IPSec/IPF Problems


I don’t know if anyone else has confirmed this, but the latest Cisco VPN client for Solaris causes problems with IPF on Solaris 10. Earlier today I was trying to demonstrate with netcat the various responses one should get from a closed port, an open port, and a filtered port. When things were not behaving as expected I did a little investigating.

My primary workstation is a SunBlade 1500 with one bge0 card, a SunPCI kit, and an add-in qfe card so I can play on a private LAN with zones. Checking the status of ipfilter with ipfstat -io showed the correct running ruleset, but I was still able to telnet to any port I ran netcat on from another host on the private LAN. Running ifconfig qfe0 modlist returned the qfe module, the ip module, and an ipsec module, but no pfil.

Unplumbing the interface and plumbing it again should have forced autopush to insert the pfil module, but it still did not show up. Manually inserting the pfil module onto an interface in either position 2 or 3 would load the module, but an unplumb/plumb would drop it again. At no point was it filtering traffic as expected.

Uninstalling the Cisco VPN client restored the expected behavior of ipfilter.
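The lesson here is that ipfstat -io only reports the loaded ruleset; whether packets actually reach ipfilter depends on the pfil STREAMS module being pushed on each interface. The following POSIX shell check is an added example and not part of the original post: it inspects modlist output for pfil and flags interfaces where the ruleset is loaded but cannot filter. The modlist_for function stands in for ifconfig <if> modlist with constructed sample output so the check runs offline; on a real Solaris 10 host you would replace its body with that command. The output format assumed (a position index followed by the module name) is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post): verify that pfil is actually in
# the STREAMS stack of each interface, since `ipfstat -io` can show a valid
# ruleset while no filtering takes place.

# Stand-in for `ifconfig "$1" modlist`. The output below is constructed to
# mirror the post: bge0 has pfil autopushed, qfe0 lost it to the VPN client's
# ipsec module. Assumed format: "<position> <module>" per line.
modlist_for() {
    case "$1" in
        bge0) printf '0 arp\n1 ip\n2 pfil\n3 bge\n' ;;
        qfe0) printf '0 arp\n1 ip\n2 ipsec\n3 qfe\n' ;;
        *)    return 1 ;;
    esac
}

# Print the stack position of pfil on the interface; print nothing if absent.
pfil_position() {
    modlist_for "$1" | awk '$2 == "pfil" { print $1 }'
}

# Return 0 if pfil is present, 1 otherwise. Diagnostics go to stderr so the
# function can be used inside command substitutions.
check_pfil() {
    pos=$(pfil_position "$1")
    if [ -n "$pos" ]; then
        echo "$1: pfil at position $pos, ipf is in the data path" >&2
        return 0
    fi
    echo "$1: pfil missing, ipf rules will NOT filter this interface" >&2
    return 1
}

# Audit every interface named on the command line and print how many lack pfil.
audit_interfaces() {
    missing=0
    for ifname in "$@"; do
        check_pfil "$ifname" || missing=$((missing + 1))
    done
    echo "$missing"
}
```

Run it as audit_interfaces bge0 qfe0 after each unplumb/plumb to confirm autopush really re-inserted pfil; a non-zero count means the ruleset is decorative on that interface.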

