[SunHELP] ipfilter and IPMP

Francois Dion fdion at atriumwindows.com
Fri Jul 30 10:24:08 CDT 2004 

velociraptor wrote:

>On Thu, 29 Jul 2004 11:08:34 -0400, Francois Dion
><fdion at atriumwindows.com> wrote:
>
>  
>
>>I've defined a group for the lan:
>>block in quick on e1000g0 all head 100
>>block in quick on e1000g1 all head 110
>>
>>but is there a way for the state to be kept on either interface? Seems
>>packets are not coming back if they try to go back on a different interface.
>>    
>>
>
>add "keep state", e.g.:
>
>pass out quick proto tcp from any to any port = 80 keep state group 151
>  
>

I had been using that, but I was wondering how I could keep state 
between 2 groups, 100 and 110? Or could I possibly assign both g0 and g1 
to the same group?

>>On a similar note, how would one group the WAN interface and all it's
>>virtual IPs as one group? Assuming I have a block of 5 IPs assigned, I
>>set up iprb0 as the first IP, then hostname.iprb0:1 for the second thru
>>hostname.iprb0:4 for the last. If I specify something like:
>>
>>block in quick on iprb0 all head 200
>>is there a way to specify that this should include all virtual IPs?
>>    
>>
>
>I'm not a real genius with this stuff--I am just modding what the
>prev. admin had set up for our site (I need to read up on how the
>groups work--that's the part I don't quite understand).  Anyway, you
>can use netblock notation in rules, e.g.:
> pass out quick proto icmp from any to 192.168.1.0/24 group 250
>  
>
Been using that too. The group statement in front tough is bound to a 
specific interface. So I'm not sure how to specify  both physical and 
virtual interfaces as being part of the same group.

>I would assume you can do blocks on "from" as well.  We don't specify
>interfaces except in the default rule to block everything.  In the
>"allow" rules, we use IP's.  We, too are using IPMP.
>  
>
Obviously, ipfilter is a very flexible package, just quite complex. I'd 
like to find more solaris specific examples too... (due to virtual IPs, 
ipmp and the like).

Anyway, I'll continue playing around with this and I'll let you know 
what I find.

Francois

More information about the SunHELP mailing list