For some reason ipfilter is blocking inbound fragmented ip packets (the packets are larger than the interface's MTU) that are encapsulating UDP segments. The connection works, so I know ipfilter is letting some traffic through, it is just a lot slower than it should be.
Rules that allow the traffic:
Code:
pass in quick proto udp from pool/12 to any keep state
pass in quick proto tcp from pool/12 to any keep state
Rule ipmon reports as blocking the traffic (bottom line in ipf.conf):
Code:
block in log all
Sample log entries (hostname and IPs substituted for security reasons):
Code:
Dec 9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.543987 skge0 @0:39 b 127.0.0.1 -> 127.0.0.2 PR udp len 20 (1500) (frag 12001:1480@1480+-) IN
Dec 9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.544011 skge0 @0:39 b 127.0.0.1 -> 127.0.0.2 PR udp len 20 (1500) (frag 12001:1480@2960+-) IN
I should also add that when I turn ipfilter off, the connections performance improves drastically. In the listening services log, I see a lot of NACKs sent back to the sender with the firewall on, but hardly any with it off.
Any ideas?
Last edited by ilikecows; 12-12-2010 at 11:46 PM..
Reason: Added info
When discussing inodes and data blocks, I know Solaris creates these data blocks with a total size of 8192b, divided into eight 1024b "fragments." It stores data in "contiguous" fragments and solaris doesn't allow a file to use portions of two different fragments. If the file size permits, then the... (4 Replies)
how can I create a rule that will allow my machine to FTP to itself, but not allow other machines to FTP to it.. I know this sounds weird but this how they want it so they can test some application functionality that uses ftp. (2 Replies)
Hello,
| am trying to setup ipfilter on solaris express snv_91 but I don't seem to have the following file available.
/etc/ipf/pfil.ap
Is this an older way of configuring the interface?, I have all the packages installed.
Thanks, (1 Reply)
Dears,
i am a new user for using ipfilter in solaris 10
and i have some question about this:
by using ipfilter
for example
1- i want specific MAC address able to access hotmail only
2- also i want to make 10MB for this MAC address is a max download per day
3- i am asking about using MAC... (0 Replies)
Hi everybody,
I'm running on Solaris 10 X86 (update 1009).
I would like to make NAT's rule. I explain you.
On Solaris, I configure the principal interface e1000g0 with IP : 192.168.0.33
I created the first logical interface like that :
ifconfig e1000g0 addif 192.168.0.40 netmask... (0 Replies)
Howdy
My goal is to block locally the applications on a Solaris 10 server to access specific port on a remote machine. All attempts to access the <remote ip>:<remote port> should be rejected with ICMP port unreachable or with TCP RST.
I tried with the following:
block... (2 Replies)
I have a .xml file that looks something like this :
<measInfo>
.........
string1
.........
</measInfo>
<measInfo>
......
string2
........
</measInfo>
I want to extract only the 'chunk of file' from '<measInfo>' to '</measInfo>' containing string1 (or a certain string that I... (13 Replies)
among the below socket programming api's, please let me know which are blocking and non-blocking.
socket
accept
bind
listen
write
read
close (2 Replies)
I'm on OmniOS.
I have set a linux zone(lx zone) wich use 10.2.0.0/24 network.
The other network,connected to internet is 192.168.0.0/24
The network interface of 10.2.0.0/24 is bge1
The network interface of 192.168.0.0/24 is bge0
I know is more easy to use the same network but i prefer to... (1 Reply)
Code 1:
#!/bin/sh
for arg1 in "$@"
do
counter=0
for arg2 in "$@"
do
if &&
then
counter=$((counter+1))
continue
fi (8 Replies)
Discussion started by: johnprogrammer
8 Replies
LEARN ABOUT DEBIAN
filter_backends
FILTER BACKENDS(7) Miscellaneous Information Manual FILTER BACKENDS(7)NAME
filter_backends - output drivers for the filtergen packet filter compiler
INTRODUCTION
This document describes the status and feature-set of the currently available filtergen backends.
IPTABLES
Most development is done first against the iptables driver. It supports reject, masquerading, transparent proxying, logging (with text)
and sub-groups, all of which should work fine (though the latter has only recently been fixed).
IPCHAINS
The ipchains driver supports all of the above features, too. Its state model is much weaker though, of course. The forwarding support
should work OK, though it is not possible to support "local"-only packets.
IPFILTER
The ipfilter backend is incomplete. It supports accept, drop, reject and logging, but not masq, transproxy or sub-groups. It should be
easy for someone with knowledge of ipfilter to add support for the other features. Options for OpenBSD "pf" features and syntax would be
nice, too. It has received no testing; I don't even know if the generated filters are syntactically correct.
CISCO
The cisco driver is in roughly the same sort of state as the ipfilter one. Additionally, because of the limitations of IOS ACLs, it sup-
ports only a limited set of features. It cannot support reject or transparent proxying, and may not be able to support masquerading
either. An option for reflexive (stateful) ACLs would be very useful.
I understand that Cisco PIX firewalls use a variant of this syntax -- it would be very nice to support them too.
SEE ALSO filtergen(8), filter_syntax(5)
January 7, 2004 FILTER BACKENDS(7)