Harley:
This was a FireWall-1 3.0b specific issue. The best way that I found to add
a new interface was to perform an fwstop, plumb the interface, and do an
fwstart. You can then perform an ifconfig on the interface and apply rules as
needed.
When FireWall-1 4.x came out this was not an issue any longer; you can add
interfaces "on-the-fly" without interrupting the FireWall.
Hope that this helps.
hermit1 <[EMAIL PROTECTED]> on 06/07/2000 05:20:19 PM
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
cc: (bcc: James E Clukey/Rush/RSH)
Subject: Re: [FW1] Adding an interface without rebooting
I ran into this last week - when I tried to plumb a new interface on the
quad card, I got frozen out. So I went to the console and did it without
any trouble. Then I did ifconfig; never did stop the firewall to make the
interface active. Of course, there weren't any machines on the new subnet
at the time, so I don't know if FW-1 sent traffic there or not. By the
time they got hosts installed, FW-1 had been restarted so it all worked.
hermit1
At 05:31 PM 6/7/00 -0400, [EMAIL PROTECTED] wrote:
>I am trying to add a new interface on a Solaris box running FW-1 3.0b. When
>trying to plumb the new interface, I was hanging up. Going to Phone boy for
>info, I found the following:
>
>While the FireWall-1 kernel loadable module is installed, it prevents new
>interfaces from coming up. To add a new interface to your FireWall-1 machine
>without rebooting (i.e. to do this as quickly as possible), you will need to
>un-install the kernel loadable module, bring up the new interfaces,
>re-install the kernel loadable module, and reload your security policy.
>
>Warning: Unplug yourself from the network before doing these commands, since
>FireWall-1 will not be able to enforce your security policy at this time.
>
>The commands are:
>
> # fw ctl uninstall
> < Do your ifconfig commands here >
> # fw ctl install
> # fw fetch localhost
>
>My question is, what would be the difference if you just do a fwstop, plumb
>the interface, and do a fwstart again? It seems that this would allow the
>interface to be plumbed without opening up the network, but much faster than
>a reboot. I couldn't find any information on the ctl uninstall/install. Any
>information would be greatly appreciated.
>
>Harley Sanders
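The fw ctl sequence quoted above, wrapped so that the kernel module is always reinstalled and the policy refetched even when plumbing the interface fails, keeping the unprotected window as short as possible. This is an added example, not code from the list or from Check Point; the FW and IFCONFIG variables are assumed names that let the script be dry-run against stubs.

```sh
#!/bin/sh
# Added example: fw ctl uninstall -> ifconfig -> fw ctl install -> fw fetch,
# with the reinstall guaranteed to run after the ifconfig step.
# FW and IFCONFIG are assumed override points (default to the real commands).
FW=${FW:-fw}
IFCONFIG=${IFCONFIG:-ifconfig}

# Reinstall the kernel module and reload the policy; non-zero if either fails.
fw_reinstall() {
    "$FW" ctl install || return 1
    "$FW" fetch localhost || return 1
    return 0
}

# add_interface IFACE ADDR NETMASK
# Exit status: 0 success; 1 plumbing failed but module was reinstalled;
# 2 module could NOT be reinstalled (host still unprotected, act immediately);
# 3 uninstall failed, nothing was changed.
add_interface() {
    iface=$1; addr=$2; mask=$3
    rc=0
    "$FW" ctl uninstall || return 3
    # From here until fw_reinstall returns, no security policy is enforced.
    if ! "$IFCONFIG" "$iface" plumb; then
        rc=1
    elif ! "$IFCONFIG" "$iface" "$addr" netmask "$mask" up; then
        rc=1
    fi
    fw_reinstall || return 2
    return $rc
}
```

Run it as `add_interface qfe1 10.0.0.1 255.255.255.0` (constructed values) and check the exit status before plugging the box back in; status 2 means the module is still uninstalled.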
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================