Sidewinder FAQ

Most Recent Version: G2
(as of: 3/2/2003)

 

Secure Computing Support number: 800-700-8328
Secure Computing Security Library


Questions:

1) How do I boot into administrative mode?
2) My traffic won't pass through the firewall even though everything is set up.
3) I can't create valid user/network groups
4) I enable password authentication and suddenly, all of my traffic stops
5) How do I get Sidewinder to answer for a second address?
6) Secondary DNS on Sidewinder doesn't resolve correctly.
7) How do I get my users to change their authentication password without me doing all the typing?
8) My DEC500XA 10/100 cards don't work correctly; I get an orange light.
9) I get all kinds of "traffic_filter alarm" messages mailed to me.
10) FTP server doesn't work.
11) My /var/log partition fills up every 6 hours or so.
12) My caching proxy server isn't working.
13) Password expiration notification doesn't work for ftp and telnet.
14) UDP doesn't work correctly.
15) SecureID isn't working.
16) Heavy HTTP proxy traffic generates hanging connections.
17) DNS proxies keep locking up.
18) Lost proxy-arps after installing update 4.
19) How do I accept mail for multiple domains?
20) I boned the /bsd kernel during an upgrade, what do I do?
21) Realaudio doesn't work!
22) I want to add more physical memory (RAM).
23) Typing and X cyclically lock up for about 1/2 second.
24) How do I block spam mail?
25) How do I debug sendmail configuration files?
26) How do I flush mail queues when messages are stuck?
27) How do I debug NTP services?
28) Are there netbios performance issues?
29) How do I do backups/restores?
30) How do I use ipfilter?
31) I get a TSW (traceback) error in a pop-up window when working on COBRA.
32) I can ftp through the firewall, but when I do an ls or dir, I get nothing.
33) How do I get Sidewinder to pass the Reply-To field in mail msg headers?
34) How do I run FTP on a port other than 21?
35) I set up a IPSEC tunnel and the internal tcp/ip stack on Sidewinder hangs.
36) I want to define 2 vpn tunnels to different subnets between 2 Sidewinders.
37) How do I pass source addresses through the Sidewinder?
38) My 3com 3C905B cards don't work, why?
39) VPN gossip.
40) SSL error "Source address not valid in source burb."
41) DNS works for an hour or so, then dies until I restart named.
42) How do I upgrade a Sidewinder?
43) I cannot authenticate to an IIS server through Sidewinder.
44) How do I get rid of a generic proxy?
45) How do I update Sidewinder's database (wtcontrol)?
46) Threshold logging doesn't work for UDP ipfilter rules.
47) Again, for UDP ipfilter rules, I can't seem to get 0.0.0.0 to work for object "A."
48) What are my performance limitations?
49) Logging is hard to follow, what can I do?
50) I have SCSI hangs at boot.
51) What is the deal with licensing?
52) What do I do if I lose my password?


Answers:

1) How do I boot into administrative mode?
There are actually several ways to do this. In the COBRA GUI, under "System Administration /Shutdown," you have the option of restarting into Administrative mode. The command line equivalent of this is "shutdown -g now." If you use either of these options, Sidewinder will ALWAYS reboot into Admin mode, which would be VERY BAD for your users. To undo this, use the command line "shutdown -r now," which will cause Sidewinder to always reboot into Operational mode.
The simplest way to restart without tripping any flags is to interrupt the boot when prompted. You will then get a "boot:" prompt; respond "bsd.sw.admin", which is the name of the administrative kernel (manual, p. 3-40).

2) My traffic won't pass through the firewall even though everything is set up.
This could be due to a variety of reasons, but before calling tech support, check a few basic things. First, make sure the proper proxies are enabled. Check to make sure that the enabled proxies are going in the right direction. For example, for outbound WWW traffic, make sure the INTERNAL burb http proxy is enabled (manual, chapter 5).
Now, assuming the proxies are properly set, check your access control list (ACL). Do you have a rule covering the previously mentioned proxy? The proxy service should appear in the ACL column labeled "service." Is the rule enabled? Does it have the proper source and destination groups? Are you using the agent "server" when you should be using "proxy"? Double check your parameters. Another common problem, especially on inbound traffic, is a previous rule that blocks what you wish to let through. By default, there is a "deny in" rule that blocks all inbound traffic. Since the rules are interpreted in the order they appear, any rules appearing after the "deny in" rule which ALLOW inbound traffic will be ignored (manual, chapter 4).
If you are dealing with a third or fourth burb, you may have to deal with another step. The Network Services Sentry (NSS) servers must be enabled on each additional burb. Even if everything else is correct, you will still not get traffic through to your multiple networks without these servers enabled. See the pamphlet regarding Multiple Networks that came with your software.
And AGAIN, for those of you who were not listening in class, bump up the logging (cf acl setloglevel 4), and "tail -f /var/log/audit.asc." This should give you a hint as to which rule is or is not working properly.

3) I can't create valid user/network groups
As of version 3.0, there were problems with deleting group members. If you deleted a group member, you might have problems adding the member back. The workaround is to create a new object and add it to the group.

4) I enable password authentication and suddenly, all of my traffic stops
As of version 3.0, there were problems with authentication. The internal rules which govern traffic passing through the Sidewinder did not know what to do with traffic passing through the internal LAN interface. For some odd reason, this only occurs if authentication is enabled. There should be three rules in the ACL that have "localhost" in their source column. Replace each occurrence of localhost with a network group consisting of two IP addresses: 127.0.0.1 and the IP address of the internal side of Sidewinder.

5) How do I get Sidewinder to answer to a second address?
Do NOT attempt to use proxyarp, even though it seems to work. Use the alias option under ifconfig. Add the following to /etc/host.ifconfig:

#address translation
/sbin/ind ipo1 /sbin/ifconfig ef1 <alias IP> alias
route delete <alias IP>
route add -host <alias IP> 127.1.0.1

This example will cause the external interface (ef1) of Sidewinder to answer to <alias IP> as well as its own External IP. Add an entry for each IP you wish Sidewinder to answer to. Note: from the Sidewinder, you will NOT be able to ping the other IPs you have added. In fact, Sidewinder will complain about the commands. They DO work however. Try pinging the IPs from a machine EXTERNAL to Sidewinder. By contrast, proxyarp will not complain and you can ping other IPs from Sidewinder, but it will NOT work from the outside. Go figure.

6) Secondary DNS on Sidewinder doesn't resolve correctly.
Has a zone transfer from the primary server occurred? Did you increment the serial number on the primary and restart all DNS servers involved? Sometimes, DNS zones will not transfer even though it looks as if they should. In this case, go into the /etc/namedb.x directories and copy any .bak files to new names. Restart the name server (ndc restart). If the .bak files get recreated, zone transfers are occurring. If not, check and make sure you are transferring the correct zones. For example, perhaps the server thinks it is giving you 1.10.in-addr.arpa, the reverse lookups for the 10.1.x.x class B network, while you have your server configured to receive a class C reverse lookup file: 1.1.10.in-addr.arpa. Even though this is a subset of the class B, the domains must match EXACTLY in order for transfer to occur.

7) How do I get my users to change their authentication password without me doing all the typing?
Users can change their own passwords with their browser by going to port 1999 on the firewall. The authentication server may have to be enabled (manual, B-5).

8) My DEC500XA 10/100 cards don't work correctly; I get an orange light.
Fixed as of version 3.1.1 rev B. You must add the string "-link0" for 10MBit or "link0" for 100Mbit cards as follows to /etc/host.ifconfig:

/sbin/ind ip0 /sbin/ifconfig de0 inet 10.1.0.1 -link0 burb 0 netmask 255.255.0.0 link1

This is done automatically in the newer releases of the software. Note: it has been reported that link0 and -link0 functions are occasionally reversed for 10 and 100Mbit connections.

9) I get all kinds of "traffic_filter alarm" messages mailed to me.
If you have NETBIOS enabled over TCP/IP on your internal network, all of those broadcasts are hitting your firewall. They are setting off high traffic alarms. You can ignore them by adding the following lines to /etc/sidewinder/auditbotd.conf:

ignore(0 udp * netbios-ns * *)
ignore(0 udp * netbios-dgm * *)
ignore(0 tcp * netbios-ssn * *)
ignore(0 udp * * * netbios-ns)
ignore(0 udp * * * netbios-dgm)
ignore(0 tcp * * * netbios-ssn)

Note: if you mistype this information, bad things will happen, such as your hard disk filling up with error messages.  Make sure you place these lines near the bottom of the file; if you place them at the top, you will interfere with the definitions section.  Note also that you probably should not ignore EXTERNAL netbios traffic, because you may then fail to log an attack.

10) FTP server doesn't work.
Version 3.1.1 rev B is busted. Look for a fix. Ironically, it worked fine under 3.0.1, but it is currently undergoing security revisions.  Should work at version 3.2.

11) My /var/log partition fills up every 6 hours or so.
There is a UDP proxy memory leak in version 3.1.1 rev B. Eventually, no more memory can be allocated to the proxy, and error messages quickly fill the logging partition. A patch has been released called "Update_2." Until you get it, turn off UDP proxying.

12) My caching proxy server isn't working.
Disable it and save, then enable it and save. Rebooting doesn't work. On version 3.0x, you may get a weird error message in a pop-up window when attempting to start the proxy server. This is the result of an improperly set type enforcement permission on a configuration file. If you look in /var/log/audit.asc, it will tell you which file it is. You need to run a "chtype" command on it so that it has the same type as two other files which have similar names in that directory.

13) Password expiration notification doesn't work for ftp and telnet.
True. What can I say?

14) UDP doesn't work correctly.
You can only specify a range of 1000 ports at a time.

15) SecureID isn't working.
You must use a port higher than 1024, even though that is not the default.

16) Heavy HTTP proxy traffic generates hanging connections.
There is a fix called the "qvc patch." Unsure which version this applies to. Does not apply to 3.2 and above.

17) DNS Proxies keep locking up.
If both the DNS server and the proxy server are running on the same burb, they can conflict.  If you restart the DNS server, the proxy shuts down. Solution: stop, then start the proxy.

18) Lost proxy-arps after installing update 4.
Update 4 (version 3.1.1) overwrites /etc/host.ifconfig, so any proxy-arps that are in that file will be lost. Copy the file first and reinsert the proxy-arps after installing the update.

19) How do I accept mail for multiple domains?
You must do several things.  First, DNS must be set up to route mail for all the domains to the outside address of the firewall.  Next, you must modify the mail routing tables.  They are in the /etc directory, and are named mailertable.mta0 and mailertable.mta1.  At the bottom of /etc/mailertable.mta1, there are two lines:

<your domain>    mfil:<sidewinder>
.<your domain>    mfil:<sidewinder>

This information allows the mail for your domain (as well as any subdomains, represented by the .<your domain>) to be sent from the external mailer (1) to the mail filter (mfil) on the firewall.  Any additional domains must be added here in the same format as the default mail domain.
    We are halfway there.  Now you have to route the mail from your mfilter to your internal mail machine.  In order to do this, edit the bottom of /etc/mailertable.mta0.  You will see:

<your domain>    smtp:<internal mail host>
.<your domain>    smtp:<internal mail host>

Just like before, add:

<your second mail domain>    smtp:<internal mail host>
.<your second mail domain>    smtp:<internal mail host>

This will forward the mail from the firewall to your internal mail host.   Incidentally, this does not have to be the same mail host to which you send your original mail.
    Now one thing remains.  Sendmail uses a hashed database for all of its configuration files.  You must convert the text files to hashed data files.   Use the following commands (one for each textfile):

/usr/sbin/makemap hash /etc/mailertable.mta0.db < /etc/mailertable.mta0
/usr/sbin/makemap hash /etc/mailertable.mta1.db < /etc/mailertable.mta1

Once these commands have been run, you should start receiving mail for your added domains.
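Added example, not from the original FAQ: a small sh script that applies the mailertable steps above for one extra domain. It writes the <domain> and .<domain> pair into both tables (mfil:<sidewinder> in mailertable.mta1, smtp:<internal mail host> in mailertable.mta0), leaves a domain alone if it is already routed, and rebuilds the hashed .db files with the FAQ's makemap command only where makemap is installed. The directory argument, the function names and the sample hostnames are assumptions made for the example; the demo writes into a temporary directory, never into /etc.

```sh
#!/bin/sh
# Added example (not part of the Sidewinder FAQ): route mail for one more
# domain through the two mailertables the FAQ describes.  "dir" stands in for
# /etc so the demo can run on constructed copies of the tables.

# Print the two routing lines for a domain: "<domain><TAB><target>" and
# ".<domain><TAB><target>" (the dotted form covers subdomains).
mailertable_lines() {
    domain=$1; target=$2
    printf '%s\t%s\n.%s\t%s\n' "$domain" "$target" "$domain" "$target"
}

# Append the pair for $2 -> $3 to table $1 unless the domain is already
# routed there (matched on the first field, so a retyped target cannot
# leave two conflicting entries behind).
add_to_mailertable() {
    table=$1; domain=$2; target=$3
    [ -f "$table" ] || : > "$table"
    if awk -v d="$domain" '$1 == d { found = 1 } END { exit !found }' "$table"; then
        echo "$table: $domain is already routed, leaving it alone" >&2
        return 0
    fi
    mailertable_lines "$domain" "$target" >> "$table"
}

# Count the entries (plain plus dotted form) for domain $1 in table $2.
count_domain_entries() {
    domain=$1; table=$2
    awk -v d="$domain" '$1 == d || $1 == "." d { n++ } END { print n + 0 }' "$table"
}

# Route domain $2 via the tables under $1: external mailer (mta1) to the mail
# filter on firewall $3, then the filter (mta0) to internal mail host $4.
add_mail_domain() {
    dir=$1; domain=$2; sidewinder=$3; inthost=$4
    add_to_mailertable "$dir/mailertable.mta1" "$domain" "mfil:$sidewinder"
    add_to_mailertable "$dir/mailertable.mta0" "$domain" "smtp:$inthost"
    # Rebuild the hashed maps with the FAQ's makemap command when it is
    # available; on a machine without sendmail the text tables are still
    # useful to inspect.
    if command -v makemap >/dev/null 2>&1; then
        for t in mta0 mta1; do
            makemap hash "$dir/mailertable.$t.db" < "$dir/mailertable.$t"
        done
    fi
}

# Demo on constructed tables (hostnames are made up for the example).
demo_mailertable() {
    d=$(mktemp -d)
    mailertable_lines example.com mfil:fw.example.com > "$d/mailertable.mta1"
    mailertable_lines example.com smtp:mail.example.com > "$d/mailertable.mta0"
    add_mail_domain "$d" second.example fw.example.com mail.example.com
    add_mail_domain "$d" second.example fw.example.com mail.example.com  # no-op
    cat "$d/mailertable.mta0"
    rm -rf "$d"
}
demo_mailertable
```

Matching on the first field rather than on the whole line is deliberate: if an operator retypes the target for a domain that is already present, sendmail would otherwise see two entries and use whichever the hash map kept, which is hard to debug after the fact.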

20) I boned the /bsd kernel during an upgrade, what do I do?
    Delete the /bsd kernel and reinstall.  It would be a good idea to back up all kernels involved and write down what names go with what kernel.

21) Realaudio doesn't work!
    First of all, make sure you are passing realaudio and not some other audio protocol.  Second, the latest version of realaudio (4.0) is not supported by Sidewinder as of release 3.2.  Patches to update 3 should fix this for realaudio 4.0 and 5.0.

22) I want to add more physical memory (RAM).
   If you upgrade the physical memory without resizing the swap partition, you will not have enough disk to write core dumps.  If you cannot send core dumps to SCC, they will not be able to give you tech support.  What do you do?
    a) Do a level0.backup
    b) Add RAM
    c) Boot from boot diskette
    d) Stick in install diskette, and type RESTORE instead of INSTALL.   This will install from your backup tape.
    Note: if you go above 96MB RAM, you should get more than the standard 2GB of disk space.

23) Typing and X cyclically lock up for about 1/2 second.
    You probably have 10/100 ethernet cards that are not plugged in to a hub or other device.  The cards are trying to determine whether they are 10MBit or 100MBit by probing a non-existent wire.  Either plug them in to a device or change the interface setting from "auto" to 10 or 100.

24) How do I block spam mail?
OPTION 1: Anti-Spamming: Block external to internal email mail from "user@abc.com" and anything from "def.com" (Pam Olsen, SCC support)

  1. Create a file, /etc/sidewinder/sendmail/spammers, of type "mtac:conf" with the following contents:

     user@abc.com

  2. Create a second file, /etc/sidewinder/sendmail/spamdomains, also of type "mtac:conf" with the contents:

     def.com

  3. Edit the /etc/sidewinder/sendmail/sidewinder.1.mc. Search for the line "LOCAL_CONFIG".  There are actually 2 instances of it. Find the second one.   Insert the following lines after the LOCAL_CONFIG line:

    F{Spammer} /etc/sidewinder/sendmail/spammers
    F{SpamDomains} /etc/sidewinder/sendmail/spamdomains

    LOCAL_RULESETS


    Scheck_mail
    R<$={Spammer}>     $#error $@ 5.7.1 $: "551 We don't accept mail From You!!!"
    R<$={Spammer}.>     $#error $@ 5.7.1 $: "551 We don't accept mail From You!!!"
    R$*             $: $>3 $1
    R$*<@$={SpamDomains}.>$*     $#error $@ 5.7.1 $: "551 We don't accept mail From You!!!"
    R$*<@$={SpamDomains}>$*    $#error $@ 5.7.1 $: "551 We don't accept mail From You!!!"
    R$={Spammer} $#error $@ 5.7.1 $: "551 We don't accept mail From You!!!"
    R$={Spammer}. $#error $@ 5.7.1 $: "551 We don't accept mail From You!!!"
  4. Save the above changes, and run config_sendmail. (Always remember if you have made any manual updates to /etc/sendmail.cf.mta<n>, you'll lose them when you run config_sendmail.)
  5. cf server restart sendmail

That should be all you need.  Here is a sample response:

> Date: Thu, 13 Nov 1997 18:58:06 GMT
> From: Mail Delivery Subsystem <MAILER-DAEMON@freenet.msp.mn.us>
> To: farmerie@freenet.msp.mn.us
> Subject: Returned mail: Service unavailable
>
> The original message was received at Thu, 13 Nov 1997 18:57:55 GMT
> from farmerie@freenet [206.8.96.2]
>
> ----- The following addresses had permanent fatal errors -----
> <a@gfy.securecomputing.com>
>
> ----- Transcript of session follows -----
> ... while talking to gfy.securecomputing.com.:
> >>> MAIL From:<farmerie@freenet.msp.mn.us> SIZE=103
> <<< 551 <farmerie@freenet.msp.mn.us>... We don't accept mail from you!
> 554 <a@gfy.securecomputing.com>... Service unavailable

OPTION 2: Anti-Relaying.  Only allow mail destined for /etc/RelayTo domains.

1) Edit the file /etc/sidewinder/sendmail/sidewinder.1.mc and add the following lines under the line right near the end of the file that reads: LOCAL_CONFIG

F{LocalIP} /etc/LocalIP
F{RelayTo} /etc/RelayTo

LOCAL_RULESETS

Scheck_rcpt
# first: get client addr
R$+     $: $(dequote "" $&{client_addr} $) $| $1
R0      $| $* $@ ok
R$={LocalIP}$* $| $*     $@ ok
# not local, check rcpt
R$* $| $*     $: $>3 $2
# remove local part, maybe repeatedly
R$+     $:$>remove_local $1
# still something left?
R$*<@$+>$*     $#error $@ 5.7.1 $: 550 we do not relay

Sremove_local
# remove RelayTo part (maybe repeatedly)
R$*<@$*$={RelayTo}.>$*     $>3 $1 $4
R$*<@$=w.>$*     $: $>remove_local $>3 $1 $3
R$*<@$*>$*     $@ $1<@$2>$3
# dequote local part
R$-     $: $>3 $(dequote $1 $)
R$*<@$*>$*     $: $>remove_local $1<@$2>$3

Remember that in sendmail the white space above separating the left and right hand sides of the rewrite rules is a TAB! This is very important because the rules will not work without it.

2) Create the file /etc/LocalIP and put in lines like the following:

127.1.0.1
127.0.0.1
172.17.161.81
192.168.1.1

where 172.17.161.81 is the external IP address of the SW and 192.168.1.1 is the internal address of the Sidewinder.

3) Create the file /etc/RelayTo and put in lines like the following:

sctc.com
securecomputing.com
otherdomain.com

where these are all of the second level domains that the Sidewinder should accept mail for. The rules are smart enough to accept mail for any hosts or subdomains within those domains.

4) Change the type enforcement of /etc/LocalIP and /etc/RelayTo with the following commands:
chtype mtac:conf /etc/LocalIP
chtype mtac:conf /etc/RelayTo

5) Run "config_sendmail"

6) Run "cf server restart sendmail"
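Added example, not from the original FAQ: the anti-relaying rules above read /etc/LocalIP and /etc/RelayTo verbatim, and a stray "user@" or leading dot in those files silently breaks the checks. This sh script builds both files from arguments and refuses any entry that is not a dotted-quad address (LocalIP) or a bare domain (RelayTo), always including the two loopback addresses the FAQ lists. The output directory, function names and sample values are assumptions for the example; the demo writes into a temporary directory, and the chtype step is only attempted when the target really is /etc on a machine that has chtype, after which config_sendmail and the restart follow as in the FAQ.

```sh
#!/bin/sh
# Added example (not part of the Sidewinder FAQ): produce validated LocalIP
# and RelayTo files for the anti-relay rulesets.  "dir" stands in for /etc.

# Return 0 if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    ip=$1
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Return 0 if $1 is a bare domain: labels of letters, digits and hyphens,
# at least one dot, no leading or trailing dot and no "@".  The relay rules
# already match hosts and subdomains under each entry, so only the domain
# itself belongs in RelayTo.
valid_domain() {
    printf '%s\n' "$1" | grep -Eiq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Write file $1 with one entry per line from the remaining arguments, after
# running each through the validator named in $2.  On the first bad entry
# nothing is written and the existing file (if any) is left untouched.
write_checked_list() {
    out=$1; check=$2; shift 2
    tmp="$out.tmp.$$"
    : > "$tmp"
    for e in "$@"; do
        if ! "$check" "$e"; then
            echo "$out: rejecting entry '$e'" >&2
            rm -f "$tmp"
            return 1
        fi
        printf '%s\n' "$e" >> "$tmp"
    done
    mv "$tmp" "$out"
}

# Build <dir>/LocalIP and <dir>/RelayTo.  Arguments: dir, the firewall's
# external IP, its internal IP, then the domains to accept mail for.
build_relay_files() {
    dir=$1; ext=$2; int=$3; shift 3
    write_checked_list "$dir/LocalIP" valid_ipv4 127.1.0.1 127.0.0.1 "$ext" "$int" || return 1
    write_checked_list "$dir/RelayTo" valid_domain "$@" || return 1
    # The FAQ's type-enforcement step, only on a real Sidewinder target.
    if [ "$dir" = /etc ] && command -v chtype >/dev/null 2>&1; then
        chtype mtac:conf /etc/LocalIP
        chtype mtac:conf /etc/RelayTo
    fi
}

# Demo on a temporary directory with the FAQ's sample addresses and domains.
demo_relay_files() {
    d=$(mktemp -d)
    build_relay_files "$d" 172.17.161.81 192.168.1.1 sctc.com securecomputing.com
    cat "$d/LocalIP" "$d/RelayTo"
    # A mistyped RelayTo entry is rejected; the earlier RelayTo is not replaced.
    build_relay_files "$d" 172.17.161.81 192.168.1.1 'user@abc.com' || echo "bad entry rejected"
    rm -rf "$d"
}
demo_relay_files
```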

25) How do I debug sendmail configuration files?
Run sendmail in address-test mode (-bt) with rewrite tracing (-d21.12) against the configuration file you want to check, then feed it addresses prefixed with the rulesets to apply (3, 1 runs ruleset 3 and then ruleset 1):
/usr/sbin/sendmail -v -d21.12 -bt -Csendmail.cf.mta0
> 3, 1 mje@company.com
> 3, 2 mje@company.com
> 3, 0 mje@company.com

26) How do I flush mail queues when messages are stuck?
cf server stop sendmail
ind mta1 /usr/sbin/sendmail -v -q
ind mta0 /usr/sbin/sendmail -v -q

# to unlock files: the L* files in each queue directory are the lock files
cd /var/spool/mqueue.1
rm L*
cd /var/spool/mqueue.0
rm L*
cf server start sendmail

If there are so many files a "rm *" doesn't remove them try removing 20 at a time:
ls -1 | xargs -t -n 20 rm

If all else fails, reboot.  Machines left running for several weeks often get "stuck" mail which can only be flushed by a reboot (known for ver 3.1.1).

Another option is to use "cf mail flush srcburb=0 destburb=1 map=<mapname>"
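Added example, not from the original FAQ: an sh function that does the lock-file cleanup above without the two failure modes it mentions. It removes only regular files named L* in the top level of the queue directory (qf/df message files and anything nested are never touched), batches the removals so a queue too full for "rm *" still clears, and offers a dry run so you can see what would go before stopping sendmail. The function names and the constructed queue directory are assumptions for the example; the demo runs in a temporary directory, not in /var/spool.

```sh
#!/bin/sh
# Added example (not part of the Sidewinder FAQ): clear stale sendmail lock
# files from a queue directory such as /var/spool/mqueue.0 or mqueue.1.
# Run it only after "cf server stop sendmail", as the FAQ says.

# Print how many lock files (L*) sit in the top level of queue directory $1.
lock_file_count() {
    find "$1" -maxdepth 1 -type f -name 'L*' | wc -l | tr -d ' '
}

# Remove the lock files in $1.  With DRY_RUN=1 only list what would go.
clear_queue_locks() {
    dir=$1
    [ -d "$dir" ] || { echo "no such queue directory: $dir" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        find "$dir" -maxdepth 1 -type f -name 'L*'
        return 0
    fi
    # "-exec rm -f {} +" hands rm as many paths as fit per invocation, so it
    # keeps working on thousands of files, like the FAQ's "xargs -n 20 rm".
    find "$dir" -maxdepth 1 -type f -name 'L*' -exec rm -f {} +
}

# Demo on a constructed queue: three locked messages plus a nested L* file
# that must survive because it is not in the queue's top level.
demo_queue_locks() {
    q=$(mktemp -d)
    for n in 1 2 3; do : > "$q/L$n"; : > "$q/qf$n"; : > "$q/df$n"; done
    mkdir "$q/sub"; : > "$q/sub/Lkeep"
    echo "locks before: $(lock_file_count "$q")"
    clear_queue_locks "$q"
    echo "locks after: $(lock_file_count "$q"), message files left: $(ls "$q" | grep -c '^[qd]f')"
    rm -rf "$q"
}
demo_queue_locks
```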

27) How do I debug NTP services?
    You may be considering just proxying the traffic from internal to external... since you may need to pass real IPs to the external clock, I advise against it.  To pass a tick from the outside to the inside, you need to be a CLIENT on the outside.  The client will take the external "tick" and dump it to the system clock, synching the system clock to the remote timeserver.  You then configure yourself as a SERVER on the inside, and set the clock to type "LOCAL".  The server then reads the system clock that has been synched by the external client, and passes the "tick" to the inside.  This seems to vary from the "standard" implementation of NTP on Unix systems (according to Dave anyway), but the bottom line is that it works.  This can be confirmed in a couple of ways:
TCPdump between the external interface and the remote timeserver:
    tcpdump -n -i ef1 -a -s 2000 host 123.123.123.123
    "Ticks" are logged to /var/log/messages.  There are also two logfiles in /var/log, ntp0 and ntp1; I believe that is where error messages are dumped.

28) Are there netbios performance issues?
    Yes.  High volumes of netbios traffic can impede the performance of the firewall.  It might be a good idea to block netbios traffic at your internal router if possible.

29) How do I do backups/restores?

SIDEWINDER LEVEL0 BACKUP PROCEDURES

  1. Go to the Administrative kernel.  Either type reboot or press ctrl+alt+del.  This will cause the system to reboot; when it is rebooting, interrupt the boot sequence by pressing the F1 key, then press the backspace key. At the prompt type bsd.sw.admin.
  2. At the prompt "Do you want to check and mount all filesystems?" type: N
  3. Once you are in the Administrative Kernel the prompt is now the # sign.  Type mount -a
  4. Insert a DAT tape into the tape drive and wait for the Busy light to stop blinking.
  5. TYPE /etc/backups/level0.backup
  6. When you see a "DUMP IS DONE" message, the backup is done and the tape will eject.
  7. It is good idea to label tape with machine name and date of backup.
  8. Place backup tape in SW backup box.

SIDEWINDER COMPLETE  RESTORE

You will need:

  1. SIDEWINDER INSTALL DISKETTE
  2. SIDEWINDER BOOT DISKETTE
  3. SIDEWINDER LEVEL0 BACKUP TAPE

COMPLETE RESTORE

  1. Restart system from BOOT DISKETTE
  2. Follow on screen instructions

    You will be prompted when to insert INSTALL DISKETTE.  When asked to type INSTALL, type RESTORE: it is case sensitive.  You will be prompted when to insert LEVEL0 BACKUP TAPE.   It will take 15-25 min for the software tape to load.

  3. After system reboots ping in all directions from the firewall

30) How do I use ipfilter?
    Note: this is an undocumented and unsupported feature new in version 3.2!  It is a packet filter which BYPASSES proxy security on Sidewinder.   Use at your own risk!  As of Update_3, ipfilter is incorporated into the cobra GUI under Security Management/IP filter config.
    Use the command ipfilter -l to load the configuration from /etc/sidewinder/ipfilter.conf.  The file contains instructions and examples on how to configure itself.
    PPTP: If you are using the GUI, you must do several things.  First, follow the instructions for configuring the filter for a PPTP client (give it external registered valid IP OR 0.0.0.0 for all clients, use as address B) and the PPTP server (internal invalid private IP, if using NAT.  Use as address A).  Both will use 32 significant bits to specify a host.   Apparently, both source and destination must have the same # of bits, since the filter cannot do many-to-one-mappings.  Make direction = both, protocol = 47.
    Now for the translation: hit the translate button.  You want to map the valid IP destination (external address of the firewall or a proxyarped address) as A, and PPTP server address (internal private IP ) as B.  Protocol = 47, direction = both.
    Now the whacked out part: you must create an external-external redirected proxy for TCP port 1723.  You must also allow the client source addresses through the firewall!  This means editing files by hand as described on the manual on page 5-21.  Allow external->internal sources for the new TCP proxy.
    Note that we have had random luck with PPTP. Sometimes it authenticates and sometimes not. Lots of timeout issues. Sometimes authentication is fast, sometimes slow. Try to sniff network and see what is going on. Make sure PPTP client/server are really working by putting them on direct LAN.

31) I get a TSW error in a pop-up window when working on COBRA.
    Various violations of TE or other databases will cause COBRA to barf without any useful info sent to the user.  If it is a TE violation, the error will show up in the audit.asc file.  Creating proxies can also get you into trouble:
    When a user accidentally creates duplicate proxies, cobra chokes and you can't bring it back up.  Turns out the names are duplicated in the files and you have to hunt through the /etc/sidewinder/*.conf files deleting duplicates.   Cobra should check for duplicates before inserting a new proxy.  Also verify that you do not name your proxy the same name given to that port in the /etc/services file.
    Another error will occur when you are deleting/adding users to the UDB.   If you corrupt the database, you will get TSW errors.  You can try doing a:

If this fails, you may have to restore the database files from a "cf acl query."  Build a file by doing a "cf acl query > <filename>".   Remove the files /var/db/udb/user.dat and user.idx.  Then, rebuild them using "cf -f <filename>."

32) I can ftp through the firewall, but when I do an ls or dir, I get nothing.
    Version 3.2 update3 has a feature called socketmating which causes this.  You can still transfer files (if you can figure out what they are called).  The problem seems to have to do with the fact that data is being transferred too fast, and your client receives signals out of order.
    To get around this, disable socketmating (edit /etc/sidewinder/nss.common.conf, go to line that starts:  pftp...  and add a "-m" to args[]).  Secure also has a patch out, but as of 2/1/98, preliminary results indicate instability.

33) How do I get Sidewinder to pass the Reply-To field in mail msg headers?
Here are the steps to take to alleviate the problem with the FROM line:
In your /etc/sendmail.cf.mta0 and /etc/sendmail.cf.mta1 file around line 700 or so, there are a group of lines that look like:

Msmtp, P=[IPC], F=CmDMuX, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h
Mesmtp, P=[IPC], F=CmDMuXa, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h
Msmtp8, P=[IPC], F=mDMuX8, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h
Mrelay, P=[IPC], F=mDMuXa8, S=11/31, R=61, E=\r\n, L=2040, T=DNS/RFC822/SMTP, A=IPC $h

In the 4 occurrences of "F=<options>", you should add the "F" option. For example, in the above line beginning with Msmtp, change "F=CmDMuX" to "F=CmFDMuX".  Then you would need to stop the sendmail servers and restart them (cf server stop sendmail, then cf server start sendmail).  Keep in mind that if you ever run config_sendmail in the future, you will lose these updates you made to the sendmail.cf files.

34) How do I run FTP on a port other than 21?
It is not possible to do this job with a generic proxy but, way back at Sidewinder 2.1 we patched pftp so that it could run on ports other than (and in addition to) port 21.   Here's how to do it:

  1. I think it has to be done in the admin kernel so, do a 'shutdown -g now'.
  2. Edit /etc/services and add an ftp line for your non-standard port. For example: ftp2 4021/tcp # non-standard ftp proxy
  3. Add an ACL for this new service. The easiest way to do this is probably to use COBRA's "Duplicate" feature and dup the original ftp_out ACL, then modify it. Or, just use cf like this: cf acl add name=ftp2_out pos=14 action=allow agent=proxy authneeded=no \ destburb=external service=ftp2 sourceburb=internal \ comments='Allow ftp access from burb 0 to burb 1 on port 4021'.
  4. Edit /etc/sidewinder/nss.conf.internal and add the new service line (this is just like adding a new entry to /etc/inetd.conf for a UNIX box that uses inetd to launch services): t_proxy(ftp2 0 0 on stream tcp pftp ip_addresses[])
  5. Boot back into the ops kernel and you'll now have two pftp processes: one listening on port 21 and the other on port 4021. Everything should work ok. I can't remember but, it [might be possible to do this in the Ops kernel and then send a SIGHUP to the nss in the burb that you want the proxy to run, Jeff Gieser]

35) I set up an IPSEC tunnel and now the internal TCP/IP stack on Sidewinder hangs.
With Compaq or Celebris, using ISA NICs with IPsec creates packet sizes up around max_mtu, causing the TCP/IP stack to hang. Try using PCI NICs: they invoke a different driver.

36) I want to define 2 VPN tunnels to different subnets between 2 Sidewinders.
   If a second VPN has the same tunnel IP address as the existing one, Sidewinder won't allow you to do this; you will get a message stating that you have duplicate keys even though they are different. There is no solution for this yet; giving the second VPN an alias address doesn't work.  One workaround would be to define the entire IP address space behind each firewall, so that only one VPN would be needed; however, that might mean you have to re-IP a bunch of machines.

37) How do I pass source addresses through the Sidewinder?
   You can pass source addresses for generic proxies and for http and ftp, no others (v 3.2)!  First, close the proxy window if it is open.  Then edit the config file (/etc/sidewinder/proxy/*.conf).  For any UDP proxy, this is pudp.conf.  The following should exist at the beginning of the file:

begin_rules
    use_client_address(src_burb dst_burb)
end_rules

Below this, add:

    use_client_address(internal external)

This example would pass source addresses from the internal burb to the external burb for the given service.
    For TCP proxies, next edit the /etc/sidewinder/nss.common.conf file.   Find the line that begins with
t_proxy_controls (proxyname.  At the end of the line, add -X to the args[], like so: args[-X].
   For UDP, edit the /etc/server.conf file, and add a -X to args[] in the line beginning with server=(udpproxy.
    Now, the book says you should bring up the proxy window, disable the proxy and save, then enable the proxy and save.  That might work, but you might also have to reboot.

38) My 3com 3C905B cards don't work, why?
It should be obvious: Sidewinder does not have drivers for the 3C905B cards, only the 3C905 cards. Switch to Intel EtherExpress.

40) SSL error "Source address not valid in source burb."
    You can only proxy SSL 9119 traffic to non-directly connected SSL servers (eg, Internet routers will work, yours won't).   It is a CERN proxy problem.

41) DNS works for an hour or so, then dies until I restart named.
Check the SOA record of your data file.  It will say:

@ IN SOA <host.domain>   <email.host.domain> (

Make sure <domain> is the domain your records are for.  If it is not, that is what is causing the problem.
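Added example, not from the original FAQ: an sh check for exactly the mismatch described above. It pulls the host and contact names out of the SOA record of a zone file and reports whether both lie inside the zone the file is supposed to serve, so a copied-and-pasted SOA from another domain is caught before named is restarted. The function names and the constructed zone files are assumptions for the example; only the "@ IN SOA <host> <email> (" layout shown in the FAQ (and the equivalent with an explicit zone name) is handled.

```sh
#!/bin/sh
# Added example (not part of the Sidewinder FAQ): verify that a zone file's
# SOA names belong to the zone it serves.

# Print the SOA host and contact names from zone file $1, trailing dots
# removed, separated by a space.  Nothing is printed if there is no SOA.
soa_fields() {
    awk 'toupper($0) ~ /[ \t]SOA[ \t]/ {
             for (i = 1; i <= NF; i++)
                 if (toupper($i) == "SOA") { print $(i+1), $(i+2); exit }
         }' "$1" | sed -e 's/\. / /' -e 's/\.$//'
}

# Return 0 if both SOA names of zone file $1 are $2 or lie under $2,
# 1 if either is outside the zone, 2 if no SOA record was found.
soa_matches_zone() {
    zonefile=$1
    zone=$(printf '%s' "$2" | sed 's/\.$//')
    set -- $(soa_fields "$zonefile")
    [ $# -eq 2 ] || return 2
    for name in "$1" "$2"; do
        case "$name" in
            "$zone"|*."$zone") ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Demo on two constructed zone files for example.com: one correct, one with
# an SOA copied from a different domain.
demo_soa_check() {
    d=$(mktemp -d)
    printf '@ IN SOA ns.example.com. hostmaster.example.com. (\n 2003030201 3600 900 604800 86400 )\n' > "$d/good"
    printf '@ IN SOA ns.other.net. hostmaster.other.net. (\n 2003030201 3600 900 604800 86400 )\n' > "$d/bad"
    for f in good bad; do
        if soa_matches_zone "$d/$f" example.com; then
            echo "$f: SOA names are inside example.com"
        else
            echo "$f: SOA names are outside example.com (this is the problem the FAQ describes)"
        fi
    done
    rm -rf "$d"
}
demo_soa_check
```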

42) How do I upgrade a Sidewinder?
1. cf acl query > /var/log/acl.conf
2. reboot to admin kernel and do a full system backup
3. copy site-specific scripts to /usr/local/bin
4. Insert the upgrade disk and type: tar xvf /dev/fd0
5. /tmp/upgrade backup
6. Insert blank tape and go for it
7. Install new software
8. When done, do NOT reboot.  Rather, type chroot /a sh
9. Put the upgrade disk back in and type: tar xvf /dev/fd0
10. export TERM=ibmpc3
11. /tmp/upgrade restore
12. Reboot to operational kernel and type: cf -f /var/log/acl.conf -u

43) I cannot authenticate to an IIS server through Sidewinder.
    You will not be able to do NTLM through the firewall.  Back off to Basic authentication only (at least for SSL).

44) How do I get rid of a generic proxy?
To delete a previously-added proxy, here's what you want to do:  FOR TCP PROXIES ("proxyname" is the name you gave the proxy, "burbname" steps should be repeated for each "burb" on your Sidewinder, where "burbname" is the name of the burb -- like "internal" or "external"):

1) Quit Cobra.
2) Edit /etc/services to remove the text "proxyname"
3) Edit /etc/sidewinder/nss.common.conf to remove the line with "proxynamep"
4) Edit /etc/sidewinder/nss.common.conf.bak to remove the line with "proxynamep" (if there is one)
5) Edit /etc/sidewinder/nss.conf.burbname to remove the line with "proxyname"
6) Edit /etc/sidewinder/nss.conf.burbname.bak to remove the line with "proxyname" (if there is one)
7) Delete ('rm') /etc/sidewinder/proxy/proxynamep.conf
8) Delete ('rm') /etc/sidewinder/proxy/proxynamep.conf.bak (if it exists)
9) Delete everything in the /var/run/proxy/proxynamep directory ('rm /var/run/proxy/proxynamep/*') NOTE: If you have enabled the proxy, you must reboot into the ADMIN kernel to do this step, since the "sox" file will have been created with a domain type of "Genx" which cannot be removed by the "Admn" domain. (this is NOT true in V3.2, you can delete this in the operational kernel.)
10) Delete ('rmdir') the /var/run/proxy/proxynamep directory
11) Start Cobra.

You should now be able to re-add the "proxyname" proxy (with the correct definitions).

FOR UDP PROXIES (again, "proxyname" is the name you gave the proxy):

1) Quit Cobra.
2) Edit /etc/services to remove the text "proxyname"
3) Edit /etc/sidewinder/proxy/pudp.conf to remove the line containing "proxyname"
4) Start Cobra.
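Added example, not from the original FAQ: the TCP-proxy removal steps above as one sh function, with every path taken relative to a root directory so the demo can run against a constructed copy of the configuration tree instead of a live firewall (on a real Sidewinder the root is "/", Cobra must be quit first, and before V3.2 step 9 still needs the admin kernel, as the FAQ notes). A line is dropped from a file only when it carries the name as a whole word, so removing "ftp2" leaves "ftp20" and "ftp2_out" alone. The function names, the root-directory parameter and the shapes of the sample config lines are assumptions for the example; proxy names are assumed to be plain alphanumeric tokens.

```sh
#!/bin/sh
# Added example (not part of the Sidewinder FAQ): remove a TCP generic proxy
# from the files the FAQ lists, relative to a root directory.

# Delete every line in file $1 that contains $2 as a whole word.  A missing
# file is not an error, since the .bak copies are optional.
drop_lines_with_word() {
    file=$1; word=$2
    [ -f "$file" ] || return 0
    tmp="$file.tmp.$$"
    awk -v w="$word" '
        BEGIN { re = "(^|[^A-Za-z0-9_])" w "($|[^A-Za-z0-9_])" }
        $0 !~ re' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Count the lines under $1/etc that still mention $2 as a whole word.
count_proxy_refs() {
    root=$1; name=$2
    find "$root/etc" -type f -exec cat {} + |
        awk -v w="$name" '
            BEGIN { re = "(^|[^A-Za-z0-9_])" w "($|[^A-Za-z0-9_])" }
            $0 ~ re { n++ } END { print n + 0 }'
}

# Remove proxy $2 from the tree under $1; remaining arguments are the burb
# names (the FAQ's steps 5 and 6 are repeated for each burb).
remove_tcp_proxy() {
    root=$1; name=$2; shift 2
    case "$name" in
        *[!A-Za-z0-9]*|"") echo "bad proxy name: '$name'" >&2; return 1 ;;
    esac
    sw="$root/etc/sidewinder"
    drop_lines_with_word "$root/etc/services" "$name"            # step 2
    drop_lines_with_word "$sw/nss.common.conf" "${name}p"        # step 3
    drop_lines_with_word "$sw/nss.common.conf.bak" "${name}p"    # step 4
    for burb in "$@"; do
        drop_lines_with_word "$sw/nss.conf.$burb" "$name"        # step 5
        drop_lines_with_word "$sw/nss.conf.$burb.bak" "$name"    # step 6
    done
    rm -f "$sw/proxy/${name}p.conf" "$sw/proxy/${name}p.conf.bak" # steps 7, 8
    if [ -d "$root/var/run/proxy/${name}p" ]; then               # steps 9, 10
        rm -f "$root/var/run/proxy/${name}p"/*
        rmdir "$root/var/run/proxy/${name}p"
    fi
}

# Demo on a constructed tree: the proxy "ftp2" from the FAQ's FTP example,
# alongside an unrelated "ftp20" service and an "http" proxy that must stay.
demo_remove_proxy() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/sidewinder/proxy" "$r/var/run/proxy/ftp2p"
    printf 'ftp 21/tcp\nftp2 4021/tcp # non-standard ftp proxy\nftp20 4020/tcp\n' > "$r/etc/services"
    printf 't_proxy_controls(ftp2p args[-X])\nt_proxy_controls(httpp args[])\n' > "$r/etc/sidewinder/nss.common.conf"
    printf 't_proxy(ftp2 0 0 on stream tcp pftp ip_addresses[])\nt_proxy(http 0 0 on stream tcp phttp ip_addresses[])\n' > "$r/etc/sidewinder/nss.conf.internal"
    : > "$r/etc/sidewinder/proxy/ftp2p.conf"
    : > "$r/var/run/proxy/ftp2p/sox"
    echo "ftp2 references before: $(count_proxy_refs "$r" ftp2)"
    remove_tcp_proxy "$r" ftp2 internal external
    echo "ftp2 references after: $(count_proxy_refs "$r" ftp2)"
    cat "$r/etc/services"
    rm -rf "$r"
}
demo_remove_proxy
```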

46) Threshold logging doesn't work for UDP ipfilter rules.
Version 4.0.1 seems to log everything regardless of what you set the threshold to, and logs it to audit.asc.  Probably applies to TCP as well.

47) Again, for UDP ipfilter rules, I can't seem to get 0.0.0.0 to work for object "A."
    True.  4.0.1 seems to not like 0.0.0.0 with 0 sig bits.   Try 128.0.0.0 1 sig bit. 0.0.0.0 will work in the "B" object.

48) What are my performance limitations?
We can tell you this:

49) Logging is hard to follow, what can I do?
Write your own parser, or ask us for logit.pl!

50) I have SCSI hangs at boot.
If you are using a Compaq (Proliant 3000 or similar) with removable hard disks, you may experience problems getting certain makes of drives (like Seagates) to work, even though they come in a Compaq shell.  You must use the exact drive SCC recommends.

51) What is the deal with licensing?
As of version 4.0, you must enter license strings in addition to having software.   To license a feature, you must use the 'cf license' command (use 'man cf_license' for details).

52) What do I do if I lose my password?
Boot into the admin kernel (bsd.sw.admin).  To change the srole password, type 'passwd admin', and you will be prompted for the new password.  To change a UNIX login password, you could do 'passwd <user>', although this may cause problems later as login accounts have both a user database component and a UNIX component, and only one part gets modified.  The best thing to do is create a NEW login account with 'useradd', then boot into operational mode and make things right with COBRA.

DISCLAIMER: This support site is provided as a FREE service to our customers. Every effort is made to ensure it is complete and accurate. However, due to changing versions, typos, different environments, etc. information may be inaccurate for your site. Note that we do not assume responsibility for any problems you might encounter using information provided in these pages. Please inform us of any problems you encounter we will make every effort to correct this information. Thank you.



Copyright 2006, Security Evolution, Inc.