SUMMARY: pfil/ipfilter problem

From: Grzegorz Bakalarski <G.Bakalarski_at_icm.edu.pl>
Date: Tue Mar 02 2004 - 09:06:22 EST

Dear Readers,


I've recently asked a question about IPFilter (see below).
Finally I've got info from the developers' team that this is a known
problem and will be fixed in the next release of IPF (4.1.1).
So my statement is that one should not use IPF v4.1 with Solaris 9
on production servers.
In the end I downgraded to v. 3.4.33 and ipf looks to be working.

Kind regards,


GB

----- Original query -----

Dear All

Machine is Sun Fire V440, 4x1Ghz 8GB memory, Solaris 9 12/03 + recommended patches.

I try to install IPFilter 4.1. I downloaded the pfil and ipf source from:

http://coombs.anu.edu.au/ipfilter/ipf-mentat.html

compiled & installed. Then configured pfil for ce0 according to the instructions
(README) and configured ipf via /etc/opt/ipf/ipf.conf. I started filtering ...
All worked excellently! Then I rebooted the machine and during boot I can see:

ipfilter: pfil not configured for firewall/NAT operation
Set 0 now inactive
filter sync'd
Clearly IPFilter is not working ...
because it looks like pfil lost its configuration info due to the boot.

Is there any way to make the pfil's configuration permanent?

What is more strange and serious is that when I try to configure
pfil again, i.e. when I'm doing:

# strconf < /dev/ce 
pfil
ce
# ifconfig ce0 modlist
0 arp
1 ip
2 ce
# ifconfig ce0 modinsert pfil@2

the system panics and reboots automatically with the following info:

panic[cpu0]/thread=300038c6020: recursive rw_enter, lp=780a7f50 wwwh=300038c6024 thread=300038c6020

000002a10058a7d0 ipf:get_unit+4c (30000070b18, 4, 2a10058a89c, 78127454, 2a10058aa99, 800)
  %l0-3: 00000000780a7f50 0000000000000004 0000030000f81c78 00000300002737a0
  %l4-7: 000003000389a048 0000030000fa3340 0000030005e846d0 0000000080586994
000002a10058a8b0 ipf:frsynclist+98 (30000070a08, 0, 25, 144db98, 4, 0)
  %l0-3: 000000000000006c 0000030000070b18 0000000000000010 0000000000000030
  %l4-7: 0000030005e846d0 000000000144db80 000000000000003c 000000000000002c
000002a10058a980 ipf:frsync+58 (1, 30005e537a0, 0, 144db98, 144dbb0, 58)
  %l0-3: 000000007815e338 0000000000000008 000000000000000a 000000007815e000
  %l4-7: 000003000154df88 000000000144db80 000000000000003c 000000000000002c
000002a10058aa40 ipf:fr_qifsync+18 (0, 0, 30005b8bdf0, 0, 30005b8bdf0, 0)
  %l0-3: 0000000000000000 0000030005b8bdf0 000002a10058aa88 0000030001584f40
  %l4-7: 000002a10058aa99 0000000000005400 000000000123ba38 0000000000000000
000002a10058ab30 pfil:qif_attach+194 (30005e53890, 0, 30000f81c78, 30002c67588, 30000070cb0, 30005b8bdf0)
  %l0-3: 00000000781811a8 0000030005b8bdf0 0000030000026f08 0000030005b8bdf0
  %l4-7: 0000030005b8bdf0 00000300000270d8 0000030000027140 0000030005a94900
000002a10058ac20 pfil:pfilwput_ioctl+25c (30005e53890, 30000fa3340, 0, 30005a8c740, 30000f81c78, 0)
  %l0-3: 00000000780a7f50 0000000040586993 0000030005e84448 0000000000000000
  %l4-7: 0000000000000000 00000000014adb20 0000000000000000 0000030000fa3340
000002a10058ad40 pfil:pfilmodwput+1f8 (30005e53890, 30000fa3340, 20, 0, 1, 30005b8bdf0)
  %l0-3: 000000000000000e 0000030005e53890 0000030005a8c4f8 0000030005b8bdf0
  %l4-7: 00000300032143c0 0000000000000000 0000000000000c50 0000000000003a98
000002a10058ae40 unix:putnext+21c (0, 30000fa3340, 20, 0, 300038ff500, 0)
  %l0-3: 0000000078125af8 0000030005e53980 0000030005e53890 0000000000000000
  %l4-7: 0000000000000000 000000007808fd38 0000030001585030 0000030000fa3340
000002a10058aef0 ip:ip_sioctl_copyin_done+2630 (0, 30000fa3340, c078699d, c0206958, c0786800, 2a10058b0c6)
  %l0-3: 0000030005a8c4f8 0000030000070cb0 0000030000f81c78 00000300002737a0
  %l4-7: 000003000389a048 0000030000fa3340 0000030005e846d0 0000000080586994
000002a10058b030 ip:ip_wput_nondata+198 (30005e846d0, 30000fa3340, 0, 258, 72740070, ffbffb10)
  %l0-3: 0000000000000000 0000030000fa3340 00000000014b0c00 0000030000fa3340
  %l4-7: 0000030005e846d0 000003000389a048 0000030005e848ea 0000000000000000
000002a10058b0f0 unix:putnext+21c (0, 3000154df80, 20, 0, 10, ffbffb10)
  %l0-3: 000000000126a6cc 0000030001551ee0 0000030005e846d0 0000000000000000
  %l4-7: 000003000154df88 00000000014b1040 0000030005e84448 0000030000fa3340
000002a10058b1a0 udp:udp_wput_iocdata+2c (30005e84448, 30000fa3340, 123ba38, 1, 30005e84448, 0)
  %l0-3: 0000030005e84448 0000030000fa3340 0000030005e84538 000000000123ba38
  %l4-7: 0000000000005490 0000000000005400 000000000123ba38 0000000000000000
000002a10058b280 udp:udp_wput+5cc (30005e84448, 30000fa3340, 20, 14af400, 72005f70, 72636872004475)
  %l0-3: 0000000000000003 0000000000000000 000000000000ff00 00000000f0ff5e6f
  %l4-7: 0000030005e84448 0000030000fa3340 00000000014af4fc 000000000000fc00
000002a10058b350 unix:putnext+21c (0, 30000fa3340, 20, 1, 100c6b8, 0)
  %l0-3: 000000000123abe0 0000030005e84538 0000030005e84448 0000000000000000
  %l4-7: 0000000000000000 00000000014adb20 0000030005e84958 0000030000fa3340
000002a10058b400 genunix:strdoioctl+788 (300039159b0, 300039159b2, 1, 30000263aa8, 1, 0)
  %l0-3: 0000030003915928 0000030000fa3340 00000300039159a8 0000000000000000
  %l4-7: 000002a10058b838 0000000000000c50 0000000000000c50 0000000000003a98
000002a10058b4f0 genunix:strioctl+10a4 (30000263aa8, 30005e84868, 30005e84958, 0, 5000, 0)
  %l0-3: 0000000000000000 0000030003915928 0000000040586993 00000300039159a8
  %l4-7: 0000000000000001 0000000000100003 000002a10058baec 00000300038028f8
000002a10058b860 sockfs:sock_ioctl+cec (300038028f8, 40586993, 100003, 100003, 30000263aa8, 2a10058baec)
  %l0-3: 0000030003802990 0000000040586993 0000000000005000 00000300038028f8
  %l4-7: 00000000ffbffb10 0000000000000078 00000300038028f8 00000000ff3f9080
000002a10058b9a0 genunix:ioctl+1f8 (3, 40586993, ffbffb10, 0, 72740070, ffbffb10)
  %l0-3: 00000000012454cc 0000000040586993 0000000000000003 0000000000005316
  %l4-7: 00000300037f2f98 0000000000000000 0000000000000000 0000000000000000

syncing file systems... done
dumping to /dev/dsk/c1t0d0s1, offset 322174976, content: kernel



If I remove the pfil & ipf packages and install and configure them again, all is fine until
the next reboot. Then I have a security problem ...

Please help!

I'll summarize if I get any valuable response.


GB

P.S.1 There is no ipf package on SunFreeware for Solaris9. I tried to use Solaris8
      latest available version 3.4x, but it also has problems. This is why I chose
      to compile from source (I used SUN's cc).
P.S. Rather unrelated to the above problem: when my ipf is working I get the following
     stupid lines in a log file:

Feb 27 12:46:21 piana.icm.edu.pl ipmon[870]: [ID 702911 local0.warning] 12:46:21.770813 ce0 @0:16 b 127.0.0.1,80 -> 213.135.50.4,1588 PR tcp len 20 40 -AR IN
Feb 27 12:53:41 piana.icm.edu.pl ipmon[870]: [ID 702911 local0.warning] 12:53:41.199612 ce0 @0:16 b 127.0.0.1,80 -> 213.135.50.4,1588 PR tcp len 20 40 -AR IN
Feb 27 13:10:59 piana.icm.edu.pl ipmon[870]: [ID 702911 local0.warning] 13:10:58.990198 ce0 @0:16 b 127.0.0.1,80 -> 213.135.50.4,1219 PR tcp len 20 40 -AR IN
Feb 27 13:11:32 piana.icm.edu.pl ipmon[870]: [ID 702911 local0.warning] 13:11:32.913307 ce0 @0:16 b 127.0.0.1,80 -> 213.135.50.4,1219 PR tcp len 20 40 -AR IN
Feb 27 13:27:23 piana.icm.edu.pl ipmon[870]: [ID 702911 local0.warning] 13:27:23.467633 ce0 @0:16 b 127.0.0.1,80 -> 213.135.50.4,1636 PR tcp len 20 40 -AR IN bad
Feb 27 13:42:29 piana.icm.edu.pl ipmon[870]: [ID 702911 local0.warning] 13:42:29.685490 ce0 @0:16 b 127.0.0.1,80 -> 213.135.50.4,1101 PR tcp len 20 40 -AR IN bad

Looks like apache from my machine tries to connect to a different port on the public interface... But what for? I'm using the apache distributed with Solaris 9
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

----- End forwarded message -----
Received on Tue Mar 2 09:06:16 2004
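
The ipmon lines quoted in the P.S. can be checked mechanically. The following is an added example, not part of the original post or of IPFilter: it parses such lines and flags packets logged on a non-loopback interface that carry a 127/8 address, which should never appear on the wire. The field layout is inferred from the quoted lines, and the function names and the `lo0` default are assumptions.

```python
import ipaddress
import re

# Constructed sample: three of the ipmon lines quoted in the post above.
SAMPLE = """\
Feb 27 12:46:21 piana.icm.edu.pl ipmon[870]: [ID 702911 local0.warning] 12:46:21.770813 ce0 @0:16 b 127.0.0.1,80 -> 213.135.50.4,1588 PR tcp len 20 40 -AR IN
Feb 27 13:10:59 piana.icm.edu.pl ipmon[870]: [ID 702911 local0.warning] 13:10:58.990198 ce0 @0:16 b 127.0.0.1,80 -> 213.135.50.4,1219 PR tcp len 20 40 -AR IN
Feb 27 13:27:23 piana.icm.edu.pl ipmon[870]: [ID 702911 local0.warning] 13:27:23.467633 ce0 @0:16 b 127.0.0.1,80 -> 213.135.50.4,1636 PR tcp len 20 40 -AR IN bad
"""

# Field layout inferred from those lines (an assumption, not ipmon's full grammar).
IPMON_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<len>\d+)"
    r"(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)(?P<bad> bad)?\s*$"
)

def parse_ipmon(line):
    """Return a dict of fields for one ipmon TCP/UDP log line, or None if it does not match."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "len"):
        rec[key] = int(rec[key])
    rec["bad"] = rec["bad"] is not None  # trailing "bad" marker, kept as printed
    return rec

def loopback_on_wire(rec, loopback_ifs=("lo0",)):
    """True when a packet logged on a non-loopback interface has a 127/8 source or destination."""
    if rec["ifname"] in loopback_ifs:
        return False
    return any(ipaddress.ip_address(rec[k]).is_loopback for k in ("src", "dst"))

def summarize(text):
    """Group flagged packets by (interface, direction, src, sport, dst, flags) -> list of dports."""
    hits = {}
    for line in text.splitlines():
        rec = parse_ipmon(line)
        if rec and loopback_on_wire(rec):
            key = (rec["ifname"], rec["dir"], rec["src"], rec["sport"], rec["dst"], rec["flags"])
            hits.setdefault(key, []).append(rec["dport"])
    return hits

if __name__ == "__main__":
    for key, ports in summarize(SAMPLE).items():
        print(key, ports)
```
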

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:26 EST