Patch-ID# 103338-04
Keywords: firewall
Synopsis: Firewall-1 2.0: Jumbo patch for Solstice FireWall-1 2.0 VPN
Date: Sep/11/96

Solaris Release: 1.1.1 1.1.2
SunOS release: 4.1.3_U1 4.1.4
Unbundled Product: Firewall-1
Unbundled Release: 2.0

BugId's fixed with this patch: 1218432 1204303 1238880 1240190 1245181 1245330

Changes incorporated in this version:

Relevant Architectures: sparc

Patches accumulated and obsoleted by this patch: 102629-01 103208-01 103338-01

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

        fw
        fwc
        fwinfo
        fwstart
        fwstop
        fwui
        fwcisco
        fwciscoget
        fwciscologin
        fwciscoput
        base.def
        crypt.def
        table.def
        code.def
        objects.C
        fwmod.4.1.3.o

Patch Description:

This patch fixes a number of bugs that were in the 2.0 FCS release of
Solstice FireWall-1:

        o Log formats are sometimes not found by the log application.
        o GUI crashes when SRC is 'Any' and action is 'User Auth'.
        o Translated ping returns packets with miscompared bytes.
        o FWD enters an infinite loop when ICMP encryption fails.
        o Solaris-2 machines crash upon successive encryption.
        o RST is not recognized as a TCP session termination.
        o Internet Explorer v2.0 does not work with ahttpd.
        o FWUI does not allow user names with spaces.
        o Log Viewer does not resolve services on x86.
        o Unidirectionality of connections not enforced.
        o No properties for Real-Audio and VDOLive.
        o SecurID New-PIN Protocol not supported.
        o MD5 fails between two x86 machines.
        o TCP packet rejection sometimes fails.
        o FTP PORT command must have \n.
        o Uninstall on Cisco routers fails.
        o Real-Audio v2 not supported.
        o 'fw fetch' fails on x86.
        o Duplication of last rule in rulebase causes the new line to
          display incorrect information.
        o Illegal and empty IP addresses in host or gateway configuration
          cause code generator to dump core, or possibly generate
          non-compiling code.
        o Authenticated HTTP daemon asks for a password each time a new URL
          is accessed, regardless of user settings.
        o Peer receives illegal reply when translating and encrypting
          addresses simultaneously.
        o Log entries generated by an authentication daemon sometimes
          contain invalid strings.
        o Authenticated HTTP daemon requests incorrect S/Key password.
        o Encrypted connections in progress hang for three minutes after
          loading new security policy.
        o Domain names don't work properly as rule's source and/or
          destination.
        o Cannot handle more than 4K of log formats and domain names.
        o FW-1 fails to operate properly on Solaris 2.x Token Ring
          interface.
        o Broadcast address 255.255.255.255 is not handled correctly.
        o Fwd dumps core after rejecting encryption request (x86 only).
        o GUI accepts illegal object names and fails to compile.
        o Authenticated HTTP daemon sends cryptic messages.
        o Fwinfo command unable to find gzip to compress output.

Patch Installation Instructions:

1. Stop FireWall-1 by executing the following command:

        # /etc/fw/bin/fwstop

2. Execute the installpatch script as follows (supersedes the standard
   instructions which follow this section):

        # ./installpatch

3. Restart FireWall-1 by issuing the following command:

        # /etc/fw/bin/fwstart

Patch Backout Instructions:

1. Stop FireWall-1 by issuing the following command:

        # /etc/fw/bin/fwstop

2. Back out the patch:

        # ./backoutpatch

3. Execute the following commands:

        # /etc/fw/bin/fw putlic -k

   (This step re-installs your FireWall-1 license into the restored
   kernel module image.)

        # /etc/fw/bin/fwconfig

   When in fwconfig, select option 1 to reset group permissions for
   restored files and to install the old kernel module.

4. Restart FireWall-1 by issuing the following command:

        # /etc/fw/bin/fwstart
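The following is an added example, not part of the Sun patch README and not Sun's installpatch script. It wraps the three installation steps above in a preflight that confirms the files listed under "Files included with this patch" are actually present in the unpacked patch directory before FireWall-1 is stopped, so that a truncated or mis-unpacked patch is caught before the firewall is taken down. The FW_BIN variable (defaulting to /etc/fw/bin as in the README), the function names and the patch directory argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the patch README): preflight and install wrapper for
# patch 103338-04. FW_BIN and the fw_patch_* function names are assumptions.

# File list copied from the README's "Files included with this patch" section.
PATCH_FILES="fw fwc fwinfo fwstart fwstop fwui fwcisco fwciscoget fwciscologin \
fwciscoput base.def crypt.def table.def code.def objects.C fwmod.4.1.3.o"

# fw_patch_preflight DIR: report every listed file that is missing from DIR
# (and a missing or non-executable installpatch); return 1 if anything is missing.
fw_patch_preflight() {
    dir=$1
    missing=0
    for f in $PATCH_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    if [ ! -x "$dir/installpatch" ]; then
        echo "missing or not executable: $dir/installpatch" >&2
        missing=1
    fi
    return $missing
}

# fw_patch_install DIR: the README's fwstop / installpatch / fwstart sequence,
# run only after the preflight passes. If installpatch fails, FireWall-1 is
# deliberately left stopped rather than restarted on a half-applied patch.
fw_patch_install() {
    dir=$1
    bin=${FW_BIN:-/etc/fw/bin}
    fw_patch_preflight "$dir" || return 1
    "$bin/fwstop" || { echo "fwstop failed; patch not applied" >&2; return 1; }
    (cd "$dir" && ./installpatch) || {
        echo "installpatch failed; FireWall-1 left stopped" >&2
        return 1
    }
    "$bin/fwstart"
}
```

Run it as `fw_patch_install /path/to/103338-04` from a root shell; the preflight can also be run on its own against the unpacked directory before the maintenance window.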