Installing Policy was not successful

Stefan
2011-06-15
2013-03-05
  • Stefan
    2011-06-15

    Hi,

    My new firewall is based on OpenBSD 4.9 PF, and currently I was testing installing the firewall policy, but it was not successful.
    I have configured sudo and tested the account by logging in to the firewall using the PuTTY client, which was successful, but when I use fwbuilder to install the policy, the policy can't be installed and executed successfully.

    Below is the error:

    Summary:
    * Running as user : fwadmin
    * Firewall name : chicago
    * Installer uses user name : fwadmin
    * Management address : 172.16.1.215
    * Platform : pf
    * Host OS : openbsd
    * Loading configuration from file D:/testingopenbsd49.fwb

    Installation plan:
    Copy file: D://chicago.conf -> /etc/fw/chicago.conf
    Copy file: D://chicago.fw -> /etc/fw/chicago.fw
    Run script echo '-**-**-'; chmod +x /etc/fw/chicago.fw; sudo -S /etc/fw/chicago.fw && (echo 'Policy activated'; sleep 2; echo)

    Copying D://chicago.conf -> 172.16.1.215:/etc/fw/chicago.conf
    Running command 'C:/FWBuilder423545/pscp.exe -load fwb_session_with_keepalive -pw XXXXXX -q D://chicago.conf fwadmin@172.16.1.215:/etc/fw/chicago.conf'
    SSH session terminated, exit status: 0
    Copying D://chicago.fw -> 172.16.1.215:/etc/fw/chicago.fw
    Running command 'C:/FWBuilder423545/pscp.exe -load fwb_session_with_keepalive -pw XXXXXX -q D://chicago.fw fwadmin@172.16.1.215:/etc/fw/chicago.fw'
    SSH session terminated, exit status: 0
    Running command 'C:/FWBuilder423545/plink.exe -ssh -t -load fwb_session_with_keepalive -pw XXXXXX -v -l fwadmin 172.16.1.215 echo '-**-**-'; chmod +x /etc/fw/chicago.fw; sudo -S /etc/fw/chicago.fw && (echo 'Policy activated'; sleep 2; echo)'
    Looking up host "172.16.1.215"
    Connecting to 172.16.1.215 port 22
    Server version: SSH-2.0-OpenSSH_5.8
    We claim version: SSH-2.0-PuTTY_Release_0.60
    Using SSH protocol version 2
    Doing Diffie-Hellman group exchange
    Doing Diffie-Hellman key exchange with hash SHA-256
    Host key fingerprint is:
    ssh-rsa 2048 fe:8c:b6:5b:ee:d5:ad:27:f8:19:17:3c:04:c6:f6:33
    Initialised AES-256 SDCTR client->server encryption
    Initialised HMAC-SHA1 client->server MAC algorithm
    Initialised AES-256 SDCTR server->client encryption
    Initialised HMAC-SHA1 server->client MAC algorithm
    Using username "fwadmin".
    Keyboard-interactive authentication refused
    Sent password
    Access granted
    Opened channel for session
    -**-**-
    Logged in
    Allocated pty (ospeed 38400bps, ispeed 38400bps)
    Started a shell/command
    Password:
    Have you considered trying to match wits with a rutabaga?
    Un1ted5t4t35
    Password:
    You speak an infinite deal of nothing
    Password:
    Un1ted5t4t35

    Activating firewall script generated Wed Jun 15 11:57:52 2011 by fwadmin
    net.inet.ip.forwarding: 1 -> 1

    # Adding ip address: vic0 172.16.1.80 netmask 0xffffff00
    # Adding ip address: vic0 172.16.1.80 netmask 0xffffffff

    Network error: Software caused connection abort
    FATAL ERROR: Network error: Software caused connection abort
    SSH session terminated, exit status: 1
    Firewall policy installation failed
    ===============================================================================================
    The password is correct, but I don't understand why the installation was not successful.
    The firewall mgmt workstation IP is 172.16.1.22, which is already added in the fwbuilder menu.
    The firewall mgmt interface IP is 172.16.1.215.
    IP address 172.16.1.80 is a NAT IP on the vic0 interface.

    Thank you in advance.

    Stefan

  • Mike Horn
    2011-06-15

    It looks like for some reason Firewall Builder is trying to add the NAT IP twice, but with different netmasks.  Do you have the NAT IP configured as an IP Address object on the firewall's interface?  By default Firewall Builder will add the virtual IP addresses for NAT automatically.  This double configuration may be causing the issue.

    Try either deleting the interface IP object for the NAT IP address OR going into the Firewall Settings -> Script tab and unchecking the option for "Add virtual addresses for NAT".
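The double add of 172.16.1.80 that Mike Horn points at is visible in the install log itself: the same interface and address appear twice with netmasks 0xffffff00 and 0xffffffff. The following script is an added example, not code from the thread or from Firewall Builder; it reads an install log (here a constructed sample built from the "Adding ip address" lines above) and flags any interface/address pair that is added more than once with different netmasks, so the conflict can be caught before the script is run on a firewall whose management address sits on the same interface. The `find_duplicate_addr_adds` name and the `CONFLICT:` output format are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from Firewall Builder): scan a
# Firewall Builder install log for the same interface/address being added
# more than once with different netmasks. Pure POSIX sh, no external tools.

# Constructed sample input: the two "Adding ip address" lines from the
# install log in the question, plus one unrelated address that must be ignored.
SAMPLE_LOG='Activating firewall script generated Wed Jun 15 11:57:52 2011 by fwadmin
net.inet.ip.forwarding: 1 -> 1
# Adding ip address: vic0 172.16.1.80 netmask 0xffffff00
# Adding ip address: vic0 172.16.1.80 netmask 0xffffffff
# Adding ip address: vic1 10.0.0.1 netmask 0xffffff00'

# find_duplicate_addr_adds: read install-log lines on stdin and print one
# CONFLICT line for every interface/address pair that is added again with a
# different netmask. Returns 0 when the log is clean, 1 when a conflict exists.
find_duplicate_addr_adds() {
    seen=""        # space-separated "iface/ip/mask" records seen so far
    status=0
    while IFS= read -r line; do
        case "$line" in
            "# Adding ip address: "*) ;;
            *) continue ;;
        esac
        rest=${line#"# Adding ip address: "}
        set -- $rest                     # iface ip "netmask" mask
        [ "$#" -ge 4 ] && [ "$3" = "netmask" ] || continue
        iface=$1; ip=$2; mask=$4
        prev=""
        for rec in $seen; do
            case "$rec" in
                "$iface/$ip/$mask") ;;                 # identical re-add, not a netmask conflict
                "$iface/$ip/"*) prev=${rec##*/} ;;     # same address, other netmask
            esac
        done
        if [ -n "$prev" ]; then
            printf 'CONFLICT: %s %s added with netmask %s and again with %s\n' \
                "$iface" "$ip" "$prev" "$mask"
            status=1
        fi
        seen="$seen $iface/$ip/$mask"
    done
    return "$status"
}

# Usage: run the check over the sample log (or pipe a saved install log in).
if printf '%s\n' "$SAMPLE_LOG" | find_duplicate_addr_adds; then
    echo "no conflicting address adds found"
else
    echo "install log has conflicting address adds; check the interface IP objects and the 'Add virtual addresses for NAT' setting"
fi
```

On the sample above the check prints one `CONFLICT:` line for vic0 172.16.1.80 and exits 1; the vic1 address is added only once and is ignored. A real log can be saved from the installer output window and piped into the function.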