Local users and remote non-trusted users that have routes through the firewall can bypass all Gauntlet Firewall security rules. No activity will appear in the '/var/log/messages' log file and the internal network will be exposed to attack.
Vulnerable systems:
Gauntlet 5.0 BSDI with latest Gauntlet patches
Non vulnerable systems:
Other Gauntlet 5.0 patched systems
Unpatched Gauntlet 5.0 BSDI
This issue appears if you performed the following steps in this sequence:
1) Install BSDI 3.1
2) Install Gauntlet 5.0
3) Install BSDI patch M310-049
4) Install Gauntlet 5.0 kernel patch level 2
Please note:
A) This behavior occurs if the connection is through any adaptive proxy (http-pdk), "old" proxy (http-gw) or no proxy at all (any TCP connection).
B) Packets will not be NATed by the firewall, so to be 100% successful, a route will need to be published to reach your internal network through your firewall.
C) Adding NATs to Gauntlet does not change the packets.
Workaround:
If patching is not possible (although it is highly recommended that you do) you can do any of the following:
A) Install M310-049 before installing Gauntlet 5.0.
B) Workaround - (Doing this may adversely affect your system and may void tech support.)
Do the following as root:
# cp /usr/local/sys.gauntlet/i386/OBJ/ip_input.o /usr/src/sys/i386/OBJ
# sh /usr/local/sys.gauntlet/build_kernel/build_kernel 50.1
# reboot
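As an added example (not part of the advisory and not NAI's or BSDI's code), the POSIX sh functions below give an administrator two quick checks after applying the workaround: that the ip_input.o in the kernel build tree is byte-identical (same cksum CRC and length) to the one Gauntlet ships under /usr/local/sys.gauntlet, and that plain IP forwarding is switched off so traffic has to pass through the proxies. The two object paths are the ones quoted in the workaround above; the sysctl name net.inet.ip.forwarding is an assumption based on 4.4BSD-derived kernels and is not mentioned in the advisory.

```shell
#!/bin/sh
# Added example: sanity checks for a Gauntlet 5.0/BSDI kernel rebuild.
# Object paths come from the advisory's workaround; the sysctl name is an
# assumption (4.4BSD-derived kernels) and may differ on a given BSDI release.

GAUNTLET_OBJ=${GAUNTLET_OBJ:-/usr/local/sys.gauntlet/i386/OBJ/ip_input.o}
KERNEL_OBJ=${KERNEL_OBJ:-/usr/src/sys/i386/OBJ/ip_input.o}

# same_object A B: returns 0 when both files have the same cksum CRC and
# byte length, i.e. the build tree still holds Gauntlet's ip_input.o and not
# the copy an OS patch's "make clean; make" regenerated from patched source.
same_object() {
    a=$(cksum "$1" 2>/dev/null | cut -d' ' -f1,2)   # "crc length"
    b=$(cksum "$2" 2>/dev/null | cut -d' ' -f1,2)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# forwarding_is_off TEXT: TEXT is one line of sysctl output such as
# "net.inet.ip.forwarding = 0" (or "...: 0"). Returns 0 only when the value
# is exactly 0; unknown or missing output is treated as NOT off.
forwarding_is_off() {
    val=$(printf '%s\n' "$1" |
        sed -n 's/^net\.inet\.ip\.forwarding[ =:]*\([0-9]*\).*/\1/p')
    [ "$val" = "0" ]
}

# run_checks: run both checks against the live system and report.
# Exit status 0 only if both pass; intended to be run as root after reboot.
run_checks() {
    rc=0
    if same_object "$GAUNTLET_OBJ" "$KERNEL_OBJ"; then
        echo "ok:   kernel tree ip_input.o matches Gauntlet's object"
    else
        echo "FAIL: $KERNEL_OBJ differs from $GAUNTLET_OBJ (re-copy and rebuild)"
        rc=1
    fi
    if forwarding_is_off "$(sysctl net.inet.ip.forwarding 2>/dev/null)"; then
        echo "ok:   net.inet.ip.forwarding is 0"
    else
        echo "FAIL: IP forwarding is not confirmed off; packets may bypass proxies"
        rc=1
    fi
    return $rc
}

# Only run against the live system when explicitly asked for.
[ "${1:-}" = "--run" ] && run_checks
```

Run it as `sh check_gauntlet_kernel.sh --run` on the firewall; the object comparison is a deliberately strict byte-for-byte match, because a kernel built from a different ip_input.o is exactly the condition the advisory describes.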
How to reproduce: (Technical Details)
Network configuration:
[client]====[firewall]====[WWW/FTP-server]
(internal) (external)
Client/Server: either Win98 or RedHat Linux 6.0, P2-350, 128MB RAM
Firewall: P2-350, 256MB RAM, 10GB hard drive, any BSDI-compatible NIC
All network connections were made via 10baseT crossover cables; however, users can be across hubs or routers.
Listed here are the exact steps needed to reproduce this problem.
1) Install BSDI 3.1, March 1998. Use automatic install, however you may install minimal packages if you wish.
2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
3) Install Gauntlet 5.0.
4) Reboot after installation.
5) Login as root.
6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for external and internal interfaces. If necessary, configure ESPM hosts, DNS settings, and admin users.
7) Quit gauntlet-admin, save changes, and rebuild.
8) After proxies have reconfigured, reboot machine.
9) Since M310-049 is required for Gauntlet kernel patch install, and M310-046 is required for M310-049 installation, download both from: ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/
File info:
M310-046 1194 Kb Wed Oct 14 00:00:00 1998
M310-049 116 Kb Wed Dec 16 00:00:00 1998
Both patches are considered "OK" by the Gauntlet support site: http://www.tis.com/support/bsd31.html
10) Bring machine to single-user mode by executing "kill -term 1".
11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
12) Execute "perl5 M310-049 apply" to install IP DoS fix.
13) Execute "cd /sys/compile/GAUNTLET-V50/".
14) Build new kernel as required by M310-049 IP DoS kernel fix.
# make clean
# make depend
# make
15) After kernel is rebuilt, reboot machine.
16) Download Gauntlet 5.0 kernel and cluster patch:
File info:
cluster.BSDI.patch 12623 Kb Wed Sep 01 19:33:00 1999
kernel.BSDI.patch 414 Kb Wed Aug 04 17:54:00 1999
(Please note: because kernel.BSDI.patch has since been updated, this can no longer be reproduced without the original kernel patch.)
17) As noted in patch install directions, execute the following:
# sh ./cluster.BSDI.patch
# sh ./kernel.BSDI.patch
# cd kernel.BSDI.patch
# sh ./apply
# cd ../cluster.BSDI.patch
# sh ./apply
18) After patches are installed, reboot machine.
19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client machine to trusted network group. Apply changes.
20) Start web browser on client machine. Set web proxy setting to internal interface of firewall. Attempt to connect to external web server. Access is allowed. This behavior is correct.
20) Remove http-gw from trusted network services. Apply changes. Attempt to connect to external web server. Access is denied. This behavior is correct.
==Problem starts here==
21) Remove proxy setting in web browser on client machine. Set gateway/default route on client machine to internal interface of firewall. Set gateway/default route on server machine to external interface of firewall.
22) Clear web browser cache. Attempt to connect to external web server. Web page is downloaded with no logs in Gauntlet.
23) Start ESPM-GUI. Remove all services from trusted networks services. Remove client machine from ESPM network group. Apply changes.
24) FTP from client machine to server. The FTP connection is made even though no rule exists.
25) Start telnet server on client machine. Telnet from server to client. Telnet connection is made.
Future recommendation:
NAI recommends that you always install Gauntlet Firewall in the following manner:
1) Install OS
2) Install OS patches
3) Install Gauntlet
4) Install Gauntlet patches
5) Never install any OS patches again
Because of that last nasty gotcha, they recommend that you use a separate firewall builder box: when you want to "patch" the firewall OS, you patch and rebuild on that box, then pull the newly built drives and swap them into the existing firewall box (with no problem).