Bugtraq mailing list archives

Re: Gauntlet 5.0 BSDI warning

From: strange () CULTURAL COM (Strange)
Date: Mon, 18 Oct 1999 12:19:46 -0500


On Mon, 18 Oct 1999, Keith Young wrote:

      This issue will appear if you do the following in sequence:
      1) Install BSDI 3.1
      2) Install Gauntlet 5.0
      3) Install BSDI patch M310-049
      4) Install Gauntlet 5.0 kernel patch level 2


According to the folks we asked at NAI in June about the Gauntlet install
procedure (on all supported OSes), the install order to be used is:

Install OS
Install OS patches
Install Gauntlet
Install Gauntlet patches
never install any OS patches again

Because of that last nasty gotcha, we use a firewall builder box when we
want to "patch" the firewalls.  We then pull the newly-built drives, and
swap them into the extant firewall box.  Lather, rinse, repeat.

SOLUTIONS -
      A) Install M310-049 *before* installing Gauntlet 5.0.


Interestingly, this is what the vendor told us to *always* do, under *all*
circumstances.  I'd say that if you're going to apply vendor patches, you
should assume you have to do a full Gauntlet reinstall because Gauntlet
5.0 replaces some key kernel items.

Gauntlet 5.5 apparently avoids some of these issues by getting in front of
the stack (much like ipf does) rather than replacing kernel code.  OTOH,
Mike Frantzen, in our summer-long "break the firewall"  party, had some
issues with some intentional 5.5 behaviors.  Mike F. again deserves
accolades for his magic ability to decompile code in his head.

              1) # cp /usr/local/sys.gauntlet/i386/OBJ/ip_input.o
/usr/src/sys/i386/OBJ
              2) # sh /usr/local/sys.gauntlet/build_kernel/build_kernel 50.1
              3) # reboot


I.e., a vendor patch replaced code that the gauntlet had already replaced.

I am wondering if this is *really* a Gauntlet bug or a Gauntlet vendor
documentation bug (they do not, as far as we could tell, make it plain
that you should not apply vendor patches after installing the firewall).
We got our clear answer only by calling support.

      -M

Michael Brian Scher (MS683/MS3213)  Anthropologist, Attorney, Policy Analyst
            Mainlining Internet Connectivity for Fun and Profit
   strange () netural com     strange () cultural com     strange () ispfh org
     Give me a compiler and a box to run it, and I can move the mail.

Current thread:

Xerox DocuColor 4 LP D.O.S, (continued)
- - - Xerox DocuColor 4 LP D.O.S Jason Lutz (Oct 13)
  - Security of "Virtual Network Computer" Mikael Olsson (Oct 12)
    - Re: Security of "Virtual Network Computer" Cameron Simpson (Oct 12)
    - Re: Security of "Virtual Network Computer" Dan Foster (Oct 12)
    - Re: Security of "Virtual Network Computer" Luca Berra (Oct 13)
    - Finjan Alert: WinNT.Infis Trojan by way of Tim Wieneke (Oct 13)
    - The old "." problem nblasgen () NICK REFRACT COM (Oct 13)
    - Re: The old "." problem David Zverina (Oct 14)
    - Re: The old "." problem S.Faust (Oct 16)
    - Gauntlet 5.0 BSDI warning Keith Young (Oct 18)
    - Re: Gauntlet 5.0 BSDI warning Strange (Oct 18)
    - Re: Gauntlet 5.0 BSDI warning Keith Young (Oct 18)
    - Email virus on the prowel Albert Hopkins (Oct 19)
    - Another Microsoft Java Flaw Disovered Gary McGraw (Oct 14)
    - Administrivia Elias Levy (Oct 14)
  - SCO OpenServer 5.0.5 cancel overflow Brock Tellier (Oct 12)
- Re: BUG: Win NT TCP/IP Security filters does not get enforced Todd Sabin (Oct 09)
- Re: BUG: Win NT TCP/IP Security filters does not get enforced Bill Stackpole (Oct 12)