So yeah. Back in one of my previous jobs, we got a new firewall machine to replace the crappy firewall that was there when I started. After a few months, we got a second machine so I could make a hot-swap firewall box. And I decided to take time to make sure this was set up right, and that I understood what was running on it and why.
Hah.
Fat chance.
Admittedly I'm (a) not an NT person and (b) complicating things by having to run DNS off the NT box, but anyway. This is an approximate account of the problems I had.
This is amusing in itself. I would like a standalone server, fine, but what's all this crap about choosing per-seat licensing or the other kind? I'd imagine it's not applicable if you're doing standalone, in which case it should be asked after they ask you if you're doing PDC, BDC or standalone. But heck, I don't know.
Then we come to driver fun. NT4SP0 (i.e. a raw install) won't find a 3com 10/100 PCI NIC. So, you need floppies. Hope you have (a) a floppy drive and (b) a net-connected machine or drivers with your cards. Also, it failed to recognise my ATI Rage Widgety Bang Splat video card. So I grabbed drivers, and installed them. And it failed to recognise my ATI Rage Widgety Bang Splat video card. So I reinstalled the drivers. And it failed to... you get the idea. Despite the fact that it was happy to apparently install the drivers, it wasn't really installing them. It was going through the motions pretty convincingly, though, even requiring a reboot after it had finished not installing the drivers. The trick, I learned, was to apply SP4, and then install the drivers. Thanks, Microsoft. Or ATI. Whichever.
Incidentally, I didn't have NT drivers for the box because it was supplied by Dell who won't supply a desktop box with NT preloaded. They won't even supply a desktop box with an NT disk cunningly hidden in the packaging. At least, not the desktop box I ordered, anyway.
And all the rebooting. I know, you moved your mouse, reboot. Hah hah. How about: install NT. reboot. finish install. reboot. install service pack 4. reboot. install Y2K patches. reboot. install FW-1. reboot. install FG-1. reboot. install DNS, no reboot, cool. Whoops, forgot to install SNMP. install SNMP. reboot. install SP4. reboot. install Y2K patches. reboot. are we there yet?
Ha ha. Funny guys at Checkpoint. The basic install disks they provided first time around are incompatible with each other - Floodgate wanted a patched-up Firewall to run, but you don't get the patches unless you're an anointed one. Conveniently anointed as I am, this isn't a problem, but really. What's wrong with providing a patches ftp site like the rest of the planet?
In the interests of convenience, I copied all the install CDs onto the local disk. Woah. Firewall 1's installer doesn't like this. It finds some extra products, it seems, and then the installer craps out when you try to install FW-1. Two GPFs, and it keeps on truckin'. So, trash the directory, install from CD. Don't forget to reboot!
Installing Floodgate produced some interesting errors in the Event Log; the errors are caused by something (NT? Event Log? Floodgate?) complaining that it can't find text or something for the error messages, and then adding the error text into the Event Log report. So I'm getting errors from Floodgate reporting that all is well. Go fig. Never mind that the Floodgate control panel is written in Java. Gah. Losers.
Finally, I wanted to copy my firewall setup from the live box. Checkpoint and Phoneboy's FW-1 FAQ have differing opinions on the files you need. Checkpoint say "objects.C and <rulebase>.W". Phoneboy's FW-1 FAQ has a whole rake of stuff, admittedly some of it intended more for total-failure backups rather than cutovers. Colm at Entropy (who trained me) said "to be safe, copy the whole conf directory, and the databases directory too." - again referring to backups. Well, after about an hour, I can tell you that Checkpoint have the "replication" answer, except for one itty bitty detail. There's a file called fwrulebases.fws (I think) which stores the names of all the rulebases your policy manager knows about. Never mind actually looking in the directory; it relies SOLELY on this file for information. Once I'd figured this out, presto, firewall mirror.
Almost.
I left the firewall sitting on a desk, disconnected from the world (IP clashes, dontcha know!), and DOING NOTHING.
I came in the next morning, and there was a message box on the console:

    [Error]
    Event Log is full.    [OK]
I looked in the event log, and FW-1 was busy telling me every so often that "fw_xlate_anticipate" had failed with a stack underflow or something.
Did I mention that it wasn't connected to anything?
Rip and reinstall job. *sigh*
This apparently simple task had caused me at least one full reinstall. Why? Because I'd stupidly followed a guide to stripping down an NT default install to make it secure. Ditching services and suchlike.
BIND, for some reason, would like the LanManWorkstation service, please. Which wants some other services - Adrian suggested RPC - before it's happy. I gave up trying to figure out dependencies (after all, the OS setup is supposed to figure out dependencies FOR you, right?) and ripped and reinstalled.
So. Now that I've got to rip and reinstall anyway, I guess I can progressively stop services until DNS falls over, then I'll know what I can leave out of the next build.
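The lesson of the last three paragraphs is that hardening by switching services off needs the dependency graph in front of you first. As an added illustration (not part of the original post, and PowerShell rather than anything available on NT4), this walks a service's dependency chain and, in the other direction, lists what would break if you disabled a given service; the service names 'named' and 'LanManWorkstation' are assumptions, substitute whatever your DNS server actually registers as.

```powershell
# Added example, not from the original post. Uses only Get-Service and its
# ServicesDependedOn / DependentServices properties, which exist on any
# Windows with PowerShell. Service names passed in are assumptions.

# Walk the chain of services that $Name needs in order to start, so you can
# see which "unused" services are actually load-bearing before stripping them.
function Get-ServiceDependencyChain {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Depth = 0,
        [hashtable]$Seen = @{}      # fresh table per top-level call
    )
    if ($Seen.ContainsKey($Name)) { return }   # skip repeats / cycles
    $Seen[$Name] = $true
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $pad = '  ' * $Depth
    '{0}{1} ({2}) - {3}' -f $pad, $svc.Name, $svc.DisplayName, $svc.Status
    foreach ($dep in $svc.ServicesDependedOn) {
        Get-ServiceDependencyChain -Name $dep.Name -Depth ($Depth + 1) -Seen $Seen
    }
}

# The reverse check: before disabling $Name, list everything that requires it.
# An empty result means nothing registered depends on it (network daemons that
# call into it at runtime, as BIND did here, still won't show up; test those).
function Get-ServiceDependents {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $svc.DependentServices | ForEach-Object { $_.Name }
}

# Usage (service names are assumptions):
Get-ServiceDependencyChain -Name 'named'        # what the DNS server needs
Get-ServiceDependents -Name 'LanManWorkstation' # what breaks if you remove it
```

Run the second check against every service on your "to disable" list, then reboot and exercise the daemons you kept, since registered dependencies only capture start-order requirements, not runtime calls.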
I never did bother with the last step above - I just configured the firewall in a somewhat paranoid fashion and crossed my fingers, since I simply didn't have the resources (read: time, or an assistant to do the other stuff) to research the dependencies. Subsequent to swapping in the new firewall, I encountered a bizarre problem whereby the firewall, though correctly configured and behaving as expected, counted IP addresses from the outside world as if they were internal. Since Firewall-1 is licensed based on the number of IPs it sees, this very quickly blew out the 50-machine license on the firewall and filled up the Event Log with reminders of this fact. I trawled the net and as many firewall geeks as I could lay hands on to sort it out, and eventually gave up and installed an at job to restart the firewall with an empty IP database every three hours. Resource constraints in the IT department are a terrible, terrible thing.
Waider | "None shall pass!" -- The Black Knight |