This is a discussion on Re: insight on S10 ipfilter patch 125014-02? within the IPFilter forums, part of the System Security and Security Related category.
Jeff A. Earickson wrote:
> Darren,
>
> If I change my port 25 rule from:
>
> pass in quick proto tcp from any to 137.146.28.72 port = 25 flags S keep state keep frags
> pass out quick proto tcp from 137.146.28.72 to any port = 25 flags S keep state keep frags
>
> to:
>
> pass in quick proto tcp from any to 137.146.28.72 port = 25
> pass out quick proto tcp from 137.146.28.72 to any port = 25
>
> Then all/most of my email traffic halts. I am using Sun multipathing,

If you want stateless rules, then you need to allow reply packets, which you haven't done. Try the following (syntax from memory, so...):

pass out quick proto tcp from 137.146.28.72 to any port = 25
pass in quick proto tcp from any port = 25 to 137.146.28.72 port > 32767 flags A/A
pass in quick proto tcp from any to 137.146.28.72 port = 25
pass out quick proto tcp from 137.146.28.72 port = 25 to any port > 1023 flags A/A

You'll note that the inbound rule is more restrictive with ports. You've said you're running Solaris, so the anonymous port range is 32768-65535 (unless you've changed it). The Internet has a much broader range of anonymous ports (but always >= 1024, in my experience). Personally, I'd get rid of the outbound ACK rule port restriction entirely, unless you have naughty users running things on your mail server...

-- Carson
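The stateless-rule failure Carson describes, as an added example that is not part of the thread or of IPFilter itself: a small first-match evaluator for the rules above, run over a constructed SMTP handshake in each direction, shows which packets Jeff's two-rule set drops and why the ACK-only reply rules fix it. The remote addresses 198.51.100.7 and 203.0.113.9, the ephemeral port numbers and the default-block policy are assumptions; "flags A/A" is modelled simply as "ACK bit set".

```python
from collections import namedtuple

MAILHOST = "137.146.28.72"   # the mail server address from the thread

# A packet as seen by the firewall host; flags holds the TCP flag letters set, e.g. "SA".
Pkt = namedtuple("Pkt", "direction src sport dst dport flags")
# A stateless ipf-style rule: None means "any"; ports are (op, value) with op "=" or ">";
# ack_only models "flags A/A" (ACK bit must be set, other bits ignored).
Rule = namedtuple("Rule", "direction src sport dst dport ack_only",
                  defaults=(None, None, None, None, False))

def _port_ok(cond, port):
    return cond is None or (port == cond[1] if cond[0] == "=" else port > cond[1])

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.src in (None, pkt.src) and rule.dst in (None, pkt.dst)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)
            and (not rule.ack_only or "A" in pkt.flags))

def verdicts(rules, pkts):
    # All rules in the thread are 'pass ... quick', so the first match passes the packet;
    # with no match we assume the ruleset's default policy is block.
    return ["pass" if any(matches(r, p) for r in rules) else "block" for p in pkts]

# Jeff's stateless pair: only packets whose *destination* port is 25 get through.
BROKEN = [Rule("in", dst=MAILHOST, dport=("=", 25)),
          Rule("out", src=MAILHOST, dport=("=", 25))]

# Carson's four rules: the same two plus ACK-only reply rules (Solaris anonymous ports
# 32768-65535 inbound, anything above 1023 outbound).
FIXED = [Rule("out", src=MAILHOST, dport=("=", 25)),
         Rule("in", sport=("=", 25), dst=MAILHOST, dport=(">", 32767), ack_only=True),
         Rule("in", dst=MAILHOST, dport=("=", 25)),
         Rule("out", src=MAILHOST, sport=("=", 25), dport=(">", 1023), ack_only=True)]

# Constructed sample traffic: an inbound SMTP handshake from 198.51.100.7, an outbound
# SMTP handshake to 203.0.113.9, then a bare SYN arriving from source port 25.
REMOTE_IN, REMOTE_OUT = "198.51.100.7", "203.0.113.9"
PKTS = [Pkt("in", REMOTE_IN, 50000, MAILHOST, 25, "S"),
        Pkt("out", MAILHOST, 25, REMOTE_IN, 50000, "SA"),   # reply: dropped by BROKEN
        Pkt("in", REMOTE_IN, 50000, MAILHOST, 25, "A"),
        Pkt("out", MAILHOST, 40000, REMOTE_OUT, 25, "S"),
        Pkt("in", REMOTE_OUT, 25, MAILHOST, 40000, "SA"),   # reply: dropped by BROKEN
        Pkt("out", MAILHOST, 40000, REMOTE_OUT, 25, "A"),
        Pkt("in", REMOTE_OUT, 25, MAILHOST, 40000, "S")]    # not a reply: blocked by both

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, verdicts(rules, PKTS))
```

The last packet shows what the ACK requirement buys: a plain SYN from source port 25 to a high port is not a reply and stays blocked under both rule sets.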