Friday, July 29, 2005

Q: I had SIC going between firewall and mgt station but I broke it. How do I reestablish SIC?

A:
First, on the enforcement point, run fw unloadlocal to unload the current policy. Then run cpconfig and choose the option to reset Secure Internal Communication. Give it a new one-time key. Then go over to your management box and edit the gateway object: "Reset" the communication and enter the same one-time key so the two sides can re-establish trust.

Thursday, July 28, 2005

Q: How do I change the interface IP address or settings from the command line?

A:
Once you have Voyager access to the firewall, setting the IP address, mask, etc. is simple. However, you may not have Voyager access if your IP settings don't yet match the network you are on. Log onto the console and run clish. The show interfaces command will show your IP settings and interface names. Determine the logical name of the interface (such as eth1c0) and its current IP. To remove the current IP address, use:

delete interface eth1c0 address 172.16.24.35

Then supply the new IP address and mask in CIDR format:

add interface eth1c0 address 192.168.14.3/24

To see if it is working, exit from clish back to the IPSO command line and ping something local.

Q: How do I recover my admin password?

A:
First, boot into single-user mode. On the IP330 and IP380, this is done by cycling power, and going into bootmgr command mode (when prompted). Then type boot -s. Once at the single-user command prompt, use /etc/overpw to give yourself a new password. It's probably best to give a simple password here, then later go into Voyager and change it to something more complex.

Thursday, July 21, 2005

Q: Are address translations done before or after sending the packet through the rulebase?

A:
After. According to Phoneboy's Firewall-1 NG book, any address translations are only done after the packet has cleared the rulebase.

Q: How does the "Add automatic address translation rules" entry in node properties work?

A:
Say you are creating a node object for your web server. You could create the object with the real, physical IP address of the webserver; then, on the NAT pane, put in the public IP address of the server and turn on "add automatic address translation rules", with translation method "static". This will have the effect, on the "address translation" master table, of adding two rules:

IPsrc=www physical, IPdst=any: translate IPsrc to the static NAT address you entered

IPsrc=any, IPdst=the static NAT address: translate IPdst to www physical

In the rulebase, wherever that node object is used, a match will occur and the rule will fire when the IP address matches either the physical or the NAT address. You could do the same thing manually, instead of using automatic; you would have to add two address translation rules. Also, you would have to create two node objects, one at the physical address and one at the NAT address, if you wanted both addresses to cause a rule or rules to fire in the rulebase.
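To make the two answers above concrete (translation happens only after the packet has cleared the rulebase, and a node with automatic static NAT matches on either address), here is a small added model of that behaviour. It is example code written for this page, not Check Point's implementation; the addresses, the policy rules and the Packet/NatRule types are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard in both the rulebase and the address-translation table

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class NatRule:
    """One row of the address-translation table (constructed model)."""
    match_src: Optional[str]
    match_dst: Optional[str]
    new_src: Optional[str]
    new_dst: Optional[str]

def automatic_static_nat(physical: str, public: str):
    """The two rows 'add automatic address translation rules' / static adds."""
    return [
        NatRule(physical, ANY, public, ANY),   # IPsrc=www physical, IPdst=any -> IPsrc becomes public
        NatRule(ANY, public, ANY, physical),   # IPsrc=any, IPdst=public -> IPdst becomes physical
    ]

def node_addresses(physical: str, public: str):
    """A node object with a static NAT entry matches on either address in the rulebase."""
    return {physical, public}

def rulebase_allows(packet, policy):
    """policy rows are (src_set_or_ANY, dst_set_or_ANY, action); first match wins."""
    for src, dst, action in policy:
        if (src is ANY or packet.src in src) and (dst is ANY or packet.dst in dst):
            return action == "accept"
    return False  # implicit cleanup drop

def translate(packet, nat_rules):
    """Apply the first matching translation row; leave the packet alone if none matches."""
    for r in nat_rules:
        if (r.match_src is ANY or r.match_src == packet.src) and (r.match_dst is ANY or r.match_dst == packet.dst):
            return Packet(r.new_src or packet.src, r.new_dst or packet.dst)
    return packet

def process(packet, policy, nat_rules):
    """Rulebase first; address translation only once the packet has cleared it."""
    if not rulebase_allows(packet, policy):
        return None
    return translate(packet, nat_rules)

WWW_PHYS, WWW_PUB = "10.1.1.20", "203.0.113.20"  # constructed sample addresses
WWW = node_addresses(WWW_PHYS, WWW_PUB)
POLICY = [(ANY, WWW, "accept"), (WWW, ANY, "accept")]  # constructed: any<->www accept
NAT = automatic_static_nat(WWW_PHYS, WWW_PUB)
```

Running process(Packet("198.51.100.7", WWW_PUB), POLICY, NAT) returns the packet with its destination rewritten to the physical address, while a packet to an address outside the www object is dropped before any translation row is consulted.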