Patch-ID# 105237-09
Keywords: ENCRYPTION INTERNATIONAL security NAT ftp-related EFS crypto CDP international
Synopsis: SunScreen EFS 1.1: miscellaneous fixes including NAT
Date: Sep/09/99

******************************************************
The items made available through this website are subject to United States
export laws and may be subject to export and import laws of other countries.
You agree to strictly comply with all such laws and obtain licenses to export,
re-export, or import as may be required. Unless expressly authorized by the
United States Government to do so you will not, directly or indirectly, export
or re-export the items made available through this website, nor direct the
items therefrom, to any embargoed or restricted country identified in the
United States export laws, including but not limited to the Export
Administration Regulations (15 C.F.R. Parts 730-774).
******************************************************

Solaris Release: 2.4 2.5 2.5.1

SunOS Release: 5.4 5.5 5.5.1

Unbundled Product: SunScreen EFS

Unbundled Release: 1.1

Relevant Architectures: sparc

BugId's fixed with this patch: 4048431 4050321 4050808 4050942 4066954 4067990 4072637 4082648 4093790 4093795 4093802 4094073 4094938 4094946 4103101 4103955 4104255 4104257 4104260 4110831 4111815 4131004 4131264 4163236 4164158

Changes incorporated in this version: Fixes for NAT problems, memory leaks, and other bugs.

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

SUNWicgSS
/opt/SUNWicg/SunScreen/bin/ss_compiler
/opt/SUNWicg/SunScreen/bin/ss_server
/opt/SUNWicg/SunScreen/bin/natcompiler
/opt/SUNWicg/SunScreen/admin/cgi-bin/config_detail
/opt/SUNWicg/SunScreen/bin/ss_logd
/kernel/drv/screen
/usr/kernel/misc/screen_ftp
/usr/kernel/drv/screen_skip

SUNWicgSA
/opt/SUNWicg/SunScreenAdmin/bin/spf_admin_install
/opt/SUNWicg/SunScreenAdmin/bin/.jumpstart/finish.spf

Problem Description:

4164158 Dynamic NAT does not work with FTP servers that send data on high ports (SUNWicgSS)

(from 105237-08)

4131264 EFS can crash processing UDP port 1640 packets that are not CDP (SUNWicgSS)
4163236 can crash screen with SKIP packets to port during screen's first boot (SUNWicgSS)

(from 105237-07)

4131004 EFS 1.1b drops to OK prompt when using NAT (SUNWicgSS)

(from 105237-06)

4110831 ftp with NAT fails if the public/private addresses differ in length (SUNWicgSS)
4111815 NAT fail with mix of DYNAMIC and STATIC mappings (SUNWicgSS)

(from 105237-05)

4103101 STATIC NAT's net traffic from external to internal host ends up in EFS server. (SUNWicgSS)
4103955 Compiler dumps core when compiling bad skip rule (SUNWicgSS)
4104255 memory leak with ICMP rejects on failed packets (SUNWicgSS)
4104257 memory leak with SNMP alerts on failed packets (SUNWicgSS)
4104260 Screen's root partition gets filled up (SUNWicgSS)

(from 105237-04)

correct a build issue

(from 105237-03)

4094073 Some Dynamic NAT configurations caused system panic. (SUNWicgSS)

(from 105237-02)

4082648 NAT problems when using STATIC NAT (SUNWicgSS)

(from 105237-01)

4048431 Can delete active config - no warning - screen can't be managed any longer (SUNWicgSS)
4050321 Screen panics at boot time - STACK UNDERFLOW (SUNWicgSS)
4050808 ss_client fails every other time - error: thread1: unexpected exit (SUNWicgSS)
4050942 ss_server dies - core dump - Bus Error (SUNWicgSS) (SUNWicgSS)
4066954 ndd-get panics the system (SUNWicgSS)
4067990 EFS 1.1 panic when doing a Rename of a custom svc from sas_main (SUNWicgSS)
4072637 cannot get session logging to work for encrypted rules (SUNWicgSS)
4093790 passive ftp fails (SUNWicgSS)
4093795 NAT occurs when it should not (between two private addresses) (SUNWicgSS)
4093802 public source address corrupted when mapping a list of networks
4094938 screen can be accessed during install cycle (SUNWicgSA)
4094946 spf_admin_install netmask prompt looks like a "y/n" question (SUNWicgSA)

Instructions to install patch on SunScreen EFS 1.1 Administration Station
-------------------------------------------------------------------------

Note: Only the SUNWicgSA part of the patch will be applied to the
Administration Station with this part of the procedure.

1. Become root on the Admin Station.

2. Transfer patch file to Admin Station via floppy or ftp (where 3 MB free).

3. Then type:

        # uncompress 105237-09.tar.Z
        # tar xf 105237-09.tar
        # 105237-09/installpatch 105237-09

4. Restart any EFS administrative applications.

Instructions to install patch on SunScreen EFS 1.1 Screen
---------------------------------------------------------

Note: Both parts of the patch (SUNWicgSA and SUNWicgSS) will be applied to
the screen with this part of the procedure.

1. Become root on the Screen.

2. Transfer patch file to the Screen via floppy or ftp (where 3 MB free).

3. Then type:

        # uncompress 105237-09.tar.Z
        # tar xf 105237-09.tar
        # 105237-09/installpatch 105237-09

4. Reboot the EFS system.

5. Compilation and activation of the currently active configuration is
   required to have the NAT bug (4131004) fix applied.

Instructions for identifying patches installed on system:
----------------------------------------------------------

1. To identify the patch level on your SunScreen EFS 1.1 Screen, execute
   the commands:

        % ls -lt /var/sadm/patch > screen.pkginfo
        % pkginfo -l >> screen.pkginfo

2. To identify the patch level on your SunScreen EFS 1.1 Administration
   Station, execute the commands:

        % ls -lt /var/sadm/patch > admin.pkginfo
        % pkginfo -l >> admin.pkginfo

Instructions to backout patch on SunScreen EFS 1.1 Administration Station
-------------------------------------------------------------------------

1. Become root on the Screen.

2. Then type:

        # cd /var/sadm/patch
        # 105237-09/backoutpatch 105237-09

Instructions to backout patch on SunScreen EFS 1.1 Screen
---------------------------------------------------------

1. Become root on the Screen.

2. Then type:

        # cd /var/sadm/patch
        # 105237-09/backoutpatch 105237-09
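
One way to script the patch-level check from "Instructions for identifying patches installed on system", as an added example that is not part of Sun's README. It assumes installed revisions appear as directories named 105237-NN under /var/sadm/patch and that each "(from 105237-NN)" marker heads the fixes first shipped in that revision; the function names and the FIXES table are constructed here.

```shell
#!/bin/sh
# Added example, not Sun's code. Reports which BugIds from this README are
# still unfixed at the patch revision found on a Screen or Admin Station.

PATCH_ID=105237

# revision:BugId pairs, read from the "(from 105237-NN)" markers in the
# Problem Description (assumption: a marker heads that revision's fixes).
FIXES="
09:4164158
08:4131264 08:4163236
07:4131004
06:4110831 06:4111815
05:4103101 05:4103955 05:4104255 05:4104257 05:4104260
03:4094073
02:4082648
01:4048431 01:4050321 01:4050808 01:4050942 01:4066954 01:4067990
01:4072637 01:4093790 01:4093795 01:4093802 01:4094938 01:4094946
"

# Print the highest installed revision of $PATCH_ID in patch directory $1
# (two digits, e.g. "07"). Prints nothing and returns 1 if none is present.
installed_rev() {
    best=""
    for entry in "$1"/"$PATCH_ID"-[0-9][0-9]; do
        [ -d "$entry" ] || continue        # skip stray files and unmatched glob
        rev=${entry##*-}
        # Strip one leading zero so "08"/"09" compare as decimal numbers.
        if [ -z "$best" ] || [ "${rev#0}" -gt "${best#0}" ]; then
            best=$rev
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Print the BugIds whose fix needs a revision newer than $1.
# An empty argument means the patch is not installed at all.
missing_fixes() {
    have=${1:-00}
    out=""
    for pair in $FIXES; do
        need=${pair%%:*}
        bug=${pair#*:}
        if [ "${need#0}" -gt "${have#0}" ]; then
            out="$out${out:+ }$bug"
        fi
    done
    printf '%s\n' "$out"
}
```

On a live system, `missing_fixes "$(installed_rev /var/sadm/patch)"` lists the BugIds that the installed revision does not yet cover; an empty result means revision 09 or later is present.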