How to get the pfil STREAMS module working?

807557, Aug 18 2007 — edited Aug 19 2007
Hello

I changed /etc/ipf/pfil.ap to filter packets on my network interfaces, as instructed in the man page, but the pfil module is not automatically pushed when my interface is opened with ifconfig plumb. My network/pfil service starts normally, but network/ipfilter will not start because pfil is not plumbed on any network interfaces.

Here is my scenario:
# echo >/var/svc/log/network-ipfilter:default.log
# cat /var/svc/log/network-ipfilter:default.log

# svcadm disable ipfilter
# svcadm disable pfil
# cat /etc/ipf/pfil.ap
   # IP Filter pfil autopush setup
   #
   # See the autopush(1M) manpage for more information.
   #
   # Format of the entries in this file is:
   #
   #major  minor lastminor modules

   #iprb   -1      0       pfil
   #elxl   -1      0       pfil
   #e1000g -1      0       pfil
   #bge    -1      0       pfil
   #nf     -1      0       pfil
   #fa     -1      0       pfil
   #ci     -1      0       pfil
   #el     -1      0       pfil
   #ipdptp -1      0       pfil
   #lane   -1      0       pfil
   #dnet   -1      0       pfil
   #pcelx  -1      0       pfil
   #spwr   -1      0       pfil
   rtls0   -1      0       pfil
   rtls1   -1      0       pfil 

# ifconfig rtls1 unplumb  
# ifconfig rtls0 unplumb
# svcadm -v enable pfil
svc:/network/pfil:default enabled.
# svcs -v pfil
STATE          NSTATE        STIME    CTID   FMRI
online         -             22:49:44      - svc:/network/pfil:default
# ifconfig rtls0 plumb
# ifconfig rtls0 modlist
0 arp
1 ip
2 rtls 
# ifconfig rtls1 plumb modlist
0 arp
1 ip
2 rtls
# ifconfig rtls1 unplumb
# ifconfig rtls0 unplumb
# svcadm -v enable network/ipfilter
svc:/network/ipfilter:default enabled.
# svcs -v network/ipfilter
STATE          NSTATE        STIME    CTID   FMRI
maintenance    -             22:53:03      - svc:/network/ipfilter:default
# cat /var/svc/log/network-ipfilter:default.log

   [ AUG 18 22:48:30 Leaving maintenance because disable requested. ]
   [ AUG 18 22:48:30 Disabled. ]
   [ AUG 18 22:53:03 Enabled. ]
   [ AUG 18 22:53:03 Executing start method ("/lib/svc/method/ipfilter start") ]
   pfil not plumbed on any network interfaces.
   No network traffic will be filtered.
   See ipfilter(5) for more information.
   [ AUG 18 22:53:03 Method "start" exited with status 96 ]
# ifconfig rtls0 plumb modlist
0 arp
1 ip
2 rtls
# ifconfig rtls1 plumb modlist
0 arp
1 ip
2 rtls
#
Now I can insert the module manually with ifconfig modinsert, but NAT still will not work for my home network (I have two computers).
Here is what I get:
# ifconfig rtls0 modinsert pfil@2 modlist
0 arp
1 ip
2 pfil
3 rtls
# ifconfig rtls1 modinsert pfil@2 modlist
0 arp
1 ip
2 pfil
3 rtls
# svcs -v enable network/ipfilter
svcs: Pattern 'enable' doesn't match any instances
STATE          NSTATE        STIME    CTID   FMRI
maintenance    -             22:53:03      - svc:/network/ipfilter:default
# svcadm -v enable network/ipfilter
svc:/network/ipfilter:default enabled.
# svcs -v network/ipfilter
STATE          NSTATE        STIME    CTID   FMRI
maintenance    -             22:53:03      - svc:/network/ipfilter:default
# svcadm clear network/ipfilter
# svcs network/ipfilter
STATE          STIME    FMRI
online         23:00:30 svc:/network/ipfilter:default
# ipfstat -o
pass out log from any to any
# ipfstat -i
pass in log from any to any
# ipnat -l
List of active MAP/Redirect filters:
map rtls0 192.168.0.0/24 -> 89.136.127.37/32 portmap tcp/udp 10000:40000
rdr rtls0 0.0.0.0/0 port 50404 -> 192.168.0.4 port 50404 tcp/udp
rdr rtls0 0.0.0.0/0 port 50405 -> 192.168.0.4 port 50405 tcp/udp
rdr rtls0 0.0.0.0/0 port 50406 -> 192.168.0.4 port 50406 tcp/udp
rdr rtls0 0.0.0.0/0 port 50407 -> 192.168.0.4 port 50407 tcp/udp
rdr rtls0 0.0.0.0/0 port 50408 -> 192.168.0.4 port 50408 tcp/udp
rdr rtls0 0.0.0.0/0 port 50409 -> 192.168.0.4 port 50409 tcp/udp
rdr rtls0 0.0.0.0/0 port 50410 -> 192.168.0.4 port 50410 tcp/udp
rdr rtls0 0.0.0.0/0 port 50411 -> 192.168.0.4 port 50411 tcp/udp
rdr rtls0 0.0.0.0/0 port 50412 -> 192.168.0.4 port 50412 tcp/udp
rdr rtls0 0.0.0.0/0 port 50413 -> 192.168.0.4 port 50413 tcp/udp

List of active sessions:
# ipmon
After the invocation of ipmon I do some traffic and I get no log output.
# ifconfig rtls0 auto-dhcp primary start
# ifconfig rtls1 192.168.0.1/24 up
# ifconfig rtls0
rtls0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
        inet 89.136.127.37 netmask fffffc00 broadcast 89.136.127.255
        ether 0:4:61:94:33:f2
# ifconfig rtls1
rtls1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255
        ether 0:ee:b1:4:2b:ab
# ping www.google.com
www.google.com is alive
# ping www.yahoo.com
www.yahoo.com is alive
#
Am I inserting the pfil module in the right position?
What can I do to get NAT working? My internet connection on the server is OK.

Thank you,
Timothy Madden,
Romania
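An added example, not from the post or from IP Filter itself: a POSIX shell check that flags pfil.ap entries keyed by an interface name instead of the driver name that the autopush(1M) format in the file header and its commented examples (iprb, e1000g) use, and that verifies from ifconfig modlist output that pfil actually sits directly above the driver. Rules and NAT maps loaded with no pfil in the stream are the silent failure the ipmon run above shows, so this is the check to run before trusting the firewall. Function names and sample inputs are mine.

```shell
# Added example (not from the post). Assumes pfil.ap uses the autopush(1M)
# layout from the file header (major minor lastminor modules), where major
# is a driver name such as "rtls", never an interface name such as "rtls0".
# Print the driver (major) names of every active line that pushes pfil.
pfil_ap_drivers() {            # $1 = contents of pfil.ap
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 4 && $4 == "pfil" { print $1 }'
}

# Fail when the major name ends in a digit: that is an interface instance,
# which autopush will never match against a driver's major number.
pfil_ap_check_name() {         # $1 = major name from pfil.ap
    case "$1" in *[0-9]) return 1 ;; *) return 0 ;; esac
}

# Succeed only if pfil is the module directly above the driver, the position
# the post reaches with "modinsert pfil@2" (arp, ip, pfil, driver).
modlist_has_pfil() {           # $1 = modlist output
    printf '%s\n' "$1" | awk '{ mods[$1] = $2; n = NR }
        END { exit !(n >= 3 && mods[n-2] == "pfil") }'
}

# Report every active entry; return non-zero if any name looks wrong.
check_pfil_ap() {              # $1 = contents of pfil.ap
    rc=0
    for drv in $(pfil_ap_drivers "$1"); do
        if pfil_ap_check_name "$drv"; then
            echo "ok   $drv"
        else
            echo "BAD  $drv: use the driver name $(printf '%s' "$drv" | sed 's/[0-9]*$//')"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the two active lines from the post plus a comment line.
SAMPLE_PFIL_AP='#major  minor lastminor modules
rtls0   -1      0       pfil
rtls1   -1      0       pfil'

# Constructed modlist captures, before and after "modinsert pfil@2".
MODLIST_NO_PFIL='0 arp
1 ip
2 rtls'
MODLIST_PFIL='0 arp
1 ip
2 pfil
3 rtls'
check_pfil_ap "$SAMPLE_PFIL_AP" || echo "pfil.ap needs fixing"
```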
Post Details
Locked on Sep 16 2007
Added on Aug 18 2007