Help Needed with Solaris 10 (x86) ipfilter/ipnat

From: Tim Evans (tkevans@tkevans.com)
Date: Sat Nov 04 2006 - 14:55:08 EST


I'm having trouble setting up Solaris 10 ipfilter and ipnat to function as a
firewall/router for my internal network. (The same physical box works perfectly
for this purpose when booted in RedHat Linux.)

First, the network setup:

ISP is Comcast; external network interface (iprb0) address via DHCP. Inside
network interface (elxl0) uses 192.168.x.x address.

Solaris tells me:

# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv4 forwarding   enabled              enabled
               IPv4 routing   enabled              enabled
            IPv6 forwarding   disabled             disabled
               IPv6 routing   disabled             disabled

# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.252.0        192.168.252.5        U        1      1  elxl0
69.251.48.0          69.251.52.XX         U        1      2  iprb0
224.0.0.0            69.251.52.XX         U        1      0  iprb0
default              69.251.48.1          UG       1     38  iprb0
127.0.0.1            127.0.0.1            UH      27   4227  lo0

From the Solaris machine, I can see/access both the outside world and the
internal network:

$ ping sunmanagers.org
sunmanagers.org is alive

# ping 192.168.252.3
192.168.252.3 is alive

My /etc/ipf/ipf.conf file (from the ipf howto) contains:

# cat ipf.conf

block in quick on iprb0 from 192.168.0.0/16 to any
block in quick on iprb0 from 172.16.0.0/12 to any
block in quick on iprb0 from 10.0.0.0/8 to any
block in quick on iprb0 from 127.0.0.0/8 to any
block in quick on iprb0 from 0.0.0.0/8 to any
block in quick on iprb0 from 169.254.0.0/16 to any
block in quick on iprb0 from 192.0.2.0/24 to any
block in quick on iprb0 from 204.152.64.0/23 to any
block in quick on iprb0 from 224.0.0.0/3 to any
block in log quick on iprb0 from 192.168.252.0/24 to any
block in log quick on iprb0 from any to 192.168.252.0/16
block in log quick on iprb0 from any to 192.168.252.255/16
pass out quick on iprb0 proto tcp/udp from 192.168.252.0/255.255.255.0 to any keep state
pass out quick on iprb0 proto icmp from 192.168.252.0/255.255.255.0 to any keep state

My ipnat.conf contains:

# cat ipnat.conf
map iprb0 192.168.252.0/255.255.255.0 -> 0/32 portmap tcp/udp auto
map iprb0 192.168.252.0/255.255.255.0 -> 0/32

OK, now the systems on the inside (192.168.252.x) cannot see/access the outside
world.

ipfstat shows nothing at all:

# ipfstat -ih
0 block in quick on iprb0 from 192.168.0.0/16 to any
0 block in quick on iprb0 from 172.16.0.0/12 to any
0 block in quick on iprb0 from 10.0.0.0/8 to any
0 block in quick on iprb0 from 127.0.0.0/8 to any
0 block in quick on iprb0 from 0.0.0.0/8 to any
0 block in quick on iprb0 from 169.254.0.0/16 to any
0 block in quick on iprb0 from 192.0.2.0/24 to any
0 block in quick on iprb0 from 204.152.64.0/23 to any
0 block in quick on iprb0 from 224.0.0.0/3 to any
0 block in log quick on iprb0 from 192.168.252.0/24 to any
0 block in log quick on iprb0 from any to 192.168.0.0/16

# ipfstat -ho
0 pass out quick on iprb0 proto tcp/udp from 192.168.252.0/24 to any keep state
0 pass out quick on iprb0 proto icmp from 192.168.252.0/24 to any keep state

Nothing in, nothing out.

What have I missed? Thanks.

--
Tim Evans, TKEvans.com, Inc.	|    5 Chestnut Court
tkevans@tkevans.com		|    Owings Mills, MD 21117
http://www.tkevans.com/		|    443-394-3864
http://www.come-here.com/News/	|    
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
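An added example, not from the original mail or from the ipfilter project: a small Python check that rewrites each rule's addresses the way ipfilter loads them (host bits under the mask are dropped, so 192.168.252.0/16 becomes 192.168.0.0/16, exactly as the ipfstat listing above shows) and flags the two things a reviewer of this ipf.conf should notice: rules whose written address is wider than the author probably meant, and rules that collapse into duplicates after normalization. It assumes, as the twelve configured versus eleven loaded block rules suggest, that a duplicate rule is loaded only once; the sample rules are constructed from the post and include the "keep state" that wrapped onto its own line.

```python
import ipaddress
import re

# Constructed sample (not the whole file): rules from the post's ipf.conf as they
# appear in the mail, including the "keep state" that wrapped onto its own line.
IPF_CONF = """\
block in quick on iprb0 from 192.168.0.0/16 to any
block in log quick on iprb0 from 192.168.252.0/24 to any
block in log quick on iprb0 from any to 192.168.252.0/16
block in log quick on iprb0 from any to 192.168.252.255/16
pass out quick on iprb0 proto tcp/udp from 192.168.252.0/255.255.255.0 to any
keep state
"""

CLAUSE = re.compile(r"\bfrom (\S+) to (\S+)")


def canonical(addr):
    """Return (address as ipfilter loads it, note). Only the bits that survive
    the mask are kept, so 192.168.252.0/16 is loaded as 192.168.0.0/16."""
    if addr == "any":
        return addr, None
    net = ipaddress.ip_network(addr, strict=False)  # accepts /16 and /255.255.255.0
    host = ipaddress.ip_address(addr.split("/")[0])
    note = None
    if host != net.network_address:
        note = f"{addr} has host bits under its mask; loaded as {net}"
    return str(net), note


def check_rules(conf):
    """Return (warnings, loaded): what a reviewer should see, and the rules as
    ipfstat lists them (assumed: a duplicate after normalization loads once)."""
    warnings, loaded, seen = [], [], set()
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLAUSE.search(line)
        if not m:
            warnings.append(f"line {n}: '{line}' has no from/to clause; a wrapped "
                            "continuation is a syntax error in ipf.conf")
            continue
        rule = line
        for addr in m.groups():
            canon, note = canonical(addr)
            if note:
                warnings.append(f"line {n}: {note}")
            rule = rule.replace(addr, canon, 1)
        if rule in seen:
            warnings.append(f"line {n}: duplicate of an earlier rule after "
                            "normalization; only the first copy is loaded")
            continue
        seen.add(rule)
        loaded.append(rule)
    return warnings, loaded
```

Compare the `loaded` list with `ipfstat -ih` / `ipfstat -ho` after `ipf -Fa -f /etc/ipf/ipf.conf`; any difference between what the file says and what the kernel holds is where a rule is wider, narrower or missing compared with the intent.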


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:41:08 EDT