Alexandr Nedvedicky
Packet gets blocked even though it should pass
From time to time I see a kind of CR which complains that IPF falsely blocks a packet which should pass. This blog entry provides a step-by-step guide to what should be checked once you feel IPF goes crazy and starts to eat/drop packets which should be let in or let out.
Posted at 06:01PM Jul 16, 2009 by Alexandr Nedvedicky in Sun | Comments[3]
State numbers in IPF
CR 6562745 changes the numbers assigned to TCP states in IPF. Currently the state numbers used in Solaris and in upstream ipfilter are different. The difference might confuse admins who are running various versions of IPF. The fix for CR 6562745 will make the problem go away.
Posted at 03:24PM Jul 10, 2009 by Alexandr Nedvedicky in Personal | Comments[0]
RST for loopback
This blog entry explains how IPF deals with sending RST/ICMP packets to loopback clients. If you don't want to read it all, here is your one-sentence summary: to send an RST/ICMP response to a loopback client, IPF will just reuse the offending packet's mblock, turn it into an RST/ICMP response packet and pass it to the IP stack, which will route it to the loopback client.
Posted at 03:30PM Jun 16, 2009 by Alexandr Nedvedicky in Personal | Comments[1]
IPF Tuneables
The post provides an introduction to IPF tuneable variables. The most valuable thing offered to the reader is a pointer to where to find information on which variables are read-only, which require IPF to be disabled when you need to alter them, and which can be changed without any constraints. I intentionally did not create a list or table with an overview of those variables, as those variables are often subject to change.
Posted at 01:05PM Aug 10, 2007 by Alexandr Nedvedicky in Sun | Comments[2]