-
12-18-2002, 09:20 PM #1 Web Hosting Master
HOWTO: Installing Adaptive Firewall from Qube on a RaQ
Get the two firewall RPMS from http://www.cobaltfaqs.com/download/ (the Adaptive Firewall PKG on the Sun download site doesn't seem to untar properly, so I'm posting the actual RPMS from within the PKG) and install them
rpm -ivh phoenix*.rpm
MD5SUM info:
b51161006b586b77891a03931d5ed958 phoenix-1.7-0.i386.rpm
bb36c8070d9f48b077ef7724a1ca5448 phoenix-kmodules-1.0-9.i386.rpm
Note: if you have the SHP patch installed (RaQ 4), you have an older version of the firewall partially installed. Either uninstall it, or use
rpm -ivh --force --nodeps phoenix*.rpm
to get the newer version installed. Not sure what the implications to the existing SHP install are, but as it's currently a security hole and should be uninstalled anyway, it shouldn't be a major problem...
You can verify the RPMs installed properly by doing:
rpm -qa | grep phoenix
Then look in /etc/rc.d/rc3.d and ensure the startup script is there:
ls -alF /etc/rc.d/rc3.d/S*
You should see
S72phoenix
in the list of files.
Start the firewall by doing:
/etc/rc.d/init.d/phoenix start
You'll see this output:
Loading phoenix module...
Using /lib/modules/phoenix/phoenix-1.6.6-2.2.16C32_III.o
Symbol version prefix ''
phoenix-1.6.6-2.2.16C32_III.o successfully loaded.
Starting pafserver: pafserver
Starting thttpd-phoenix: thttpd-phoenix
Starting paflogd: paflogd
Establishing Default Firewalls
Establishing masquerading configuration
error opening file
(this 'error opening file' is due to the RPM thinking it's on a Qube; nothing to worry about that I can tell on a RaQ 4)
Then you need to generate an initial firewall access password:
/etc/phoenix/scripts/initpassphrase
Enter passphrase twice when prompted (it's a temp password, which you'll change in the UI, so just use something like 'test' or whatever)
Then point your browser at the server, port 8181 (www.domain.com:8181 or ip.ad.re.ss:8181) and follow the prompts to bring up the Java UI. (Ignore warning messages for some browsers: it was only QA'd with Internet Exploder 5.5 and 6.0, and Netscape 4.7x. Other browsers should work just fine... I use Konqueror and Mozilla on Linux with no issues)
There's a user manual (PDF) link in the firewall UI to explain how it works, how to set options, etc.
Output from the firewall is in /var/log/phoenix.log
NOTE: It _might_ be possible to lock yourself out of the server, depending on which incoming ports you block.
There is a "Remote Management" section in the UI which, if enabled, will allow you to telnet into the box. Also provides a checkbox to allow Cobalt mgmt (via port 81).
As with any firewall, use care when setting up your rules!
-
12-19-2002, 06:16 PM #2 Web Hosting Master
Turns out this won't work on a RaQ 4 that has the latest -33 kernel upgrade installed. The .so modules that get placed in /lib/modules/phoenix are loaded based on a 'uname -r' in the startup scripts, and there's no phoenix module that matches the newest kernel...
Oh well...
http://www.lamphowto.com/ - LAMP and LAMP+SSL HowTo
http://www.cobaltfaqs.com/ - Cobalt FAQs and HowTos
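A pre-flight check for the two failure points in the posts above, as an added example that is not part of the original thread: it verifies the downloaded RPMs against the posted MD5 sums and confirms that a phoenix module exists for the running kernel before the firewall is started. The function names are hypothetical, and the `phoenix-<version>-<kernel>.o` naming is assumed from the startup output quoted in the first post.

```shell
#!/bin/sh
# Added example: checks to run before "/etc/rc.d/init.d/phoenix start".
# Function names are hypothetical; paths and sums come from the posts above.

# MD5 sums exactly as posted in the HOWTO (md5sum -c format: hash, two spaces, name).
POSTED_SUMS='b51161006b586b77891a03931d5ed958  phoenix-1.7-0.i386.rpm
bb36c8070d9f48b077ef7724a1ca5448  phoenix-kmodules-1.0-9.i386.rpm'

# verify_sums DIR SUMS
# Returns 0 only if every file listed in SUMS exists in DIR and matches its hash.
# A missing file counts as a failure, so a partial download is caught too.
verify_sums() {
    ( cd "$1" 2>/dev/null && printf '%s\n' "$2" | md5sum -c - >/dev/null 2>&1 )
}

# find_module MODDIR KERNEL
# Prints the phoenix module built for KERNEL (normally the output of uname -r)
# and returns 0, or returns 1 if none is present. The startup script picks the
# module the same way, so a miss here means the firewall will not load.
find_module() {
    for f in "$1"/phoenix-*-"$2".o; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Typical use on the server, from the directory holding the RPMs:
#   verify_sums . "$POSTED_SUMS" || echo "RPM checksum mismatch, do not install"
#   rpm -ivh phoenix*.rpm
#   find_module /lib/modules/phoenix "$(uname -r)" \
#       || echo "no phoenix module for kernel $(uname -r), firewall will not start"
```

Running `find_module` after a kernel upgrade and before a reboot shows whether the firewall will still come up on the new kernel.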
-
12-20-2002, 12:35 PM #3 Web Hosting Master
What about the RaQ 3?
-
12-20-2002, 01:33 PM #4 Web Hosting Master
Should work the same on a RaQ 3... I don't have one, though, so I can't actually try it.
-
12-24-2002, 02:59 AM #5 New Member
BruceT,
The latest -33 kernel was also released for the Qube; does that mean the phoenix firewall is broken on that platform?
If not, then can someone with a Qube put up the correct .so files so that it can work with the latest kernel? I am assuming that the latest -33 kernel for the Qube included newer .so files for the firewall product.
-
12-24-2002, 03:33 PM #6 Web Hosting Master
The Qube -33 kernel works ok (for some odd reason), but it's not named the same as on the RaQ (Qube -33 has VPN added).
So the Qube .so won't work on the RaQ...
I'm trying to get in touch with old contacts at Sun and see if I can persuade someone to roll me a new .so for the RaQ...
-
12-29-2002, 12:35 AM #7 Web Hosting Master
I got this to work on a RaQ 4 with the 2.2.16C32_III kernel with Bruce's help and it worked just fine!
-
12-29-2002, 03:08 PM #8 Web Hosting Master
Also, the Adaptive Firewall PKG file from Sun _does_ untar properly; you just have to decrypt it first:
gpg --decrypt filename.pkg > filename.tar.gz
Then
tar zxvf filename.tar.gz
This is true for all "new" (Sausalito-based) PKGs for Qube 3, RaQ 550, and RaQ XTR.