IPfilter

Re: IPFilter on Solaris 10

To: "Dave Ockwell-Jenner" <doj@solar-nexus.com>, ipfilter@coombs.anu.edu.au
Subject: Re: IPFilter on Solaris 10
From: "Corey Johnston" <coreyj@gmail.com>
Date: Thu, 4 Jan 2007 09:21:49 +1100
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
In-reply-to: <459BE07D.4070606@solar-nexus.com>
References: <459BE07D.4070606@solar-nexus.com>
Sender: owner-ipfilter@coombs.anu.edu.au

First of all, YMMV (your mileage may vary)...

I found that the installation of IPF (4.0.2, I think) that comes with Solaris 10 has a fairly significant bug.
Significant if you're running a busy site managing stateful connections. The state table, which is of fixed size, doesn't free active connections properly, which results in machine lock-up when capacity is reached.

For this reason, I'd strongly suggest compiling the open source release.
There's a great guide which explains how to remove the Sun version and install the open source release at
http://www.colby.edu/personal/j/jaearick/sysadmin/sol10.ipfilter.upgrade

You may need to modify this procedure slightly if you are compiling for an X64 kernel.
There are some notes at http://blogs.sun.com/avalon/entry/ipfilter_4_1_13 which list a few modifications to the build to compile for X64.

I'd recommend using Sun's CC compilers, freely available as part of Studio 11, for compilation, as I'm not sure that gcc is supported yet.

I'm running IPF 4.1.16 with a few of the latest patches, and pfil 2.1.11.
Things work well, except that there appears to be a bug with the FTP NAT proxy, which Darren is looking into.

Hope this helps.