SUMMARY: Firewall-1 problem on 2.6

From: Steve Kilgore (isskilg@dca.ca.gov)
Date: Tue Jan 20 1998 - 11:04:16 CST


ORINIAL POST:

I am having a problem migrating my firewall from Solaris 2.5.1 to 2.6. I currently have Firewall-1 version 2.0 (with some patches)
running on a Sparc 5 under Solaris 2.5.1 with no (significant) problems. I have an identical machine (Sparc 5 with
same network interfaces, etc.) running Firewall-1 under Solaris 2.6 that I want to replace the existing (production)
machine with. I even have two Firewall-1 licenses, one for each machine. The Solaris 2.6 machine has the exact same hostname,
IP addresses, /etc/hosts file, etc. as the production (2.5.1) machine (but is temporarily isolated on it's own set of networks)
so I can do real testing before I put it into production. My problem arises when I try to compile and load the production rule
set on the new (2.6) machine. I have copied the /opt/SUNWfw/conf/objects.C and /opt/SUNWfw/conf/rule.W files as well as
other files in the /opt/SUNWfw/state directory from the production (2.5.1) machine to the 2.6 machine. When I try to
install these rules on the 2.6 machine, I continually get the error message:

rules:
"rules.pf", line 74: ERROR: cannot find <tcp_services> anywhere
Compilation Failed.

However, if I delete about half of these rules on the 2.6 machine, then try to install them, they usually compile fine with
no errors. The error does not appear to be caused by any particular rule either. It seems that the rule set will compile
as long as I reduce the number of rules significantly.

The <tcp_services> appears to be a list of known services in the firewall. It is not found in the rule.W file, rather it is
generated by the firewall at compile time and is found in the rule.pf file. The <tcp_services> is not a service (or something like
that, that I can tell) that can be found in the objects.C file on either machine. Rather, it can only be found in the rule.pf file
(on both machines), but only the new (2.6) machine complains.

Currently, we have about 75 rules, many of them very complicated, so I don't want to re-enter each one in by hand just to upgrade
to Solaris 2.6.

SOLUTION SUMMARY:

Firewall-1 version 2.0 does not run on Solaris 2.6. Firewall-1 must be at version 3.0 (plus some patches) to run on 2.6.
I confirmed this with a call to Sun.

Thanks to Ramon Castillo and Bryan Hodgson for their quick responses.

------------------------------
Steve Kilgore
Unix System Administration
Department of Consumer Affairs

Office: 916-324-8240
   FAX: 916-327-4530
 Email: isskilg@dca.ca.gov
------------------------------



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:29 CDT