List:       ipfilter
Subject:    Re: pppOE / IPFilter
From:       Jim Sandoz <sandoz () lucent ! com>
Date:       2001-08-31 3:44:47

fazel,

a) write your rules for the Sppp0 interface.
b) don't write rules for the physical interface (elxl, iprb, mxfe, etc).
c) ipf 3.4.20 compiles just fine on solaris8 for x86.
    "make solaris" will do it;  but i like to enable
    statetop (see the Makefile) so i can see what's
    going on in real time.

jim

ps
if you need to nat/keep state on a large number of hosts,
take advantage of the ability of solaris to futz with
ipf's internals at boot-time via your /etc/system file, e.g.

...
* ipf table size settings
* see: http://false.net/ipfilter/2000_05/0100.html
* and: http://false.net/ipfilter/2000_07/0082.html
* and: http://www.utm.edu/research/primes/
* and: http://www.utm.edu/research/primes/lists/small/10000.txt
*
* notes:
* IPSTATE_MAX (=fr_statemax) should be ~70% of IPSTATE_SIZE
* IPSTATE_SIZE (=fr_statesize) has to be a prime number
*
* ipf: reduce ipf's default tcp state timeouts
set ipf:fr_tcpidletimeout = 172800
set ipf:fr_tcphalfclosed = 7200
*
* ipf: increase the state table sizes
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
*
* ipf: increase the NAT table sizes
* (n.b.: define'ing LARGE_NAT in ip_nat.h helps out as well)
set ipf:ipf_nattable_sz = 10009
set ipf:ipf_natrules_sz = 127
set ipf:ipf_rdrrules_sz = 127



"Vayalilagathu, Fazel" wrote:

>
> So, Can I assume that you wrote IPF rules for sppp0 and not for the actual
> Ethernet. Are you using IPF 3.4.20? Is there anything special we need to
> do for Solaris Intel for installing this version. Just curious. (I am
> going to face it anyway!)
>
> Thanks.
>
> Fazel Vayalilagathu
> UNIX Systems Support
> Sempra Energy
> ML      RB2000
> Phone (858) 613-3052
> Pager (888) 826-0968
>
> -----Original Message-----
> From: Greg [mailto:gonufer@yahoo.com]
> Sent: Thursday, August 30, 2001 12:59 PM
> To: Vayalilagathu, Fazel
> Cc: ipfilter@coombs.anu.edu.au
> Subject: Re: pppOE / IPFilter
>
> Vayalilagathu, Fazel wrote:
>
> > I have a question about my pppOE setup for ADSL on Solaris8 Intel Box. I
> > am using Sun PPPOE. I will be using IPFilter 3.4.20 for this. I have
> > interface mxfe0 (Ethernet) and  pseudo Sppp0 (pppOE) interface. Now. For
> > which interface should I write ipf rules?
>
> That's exactly what I'm doing except on Solaris 9.  I use a second,
> dedicated ethernet interface for the DSL modem.  *NO* IP frames
> traverse that link, ip_filter can't do much there.  All of the IP
> traffic happens on the sppp0 interface.
>
> -greg
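
An added example, not part of the original message: a small checker for the two sizing rules in the /etc/system notes above (fr_statesize prime, fr_statemax about 70% of it), plus a helper that picks a table size for a wanted state count. The function names, the 5-point tolerance around 70% and the sample text are assumptions made for this illustration.

```python
import re

# Constructed sample in /etc/system syntax, reusing the values from the message.
SAMPLE = """\
* ipf: increase the state table sizes
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
"""

SET_RE = re.compile(r"^\s*set\s+ipf:(\w+)\s*=\s*(\d+)\s*$")

def parse_ipf_tunables(text):
    """Return {name: value} for 'set ipf:<name> = <n>' lines; '*' lines are comments."""
    found = {}
    for line in text.splitlines():
        m = None if line.lstrip().startswith("*") else SET_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def is_prime(n):
    """Trial division; fine for table sizes of this magnitude."""
    if n < 2 or (n % 2 == 0 and n != 2):
        return False
    return all(n % d for d in range(3, int(n ** 0.5) + 1, 2))

def check_state_table(tunables, tolerance=0.05):
    """Check the two rules from the notes; tolerance around 70% is an assumption."""
    size, limit = tunables.get("fr_statesize"), tunables.get("fr_statemax")
    if not size or limit is None:
        return ["fr_statesize (non-zero) and fr_statemax must both be set"]
    problems = []
    if not is_prime(size):
        problems.append(f"fr_statesize={size} is not prime")
    if abs(limit / size - 0.70) > tolerance:
        problems.append(f"fr_statemax={limit} is {limit / size:.0%} of fr_statesize")
    return problems

def suggest_statesize(statemax):
    """Smallest prime p with statemax <= 70% of p (integer ceiling of statemax/0.7)."""
    p = (statemax * 10 + 6) // 7
    while not is_prime(p):
        p += 1
    return p

if __name__ == "__main__":
    print(check_state_table(parse_ipf_tunables(SAMPLE)) or "state table settings OK")
    print("suggested fr_statesize for 20000 states:", suggest_statesize(20000))
```
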
