[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: insight on S10 ipfilter patch 125014-02?
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2007-03-09 11:01:27
Message-ID: 45F13E87.4030806 () reed ! wattle ! id ! au
[Download RAW message or body]

Jeff A. Earickson wrote:
> On Tue, 6 Mar 2007, Darren Reed wrote:
>
>> Date: Tue, 06 Mar 2007 11:43:32 -0800
>> From: Darren Reed <darrenr@reed.wattle.id.au>
>> To: Jeff A. Earickson <jaearick@colby.edu>
>> Cc: Carson Gaspar <carson@taltos.org>, ipfilter@coombs.anu.edu.au
>> Subject: Re: insight on S10 ipfilter patch 125014-02?
>>
>> Jeff A. Earickson wrote:
>>> ...
>>
>> It is IPMP and "keep state".
>> Unless you use ndd to define an IPMP interface group there, it
>> is not possible to use stateful filtering as "keep state" tries to bind
>> the connection to specific NICs but IPMP sends them out over
>> either one.
>>
>> You could also try this:
>>
>> pass in quick on -,- out-via -,- proto tcp from any to any port = 25
>> flags S keep state
>> pass out quick on -,- out-via -,- proto tcp from any to any port = 25
>> flags S keep state
>
> Darren,
>
> What goes in the "-,-" spots?  MAC,port?  Is the "out-via" keyword
> supported in ipfilter 4.1.9 (aka, Sun patch 125014-02)?  Sun version
> 4.0.3?  Or only in later public-domain releases?

It should be in both.
The rules above are literal text - using "-" as the interface name.
Except for one bug (see previous patch)..


> ...
> Then if I want to use "keep state" rules with this configuration, I have
> to set the value of qif_ipmp_set for pfil via ndd:
>
>    ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1
>
> Correct?  Is that it?  Then just write an init script to preserve the ndd
> setting across reboots?  Without the "ndd -set" my usage of IPMP and
> "keep state" rules is doomed to failure?

yes, yes yes, yes :)

I need to provide a place to do it in the pfil startup script.

Darren

[prev in list] [next in list] [prev in thread] [next in thread]