Firewall-1 has several loading stages. After the kernel module is loaded, at run level 2, the S00fwbootd script is executed which among other things pushes the firewall over the interfaces that it recognized as firewall-able based on the /etc/fw.boot/ifdev list. At run level 2 init also executes two relatively simple scripts, S69-cppreinet and S69zcppostinet, that make sure S69inet does not turn on IP forwarding.
At run level 3 the S95firewall1 executes, which simply runs $FWDIR/bin/fwstart. You might want to look at some of the customization you have done and make sure your firewall loads appropriately at the various stages.
If you are using StoneBeat you might want to look at the StoneBeat startup scripts and make sure it brings up your interfaces correctly.
Also, there is a Release notes doc that explains what the service pack does. Please read it carefully to get acquainted with the information in it.
If you are really curious about what exactly it does you can go through the pre- and post-install scripts and the pkgmap(s). It shouldn't take you more than a few minutes.
George
-----Original Message-----
From: Johan Henell (TIM) [mailto:[email protected]]
Sent: Monday, July 16, 2001 1:40 PM
To: '[email protected]'
Subject: RE: [FW1] "bad file number" after installing sp4
I've solved (ok.. worked around...) this and as the support for checkpoint is that crap I'd like to share the info with interested people.
No, the etc/fwboot/ifdev file was 100% ok.
I used one of these hardening scripts, in my case yassp, before installing fw-1. After this there's no trouble with the original installation of fw-1, but SP4 fails. It gives no error message or any kind of helpful information. FW-1 simply does not start. I did not take sufficient time to investigate exactly how but it's at least in the pre- and/or postpatch script.
For example I found out that the correct startup file was not copied to /etc/rc2.d and the installation did not process all of the postpatch script - it left some temporary files in /etc/init.d.
Solution: Don't use any hardening scripts on fw-1 boxes, do it by hand.
Alternative solution: Install another firewall-product. One that comes with install and support documentation/help for service packs.
BR /J
-----Original Message-----
From: Ron Atkinson [mailto:[email protected]]
Sent: Wednesday, July 11, 2001 2:45 PM
To: Johan Henell (TIM)
Subject: Re: [FW1] "bad file number" after installing sp4
You said that you verified the /etc/fw.boot/ifdev file, but does it really contain everything that was in it before the service pack install? Any additions that were done after installing the firewall software, such as new interfaces for StoneBeat FullCluster or other products, tend to get wiped out when patches are installed. A default FireWall-1 file is put in place.
I'm the one that actually sent the /etc/fw.boot/ifdev file info to the phoneboy site, but for some reason he didn't seem to include the reason to check for this file and what to actually look for.
good luck to ya
Ron
"Johan Henell (TIM)" wrote:
After applying SP4 (I redid it after failing because of too large directory name - if that has anything to do with it) fw1 (v4.1 on solaris sparc 2.7) fails to install the security policy. The message is:
....
...
Compiled OK
....
Downloading on localhost succeded.
Installing security policy on
Has only loopback (lo) interface, aborting.
Failed to load security policy. Bad file number.
Installing security policy on localhost failed.
* I tried uninstalling the service pack, but no change.
* When doing "fw ctl iflist" it only lists the loopback interface.
* The license seems to be ok.
* I tried the things in one FAQ I found on www.phoneboy.com: "fw ctl uninstall/install", dumb terminal file, verifying /etc/init.d/firewall1 exists and verified /etc/fw.boot/ifdev. Well.. everything except "cpconfig -install".
What to do except reinstalling (if I lose the policy it doesn't matter, I can always redo it)?
Any help would be appreciated.
BR /J