Title: SEAL
Moderator: GALVIA::SMITH
Created: Mon Mar 21 1994
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 1989
Total number of notes: 8209
1958.0. "First impressions of a new baby" by CHEFS::16.37.11.61::PITT (Gone with the winsock ...) Fri May 16 1997 11:40
Well, I have now (almost!) completed my first real
install of AFWU V3.0, and I thought it was worth
recording some initial reactions ...
Overall, I am very impressed. Congratulations, once
again, to the folks at Galway. This is an impressive
step forward from an already impressive product. There
are, however, a lot of new things to learn, particularly
for someone like me who can never resist configuring
things outside the GUI!!!!
Here are a few potential "gotchas":
1) You absolutely have to have the new DNS. It will not
work without it. Don't be tempted to blow it all away
and set up conventional hidden DNS ... (There's a page
on my WWW site on sector.gmt.dec.com explaining how I
think it works - thanks to Dermot in Galway who
patiently explained it at least three times!)
2) As supplied, the firewall can be at most authoritative
for one domain name, and one reverse lookup domain - I
think. If you want more than that, there is a patch on
the Galway ftp site. (Once again, thanks, Dermot!)
2a) It appears that you cannot fully test DNS until you
are connected to at least the internal network, if you
point to an internal DNS server ... Note also that zone
transfers are only permitted when the request comes from
a machine that is listed in a file called secondaries, or
something like that...
3) There are a couple of bugs with the mail relay as
supplied. One corrupts headers - the symptom is that
"smart" mail clients like Exchange and cc:Mail don't
interpret the headers, but dump them into the body of
the mail message. The other gives protocol errors
occasionally. Both are fixed in a patch on the ftp site.
4) There is apparently a bug in the WWW proxy that will
occasionally corrupt a file - I forget which one. The
patch is on the ftp site.
5) At least if you want authenticated WWW proxy access,
DNS reverse lookup of the client machine must work, as
supplied. If this isn't possible, then put a line in
wwwproxy.conf saying
allowfake=TRUE
6) It was not clear to me that if you want to use the
tunnel that is provided for remote management, you set
up the tunnel and create its keys from inside the firewall
GUI. I'd done it outside, and carefully talked the customer
through it by the time I discovered this!
7) The tunnel kit that's supplied supports "one concurrent
tunnel" - yes, that might be an oxymoron! If you want
more, ensure that the customer buys a Workgroup edition
tunnel server BEFORE the firewall is installed. Then
when you install, install the Workgroup edition Tunnel
Server instead of the one on the firewall CD, and then
install the firewall.
8) Don't remove the /bin directory - it's a link to /usr/bin.
It is fairly fatal to everything. (This is just a dig at
myself - I did a mv * when I was at / instead of somewhere
else, and didn't notice the damage! Mark L had to piece it
all back together from single user ...)
I'm sure there were other things, but I have forgotten them
already. I'm sure I'll post some more things later. At least
there are a number of apparent bugs left that Galway are
looking at for me, and I'm sure you'll hear about them soon.
T
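Item 5 in the note above ties authenticated proxy access to a working reverse lookup of the client. The following is an added sketch, not AFWU code and not part of the original note, of that kind of gate, generalised to a forward-confirmed check. The `allow_fake` parameter is a hypothetical stand-in whose behaviour is an assumption rather than the product's documented semantics, and the DNS records are constructed sample data.

```python
import ipaddress

# Constructed sample DNS data (not from the note): PTR and A records.
PTR = {
    "10.1.2.3": "pc17.example.internal.",
    "10.1.2.4": "www.example.internal.",   # PTR claims a name it does not own
}
A = {
    "pc17.example.internal": ["10.1.2.3"],
    "www.example.internal": ["10.9.9.9"],
}

def reverse_lookup(ip):
    """Stand-in resolver: PTR name for ip, or None if there is no record."""
    return PTR.get(ip)

def forward_lookup(name):
    """Stand-in resolver: list of addresses for name (empty if none)."""
    return A.get(name, [])

def classify_client(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return (status, name): 'confirmed', 'mismatch' or 'no-ptr'."""
    ipaddress.ip_address(ip)          # ValueError on a malformed address
    name = reverse(ip)
    if name is None:
        return ("no-ptr", None)
    name = name.rstrip(".").lower()
    # Forward-confirm: the PTR name must map back to the same address,
    # otherwise whoever controls the reverse zone chooses the client's name.
    if ip not in forward(name):
        return ("mismatch", name)
    return ("confirmed", name)

def admit(ip, allow_fake=False, reverse=reverse_lookup, forward=forward_lookup):
    """Decide whether a client may proceed to authentication.

    allow_fake is hypothetical: here it admits clients whose lookup fails,
    but never hands back a hostname for them, so later rules and log
    entries can only key on the IP address.
    """
    status, name = classify_client(ip, reverse, forward)
    if status == "confirmed":
        return (True, name)
    if allow_fake:
        return (True, None)
    return (False, None)

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.1.2.4", "10.1.2.5"):
        print(ip, classify_client(ip), admit(ip), admit(ip, allow_fake=True))
```

With a relaxation like this switched on, hostname-based access rules no longer constrain such clients, so user authentication and IP-based rules carry the whole decision.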
T.R | Title | User | Personal Name | Date | Lines |
---|
1958.1 | | BIGUN::nessus.cao.dec.com::Mayne | A wretched hive of scum and villainy | Sun May 18 1997 20:35 | 6 |
| Where is this FTP site and directory with the patches?
I looked at sector.gmt.dec.com and couldn't see anything that looked like an
explanation of how DNS works?
PJDM
|
1958.2 | | WOTVAX::16.42.0.41::hattos | I'm back - as a matter of fact | Fri May 23 1997 07:35 | 8 |
| Perhaps Tony hadn't finished putting up the page?
It's there now on
http://sector.gmt.dec.com/firewall/dns/3.html
Cheers
|
1958.3 | wwwproxy bug, patches? | MIPSBX::"[email protected]" | Sebastian L�lsdorf | Thu May 29 1997 09:06 | 15 |
| Hi,
re .0: the wwwproxy corrupted the file
/usr/dfws/config/module.name
(I came across it when the alarms screen on the GUI suddenly complained about
modified files. Fortunately the original file is under /usr/dfws/defaults.)
/var/adm/syslog/reporting.log also looks very strange, I mean even less
human-readable than the other logfiles are, and somewhat reminds me of WWW.
Where are the patches for the wwwproxy?
Sebastian
[Posted by WWW Notes gateway]
|
1958.4 | | EEMELI::EINAMO | | Thu May 29 1997 12:18 | 8 |
| remote management
I had to edit the httpd config file in order to get remote management to work.
Is this right?
The error was "forbidden by rule".
Marko
|
1958.5 | | BIGUN::nessus.cao.dec.com::Mayne | Meanwhile, back on Earth... | Thu Jun 05 1997 03:57 | 13 |
| Something that hasn't changed: the uselessness of gated.
We spent a whole afternoon last week, and a few hours today, trying to get it
working. It would pick up the RIP routes, then make them vanish for no
particular reason. It would define useless routes and refuse to change them. It
did everything except work, so we've now gone back to the tried and true method
of throwing it away and filling in /etc/routes, which we should have done in the
first place.
BTW Tony, good Web page, but could you please remove the animated GIF, it plays
havoc with IE's CPU usage.
PJDM
|
1958.6 | | NCMAIL::SMITHB | | Fri Jun 06 1997 11:18 | 1 |
| Unfortunately, we will need it for OSPF...
|