RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5

From: Ron DuFresne (dufresneat_private)
Date: Tue Nov 27 2001 - 12:42:49 PST

            Run linuxconf
    
    
    ouch, isn't that package still broked and insecure, or has redhat fixed it
    up and made it something that folks would really install on a firewall?
    Of course, those running redhat systems as firewalls have stripped out all
    the toys and neato little packages that make a firewall not be a firewall,
    at least we hope.
    
    Does fw1 only run on redhat systems?
    
    Thanks,
    
    Ron DuFresne
    
    
    On Tue, 27 Nov 2001, Scott Walker Register wrote:
    
    > 
    > Yanek-
    > We have identified a problem with the interaction of VPN-1/FW-1 4.1 and the 3Com 3c90x driver.
    > This problem can be fixed by using the newer 3c59x driver (instructions below), or updating your
    > version of VPN-1/FW-1.  We have QA'ed extensively and found no problems after either of these solutions.
    > 
    > For anyone who is affected by this and is not able to use the updated 3Com driver, you may either
    > upgrade to VPN-1/FW-1 NG (which is stable even with the older 3com driver) or contact Check Point
    > Technical Services for a fix which can be applied to VPN-1/FW-1 4.1 SP5 to correct the problem.  That
    > fix will be incorporated in future VPN-1/FW-1 4.1 releases.
    > 
    > Instructions for using the 3c59x driver:
    > 	Login as root.
    > 	Run linuxconf
    > 	Select Config->Networking -> Client Tasks -> Host name and IP devices.
    > 	Choose the relevant adapters.
    > 	Change the "Kernel module" from "3c90x" to "3c59x" 
    > 	Accept the changes.
    > 	New settings will take effect after networking is restarted.
    > 
    > -SwR
    > 
    > ------------------------
    >   From: Yanek Korff <yanekat_private>
    >   Subject: RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
    >   Date: Mon, 19 Nov 2001 13:44:48 -0500 
    >   To: "'vuln-devat_private'" <vuln-devat_private>
    >   Cc: 'Scott Walker Register' <scott.registerat_private>, 'Andy Magoon' <Andy.Magoonat_private>
    > 
    > 
    > > I have finally figured out some of the problem.  By default RH6.2 will load
    > > the 3c59x module for my three 3c905C-TX-M network cards.  RH 6.2 does not
    > > panic when UDP scanned when using this kernel module.
    > > 
    > > By default RH7.0 will load the 3c90x module for the same 3c905C-TX-M network
    > > cards.  It does panic when UDP scanned.  If I specify "alias eth0 3c59x" in
    > > modules.conf, the other module loads and the system no longer crashes.
    > > Additionally, I have recompiled a much smaller custom kernel and built the
    > > 3c59x drivers directly into the kernel - again, stable.
    > > 
    > > What remains a mystery, to me at least, is what is causing UDP scans to give
    > > rise to a kernel panic.  Regardless of which driver module I am using, the
    > > kernel panics only when firewall-1 is running.
    > > 
    > > Thanks to all for your thoughts & testing.
    > > 
    > > -Yanek.
    > > 
    > > > -----Original Message-----
    > > > From: Andy Magoon [mailto:Andy.Magoonat_private]
    > > > Sent: Monday, November 19, 2001 10:45 AM
    > > > To: 'yanekat_private'
    > > > Subject: RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
    > > > 
    > > > 
    > > > Yanek,
    > > > 
    > > > I am running ckpt-fw1-v41-sp5 without a problem on a similar 
    > > > configuration. UDP port scans with nmap do not affect my server, 
    > > > and it behaves much better than the two before it (NT and W2K) 
    > > > which always rebooted or stopped passing packets.  
    > > > 
    > > > Hardware:  Dell PowerEdge 2200 with 64MB of RAM, 3Com 
    > > > EtherLink III 3c905-TX (x2) and 3Com 3c509B (x1)
    > > > 
    > > > Operating System: Red Hat Linux 6.1, kernel 2.2.12-20
    > > > 
    > > > I have had much better luck with Firewall-1 on Linux than on 
    > > > Windows, and will probably never again consider using a Windows 
    > > > box as a firewalled gateway.
    > > > 
    > > > Have you considered the warnings in the README that say not to run
    > > > Firewall-1 on a 2.4 kernel?
    > > > 
    > > > Andy
    > > > 
    > > > 
    > > > 
    > > > ---------------------
    > > > Original Message:
    > > > 
    > > > ------------------------------
    > > > 
    > > > Date:    Tue, 13 Nov 2001 14:45:02 -0500
    > > > From:    Yanek Korff <yanekat_private>
    > > > Subject: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
    > > > 
    > > > I'm testing out CP4.1 SP5 on Linux RH7.0.  I seem to have gotten everything
    > > > configured the way I want it and am starting to run some scans to see what I
    > > > can see.  Well, what I see is: nmap -sU -P0 ip_addr causes the machine to
    > > > instantly crash with a kernel panic, or in some cases, reboot.  I'm not
    > > > great at troubleshooting kernel/module troubles so any help would be greatly
    > > > appreciated.  IF you happen to have a Linux CP FW-1 box you could run nmap
    > > > against, I'd love to know your results (incl OS/kernel info).  Might want to
    > > > do this off-hours, though.
    > > > 
    > > > Without CP-FW1 running (/etc/rc.d/init.d/firewall1 stop), I cannot cause a
    > > > kernel panic with a UDP scan.  Has anyone else noticed this behavior?
    > > > 
    > > > Hardware:
    > > > Dell Dimension XPSB800r
    > > > 128MB RAM
    > > > 3Com EtherLink III 3c905-TX (three of them)
    > > > 
    > > > Have been able to reproduce this problem with kernels:
    > > > 2.2.19-7 (CUSTOM)
    > > > 2.2.16-20 (GENERIC  RH 7.0)
    > > > 
    > > > Tail end of the error message (after register & stack dump):
    > > > Code: 8b 41 08 3d 2b 2f c3 a5 0f 85 c6 00 00 00 8b 41 0c 85 c0 74
    > > > Aiee, killing interrupt handler
    > > > Kernel panic: Attempted to kill the idle task!
    > > > In swapper task - not syncing
    > > > 
    > > > -Yanek.
    > > > 
    > 
    > ---------------End of Original Message-----------------
    > 
    > ----------------------------------------------------------------
    > Scott.Registerat_private  ||  FireWall-1 Product Manager
    >                Check Point Software Technologies, Inc.
    > 2255 Glades Road    /    Suite 324A     \  Boca Raton, FL  33431
    > Voice: 561.989.5418 | Fax: 561.997.5421  |   11/27/01   12:17:00
    > ----------------------------------------------------------------
    > 
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
    	***testing, only testing, and damn good at it too!***
    
    OK, so you're a Ph.D.  Just don't touch anything.
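
Added example, not part of any message in this thread: the driver swap quoted above ("alias eth0 3c59x" in modules.conf) done without linuxconf, for firewalls where that package is not installed. The sample file contents and the function names are constructed for illustration; only the module names and the modules.conf alias syntax come from the thread.

```shell
#!/bin/sh
# Constructed sample of /etc/modules.conf on a three-NIC firewall
# (illustrative only, not taken from the thread).
SAMPLE_CONF='alias eth0 3c90x
alias   eth1    3c90x
# alias eth2 3c90x
alias eth2 3c59x
alias parport_lowlevel parport_pc'

# Read modules.conf text on stdin and print every ethN interface whose
# active alias line still selects the 3c90x module.
# Commented-out lines are ignored because their first field is not "alias".
list_3c90x_ifaces() {
    awk '$1 == "alias" && $2 ~ /^eth[0-9]+$/ && $3 == "3c90x" { print $2 }'
}

# Read modules.conf text on stdin and write it back out with active
# "alias ethN 3c90x" lines changed to 3c59x. All other lines, including
# comments and non-network aliases, pass through untouched.
swap_to_3c59x() {
    awk '$1 == "alias" && $2 ~ /^eth[0-9]+$/ && $3 == "3c90x" {
             print "alias " $2 " 3c59x"; next
         }
         { print }'
}

# Demo on the constructed sample: interfaces that would be changed.
printf '%s\n' "$SAMPLE_CONF" | list_3c90x_ifaces

# Against a real system, write a candidate file and review it before
# replacing the original:
#   swap_to_3c59x < /etc/modules.conf > /etc/modules.conf.new
#   diff /etc/modules.conf /etc/modules.conf.new
```

As the quoted instructions say, the new setting takes effect only after networking is restarted.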
    



    This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 13:03:58 PST