> Run linuxconf

ouch, isn't that package still broked and insecure, or has redhat fixed it
up and made it something that folks would really install on a firewall?
Of course, those running redhat systems as firewalls have stripped out all
the toys and neato little packages that make a firewall not be a firewall,
at least we hope.

Does fw1 only run on redhat systems?

Thanks,

Ron DuFresne

On Tue, 27 Nov 2001, Scott Walker Register wrote:

>
> Yanek-
> We have identified a problem with the interaction of VPN-1/FW-1 4.1 and the 3Com 3c90x driver.
> This problem can be fixed by using the newer 3c59x driver (instructions below), or updating your
> version of VPN-1/FW-1. We have QA'ed extensively and found no problems after either of these solutions.
>
> For anyone who is affected by this and is not able to use the updated 3Com driver, you may either
> upgrade to VPN-1/FW-1 NG (which is stable even with the older 3com driver) or contact Check Point
> Technical Services for a fix which can be applied to VPN-1/FW-1 4.1 SP5 to correct the problem. That
> fix will be incorporated in future VPN-1/FW-1 4.1 releases.
>
> Instructions for using the 3c59x driver:
> Login as root.
> Run linuxconf
> Select Config->Networking -> Client Tasks -> Host name and IP devices.
> Choose the relevant adapters.
> Change the "Kernel module" from "3c90x" to "3c59x"
> Accept the changes.
> New settings will take effect after networking is restarted.
>
> -SwR
>
> ------------------------
> From: Yanek Korff <yanekat_private>
> Subject: RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
> Date: Mon, 19 Nov 2001 13:44:48 -0500
> To: "'vuln-devat_private'" <vuln-devat_private>
> Cc: 'Scott Walker Register' <scott.registerat_private>, 'Andy Magoon' <Andy.Magoonat_private>
>
> > I have finally figured out some of the problem. By default RH6.2 will load
> > the 3c59x module for my three 3c905C-TX-M network cards. RH 6.2 does not
> > panic when UDP scanned when using this kernel module.
> >
> > By default RH7.0 will load the 3c90x module for the same 3c905C-TX-M network
> > cards. It does panic when UDP scanned. If I specify "alias eth0 3c59x" in
> > modules.conf, the other module loads and the system no longer crashes.
> > Additionally, I have recompiled a much smaller custom kernel and built the
> > 3c59x drivers directly into the kernel - again, stable.
> >
> > What remains a mystery, to me at least, is what is causing UDP scans to give
> > rise to a kernel panic. Regardless of which driver module I am using, the
> > kernel panics only when firewall-1 is running.
> >
> > Thanks to all for your thoughts & testing.
> >
> > -Yanek.
> >
> > > -----Original Message-----
> > > From: Andy Magoon [mailto:Andy.Magoonat_private]
> > > Sent: Monday, November 19, 2001 10:45 AM
> > > To: 'yanekat_private'
> > > Subject: RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
> > >
> > >
> > > Yanek,
> > >
> > > I am running ckpt-fw1-v41-sp5 without a problem on a similar
> > > configuration. UDP port scans with nmap do not affect my server,
> > > and it behaves much better than the two before it (NT and W2K)
> > > which always rebooted or stopped passing packets.
> > >
> > > Hardware: Dell PowerEdge 2200 with 64MB of RAM, 3Com
> > > EtherLink III 3c905-TX (x2) and 3Com 3c509B (x1)
> > >
> > > Operating System: Red Hat Linux 6.1, kernel 2.2.12-20
> > >
> > > I have had much better luck with Firewall-1 on Linux than on
> > > Windows, and will probably never again consider using a Windows
> > > box as a firewalled gateway.
> > >
> > > Have you considered the warnings in the README that say not to run
> > > Firewall-1 on a 2.4 kernel?
> > >
> > > Andy
> > >
> > >
> > >
> > > ---------------------
> > > Original Message:
> > >
> > > ------------------------------
> > >
> > > Date: Tue, 13 Nov 2001 14:45:02 -0500
> > > From: Yanek Korff <yanekat_private>
> > > Subject: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
> > >
> > > I'm testing out CP4.1 SP5 on Linux RH7.0. I seem to have gotten everything
> > > configured the way I want it and am starting to run some scans to see what I
> > > can see. Well, what I see is: nmap -sU -P0 ip_addr causes the machine to
> > > instantly crash with a kernel panic, or in some cases, reboot. I'm not
> > > great at troubleshooting kernel/module troubles so any help would be greatly
> > > appreciated. If you happen to have a Linux CP FW-1 box you could run nmap
> > > against, I'd love to know your results (incl OS/kernel info). Might want to
> > > do this off-hours, though.
> > >
> > > Without CP-FW1 running (/etc/rc.d/init.d/firewall1 stop), I cannot cause a
> > > kernel panic with a UDP scan. Has anyone else noticed this behavior?
> > >
> > > Hardware:
> > > Dell Dimension XPSB800r
> > > 128MB RAM
> > > 3Com EtherLink III 3c905-TX (three of them)
> > >
> > > Have been able to reproduce this problem with kernels:
> > > 2.2.19-7 (CUSTOM)
> > > 2.2.16-20 (GENERIC RH 7.0)
> > >
> > > Tail end of the error message (after register & stack dump):
> > > Code: 8b 41 08 3d 2b 2f c3 a5 0f 85 c6 00 00 00 8b 41 0c 85 c0 74
> > > Aiee, killing interrupt handler
> > > Kernel panic: Attempted to kill the idle task!
> > > In swapper task - not syncing
> > >
> > > -Yanek.
> > >
> > ---------------End of Original Message-----------------
>
> ----------------------------------------------------------------
> Scott.Registerat_private || FireWall-1 Product Manager
> Check Point Software Technologies, Inc.
> 2255 Glades Road / Suite 324A \ Boca Raton, FL 33431
> Voice: 561.989.5418 | Fax: 561.997.5421 | 11/27/01 12:17:00
> ----------------------------------------------------------------
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
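
The driver switch discussed in the thread (aliasing each ethN to 3c59x in modules.conf instead of 3c90x), as an added example that is not part of any poster's message: a small audit that lists interfaces still aliased to 3c90x and prints a corrected copy of the file. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: audit a modules.conf-style file for
# ethN aliases still bound to 3c90x and emit a copy that uses 3c59x.

# Print "ethN module" for the last alias seen per interface, sorted.
nic_aliases() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "alias" && $2 ~ /^eth[0-9]+$/ { mod[$2] = $3 }
        END { for (i in mod) print i, mod[i] }
    ' "$1" | sort
}

# Print the interfaces whose effective alias is the 3c90x module.
affected_nics() {
    nic_aliases "$1" | awk '$2 == "3c90x" { print $1 }'
}

# Print the file with active ethN aliases switched from 3c90x to 3c59x.
# Commented-out lines and unrelated aliases pass through unchanged.
fixed_conf() {
    awk '
        $1 == "alias" && $2 ~ /^eth[0-9]+$/ && $3 == "3c90x" {
            sub(/3c90x/, "3c59x")
        }
        { print }
    ' "$1"
}

# Constructed sample input; a real run would pass the host's modules.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
alias eth0 3c90x
alias eth1 3c90x   # second card
alias eth2 3c59x
alias scsi_hostadapter aic7xxx
#alias eth3 3c90x
EOF

echo "Interfaces still aliased to 3c90x:"
affected_nics "$sample"
echo "Corrected file:"
fixed_conf "$sample"
```

As the quoted instructions note, a changed alias only takes effect after networking is restarted, so the file and the loaded module can disagree until then.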
This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 13:03:58 PST