Patch-ID# 102890-02
Keywords: address firewall memory leak hang lock router permissions
Synopsis: Solstice Firewall-1 1.2.1: Jumbo Patch W/Network Address Translation
Date: Nov/15/95

Solaris Release: 1.1.1, 1.1.2

SunOS Release: 4.1.3_U1, 4.1.4

Unbundled Product: Solstice Firewall-1

Unbundled Release: 1.2.1

Relevant Architectures: sparc

BugId's fixed with this patch: 1212746 1195829 1201649 1223318 1223316 1201809 1225213

Changes incorporated in this version: 

Patches accumulated and obsoleted by this patch: 

Patches which conflict with this patch: 

Patches required with this patch: 

Obsoleted by: 

Files included with this patch: 

        fw
        fwciscoput
        fwconfig
        fwui
        fwmod.4.1.3.o
        fwui_head.def
        fwxlate.ps
        fwxlate.txt
        fwxlconf
        xlate.conf

Problem Description: 

        This patch enhances the Solstice FireWall-1 1.2.1 release to
        include NAT, or Network Address Translation functionality.
        The previous -01 NAT patch had a few bugs, which are now fixed:

        . DST rule used with host on directly attached Token Ring network
          caused panic
 
        . Log viewer colors not working
 
        Also, several known bugs in the Solstice FireWall-1 1.2.1 FCS
        release are fixed:
 
        . Kernel module memory leak when rejecting non-TCP traffic
 
        . Lockups when loading filter module during heavy swapping on gateway
 
        . Cisco 10.x IOS timeouts during ACL download to router
 
        . (Solaris 2.x only) Wellfleet router SNMP operations disabled
 
        . Permanent files (in none class) being writable by group when
          group permissions used
 
        . External network interface designator not being configured
 
        . Licensing problem when trying to load ruleset on a remote gateway,
          while the control station is running with 'control' as a single
          license option
 
        . (SunOS 4 only) Kernel module group permissions unconditionally
          set to 0600


Patch Installation Instructions: 

	1. Stop FireWall-1 by executing the following command:

		# /etc/fw/bin/fwstop

	2. Execute the installpatch script as follows (supersedes
	   standard instructions which follow this section):

		# ./installpatch

	   NOTE: When this patch is installed, files are saved to the
	   patch directory (this directory). If you wish to retain the
	   ability to use ./backoutpatch to de-install this patch, do
	   not delete this patch directory after installation.

	3. After installpatch completes, run the fwconfig command as
	   follows, to re-establish correct group permissions:

		# /etc/fw/bin/fwconfig

	   (An updated fwconfig utility is provided in this patch,
	   which replaces the original utility found in the 1.2.1 FCS
	   package. The original utility was unable to properly set
	   group permissions when /etc/fw, a symlink itself, pointed
	   to another symlink. In addition, files and directories
	   in the FireWall-1 directory hierarchy which are normally
	   not written to are no longer set to writable by the FireWall-1
	   administrative group, if such a group is used. You may wish
	   to make a copy of the updated fwconfig utility and manually
	   copy it back, if you back out this patch and wish to continue
	   using the updated utility.)

	   NOTE: While you are running fwconfig, if you have the Light
	   Internet Gateway or Medium Internet Gateway packages, select
	   option 6, "Specify this host's external network interface name"
	   and enter the name of your gateway's external network interface.
	   This will get rid of "External interface not configured correctly"
	   messages printed to the console. (The messages are harmless.)
	
	4. Restart FireWall-1 by issuing the following command:

		# /etc/fw/bin/fwstart


	See documentation provided in the $FWDIR/doc directory for more
	information on how to use the NAT facility. The documentation
	filenames are fwxlate.ps and fwxlate.txt.
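
A post-install check for step 3, added here as an example and not part of the Sun patch: it follows the /etc/fw symlink chain hop by hop (the link-to-a-link case the original fwconfig mishandled) and lists what is still group-writable in the real directory, for review. The function names are hypothetical, and a readlink command is assumed to be available.

```shell
#!/bin/sh
# Added example, not shipped with the patch. The directory to audit is
# passed as an argument; /etc/fw is the path named in this README.

# Follow a symlink chain one hop at a time (a link may point to another
# link) and print the physical directory it ends at.
resolve_chain() {
    p=$1
    hops=0
    while [ -h "$p" ]; do
        hops=$((hops + 1))
        [ "$hops" -gt 16 ] && { echo "symlink loop at $p" >&2; return 1; }
        target=$(readlink "$p")          # assumption: readlink exists
        case $target in
            /*) p=$target ;;                       # absolute target
            *)  p=$(dirname "$p")/$target ;;       # relative to the link
        esac
    done
    (cd "$p" 2>/dev/null && pwd -P) || return 1
}

# List files and directories under the resolved tree that carry the
# group-write bit, sorted, as paths relative to the tree root.
group_writable() {
    root=$(resolve_chain "$1") || return 1
    (cd "$root" && find . \( -type f -o -type d \) -perm -020 -print | sort)
}

# Usage: sh fwperm-audit.sh /etc/fw
if [ $# -gt 0 ]; then
    group_writable "$1"
fi
```

Run it once after fwconfig and compare the listing with the files the FireWall-1 administrative group actually needs to write.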



Patch Backout Instructions:

	1. Stop FireWall-1 by issuing the following command:

		# /etc/fw/bin/fwstop

	2. Back out the patch:

		# ./backoutpatch

	3. Run the fwconfig command and select option 1 to reinstall the
	   old kernel module and set correct group permissions:

		# /etc/fw/bin/fwconfig

	4. Restart FireWall-1 by issuing the following command:

		# /etc/fw/bin/fwstart
