What happens if IP Filter fails?
J. Joseph Felten
2010-09-24 15:51:39 UTC
Sorry if this is obvious to IP Filter veterans. I searched the FAQ
and Solaris IP Filter documentation and the mailing list etc. etc. and
have not found an answer.

I've created a very simple IP Filter rules set on Solaris 10 to block
access to a particular port from particular IP addresses. This works
well but what happens if IP Filter fails in some way (perhaps putting
the service into a maintenance state)? Isn't the kernel module's
default to pass all?
Saša Nedvědický
2010-09-24 16:39:24 UTC
Then the packet passes.
You can check the ruleset in the kernel at such a moment to tell the IPF state.
Typing something like 'ipfstat -ionh' will tell you if there are any working rules in
IPF.

regards
sasha
Post by J. Joseph Felten
Sorry if this is obvious to IP Filter veterans. I searched the FAQ
and Solaris IP Filter documentation and the mailing list etc. etc. and
have not found an answer.
I've created a very simple IP Filter rules set on Solaris 10 to block
access to a particular port from particular IP addresses. This works
well but what happens if IP Filter fails in some way (perhaps putting
the service into a maintenance state)? Isn't the kernel module's
default to pass all?
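
A check built on the `ipfstat -ionh` suggestion above, as an added example that is not part of the original thread: it reads that command's output and reports whether the inbound list is empty or an expected block rule is missing. The function name `ipf_ruleset_state`, the sample addresses and port, and the exact output layout (hit count, `@` rule number, rule text, and `empty list for ipfilter(in)` for an empty list) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ipfstat -ionh` output
# whether IP Filter is actually enforcing anything.
# Live use (assumption): ipfstat -ionh | ipf_ruleset_state '192.0.2.10'

# Reads ipfstat output on stdin. $1 = text that must appear in a loaded rule
# (optional). Prints a one-line summary; returns 0 only if the inbound list
# is non-empty and the required rule text, if given, was found.
ipf_ruleset_state() {
    awk -v need="${1:-}" '
        /empty list for/ || NF == 0 { next }     # that list has no rules
        {
            # Skip the -h hit counter and -n rule number; the first "in"
            # or "out" token is the direction of the rule.
            for (i = 1; i <= NF; i++)
                if ($i == "in" || $i == "out") break
            if ($i == "in") nin++
            else if ($i == "out") nout++
            if (need != "" && index($0, need) > 0) found = 1
        }
        END {
            req = (need == "") ? "n/a" : (found ? "yes" : "no")
            printf "in=%d out=%d required=%s\n", nin, nout, req
            exit ((nin > 0 && req != "no") ? 0 : 1)
        }'
}

# Constructed samples (addresses and port are placeholders).
SAMPLE_LOADED='0 @1 pass out quick on lo0 all
37 @1 block in quick proto tcp from 192.0.2.10/32 to any port = 8080
1204 @2 pass in all'
SAMPLE_EMPTY='empty list for ipfilter(out)
empty list for ipfilter(in)'

printf '%s\n' "$SAMPLE_LOADED" | ipf_ruleset_state '192.0.2.10' ||
    echo "ALERT: expected block rule not loaded"
printf '%s\n' "$SAMPLE_EMPTY" | ipf_ruleset_state '192.0.2.10' ||
    echo "ALERT: no rules loaded, packets are passing unfiltered"
```

Run from cron or a monitoring agent, a non-zero return is the signal that the host is in the pass-everything state discussed in this thread.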
Blaster
2010-09-25 12:49:12 UTC
IPFilter doesn't "fail". It's not a process that can die. It's a
kernel module. If it "dies" the system panics and you have no Solaris.

I've been using IPFilter for 15 years, it's never "failed".
Post by J. Joseph Felten
Sorry if this is obvious to IP Filter veterans. I searched the FAQ
and Solaris IP Filter documentation and the mailing list etc. etc. and
have not found an answer.
I've created a very simple IP Filter rules set on Solaris 10 to block
access to a particular port from particular IP addresses. This works
well but what happens if IP Filter fails in some way (perhaps putting
the service into a maintenance state)? Isn't the kernel module's
default to pass all?