Patch-ID# 102890-02
Keywords: address firewall memory leak hang lock router permissions
Synopsis: Solstice Firewall-1 1.2.1: Jumbo Patch W/Network Address Translation
Date: Nov/15/95

Solaris Release: 1.1.1A 1.1.2

SunOS Release: 4.1.3_U1A 4.1.4

Unbundled Product: Solstice Firewall-1

Unbundled Release: 1.2.1

Relevant Architectures: sparc

BugId's fixed with this patch: 1212746 1195829 1201649 1223318 1223316 1201809 1225213

Changes incorporated in this version:

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

fw
fwciscoput
fwconfig
fwui
fwmod.4.1.3.o
fwui_head.def
fwxlate.ps
fwxlate.txt
fwxlconf
xlate.conf

Problem Description:

This patch enhances the Solstice FireWall-1 1.2.1 release to include NAT,
or Network Address Translation, functionality.

The previous -01 NAT patch had a few bugs, which are now fixed:

. DST rule used with host on directly attached Token Ring network caused panic
. Log viewer colors not working

Also, several known bugs in the Solstice FireWall-1 1.2.1 FCS release are
fixed:

. Kernel module memory leak when rejecting non-TCP traffic
. Lockups when loading filter module during heavy swapping on gateway
. Cisco 10.x IOS timeouts during ACL download to router
. (Solaris 2.x only) Wellfleet router SNMP operations disabled
. Permanent files (in none class) being writable by group when group
  permissions used
. External network interface designator not being configured
. Licensing problem when trying to load ruleset on a remote gateway, while
  the control station is running with 'control' as a single license option
. (SunOS 4 only) Kernel module group permissions unconditionally set to 0600

Patch Installation Instructions:

1. Stop FireWall-1 by executing the following command:

   # /etc/fw/bin/fwstop

2. Execute the installpatch script as follows (supersedes the standard
   instructions which follow this section):

   # ./installpatch

   NOTE: When this patch is installed, files are saved to the patch
   directory (this directory). If you wish to retain the ability to use
   ./backoutpatch to de-install this patch, do not delete this patch
   directory after installation.

3. After installpatch completes, run the fwconfig command as follows, to
   re-establish correct group permissions:

   # /etc/fw/bin/fwconfig

   (An updated fwconfig utility is provided in this patch, which replaces
   the original utility found in the 1.2.1 FCS package. The original
   utility was unable to properly set group permissions when /etc/fw,
   itself a symlink, pointed to another symlink. In addition, files and
   directories in the FireWall-1 directory hierarchy which are normally
   not written to are no longer set to writable by the FireWall-1
   administrative group, if such a group is used. You may wish to make a
   copy of the updated fwconfig utility and manually copy it back if you
   back out this patch and wish to continue using the updated utility.)

   NOTE: While you are running fwconfig, if you have the Light Internet
   Gateway or Medium Internet Gateway packages, select option 6, "Specify
   this host's external network interface name", and enter the name of
   your gateway's external network interface. This will get rid of
   "External interface not configured correctly" messages printed to the
   console. (The messages are harmless.)

4. Restart FireWall-1 by issuing the following command:

   # /etc/fw/bin/fwstart

See the documentation provided in the $FWDIR/doc directory for more
information on how to use the NAT facility. The documentation filenames
are fwxlate.ps and fwxlate.txt.

Patch Backout Instructions:

1. Stop FireWall-1 by issuing the following command:

   # /etc/fw/bin/fwstop

2. Back out the patch:

   # ./backoutpatch

3. Run the fwconfig command and select option 1 to reinstall the old
   kernel module and set correct group permissions:

   # /etc/fw/bin/fwconfig

4. Restart FireWall-1 by issuing the following command:

   # /etc/fw/bin/fwstart
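The following is an added verification script, not part of Sun's patch README or the FireWall-1 package, for confirming the permission fix after step 3 of the installation instructions: it resolves the FireWall-1 directory through any chain of symlinks (the case the original fwconfig mishandled) and lists the regular files that are still group-writable, so anything outside the set that is normally written to can be reviewed. It assumes a POSIX sh with a find(1) that accepts -perm -020, and defaults the directory to $FWDIR or /etc/fw.

```shell
#!/bin/sh
# Added example (not from the patch README). Checks the FireWall-1 tree
# after fwconfig has re-established group permissions.

# Resolve a directory through every symlink in the chain. cd -P and pwd -P
# are POSIX and follow /etc/fw -> symlink -> symlink to the real directory.
fw_resolve_dir() {
    (cd -P "$1" 2>/dev/null && pwd -P)
}

# Print each regular file under the resolved tree that is group-writable
# (mode bit 020). With an administrative group in use, only files that are
# normally written to should appear here; anything else is worth a look.
fw_list_group_writable() {
    dir=$(fw_resolve_dir "$1") || return 1
    find "$dir" -type f -perm -020 -print
}

# Number of group-writable regular files, for use in scripts and checks.
fw_count_group_writable() {
    fw_list_group_writable "$1" | wc -l | tr -d ' '
}

# Usage: fw_audit [dir]   (defaults to ${FWDIR:-/etc/fw})
fw_audit() {
    dir=${1:-${FWDIR:-/etc/fw}}
    real=$(fw_resolve_dir "$dir") || { echo "cannot resolve $dir" >&2; return 1; }
    echo "$dir resolves to $real"
    echo "group-writable files: $(fw_count_group_writable "$dir")"
    fw_list_group_writable "$dir"
}
```

Run fw_audit once before and once after the updated fwconfig; the second listing should no longer contain the permanent files that the FCS utility left group-writable.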