This is a discussion on ipfilter & NAT on Solaris 9 using sppp0 interface (pfil 2.1.6, ipfilter 4.1.8) within the IPFilter forums, part of the System Security and Security Related category.
I've got an urgent problem that appears to be similar to that described by Adam Summerfield here: http://www.mail-archive.com/ipfilter.../msg03815.html and possibly "deepred777" here: http://forum.sun.com/thread.jspa?thr...essageID=88292

I'm trying to use a SparcClassic running Solaris 9 as a firewall and to do some NAT with it. It has two internal network interfaces (le0 and le1) and, when connected to my ISP, one external network interface (sppp0) whose address is dynamically assigned each time I dial up (thus: I need to run ipf -y).

I believe that I have a working firewall on le0 and le1 because:

a) "strconf < /dev/le" returns:

    pfil
    le

b) "ifconfig le0 modlist" and "ifconfig le1 modlist" return:

    0 arp
    1 ip
    2 pfil
    3 le

c) "ndd /dev/pfil qifstatus" returns:

    ifname ill        q          OTHERQ     ipmp num sap hl nr   nw   bad copy copyfail drop notip nodata notdata
    le1    0xf5a3561c 0xf5dc7730 0xf5dc77b4 0x0  2   800 14 0    36   0   0    0        0    0     0      0
    le0    0xf5a3579c 0xf5c97010 0xf5c97094 0x0  0   800 14 4467 4540 0   0    0        0    0     0      0

d) installing a very minimal ipf.conf file (and activating it with "ipf -F a; ipf -f ipf.conf") that specified blocking all traffic on all interfaces resulted in the box refusing all traffic on le0 and le1. I've subsequently put in a more sane configuration. ;-)

However, it's not clear to me that the firewall is actually enabled and/or running on sppp0 because:

a) "strconf < /dev/sppp" returns:

    sppp

(of course I can only run this command when dialed in, otherwise there is no such device)

b) "ifconfig sppp0 modlist" returns:

    ifconfig: _I_MUXID2FD: sppp0: Invalid argument

c) I have this line in ipnat.conf:

    map sppp0 192.168.0.0/32 -> 0/32

(and "ipnat -l" shows it installed) yet sniffing packets on sppp0 with tcpdump shows that outbound traffic from my internal network isn't getting NAT'd: packets are being emitted on sppp0 with source addresses of 192.168.0.whatever. (BTW: le0 is connected to a network numbered 192.168.0.X. le1 is connected to one numbered 192.168.2.X which has nothing at all on it at the moment.)

d) I tried Adam's trick of putting "pfil" in /etc/ppp/options, but then pppd complains:

    pppd[550]: command line: device name /dev/pfil from /etc/ppp/options:3 cannot be overridden

I'm invoking pppd, by the way, with:

    /usr/local/bin/pppd debug connect '/usr/local/bin/chat -v "" ATDT1234567890 CONNECT' /dev/cua/pc0 57600 defaultroute user rsk@myisp.net debug

e) /etc/opt/pfil has a file in it (created when pfil was installed) named "iu.ap", with these contents:

    le -1 0 pfil

I'm wondering why sppp isn't mentioned there, but don't understand this well enough to know if that's wrong.

Bottom line: I'm not sure I have ipfilter actually running on sppp0. In fact: I'm kinda thinking I don't, which would explain why the box is routing packets but not doing anything to them. And (of course) I sorta need to have this working two days ago. ;-)

So any help or pointers or even slaps upside the head because I'm being a moron would be appreciated.

---Rsk
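The checks the post walks through by hand (is pfil in the interface's STREAMS module list, and does the pfil iu.ap autopush file name that interface's driver) can be scripted so every interface gets the same verdict. This is an added diagnostic, not code from the post or from the pfil/ipfilter packages; it parses constructed copies of the "ifconfig le0 modlist" and iu.ap contents quoted above, and the sppp0 module list it feeds in is hypothetical, since on the poster's box that command only returns an error. Each awk reads the "index module" lines of modlist output and the "driver minor lastminor module" lines of iu.ap.

```shell
#!/bin/sh
# Constructed sample of "ifconfig le0 modlist" output, as quoted in the post.
LE0_MODLIST='0 arp
1 ip
2 pfil
3 le'

# Constructed sample of /etc/opt/pfil/iu.ap contents, as quoted in the post.
IU_AP='le -1 0 pfil'

# Hypothetical module list for sppp0 (the real command errors on the poster's box).
SPPP0_MODLIST='0 ip
1 sppp'

# has_pfil MODLIST: succeeds when some line of the modlist names pfil as its module.
has_pfil() {
    printf '%s\n' "$1" | awk '$2 == "pfil" { found = 1 } END { exit found ? 0 : 1 }'
}

# driver_autopushed DRIVER IU_AP: succeeds when iu.ap has a line whose first
# field is the driver and whose last field is the pfil module.
driver_autopushed() {
    printf '%s\n' "$2" |
        awk -v drv="$1" '$1 == drv && $NF == "pfil" { found = 1 } END { exit found ? 0 : 1 }'
}

# check_iface IFNAME MODLIST IU_AP: prints one verdict line; returns 0 only when
# pfil is actually in the interface's stream.
check_iface() {
    ifname=$1; modlist=$2; iuap=$3
    drv=$(printf '%s' "$ifname" | sed 's/[0-9]*$//')   # le0 -> le, sppp0 -> sppp
    if has_pfil "$modlist"; then
        echo "$ifname: pfil present in stream"
        return 0
    fi
    if driver_autopushed "$drv" "$iuap"; then
        echo "$ifname: pfil missing from stream although $drv is listed in iu.ap"
    else
        echo "$ifname: pfil missing from stream and no iu.ap autopush entry for $drv"
    fi
    return 1
}

check_iface le0 "$LE0_MODLIST" "$IU_AP"
check_iface sppp0 "$SPPP0_MODLIST" "$IU_AP"
```

On a live Solaris 9 box the constructed strings would be replaced by the output of ifconfig IF modlist and the contents of /etc/opt/pfil/iu.ap; an interface reported as "missing from stream" is one on which ipf and ipnat rules cannot be seeing traffic, whatever ipnat -l lists.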