Re: IPFilter 4.1.10

12-15-2005
Horst Simon
 

I am running pfil 2.17 and ipfilter 4.1.0 on an Ultra 5 with Solaris 10 for
about 1 week without problems.

Regards,
Horst Simon

On Thu, 15 Dec 2005 08:37 am, Jeff A. Earickson wrote:
> Scott,
>
> I remember that I finally found pfil-2.1.7 by connecting to the
> following:
>
> ftp://coombs.anu.edu.au/pub/net/ip-filter/
>
> I just did this again and all I see there now besides the ipfilter
> versions is pfil-2.1.6.tar.gz and pfil-2.1.tar.gz. 2.1.7 is not
> there. Why not package pfil and ipfilter into the same tarball?
>
> BTW, I'll throw out that I had a production Solaris 10 box out
> of service for a few days, so I removed pfil 2.1.6 and ipfilter
> 4.1.8 and installed 2.1.7/4.1.10. I couldn't get the box to do
> much networkwise. It was real secure! :) I rolled back to
> 4.1.8 (leaving pfil 2.1.7) and it started acting right again.
> I know this is a vague complaint (4.1.9 would just hang the
> box, a Sun V210) but that is all I can report now. I had to
> get the V210 back into production.
>
> I'm installing Solaris 10 onto an old Ultra 5 for a test box,
> I hope to report more in a few days.
>
> Jeff Earickson
> Colby College
>
> On Wed, 14 Dec 2005, Scott Walker wrote:
> > Date: Wed, 14 Dec 2005 12:46:09 -0400
> > From: Scott Walker <crimson@unspeakable.org>
> > To: Jeff A. Earickson <jaearick@colby.edu>
> > Subject: Re: IPFilter 4.1.10
> >
> > Where did you manage to find it?
> >
> > Jeff A. Earickson wrote:
> >> Never mind, I found it... Could pfil be placed in the same
> >> directory as ipfilter please?
> >>
> >> On Thu, 8 Dec 2005, Jeff A. Earickson wrote:
> >>> Date: Thu, 8 Dec 2005 09:55:53 -0500 (EST)
> >>> From: Jeff A. Earickson <jaearick@colby.edu>
> >>> To: Darren Reed <darrenr@reed.wattle.id.au>
> >>> Cc: ipfilter@coombs.anu.edu.au
> >>> Subject: Re: IPFilter 4.1.10
> >>>
> >>> Darren,
> >>>
> >>> Is there a new version of pfil? I remember a mention of pfil-2.1.7
> >>> on the list a while back, but all I find on avalon is 2.1.6. Which
> >>> version of pfil should we use with 4.1.10?
> >>>
> >>> Jeff Earickson
> >>> Colby College
> >>>
> >>> On Thu, 8 Dec 2005, Darren Reed wrote:
> >>>> Date: Thu, 8 Dec 2005 21:23:20 +1100 (EST)
> >>>> From: Darren Reed <darrenr@reed.wattle.id.au>
> >>>> To: ipfilter@coombs.anu.edu.au
> >>>> Subject: IPFilter 4.1.10
> >>>>
> >>>>
> >>>> There are a couple of significant changes between 4.1.9 and 4.1.10.
> >>>>
> >>>> Firstly, after spending some time with gcov, I've taken steps to
> >>>> expand the number of lines of code that the test suite covers. I'll
> >>>> continue to work on expanding the coverage here until I'm satisfied
> >>>> that as much of the code can be tested with ipftest as possible.
> >>>>
> >>>> Next, there have been some problems on Solaris with sending TCP RST
> >>>> and ICMP packets back, causing panics due to bad use of locks. These
> >>>> problems have been licked.
> >>>>
> >>>> Lastly, I've spent some time closely analysing packet traces from
> >>>> situations where TCP out of window (OOW) packets have been resulting
> >>>> in RSTs being sent and the connections closed. As noted in an earlier
> >>>> email, there have been two contributors to this: window scaling being
> >>>> incorrectly turned off and bugs in Microsoft Windows XP/2000's TCP,
> >>>> especially SACK. My advice is that if you're having problems with
> >>>> "keep state" and TCP data transfers with Windows, disable SACK. To
> >>>> reduce the problem, RST packets are no longer sent if a packet is OOW,
> >>>> the offender will just be dropped.
> >>>>
> >>>> Of course there are other changes and bug fixes, including those
> >>>> posted to this list - see below for a bigger summary.
> >>>>
> >>>> http://coombs.anu.edu.au/~avalon/ip_fil4.1.10.tar.gz
> >>>>
> >>>> MD5 (ip_fil4.1.10.tar.gz) = 6d00cb091ba047738d2c14a23b3020ed
> >>>> MD5 (patch-4.1.10.gz) = b0bf95ffdbae2a3d877aadb214f68a97
> >>>>
> >>>> Darren
> >>>>
> >>>> 4.1.10 - Released 6 December 2005
> >>>>
> >>>> Expand regression testing to cover more features
> >>>>
> >>>> Add "coverage" build target for BSD
> >>>>
> >>>> Fix building 64bit sparc target for Solaris
> >>>>
> >>>> Add IPv6 mobility header to list of accepted keywords for V6 headers
> >>>>
> >>>> Resolve locking problems on Solaris when sending RST/icmp packets
> >>>>
> >>>> #ifdef's for IPFILTER_BPF need to check if words are defined before
> >>>> using them in comparisons
> >>>>
> >>>> Add checking for SACK permitted option in TCP SYN packets
> >>>>
> >>>> Fix loading anonymous pools from inline rule configuration groups
> >>>>
> >>>> Add -C command line option to ipftest
> >>>>
> >>>> Include extra "const" from NetBSD
> >>>>
> >>>> Don't require SIOCKSTLCK for SIOCSTPUT
> >>>>
> >>>> Fix some use of "sticky" on NAT rules
> >>>>
> >>>> Fix statistical counting of deleting state for TCP connections
> >>>>
> >>>> Fix compile problems caused by changes to is_opt/is_optmsk in
> >>>> ip_sync.c
> >>>>
> >>>> Fix TCP out-of-window (OOW) problems:
> >>>> - window scaling turned off if one chose for its scale factor
> >>>> - Microsoft Windows TCP sends the "next packet" to the right of the
> >>>> window when using SACK and filling in a hole
> >>>>
> >>>> 4.1.9 - Released 13 August 2005
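
The announcement quoted above ties the out-of-window drops to window scaling being wrongly treated as off and to SACK, and the changelog adds a check for the SACK-permitted option in SYN packets. The following is an added example, not IPFilter code and not part of the original post: a minimal C parser for the SYN option bytes a stateful filter has to remember before it can judge whether later segments are in window. Struct and function names are hypothetical; option kinds 3 and 4 and the shift cap of 14 come from RFC 7323 and RFC 2018.

```c
#include <stddef.h>
#include <stdint.h>

/* What a stateful filter has to remember from one side's SYN (hypothetical names). */
struct syn_opts {
    int     has_wscale;      /* window scale option seen, even with shift 0 */
    uint8_t wscale;          /* shift count, clamped to 14 (RFC 7323) */
    int     sack_permitted;  /* SACK-permitted option seen (RFC 2018) */
};

/* Parse the option bytes after the 20-byte TCP header of a SYN; -1 if malformed. */
int parse_syn_opts(const uint8_t *opt, size_t len, struct syn_opts *out)
{
    size_t i = 0;
    out->has_wscale = 0; out->wscale = 0; out->sack_permitted = 0;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == 0) break;                        /* end of option list */
        if (kind == 1) { i++; continue; }            /* NOP padding */
        if (i + 1 >= len) return -1;                 /* length byte missing */
        uint8_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len) return -1;   /* runs past the header */
        if (kind == 3) {                             /* window scale */
            if (olen != 3) return -1;
            out->has_wscale = 1;                     /* presence is tracked apart from the value */
            out->wscale = opt[i + 2] > 14 ? 14 : opt[i + 2];
        } else if (kind == 4) {                      /* SACK permitted */
            if (olen != 2) return -1;
            out->sack_permitted = 1;
        }
        i += olen;
    }
    return 0;
}

/* Window advertised by `from`: scaled only if BOTH SYNs carried the option. */
uint32_t effective_window(uint16_t raw, const struct syn_opts *from, const struct syn_opts *peer)
{
    return (from->has_wscale && peer->has_wscale) ? (uint32_t)raw << from->wscale : raw;
}
/* Constructed sample SYN options: A offers shift 0 plus SACK, B offers shift 7. */
static const uint8_t SYN_A[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 0, 1, 1, 4, 2 };
static const uint8_t SYN_B[] = { 2, 4, 0x05, 0xb4, 3, 3, 7, 1 };
int main(void)
{
    struct syn_opts a, b;
    if (parse_syn_opts(SYN_A, sizeof SYN_A, &a) || parse_syn_opts(SYN_B, sizeof SYN_B, &b)) return 1;
    return effective_window(1000, &b, &a) == 128000 ? 0 : 1;  /* B's window uses B's shift */
}
```

Keeping `has_wscale` separate from the shift value is what lets a filter distinguish "offered scaling with shift 0" from "did not offer scaling", which changes how the other side's advertised window must be interpreted.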
