This chapter explains how to convert a machine running FireWall-1, Release 2.1 or 3.0, to a machine running SunScreen EFS 3.0, in routing mode.
Topics covered include:
Preparing your FireWall-1 configuration for conversion
Converting FireWall-1 to SunScreen EFS 3.0
SunScreen EFS conversion utility
Generating conversion files
Troubleshooting the fwconvert utility
Creating the configuration
After conversion
Before installing, review the SunScreen EFS 3.0 Release Notes for the latest information about this product.
Before starting the conversion of your FireWall-1 configuration to SunScreen EFS 3.0 operating in routing mode, read this section carefully. Certain limitations must be addressed before you run the conversion utility: if you do not first review your existing FireWall-1 configuration and modify the parts that will not convert directly into SunScreen EFS 3.0 rules, the conversion fails with unrecoverable errors. The following tables list the known limitations.
Prior to converting your FireWall-1 configuration to SunScreen EFS 3.0, check your FireWall-1 configuration files and hand-edit any object names or comments that contain reserved characters, and any object names that are reserved words. Remove or replace each such occurrence before running the conversion utility. See Table 7-1 for the list of known reserved characters.
Table 7-1 Known FireWall-1 Reserved Characters

| | Illegal Characters | Illegal Characters |
|---|---|---|
| String contains | ` ' (space) | `+' |
| | `*' | `?' |
| | `(' | `)' |
| | `{' | `}' |
| | `[' | `]' |
| | `!' | `#' |
| | `<' | `>' |
| | `=' | `,' (comma) |
| | `:' (colon) | `;' (semicolon) |
| | `'' (quote) | ``' (back quote) |
| | `"' (double quote) | `/' (slash) |
| | `\' (back slash) | `\t' (tab) |
Table 7-2 contains a list of known reserved words which must not appear in the FireWall-1 object names, and must be edited prior to conversion:
Table 7-2 Known FireWall-1 Reserved Words

"accept", "expcall", "hosts", "modify", "pass", "set",
"and", "expires", "if", "navy blue", "r_arg", "skippeer",
"black", "firebrick", "ifaddr", "netof", "r_cdir", "src",
"blue", "foreground", "ifid", "nets", "r_cflags", "static",
"broadcasts", "forest", "in", "nexpires", "r_ckey", "sync",
"green", "call", "format", "inbound", "not", "r_connarg",
"targets", "date", "from", "interface", "or", "r_ctype",
"day", "fwline", "interfaces", "orange", "r_entry", "tod",
"define", "fwrule", "ipsecmethods", "origsport", "r_proxy_action", "ufp",
"delete", "gateways", "ipsecdata", "origdst", "r_xlate", "wasskipped",
"do", "gold", "keep", "origsrc", "record", "xlatedport",
"domains", "gray 101", "limit", "other", "red", "xlatedst",
"drop", "log", "outbound", "refresh", "xlatesport",
"dst", "hold", "magenta", "packet", "reject", "xlatesrc",
"dynamic", "host", "medium slate", "packetid", "routers", "xor",
"r_tab_status", "vanish", "direction", "get", "kbuf",
"netobj", "resourceobj", "servobj", "servers", "tracks", "cyan",
"dark green", "dark orchid", "forest green", "medium slate blue", "sienna",
"yellow", "to"
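The following Python script is an added example, not part of the SunScreen documentation or the fwconvert utility. It checks a list of FireWall-1 object names against the reserved characters of Table 7-1 and the reserved words of Table 7-2 so that offending names can be hand-edited before fwconvert is run. The object names it scans are a constructed sample; in practice you would feed it the names taken from your own objects.C file. It compares names against the reserved words case-insensitively, which is an assumption on the cautious side (a name that differs only in case is still flagged).

```python
"""Pre-conversion check of FireWall-1 object names against the characters
of Table 7-1 and the reserved words of Table 7-2 (added example)."""

# Characters from Table 7-1 that must not appear in object names or comments.
RESERVED_CHARS = set(" +*?(){}[]!#<>=,:;'`\"/\\\t")

# Reserved words from Table 7-2 (words listed twice in the table appear once).
RESERVED_WORDS = {w.strip() for w in """
accept, expcall, hosts, modify, pass, set, and, expires, if, navy blue, r_arg,
skippeer, black, firebrick, ifaddr, netof, r_cdir, src, blue, foreground, ifid,
nets, r_cflags, static, broadcasts, forest, in, nexpires, r_ckey, sync, green,
call, format, inbound, not, r_connarg, targets, date, from, interface, or,
r_ctype, day, fwline, interfaces, orange, r_entry, tod, define, fwrule,
ipsecmethods, origsport, r_proxy_action, ufp, delete, gateways, ipsecdata,
origdst, r_xlate, wasskipped, do, gold, keep, origsrc, record, xlatedport,
domains, gray 101, limit, other, red, xlatedst, drop, log, outbound, refresh,
xlatesport, dst, hold, magenta, packet, reject, xlatesrc, dynamic, host,
medium slate, packetid, routers, xor, r_tab_status, vanish, direction, get,
kbuf, netobj, resourceobj, servobj, servers, tracks, cyan, dark green,
dark orchid, forest green, medium slate blue, sienna, yellow, to
""".split(",")}


def check_name(name):
    """Return a list of problems with one object name (empty if it is clean)."""
    issues = []
    bad = sorted({c for c in name if c in RESERVED_CHARS})
    if bad:
        issues.append("reserved characters: " + " ".join(repr(c) for c in bad))
    # Assumption: case-insensitive match, so "Hosts" is flagged as well as "hosts".
    if name.lower() in RESERVED_WORDS:
        issues.append("reserved word")
    return issues


def check_names(names):
    """Map each offending name to its problems; clean names are left out."""
    report = {}
    for name in names:
        issues = check_name(name)
        if issues:
            report[name] = issues
    return report


# Constructed sample of object names, not taken from a real objects.C file.
SAMPLE_NAMES = ["mailhost-INT", "localnet", "skil", "mail host",
                "hosts", "navy blue", "web/proxy", "talon"]

if __name__ == "__main__":
    for name, issues in check_names(SAMPLE_NAMES).items():
        print("%-12s %s" % (name, "; ".join(issues)))
```

Run it once over every object name before starting fwconvert; each reported name must be renamed in the FireWall-1 configuration, and every rule that refers to it updated, or the conversion stops with an unrecoverable error.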
There are known limitations when converting a FireWall-1 configuration to SunScreen EFS 3.0. Certain object types and rules migrate without difficulty, while others do not. The rules that are known not to migrate contain an operation performed on the Source, Destination, or Service in the original FireWall-1 rule; SunScreen EFS 3.0 does not support any of these operations. Table 7-3 lists what is known to migrate and what is known not to migrate when converting from FireWall-1 to SunScreen EFS 3.0.
Table 7-3 What Does and Does Not Convert From FireWall-1

| Does Migrate | Does Not Migrate |
|---|---|
| Host Objects | Resources |
| Group Objects | NAT Mappings |
| Network Objects | Gateway Objects |
| Most Rules | Encryption and Authentication Information/Rules |
| | Domain Objects |
| | Router Objects |
| | Switch Objects |
| | Logical Objects |
| | FW-1 Services or User Defined Services |
| | Install Objects |
| | Rules which contain any Object or Service that cannot migrate |
| | Using an Object Type as an Object Name |
NETWORK is not a supported type in SunScreen EFS 3.0. You must modify objects of this type first, before trying to access the configuration (called a "Policy" in SunScreen EFS 3.0) using the Administration GUI.
The following procedures explain how to install, generate, and run the conversion utility.
Open a terminal window and become root on the FireWall-1 machine, if you are not already.
Insert the SunScreen EFS 3.0 CD-ROM into the CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
Add the software by typing:
For SPARC systems:
# pkgadd -d /cdrom/cdrom0/sparc SUNWfwcnv
For x86 systems:
# pkgadd -d /cdrom/cdrom0/i386 SUNWfwcnv
Continue the installation when prompted by pressing Return.
The various files in SUNWfwcnv are displayed as they are installed. The installation ends with the following message: Installation of SUNWfwcnv was successful.
The SunScreen EFS conversion utility is now installed in /opt/SUNWfwcnv/bin.
The following procedures explain how to generate conversion files.
The fwconvert utility, located in the /opt/SUNWfwcnv/bin directory, is used to generate files that create the SunScreen EFS 3.0 configuration from the original FireWall-1 configuration. The fwconvert utility examines the rules and objects in your FireWall-1 security policy and generates new configuration files with commands for configuring SunScreen EFS 3.0.
fwconvert uses the following FireWall-1 configuration files:
policy.name.W, for FireWall-1, Release 2.1, files
policy.name.pf, for FireWall-1, Release 3.0, files
objects.C, for FireWall-1, Release 2.1 and 3.0 files
where policy.name is either default or the name you have given your policy. These files are located in the /opt/SUNWfw/conf directory.
Verify the location of these files and the name of the policy file (indicated by the .pf or .W extension) before you run fwconvert.
You must run the conversion utility on the FireWall-1 machine, even if you are configuring SunScreen EFS 3.0 on another machine.
Open a terminal window and become root on the FireWall-1 machine, if you are not already.
Run the conversion program by typing:
# /opt/SUNWfwcnv/bin/fwconvert &
fwconvert displays the FW-1 Configuration Convertor dialog box with the default values already inserted, as shown in Figure 7-1.
Type the path name where the FireWall-1 conversion files are located, or accept the default, if appropriate.
Type the name of the policy file you want to convert, if different from the default.
Do not type the .pf or .W extension.
Type the name of the directory where you want to store the new configuration files, or accept the /opt/SUNWfwcnv/output default.
Pull down the Version menu and choose the release number of your FireWall-1 software, or accept the default, if appropriate.
Click Proceed to start the conversion.
fwconvert reads the policy.name.pf (or policy.name.W) file and the objects.C file and generates the files from which the SunScreen EFS configuration is built.
When fwconvert completes successfully, the FireWall-1 Configuration Convertor dialog box displays a DONE button.
Click DONE to exit fwconvert.
Troubleshooting the fwconvert Utility
The following section describes how to troubleshoot the fwconvert utility.
The following conditions can cause the conversion to fail:
You do not have permission to read files in /opt/SUNWfw/conf or the directory you specified as the location of the FireWall-1 configuration files.
You do not have permission to write files into the directory that you specified for storing the results of fwconvert.
The path names that you specified to the Convertor are incorrect.
The policy name that you specified is incorrect.
One of the FireWall-1 configuration files you need to convert is missing.
When fwconvert encounters these conditions, it displays an error message in the FW-1 Convertor dialog box, as shown in Figure 7-2.
When fwconvert cannot parse the configuration data, the error is displayed in the terminal window rather than in the FW-1 Convertor dialog box.
Click the OK bar to clear the error message in the FW-1 Convertor dialog box.
Change permissions on the affected directories, if applicable.
Fill in the corrected information in the fwconvert FW-1 Convertor dialog box, making sure you specify the accurate path names and file names.
Click the Retry button.
When it completes successfully, the FireWall-1 Configuration Converter displays the DONE button.
Click DONE to exit fwconvert.
fwconvert creates a set of files that are used to generate the SunScreen EFS configuration.
Verify the converted Rules.
For more information, see the following section, Verifying the Converted Rules.
After the conversion is complete, the generated configuration files are located in the directory you specified in the FireWall-1 Configuration Converter dialog box, /opt/SUNWfwcnv/output by default. The policy.name_Objects and policy.name_Rules files must reside in the same directory as policy.name_efscfg before you can run the policy.name_efscfg generation program. It is suggested you first examine these files to confirm that the information was correctly converted.
Hand edit the line containing the error.
Restart fwconvert.
See the procedure "To Run the Conversion Utility", if needed.
fwconvert creates three types of files from the FireWall-1 configuration files: command, executable, and log files. See Table 7-4 for a complete list. These files are described below.

Table 7-4 Files Generated by fwconvert

| File Type | File Name | Description |
|---|---|---|
| Data File | policy.name_Objects | Contains the commands for configuring the SunScreen EFS addresses. |
| Data File | policy.name_Rules | Contains the commands for adding SunScreen EFS rules that use the generated objects. |
| Executable Script | policy.name_efscfg | Generates a SunScreen EFS configuration from the commands in policy.name_Objects and policy.name_Rules. |
| Log File | policy.name_Obj.log | Contains the objects from FireWall-1 that are not supported by SunScreen EFS. |
| Log File | policy.name_Rule.log | Contains the rules from FireWall-1 that could not be added. Each rule is shown as a SunScreen EFS rule command with an explanation of why the rule is not supported. |
| Log File | policy.name_Unused.log | Lists the FireWall-1 objects that cannot be used in SunScreen EFS. |
When you create the new SunScreen EFS 3.0 configuration, you run the configuration program, which then executes the command files. You do not need to take further action on the command and executable files.
Examples of the policy.name_Objects file, the policy.name_Rules file, and the policy.name_efscfg file, respectively, follow.

policy.name_Objects:
# The address commands may contain other addresses which need to be created.
# These objects are logged in the policyname_Obj.log file
add_nocheck Address "mailhost-INT" HOST 205.167.60.6 COMMENT "Object from FW-1"
add_nocheck Address "mailhost-EXT" HOST 207.82.121.5 COMMENT "Object from FW-1"
add_nocheck Address "localnet" NETWORK 205.167.60.00 255.255.255.00 COMMENT "Object from FW-1, will need to be modified before using the GUI"
add_nocheck Address "talon" HOST 205.167.60.200 COMMENT "Object from FW-1"
add_nocheck Address "exosecure-alc" HOST 207.82.121.254 COMMENT "Object from FW-1"
save

policy.name_Rules:
add_nocheck Rule "ip all" "*" "*" ALLOW LOG SUMMARY
save

policy.name_efscfg (generated for a policy named 4complex):
#!/bin/csh
# The input redirections below use relative file names, so run this script from the
# directory that holds the generated files; note that PATH also lists "." first.
setenv PATH .:/usr/bin:/usr/sbin:/bin:/opt/SUNWicg/SunScreen/bin
echo Creating Policy: 4complex
ssadm policy -a 4complex
echo Adding Policy Addresses
/opt/SUNWicg/SunScreen/bin/ssadm edit -P 4complex < 4complex_Objects
echo Adding Policy Rules
/opt/SUNWicg/SunScreen/bin/ssadm edit -P 4complex < 4complex_Rules
echo Finished!
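The following Python script is an added example, not part of the SunScreen distribution or the fwconvert output. It performs the examination of the generated files that this section recommends before policy.name_efscfg is run: it parses the add_nocheck Address and add_nocheck Rule commands, lists every NETWORK object together with the first and last address it covers (Table 7-5 notes that these objects must be changed to RANGE objects by hand), and reports rules whose source or destination names an address object that the Objects file does not define. The sample input is constructed from the examples above, with two extra rules added to exercise the checks; no ssadm command syntax beyond what those examples show is assumed, so the script prints the range bounds rather than a replacement command.

```python
"""Sanity-check the policy.name_Objects and policy.name_Rules files that
fwconvert generates, before policy.name_efscfg is run (added example)."""
import ipaddress
import shlex

# Constructed sample input: the generated files shown in this chapter, plus
# two extra rules (one defined and one undefined reference) for the checks.
OBJECTS_TEXT = '''# The address commands may contain other addresses which need to be created.
# These objects are logged in the policyname_Obj.log file
add_nocheck Address "mailhost-INT" HOST 205.167.60.6 COMMENT "Object from FW-1"
add_nocheck Address "mailhost-EXT" HOST 207.82.121.5 COMMENT "Object from FW-1"
add_nocheck Address "localnet" NETWORK 205.167.60.00 255.255.255.00 COMMENT "Object from FW-1, will need to be modified before using the GUI"
add_nocheck Address "talon" HOST 205.167.60.200 COMMENT "Object from FW-1"
add_nocheck Address "exosecure-alc" HOST 207.82.121.254 COMMENT "Object from FW-1"
save
'''
RULES_TEXT = '''add_nocheck Rule "ip all" "*" "*" ALLOW LOG SUMMARY
add_nocheck Rule "smtp" "*" "mailhost-INT" ALLOW LOG SUMMARY
add_nocheck Rule "smtp" "localnet" "skil" ALLOW
save
'''


def parse_ipv4(text):
    """Build an IPv4Address, normalising octets such as "00" that fwconvert
    emits (the ipaddress module rejects leading zeros as ambiguous)."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError("not a dotted quad: %r" % text)
    return ipaddress.IPv4Address(".".join(str(int(o)) for o in octets))


def parse_addresses(text):
    """Return {name: (kind, address, netmask)} from add/add_nocheck Address lines."""
    objs = {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)   # honours quotes, drops # comments
        if len(tok) < 5 or tok[0] not in ("add", "add_nocheck") or tok[1] != "Address":
            continue
        name, kind = tok[2], tok[3]
        if kind == "HOST":
            objs[name] = (kind, parse_ipv4(tok[4]), None)
        elif kind == "NETWORK" and len(tok) >= 6:
            objs[name] = (kind, parse_ipv4(tok[4]), parse_ipv4(tok[5]))
        else:
            objs[name] = (kind, None, None)
    return objs


def parse_rules(text):
    """Return service/src/dst/action for each add/add_nocheck Rule line."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 6 and tok[0] in ("add", "add_nocheck") and tok[1] == "Rule":
            rules.append({"service": tok[2], "src": tok[3],
                          "dst": tok[4], "action": tok[5]})
    return rules


def network_range(addr, mask):
    """First and last address covered by a NETWORK object: the bounds a
    replacement RANGE object has to cover."""
    net = ipaddress.IPv4Network((str(addr), str(mask)), strict=False)
    return str(net.network_address), str(net.broadcast_address)


def audit(objects_text, rules_text):
    """NETWORK objects with their range, and rule endpoints with no object."""
    objs = parse_addresses(objects_text)
    report = {"networks": {}, "undefined": []}
    for name, (kind, addr, mask) in objs.items():
        if kind == "NETWORK":
            report["networks"][name] = network_range(addr, mask)
    for number, rule in enumerate(parse_rules(rules_text), 1):
        for endpoint in (rule["src"], rule["dst"]):
            if endpoint != "*" and endpoint not in objs:
                report["undefined"].append((number, endpoint))
    return report


if __name__ == "__main__":
    result = audit(OBJECTS_TEXT, RULES_TEXT)
    for name, (low, high) in result["networks"].items():
        print("NETWORK object %s covers %s - %s; change it to a RANGE object"
              % (name, low, high))
    for number, name in result["undefined"]:
        print("rule %d refers to undefined address object %s" % (number, name))
```

Read the real files in place of the two constructed strings; an undefined endpoint means either an object that fwconvert logged in policy.name_Obj.log and that must be created by hand, or a rule that belongs in policy.name_Rule.log and should be removed before the script is run.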
The log files describe instances where fwconvert could not directly convert your FireWall-1 policy to an equivalent SunScreen EFS 3.0 policy. After conversion, you should review the contents of the log files to determine further actions that might be necessary for the new SunScreen EFS 3.0 configuration.
The policy.name_Obj.log file lists objects found in your FireWall-1 security policy that were not directly supported in SunScreen EFS 3.0. Table 7-5 lists the FireWall-1 objects and shows whether they were converted to SunScreen EFS.
Table 7-5 How Conversion to SunScreen EFS Affects FireWall-1 Objects

| FireWall-1 Object | EFS Equivalent | Conversion Status |
|---|---|---|
| Host | Host | Yes. |
| Network | None | Yes. Does not appear in the GUI but will show up on the command line. To make them visible in the GUI, manually change the NETWORK objects to RANGE objects via the command line. |
| Router | None | No. See the policy.name_Obj.log file for details. |
| Switch | None | No. See the policy.name_Obj.log file for details. |
| Domain | None | No. See the policy.name_Obj.log file for details. |
| Group | Group | Yes. |
| Gateways | None | No. However, they are logged in the policy.name_Obj.log file. Gateways require more configuration within SunScreen EFS to ensure that the IP addresses of the gateway are correct. See the ss_interfaces man page for more information. |
Following is a sample which shows the policy.name_Obj.log file, similar to the file that you can generate from your FireWall-1 policy.
/***** SunScreen EFS 3.0: Firewall-1 conversion log *****/
/***** @(#)ObjStore.java 3.6 99/03/03 Sun Microsystems, Inc. *****/
Objects of type: gateway, need some user decisions
You had a gateway with name "skil" ipaddr 205.167.60.13
If this is the gateway on which SunScreen is being installed
please refer to the 'ssadm edit' command to enable the interfaces
This file shows rules generated from FireWall-1 rules that cannot be used in the SunScreen EFS environment without modification. The policy.name_Rule.log file explains why these rules were not added to the SunScreen EFS firewall, for example:
Source, Destination, or Installed on objects are of a type not supported by SunScreen EFS 3.0
FireWall-1 Service is of a type not supported by SunScreen EFS 3.0
FireWall-1 Action is not supported by SunScreen EFS 3.0
SunScreen EFS 3.0 does not support FireWall-1 encryption, user authentication, or client authentication. Encryption in SunScreen EFS 3.0 is accomplished through SKIP, as explained in the SunScreen EFS 3.0 Reference Manual. For more information regarding SKIP, see the SunScreen SKIP 1.5 User's Guide.
All FireWall-1 rules are generated during the conversion. You must manually remove any rules that you do not need.
The following shows a sample of a policy.name_Rule.log file such as you might find after FireWall-1 to SunScreen EFS conversion.
/***** SunScreen EFS 3.0: Firewall-1 conversion log *****/
/***** @(#)RuleStore.java 3.5 99/03/03 Sun Microsystems, Inc. *****/
Rule below not added as the action Encrypt is configured differently in SunScreen EFS.
add_nocheck Rule "smtp" "aiims" "*" Encrypt
Rule below not added as the action Encrypt is configured differently in SunScreen EFS.
add_nocheck Rule "echo" "aiims" "*" Encrypt
Rule below not added as the action User Authentication is not valid in SunScreen EFS.
add_nocheck Rule "ftp" "*" "aiims" User
Rule below not added as the action Client Encryption/Authentication is not valid in SunScreen EFS.
add_nocheck Rule "dns" """ "*" Client
The policy.name_Unused.log file lists the FireWall-1 objects encountered in your policy that are not supported by SunScreen EFS, for example:
#Invalid Objects from FW-1
#Wed Mar 31 17:40:23 PST 1999
invalidobj1=gateway skil
The following procedures explain how you prepare for and generate the new SunScreen EFS 3.0 configuration.
Choosing which of the next two procedures to follow depends on whether you plan to run SunScreen EFS 3.0 on the former FireWall-1 machine or on a new machine. Option 1 discusses preparing the FireWall-1 machine to become a SunScreen EFS 3.0 machine. Option 2 discusses preparing a new machine to run the converted FireWall-1 configurations.
Follow only one of the two procedures.

Option 1: Preparing the FireWall-1 machine to become a SunScreen EFS 3.0 machine
Open a terminal window and become root.
Save the existing FireWall-1 configuration files located in the /opt/SUNWfw/conf directory as a backup.
Use the pkgrm command to remove the SUNWfw package by typing:
# pkgrm SUNWfw
Upgrade your operating environment to at least Solaris 2.6, if not already done.
See your Solaris documentation for instructions, if necessary.
Install the additional Solaris packages and kernel packages required as listed in Chapter 2, if not already done.
Prior to installing the SunScreen EFS software, make sure that the machine is performing properly as a router.
Insert the SunScreen EFS 3.0 CD-ROM into the CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
Add the SunScreen EFS software by typing:
# /cdrom/cdrom0/screenInstaller
This command sets up the Initial configuration. It is not equivalent to the FireWall-1 policy. The installation wizard performs the initialization required by SunScreen EFS 3.0.
The SunScreen EFS installation wizard's Welcome window appears. The installation wizard will guide you through the installation process. For more detailed instructions, see Chapter 3.
Reboot the system by typing:
# sync; init 6
Continue to the section, "To Generate the New SunScreen EFS Configuration."
Option 2: Preparing a new machine to run the converted FireWall-1 configuration
Prior to installing the SunScreen EFS software, make sure that the machine is performing properly as a router.
Open a terminal window and become root, if not already.
Upgrade your operating environment to at least Solaris 2.6, if not already done.
See your Solaris documentation for instructions, if necessary.
Install the additional Solaris packages and kernel packages required as listed in Chapter 2, if not already done.
Insert the SunScreen EFS 3.0 CD-ROM into the CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
Copy the generated configuration files to a directory on the new SunScreen EFS 3.0 machine.
Add the SunScreen EFS 3.0 software on the new SunScreen EFS machine by typing:
# /cdrom/cdrom0/screenInstaller
The SunScreen EFS Screen Install's Welcome window appears. The installation wizard will guide you through the installation process. For more detailed instructions, see Chapter 3.
Reboot the new SunScreen EFS machine by typing:
# sync; init 6
Continue to the section, "To Generate the New SunScreen EFS Configuration."
To Generate the New SunScreen EFS Configuration
Open a terminal window and become root, if not already.
Change to the directory where the conversion files were saved and make the policy.name_efscfg file executable by typing:
# chmod 544 policy.name_efscfg
Verify that the commands in the generated file are accurate.
Run the script by typing:
# ./policy.name_efscfg
policy.name_efscfg creates the new SunScreen EFS 3.0 configuration from the converted FireWall-1 configuration files; the result approximates the original FireWall-1 policy but is not identical to it, so review the resulting rules before activating the configuration.
See the SunScreen EFS 3.0 Administration Guide for instructions on activating the configuration.