Memoirs of Fls'Zen

Friday, September 11, 2009

Solaris 10u7 IPFilter return-rst

I was recently confused by the ipf implementation in Solaris 10 5/09. The confusion was in regards to the return-rst parameter of the block rule. When I first tried to use it, it didn't appear to be working. Google led me to this website, which said something about having to have a specific out rule to allow the reset packet to be sent because of the way Solaris streams worked. Unfortunately in this release, streams are no longer used (the pfil module). So that helped to mislead me.

Also of no help was the IPFilter HOWTO, which one small section that deals with return-rst doesn't do so from the perspective of blocking all incoming, then allowing only specific ports, which is my usual method.

Finally, in the end, I discovered that all I needed was the following two lines to perform the blocking I desired. Of course, if I had stuck with it instead of trying to find the solution with Google, I would have arrived at the solution much sooner. To everyone to has posted information about return-rst not working, please update your content to state that is now working in later releases.

# Block-all policy.
block in on ce0 all
block return-rst in on ce0 proto tcp all



Post a Comment

Subscribe to Post Comments [Atom]

<< Home