Title: SEAL
Moderator: GALVIA::SMITH
Created: Mon Mar 21 1994
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 1989
Total number of notes: 8209

Hello,

As I didn't find useful information when I scanned the conference before our recent installation of an ASE Firewall, I am writing these words to help future candidates for this kind of installation ...

From a technical point of view, it works ...
--------------------------------------------

The configuration was two Alpha Server 400s with a BA350, connected by two KZPSAs. We (THE ASE Expert ;-) and me) created a disk service with two floating addresses. I installed AVFW 2.1 on each system and moved /usr/dfws, /var/syslog, /var/wwwproxy_cache and /var/spool/mqueue onto the ASE service mount point. After some customizations in the startup scripts, the solution works fine.

Problems found:

iprsetup -f1 causes some NETWORK PARTITIONING between the two systems. We used iprsetup -s (ipforwarding/ipgateway enabled) with screend for the rejection of packets (pings have to be authorized). The consequence is that the Transparent Gateway for ftp and telnet doesn't work (if engineering (ASE and FW) could do something about that, it would be great).

We need to open the portmap port (121/UDP). Because of this we need to add some filtering at the ISP router.

So, from a security point of view the solution isn't ideal, but it can be delivered when the preceding constraints are accepted by the customer.

Your feedback is welcome.

Cheers,
Stephane

Note: I planned to make a more detailed document on the configuration. I'll advertise this in SEAL ...

T.R: 1802.1 | User: CSC32::D_LOWRY | Date: Wed Feb 26 1997 12:30 | Lines: 19

Hi,

Kevin Carey has been doing this, and in fact I have installed this solution at a customer site. You have to use an alternative flag for iprsetup in the screend startup script (resides in /sbin/init.d). I believe you use f3.

There is a plan for a rollout of this as a product in the near future, as I understand it...

There are a number of gotchas for this besides the screend issue, and I would recommend that it not be sold until the procedure can be completely documented and tested.

Just my thoughts...

Dan Lowry

T.R: 1802.2 | User: QUICHE::PITT | Personal Name: Alph a ha is better than no VAX! | Date: Thu Feb 27 1997 05:15 | Lines: 4

Dan, you can't hurry Kevin along with his write-up, can you? He told us in late January that it was a week away, and we're all holding our breath ... ;-)

T

T.R: 1802.3 | Title: What does the firewall option really mean | User: NNTPD::"[email protected]" | Personal Name: Arturo Lopez | Date: Thu Jun 05 1997 13:38 | Lines: 6

I would like to know what the firewall option in iprsetup really means. Is it needed for transparent proxies?

Arturo

[Posted by WWW Notes gateway]