Re: Gauntlet 5.0 BSDI warning

From: Strange (strangeat_private)
Date: Mon Oct 18 1999 - 10:19:46 PDT


    On Mon, 18 Oct 1999, Keith Young wrote:
    > 	This issue will appear if you do the following in sequence:
    > 	1) Install BSDI 3.1
    > 	2) Install Gauntlet 5.0
    > 	3) Install BSDI patch M310-049
    > 	4) Install Gauntlet 5.0 kernel patch level 2
    
    According to the folks we asked at NAI in June about the Gauntlet install
    procedure (on all supported OSes), the install order to be used is:
    
    Install OS
    Install OS patches
    Install Gauntlet
    Install Gauntlet patches
    never install any OS patches again
    
    Because of that last nasty gotcha, we use a firewall builder box when we
    want to "patch" the firewalls.  We then pull the newly-built drives, and
    swap them into the extant firewall box.  Lather, rinse, repeat.
    
    > SOLUTIONS -
    > 	A) Install M310-049 *before* installing Gauntlet 5.0.
    
    Interestingly, this is what the vendor told us to *always* do, under *all*
    circumstances.  I'd say that if you're going to apply vendor patches, you
    should assume you have to do a full Gauntlet reinstall because Gauntlet
    5.0 replaces some key kernel items.
    
    Gauntlet 5.5 apparently avoids some of these issues by getting in front of
    the stack (much like ipf does) rather than replacing kernel code.  OTOH,
    Mike Frantzen, in our summer-long "break the firewall" party, had some
    issues with some intentional 5.5 behaviors.  Mike F. again deserves
    accolades for his magic ability to decompile code in his head.
    
    > 		1) # cp /usr/local/sys.gauntlet/i386/OBJ/ip_input.o /usr/src/sys/i386/OBJ
    > 		2) # sh /usr/local/sys.gauntlet/build_kernel/build_kernel 50.1
    > 		3) # reboot
    
    I.e., a vendor patch replaced code that the gauntlet had already replaced.
    
    I am wondering if this is *really* a Gauntlet bug or a Gauntlet vendor
    documentation bug (they do not, as far as we could tell, make it plain
    that you should not apply vendor patches after installing the firewall).
    We got our clear answer only by calling support.
    
          -M
    
    Michael Brian Scher (MS683/MS3213)  Anthropologist, Attorney, Policy Analyst
                Mainlining Internet Connectivity for Fun and Profit
       strangeat_private     strangeat_private     strangeat_private
         Give me a compiler and a box to run it, and I can move the mail.
    
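The failure mode described above (an OS patch overwriting a kernel object that Gauntlet had already replaced) can be caught before a rebuild by comparing the Gauntlet-supplied objects against the copies in the kernel build tree. The script below is an added example, not code from the post or from NAI; the two directory arguments and the constructed sample tree are assumptions, with the real paths being the ones the post names (/usr/local/sys.gauntlet/i386/OBJ and /usr/src/sys/i386/OBJ).

```shell
#!/bin/sh
# Added example: detect kernel objects that an OS patch has clobbered after
# Gauntlet replaced them, by checksumming each Gauntlet .o against the copy in
# the OS kernel build tree. Run as:
#   check_kernel_objs /usr/local/sys.gauntlet/i386/OBJ /usr/src/sys/i386/OBJ

# Prints one line per object; returns 0 if every object matches,
# 1 if any is missing from the build tree or differs from the Gauntlet copy.
check_kernel_objs() {
    gauntlet_obj="$1"   # directory holding Gauntlet's replacement objects
    os_obj="$2"         # kernel build tree the OS patches write into
    status=0
    for f in "$gauntlet_obj"/*.o; do
        name=$(basename "$f")
        if [ ! -f "$os_obj/$name" ]; then
            echo "MISSING   $name"
            status=1
            continue
        fi
        g=$(cksum "$f" | cut -d' ' -f1)
        o=$(cksum "$os_obj/$name" | cut -d' ' -f1)
        if [ "$g" = "$o" ]; then
            echo "OK        $name"
        else
            echo "CLOBBERED $name (build tree copy differs from Gauntlet copy)"
            status=1
        fi
    done
    return $status
}

# Constructed sample tree (not real kernel objects) so the check runs offline:
# ip_input.o simulates the post's case where the vendor patch overwrote it,
# ip_output.o simulates an object left intact. Prints the sample root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/gauntlet/OBJ" "$root/os/OBJ"
    printf 'gauntlet ip_input' > "$root/gauntlet/OBJ/ip_input.o"
    printf 'vendor patched ip_input' > "$root/os/OBJ/ip_input.o"
    printf 'same bytes' > "$root/gauntlet/OBJ/ip_output.o"
    printf 'same bytes' > "$root/os/OBJ/ip_output.o"
    echo "$root"
}
```

A CLOBBERED line is the signal that the recovery steps quoted above (copy the Gauntlet object back, rerun build_kernel, reboot) are needed; run the check after any OS patch and before trusting the running kernel.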
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:52 PDT