabled                 disabled
IPv4 routing daemon        "/usr/sbin/in.routed"
IPv4 routing daemon args   ""
IPv4 routing daemon stop   "kill -TERM `cat /var/tmp/in.routed.pid`"
IPv6 routing daemon        "/usr/lib/inet/in.ripngd"
IPv6 routing daemon args   "-s"
IPv6 routing daemon stop   "kill -TERM `cat /var/tmp/in.ripngd.pid`"
Any suggestion what more checks I should do or what additional information is needed.
Regards,
Horst
-
Ipf: trying to understand the syntax
HI!
I would like to configure my ipf and am trying to understand its syntax.
For example:
pass in quick proto tcp from 129.97.0.0/16 to any port = 22 keep state
and
pass in quick on bge0 proto tcp from any to 0/32 port = 22 flags S keep state group 100 (# group 100 - inbound rules)
Both syntaxes are made to allow ssh, but what is the meaning of "to 0/32 port" or "129.97.0.0/16" and of "flags S keep state"?
Thanks.
There are some really important things to know about when doing serialization. For example, one important thing to know about that is not mentioned here is that your serializable classes must define their own private static final long serialVersionUID, because if you do not do that you will not be able to deserialize (read in) the data you have saved later if you change anything in your serializable class. It is a bit tricky to manage files to which you have serialized different versions of your class, that is, versions where you have added more serializable members to the class after you have serialized files. Well, it is not a problem if you don't care if you have to type in all your saved data again every time you change anything instead of deserializing it (reading it) from your file, of course :)
Situations like this may be handled if you define your own (private) writeObject(ObjectOutputStream) and your own readObject(ObjectInputStream) methods in your serializable class, but there is a better, a lot smarter way to handle this. Use a serialization proxy! How to use that is described in the excellent book Effective Java 2nd ed. With a serialization proxy for every serializable version of your class (where a version corresponds to a version of your class with differences in its number of serializable members), your class may deserialize data written from older versions of your class also. Actually, it is only since I read the last chapter of Effective Java that I think I have myself begun to understand serialization well enough, and I recommend you do the same to learn how to use serialization in practice.
-
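The ipf syntax asked about in the question above, and the default-deny ipf.conf from the zones Howto earlier on this page, can be read through a small model of how IP Filter decides on a TCP packet: rules are read top to bottom and the last match wins, `quick` stops at the first match, `from <net>/<bits>` is a CIDR source match, `flags S` selects the opening SYN, and `keep state` lets the rest of the connection through without further rule checks. This is an added example, not code from any poster or from IP Filter; the `Filter` class, the `tcp()` helper, the rule subset it parses and the 203.0.113.x / 198.51.100.x sample addresses are assumptions made here.

```python
import ipaddress
import re

# TCP-relevant rules copied from the Howto's ipf.conf on this page.
HOWTO_RULES = """
block in all
block return-rst in proto tcp all
pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
block out all
block out quick from any to 192.168.0.0/16
block out quick from any to 10.0.0.0/8
pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
"""

# First rule from the syntax question, placed behind a constructed default-deny line.
SYNTAX_RULES = """
block in all
pass in quick proto tcp from 129.97.0.0/16 to any port = 22 keep state
"""

# Only the keywords used in the rules above are recognised (an assumption of this model).
RULE_RE = re.compile(
    r"(?P<action>pass|block)(?: return-rst)? (?P<dir>in|out)(?: log)?"
    r"(?P<quick> quick)?(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?"
    r"(?: all| from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\d+))?)"
    r"(?P<flags> flags S)?(?P<state> keep state)?(?: keep frags)?$")


def parse(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported rule: " + line)
            rules.append(m.groupdict())
    return rules


def in_net(addr, spec):
    """'any' (or 'all') matches everything; a.b.c.d/n is a CIDR prefix match."""
    return spec in (None, "any") or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(rule, pkt):
    # flags S is modelled as "SYN set, ACK clear"; the exact default flag
    # mask differs between IP Filter versions.
    syn_only = "S" in pkt["flags"] and "A" not in pkt["flags"]
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, "tcp")      # this model sees TCP only
            and in_net(pkt["src"], rule["src"])
            and in_net(pkt["dst"], rule["dst"])
            and (rule["port"] is None or int(rule["port"]) == pkt["dport"])
            and (not rule["flags"] or syn_only))


def tcp(direction, src, sport, dst, dport, flags="S", iface="iprb0"):
    """Build a constructed TCP packet description."""
    return dict(dir=direction, src=src, sport=sport, dst=dst,
                dport=dport, flags=flags, iface=iface)


class Filter:
    def __init__(self, text):
        self.rules = parse(text)
        self.states = set()          # connections admitted by "keep state"

    def check(self, pkt):
        key = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        if key in self.states:       # state table is consulted before the rules
            return "pass (state)"
        verdict, hit = "pass", None  # IP Filter passes by default if nothing matches
        for rule in self.rules:
            if matches(rule, pkt):
                verdict, hit = rule["action"], rule   # last match wins...
                if rule["quick"]:
                    break                             # ...unless the rule is quick
        if verdict == "pass" and hit and hit["state"]:
            self.states.add(key)
        return verdict


if __name__ == "__main__":
    fw = Filter(HOWTO_RULES)
    print(fw.check(tcp("in", "203.0.113.5", 40000, "65.38.103.1", 22)))
    print(fw.check(tcp("out", "65.38.103.1", 22, "203.0.113.5", 40000, "SA")))
    print(fw.check(tcp("out", "192.168.1.2", 50000, "10.1.2.3", 22)))
```

The SYN/ACK reply to the inbound ssh connection is passed only because of the state entry; on a fresh `Filter` the same packet falls through to `block out all`, since `flags S` on the outbound pass rule does not match it.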
No syslog after enable ipf in Solaris 10
Hi,
As I'm a newbie in Solaris, I just configured a firewall by using IPF in Solaris 10. The firewall is working well except I can't see the blocked IP address and port number in syslog.
Please let me know how I can see the "block in and out" IP address.
Jon
Hello,
You need to define the "log" option also in your ipf.conf file.
For ex:
log in all
block in log quick on qfe2 proto icmp all
HTH,
Prabu.S
-
9.4.3 - Can't print my PDFs to a Canon IPF 8000s
Hi Everyone!
I would appreciate any advice regarding the above.
For the last two years, I have been able to create work in In-Design CS4 then export it via Acrobat Pro into a PDF and print successfully to a Canon IPF 8000s.
I have updated the various drivers, adobe software over this time and all has been well in my camp.
Just two weeks ago, the printhead on the Canon was changed....and since my printed posters are missing lettering, etc.
I've been chatting with the Canon guys and we've eliminated the printer as a problem.
The problem lies with Acrobat Pro 9.4.3
Is anyone having a similar problem with 9.4.3?
Cheers VW/MK
vivrainbow wrote:
Thanks for your time but I have no idea how to 'roll back to 10.6.6'. Discussions around this do not actually explain how to do it, well not in a way that makes me confident.
I have time machine but have never used it.
The odd thing is that some PDFs - eg those generated by my website - print perfectly. The ones that don't have been created in InDesign CS5.
Thanks
Vivienne
Go to Apple's website > support > downloads: download the X.6.6 Combo updater.
Download and save to a convenient location.
Locate the install disk that came with your computer.
Insert it into the DVD slot and let it mount.
Next, restart the computer holding down the C key.
Keep holding the C key down until the screen comes up for the Installer.
Release C and choose the desired language.
Install (it is similar to the old archive and install).
Make sure you install everything you want, even use custom install if necessary.
Restart. Do not open anything other than the X.6.6 Combo updater.
Install it.
Now go to the Apple menu and system update. It will find any updates needed since the combo installer.
Click to see more info.
Check anything in the list except the X.6.7 update.
Install all those items.
Now you should be good to go.