ippool not working?

08-10-2006
Chet Burgess
 
All,
I am having a problem trying to use ippools in my
configuration. I have defined a simple pair of rules and a simple pool
to test with and I am running into problems. My ipf.conf is simply the
following.

block in log quick proto tcp/udp from 128.125.253.114 to any port = 22
block in log quick proto tcp/udp from pool/100 to any port = 22

My ippool.conf is as follows:

table role = ipf type = hash number = 100
{ 128.125.253.124/32; 128.125.253.214/32;
};

Connections from 128.125.253.114 are blocked correctly (because of the
first rule), but the IPs in the pool are not blocked. I suspect the
problem has something to do with the fact that the pool definition has
a ! next to it in ipfstat -io, but since I am new to ipf and ippools I am
not sure.

[root@msg-mx4 ipf]# ipfstat -io
empty list for ipfilter(out)
block in log quick proto tcp/udp from 128.125.253.114/32 to any port = 22
block in log quick proto tcp/udp from pool/100(!) to any port = 22

Anyone have any idea what I am doing wrong here?


Other potentially useful information that Phil's FAQ recommends.

[root@msg-mx4 ipf]# uname -a
SunOS msg-mx4.usc.edu 5.9 Generic_118558-19 sun4u sparc SUNW,Sun-Fire-V240
[root@msg-mx4 ipf]# isainfo -vk
64-bit sparcv9 kernel modules
[root@msg-mx4 ipf]# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 2
inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 128.125.137.9 netmask ffffffe0 broadcast 128.125.137.31
ether 0:3:ba:51:bc:fd
[root@msg-mx4 ipf]# netstat -rn

Routing Table: IPv4
Destination          Gateway              Flags Ref   Use    Interface
-------------------- -------------------- ----- ----- ------ ---------
128.125.137.0        128.125.137.9        U         1    100 bge0
224.0.0.0            128.125.137.9        U         1      0 bge0
default              128.125.137.1        UG        1    659
127.0.0.1            127.0.0.1            UH        1     10 lo0
[root@msg-mx4 ipf]# netstat -i
Name  Mtu  Net/Dest        Address   Ipkts   Ierrs Opkts   Oerrs Collis Queue
lo0   8232 loopback        localhost 269     0     269     0     0      0
bge0  1500 msg-mx4.usc.edu msg-mx4   1381209 0     1284851 0     0      0

[root@msg-mx4 ipf]# ipf -V
ipf: IP Filter: v4.1.13 (592)
Kernel: IP Filter: v4.1.13
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Feature mask: 0x187
[root@msg-mx4 ipf]# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 6 passed 1252102 nomatch 469596
counted 0 short 0
output packets: blocked 0 passed 1154179 nomatch 421689
counted 0 short 0
input packets logged: blocked 6 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 782506 (out): 732490
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 22 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 298714
Packet log flags set: (0)
none

--
Chet Burgess

Director, Systems Support
Information Technology Services
University of Southern California
cfb@usc.edu
213-740-5160
