  1. #1
    Join Date
    Nov 2002
    Location
    Michigan
    Posts
    695

    HOWTO: Installing Adaptive Firewall from Qube on a RaQ

    Get the two firewall RPMS from http://www.cobaltfaqs.com/download/ (the Adaptive Firewall PKG on the Sun download site doesn't seem to untar properly, so I'm posting the actual RPMS from within the PKG) and install them:

    rpm -ivh phoenix*.rpm

    MD5SUM info:

    b51161006b586b77891a03931d5ed958 phoenix-1.7-0.i386.rpm
    bb36c8070d9f48b077ef7724a1ca5448 phoenix-kmodules-1.0-9.i386.rpm

    Note: if you have the SHP patch installed (RaQ 4), you have an older version of the firewall partially installed. Either uninstall it, or use

    rpm -ivh --force --nodeps phoenix*.rpm

    to get the newer version installed. Not sure what the implications to the existing SHP install are, but as it's currently a security hole and should be uninstalled anyway, it shouldn't be a major problem...

    You can verify the RPMs installed properly by doing:

    rpm -qa | grep phoenix

    Then look in /etc/rc.d/rc3.d and ensure the startup script is there:

    ls -alF /etc/rc.d/rc3.d/S*

    You should see

    S72phoenix

    in the list of files.

    Start the firewall by doing:

    /etc/rc.d/init.d/phoenix start

    You'll see this output:

    Loading phoenix module...
    Using /lib/modules/phoenix/phoenix-1.6.6-2.2.16C32_III.o
    Symbol version prefix ''
    phoenix-1.6.6-2.2.16C32_III.o successfully loaded.
    Starting pafserver: pafserver
    Starting thttpd-phoenix: thttpd-phoenix
    Starting paflogd: paflogd
    Establishing Default Firewalls

    Establishing masquerading configuration
    error opening file

    (this 'error opening file' is due to the RPM thinking it's on a Qube; nothing to worry about that I can tell on a RaQ 4)

    Then you need to generate an initial firewall access password:

    /etc/phoenix/scripts/initpassphrase

    Enter passphrase twice when prompted (it's a temp password, which you'll change in the UI, so just use something like 'test' or whatever)

    Then point your browser at the server, port 8181 (www.domain.com:8181 or ip.ad.re.ss:8181) and follow the prompts to bring up the Java UI. (Ignore warning messages for some browsers: it was only QA'd with Internet Exploder 5.5 and 6.0, and Netscape 4.7x. Other browsers should work just fine... I use Konqueror and Mozilla on Linux with no issues)

    There's a user manual (PDF) link in the firewall UI to explain how it works, how to set options, etc.

    Output from the firewall is in /var/log/phoenix.log

    NOTE: It _might_ be possible to lock yourself out of the server, depending on which incoming ports you block.

    There is a "Remote Management" section in the UI which, if enabled, will allow you to telnet into the box. It also provides a checkbox to allow Cobalt mgmt (via port 81).

    As with any firewall, use care when setting up your rules!

  2. #2
    Join Date
    Nov 2002
    Location
    Michigan
    Posts
    695
    Turns out this won't work on a RaQ 4 that has the latest -33 kernel upgrade installed. The .so modules that get placed in /lib/modules/phoenix are loaded based on a 'uname -r' in the startup scripts, and there's no phoenix module that matches the newest kernel...

    Oh well...
    http://www.lamphowto.com/ - LAMP and LAMP+SSL HowTo
    http://www.cobaltfaqs.com/ - Cobalt FAQs and HowTos
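
The rc3.d check from post #1 and the failure described in post #2 (no module for the running kernel), combined into one pre-flight script. This is an added example, not part of the thread or the Cobalt packages; the function names are hypothetical, and the `phoenix-<version>-<kernel release>.o` naming is an assumption inferred from the startup output quoted in post #1.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the Adaptive
# Firewall on a RaQ. Function names are hypothetical.
# Assumption: modules are named phoenix-<version>-<kernel release>.o, as
# inferred from the "Using /lib/modules/phoenix/..." line in the startup output.

# find_phoenix_module MODDIR KREL
# Prints the module built for kernel release KREL; returns 1 if there is none.
find_phoenix_module() {
    moddir=$1
    krel=$2
    for f in "$moddir"/phoenix-*-"$krel".o; do
        # An unmatched glob stays literal, so test that the file exists.
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# phoenix_preflight ROOT [KREL]
# ROOT is a path prefix ("" on the live server); KREL defaults to `uname -r`.
# Returns 0 only if the rc3.d startup entry and a matching module both exist.
phoenix_preflight() {
    root=$1
    krel=${2:-$(uname -r)}
    rc=0
    if [ -e "$root/etc/rc.d/rc3.d/S72phoenix" ]; then
        echo "ok: S72phoenix present in rc3.d"
    else
        echo "FAIL: S72phoenix missing from $root/etc/rc.d/rc3.d"
        rc=1
    fi
    if mod=$(find_phoenix_module "$root/lib/modules/phoenix" "$krel"); then
        echo "ok: module for kernel $krel: $mod"
    else
        echo "FAIL: no phoenix module matches kernel $krel"
        rc=1
    fi
    return $rc
}
```

On the server, call `phoenix_preflight ""` before `/etc/rc.d/init.d/phoenix start`, and again after any kernel update.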

  3. #3
    Join Date
    Aug 2000
    Posts
    2,754
    What about the RaQ 3?

  4. #4
    Join Date
    Nov 2002
    Location
    Michigan
    Posts
    695
    Should work the same on a RaQ 3... I don't have one, though, so I can't actually try it.

  5. #5
    BruceT,

    The latest -33 kernel was also released for the Qube; does that mean the phoenix firewall is broken on that platform?

    If not, then can someone with a Qube put up the correct .so files so that it can work with the latest kernel? I am assuming that the latest -33 kernel for the Qube included newer .so files for the firewall product.

  6. #6
    Join Date
    Nov 2002
    Location
    Michigan
    Posts
    695
    The Qube -33 kernel works ok (for some odd reason), but it's not named the same as on the RaQ (Qube -33 has VPN added).

    So the Qube .so won't work on the RaQ...

    I'm trying to get in touch with old contacts at Sun and see if I can persuade someone to roll me a new .so for the RaQ...

  7. #7
    Join Date
    Mar 2002
    Location
    St. Louis, MO
    Posts
    1,379
    I got this to work on a RaQ 4 with the 2.2.16C32_III kernel with Bruce's help and it worked just fine!

  8. #8
    Join Date
    Nov 2002
    Location
    Michigan
    Posts
    695
    Also, the Adaptive Firewall PKG file from Sun _does_ untar properly; you just have to decrypt it first:

    gpg --decrypt filename.pkg > filename.tar.gz

    Then

    tar zxvf filename.tar.gz

    This is true for all "new" (Sausalito-based) PKGs for Qube 3, RaQ 550, and RaQ XTR.
