This is a discussion on Re: IP Filter and IPMP on Solaris 10 (ipf 3.0.4, pfil 2.1.4) within the IPFilter forums, part of the System Security and Security Related category.
Hi,
I've set up a Solaris 9 (IPF 4.1.11) machine with IPMP and the following rules in "ipf.conf" for matching packets on incoming/outgoing interfaces under IPMP. This configuration is allowed in the 4.x versions of IPFilter, so I suggest upgrading the binaries you have. My initial ipf.conf rows are:

#-------------------------------------------------------
# Group setup.
# ==================================
# By default, block and log level local2.notice everything on external and internal interfaces
# except heartbeat interfaces
block in log level local2.notice on (ce4 ce7) all head 100
block out log level local2.notice on (ce4 ce7) all head 150
#-------------------------------------------------------

With this configuration, I merged the two interfaces (ce4 and ce7) into a single group (the incoming group and the outgoing group have different numbers), and the rules for authorizing traffic are (for example):

#
# Prevent IP spoofing.
#
block in log level local2.notice quick from 0.0.0.0/24 to any group 100

This is my interface configuration for IPMP on my machine:

----
root@XXXX> ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 3
        inet 127.0.0.1 netmask ff000000
ce4: flags=1000842<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 0.0.0.0 netmask ffffff80 broadcast 0.0.0.127
        groupname ims
        ether 0:3:ba:b1:d7:1c
ce4:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 10.1.101.61 netmask ffffff80 broadcast 10.1.101.127
ce7: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.1.101.27 netmask ffffff80 broadcast 10.1.101.127
        groupname ims
        ether 0:3:ba:b1:d7:1f
ce7:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 5
        inet 10.1.101.60 netmask ffffff80 broadcast 10.1.101.127
---

Hope this helps!
Cesare

----- Original Message -----
From: "Stuart Remphrey" <stuart.remphrey@rmit.edu.au>
To: <ipfilter@coombs.anu.edu.au>
Sent: Wednesday, November 29, 2006 5:21 AM
Subject: IP Filter and IPMP on Solaris 10 (ipf 3.0.4, pfil 2.1.4)

> G'day all,
>
> Trying to get Solaris IPMP (IP MultiPathing) group recognised by IP Filter,
> using the ipf & pfil as supplied with Solaris 10 (currently 6/06).
>
> I can define the IPMP groups as something like:
>
> ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1
> (it seems names besides ipmp can also be used, such as "db", "web",
> whatever)
>
> Then see them with:
>
> ndd -get /dev/pfil qif_ipmp_status
>
> Now, am I supposed to then use "on ipmp0" in a rule, something like:
>
> pass in log first quick on ipmp0 from X to Y port = 22 flags S keep state
> (or S/SA, S/SAFR, whatever)
>
> Incoming SSH does not match this rule, but if I change to "on ce0"
> it works as before (however then I'm concerned it may not track
> the state across to ce2 if the link or switch on ce0 fails).
>
> Rgds, Stuart.
>
> Stuart Remphrey
> RMIT ITS Infrastructure Services - Unix Systems
> Phone (03) 992 55 070 (or extension 55070)
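An added example, not code from either poster or from IPFilter, in Python: it reads the IPMP group membership out of the ifconfig -a output quoted above (the "groupname ims" lines) and then flags ipf.conf rules whose "on" clause names only some members of a group, which is exactly the failover gap Stuart describes with "on ce0". The ruleset below is constructed for this example: Cesare's two head rules and anti-spoofing rule, plus one hypothetical single-interface pass rule.

```python
import re
# Constructed sample: the 'ifconfig -a' output quoted in the post, trimmed to the ce4/ce7 lines.
IFCONFIG_SAMPLE = """\
ce4: flags=1000842<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 0.0.0.0 netmask ffffff80 broadcast 0.0.0.127
        groupname ims
ce4:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 10.1.101.61 netmask ffffff80 broadcast 10.1.101.127
ce7: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.1.101.27 netmask ffffff80 broadcast 10.1.101.127
        groupname ims
"""
# Constructed sample ruleset: the post's head and anti-spoofing rules plus one hypothetical
# single-interface pass rule, the shape that stops matching once IPMP fails traffic over to ce7.
IPF_SAMPLE = """\
# Group setup: block and log everything on the IPMP members, then authorize per group.
block in log level local2.notice on (ce4 ce7) all head 100
block out log level local2.notice on (ce4 ce7) all head 150
block in log level local2.notice quick from 0.0.0.0/24 to any group 100
pass in quick on ce4 proto tcp from any to any port = 22 flags S keep state group 100
"""

def ipmp_groups(ifconfig_text):
    """Return {group: set(members)} from 'ifconfig -a' output, e.g. {'ims': {'ce4', 'ce7'}}."""
    groups, current = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^([A-Za-z]+\d+)(?::\d+)?:\s+flags=", line)
        if head:  # 'ce4:' and the logical 'ce4:1:' both belong to physical interface ce4
            current = head.group(1)
            continue
        member = re.match(r"^\s+groupname\s+(\S+)", line)
        if member and current:
            groups.setdefault(member.group(1), set()).add(current)
    return groups

def rule_interfaces(rule):
    """Interfaces named by a rule's 'on' clause: 'on ce4' -> {'ce4'}; 'on (ce4 ce7)' -> {'ce4', 'ce7'}."""
    m = re.search(r"\bon\s+(\([^)]*\)|\S+)", rule)
    return set(re.split(r"[\s,]+", m.group(1).strip("()").strip())) if m else set()

def incomplete_group_rules(ipf_text, groups):
    """Flag (line, group, missing members) for rules naming only some members of an IPMP group."""
    findings = []
    for n, rule in enumerate(ipf_text.splitlines(), 1):
        rule = rule.split("#", 1)[0].strip()  # drop comments before looking for the 'on' clause
        ifaces = rule_interfaces(rule)
        for name, members in groups.items():
            if ifaces & members and not members <= ifaces:
                findings.append((n, name, sorted(members - ifaces)))
    return findings
```

Running `incomplete_group_rules(IPF_SAMPLE, ipmp_groups(IFCONFIG_SAMPLE))` reports only the single-interface pass rule on line 5, missing ce7; the head rules written as `on (ce4 ce7)` pass the check.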