[rescue] IPFILTER woes

Greg A. Woods woods at weird.com
Mon Feb 18 19:37:45 CST 2002


[ On Monday, February 18, 2002 at 19:16:44 (-0500), Brian Hechinger wrote: ]
> Subject: Re: [rescue] IPFILTER woes
>
> ugh, i'm sorry, i've been completely out of it.  you are of course, quite
> right.

No problem -- just wanted to make sure you knew you wouldn't be likely
to get much useful information out of us all if you didn't give us a
clue where to start!  ;-)

> ipf: IP Filter: v3.4.23 (400)
> Kernel: IP Filter: v3.4.23
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 1

Hmmmm.....  no major clues there, other than of course that you're
running the latest release and it appears to be installed properly.

> it's the precompiled 64bit package from uhm, wherever that's from. :)  let me
> look.  http://www.maraudingpirates.org/ipfilter/  i was going to try and build
> my own version, but haven't had a chance yet, it's on my list of things to do.

I'd be very wary of running a binary kernel module on my firewall (but
then I refuse to run anything on my firewall that I didn't build from my
own local copy of sources.... :-)  especially not on any production box....

> as far as kernel modules, modifications, it's just a stock Solaris 8 box with
> most features turned off.  it's running DiskSuite (mirrored disks) and IPFILTER
> and that's it.  well, it runs Apache for inbound ProxyPass work, but the other
> firewall didn't have that and still had the same symptoms, so i'd rule out
> apache as having anything to do with it.

How about disksuite -- there shouldn't be any interaction, but who knows?

> the config is available upon request.  i will not post it to a public forum. ;)

is it also running as a NAT?

> i seriously doubt it would solve the problem.  the thing that sets the sparc5
> apart from the others, is that it was many versions ago that ran on the sparc5.
> the sparc10 ran 3.4.22 so they are closely linked.  the solaris hanging issue
> seems to have been going on for several revisions now, even though i don't seem
> to be suffering from the same problem.

Ah, this is good information too, though it doesn't help me identify
your problem any better -- I'm sure the folks on the ipfilter mailing
list will be more in tune with the current state of things with the
specific software revisions you're using....  I'm still stuck on 3.4.16
(though with my next NetBSD-current source update it looks like 3.4.23
is on the way finally!)

> > Anyway I'd personally stay about as far away from any sparc64 stuff as
> > possible, at least for production use....
> 
> i'm sorry, that's just a rude comment for rude comment's sake.  i've been
> running sparc64+Solaris since they came out.

Hmmm....  sorry, but I'm very very very serious about that.  There are
inevitably still many LP64-related bugs in lots of software (e.g. the
latest security fix release of rsync is apparently broken on 64-bit
machines, and won't even compile on some 32-bit-only platforms! :-).

While I generally trust ipfilter's author to write good solid code, he's
not really that much more of an expert on 32-bit/64-bit portability
issues than many of the rest of us, having a great deal more experience
on the former than the latter, and his code has not had anywhere near as
much shakeout on 64-bit machines.

While even Darren Reed might disagree with me, I think you really are
asking for the potential of having "an interesting experience" by trying
to run ipfilter on a 64-bit machine.....

>  in production.  and not on my
> piddly little home systems either.  from maxed out UE6500 and down.  and they
> are more stable than most other hardware.  maybe not the most stable, but i've
> had great luck with them.

Hmmmm.... yeah, but if I remember correctly Sun "cheats" -- lots of
their own software doesn't yet run in full 64-bit mode.  The kernel
though is definitely 100% in 64-bit land, and ipfilter runs inside the
kernel.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>