Re: insight on S10 ipfilter patch 125014-02? (IPFilter forums, System Security and Security Related category)
On Wed, 7 Mar 2007, Jeff A. Earickson wrote:
> Date: Wed, 7 Mar 2007 10:23:48 -0500 (EST)
> From: Jeff A. Earickson <jaearick@colby.edu>
> To: ipfilter@coombs.anu.edu.au
> Subject: Re: insight on S10 ipfilter patch 125014-02?
>
> On Tue, 6 Mar 2007, Darren Reed wrote:
>
>> Date: Tue, 06 Mar 2007 11:43:32 -0800
>> From: Darren Reed <darrenr@reed.wattle.id.au>
>> To: Jeff A. Earickson <jaearick@colby.edu>
>> Cc: Carson Gaspar <carson@taltos.org>, ipfilter@coombs.anu.edu.au
>> Subject: Re: insight on S10 ipfilter patch 125014-02?
>>
>> Jeff A. Earickson wrote:
>>> ...
>>
>> It is IPMP and "keep state".
>> Unless you use ndd to define an IPMP interface group there, it
>> is not possible to use stateful filtering as "keep state" tries to bind
>> the connection to specific NICs but IPMP sends them out over
>> either one.
>>
>> You could also try this:
>>
>> pass in quick on -,- out-via -,- proto tcp from any to any port = 25
>> flags S keep state
>> pass out quick on -,- out-via -,- proto tcp from any to any port = 25
>> flags S keep state
>
> Darren,
>
> What goes in the "-,-" spots? MAC,port? Is the "out-via" keyword
> supported in ipfilter 4.1.9 (aka, Sun patch 125014-02)? Sun version
> 4.0.3? Or only in later public-domain releases? I didn't find any reference
> to this in the Sun Doc 816-4554-12 (System Administration Guide: IP Services)
> or the old IPF how-to doc. In my case, I am now using
> Sun's version of ipf and not the public-domain version in Solaris 10,
> due to political reasons of Sun support.
>
> This whole issue of ipfilter and IPMP really needs an entry in Phil
> Dibowitz's FAQ.
>
> To summarize my case, where link-based IPMP (Solaris 10) is configured with
> /etc/hostname.ce0 containing:
>
> 137.146.28.72 netmask + broadcast + group ipmp0 up
>
> and /etc/hostname.ce1 containing:
>
> group ipmp0 up
>
> to yield an "ifconfig -a" that looks like:
>
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>         inet 137.146.28.72 netmask ffffffc0 broadcast 137.146.28.127
>         groupname ipmp0
>         ether 0:14:4f:1:d:7f
> ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>         inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
>         groupname ipmp0
>         ether 0:14:4f:1:d:7e
>
> Then if I want to use "keep state" rules with this configuration, I have
> to set the value of qif_ipmp_set for pfil via ndd:
>
> ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1
>
> Correct? Is that it? Then just write an init script to preserve the ndd
> setting across reboots? Without the "ndd -set" my usage of IPMP and "keep
> state" rules is doomed to failure?

Replying to myself... I did the "ndd set", changed back to my previous "keep state" rules for ports 25 and 587, and noticed that my email to some problem sites was piling up again. I changed back to Carson's stateless rules and the email started moving again. So, ndd twiddles don't do it.

Jeff Earickson
Colby College
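The message above asks whether the `ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1` setting should simply be put in an init script. The following is an added example, not code from the thread or from Sun/IPFilter: a POSIX shell snippet that derives the `group=if1,if2` value from `ifconfig -a` output (the format quoted in the message, embedded here as a constructed sample) instead of hard-coding interface names, and prints the resulting `ndd` command line for each IPMP group found. The `ndd` parameter name and device path are taken from the thread; the assumption that every IPMP member shows a `groupname` line in `ifconfig -a` output is mine. Note that the thread's own follow-up reports that this setting alone did not make "keep state" rules behave under IPMP.

```shell
#!/bin/sh
# Added example (not from the thread): compute the pfil qif_ipmp_set value
# from Solaris 10 "ifconfig -a" text so an init script does not hard-code
# NIC names. Assumes the output format quoted in the thread.

# Constructed sample: the "ifconfig -a" output quoted in the message.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 137.146.28.72 netmask ffffffc0 broadcast 137.146.28.127
        groupname ipmp0
        ether 0:14:4f:1:d:7f
ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
        groupname ipmp0
        ether 0:14:4f:1:d:7e'

# ipmp_groups: read "ifconfig -a" text on stdin and print one
# "group=if1,if2,..." line per IPMP group, members in order of appearance.
# An interface header line ("ce0: flags=...") sets the current interface;
# an indented "groupname X" line assigns that interface to group X.
ipmp_groups() {
    awk '
        /^[a-z0-9]+:/ { iface = $1; sub(/:$/, "", iface); next }
        $1 == "groupname" {
            g = $2
            if (!(g in members)) { order[++n] = g; members[g] = iface }
            else members[g] = members[g] "," iface
        }
        END { for (i = 1; i <= n; i++) print order[i] "=" members[order[i]] }
    '
}

# ndd_cmd: read "ifconfig -a" text on stdin and print the ndd command line
# that would be run for each IPMP group. Printing rather than executing keeps
# the snippet runnable on non-Solaris hosts; an init script would pipe this
# through sh after review.
ndd_cmd() {
    ipmp_groups | while read -r spec; do
        printf 'ndd -set /dev/pfil qif_ipmp_set %s\n' "$spec"
    done
}

# Usage on a real Solaris 10 host:  ifconfig -a | ndd_cmd
# Here it runs on the constructed sample and prints:
#   ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1
printf '%s\n' "$SAMPLE_IFCONFIG" | ndd_cmd
```

The parser keys on the `groupname` line rather than on the `hostname.*` files so that a logical interface without its own address (like `ce1` above, which has `inet 0.0.0.0`) is still counted as a member of the group.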