[SunHELP] ipfilter and IPMP

velociraptor velociraptor at gmail.com
Thu Jul 29 12:31:28 CDT 2004


On Thu, 29 Jul 2004 11:08:34 -0400, Francois Dion
<fdion at atriumwindows.com> wrote:

> 
> I've defined a group for the lan:
> block in quick on e1000g0 all head 100
> block in quick on e1000g1 all head 110
> 
> but is there a way for the state to be kept on either interface? Seems
> packets are not coming back if they try to go back on a different interface.

add "keep state", e.g.:

pass out quick proto tcp from any to any port = 80 keep state group 151

> On a similar note, how would one group the WAN interface and all its
> virtual IPs as one group? Assuming I have a block of 5 IPs assigned, I
> set up iprb0 as the first IP, then hostname.iprb0:1 for the second thru
> hostname.iprb0:4 for the last. If I specify something like:
> 
> block in quick on iprb0 all head 200
> is there a way to specify that this should include all virtual IPs?

I'm not a real genius with this stuff--I am just modding what the
prev. admin had set up for our site (I need to read up on how the
groups work--that's the part I don't quite understand).  Anyway, you
can use netblock notation in rules, e.g.:
pass out quick proto icmp from any to 192.168.1.0/24 group 250

I would assume you can do blocks on "from" as well.  We don't specify
interfaces except in the default rule to block everything.  In the
"allow" rules, we use IPs.  We, too, are using IPMP.

=Nadine=
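Putting the two suggestions from this reply into one ruleset: "keep state" on the pass rules so replies are matched from the state table, and netblock notation so the WAN aliases are covered by a single rule. This is an added example, not a configuration from the thread or from either poster's site; interface names follow the thread, and every address (192.168.1.0/24 for the LAN, 203.0.113.16/29 standing in for the 5-address WAN block) is a constructed placeholder.

```ipf
# Added example ipf.conf (not from the original thread). Addresses are
# constructed placeholders; interface names are the ones in the thread.

# Per-interface default deny. Each "head" starts a group that is only
# evaluated when this rule matches; a "quick" rule inside the group
# decides the packet, otherwise the head's own block applies.
block in  quick on e1000g0 all head 100
block in  quick on e1000g1 all head 110
block out quick on e1000g0 all head 150
block out quick on e1000g1 all head 151
block in  quick on iprb0   all head 200
block out quick on iprb0   all head 250

# LAN side (e1000g0 and e1000g1 under IPMP). The same pass rule is
# attached to both inbound groups; "keep state" records the session so
# the reply is matched from the state table (checked before the rules)
# instead of needing an interface-specific pass rule of its own.
# "flags S" creates state only on the opening SYN, so a stray ACK does
# not get a table entry.
pass in quick proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state group 100
pass in quick proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state group 110

# Groups 150/151 are left empty on purpose: nothing originated by the
# firewall leaves via the LAN interfaces, and replies to the stateful
# sessions above still pass because the state check precedes the rules.

# WAN side. iprb0 and its aliases iprb0:1 .. iprb0:4 all sit inside one
# block, so the netblock stands in for "all virtual IPs". The quick block
# comes first so it wins over the broader pass for that one address.
block in quick from any to 203.0.113.22/32 group 200
pass in  quick proto tcp from any to 203.0.113.16/29 port = 25 flags S keep state group 200
pass out quick proto icmp from 203.0.113.16/29 to any icmp-type echo keep state group 250
```

Load it with `ipf -Fa -f /etc/ipf/ipf.conf` and confirm the groups attached as intended with `ipfstat -io`; `ipfstat -s` shows the state entries created by the "keep state" rules, which is the quickest way to see whether a return packet on the other IPMP interface is being matched from the table or falling through to the default block.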
