Version 3.1
SC31-8418-00
Note: Before using this information and the product it supports, be sure to read the general information under Appendix I, "Notices".
First Edition (May 1997)
This edition applies to the IBM Firewall licensed program. This is a major revision, which replaces the previous editions, SC31-8279 and SC31-8280.
Publications are not stocked at the address given below. If you want more IBM publications, ask your IBM representative or write to the IBM branch office serving your locality.
A form for your comments is provided at the back of this document. If the form has been removed, you may address comments to:
IBM Corporation Department CGM P.O. Box 12195 Research Triangle Park, North Carolina 27709-2195 U.S.A.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Chapter 1. Using the IBM Firewall Command Line Interface
Chapter 2. Using Report Utilities
Chapter 3. Providing Your Own Authentication Methods
Chapter 4. Using Network Management with the IBM Firewall
Chapter 5. Using the Make Key File Utility (MKKF)
Chapter 6. Troubleshooting and Testing
Appendix B. Hardening for AIX System Configuration
Appendix C. SNMP Management Information Base (MIB)
Appendix D. ESP Specification for CDMF
Appendix E. Obtaining Requests for Comments (RFCs)
Appendix F. Creating a Socks Configuration File for AIX
Appendix G. The Crontab Command
This book is intended as a reference for network or system security administrators who install, administer, and use the IBM Firewall Version 3.1 on an AIX/6000. To use client programs such as Telnet or FTP, please see the user's guide for your TCP/IP client programs.
It is important that you have a sound knowledge of TCP/IP and network administration before you install and configure the IBM Firewall. Because you will set up and configure a firewall that controls the access in and out of your network, you must first understand how the network operates. In particular, you need to understand the basics of IP addresses, fully qualified names, and subnet masks.
The IBM Firewall offers a rich variety of functions.
In addition to the command line and SMIT interfaces, the IBM Firewall can be administered through a Java**-based graphical user interface (known as the configuration client). The configuration client allows an administrator to perform remote configuration and administration. To ensure confidentiality and integrity the remote configuration connection can be authenticated using any of several mechanisms and encrypted using Secure Sockets Layer (SSL).
Network Security Auditor is a tool that checks your network for security holes or configuration errors. You will want to periodically verify that the firewall has not been modified in a way that creates a security vulnerability.
By periodically running the Network Security Auditor, you can make sure nothing has changed, especially after you put the firewall on-line.
The Secure Remote Client is software that is installed on a client PC or an AIX workstation offering secure communication. Data sent between a PC and the firewall is encrypted with the 56-bit Data Encryption Standard (DES) and is authenticated. Also because the Secure Remote Client follows IPSec standards, it is interoperable with non-IBM firewalls.
The Secure Remote Client does not tie you to a specific Point-to-Point Protocol (PPP) server. The TCP/IP address that is assigned by your PPP server is irrelevant. You can change PPP server and TCP/IP addresses and it does not affect the operation of the Secure Remote Client. Other vendors are sensitive to the specific TCP/IP address and if you change the address, you must reconfigure your client.
Report Utilities generates files of administrative information that are organized and formatted for easy mapping to relational database tables. These tables help the firewall administrator analyze:
The format of the firewall log record is generally not readable. Using the report utilities, the administrator can create a readable text file of the messages. Additionally, tabulated files can be generated and imported into tables in a relational database system, such as DB2/6000 or DB2/2. The administrator can then use the Structured Query Language (SQL), or other tools like IBM's Visualizer or Query Management Facility, to query the data and generate reports.
Real Time Log Monitor notifies the administrator of a detected threshold condition on a real time basis.
Log Viewer is a tool for viewing logs from the configuration client.
Alerts viewer provides a view of the alerts through an easy-to-read formatted screen.
The IBM Firewall now supports its own Safemail mail gateway. Sendmail 8.7.X has been dropped from the firewall.
Password rules for the firewall now match AIX password rules. The administrator sets passwords to expired, thus requiring users to change passwords on the first use.
Transparent proxy provides easy access from the secure side of the firewall (your private network) to the nonsecure side of the firewall. You can telnet or FTP transparently through the IBM Firewall. Transparent proxies require no firewall authentication, therefore users of transparent proxies do not have to be defined as firewall proxy users.
The filter rules have been enhanced to allow for time-of-day, day, and date selection. For example, you can specify:
permit ftp to IP address between 8:00am and 6:00pm
Or you can restrict the filter validity to a particular day or set of days.
Filter rules allow IP addresses for interfaces (versus secure/nonsecure) to better support multiple interfaces.
Filter storage allocation has been changed from static to dynamic. This allocates less storage than currently required for 512 rules, while allowing the storage to dynamically grow as filters are added.
The filter rules now support hostnames. The filter process has been modified to accept hostnames in addition to IP addresses. The DNS will be contacted to determine the IP address for the first occurrence of a hostname in the filter file. If contact cannot be established with the DNS, a firewall file will be checked to use a pre-defined IP address for the hostname. The file will automatically be updated when the IP address for the host changes at the Domain Name Server.
The Simple Network Management Protocol (SNMP), which is widely used in the TCP/IP environment for network management, can also be used to monitor IBM Firewall server status and generate traps. There are a significant number of SNMP managers existing in customer environments that can be used to monitor the resources and components without introducing the overhead of a management framework and requiring new application programs. Therefore, using SNMP with the IBM Firewall is a natural extension of management of IBM Firewall servers.
A Hypertext Transfer Protocol proxy efficiently handles browser requests and responses through the firewall. Filter rules permit or deny HTTP transactions.
The IBM Firewall continues to provide protection in the event of a hardware failure. Firewall operations are automatically shifted to a backup system. The technology for maintaining business critical applications is called High Availability Cluster Multi Processor (HACMP) for AIX version 4.2. It is the leading high availability technology for UNIX. If a hardware failure occurs, a backup system takes over within seconds to maintain network availability.
You can find more information on HACMP at URL: http://hawww.ak.munich.ibm.com/HACMP/HA-FW/HA-FW.html.
Necessary changes are implemented to support the AIX/6000 SP processor. Installation and hardening steps are enhanced for SP configuration requirements.
A default firewall user, fwdfuser, is created during installation. If a user attempting to log in is not defined to the firewall, the firewall will authenticate the user with the authentication method defined for fwdfuser. This feature supports any user-defined authentication method.
You do not need to be user root to perform administrative functions. Any user designated as a firewall administrator can perform administrative functions. These functions are customizable. You can limit an administrator's authority over specific functions, such as administering proxy users.
The IBM Firewall enables an export version of DES. This encryption is available in addition to the currently supported CDMF.
AIX 4.1.5 and 4.2 are supported, exclusive of the AIX Common Desktop Environment.
The IBM Firewall separate installable components are:
For directions on how to install the Windows 95 Secure Remote Client, refer to the IBM Firewall User's Guide.
To install the PDF version of this manual and the IBM Firewall Reference, download the following files from the fwbooks directory on the IBM Firewall CDROM to your workstation:
Use the Adobe Acrobat** Reader to view these books. If you do not have the Adobe Acrobat Reader installed, go to the Adobe Web site at www.adobe.com/prodindex/acrobat/ to learn more about the Adobe Acrobat Reader and to get a copy.
When you configure your firewall, you will be asked to enter IP addresses. Enter a complete dotted-decimal IP address, with all four octets, in the format:
nnn.nnn.nnn.nnn
where each nnn is a three-digit number in the range 000-255.
When using the configuration client to configure or administer the IBM Firewall, you can click on the Help button to get online help for the menu you are using.
For additional information about security on the Internet, see the Bibliography.
Additional information about the IBM Firewall can be found on the firewall home page at URL http://www.ics.raleigh.ibm.com/firewall.
The IBM Support Center provides you with telephone assistance in problem diagnosis and resolution. You can call the IBM Support Center at any time; you will receive a return call within eight business hours (Monday-Friday, 8:00 a.m.-5:00 p.m., local customer time). The number to call is 1-800-237-5511.
Outside the United States or Puerto Rico, contact your local IBM representative or your authorized IBM supplier.
This chapter discusses commands and command parameters that you can use from an IBM Firewall command line.
The following information applies to the commands:
(secaddr="11.22.33.1 11.22.33.2")
The commands are organized into these categories:
Network address translation (NAT) provides a solution to the IP address depletion problem by allowing addresses inside your secured IP network to be reused by any other IP network.
The NAT configuration file controls the translation of IP addresses in a secured IP address space to IP addresses in an unsecured IP address space. The NAT configuration file can contain up to 512 of the following entries:
RESERVE 195.9.5.0 255.255.255.0 30
TRANSLATE 126.1.2.0 255.255.255.0
EXCLUDE 128.1.2.0 255.255.255.0
MAP 126.1.2.6 195.9.5.6
Note: NAT commands operate on addresses and masks.
fwnat cmd=list | update | verify | shutdown | startlog | stoplog
Performs the indicated operations:
To add a reserve entry to fwnat.cfg:
fwnat cmd=add | change type=reserve addr=Addr mask=Mask [timeout=minutes]
To add a translate entry to fwnat.cfg:
fwnat cmd=add | change type=translate addr=Addr mask=Mask
To add an exclude entry to fwnat.cfg:
fwnat cmd=add | change type=exclude addr=Addr mask=Mask
To add a map entry to fwnat.cfg:
fwnat cmd=add | change type=map secaddr=SecureAddr remaddr=RegisteredAddr
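The four entry types above share one shape (a keyword, then an address and mask, or two addresses for MAP), and the addresses must be complete dotted-decimal quads. The following validator is an added example, not IBM code: it checks a fwnat.cfg text for the entry keywords and the 512-entry limit stated in this section, for well-formed four-octet addresses, and for masks whose ones bits are contiguous. The requirement that a mask be contiguous, the timeout check, and the sample file are this example's own assumptions.

```python
import ipaddress

# Added example (not IBM's code): validate fwnat.cfg entries. Keywords,
# the addr/mask layout and the 512-entry limit follow the reference text;
# the mask-contiguity and timeout checks are assumptions of this example.

MAX_ENTRIES = 512

# Keyword -> accepted number of fields after it. RESERVE takes an optional
# timeout in minutes, so it accepts either 2 or 3 fields.
FIELD_COUNTS = {"RESERVE": (2, 3), "TRANSLATE": (2,), "EXCLUDE": (2,), "MAP": (2,)}


def is_dotted_quad(text):
    """Complete dotted-decimal address: exactly four octets, each 0-255."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def is_contiguous_mask(text):
    """A netmask must be a run of ones followed by zeros (e.g. 255.255.255.0)."""
    if not is_dotted_quad(text):
        return False
    bits = int(ipaddress.IPv4Address(text))
    inverted = (~bits) & 0xFFFFFFFF
    # The complement of a contiguous mask is 2^n - 1, so adding 1 clears every set bit.
    return (inverted & (inverted + 1)) == 0


def validate_fwnat_cfg(text):
    """Return a list of 'line N: problem' strings; an empty list means the file is clean."""
    problems = []
    entries = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries += 1
        fields = line.split()
        keyword, args = fields[0].upper(), fields[1:]
        if keyword not in FIELD_COUNTS:
            problems.append(f"line {lineno}: unknown entry type {fields[0]!r}")
            continue
        if len(args) not in FIELD_COUNTS[keyword]:
            expected = " or ".join(str(n) for n in FIELD_COUNTS[keyword])
            problems.append(f"line {lineno}: {keyword} expects {expected} fields, got {len(args)}")
            continue
        if keyword == "MAP":
            for label, value in zip(("secure address", "registered address"), args):
                if not is_dotted_quad(value):
                    problems.append(f"line {lineno}: bad {label} {value!r}")
        else:
            addr, mask = args[0], args[1]
            if not is_dotted_quad(addr):
                problems.append(f"line {lineno}: bad address {addr!r}")
            if not is_contiguous_mask(mask):
                problems.append(f"line {lineno}: bad mask {mask!r}")
            if keyword == "RESERVE" and len(args) == 3 and not (args[2].isdigit() and int(args[2]) > 0):
                problems.append(f"line {lineno}: timeout must be a positive number of minutes")
    if entries > MAX_ENTRIES:
        problems.append(f"file: {entries} entries exceeds the {MAX_ENTRIES}-entry limit")
    return problems


# Constructed sample: the four entries shown in the text, followed by three
# faulty entries (non-contiguous mask, octet out of range, zero timeout).
SAMPLE_CFG = """\
RESERVE 195.9.5.0 255.255.255.0 30
TRANSLATE 126.1.2.0 255.255.255.0
EXCLUDE 128.1.2.0 255.255.255.0
MAP 126.1.2.6 195.9.5.6
TRANSLATE 10.1.2.0 255.255.0.255
MAP 10.1.2.300 195.9.5.7
RESERVE 195.9.6.0 255.255.255.0 0
"""

if __name__ == "__main__":
    for problem in validate_fwnat_cfg(SAMPLE_CFG):
        print(problem)
```

Run against the sample, the validator reports the last three lines and accepts the four entries taken from this section; fwnat cmd=verify remains the authoritative check on the firewall itself.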
The Domain Name Service (DNS) provides full domain name service to hosts inside the secure network while providing minimal information to hosts outside the secure network. Three domain name servers are required to accomplish this:
fwdns cmd=list | change | delete
Performs the indicated operations:
To list the DNS configuration entry:
fwdns cmd=list
To change the DNS configuration entry:
fwdns cmd=change secdomain=SecureDomainName secaddr=x.x.x.x | "x.x.x.x x.x.x.x x.x.x.x" remaddr=x.x.x.x | "x.x.x.x x.x.x.x x.x.x.x"
fwdns cmd=list
Lists the current DNS configuration.
This command is used to do the daily administrative tasks with the firewall.
fwuser cmd=add|change username=LoginName [fullname="UsersRealName"] [password={yes|no}] [pwdvalue=Password] [level={proxy|admin}] [secshell=SecureShell] [remshell=NonSecureShell] [loclogin=LocalLoginAuthentication] [secftp=SecureFTPauthentication] [remftp=NonSecureFTPauthentication] [secauth=SecureTelnetAuthentication] [remauth=NonSecureTelnetAuthentication] [secip=SecureIPSecClientAuthentication] [remip=NonSecureIPSecClientAuthentication] [secadmin=SecureAdminAuthentication] [remadmin=NonSecureAdminAuthentication] [key="SecureNet Key Code"] [warntime=IdleWarningTime] [disctime=IdleDisconnectTime] [histexpire=HistoryExpiration] [histsize=HistorySize] [loginretries=LoginRetries] [maxage=MaxAge] [maxexpired=MaxExpiredAge] [maxrepeats=MaxRepeatChars] [minalpha=MinAlphaChars] [mindiff=MinDifferentChars] [minlen=MinLength] [minother=MinNonAlphaChars] [pwdwarntime=PasswordWarnTime] [modeallowed=host|none] [fg_all={yes|no}] [fg_addrtrans={yes|no}] [fg_dns={yes|no}] [fg_interfaces={yes|no}] [fg_logmonitor={yes|no}] [fg_logs={yes|no}] [fg_mail={yes|no}] [fg_netobjs1={yes|no}] [fg_netobjs2={yes|no}] [fg_pagers={yes|no}] [fg_proxyserver={yes|no}] [fg_server={yes|no}] [fg_user={yes|no}] [fg_snmp={yes|no}] [fg_traffic={yes|no}] [fg_vpn={yes|no}]
Adds a new user or modifies one or more attributes of an existing firewall user. All parameters either have default values or are unnecessary in certain circumstances. For cmd=add, default values will be stored; for cmd=change, the existing values will be preserved.
Fundamental Parameters
Login Shells
Authentications
Idle Proxy Parameters
Password Rule Parameters
chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=0
Administration Functional Groups
modeallowed indicates the login modes allowed:
To list all attributes of all firewall users or of a single specified firewall user:
fwuser cmd=list [username=username] [type={short|long}]
To remove a user from the firewall:
fwuser cmd=delete username=username
fwadapter cmd=list | change
Performs the indicated operations:
To list the adapters attached to this machine:
fwadapter cmd=list [addr=AdapterAddress]
To set the secure/nonsecure state of the adapter:
fwadapter cmd=change addr=AdapterAddress state={secure|nonsecure}
The firewall command line does not provide an interface to modify the filter configuration. See the IBM Firewall User's Guide for more information on setting up the configuration. The firewall does provide a command line interface to control the configuration that was built with the configuration client.
fwfilters cmd=update | verify | list | shutdown | startlog | stoplog
Performs the indicated operations:
Log file management manages the size of your log and archive files.
The fwlog command adds, modifies and deletes records in the file /etc/syslog.conf and optionally also in the log-file-management config file.
fwlog cmd=add facility=Facility priority=Priority logfile=LogFileName [arcfile=ArchiveFileName logtime=DaysToKeepInLog arctime=DaysToKeepInArchive workspace=WorkspaceDirectory]
Valid values for facility:
Valid values for priority:
The logfile parameter indicates where the syslog entries should be sent. Valid values for logfile are:
Note: Files identified for local1 or local4 should be different from each other and different from the files for any other log facility if firewall features will be used to process these files. It is important that ONLY local4 messages appear in files input to report utilities. No other facility should be directed to the same file as local4 or local1.
The arcfile, logtime, arctime, and workspace parameters are optional, and are only valid when the logfile parameter specifies a file name. All four parameters must be specified if any are specified.
The arcfile parameter must contain a fully qualified path name indicating the file in which archived syslog records will be stored. A valid arcfile name must end in .a.
The logtime parameter indicates how many days a syslog entry will remain in the logfile before being moved to the archive file.
The arctime parameter indicates how many days a syslog record will remain in the archive file before being purged.
The workspace parameter specifies a directory the archiving program should use for temporary work files when archiving syslog files.
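Because fwlog writes the facility/priority/logfile triple into /etc/syslog.conf, the isolation rule in the note above can be checked directly against that file. The checker below is an added example, not part of the IBM Firewall: it reads a syslog.conf text, collects which facilities reach each file destination, and reports any file that receives local4 or local1 together with another facility, a '*' (all facilities) selector, or both local1 and local4 at once. The syslog.conf layout (selector, whitespace, action; ';' between selectors) is the standard one; the sample configuration is constructed.

```python
import re

# Added example, not IBM's code: check that files receiving local4 or local1
# records receive nothing else, as the fwlog note requires. The sample
# configuration below is constructed for this example.

REPORT_FACILITIES = {"local4", "local1"}

SELECTOR_SEP = re.compile(r"\s+")


def parse_syslog_conf(text):
    """Map each file action to the set of facilities whose records reach it.

    A selector such as 'local4.debug;mail.info' lists several facility.priority
    pairs separated by ';'. The '*' facility is kept as-is because it routes
    every facility, local4 included, to that action.
    """
    routes = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = SELECTOR_SEP.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        selector, action = parts
        if not action.startswith("/"):
            continue  # only file destinations are input to the report utilities
        for pair in selector.split(";"):
            facility = pair.split(".", 1)[0]
            routes.setdefault(action, set()).add(facility)
    return routes


def check_report_log_isolation(text):
    """Return one problem string per file that mixes local4/local1 with anything else."""
    problems = []
    for path, facilities in sorted(parse_syslog_conf(text).items()):
        wildcard = "*" in facilities
        mixed = facilities & REPORT_FACILITIES
        if not (wildcard or mixed):
            continue
        others = facilities - REPORT_FACILITIES - {"*"}
        if wildcard:
            problems.append(f"{path}: '*' selector sends every facility into this file")
        elif others:
            problems.append(f"{path}: {sorted(mixed)} shares the file with {sorted(others)}")
        elif len(mixed) > 1:
            problems.append(f"{path}: local1 and local4 must go to different files")
    return problems


# Constructed sample: the first two lines follow the note; the remaining
# lines each break it in a different way.
SAMPLE_CONF = """\
local4.debug        /var/adm/fw.log
local1.debug        /var/adm/fw_alert.log
local4.debug        /var/adm/messages
mail.info           /var/adm/messages
*.emerg             /var/adm/fw_all.log
local1.info;local4.info   /var/adm/fw_both.log
"""

if __name__ == "__main__":
    for problem in check_report_log_isolation(SAMPLE_CONF):
        print(problem)
```

A clean result means every file that will be fed to fwlogtxt or fwlogtbl holds records of one firewall facility only, which is the precondition the report utilities rely on.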
fwlog cmd=change index=Index [facility=Facility] [priority=Priority] [logfile=LogFileName] [arcfile=ArchiveFileName] [logtime=DaysToKeepInLog] [arctime=DaysToKeepInArchive] [workspace=WorkspaceDirectory]
If a change, particularly the initial instance, fails to create a syntactically correct log file (for example, the log file that was created has missing fields), a warning is issued and the Firewall will not log data. If you have a crontab running, remove the crontab entry.
fwlog will maintain both the syslog.conf and the log-file-management config file. To perform logging but no archiving, only the facility, priority, and logfile parameters are required. To disable log archival once it has started, blank out the arcfile, logtime, and arctime parameters. If you have crontab running, remove the crontab entry.
fwlog cmd=list
Lists the current log-file configuration data.
fwlog cmd=delete index=index of entry to delete
Deletes the syslog entry specified by the index number returned for the entry on the fwlog cmd=list command.
fwfschk [cmd={-? | -u | -f}]
Invokes the File System Integrity Checker. See "Testing the Firewall Ports Using fwice" for more information. This utility is run from a crontab; see Appendix G, "The Crontab Command", for more information.
fwice [hosts=HostsFileName] [services=ServicesFileName] [results=ResultsFileName]
Invokes fwice to test the firewall's filter rules.
fwlogmgmt -l or fwlogmgmt -a
Invokes the log file archiver to maintain log facilities that have been configured for archiving.
This chapter discusses using the report utilities of the IBM Firewall. The primary purpose of the report utilities is to generate tabulated files of administrative information from local4 log files.
The utilities also allow the administrator to create a readable text file of the local4 messages. Tabulated text files can be generated and imported into tables in a database system, such as DB2/6000 or DB2/2. The administrator can then use the Structured Query Language (SQL) or other tools like IBM's Visualizer or Query Management Facility to query the data and generate reports.
In addition to processing the firewall log file, the administrator can use the utilities to process the AIX su log file (usually /var/adm/sulog). This file contains information about attempted uses of the AIX su command. Logged-in users use the AIX su command to switch to a different user ID, potentially acquiring greater authority. Both successful and unsuccessful attempts are logged. The result of processing the su log file is a tabulated file that can be imported into a database system.
Report utilities consist of the following programs and files:
To use the report utilities, you should have some knowledge of relational databases and the use of an appropriate relational database product.
The DDL and DML files are specific to the DB2 family, but can be modified for use with other database management systems. DEL format files can be readily imported (loaded) into DB2/6000, DB2/2, and other database and file systems. Their simple format should allow conversion to other formats, if necessary.
This information explains how to use report utilities from the command line and SMIT. Refer to the IBM Firewall for AIX User's Guide for information on using the report utilities from the configuration client.
To view the firewall log file from the command line, use the fwlogtxt utility. See "Generating Messages from the Firewall Log File" for more information. To view the firewall log file in SMIT, select the Create Expanded Text Message File option. See "The SMIT Layout Panel" for more information.
To generate reports based on log information:
Note: The first three steps need to be done once, while the remaining steps are repeated each time new log data is available.
Each entry of the firewall log file has the format:
Date Time firewall_name:year;pid:msg_num;msg_ID;var_1;...;var_n;
where
Note: Do not direct other syslog records to the same file as the Firewall log. Such records will not conform to the format required by the report utilities, and results are not predictable.
Use the command fwlogtxt to generate readable messages from the entries of a firewall log file.
fwlogtxt syntax:

  fwlogtxt

Examples:

  fwlogtxt < fw961031.log > logtxt.out
  fwlogtxt < fw961031.log | grep ICA31
  tail -f /var/adm/messages | fwlogtxt
There are no parameters for fwlogtxt; it takes information from the standard input and puts results to the standard output.
Note that the second example filters the output to show full text of only those messages that start with 'ICA31'. Additional kinds of filtering can be done using standard AIX facilities or user-provided scripts/programs. The third example of invocation (tail -f) permits dynamic monitoring of an active log and could also be filtered.
Use the command fwar2asc to extract the named files from an archive library file into an ASCII file. The resulting ASCII file can be used as input for both fwlogtxt and fwlogtbl. The archive library file is assumed to be in the format generated by Log File Management (the fwlogmgmt command); that is, the archived logs are compressed and end in '.Z'.
fwar2asc syntax:

  fwar2asc [-f OutFile] ArchiveFile LogName

Examples:

  fwar2asc -f myFwLog myFwLogs.a 961113fwLog.Z
  fwar2asc myFwLogs.a 961113fwLog.Z
Use the command fwlogtbl to create, write over, or append to the tabulated files from which the user can populate the database tables for report generation.
The parameters include:
-w, -a, and -su are parameter options
In addition to producing the *.tbl files, fwlogtbl will write a message to standard out the first time it encounters any ICA message number it is not prepared to map to the database from each log it processes.
fwlogtbl syntax:

  fwlogtbl -w | -a [-d OutDir] [-su] LogName

Example:

  fwlogtbl -a -d /u/tai/fw/reports fw961031.log
The output file names are predefined but can be copied or renamed after running fwlogtbl. The output files have delimited ASCII (DEL) file format, with no character string delimiters, and use semicolon (;) as the column delimiters.
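The record layout given in "Each entry of the firewall log file has the format", the ICA-prefix filtering shown with grep in the fwlogtxt examples, and the semicolon-delimited DEL output described for fwlogtbl can be illustrated together. The program below is an added example and not the IBM fwlogtxt or fwlogtbl code: it parses records of the documented shape, rejects lines that do not conform (the foreign-syslog case the notes warn about), selects records by message-ID prefix, and emits DEL rows keyed by log file name and line number. The sample records, the assumption that Date is a two-token syslog date such as 'Oct 31', and the ordering of the output columns are this example's own.

```python
import re
from dataclasses import dataclass, field

# Added example, not the IBM report utilities: parse firewall log records of
# the documented shape
#   Date Time firewall_name:year;pid:msg_num;msg_ID;var_1;...;var_n;
# filter them by message-ID prefix, and produce semicolon-delimited rows.
# The sample log and the 'Oct 31 10:22:01' Date/Time shape are assumptions.

RECORD_RE = re.compile(
    r"^(?P<date>\S+\s+\S+)\s+(?P<time>\S+)\s+"   # Date (e.g. 'Oct 31') and Time
    r"(?P<firewall>[^:\s]+):(?P<year>\d{4});"    # firewall_name:year;
    r"(?P<pid>\d+):(?P<msg_num>\d+);\s*"         # pid:msg_num;
    r"(?P<msg_id>ICA\d+[a-z]?);"                 # msg_ID;
    r"(?P<vars>.*)$"                             # var_1;...;var_n;
)


@dataclass
class LogRecord:
    lineno: int
    date: str
    time: str
    firewall: str
    year: int
    pid: int
    msg_num: int
    msg_id: str
    variables: list = field(default_factory=list)


def parse_log(text):
    """Return (records, rejected): parsed records and the line numbers that did not match."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RECORD_RE.match(line)
        if not m:
            rejected.append(lineno)
            continue
        # The record ends with ';' after var_n, so the split leaves an empty last element.
        variables = m.group("vars").split(";")
        if variables and variables[-1] == "":
            variables.pop()
        records.append(LogRecord(lineno, m.group("date"), m.group("time"), m.group("firewall"),
                                 int(m.group("year")), int(m.group("pid")), int(m.group("msg_num")),
                                 m.group("msg_id"), variables))
    return records, rejected


def select(records, prefix="ICA"):
    """Keep records whose message ID starts with prefix ('ICA3' = SOCKS, 'ICA3012' = one message)."""
    return [r for r in records if r.msg_id.startswith(prefix)]


def to_del_rows(records, log_name):
    """DEL rows: semicolon-delimited, no string delimiters, keyed by log name and line number."""
    rows = []
    for r in records:
        timestamp = f"{r.date} {r.year} {r.time}"
        rows.append(";".join([log_name, str(r.lineno), timestamp, r.firewall, str(r.pid), r.msg_id]
                             + r.variables))
    return rows


# Constructed sample log: three firewall records plus one line that another
# syslog facility wrote into the same file, which the parser must reject.
SAMPLE_LOG = """\
Oct 31 10:22:01 fw1.example.com:1996;1234:1;ICA1034i;ftp-gw;started;
Oct 31 10:22:09 fw1.example.com:1996;1250:2;ICA3012i;socks;10.1.2.3;connect;
Oct 31 10:22:10 fw1.example.com:1996;1250:3;ICA3107w;socks;10.1.2.3;denied;
Oct 31 10:22:11 fw1.example.com sendmail[99]: message queued
"""

if __name__ == "__main__":
    records, rejected = parse_log(SAMPLE_LOG)
    print("rejected lines:", rejected)
    for row in to_del_rows(select(records, "ICA3"), "fw961031.log"):
        print(row)
```

Carrying the log file name and line number in every row is what lets a unique index on those columns stop the same record from being imported twice, which is the duplication problem discussed under the SQL table layout.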
For more information on messages, see Appendix A. "Messages".
This section describes files provided with the firewall for creating the database, importing information into the database, and querying reports. If you have DB2, the db2 command can be used with these files. (Functions similar to the db2 command may exist in other database managers. The files may require alteration to be used with such functions.)
To run the db2 command, you must have DB2 installed and an 'instance' defined. (See the DB2 install documentation.) Initially, you must use DB2's create database command to create an empty database. (We suggest calling it 'fwlog'.) To do this, type at the command line:
db2 create database fwlog
You must then connect to fwlog:
db2 connect to fwlog
The -vf options of the db2 command can then be used as follows:
db2 -vf fwschema.ddl > schema.out
db2 -vf fwimport.dat > import.out
db2 -vf fwqrysmp.dml > report.out
These steps are described in the following sections. In each case, the user should carefully check the standard output (redirected to a file in each of the examples). For import, it is also necessary to check the .msg file produced by each individual import statement.
Your PATH environment variable should include /usr/lpp/FW/sample.
The example db2 -vf fwschema.ddl creates all the tables and indexes needed. Issue this command once, preferably soon after installing the firewall. The current user ID at the time this example is run will be the creator ID of the tables. This ID may need to be used as a table name qualifier (such as creatorid.tableName) in later SQL statements, unless they are run under the creator's ID. Thus, if not using the creator's ID, the user will need to edit the fwimport.dat and fwqrysmp.dml files to place the creator ID in front of each table name.
The fwschema.ddl file (/usr/lpp/FW/sample/fwschema.ddl) contains the DDL statements to create the database tables needed to accept records from the tabulated files created by fwlogtbl. You should look at schema.out to determine if your operation was successful. The statements can be used as is or can be modified to work with various database systems. (Users should not change table and column names.)
The example db2 -vf fwimport.dat loads data from all the DEL files into the tables created by the db2 -vf fwschema.ddl example.
The fwimport.dat file (/usr/lpp/FW/sample/fwimport.dat) contains sample statements for importing the data from the *.tbl files into the DB2 database. As mentioned in "Creating the Tables", if the user of the imports is not the creator of the tables, the creator ID must be placed in front of each table name.
Each import statement produces information in standard out and additional information in a tblname.msg file, where tblname is specific to each import statement. The user should check both forms of output to determine if the import was successful. When running all the import statements in this file with a program such as db2, the user should direct standard out to a file, then check that file and each of the .msg files. Each one of the import commands produces a separate .msg file. Also, the user should re-issue the db2 -vf ... command whenever they have a new log to reflect in the database.
When importing large log files you may receive SQL error codes with descriptions indicating the need for more memory or disk space. For example, the message may be insufficient heap space or transaction log space. These errors require adjustment of the parameter settings for the database product or for the fwlog database. See the DB2 documentation for more information. A temporary alternative to adjusting the DB2 parameter settings is to split large logs or large tabulated files into smaller files.
The db2 -vf fwqrysmp.dml example runs the sample queries. The fwqrysmp.dml file (/usr/lpp/FW/sample/fwqrysmp.dml) contains sample SQL statements that can provide useful report data, based on some of the query requirements. You can build on these examples to create your own reports. As mentioned in "Creating the Tables", if the user of the imports is not the creator of the tables, the creator ID must be placed in front of each table name.
When running queries from the command line, DB2 allocates the maximum space it might need for each output column. This can result in a report that is difficult to read. You may achieve more satisfactory results by requesting fewer columns in each query or by imbedding these query statements in a program where you can better control the presentation.
Report Utilities are installed as part of firewall install. They can also be separately installed and run on a non-firewall host. The configuration client can be used to run report utilities on a firewall. On a non-firewall, you will use SMIT or the command line.
This diagram illustrates the sequence leading to the panels for a firewall machine.
---------------------------------
| Main SMIT panel               |
---------------------------------
               |
               V
---------------------------------
| Internet Connection Firewall  |
---------------------------------
               |
               V
-----------------
| System Logs   |
-----------------
               |
               V
-------------------------------
| Report Generation Utilities |
-------------------------------
               |
               V
--------------------------------
| Selection of File in Archive |
--------------------------------
          |               |
          V               V
----------------------------   ---------------------------
|Expanded Text Message File|   | Tabulated Message Files |
----------------------------   ---------------------------
This is the sequence leading to the panels in a non-firewall machine.
---------------------------------
| Main SMIT panel               |
---------------------------------
               |
               V
-------------------------------
| Report Generation Utilities |
-------------------------------
               |
               V
--------------------------------
| Selection of File in Archive |
--------------------------------
          |               |
          V               V
----------------------------   ---------------------------
|Expanded Text Message File|   | Tabulated Message Files |
----------------------------   ---------------------------
Figure 1. The selection of Report Utility Type
+--------------------------------------------------------+
|  Report Generation Utilities                           |
|                                                        |
|  Move cursor to desired item and press Enter.         |
|                                                        |
|    Create Expanded Text Message File                   |
|    Create Tabulated Message Files                      |
+--------------------------------------------------------+
Figure 2. The field for Log Archive File Name entry
The panel in Figure 2 requests the name of a log archive. See Figure 3 for usage of this information. A similar panel appears if Create Tabulated Message Files was selected.
+--------------------------------------------------------+
|  Create Expanded Text Message File                     |
|                                                        |
|  Type or select values in entry fields.                |
|  Press Enter AFTER making all desired changes.         |
|                                                        |
|                                    [Entry Fields]      |
|  Enter Log Archive File Name         []                |
+--------------------------------------------------------+
Figure 3. The fields for "Create Expanded Text Message File"
The list for the Log File Name field will be the list of names extracted from the Log Archive named on the preceding panel and shown at the bottom of this one. The names will end in .Z, since they have been compressed by the fwlogmgmt command. If no Log Archive name was given on the preceding panel, the list will show names of all files in the directory SMIT was started from. It is assumed that these are not compressed files. The Message Filter is used to select a subset of the log messages (which have an ICA prefix). The default filter is all messages in the log (ICA). A filter of ICA3 would select all messages related to SOCKS. A filter of ICA3012 would show the text of only that one message. The default Output File is standard output.
For more information, see Appendix A. "Messages".
+--------------------------------------------------------+
|  Create Expanded Text Message File                     |
|                                                        |
|  Type or select values in entry fields.                |
|  Press Enter AFTER making all desired changes.         |
|                                                        |
|                                    [Entry Fields]      |
|  Log File Name                       []+               |
|  Message Filter                      []                |
|  Path and File Name for Output Text  []                |
|  Log Archive File Name                                 |
+--------------------------------------------------------+
Figure 4. The fields for "Create Tabulated Message Files"
See the description of the Create Expanded Text Message File panel for details about the list for the Log File Name field. The default for Directory for Output Files is the current directory.
+--------------------------------------------------------+
|  Create Tabulated Message Files                        |
|                                                        |
|  Type or select values in entry fields.                |
|  Press Enter AFTER making all desired changes.         |
|                                                        |
|                                    [Entry Fields]      |
|  Log File Name                       []+               |
|  Log File Type                       [Firewall log]+   |
|  Append to existing files            [yes]+            |
|  Directory for Output Files          []                |
|  Log Archive File Name                                 |
+--------------------------------------------------------+
This section defines the layout of the SQL tables.
Each Firewall log message or system SU log message is mapped to one of the following SQL tables:
ADMIN_ALERT FILTER_INFO FILTER_MATCH FILTER_ACTIVE_RULE FILTER_STATUS NAT_INFO PAGER_INFO PROXY_FTP PROXY_HTTP PROXY_INFO PROXY_LOGIN PROXY_STATUS SERVER_INFO SESSION SOCKS_FTP SOCKS_INFO SSL_INFO SU TUNNEL_CONTEXT TUNNEL_POLICY TUNNEL_STATUS
You should not change the table and column names.
A log record representing a particular firewall event should appear only once in the database. If an administrator imports the same tabulated file multiple times or if another tabulated file derived from the same log file is imported, a log record could appear more than once.
To help avoid this problem, the database definition sample file, fwschema.dll, defines a unique index on each of the tables using these three fields:
This index prevents you from loading the same line number from the same named file more than once. This, combined with careful management of your log file names, should prevent duplication of log events in your database.
Adding other indexes to your database may enhance performance of your most common queries. Consult your database documentation for more information.
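The Message Filter rule from the report-utility panels above and the unique-index guard against loading a log line twice, as an added example that is not part of the original manual. It treats the filter as a prefix of the ICA message number, which is what the three cases the text gives (ICA, ICA3, ICA3012) imply, and models the index on the two fields the text names, file name and line number. The log lines, file names, and the in-memory "index" are constructed for the example and are not real firewall output or the real database schema; filter_matches, record_load and load_file are names introduced here. The last call in main shows the caveat the text warns about: a renamed copy of an already-loaded file is not caught by the index.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample records. Each firewall log record begins with an ICA
   message number; the text after it is placeholder, not real output. */
static const char *SAMPLE_LOG[] = {
    "ICA1036 constructed filter record",
    "ICA3012 constructed socks connect record",
    "ICA3018 constructed socks bind record",
    "ICA2001 constructed proxy record",
    "ICA3012 constructed socks connect record",
    "line without an ICA prefix",
};
#define SAMPLE_LOG_LEN (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Length of the "ICAnnnn" message number at the start of a record,
   or 0 when the record carries no ICA prefix. */
static size_t msg_id_len(const char *line)
{
    size_t i = 3;
    if (strncmp(line, "ICA", 3) != 0)
        return 0;
    while (isdigit((unsigned char)line[i]))
        i++;
    return i;
}

/* Message Filter rule: a filter selects every record whose message number
   starts with it ("ICA" = everything, "ICA3" = the SOCKS family,
   "ICA3012" = that one message). */
int filter_matches(const char *filter, const char *line)
{
    size_t id_len = msg_id_len(line);
    size_t f_len = strlen(filter);
    if (id_len == 0 || f_len > id_len)
        return 0;
    return strncmp(line, filter, f_len) == 0;
}

int count_matches(const char *filter, const char **lines, int nlines)
{
    int n = 0, i;
    for (i = 0; i < nlines; i++)
        if (filter_matches(filter, lines[i]))
            n++;
    return n;
}

int count_sample_matches(const char *filter)
{
    return count_matches(filter, SAMPLE_LOG, SAMPLE_LOG_LEN);
}

/* A small in-memory stand-in for the unique index: one entry per
   (tabulated file name, line number) already loaded. */
#define MAX_LOADED 64
static struct { char file[64]; int line; } loaded[MAX_LOADED];
static int nloaded;

void reset_loaded(void) { nloaded = 0; }

/* Returns 1 and records the key if (file, line) has not been loaded yet,
   0 if that line of the same-named file was loaded before. */
int record_load(const char *file, int line)
{
    int i;
    for (i = 0; i < nloaded; i++)
        if (loaded[i].line == line && strcmp(loaded[i].file, file) == 0)
            return 0;
    if (nloaded == MAX_LOADED)
        return 0;                   /* table full: refuse rather than duplicate */
    snprintf(loaded[nloaded].file, sizeof loaded[nloaded].file, "%s", file);
    loaded[nloaded].line = line;
    nloaded++;
    return 1;
}

/* Import every record of a tabulated file that passes the filter; returns the
   number of rows inserted (re-importing the same file name is rejected). */
int load_file(const char *file, const char *filter, const char **lines, int nlines)
{
    int inserted = 0, i;
    for (i = 0; i < nlines; i++) {
        if (!filter_matches(filter, lines[i]))
            continue;
        if (record_load(file, i + 1))   /* line numbers are 1-based */
            inserted++;
    }
    return inserted;
}

int main(void)
{
    printf("ICA: %d, ICA3: %d, ICA3012: %d\n", count_sample_matches("ICA"),
           count_sample_matches("ICA3"), count_sample_matches("ICA3012"));
    printf("first load: %d rows\n", load_file("fwlog.1", "ICA", SAMPLE_LOG, SAMPLE_LOG_LEN));
    printf("same file again: %d rows\n", load_file("fwlog.1", "ICA", SAMPLE_LOG, SAMPLE_LOG_LEN));
    printf("renamed copy: %d rows (the index cannot catch this)\n",
           load_file("fwlog.1.copy", "ICA", SAMPLE_LOG, SAMPLE_LOG_LEN));
    return 0;
}
```

The renamed-copy case is why the text asks for careful management of log file names: the index keys on the file name as imported, so the same events under a second name load a second time.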
This section maps firewall log messages to tables and columns and points to information you may wish to query for your reports. All messages that are mapped to a particular table are listed in the note at the end of the table. Messages that provide data for particular columns are listed in that column's description.
For more information on firewall log messages, see Appendix A. "Messages".
In the Data Type column in the following descriptions, 'int' implies SMALLINT column type for DB2; 'long int' implies DB2 INTEGER type. A date-time Data Type implies DB2 TIMESTAMP. In the timestamp, the microseconds value will always be "000000".
If a description is marked "required", this means a value must be specified to enter the record in the table.
The three columns that serve as the unique index are omitted from these table definitions because their definitions are identical and there is usually no reason to query them.
The ADMIN_ALERT table contains messages related to intrusion alerts, from the a_alert.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (ICA0001, ICA0002, ICA0003, ICA0004, ICA2001, ICA2002, ICA2003, ICA2026, ICA2043, ICA2068, ICA3001, ICA3012, ICA3018)
ACTION | char(7) | "connect" (ICA3012) or "bind" (ICA3018)
NUM_COUNT | int | Number of authentication failures (ICA0001, ICA0002, ICA0003); number of log entries for TAG_MSG_NUM (ICA0004); number of days (ICA9000)
TAG_MSG_NUM | char(8) | Tag message number (ICA0004)
SRC_IP | char(15) | Source IP address (ICA2001, ICA2028, ICA2079, ICA3012, ICA3018)
DST_IP | char(15) | Destination IP address (ICA2028, ICA2079, ICA3012, ICA3018)
AUTH_METHOD | char(20) | Authentication method (ICA2002)
NETWORK | char(25) | Network name (ICA2001, ICA2002)
HOST_NAME | char(100) | Host name (ICA0003, ICA2002)
TIMEOUT_SEC | int | Time-out seconds (ICA2026)
CONN_USERID | char(8) | Socks connect user name (ICA3001)
APPLICATION | char(10) | Application name - "telnet", "ftp", ... (ICA3012)
The FILTER_ACTIVE_RULE table contains active FILTER rules, from the f_rule.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
RULE_NUM | int | Rule number (required)
RULE | char(150) | Rule (required)
The FILTER_INFO table contains error or general information messages related to FILTERS, from the f_info.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
RULE_NUM | int | Filter rule number (ICA1005)
ERROR_NUM | int | System error number, AIX errno (ICA1007, ICA1008, ICA1009, ICA1011, ICA1013, ICA1015, ICA1021, ICA1023, ICA1024). Text corresponding to this error number is obtainable via the _strerror function.
LOAD_PATH | char(100) | Kernel extension load path (ICA1011, ICA1012)
DVC_DRV | char(25) | Device driver (ICA1021)
TERM_SIG | char(25) | Termination signal (ICA1260)
FILE_NAME | char(100) | File name (ICA1024)
RC | int | Internal firewall return code (ICA1019)
The FILTER_MATCH table contains the filter rules matched, from the f_match.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
RULE_NUM | int | Rule number (required)
ACTION | char(6) | Rule type: permit, deny, etc.
DIRECTION | char(8) | Direction the packet was traveling: inbound or outbound (required)
SRC_IP | char(15) | IP address of the sender (required)
DST_IP | char(15) | IP address of the recipient (required)
PROTOCOL | char(7) | High-level protocol (required). For example, UDP, IPIP, ICMP, TCP or TCP/ACK
SRC_PORT | int |
DST_PORT | int |
ROUTING | char(5) | Routing affiliation of the packets: route or local (required)
INTERFACE | char(10) | Interface type: secure or non-secure (required)
FRAGMENT | char(8) | Identifies if the packet is fragment or non-fragment (required)
TUNNEL_ID | int | Tunnel ID (required)
ENCRYPTION | char(7) | Encryption algorithm: DES_CBC, CDMF or none
BYTES | long int | Length of the specific packet (required)
The FILTER_STATUS table contains information on status changes of filters, from the f_stat.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
DAEMON | char(25) | Filter logging daemon (ICA1004), such as /usr/sbin/fwlogd
VERSION | int | Version number (ICA1004, ICA1033)
RELEASE | int | Release number (ICA1004, ICA1033)
PACKET_LOGGING | char(8) | Status of packet logging (ICA1035): enabled or disabled
The NAT_INFO table contains Network Address Translation message information, from the nat_info.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
VERSION | int | NAT version number (ICA9033)
RELEASE | int | NAT release number (ICA9033)
IP | char(15) | IP address (ICA9035, ICA9036)
The PAGER_INFO table contains information related to the paging feature of the Firewall, from the pgr_info.tbl file, for those pager messages that are mapped to the database.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (ICA4036, ICA4174, ICA4175)
ERROR_NUM | int | System error number, AIX errno
PROGRAM | char(25) | Program name (ICA4000)
SIGNAL | int | Termination signal (ICA4000)
ID | int | Identifier (ICA4036)
PRIORITY | int | Priority (ICA4036)
PERIOD | int | Period (ICA4036)
RETRY_COUNT | int | Number of retries (ICA4036)
FROM_ENTRY | char(15) | Function name (ICA4036)
HOST_NAME | char(100) | Host name (ICA4174, ICA4175)
MESSAGE_TEXT | char(250) | Text of the page (ICA4036)
SERVICE | char(25) | Service name (ICA4017)
SOCKET | int | Socket number (ICA4017)
FILENAME | char(100) | File name (ICA4154)
The PROXY_FTP table contains FTP action information from proxy FTP sessions, from the p_ftp.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (required)
SRC_IP | char(15) | IP address of the user (required)
DST_IP | char(15) | IP address of the remote machine (required)
ACTION | char(5) | File transfer action: put or get (required)
FILE_NAME | char(100) | File name
BYTES | long int | Amount of data transferred
SID | long int | Unique session ID (required)
The PROXY_HTTP table contains HTTP action information from proxy sessions, from the p_http.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
STATUS | int | Status (required)
SRC_IP | char(15) | IP address of the user (required)
REQUEST | char(250) | Content of the HTTP request (required)
BYTES | long int | Amount of data transferred
The PROXY_INFO table contains error or general information messages related to PROXY, from the p_info.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (ICA2018, ICA2019, ICA2057, ICA2058)
ERROR_NUM | int | System error number, AIX errno (ICA2005, ICA2006, ICA2009, ICA2029, ICA2035, ICA2038, ICA2039, ICA2052, ICA2054, ICA2055, ICA2056, ICA2057, ICA2058, ICA2059, ICA2063, ICA2064, ICA2065, ICA2066, ICA2067, ICA2068, ICA2069, ICA2070, ICA2071, ICA2074, ICA2110, ICA2111, ICA2113, ICA2114, ICA2115, ICA2118, ICA2119, ICA2121, ICA2122, ICA2123, ICA2124). Text for errno (AIX system errors) is obtainable via the _strerror function.
OPTION_VAL | char(20) | Option flag or parameter value (ICA2014, ICA2015, ICA2049, ICA2050)
TIME | char(15) | Invalid time interval (ICA2044)
RC | int | Internal Firewall return code (ICA2007, ICA2030, ICA2031, ICA2033, ICA2034, ICA2054, ICA2057, ICA2058, ICA2065, ICA2120)
INVOC_NAME | char(20) | Invocation name for socket or port at the time the system error occurred (ICA2055, ICA2056)
AUDIT_TYPE | char(7) | Unknown audit type (7 hex digits) (ICA2004)
HOST_NAME | char(100) | Host name (ICA2106, ICA2107, ICA2126)
FILE_NAME | char(100) | File name (ICA2029, ICA2030, ICA2072)
LINE_NUM | int | Line number (ICA2029, ICA2030)
PROTOCOL | char(25) | Invalid protocol name (ICA2112, ICA2116)
CUSTOMIZED_ATTR | char(25) | Line number (ICA2105, ICA2106, ICA2125)
ODM_ERR_NUM | int | Error number from Object Data Manager (ICA2102, ICA2103, ICA2104, ICA2105, ICA2107, ICA2108, ICA2109, ICA2125)
The PROXY_LOGIN table contains information (primarily regarding authentication) about successful PROXY logins, from the p_login.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (required)
APPLICATION | char(10) | Application name, which can be one of:
AUTH_METHOD | char(15) | Authentication method (required)
NETWORK | char(25) | Network (secure/nonsecure; may have additional information also) (required)
HOST_NAME | char(100) | Host name (required)
The PROXY_STATUS table contains PROXY status information, from the p_stat.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (ICA2008, ICA2016, ICA2021)
SRC_IP | char(15) | Source IP address (ICA2000, ICA2008, ICA2010, ICA2011, ICA2012, ICA2013, ICA2141)
DST_IP | char(15) | Destination IP address (ICA2000, ICA2010, ICA2011, ICA2012, ICA2013)
REMOTE_HOST | char(100) | Remote host name (from the perspective of the firewall machine) (ICA2021, ICA2022, ICA2027)
The SERVER_INFO table contains information about Configuration Server status and activities, from the srv_info.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (ICA9003, ICA9004)
ERROR_NUM | int | System error number, AIX errno (ICA9008, ICA9009). Text for errno (AIX system errors) is obtainable with the strerror function.
The SESSION table contains SOCKS and PROXY session start/stop information, from the session.tbl file.

Column | Data Type (length) | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (required)
SERVICE_TYPE | char(10) | Service type, which can be one of:
APPLICATION | char(10) | Application name - telnet, ftp, ... (required)
SRC_IP | char(15) | IP address of the user (required)
DST_IP | char(15) | IP address of the remote machine (required)
SESSION_EVENT | char(5) |
BYTES | long int | Amount of data transferred during the session. If the row is for PROXY, this column is filled in only for ftp.
SID | long int | Unique session identifier, generated by the Firewall, based on clock time
The SOCKS_FTP table contains SOCKS FTP action information from FTP sessions, from the s_ftp.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (required)
SRC_IP | char(15) | IP address of the user (required)
DST_IP | char(15) | IP address of the remote machine (required)
DATA_BIND | char(5) |
BYTES | long int | Amount of data transferred
The SOCKS_INFO table contains error or general information messages related to SOCKS, from the s_info.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
USERID | char(8) | User ID (ICA3044, ICA3045, ICA3046, ICA3047, ICA3049)
ACTION | char(7) | "connect" (ICA3044, ICA3049) or "bind" (ICA3046, ICA3047)
ERROR_NUM | int | System error number, AIX errno (ICA3013, ICA3019, ICA3031, ICA3032, ICA3040, ICA3044, ICA3101, ICA3102, ICA3103, ICA3104, ICA3106, ICA3107, ICA3108, ICA3122, ICA3124, ICA3125, ICA3126, ICA3128)
SRC_HOST | char(25) | Source host name (ICA3019, ICA3035)
DST_HOST | char(25) | Destination host name (ICA3016, ICA3045)
SRC_IP | char(15) | Source address (ICA3042, ICA3043, ICA3044, ICA3045, ICA3046, ICA3047, ICA3049)
DST_IP | char(15) | Destination address (ICA3044, ICA3045, ICA3046, ICA3047, ICA3049)
LINE_NUM | int | Line number (ICA3022, ICA3023, ICA3024, ICA3025, ICA3026, ICA3109, ICA3110, ICA3111, ICA3112, ICA3115, ICA3116, ICA3117, ICA3118, ICA3119, ICA3120); or number of lines (ICA3113)
EXEC_STATUS | int | Exec status (ICA3027)
CMD | char(36) | Command, such as login (ICA3027, ICA3039, ICA3042, ICA3044, ICA3048). Note: for ICA3042, the command is in hexadecimal format.
FILE_NAME | char(100) | File name (ICA3030, ICA3032, ICA3105, ICA3109, ICA3110, ICA3111, ICA3112, ICA3113, ICA3114, ICA3115, ICA3116, ICA3117, ICA3118, ICA3119, ICA3120)
APPLICATION | char(10) | Application name - telnet, ftp, ... (ICA3044, ICA3045, ICA3049)
VERSION | char(10) | Socks version number in hex (ICA3043)
The SSL_INFO table contains information about SSL status and activities, from the ssl_info.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
Client_IP | char(15) | IP address of the client
The SU table contains details about SU activities, from the su.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required). Because AIX does not record the year in the su log file, the year portion of the DATE_TIME column is set to either the current year or the previous year, based on the month/day values (if the month/day is later than the current month/day, the previous year is assumed).
FROM_USERID | char(8) | User ID (required)
TO_USERID | char(8) | User ID (required)
LOGIN_STATUS | char(7) | Status of login attempt: success or failure (required)
The TUNNEL_CONTEXT table contains active TUNNEL context specifications, from the t_cntxt.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
TUNNEL_ID | long int | Tunnel ID (required)
SRC_IP | char(15) | Source IP address (required)
DST_IP | char(15) | Destination IP address (required)
ENCRYPTION | char(7) | Encryption algorithm: DES_CBC or CDMF
The TUNNEL_POLICY table contains TUNNEL policy statements, from the t_policy.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
POLICY | char(60) | Policy statement read from the fwpolicy file (required)
The TUNNEL_STATUS table contains information on status changes of TUNNELS, from the t_stat.tbl file.

Column | Data Type | Short Description
---|---|---
DATE_TIME | date_time | Date and time for the action (required)
FIREWALL | char(100) | Fully qualified name of the firewall machine (required)
PID | int | Process ID (required)
MSG_NUM | int | Message number (required)
SESSION_SCKT | long int | Session socket port (ICA1038)
MASTER_SCKT | long int | Master socket port (ICA1038)
TUNNEL_ID | long int | Tunnel ID deleted (ICA1041)
This chapter gives you information on providing your own authentication methods.
There are two methods for user-supplied authentication:
You can use either method but not both. If fwuserpt and fwuserau are present in /usr/bin, then method 1 is used.
To use user-supplied authentication as an authentication method, the firewall administrator must provide two executables: fwuserpt and fwuserau. The fwuserpt code provides the text that will prompt the user for an authentication token. The fwuserau code authenticates the user based on the response to the prompt.
If you choose the user-supplied authentication method for a firewall proxy user, the IBM Firewall takes these actions when that user logs on:
fwuserpt executes a printf statement to display a prompt to the user.
The executables fwuserpt and fwuserau reside in /usr/bin. They are supported when compiled on an AIX machine compatible with the version of the firewall they are intended to run on. Once executed, ownership is transferred to root.
fwuserpt takes the user name as input. It performs a database lookup or calculation and outputs a string using a printf statement. For example, if John is the user, fwuserpt can create one of the following as output:
The return codes for fwuserpt and fwuserau are zero if successful and non-zero if unsuccessful.
The inputs to fwuserau are the user name and the 'password' strings supplied by the user. If the password consists of a sequence of strings, as in the case of Secure Key, they are in argv[2], argv[3], argv[4], argv[5], and so on.
The string fwuserpt issues with printf must not contain any special character such as '\n' or '\r'; otherwise the result is unpredictable. The printf must be followed by a fflush call. fwuserau must not contain any print statements; otherwise the result is unpredictable.
The following is an example of fwuserpt and fwuserau with authentication performed.
Compile the following and name the output file fwuserpt.
```c
#include <stdio.h>

int main(int argc, char **argv)
{
    char *user = NULL;           /* name of user to be authenticated */

    user = argv[1];
    if (user == NULL) {
        return 1;                /* Note: if you cannot validate the userid, return 1
                                    and fwuserau will not be called */
    }
    printf("User Supplied auth invoked. Please supply your password.");
    (void) fflush(stdout);       /* required after the printf; the prompt carries no '\n' */
    return 0;
}
```
Compile the following and name the output file fwuserau.
```c
int main(int argc, char **argv)
{
    char *user = NULL;           /* name of user to be authenticated */

    user = argv[1];
    if (user == NULL) {
        return 1;
    }
    /* Retrieve the authentication token from argv[2], argv[3], etc.,
       depending on the interface, that is, the number of tokens the user is
       expected to input at the prompt, and validate the user.
       Return 0 if successful; return 1 if unsuccessful. */
    return 1;                    /* fail closed until validation is added: falling off
                                    main would return 0, which the firewall reads as success */
}
```
Sample code using Secure Key as an example of user-supplied authentication is provided in the /usr/lpp/FW/sample directory. These files are:
These files have been used to test our user-supplied authentication API code and are provided as is.
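A complete fwuserau, as an added example that is neither the manual's nor the Secure Key sample's code. It checks every argv[2], argv[3], ... token against a constructed in-memory credential table (a real fwuserau would consult its own database), compares in constant time so that a mismatch does not reveal where the strings first differ, fails closed for an unknown user or a wrong number of responses, and writes nothing to stdout, as the rules above require. The user names and tokens are constructed for the example; check_user_tokens and equal_ct are names assumed here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed credential table. A real fwuserau would look the user up in
   its own database; these values exist only so the example runs. */
struct credential {
    const char *user;
    const char *tokens[4];   /* expected prompt responses, in order */
    int ntokens;
};
static const struct credential CREDS[] = {
    { "john", { "s3cr3t", "4711" }, 2 },   /* two-part response, Secure Key style */
    { "mary", { "one-token" }, 1 },
};
#define NCREDS (int)(sizeof CREDS / sizeof CREDS[0])

/* Compare two strings without leaking where they first differ. */
static int equal_ct(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb, i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* fwuserau decision: 0 = authenticated, 1 = rejected (the return convention
   the manual gives). tokens[0..ntok-1] are argv[2], argv[3], ... */
int check_user_tokens(const char *user, int ntok, char *const *tokens)
{
    const struct credential *c = NULL;
    int i, ok = 1;

    if (user == NULL || tokens == NULL)
        return 1;
    for (i = 0; i < NCREDS; i++)
        if (strcmp(CREDS[i].user, user) == 0)
            c = &CREDS[i];
    if (c == NULL)
        return 1;                        /* unknown user: fail closed */
    if (ntok != c->ntokens)
        return 1;                        /* wrong number of responses */
    for (i = 0; i < ntok; i++)           /* check every token, no early exit */
        ok &= equal_ct(c->tokens[i], tokens[i]);
    return ok ? 0 : 1;
}

/* Entry point as the firewall invokes it: argv[1] is the user, argv[2..] the
   responses. Nothing is printed: fwuserau must not write to stdout. */
int main(int argc, char **argv)
{
    if (argc < 3)
        return 1;
    return check_user_tokens(argv[1], argc - 2, argv + 2);
}
```

Compile it as `fwuserau` and place it in /usr/bin beside fwuserpt, as the text describes; the exit status is the only channel back to the firewall.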
User-supplied iteration enables you to require multiple responses from a user attempting to log on, instead of just one prompt and one reply.
The following diagram depicts the user-supplied support for telnet:
    Client                                             Server (test99)
    telnet test99
    login                ------------------------------>
                         <------------------------------  prompt user
    user reply           ------------------------------>
                         <------------------------------  enter your new credential
    user reply           ------------------------------>
                         <------------------------------  re-enter new credential
    user reply           ------------------------------>
                         <------------------------------  login OK or not OK
The following diagram depicts the user-supplied support for ftp:
    Client                                             Server (test99)
    ftp test99
    login                ------------------------------>
                         <------------------------------  prompt user
    user reply           ------------------------------>
                         <------------------------------  OK or not OK
The following sections explain how to accomplish iterative prompting.
You must supply the library functions that the Firewall invokes. The name of the shared library file is fwuser.o. This file must reside in /usr/lib. In addition, fwuser.exp must be present in /usr/lib. This library must contain the following functions:
Note: An FTP client cannot be prompted more than once in an iterative fashion.
During installation of the IBM Firewall, copies of fwuser.o and fwuser.exp are installed in /usr/lib. If a copy of fwuser.o already exists in /usr/lib, it will not be replaced during installation.
When you invoke the IBM-supplied fwuser.o, a message reminding you to supply your own version of user-written authentication is put into the local4 log.
The IBM-supplied fwuser.o denies authentication for FTP and telnet.
fw_prompt prompts the user for the string to be returned (a password, for example).
fw_prompt displays messages to the user.
fw_prompt takes two arguments, a pointer to username (characters) and ret_code. ret_code is a pointer to a data structure called fw_ret_struct which is defined in fwuser.h. fwuser.h can be found in the /usr/lpp/FW/sample subdirectory.
In the argument ret_code, the req_rsp_code is set to FW_AUTH_REQ (request for prompt for username).
Following is an example of the function for fw_prompt. This can be found in /usr/lpp/FW/sample/fwprompt.c.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "fwuser.h"

int fw_prompt(char *username, struct fw_ret_struct *ret_code)
{
    strcpy(ret_code->return_str, "Please enter password");
    ret_code->req_rsp_code = FW_AUTH_OK;
    return FW_AUTH_OK;
}
```
fw_tn_authenticate authenticates the user using telnet.
fw_tn_authenticate takes three arguments: a pointer to username, a pointer to response, and a pointer to a data structure called ret_code. ret_code, of type fw_ret_struct, is defined in fwuser.h. The arguments are described as follows:
username always points to a NULL-terminated string containing the user ID of the user.
response points to a NULL-terminated string, or is NULL. If response is NULL and req_rsp_code is set to FW_AUTH_REQ, this is the first time fw_tn_authenticate is called for the user specified by username. For example, when a telnet session is initiated, before any prompt is displayed to the user, fw_tn_authenticate is called with response set to NULL and req_rsp_code set to FW_AUTH_REQ.
The ret_code is used to pass information between the firewall and fw_tn_authenticate.
Ret_code can have these values:
If ret_code is set to anything other than these values, fw_tn_authenticate is called again. You should define a code, such as FW_AUTH_INIT, that you use to indicate authentication is continuing and fw_tn_authenticate should be called again.
The return_str is the string Firewall will display to the user for response. This return_str must NOT contain any special characters like '\n'.
For example, if an authentication uses a sequence of passwords defined by the user, the user can define FW_AUTH_CONT_REQ as 3 and FW_AUTH_INIT_REQ as 2 and put these in fwuser.h. When fw_tn_authenticate is first called, the second parameter is set to NULL and req_rsp_code is set to FW_AUTH_REQ. Then fw_tn_authenticate can put a string like "Enter the initial code" in the return_str and set req_rsp_code to be FW_AUTH_INIT_REQ.
When fw_tn_authenticate is called again, the second parameter will point to the response string and the req_rsp_code will be FW_AUTH_INIT_REQ (the value returned by fw_tn_authenticate). If fw_tn_authenticate wants further input from the user, it can put "enter your second response" in return_str and set req_rsp_code to FW_AUTH_CONT_REQ. When fw_tn_authenticate is called again, the second parameter will point to the second response given by the user and the req_rsp_code will be FW_AUTH_CONT_REQ.
If fw_tn_authenticate is satisfied with the response, fw_tn_authenticate will set req_rsp_code to FW_AUTH_OK and return FW_AUTH_OK.
If fw_tn_authenticate is not satisfied with the user response, it will set req_rsp_code to be FW_AUTH_FAILED and return.
Following is an example of fw_tn_authenticate that implements the above scenario. In this example, the user is first asked to enter "password" and the second authentication asks the user to enter the "password" again.
```c
/* This is an example of two iteration authentications. It first asks the
   user to input a response and, based on the response, asks the user for a
   second response for authentication. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "fwuser.h"

int fw_tn_authenticate(char *username, char *response, struct fw_ret_struct *ret_code)
{
    if (username == NULL) {
        return FW_AUTH_FAILED;
    }
    if (ret_code == NULL) {
        return FW_AUTH_FAILED;
    }
    memset(ret_code->return_str, 0x00, sizeof(ret_code->return_str));
    if ((response == NULL) && (ret_code->req_rsp_code == FW_AUTH_REQ)) {
        ret_code->req_rsp_code = FW_AUTH_INIT_REQ;
        strcpy(ret_code->return_str, "Please enter password");
        return FW_AUTH_OK;
    } else {
        if (response == NULL) {      /* no response on a later call: fail rather than strcmp(NULL) */
            ret_code->req_rsp_code = FW_AUTH_FAILED;
            return FW_AUTH_FAILED;
        }
        switch (ret_code->req_rsp_code) {
        case FW_AUTH_INIT_REQ:
            if (strcmp(response, "password") == 0) {
                ret_code->req_rsp_code = FW_AUTH_CONT_REQ;
                strcpy(ret_code->return_str, "Please enter password");
                return FW_AUTH_OK;
            } else {
                ret_code->req_rsp_code = FW_AUTH_FAILED;
                return FW_AUTH_FAILED;
            } /* endif */
            break;
        /* put other case statements defined in fwuser.h */
        case FW_AUTH_CONT_REQ:
            if (strcmp(response, "password") == 0) {
                ret_code->req_rsp_code = FW_AUTH_OK;
            } else {
                ret_code->req_rsp_code = FW_AUTH_FAILED;
            }
            return FW_AUTH_OK;
        /* put other case statements defined in fwuser.h */
        default:
            ret_code->req_rsp_code = FW_AUTH_FAILED;
            return FW_AUTH_FAILED;
            break;
        } /* switch */
    }
    return FW_AUTH_FAILED;
}
```
fw_ftp_authenticate authenticates the user using FTP.
The argument taken by fw_ftp_authenticate is identical to that of fw_tn_authenticate. It can only return FW_AUTH_FAILED or FW_AUTH_OK. Any value other than FW_AUTH_OK in req_rsp_code will be taken to be failure.
If the authentication is successful, the value in req_rsp_code must be set to FW_AUTH_OK and the returned value of the function is FW_AUTH_OK. Returning non-zero by the function or setting req_rsp_code to be anything other than FW_AUTH_OK means authentication failed. This file can be found in /usr/lpp/FW/sample/fwauthen.c.
Following is an example of fw_tn_authenticate.
```c
/*
 * The following is an example of user authentication. It uses a
 * two stage authentication method. This procedure is provided as
 * is. The first time this procedure is invoked, it asks the
 * user to respond with "password".
 * If the user responds properly, it asks the user
 * to respond with "changed password". If the user responds properly, then
 * the user is authenticated. Otherwise, the authentication fails.
 * FW_AUTH_INIT_REQ and FW_AUTH_CONT_REQ are user defined constants that
 * are defined in fwuser.h. The IBM Firewall does not use
 * these two constants.
 * The IBM Firewall uses (and the user must not redefine) FW_AUTH_FAILED,
 * FW_AUTH_OK and FW_AUTH_REQ.
 * The fwuser.o that is being installed was not compiled using this program.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "fwuser.h"

int fw_tn_authenticate(char *username, char *response, struct fw_ret_struct *ret_code)
{
    if (username == NULL) {
        return FW_AUTH_FAILED;
    }
    if (ret_code == NULL) {
        return FW_AUTH_FAILED;
    }
    memset(ret_code->return_str, 0x00, sizeof(ret_code->return_str));
    if ((response == NULL) && (ret_code->req_rsp_code == FW_AUTH_REQ)) {
        ret_code->req_rsp_code = FW_AUTH_INIT_REQ;
        /* In here, the program makes a computation or database lookup for
           username. It then comes up with a prompt for the user to enter the
           response. In this example, the user is asked to enter 'password' as
           a string. It can be changed to 'please enter your password' or
           'please enter your code' or any appropriate message to prompt the
           user for a response. */
        strcpy(ret_code->return_str, "Please enter password");
        return FW_AUTH_OK;
    } else {
        if (response == NULL) {      /* no response on a later call: fail rather than strcmp(NULL) */
            ret_code->req_rsp_code = FW_AUTH_FAILED;
            return FW_AUTH_FAILED;
        }
        switch (ret_code->req_rsp_code) {
        case FW_AUTH_INIT_REQ:
            /* The program is checking the response to see if it is valid. */
            if (strcmp(response, "password") == 0) {
                ret_code->req_rsp_code = FW_AUTH_CONT_REQ;
                /* In this example, the first response from the user is valid
                   and the user is asked to enter the 'changed password'.
                   If the administrator, after looking up the user's credential,
                   determines that the password has expired, a prompt requesting
                   that the user change the password can be issued. */
                strcpy(ret_code->return_str, "Please enter changed password");
                return FW_AUTH_OK;
            } else {
                ret_code->req_rsp_code = FW_AUTH_FAILED;
                return FW_AUTH_FAILED;
            }
            break;
        /* put other case statements defined in fwuser.h */
        case FW_AUTH_CONT_REQ:
            /* Computation is done to check the validity of the response. */
            if (strcmp(response, "changed password") == 0) {
                ret_code->req_rsp_code = FW_AUTH_OK;
                return FW_AUTH_OK;
            } else {
                ret_code->req_rsp_code = FW_AUTH_FAILED;
                return FW_AUTH_FAILED;
            }
        /* put other case statements defined in fwuser.h */
        default:
            ret_code->req_rsp_code = FW_AUTH_FAILED;
            return FW_AUTH_FAILED;
            break;
        } /* switch */
    }
    return FW_AUTH_FAILED;
}
```
Following is an example of fw_ftp_authenticate.
/* The following procedure is called after the user responds to fwprompt. */
/* It only checks to see if the response is "password". */
int fw_ftp_authenticate(char *username, char *response, struct fw_ret_struct *ret_code)
{
    if (username == NULL)
        return FW_AUTH_FAILED;
    if (response == NULL)
        return FW_AUTH_FAILED;
    if (ret_code == NULL)          /* ret_code is written below */
        return FW_AUTH_FAILED;
    /* checking the validity of the response based on the return */
    if (strcmp(response, "password") == 0) {
        ret_code->req_rsp_code = FW_AUTH_OK;
        return FW_AUTH_OK;
    } else {
        ret_code->req_rsp_code = FW_AUTH_FAILED;
        return FW_AUTH_FAILED;
    }
}
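The exchange between the firewall and a two-stage fw_tn_authenticate, as an added stand-alone harness that is not part of the sample code shipped in /usr/lpp/FW/sample: it plays the firewall's side, calling once for the prompt and once per response with the same fw_ret_struct carried through, so the stage kept in req_rsp_code is visible. Because fwuser.h is not reproduced here, the constant values, the layout of struct fw_ret_struct and its buffer size are assumptions; demo_tn_authenticate, same_secret and run_session are names chosen for this example, and it swaps strcpy for a bounded copy and strcmp for a length-independent comparison.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for what fwuser.h provides on a real system. The numeric values
 * and the size of return_str are assumptions for this example only; a real
 * fwuser.o must include the shipped header instead of redefining these. */
#define FW_AUTH_FAILED    0
#define FW_AUTH_OK        1
#define FW_AUTH_REQ       2
#define FW_AUTH_INIT_REQ  100   /* user-defined stage: password requested */
#define FW_AUTH_CONT_REQ  101   /* user-defined stage: changed password requested */

struct fw_ret_struct {
    int  req_rsp_code;      /* stage on entry; status or next stage on return */
    char return_str[256];   /* prompt handed back to the firewall */
};

/* Bounded copy into return_str: no overrun even if a prompt is later built
 * from database data instead of a literal. */
static void set_prompt(struct fw_ret_struct *rc, const char *text)
{
    snprintf(rc->return_str, sizeof rc->return_str, "%s", text);
}

/* Compares all of both strings, so a wrong response costs the same time
 * whichever character differs first. Returns 1 when equal. */
int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)((i < la ? a[i] : 0) ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

/* Same two-stage contract as the manual's fw_tn_authenticate: a NULL response
 * with FW_AUTH_REQ yields the first prompt; later calls find the stage in
 * rc->req_rsp_code and check the response expected for that stage. */
int demo_tn_authenticate(char *username, char *response, struct fw_ret_struct *rc)
{
    if (username == NULL || rc == NULL)
        return FW_AUTH_FAILED;
    memset(rc->return_str, 0, sizeof rc->return_str);
    if (response == NULL && rc->req_rsp_code == FW_AUTH_REQ) {
        rc->req_rsp_code = FW_AUTH_INIT_REQ;
        set_prompt(rc, "Please enter password");
        return FW_AUTH_OK;
    }
    if (response != NULL && rc->req_rsp_code == FW_AUTH_INIT_REQ
            && same_secret(response, "password")) {
        rc->req_rsp_code = FW_AUTH_CONT_REQ;
        set_prompt(rc, "Please enter changed password");
        return FW_AUTH_OK;
    }
    if (response != NULL && rc->req_rsp_code == FW_AUTH_CONT_REQ
            && same_secret(response, "changed password")) {
        rc->req_rsp_code = FW_AUTH_OK;
        return FW_AUTH_OK;
    }
    rc->req_rsp_code = FW_AUTH_FAILED;   /* wrong response, NULL response, or unknown stage */
    return FW_AUTH_FAILED;
}

/* Plays the firewall's side: one prompt-only call, then one call per user
 * response, carrying the same fw_ret_struct through so the stage survives
 * between calls. Returns FW_AUTH_OK only when the final stage succeeded. */
int run_session(const char *user, const char **responses, int count)
{
    struct fw_ret_struct rc;
    char name[64], answer[128];
    snprintf(name, sizeof name, "%s", user);
    rc.req_rsp_code = FW_AUTH_REQ;                 /* the firewall's initial value */
    int rv = demo_tn_authenticate(name, NULL, &rc);
    for (int i = 0; rv == FW_AUTH_OK && i < count; i++) {
        printf("%s <- %s\n", user, rc.return_str); /* the prompt the user would see */
        snprintf(answer, sizeof answer, "%s", responses[i]);
        rv = demo_tn_authenticate(name, answer, &rc);
        if (rv == FW_AUTH_OK && rc.req_rsp_code == FW_AUTH_OK)
            return FW_AUTH_OK;                     /* both stages passed */
    }
    return FW_AUTH_FAILED;   /* wrong response, or the session ended mid-exchange */
}

int main(void)
{
    /* Constructed sessions, not captured firewall traffic. */
    const char *good[] = { "password", "changed password" };
    const char *bad[]  = { "password", "guess" };
    printf("good: %s\n", run_session("alice", good, 2) == FW_AUTH_OK ? "authenticated" : "failed");
    printf("bad:  %s\n", run_session("alice", bad, 2) == FW_AUTH_OK ? "authenticated" : "failed");
    return 0;
}
```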
Following is an example of a makefile for making fwuser.o. In this example, fwauthen.c contains fw_tn_authenticate and fw_ftp_authenticate, and fwprompt.c contains fw_prompt. Call this makefile Makefile.lib. This information can be found in /usr/lpp/FW/sample/Makefile.lib.
CDEBUGFLAGS=
LDFLAGS=
CDEBUGFLAGS=
HASSTDLIB=-DHASSTDLIB
LIB=fwuser.o
LIBOBJS=fwauthen.o fwprompt.o
CFLAGS=$(CDEBUGFLAGS) $(HASSTDLIB)

all: $(LIB)

$(LIB): $(LIBOBJS)
	cc $(HASSTDLIB) -o fwuser.o $(LIBOBJS) -bE:fwuser.exp -bM:SRE -e _t

fwauthen.o: fwauthen.c fwuser.h
fwprompt.o: fwprompt.c fwuser.h
fwuser.o can be obtained by executing the following command after renaming fwuser.exp.df to fwuser.exp:
The sample files Makefile.lib, fwuser.h, fwauthen.c and fwprompt.c are in /usr/lpp/FW/sample. A copy of fwuser.exp.df is also in /usr/lpp/FW/sample. To compile the sample files, rename fwuser.exp.df to fwuser.exp.
If both of the files /usr/bin/fwuserau and /usr/bin/fwuserpt are present, the functions in /usr/lib/fwuser.o will not be called. If you want to use the functions in fwuser.o, fwuserau or fwuserpt must be removed or renamed.
This chapter describes how to use the Simple Network Management Protocol (SNMP) to monitor your IBM Firewall resources.
SNMP is an open application protocol used in a TCP/IP environment for managing network functions. This chapter assumes familiarity with SNMP. The IBM Firewall uses the Management Information Base (MIB) and the SNMP Subagent to monitor the status of servers (INETD, FWPAGERD, FWMAILD, NAMED, PHTTPD, and SOCKD) and critical log records.
Management information is the abstraction of managed resources. These resources are defined as managed objects. The collection of managed objects is called a MIB. The MIB acts as the information store of the definition and specification of SNMP managed objects. The SNMP Subagent is a program or process that handles a specific portion of the MIB. The MIB registers with the SNMP agent so the agent knows where to send requests for the variables requested.
The SNMP agent performs all management operations as inspections or alterations of managed objects. The management operations are get or getnext. However, the firewall subagent does not support set.
The subagent can also emit unsolicited messages through "traps".
To set up SNMP traps:
There is a line in this file that defines where the traps are sent. It looks like this:
trap public 1.23.456.78 1.2.3 fe

where:
     community name is public
     IP address of the manager to receive the trap is 1.23.456.78
     view is 1.2.3
     traps to be blocked is fe

The last field (fe) indicates what traps you want to block:
     fe   block no traps (1111 1110)
     7e   block coldStart trap (0111 1110)
     be   block warmStart trap (1011 1110)
     3e   block coldStart trap and warmStart trap (0011 1110)

There are many coldStart traps that are issued when SNMP starts. The mask of 7e may be used to block the coldStart traps.
trap public 9.67.128.41 1.2.3 fe
Note: | Only one trap statement is allowed. If more than one trap statement is added, there is no error message on startup, but only the first trap definition entry specifications are used. |
These are the server names and status codes the manager receives when the Firewall SUBAGENT sends a trap. The numerical codes are the ASCII representation of the server names and status strings; for example, 69 6E 65 74 64 followed by the Not Running code means inetd is not running.

     Status          Code
     Running         52 75 6E 6E 69 6E 67
     Not Running     6E 6F 74 20 52 75 6E 6E 69 6E 67

     Server          Code
     INETD           69 6E 65 74 64
     FWPAGERD        66 77 70 61 67 65 72 64
     FWMAILD         66 77 6D 61 69 6C 64
     NAMED           6E 61 6D 65 64
     PHTTPD          70 68 74 74 70 64
     SOCKD           73 6F 63 6B 64
The subagent monitors the local4 log facility for -e, -i, and -w alert messages (emergency, information, and warning levels) and notifies the SNMP daemon of these alerts. A local4 log facility of at least information priority should be created.
SNMP trappable events:
     ICA0001e  Threshold conditions for authentication failures have been satisfied
     ICA0002e  Threshold conditions for detecting a specific log message have been satisfied
     ICA0003e  Threshold conditions for authentication failures from any specific host have been satisfied
     ICA0004e  Threshold conditions for detecting a specific log message have been satisfied
     ICA0012e  Daemon is abending or received terminate signal. Previous log messages would provide detail.
     ICA1010i  The /usr/sbin/fwlogd daemon must be started under root authority
     ICA2001e  A user, without an account, attempted to use ftp proxy from the network
     ICA2002e  Firewall is unable to authenticate the indicated username using the specified authentication method
     ICA2026i  Connection attempt timed out for specified user. Potential network routing problem or remote host is not available
     ICA2043i  Authentication type for this user is 'password' and no password was found.
     ICA3001e  Real user is ident username, not socks connect username
     ICA3012w  refused -- Connect from ser(real_user)@src_addr to dst_addr (application)
     ICA9000i  Internet Connection IBM Firewall (FW) evaluation expires in number of days
SystemView Agent and SystemView Mapper are installed before the SNMP subagent can be invoked.
Note: | The hostname must be known to itself. The /etc/hosts should have an entry of itself. |
An SNMP manager is refreshed when an SNMP manager is added or deleted from the IBM Firewall.
If the filter is active, start an SNMP manager by:
The user must define filter rules to enable traps to go through the firewall.
A default.config file is shipped upon new installation. During the installation, no filter is activated. A pre-defined SNMP filter can be selected. If no permit rule is selected in the filter rules, all SNMP traffic is denied. Traffic that matches neither a permit rule nor a deny rule is denied.
Neither the SNMP daemon network agent (snmpd) nor the SNMP firewall subagent is started during installation. Once the subagent has been started through the configuration client or SMIT, if the firewall is brought down abruptly, rebooting the firewall starts the subagent automatically using the operational values given in /etc/security/fwsubagt.cfg. If this file is missing, default values are used and /etc/security/fwsubagt.cfg is created.
Only root authority can change the Firewall SNMP manager definitions or start the subagent.
See Appendix C. "SNMP Management Information Base (MIB)" for more information on the MIB.
MKKF is used to create public-private key pairs and certificate requests, receive certificate requests into a key ring, and manage keys in a key ring.
You cannot have a secure SSL network connection until you have:
You need to use MKKF to create the initial server key, key ring file, and certificate request. MKKF is also used to receive the initial certificate into a key ring and stash your key file password.
You can create a key file for the firewall machine that can be used for both IPSEC and the configuration server.
Since the key file must be owned by the root username, you should run this utility logged on as root.
Note: | Do not give any other user or group ownership of the key file. |
# mkkf
MKKF Key Manager
Copyright IBM Corp. 1996
All Rights Reserved

Key Ring Menu
Currently Selected Key Ring: (none)
     N - Create New Key Ring File
     O - Open Key Ring File
     X - Exit
Enter a command: n
Enter 'n' as shown above to create a new key file.
You will be prompted for a file name to use for the key file. You can use any filename, but it must end in .kyr. By default, the firewall looks for a file named fwkey.kyr.
Enter a name for the key ring file, or press ENTER to accept the default of fwkey.kyr
MKKF will create a new key file and display the key ring menu. Note that the key file will be listed as the currently selected key ring.
Key Ring Menu
Currently Selected Key Ring: fwkey.kyr
     N - Create New Key Ring File
     O - Open Key Ring File
     S - Save Key Ring File
     A - Save Key Ring as Another File
     P - Set Password for Key Ring File
     C - Create Stash File for Key Ring File
     R - Receive a Certificate into a Key Ring File
     W - Work with Keys and Certificates
     X - Exit
Enter a command: w

Enter 'w', as shown above, to go to the Key menu.
Key Menu
Currently Selected Key Ring: fwkey.kyr
Selected Key Entry: (none)
     L - List/Select a key to work with
     C - Create a New Key and Certificate Request
     I - Import a key from an Armored key file
     X - Exit this menu
Enter a command: c
Enter 'c', as shown above, to create a new key.
Before a key can be stored in a key file, the key file must be password protected. MKKF will prompt you to enter a password to use to protect the key file. The password will not display when you type it. MKKF will also ask if the password should expire. Enter 'n' as shown below:
Note: | underlined indicates an example of text entered by the user. |
Enter password to use for the key file: password
Enter the password again for verification: password
Should the password expire? Enter Y for yes or N for no: n
Password successfully set.
Press ENTER to continue
MKKF will prompt you for the type of key to create.
Choose Certificate Type Menu
     S - Server Certificate
     L - Low Assurance
     C - Cancel
Enter a command: s
Enter 's', as shown above, to create a Server Certificate. MKKF will generate an empty certificate:
Compose Secure Server Certificate Menu
Current Certificate Information
     Key Name: (none)
     Key Size: 0
     Server Name: (none)
     Organization: (none)
     Organization Unit: (none)
     City/Locality: (none)
     State/Province: (none)
     Postal Code: (none)
     Country: (none)
     M - Modify the Certificate Fields
     R - Ready To Create Key and Certificate Request
     C - Cancel
Enter a command: m
Enter 'm' to modify the empty certificate. You will be prompted to enter information about the new certificate:
Enter a name to use for the key entry: Firewall Key
1: 508 2: 512 Enter the number corresponding to the key size you want: 2
Enter the server's fully qualified TCP/IP domain name or press Enter by itself to leave the field blank jupiter.raleigh.ibm.com
Enter Organization Name for the certificate or press ENTER by itself to leave the field blank. AAA Inc.
Enter Organizational Unit Name for the certificate or press ENTER by itself to leave the field blank. Network Security Products
Enter Locality/City Name for the certificate or press ENTER by itself to leave the field blank. RTP
Note: | Due to the specifications for certificates, this field must be a minimum of three characters, so two letter state abbreviations are not valid. |
Enter State/Province Name for the certificate or press ENTER by itself to leave the field blank. State/Province must be at least three characters long. N.C.
Enter Postal Code for the certificate or press ENTER by itself to leave the field blank. 27709
Enter Country Code for the certificate or press ENTER by itself to leave the field blank. Country code must be exactly two characters long. US
After MKKF has collected all the information from you, the certificate will be displayed:
Compose Secure Server Certificate Menu
Current Certificate Information
     Key Name: Firewall Key
     Key size: 512
     Server Name: jupiter.raleigh.ibm.com
     Organization: AAA Inc.
     Organizational Unit: Network Security Products
     City/Locality: RTP
     State/Province: N.C.
     Postal Code: 27709
     Country: US
     M - Modify the Certificate Fields
     R - Ready To Create Key and Certificate Request
     C - Cancel
Enter a command: r
If there are any mistakes in the certificate information, you can enter 'm' to make corrections. If the information is correct, enter 'r' to create the new key and its associated key file.
MKKF will prompt you for a file to store the certificate. You can use any file name, but a good convention to follow is to use the same base name as the key file and add .cert as the extension:
Enter file to store the certificate request in: fwkey.cert
Creating Private Key...
Private key was successfully created.
Creating certificate request...
certificate request was successfully created
Adding new key to key file.
The new key and certificate request were created successfully.
Press ENTER to continue
After the key and certificate have been created, the Key menu will be displayed. The newly created key will be listed as the Selected Key Entry:
Key Menu
Currently Selected Key Ring: fwkey.kyr
Selected Key Entry: Firewall Key
     L - List/Select a Key To Work With
     S - Show Information about Selected Key
     D - Delete Selected key
     C - Create a New Key and Certificate Request
     I - Import a Key From an Armored Key File
     E - Export Selected Key To an Armored Key File
     F - Make Selected Key the Default Key for this Key Ring
     U - Unmark Selected Key's Trusted Root Status
     R - Create A Certificate Request for Selected Key
     X - Exit This Menu
Enter a command: f
You must make the newly created key the default key in the key file. Enter 'f' as shown in the previous example. You will be prompted to confirm the action:
Key Menu
Currently selected key: Firewall Key
Are you sure you want to make this key the default?
Enter Y for yes or N for No: y
Key was made the default key.
Press ENTER to continue
After the key has been marked as the default, the Key Menu is displayed:
Key menu
Currently Selected Key Ring: fwkey.kyr
Selected Key Entry: Firewall Key
     L - List/Select a Key To Work With
     S - Show Information about Selected Key
     D - Delete Selected key
     C - Create a New Key and Certificate Request
     I - Import a Key From an Armored Key File
     E - Export Selected Key To an Armored Key File
     F - Make Selected Key the Default Key for this Key Ring
     U - Unmark Selected Key's Trusted Root Status
     R - Create A Certificate Request for Selected Key
     X - Exit This Menu
Enter a command: x

Exit the Key menu by entering 'x'.
The Key Ring menu will be displayed:
Key Ring Menu
Currently Selected Key Ring: fwkey.kyr
     N - Create New Key Ring File
     O - Open Key Ring File
     S - Save Key Ring File
     A - Save Key Ring as Another File
     P - Set Password for Key Ring File
     C - Create Stash File for Key Ring File
     R - Receive a Certificate into a Key Ring File
     W - Work with Keys and Certificates
     X - Exit
Enter a command: r
Note: | Since the firewall does not use SSL for authentication purposes, your certificate does not have to be signed by a certificate authority. |
Enter file name or press ENTER for Cert.txt. fwkey.cert
This is a self-signed certificate. Add it to the key file?
Enter Y for yes or N for no: y
Certificate added to key ring.
Press ENTER to continue
After the certificate has been added to the key ring, the Key Ring Menu is displayed:
Key Ring Menu
Currently Selected Key Ring: fwkey.kyr
     N - Create New Key Ring File
     O - Open Key Ring File
     S - Save Key Ring File
     A - Save Key Ring as Another File
     P - Set Password for Key Ring File
     C - Create Stash File for Key Ring File
     R - Receive a Certificate into a Key Ring File
     W - Work with Keys and Certificates
     X - Exit
Enter a command: c
You need to create a stash file for the key file. Enter 'c' as shown in the previous example. MKKF will use the same base name as the key file name and .sth as the extension:
Stashed password file saved to fwkey.sth
Press ENTER to continue
After the stash file has been created, the Key Ring Menu is displayed:
Key Ring Menu
Currently Selected Key Ring: fwkey.kyr
     N - Create New Key Ring File
     O - Open Key Ring File
     S - Save Key Ring File
     A - Save Key Ring as Another File
     P - Set Password for Key Ring File
     C - Create Stash File for Key Ring File
     R - Receive a Certificate into a Key Ring File
     W - Work with Keys and Certificates
     X - Exit
Enter a command: x
Your key file is now ready to be used. Enter 'x' as shown above to exit MKKF and enter 'y' to save changes to your key file as shown:
Key ring file has been changed. Save?
Enter Y for yes or N for no: y
Key ring saved to fwkey.kyr
Press ENTER to continue
#
After exiting the MKKF, check the file permissions on your key file, stash file and certificate file.
For security reasons, these files should be owned by root. If the files are not owned by root, change the owner using this command:
# ls -l fwkey*
-rw-r--r--   1 root     security       1025 Mar 18 10:01 fwkey.cert
-rw-------   1 root     security       3682 Mar 18 10:10 fwkey.kyr
-rw-------   1 root     security        129 Mar 18 10:09 fwkey.sth
After creating the keyfile, you must specify the key file name in the configuration server parameter file.
Edit the file /etc/security/rcsfile.cfg and look for the line that starts 'sslfile =' and modify it so the file name it lists matches the fully qualified path name of the keyfile you just created.
If you are using SSL encryption for the configuration server, you also need to find the line that starts 'encr=none' and change it to 'encr=ssl'.
Note: | This line does not have to be changed if you are using the key file only for IP SEC. |
This chapter tells you how to troubleshoot some of the common problems encountered when setting up and configuring a firewall. It also tells you how to test the firewall ports using the fwice command.
If you are having problems, first create a local4 log debug priority to increase the information sent to your logs. See "Log File Management" for more information.
This problem is caused by not rebooting the firewall after installation.
The IBM Firewall provides a feature on the Security Policy panel entitled "Test IP Routing", which can be useful for debugging routing problems. Enable this checkbox, activate your Connection configuration, and enable Connection Rules Logging. Then examine your local4 log to view detailed information about all packets flowing through your firewall.
Perform these tests first using IP addresses, then using host names. If your traffic routes properly using addresses but not using names, see "DNS Problems" for more information.
netstat -rn
The output should be as follows for Protocol Family 2:
Figure 5. Sample output from netstat -rn
Destination        Gateway              Flags   ....
default            nrr.nrr.nrr.nrr      UG
nnn.nnn.nnn        nnn.nnn.nnn.nnn      U
sss.sss.sss        sss.sss.sss.sss      U
ss1.ss1.ss1        srr.srr.srr.srr      UG
127                127.0.0.1            U
You should have an interface route for each interface and your default route should point to the router on the nonsecure side of the Firewall.
The firewall DNS resolves names by querying the secure name server. The secure name server resolves all names in the secure network. The secure name server forwards requests for nonsecure names to the firewall name server. The firewall name server queries the nonsecure name server to resolve the request.
Here are some examples to lead you through each step of this method using the nslookup utility in order to isolate the problem. In these examples, we will use the following placeholders:
These values can be obtained from the "Domain Name Services" panel in the Configuration Client. You will need these values as you work through these exercises.
Note: | The nslookup command requires the additional dot following the hostname to prevent nslookup from appending your secure domain name. |
Use the predefined services whenever possible, particularly with FTP traffic.
db2 -vf fwschema.dll > schema.out
db2 -vf fwimport.dat > import.out
db2 -vf fwqrysmp.dml > sample.out
ar: 0707-106 Internal error while reading the fixed header of archive file /foobar.a
"ar" of "foobar.Z" failed in /foobar.a
Check disk space.

This indicates insufficient disk space in either the working directory or the destination directory.
This section tells you how to test the Firewall ports using fwice. When you installed the IBM Firewall, you also installed a set of test programs that you can run from workstations inside or outside the secure network to test how well the IBM Firewall protects your network. Fwice gives information on every port.
Use the fwice command to test the ports on your Firewall host to see if they are responding from inside and outside the secure network. To use fwice, you need two files:
Running fwice might generate an ICA2000e message error. This might trigger a threshold violation from your log monitor facility.
Here is a sample entry in a hosts file:
124.8.7.4 test7.okla.norm.edu
If you do not supply a hosts file, /etc/hosts is used.
In the services file, each line has the format:
function port_no protocol
or
function port_no/protocol
If you do not supply a services file, the standard /etc/services on your system is used.
The fwice command stores its results in the results file you supply. If you do not supply one, the file ./results is used. Figure 6 shows sample entries in the ./results file.
Figure 6. Sample Entries in the results File
9.67.96.243 tcp 7 (echo) is alive and listening.
No connection to 9.67.96.243 on udp 7 (echo)
9.67.96.243 tcp 9 (discard) is alive and listening.
No connection to 9.67.96.243 on udp 9 (discard)
No connection to 9.67.96.243 on tcp 11 (systat)
9.67.96.243 tcp 13 (daytime) is alive and listening.
No connection to 9.67.96.243 on udp 13 (daytime)
No connection to 9.67.96.243 on tcp 15 (netstat)
No connection to 9.67.96.243 on tcp 17 (qotd)
9.67.96.243 tcp 19 (chargen) is alive and listening.
No connection to 9.67.96.243 on udp 19 (chargen)
No connection to 9.67.96.243 on tcp 20 (ftp-data)
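To turn two fwice runs into a review list, this added example (not part of fwice or of the manual) parses result lines in the format of Figure 6 and reports which ports answered from the nonsecure side and which answered only from the secure side. The two runs are constructed sample data, and parse_result_line, exposed_ports and filtered_ports are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample results (not real fwice output): one run from a
 * workstation on the secure side, one from the nonsecure side. */
static const char *INSIDE_RUN =
    "9.67.96.243 tcp 7 (echo) is alive and listening.\n"
    "No connection to 9.67.96.243 on udp 7 (echo)\n"
    "9.67.96.243 tcp 21 (ftp) is alive and listening.\n"
    "9.67.96.243 tcp 23 (telnet) is alive and listening.\n"
    "No connection to 9.67.96.243 on tcp 25 (smtp)\n";
static const char *OUTSIDE_RUN =
    "No connection to 9.67.96.243 on tcp 7 (echo)\n"
    "9.67.96.243 tcp 21 (ftp) is alive and listening.\n"
    "No connection to 9.67.96.243 on tcp 23 (telnet)\n"
    "9.67.96.243 tcp 25 (smtp) is alive and listening.\n";

struct probe { char proto[8]; int port; char name[32]; int alive; };

/* Parses one line in either of the two forms shown in Figure 6.
 * Returns 1 if the line was understood, 0 for anything else. */
int parse_result_line(const char *line, struct probe *p)
{
    char host[64];
    if (sscanf(line, "No connection to %63s on %7s %d (%31[^)])",
               host, p->proto, &p->port, p->name) == 4) {
        p->alive = 0;
        return 1;
    }
    if (sscanf(line, "%63s %7s %d (%31[^)]) is alive",
               host, p->proto, &p->port, p->name) == 4) {
        p->alive = 1;
        return 1;
    }
    return 0;
}

/* Splits a results buffer into lines and parses each; unknown lines are
 * skipped. Returns the number of probes stored (at most max). */
static int parse_run(const char *results, struct probe *out, int max)
{
    int n = 0;
    while (*results && n < max) {
        const char *nl = strchr(results, '\n');
        size_t len = nl ? (size_t)(nl - results) : strlen(results);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, results, len);
        line[len] = '\0';
        if (parse_result_line(line, &out[n])) n++;
        results += len + (nl ? 1 : 0);
    }
    return n;
}

/* Index of the probe with the same protocol and port, or -1 if absent. */
static int find_probe(const struct probe *set, int n, const char *proto, int port)
{
    for (int i = 0; i < n; i++)
        if (set[i].port == port && strcmp(set[i].proto, proto) == 0) return i;
    return -1;
}

/* Ports that answered from the nonsecure side: the list to check against the
 * filter rules you intended to permit. */
int exposed_ports(const char *outside_run, struct probe *out, int max)
{
    struct probe all[64];
    int n = parse_run(outside_run, all, 64), k = 0;
    for (int i = 0; i < n && k < max; i++)
        if (all[i].alive) out[k++] = all[i];
    return k;
}

/* Ports that answered from the secure side but not from the nonsecure side:
 * services the firewall is shielding as intended. */
int filtered_ports(const char *inside_run, const char *outside_run, struct probe *out, int max)
{
    struct probe in[64], outp[64];
    int ni = parse_run(inside_run, in, 64), no = parse_run(outside_run, outp, 64), k = 0;
    for (int i = 0; i < ni && k < max; i++) {
        if (!in[i].alive) continue;
        int j = find_probe(outp, no, in[i].proto, in[i].port);
        if (j < 0 || !outp[j].alive) out[k++] = in[i];
    }
    return k;
}

int main(void)
{
    struct probe p[16];
    int n = exposed_ports(OUTSIDE_RUN, p, 16);
    for (int i = 0; i < n; i++) printf("exposed:  %s %d (%s)\n", p[i].proto, p[i].port, p[i].name);
    n = filtered_ports(INSIDE_RUN, OUTSIDE_RUN, p, 16);
    for (int i = 0; i < n; i++) printf("filtered: %s %d (%s)\n", p[i].proto, p[i].port, p[i].name);
    return 0;
}
```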
This appendix gives you the following information about the IBM Firewall messages:
The numbers 0000 - 9999 are further classified into the following categories:
ICA0001 ALERT - count authentication failures.
Explanation: Threshold conditions for authentication failures have been satisfied.
ICA0002 ALERT - count authentication failures for user user_name.
Explanation: Threshold conditions for detecting a specific log message have been satisfied.
ICA0003 ALERT - count authentication failures from host host IP address.
Explanation: Threshold conditions for authentication failures from any specific host have been satisfied.
ICA0004 ALERT - Tag message_id with count log entries.
Explanation: Threshold conditions for detecting a specific log message have been satisfied.
ICA0005 Log monitor - out of memory.
Explanation: Process ran out of memory.
ICA0006 Log monitor - failure accessing services file: errno
Explanation: Could not find entry for fwlogmond in /etc/services.
ICA0007 Log monitor - socket creation failed: errno
Explanation: Could not open socket - see error message.
ICA0008 Log monitor - bind() failed: errno
Explanation: Could not bind socket - see error message.
ICA0009 Could not open threshold definition file: errno
Explanation: Problem accessing threshold definition file - see error message.
ICA0010 Log monitor - fatal read error: errno
Explanation: Problem reading from socket - see error message.
ICA0011 Could not get status of threshold definition file: errno
Explanation: Problem accessing threshold definition file - see error message.
ICA0012 Log monitor daemon shutting down.
Explanation: Daemon is abending or received terminate signal. Previous log messages would provide detail.
ICA0013 Log monitor caught terminate signal.
Explanation: Daemon received terminate signal and will shut down.
ICA0014 Starting log monitor daemon.
Explanation: Daemon has been started.
ICA0015 Could not create daemon for log monitor: errno
Explanation: Daemon creation failed - see error message.
ICA0016 Could not open process id file - daemon may already be active.
Explanation: Daemon could not open process id file.
ICA0017 Could not write process id (process id) to file.
Explanation: Daemon could not write process id to the file.
ICA0018 Log monitor - empty read.
Explanation: Received packet with no data - discarded.
ICA0019 Log monitor - short read. Tag discarded.
Explanation: Received packet with not enough data - discarded.
ICA0020 Log monitor - misformatted ICA tag.
Explanation: Received packet with misformatted data - discarded.
ICA0021 Log monitor - misformatted authentication data.
Explanation: Received packet with misformatted data - discarded.
ICA0022 Invalid syntax in threshold definition file (invalid entry).
Explanation: The indicated entry in the threshold file is syntactically incorrect.
ICA1001 Unable to create file with process id
Explanation: Filter logging daemon encountered an error when writing the file fwlogd.pid.
User Response: Check the system where directory /etc/security resides. Possible out-of-space condition exists.
ICA1002 Communications with cfgfilt program not possible
Explanation: Due to the fwlogd.pid file not being created, communication between the fwlogd daemon and the cfgfilt application (required for filter control) is not possible.
User Response: Check the system where directory /etc/security resides. Possible out-of-space condition exists.
ICA1003 Continuing with logging daemon initialization
Explanation: The fwlogd daemon will continue start-up processing.
ICA1004 Filter logging daemon /usr/sbin/fwlogd (level version.release) initialized at time on date
Explanation: The IP packet logging daemon has been started. If packet logging is enabled, daemon fwlogd will write the required records to the syslog, local4, file.
ICA1005 Suppressed logging of filter_rule_no packet message(s) due to buffer overflow
Explanation: The fwlogd daemon filter log buffer has overflowed. A packet for the specified filter rule cannot be logged.
User Response: Check the log. Your firewall may be under a denial-of-service attack or you may be logging messages that are not required. For example, broadcast messages should have a deny rule with log control set to no (l=n) to prevent filling up the log.
ICA1007 Unable to fork child process: errno
Explanation: During startup of /usr/sbin/fwlogd daemon, the indicated system error was encountered.
User Response: Based on the error displayed, take corrective action.
ICA1008 Error return from setpgrp routine: errno
Explanation: During startup of /usr/sbin/fwlogd daemon, the indicated system error was encountered.
ICA1009 Unable to fork second child process: errno
Explanation: During startup of /usr/sbin/fwlogd daemon, the indicated system error was encountered.
ICA1010 This daemon must run with root authorization
Explanation: The /usr/sbin/fwlogd daemon must be started under root authority.
User Response: Restart with root authority.
ICA1011 sysconfig call to query kernel extension load_path failed: errno
Explanation: During startup of /usr/sbin/fwlogd daemon, the indicated system error was encountered.
ICA1012 AIX kernel extension netinet not loaded cannot continue
Explanation: The netinet device driver does not contain filter support.
User Response: Install the Firewall code. Potentially, the code has been installed but the reboot has not been performed.
ICA1013 Socket creation call failed: errno
Explanation: During startup of /usr/sbin/fwlogd daemon, the indicated system error was encountered.
ICA1014 AIX netinet device driver not at required level
Explanation: The netinet device driver and fwlogd daemon are not the same level.
User Response: Resolve the conflict. Possible reboot required after installing new Firewall level.
ICA1015 Error on ioctl() call (SIOCGFWLOG): errno
Explanation: During startup of /usr/sbin/fwlogd daemon, the indicated system error was encountered.
ICA1016 Cannot get current deferred log queue
Explanation: Additional information associated with immediately preceding log message.
ICA1017 Error return from SIOCGFWLOG ioctl() call
Explanation: During startup of /usr/sbin/fwlogd daemon, the indicated system error was encountered.
ICA1019 Unexpected error exit with rc internal_fw_return_code
Explanation: During startup of /usr/sbin/fwlogd daemon, the indicated error was encountered.
ICA1021 Error on open /dev/ipsp_poif: errno
Explanation: The indicated device driver has not been installed.
User Response: If the Firewall code has been installed, check the /tmp/rc/net.out file for possible error messages.
ICA1022 Filter support verification failed
Explanation: Due to error ICA1021e, filter support cannot be verified.
ICA1023 Error on ioctl() call (SIOCGFWLVL): errno
Explanation: During startup of /usr/sbin/fwlogd daemon, the indicated system error was encountered.
User Response: Verify the correct level of the Firewall netinet device driver has been installed and the machine has been rebooted since the installation.
ICA1024 Error writing file /etc/security/fwlogd.pid: errno
Explanation: Due to the indicated system errno, fwlogd was unable to write the specified file.
User Response: Correct the indicated problem and restart the filter logging daemon.
ICA1032 Filter rules updated at time on date
Explanation: IP packet filtering rules have been updated.
ICA1033 Filter support (level version.release) initialized at time on date
Explanation: Firewall filter support has been initialized.
ICA1034 Filter support deactivated at time on date
Explanation: IP packet filtering now using default filter rules.
ICA1035 Status of packet logging set to enabled/disabled at time on date
Explanation: Status of packet logging has changed. Message indicates current state with time stamp.
ICA1036 #:rule_no R: rule_type direction: interface s:src_addr d: dst_addr p: protocol tag: scr_port/icmp_type tag: dst_port/icmp_code r:routed/local a: secure/non_secure f:yes/no T:tunnel_id e:C/D/n l:packet_length
Explanation: Log record indicating a processed IP packet and the corresponding filter rule it matched. For this record to be written, the matched filter rule must have log control set to yes. If the IP packet which matched this rule is a fragment, the ports/icmp type/code information appears for the header packet but is shown as zero for packets other than the header packet.
ICA1037 #:rule_no action src_addr src_mask dst_addr dst_mask protocol logical_op value logical_op value interface_type routing direction l=log_control f=fragment_control t=tunnel_ID enc_alg auth_alg
Explanation: When filters rules are updated, the activated rules are written to the log. This log message describes one of the activated rules.
ICA1038 Session Key engine started, using session socket port:port_no and master socket port:port_no
Explanation: Encryption tunnel started using specified UDP port numbers, as defined in /etc/services.
ICA1039 Policy being (re)defined as:
Explanation: Policy cache being (re)defined using file /etc/security/fwpolicy. Following lines show the new policy cache.
ICA1040 >Policy statement: tunnel_origin tunnel_end tunnel_ID encrypt_flag/authenticate_flag
Explanation: Line logged was read from the /etc/security/fwpolicy file.
ICA1041 Context specification deleted for tunnel:tunnel_ID
Explanation: The tunnel context, for the listed ID, is no longer operational.
ICA1042 The following tunnel context specification(s) is defined:
Explanation: Tunnel context specifications are being defined, as listed on the following log records.
ICA1043 >tunnel_ID:number, src_addr:IP_address, dst_addr:IP_address, encryption: algorithm
Explanation: Message lists specific attributes of activated tunnel context.
ICA1044 Host Counter Warning: IP(IP Address) Overlimit
Explanation: Too many secure hosts are trying to connect to the firewall machine.
System Action: Pass connections.
ICA1045 TCP Overlimit: IP Address(Port)->IP Address(Port) rejected
Explanation: There are too many TCP sessions through the firewall machine.
System Action: Reject connections.
ICA1046 UDP Overlimit: IP Address(Port)->IP Address(Port) rejected.
Explanation: There are too many UDP sessions through the firewall machine.
System Action: Reject connections.
ICA1047 Grace Period Warning : too many TCP sessions, IP Address(Port)->IP Address(Port) passed
Explanation: There are too many TCP sessions through the firewall machine.
System Action: Pass connections.
ICA1048 Grace Period Warning : too many UDP sessions, IP Address(Port)->IP Address(Port) passed
Explanation: There are too many UDP sessions through the firewall machine.
ICA1049 Invalid ipsec package: s:%1$s d:%2$s protocol:%3$s spi:%4$s
ICA1200 Terminating logging daemon due to above errors
Explanation: Due to errors recorded prior to this message, fwlogd daemon is terminating.
System Action: IP filter logging will not be activated.
User Response: Correct indicated errors and restart /usr/sbin/fwlogd.
ICA1260 Filter logging daemon terminating at time on date due to receipt of termination signal
Explanation: The fwlogd daemon received the indicated termination signal and is stopping.
ICA1305 "unknown"
Explanation: In formatting an IP packet for syslog, a record was found with an unknown protocol specification. Protocols IP, ICMP, TCP, UDP and IPSP are the recognized protocols. Note IPSP is IBM's designation for the encrypted packets passed through a tunnel.
ICA2000 New FTP session to IP_address from IP_address (non-secure site).
Explanation: Starting a new FTP session from non-secure site.
ICA2001 Authentication failed for user name (unknown) from net FTP:IP_address.
Explanation: A user, without an account, attempted to use FTP proxy from the network.
User Response: See your firewall administrator to set up a proxy account.
ICA2002 Authentication failed for user name with authentication method from network: host name.
Explanation: Firewall is unable to authenticate the indicated user name using the specified authentication method.
User Response: See your Firewall administrator.
ICA2003 No shells configured for user name.
Explanation: The identified user attempted a proxy login and no login shell has been defined.
User Response: See your Firewall administrator to correct this user login profile.
ICA2004 Unknown audit event of 0xhex_value received.
Explanation: An unknown audit request was received by the module tcpip_audit.c.
ICA2005 Error writing to client: errno.
Explanation: Unable to communicate with client; see logged system message.
ICA2006 ptelnetd: auditproc: errno.
Explanation: Indicated error returned by telnet audit process. System files might be corrupted.
ICA2007 ptelnetd: panic state=value.
Explanation: Unknown error detected. System files might be corrupted.
ICA2008 Non-firewall user name from :IP_address telneted in.
Explanation: A user, without a firewall account, attempted to use telnet proxy.
System Action: Generic authentication is assumed.
ICA2009 /bin/login: errno.
Explanation: Fatal error during system login. See indicated system error message.
ICA2010 Connect to IP_address from IP_address (non-secure).
Explanation: Successful connection between indicated IP addresses through the non-secure interface.
ICA2011 Connect to IP_address from IP_address (secure).
Explanation: Successful connection between indicated IP addresses through the secure interface.
ICA2012 New FTP session to IP_address from IP_address (secure site).
Explanation: Starting a new FTP session.
ICA2013 New Telnet session to IP_address from IP_address.
Explanation: New telnet session established.
ICA2014 Option value not supported.
Explanation: The indicated flag is not supported; see the preceding message.
ICA2015 Option -value not supported.
Explanation: The indicated flag is not supported; see the preceding message.
ICA2016 Remote user-id "name".
Explanation: FTP connection request for indicated user.
ICA2018 SNK not found for user name.
Explanation: SecureNetKey value was not found for indicated user_ID.
User Response: See your Firewall administrator for possible login configuration problem.
ICA2019 SNK not read properly for user name.
Explanation: SecureNetKey value was not readable as octal digits for indicated user_ID.
User Response: See your Firewall administrator for possible login configuration problem.
ICA2020 /usr/bin/fwuserau or /usr/bin/fwuserpt does not exist.
Explanation: Authentication using user-supplied authentication method is aborted.
System Action: Authentication is aborted.
User Response: Make sure that /usr/bin/fwuserau and /usr/bin/fwuserpt exist and are owned by root. If the executable does not exist, build one using a compiler compatible with the operating system of the firewall and name it /usr/bin/fwuserau or /usr/bin/fwuserpt.
ICA2021 Trying to connect to remote host name with user-id name.
Explanation: Trying to establish a new FTP connection.
ICA2022 Trying to connect to remote host name.
Explanation: Trying to establish a new FTP connection.
ICA2023 Usage: ptelnetd [-n] [-s].
Explanation: Unknown flag specified when starting the ptelnet daemon.
User Response: Use only flags -n and/or -s.
ICA2024 User name successfully authenticated using method authentication from network: host name.
Explanation: FW authenticated the indicated user name using the specified authentication method.
ICA2025 User name logged in using method authentication from network :host name.
Explanation: FTP user logged in.
ICA2026 User name timed-out after n seconds at current time.
Explanation: Connection attempt timed out for specified user. Either there is a potential network routing problem or the remote host is not available.
ICA2027 Connection from remote host at time.
Explanation: Net FTP connection established to Firewall.
ICA2028 FTP connection attempt to IP_address from IP_address refused. This machine does not support FTP from non-secure site.
Explanation: Generally indicates an attempt to establish an FTP connection to Firewall across the nonsecure interface.
System Action: Reject the connection.
ICA2029 System error with errno = - in in line line.
Explanation: A system call encountered a problem.
System Action: System execution halted.
User Response: Get the log, find out the meaning of the errno, and try to resolve the problem. If it cannot be resolved, contact IBM service.
ICA2030 Function call with return code = - in in line line.
Explanation: The function call encountered a problem.
System Action: Error returned.
User Response: Get the log, find out the meaning of the return code, and try to resolve the problem. If it cannot be resolved, contact IBM service.
ICA2031 sdi function call creadcfg() rc = -.
Explanation: The function call encountered a problem.
System Action: Error returned.
User Response: Consult the SDI Reference for explanation.
ICA2032 Lost connection.
Explanation: Lost FTP connection.
User Response: Reestablish session.
ICA2033 sdi function call sd_init rc = -.
Explanation: The function call encountered a problem.
System Action: Error returned.
User Response: Consult the SDI Reference for explanation.
ICA2034 sdi function call sd_check rc = -.
Explanation: The function call encountered a problem.
System Action: Error returned.
User Response: Consult the SDI Reference for explanation.
ICA2035 setsockopt(): errno.
Explanation: System error on setsockopt call.
ICA2036 Telnet Session session id started for user user id (source IP addr:dest IP addr).
Explanation: Message generated at the start of each Telnet session. A session begins when userid, source IP and destination IP are all known to the firewall. The session ID is a unique identifier generated by the firewall.
ICA2037 User fwdfuser or fwdpuser tried to login, is not allowed.
Explanation: fwdfuser and fwdpuser are reserved users and should not be used.
System Action: Login is refused.
User Response: The administrator should investigate who is using this user ID.
ICA2038 ttloop: peer died: errno.
Explanation: An error occurred while flushing the network output buffer. It appears that the peer process has died.
ICA2039 ttloop: read: errno.
Explanation: An error occurred while flushing the network output buffer.
ICA2040 Authentication set to password or none is not allowed for user ID fwdfuser.
Explanation: fwdfuser is a reserved user ID and should not use password or none as the authentication method.
System Action: Login is refused.
User Response: The administrator should change the authentication method for user ID fwdfuser.
ICA2041 FTP session session id started for user id (source IP addr:dest IP addr).
Explanation: Message generated at the start of each FTP session. A session begins when userid, source ip and destination ip are all known to the firewall. The session id is a unique identifier generated by the firewall.
ICA2042 req_rsp_code is incorrectly set to FW_AUTH_REQ.
Explanation: fw_tn_authenticate is not allowed to set req_rsp_code to FW_AUTH_REQ.
System Action: Abort the authentication.
User Response: Change fw_tn_authenticate, rebuild the library fwuser.o, and install it on the Firewall.
ICA2043 Could not get password for user_name.
Explanation: Authentication type for this user is 'password' and no password was found.
User Response: See your Firewall administrator.
ICA2044 Incorrect time (value) specified for -t.
Explanation: The time value shown contains characters outside the numeric range of 0 to 9 or exceeds the maximum allowed value.
ICA2045 Option -T not supported on firewall.
Explanation: Indicated option is not supported.
ICA2046 Option -k not supported on firewall.
Explanation: Indicated option is not supported.
ICA2047 Option -s not supported on firewall.
Explanation: Indicated option is not supported.
ICA2048 Option -u not supported on firewall.
Explanation: Indicated option is not supported.
ICA2049 Unknown flag -value ignored.
Explanation: Indicated flag was specified and is not recognized.
ICA2050 Unknown parm value.
Explanation: Indicated value, specified as an option, is not recognized.
ICA2051 adapt_addr conversion error on address.
Explanation: IP address shown is not valid.
User Response: The file /etc/security/fwsecadpt.cfg might be corrupted. Remove the file, reconfigure your secure interface(s), and reinitialize the filters.
ICA2052 afopen failed to open /etc/security/login.cfg: errno.
Explanation: Unable to authenticate user; open error on indicated file.
ICA2053 Could not open secure interface file.
Explanation: A secure interface has not been configured.
User Response: If a secure interface should be defined, use Firewall commands/GUI panels to define the secure interface(s).
ICA2054 enduserdb rc=value, errno.
Explanation: Received indicated system error code when attempting to retrieve user login profile information.
User Response: See your Firewall administrator to verify your login account.
ICA2055 getpeername() (invocation name): errno.
Explanation: System error when FTP daemon attempted to get socket name.
ICA2056 getsockname() (invocation name): errno.
Explanation: System error when FTP daemon attempted to get port name.
ICA2057 getuser non-secure shell rc=value for user_ID, errno.
Explanation: Received indicated system error code when attempting to retrieve shell name for connection from nonsecure side of Firewall.
User Response: See your Firewall administrator to set a shell for your user login profile.
ICA2058 getuser secure shell rc=value for user_ID, errno.
Explanation: Received indicated system error code when attempting to retrieve shell name for connection from secure side of Firewall.
User Response: See your Firewall administrator to set a shell for your user login profile.
ICA2059 ioctl(): errno
Explanation: System error on ioctl() call for SIOCSPGRP.
ICA2060 ptelnetd: ftok for shared memory failed.
Explanation: Unable to allocate shared memory segment.
User Response: Contact the Firewall administrator.
ICA2061 ptelnetd: shmat for shared memory failed.
Explanation: Unable to allocate shared memory segment.
User Response: Contact the Firewall administrator.
ICA2062 ptelnetd: shmget for shared memory failed.
Explanation: Unable to allocate shared memory segment.
User Response: Contact the Firewall administrator.
ICA2063 setsockopt() (SO_DEBUG): errno.
Explanation: Indicated error message returned from system call 'setsockopt'.
ICA2064 setsockopt() (SO_KEEPALIVE): errno.
Explanation: Indicated error message returned from system call 'setsockopt'.
ICA2065 setuser rc=value, errno.
Explanation: Received a bad return code on a system call for the indicated reason.
ICA2066 signal(): errno.
Explanation: System error when FTP daemon attempted to establish signal handler.
ICA2067 Fatal pFTPd initialization error - bind(): errno
Explanation: pFTPd server initialization failed, daemon terminated.
User Response: Correct the indicated system problem and restart pFTPd. The most likely cause of this error is another FTP daemon already listening on the standard FTP port (21).
ICA2068 Fatal pFTPd initialization error - listen(): errno
Explanation: pFTPd server initialization failed, daemon terminated.
User Response: Correct the indicated system problem and restart pFTPd.
ICA2069 Fatal pFTPd error - main accept(): errno
Explanation: pFTPd server main routine failed, daemon terminated.
User Response: Correct the indicated system problem and restart pFTPd.
ICA2070 Fatal pFTPd initialization error - socket(): errno
Explanation: pFTPd server initialization failed, daemon terminated.
User Response: Correct the indicated system problem and restart pFTPd.
ICA2071 PFTPd error - spawn(): errno
Explanation: The attempt to spawn a child process to handle an FTP request failed.
ICA2072 FTP configuration file (filename) is not available.
Explanation: FTP daemon attempted to open the specified FTP configuration file but it either does not exist or could not be opened.
System Action: FTP daemon processing uses the default configuration.
User Response: None, unless the file should exist, in which case it should be created or moved to the location specified in the message.
ICA2073 Unable to obtain storage for FTP language table.
Explanation: Storage required to represent a REPLYLANGUAGE statement in the FTP configuration file could not be obtained.
System Action: Processing continues.
User Response: Increase the region size or reduce the entries in the configuration file.
ICA2074 Processing complete for FTP config statement: configuration statement
Explanation: FTP has processed the indicated configuration statement.
System Action: Processing continues.
User Response: None
ICA2075 FTP for user id (source IP addr:dest IP addr), operation file name, numbytes bytes. sid: session id.
Explanation: Message generated for each file transfer on open FTP sessions. The sid is a unique identifier generated by the firewall at session start.
ICA2076 FTP Session session id ended for user id (source IP address:dest IP addr), duration seconds, numbytes bytes.
Explanation: Message generated at the end of each FTP session. The sid is a unique identifier generated by the firewall at session start.
ICA2077 Telnet Session session id ended for user id (source IP address:dest IP addr), numbytes bytes.
Explanation: Message generated at the end of each Telnet session. The sid is a unique identifier generated by the firewall at session start.
ICA2078 Disconnected proxy user user - idle for time minutes.
Explanation: User's session has exceeded maximum allowable idle time.
ICA2079 Attention - Unauthorized connection attempt to IP_address from IP_address.
Explanation: Generally indicates an attempt to establish a connection to Firewall across the non-secure interface.
System Action: Reject the connection.
ICA2080 Syntax error (reason) near column column in FTP configuration file line line: configuration statement
Explanation: The FTP configuration statement at the given line is in error. The reason for the error and the location where the error was detected are provided.
System Action: Statement is ignored.
User Response: Correct the statement in the FTP configuration file.
ICA2081 No message catalog given by FTP configuration statements is usable.
Explanation: Attempts to open the message catalogs given by the REPLYLANGUAGE FTP configuration statements failed. No client message catalog can be used.
System Action: Client message catalog is forced to the English language in the C directory.
User Response: Ensure that there are catalog files in each of the directories associated with the language directories in the FTP configuration REPLYLANGUAGE statements. Also check that the NLSPATH environment variable is correctly set to allow substitution of both the sub-directory from the LANG environment variable (%L) and the catalog name (%N).
ICA2082 Unable to set FTP LANG environment variable to sub-directory, reason: reason
Explanation: A system error (given by the reason) occurred when the FTP daemon was trying to change the setting of the LANG environment variable to the sub-directory specified.
System Action: Processing continues. Recovery may generate other messages.
User Response: Use the reason given to determine if this is a system error or programming error.
ICA2083 Unable to open FTP client message catalog in directory: sub-directory, reason: reason
Explanation: FTP daemon could not open the message catalog in the given sub-directory. The reason given is the errno returned from catopen().
System Action: Processing continues. Recovery may generate other messages.
User Response: Ensure that there is a catalog in the directory associated with the language directory provided. Check that the NLSPATH environment variable is correctly set to allow substitution of both the sub-directory (%L) and the catalog name (%N).
ICA2084 Forcing FTP client message catalog to English via the C sub-directory.
Explanation: Due to previously listed errors, the FTP daemon has forced the client message catalog to the English language using the C sub-directory.
System Action: If the language can be forced to the C message catalog, processing continues. If it cannot, the program exits.
User Response: Correct the error from the previous messages. If the program also exited, create the message catalog in the C sub-directory and set the NLSPATH environment variable correctly.
ICA2085 Telnet Session ended for pid Process id (source IP address).
Explanation: Message generated at the end of each Telnet session.
ICA2086 Misconfigured user file; user user with no key (key).
Explanation: FTPd found the requested user in the user file but could not find the key; the user file is misconfigured.
User Response: Use Firewall commands/smit panels to correct this problem.
ICA2087 FTPd could not find the specified user user in the user config file.
Explanation: The username specified has not been configured, or the user.cfg file is corrupt.
User Response: Use Firewall commands/smit panels to correct this problem.
ICA2088 FTPd could not open user configuration file.
Explanation: FTPd made a call to fopen which failed because it could not open the user config file.
User Response: Make sure the user config file (user.cfg by default) is available; use Firewall commands/smit panels to correct this problem.
ICA2089 Authorization type from user file (Authorization type) did not match any entries in table (struct tab2 authtab[]).
Explanation: The authorization type of the specified user (returned from user.cfg) does not match any supported type (such as deny, none, snk, sdi, password, etc.).
User Response: Check user.cfg file integrity or configuration; use Firewall commands/smit panels to correct this problem.
ICA2090 Authentication failed for user 'user name' from client ip because KEY=DENY in the user.cfg file.
Explanation: Authentication failed due to user.cfg file specifications set by the Firewall administrator.
User Response: See your Firewall administrator.
ICA2091 User 'user name' not allowed to FTP to the non-secure port (firewall ip).
Explanation: User tried to FTP into the firewall server via a non-secure port (nsp) - all nsp users must have their 'fwnsFTP' key properly configured to a valid authorization type (in the user.cfg file).
User Response: Check user.cfg file integrity or configuration; use Firewall commands/smit panels to correct this problem.
ICA2092 Internal Error: nt_gwauth() failed.
Explanation: nt_gwauth() normally returns one of three values (AUTHENTICATED,NOT_AUTHENTICATED or DENY) in this
ICA2093 User '%1$s' not allowed to FTP to the secure port (%2$s).
Explanation: User tried to FTP into the firewall server via a secure port (sp) - all sp users must have their 'fwsFTP' key properly configured to a valid authorization type (in the user.cfg file).
User Response: Check user.cfg file integrity or configuration; use Firewall commands/smit panels to correct this problem.
ICA2094 Login Failed: expected format: "PASS <password>" after: "USER <user name>"; received invalid cmd.
Explanation: Authentication failed because the FTP client did not send the expected format (PASS 'password' per RFC959)
User Response: Type "user <username>"; enter correct password. See your Firewall administrator.
ICA2095 Login Failed: (via method auth method) failed authentication of user 'user name' from client ip (client site).
Explanation: Authentication failed due to invalid input by the client for the specified authentication type, such as an invalid password or SNK key.
User Response: See your Firewall administrator.
ICA2096 Authenticated: (via method auth method) successful authentication of user 'user name' from client ip (client site).
Explanation: Authentication succeeded.
ICA2097 httpd --> Starting HTTP proxy server version HTTP Proxy Version.
Explanation: HTTP Proxy for WWW access starting.
ICA2098 httpd --> Shutting down HTTP proxy server.
Explanation: HTTP Proxy for WWW access shutting down.
ICA2099 httpd --> Status: <HTTP Status code> from client <IP address>, who requested <"HTTP GET request"> for <number of bytes> bytes.
Explanation: Status of a client HTTP request for a file through the proxy.
ICA2100 Socket address equals zero.
Explanation: An invalid destination address was found in the local request.
ICA2101 Socket address family error: sin_family_type.
Explanation: An invalid address family type was found in the local request.
ICA2102 Error initializing odm: odmerrno.
Explanation: An odm_initialize() error occurred for ODM (Object Data Manager).
ICA2103 Error setting odm default path: odmerrno.
Explanation: An odm_set_path() error occurred for the ODM (Object Data Manager) object class OCSvhost.
ICA2104 Error locking odm database: odmerrno.
Explanation: An odm_lock() error occurred for ODM (Object Data Manager).
ICA2105 Error opening odm object Customized_Attribute: odmerrno.
Explanation: An odm_open_class() error occurred for ODM (Object Data Manager).
ICA2106 Error searching odm object OCS_virtual_host: odmerrno.
Explanation: An odm_get_first() error occurred for the ODM (Object Data Manager) object class OCSvhost.
ICA2107 Error closing odm object OCS_virtual_host: odmerrno.
Explanation: An odm_close_class() error occurred for the ODM (Object Data Manager) object class OCSvhost.
ICA2108 Error unlocking odm database: odmerrno.
Explanation: An odm_unlock() error occurred for ODM (Object Data Manager).
ICA2109 Error terminating odm: odmerrno.
Explanation: An odm_terminate() error occurred for ODM (Object Data Manager).
ICA2110 Error getting server by name: errno.
Explanation: A getservbyname() error occurred. The host Login Monitor service, lm, is not specified properly in the /etc/services file.
ICA2111 byname() error: errno.
Explanation: A gethostbyname() error occurred. The host machine name is not specified properly in /etc/hosts.
ICA2112 Invalid protocol name: protocol_name.
Explanation: The protocol name specified in the ODM object class OCSvhost is not supported.
ICA2113 Error opening socket to LM: errno.
Explanation: A socket() error occurred while opening a socket to the host machine where the Login Monitor resides.
ICA2114 Error binding local address: errno.
Explanation: A bind() error occurred while binding the local address for this OCS node.
ICA2115 Error connecting socket to LM: errno.
Explanation: A connect() error occurred while connecting to the host machine where the Login Monitor resides.
ICA2116 Protocol type error: protocol_type.
Explanation: The virtual terminal protocol type used to communicate with the host Login Monitor is invalid.
ICA2117 Malloc error on LM message.
Explanation: A malloc() error occurred when dynamically allocating space for the variable-length Login Monitor message.
ICA2118 Error transmitting msg to LM: errno.
Explanation: A send() error occurred when sending Login Monitor a request to open the correct host device.
ICA2119 Error receiving msg from LM: errno.
Explanation: A recv() error occurred when Login Monitor returns an acknowledgement.
ICA2120 Status error from LM: status.
Explanation: The acknowledgement from the Login Monitor indicates that the host device was not successfully opened.
ICA2121 Error opening OCS administration device: errno.
Explanation: The OCS administration device was not successfully opened.
ICA2122 Failed coverting IP address to TBM ID: errno.
Explanation: The ioctl() command OCS_GET_TBMID failed on the OCS administration device.
ICA2123 Error Connectting TBM determined by rlogin: errno.
Explanation: The ioctl() command OCS_IS_TBM_CONNECTED failed on the OCS administration device.
ICA2124 No host nodes are connected: errno.
Explanation: There are no host nodes connected to this OCS node from the list of possible host nodes.
ICA2125 Error getting list for ODM(Object Data Manager): Customized_Attribute: odmerrno.
Explanation: An odm_get_list() error occurred for ODM object class, CuAt(Customized Attribute).
ICA2126 No OCS host node name associated with: hostnode_to_connect.
Explanation: The CuAt(Customized Attribute) entry was found but there was no hostnode/ocsnode match.
ICA2127 Malloc error on Host array.
Explanation: A malloc() error occurred when dynamically allocating space for the array of possible host names.
ICA2128 User (unknown) from client ip (client site) attempted a command 'invalid command' before authentication.
Explanation: A user attempted actions before entering a username and password for authentication. Users must be authenticated before any further processing can continue.
User Response: Log in with USER and PASS.
ICA2129 gethostbyname (invocation name): errno
Explanation: System error when FTPd attempted to get host information corresponding to the host name.
ICA2130 User (username) from client ip (client site) attempted a command 'invalid command' .
Explanation: Specified user attempted invalid command.
User Response: Only commands USER, QUOTE SITE and QUIT are allowed until you specify "quote site destination".
ICA2131 Authentication failed for user 'user name' from client ip because of an error in the user.cfg file.
Explanation: Authentication failed due to user.cfg file specifications set by the Firewall administrator (check previous logs).
User Response: See your Firewall administrator.
ICA2132 User 'user' from ip client ip (client site) attempted the invalid command 'invalid command' .
Explanation: The user attempted an invalid command. The only valid commands at this point are SITE,USER, and QUIT.
ICA2133 Error: function call failed in instance:line (WSAGetLastError() = WSAGetLastError): errno
Explanation: General error message; check the logs.
ICA2134 Notice: FTPd: connect() (in instance) could not reach IP (WSAGetLastError() = WSAGetLastError): errno .
Explanation: connect() could not reach the requested address; check the WSAGetLastError result.
User Response: Double-check the address; this may be a DNS or network error.
ICA2135 Data transfer completed: Received bytes bytes (from source IP); sent bytes bytes (to destination IP).
Explanation: This information reflects a single data transfer during a particular FTP session.
ICA2136 Error: CreateThread() failed in instance: errno.
Explanation: FTPd could not create a thread.
ICA2137 Data connection established; server: source ip client: destination ip.
Explanation: Successful data connection.
ICA2138 Insufficient memory: pFTPd: malloc(bytes) returned NULL in function instance.
Explanation: Unable to allocate enough memory; malloc returned NULL.
ICA2139 LogonUser() failed: reason.
Explanation: The Windows NT (SAM) API LogonUser (for password authentication) failed due to specified reason(s).
User Response: Contact the Firewall administrator.
ICA2141 FTP session to IP_address from IP_address terminates.
Explanation: The FTP session to the firewall terminates, whether or not a quote site command to the destination was issued.
ICA2142 fw_tn_authenticate authenticated userid successfully.
Explanation: fw_tn_authenticate has authenticated the specified user ID.
System Action: Login is successful.
ICA2143 fw_tn_authenticate authentication for userid failed.
Explanation: fw_tn_authenticate cannot authenticate the specified user ID.
System Action: Login is refused.
User Response: If fw_tn_authenticate has any logging facilities, the administrator should look at the log file to determine the cause.
ICA2144 fw_tn_authenticate did not return successfully.
Explanation: The value returned by fw_tn_authenticate is not zero. The function fw_tn_authenticate might be missing.
System Action: Login is refused.
User Response: Look at fw_tn_authenticate carefully to see if it ever returns a non-zero value and correct it if it does. If that is the case, rebuild the library fwuser.o and install it on the Firewall.
ICA2145 The system returned return code rc in file filename at line linenumber.
Explanation: A system call failed. The library fwuser.o might be absent.
System Action: Authentication is aborted.
User Response: Make sure that /usr/lib/fwuser.o is present. If it is, contact your IBM representative.
ICA2146 The IBM-supplied fwuser.o has not been replaced.
Explanation: You are using the IBM-supplied fwuser.o because you have not replaced it with your own fwuser.o.
System Action: Authentication is aborted.
User Response: You should write and compile your own authentication if you defined any user to use User-Supplied authentication. The IBM-supplied fwuser.o denies access to all non-AIX and non-Firewall users.
ICA2147 fwtelnet: user user id started a transparent telnet session from source IP addr (secure side) to dest IP addr.
Explanation: Message generated at the start of each transparent proxy session (fwtelnet). A session begins when userid, source IP and destination IP are all known to the firewall. Only sessions started from the secure side are allowed.
System Action: Allow the transparent telnet session.
ICA2148 Attention -- Unauthorized connection attempt for user user id from source IP addr (nonsecure side) to dest IP addr, is not allowed.
Explanation: Generally indicates an attempt to establish a connection to Firewall across the non-secure interface.
System Action: Reject the connection.
User Response: Telnet from the secure side using the transparent proxy.
ICA2149 fwtelnet: a LOGIN_ADAPTER_ERROR occured while starting a transparent telnet session from source IP addr to dest IP addr.
Explanation: A LOGIN_ADAPTER_ERROR occurred when calling q_check_secure(0).
System Action: Reject the connection.
User Response: Check the secure adapter.
ICA2150 PFTPd error - failing function: return code = 0xfunction return code
Explanation: The pFTPd server detected an error in the indicated function. The daemon terminates.
User Response: Correct the indicated system problem and restart pFTPd.
ICA2151 Login refused.
Explanation: This message is displayed to a user who tries to log in but is not allowed.
ICA2152 wlogin: write to device failed.
Explanation: Cannot write to the device.
ICA2153 wlogin: read from device failed.
Explanation: Cannot read from the device.
ICA2154 Error in portname with reason.
Explanation: The Firewall encountered a problem.
ICA2155 PFTPd error - failing function: system error message
Explanation: The pFTPd server detected an error in the indicated function. The daemon terminates.
User Response: Correct the indicated system problem and restart pFTPd.
ICA2156 Attention -- User user id tried to use transparent FTP from NONSECURE side source IP addr to dest IP addr, was not allowed.
Explanation: Generally indicates an attempt to establish a connection to the Firewall across the non-secure interface.
System Action: Reject the connection.
User Response: You should FTP from the secure side using the transparent proxy.
ICA2157 User user id from source IP addr is not allowed to use transparent proxy to dest IP addr.
Explanation: Generally indicates an attempt to establish a connection to the Firewall while the transparent proxy is not configured.
System Action: Reject the connection.
User Response: Turn the transparent FTP proxy on (fwtpproxy FTP = on).
ICA2158 Option value was specified incorrectly.
Explanation: Indicated flag was specified incorrectly.
ICA2159 Timeout value not specified for -t option.
Explanation: A timeout value must be supplied for the -t option.
ICA2160 Password changed for user user ID from network :host name.
Explanation: An FTP user has successfully changed his password in the password database.
System Action: None
User Response: None
ICA2161 User user ID attempted login using expired password from network :host name.
Explanation: An FTP user attempted to establish a connection to the Firewall using an expired password.
System Action: The FTP login validation fails and the user is returned to the FTP command shell.
User Response: The user must attempt to validate again through the FTP USER command or by re-establishing the FTP connection and passing the password string of the form "old_password/new_password/new_password".
ICA2162 Password change failure for user user ID from network :host name.
Explanation: An FTP user attempted to change his password and the password validation routine failed. The possible reasons for the failure include:
ICA2163 Fwmaild started.
Explanation: Starting fwmaild.
ICA2164 Fwmaild stopped.
Explanation: Stopping fwmaild.
ICA2165 Interrupted telnet session.
Explanation: The telnet session is ending, but it cannot retrieve its session information from the pipe. The session was probably interrupted during startup by the client, so the session was not fully initialized.
ICA3001 Real user is ident user name, not socks connect user name
Explanation: Possible security breach attempt; user name not authenticated.
ICA3006 count bytes from client, count bytes from server
Explanation: Message indicating number of bytes transferred between the sockd daemon and its respective client and server hosts.
ICA3010 connected -- Bind from user(real_user)@src_addr for dst_addr (destination port)
Explanation: Connection established.
ICA3011 connected -- Connect from user(real_user)@src_addr to dst_addr (application)
Explanation: Successful socket connection to external network.
ICA3012 Connection refused -- Connect from user(real_user)@src_addr to dst_addr (application)
Explanation: Remote host refused connection.
ICA3013 select() errno
Explanation: System error.
ICA3014 Connection terminated -- Bind from user(real_user)@src_addr for dst_addr (destination port). (count bytes from client, count bytes from server)
Explanation: Connection terminated; see log message.
ICA3015 terminated -- Connect from user(real_user)@src_addr to dst_addr (destination host). (count bytes from client, count bytes from server)
Explanation: Connection to server terminated; see log message.
ICA3016 Cannot find appropriate interface to communicate with destination host
Explanation: File /etc/sockd.route does not contain routing information for the specified destination host.
ICA3017 Cannot execute shell command for pid sockd process
Explanation: The sockd daemon was unable to execute a /bin/sh command.
User Response: Verify the /bin/sh shell is available on the system.
ICA3018 refused -- Bind from user(real_user)@src_addr for dst_addr
Explanation: Remote host refused connection.
ICA3019 Error in GetDst() from host socks_src_name: errno
Explanation: Error in resolving destination address for requested connection.
ICA3022 Invalid ?= field at line line number
Explanation: Invalid entry found in /etc/sockd.conf file.
ICA3023 Invalid comparison at line line number
Explanation: Invalid entry found in /etc/sockd.conf file.
ICA3024 Invalid entry at line line number
Explanation: Invalid entry found in /etc/sockd.route file.
ICA3025 Invalid permit/deny field at line line number
Explanation: Invalid entry found in /etc/sockd.conf file.
ICA3026 Invalid port number at line line number
Explanation: Invalid entry found in /etc/sockd.conf file.
ICA3027 Shell Command Failed (exec status) for "cmd"
Explanation: Displayed shell command failed.
User Response: Verify shell processor is available on the system.
ICA3030 Unable to open config file (/etc/sockd.conf)
Explanation: Open request against indicated file failed.
ICA3031 Unable to open routing file (/etc/sockd.route): errno
Explanation: Open request against indicated file failed.
User Response: See your Firewall administrator. A default file was provided during Firewall installation.
ICA3032 Unable to open userfile (user name file): errno
Explanation: The filename specified for *=userlist on a permit rule could not be found.
ICA3033 Unexpected result from Validate()
Explanation: Identd verification of the user name was specified. Identd responded with unexpected result.
ICA3035 Cannot connect to identd on client host
Explanation: Identd verification of the user name was specified. Identd does not respond.
ICA3039 Error -- shell command "cmd" contains no alphanumeric characters.
Explanation: Invalid shell command; see log message.
ICA3040 Error -- shell_cmd fork() errno
Explanation: The sockd daemon was unable to create a child process via 'fork()'.
ICA3041 Error -- unable to get client address.
Explanation: Error return from 'getpeername()' call.
User Response: Check routing and DNS configuration.
ICA3042 Error -- undefined command (0xhex-command-received) from host client address
Explanation: Invalid command received from client application.
User Response: Possible client configuration problem or mismatch on client and Firewall support level.
ICA3043 Error -- wrong version (0xhex-version-number) from host client address.
Explanation: Firewall supports socks version 4.2.
User Response: Possible client configuration problem or mismatch on client and Firewall support level.
ICA3044 Failed -- Connect from user(real_user)@src_addr to dst_addr (application). Error code: command causing failure errno.
Explanation: Connection request failed.
ICA3045 Failed -- Bind from user(real_user)@src_addr for dst_addr. Error: connected to wrong host dst_name (dst_port (application)).
Explanation: Bind request failed.
ICA3046 Failed -- Bind from user(real_user)@src_addr for dst_addr. Error code: command causing failure errno.
Explanation: Bind request failed.
ICA3047 Timed-out -- Bind from user(real_user)@src_addr for dst_addr
Explanation: Connection timed out.
ICA3048 Shell command too long: command...
Explanation: The command to be executed, from the /etc/sockd.conf file, is too long.
ICA3049 Timed-out -- Connect from user(real_user)@src_addr to dst_addr (application)
Explanation: Connection timed out; see log message.
ICA3050 matched sockd.conf filter rule
Explanation: Filter rule from the /etc/sockd.conf file which matched the socks connection.
ICA3051 AIX sockd_route() cannot find interface for remote address.
Explanation: Could not find interface route information.
ICA3052 Error setting userid to "nobody".
Explanation: Could not set userid of the child sockd process to "nobody".
ICA3053 Error on popen(AIX route script): system error message
Explanation: Failure running script to find routing information.
ICA3054 Fatal memory allocation failure in AIX sockd_route().
Explanation: Memory allocation failure trying to gather routing information.
ICA3055 Fatal error AIX sockd_route() parsing for first space in: input line
Explanation: Error parsing system route information.
ICA3056 Fatal error AIX sockd_route() parsing for second space in: input line
Explanation: Error parsing system route information.
ICA3057 Fatal error in AIX sockd_route() reading route script output: system error message
Explanation: Error reading script output.
ICA3058 Error on popen(AIX adapter script): system error message
Explanation: Failure running script to find interface information.
ICA3101 Sockd error sending data - select(): system error message
Explanation: (SOCKS422) Error while sending data.
ICA3102 Sockd error sending data - write(): system error message
Explanation: (SOCKS422) Error while sending data.
ICA3103 Sockd error receiving data - select(): system error message
Explanation: (SOCKS422) Error while receiving data.
ICA3104 Sockd error receiving data - read(): system error message
Explanation: (SOCKS422) Error while receiving data.
ICA3105 Cannot create process id file filename.
Explanation: (SOCKS422) Process id file creation/write failed.
ICA3106 Sockd failed to fork child: system error message
Explanation: (SOCKS422) Attempt to fork child to handle a SOCKS request failed.
ICA3107 Set inbound socket SO_LINGER option failed: system error message
Explanation: (SOCKS422) Not critical.
ICA3108 Set outbound socket SO_LINGER option failed: system error message
Explanation: (SOCKS422) Not critical.
ICA3109 Invalid entry at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3110 Illegal interface field at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3111 Illegal destination IP at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3112 Illegal destination mask at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3113 Parsed number of lines lines in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3114 No valid lines found in file filename.
Explanation: (SOCKS422) Configuration file empty, or incorrect syntax.
User Response: Correct the indicated configuration file.
ICA3115 Invalid 'permit/deny' field at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3116 Invalid '?=' field at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3117 Illegal source IP at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3118 Illegal source mask at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3119 Invalid comparison at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3120 Invalid port number at line line number in file filename.
Explanation: (SOCKS422) Incorrect configuration entry syntax.
ICA3121 Received SIGUSR1 - dumping socks configuration.
Explanation: (SOCKS422) Signal to dump active configuration to log file, following this message.
ICA3122 Sockd could not fork daemon: system error message
Explanation: (SOCKS422) Fork to initialize sockd daemon failed.
User Response: Correct the indicated system problem and restart sockd.
ICA3123 Sockd server starting.
Explanation: (SOCKS422) Sockd has successfully initialized and is awaiting connections.
ICA3124 Fatal sockd initialization error - bind(): system error message
Explanation: (SOCKS422) Sockd server initialization failed, daemon terminated.
User Response: Correct the indicated system problem and restart sockd.
ICA3125 Fatal sockd initialization error - listen(): system error message
Explanation: (SOCKS422) Sockd server initialization failed, daemon terminated.
User Response: Correct the indicated system problem and restart sockd.
ICA3126 Fatal sockd error - main accept(): system error message
Explanation: (SOCKS422) Sockd server main routine failed, daemon terminated.
User Response: Correct the indicated system problem and restart sockd.
ICA3127 Sockd server received terminate signal.
Explanation: The root or nobody user killed the process; the daemon terminated.
User Response: Restart sockd if the administrator so desires (type "sockd").
ICA3128 Fatal sockd initialization error - socket(): system error message
Explanation: Sockd server initialization failed, daemon terminated.
User Response: Correct the indicated system problem and restart sockd.
ICA3129 Fatal sockd initialization error - failing function: system error message
Explanation: Sockd server initialization failed in the indicated function, daemon terminated.
User Response: Correct the indicated system problem and restart sockd.
ICA3130 Sockd error - failing function: system error message
Explanation: The sockd server detected an error in the indicated function. The daemon continues, but connections may be refused or terminated.
User Response: If the problem persists, stop sockd, correct the indicated system problem and restart sockd.
ICA3131 Error reading file name. Previously cached data will be used.
Explanation: The file could not be read or contained incorrect data. A previous message should describe the problem. Sockd will continue to operate with cached data from the previous version of the file.
User Response: Correct the error in the indicated file.
ICA3132 Unknown flag -value.
Explanation: The indicated flag is not recognized, daemon terminated.
User Response: Correct the syntax and restart sockd.
ICA3133 Unknown parameter value.
Explanation: The indicated parameter is not recognized, daemon terminated.
User Response: Correct the syntax and restart sockd.
ICA3134 Conflicting options option1 and option2.
Explanation: The indicated options cannot be specified together, daemon terminated.
User Response: Correct the syntax and restart sockd.
ICA3135 Sockd error - failing function: return code = 0xfunction return code
Explanation: The sockd server detected an error in the indicated function. The daemon terminates.
User Response: Correct the indicated system problem and restart sockd.
ICA3700 WinSocket initialization error : WinSocket error
Explanation: An error occurred when initializing WinSocket.
User Response: Correct the indicated system problem and restart sockd.
ICA4000 program - Warning: Received signal signal, terminating
Explanation: Termination due to receipt of signal.
ICA4001 STOP program as PID processId
Explanation: Informational message.
ICA4002 Temporary ID
Explanation: Informational message.
ICA4003 Problem with child process processId.
Explanation: Could not create a child process.
ICA4004 Fatal Error. Killing fwpagerd on signal signal.
Explanation: Signal handler.
ICA4005 No fwpagerd daemon running, program not found.
Explanation: Could not send a page because the daemon was not active.
ICA4006 No fwpagerd daemon running with process ID processId.
Explanation: Could not find the process Id of the daemon process.
ICA4007 START program as PID processId
Explanation: Informational message.
ICA4008 Cannot set sigignore for SIGPIPE.
Explanation: Failure while setting up to ignore the broken pipe signal.
ICA4009 Cannot set sigset for SIGCHILD.
Explanation: Failure while setting up to catch a dying child signal.
ICA4010 Cannot set termination process.
Explanation: Failure while setting signal to catch termination process.
ICA4011 Cannot open socket.
Explanation: Failure while opening socket.
ICA4012 Cannot set sigset for SIGTERM.
Explanation: Failure while setting up to catch SIGTERM and SIGINT signals.
ICA4013 Cannot set socket reuse option.
Explanation: Failure while setting socket reuse option.
ICA4014 Cannot set socket linger option.
Explanation: Failure while setting socket linger option.
ICA4015 Cannot bind the socket to the port.
Explanation: Failure while binding the socket to the port.
ICA4016 Cannot set listen on socket.
Explanation: Failure while setting up to listen on socket.
ICA4017 Service servName using TCP socket socket.
Explanation: Informational message.
ICA4018 Function call select() failed.
Explanation: Internal function call failure.
ICA4019 Severe error from new_work().
Explanation: Internal severe error from new_work routine.
ICA4020 Error(program): Could not write to stream socket: socket
Explanation: Possible system error.
User Response: Check socket usage.
ICA4021 Problem receiving response.
Explanation: Problem receiving response from modem.
User Response: Check modem connections and the initialization string.
ICA4022 Request successful.
Explanation: Informational message.
ICA4023 Request failed.
Explanation: Request to send page has failed.
ICA4024 Error(program): Priority out of range (minpri - maxpri).
Explanation: Incorrect priority range.
User Response: Correct priority range. Valid values are from -1 through 5.
ICA4025 Error(program): Address must be in the form of ID@carrier when -n option is used.
Explanation: Incorrect command usage syntax.
User Response: Correct the command syntax.
ICA4026 Error(program): Unknown host hostname
Explanation: Could not resolve hostname.
User Response: Check hostname.
ICA4027 Error(program): Could not open stream socket : errno
Explanation: Could not create a new socket.
ICA4028 Error(program): Could not set socket options : errno
Explanation: Could not set socket linger option.
ICA4029 Error(program): Could not connect to host : errno.
Explanation: Could not connect to the host.
User Response: Check serial port configuration and existence of device driver file.
ICA4030 Error(program): Could not write to stream socket : errno.
Explanation: Could not write to the stream socket.
ICA4031 Problem receiving response. Condition of message unknown.
Explanation: Problem receiving response from modem.
ICA4032 Message sent successfully to queue.
Explanation: Informational message. Message has been sent to queue.
ICA4033 Message failed. No message(s) sent.
Explanation: Could not send the message onto the pager queue.
ICA4034 date Failed (ID ID Pri priority Secs period Tries retryCount) [fromEntry] personName: message.
Explanation: The page could not be sent.
ICA4035 Cannot re-queue message mesg from program to person.
Explanation: Could not send into paging queue.
ICA4036 SUCCEEDED (ID ID Pri priority Secs period Tries retryCount) [fromEntry] personName: message.
Explanation: The page is sent successfully.
ICA4037 DUMPED to dumpFile (ID ID Pri priority Secs period Tries retryCount) [fromEntry] personName: message.
Explanation: Pages that are not sent immediately are dumped to a file to be tried later.
ICA4038 Cannot write to dump file dumpFile.
Explanation: The dump file cannot be written to.
User Response: Check file system permissions.
ICA4039 IpcKey: 0xIpcKey
Explanation: Informational message.
ICA4040 Retry time of retryTime minutes exceeded.
Explanation: Failed to initialize modem after the specified minutes.
User Response: Check initialization string.
ICA4041 Found alphanumeric message for numeric pager.
Explanation: Numeric pagers cannot contain alphanumeric data.
User Response: Correct using the user interface menu.
ICA4042 Person cannot receive pages.
Explanation: Pager is probably not activated.
User Response: Check pager for activation.
ICA4043 Carrier carrier does not exist.
Explanation: Carrier specified does not exist.
User Response: Correct using the user interface menu.
ICA4044 Carrier carrier does not have a DTMF phone number.
Explanation: Carrier specified does not have the DTMF phone number.
User Response: Correct using the user interface menu.
ICA4045 Pager number pagerNumber is too long for carrier's maximum of carrLen.
Explanation: Pager number is too long for carrier's maximum.
User Response: Use a shorter pager number that does not exceed the carrier's maximum.
ICA4046 Pager number pagerNumber is too long for default length of defaultCarrLen.
Explanation: This message occurs when the default length is too small.
User Response: Correct using the user interface menu. Increase default length.
ICA4047 Problem at line lineNumber of modem file ModemfilePathname.
Explanation: Modem definition file contains an invalid character.
User Response: Correct using the user interface menu.
ICA4048 Cannot open modem on device /dev/deviceName.
Explanation: Could not open modem on specified device.
User Response: Check or re-configure serial port. Check device.
ICA4049 Modem open on /dev/deviceName.
Explanation: Modem has been successfully detected on the serial port.
ICA4050 Cannot set modem characteristics.
Explanation: Failed while trying to set modem characteristics.
User Response: Check modem initialization string.
ICA4051 Cannot initialize modem after numInitTries retries.
Explanation: Modem could not be initialized.
User Response: Check modem initialization string and serial port configuration.
ICA4052 Cannot dial pager number pagerNumber
Explanation: Pager number cannot be dialed.
User Response: Check pager number validity.
ICA4053 Cannot hangup modem.
Explanation: Cannot hangup modem.
User Response: Check modem initialization string and hangup command used.
ICA4054 Cannot dial message message
Explanation: Cannot dial message.
ICA4055 Problem at line lineNumber in modem file filename.
Explanation: Invalid modem definition file.
User Response: Correct using the user interface menu.
ICA4056 Cannot dial carrier carrier's DTMF number (DTMFnumb).
Explanation: DTMF number may have been changed or is incorrect for this carrier.
User Response: Correct using the user interface menu.
ICA4057 Cannot transmit block.
Explanation: Failed while trying to transmit block.
User Response: Check carrier parameters using the user interface menu.
ICA4058 No response to transmitted block.
Explanation: Could not get a response from the carrier after transmitting block.
User Response: Check carrier parameters using the user interface menu.
ICA4059 Cannot receive response to message delivery.
Explanation: Could not get a response from the carrier after message delivery.
User Response: Check carrier parameters using the user interface menu.
ICA4060 Cannot transmit pager ID.
Explanation: Cannot transmit pager id.
User Response: Check pager number and carrier parameters using the user interface menu.
ICA4061 Cannot transmit end <CR> of automatic mode request.
Explanation: Cannot transmit end <CR> of automatic mode request.
User Response: Check carrier parameters using the user interface menu.
ICA4062 Cannot transmit automatic mode request.
Explanation: Cannot transmit automatic mode request signal.
User Response: Check carrier parameters using the user interface menu.
ICA4063 Failed to receive go-ahead from carrier carrier after numTries retries.
Explanation: Carrier may be busy at this time.
User Response: Check carrier parameters using the user interface menu and try later.
ICA4064 Communications error during prompt with carrier carrier.
Explanation: Communications error may occur for a number of reasons. Try again later.
User Response: Check carrier parameters using the user interface menu and try later.
ICA4065 Cannot receive response to logon.
Explanation: Modem cannot receive response to logon.
User Response: Check modem initialization string and carrier parameters.
ICA4066 Carrier carrier did not respond to logon attempt.
Explanation: Carrier did not respond to logon attempt.
User Response: Check carrier parameters using the user interface menu and try later.
ICA4067 Carrier carrier said receiveDataString.
Explanation: Carrier transmitted back some error message or busy message.
User Response: Check carrier parameters using the user interface menu and try later.
ICA4068 Carrier carrier forced a disconnect during logon.
Explanation: Carrier forced a disconnect during logon.
User Response: Check carrier parameters using the user interface menu.
ICA4069 Dumping messages to carrier carrier caused by ConnectRetryMax retry loops.
Explanation: If carrier is busy, the program dumps pages and tries later.
ICA4070 Skipping messages to carrier carrier caused by maxTotalTries session connect tries.
Explanation: Carrier cannot be contacted after a number of tries.
User Response: Check carrier parameters and try again later.
ICA4071 Error(program): Cannot allocate memory for carrier retry: errno.
Explanation: Possible system or memory allocation errors.
ICA4072 Error(program): Cannot add to carrier retry list: errno.
Explanation: Carrier possibly may not exist.
User Response: Check carrier validity and try again.
ICA4073 Data connection to carrier carrier at phoneNumber failed after retryCount retries.
Explanation: Data connection has failed.
User Response: Check modem connections and carrier parameters using the user interface menu.
ICA4074 ID prompt from carrier carrier was not received after numTries retries.
Explanation: Carrier failed to respond with an ID or acknowledgement prompt.
User Response: Make sure carrier uses the TeleAlphanumeric Protocol.
ICA4075 Communications error during logon with carrier carrier.
Explanation: Communications error could occur for a number of reasons.
User Response: Check carrier parameters using the user interface menu.
ICA4076 Maximum logon attempts to carrier carrier exceeded.
Explanation: Carrier has failed to respond within the specified attempts.
User Response: Check carrier parameters and try again later.
ICA4077 Message go-ahead not received from carrier carrier.
Explanation: Carrier has failed to respond with a go-ahead prompt.
User Response: Check carrier parameters and try again later.
ICA4078 Cannot create blocks.
Explanation: Carrier could not create blocks for transmission.
User Response: Check carrier parameters using the user interface menu.
ICA4079 Carrier carrier did not respond to message delivery.
Explanation: Carrier had trouble delivering the message.
User Response: Check carrier parameters using the user interface menu.
ICA4080 Carrier carrier forced a disconnect during message delivery.
Explanation: Carrier forced a disconnect during message delivery.
User Response: Check carrier parameters and modem initialization string.
ICA4081 Carrier carrier rejected message or Pager ID.
Explanation: Carrier rejected the pager message or pager id.
User Response: Check validity of pager id, activation of pager and carrier parameters.
ICA4082 Communications error during message delivery to carrier carrier.
Explanation: Communications errors could occur for a number of reasons.
User Response: Check carrier parameters using the user interface menu.
ICA4083 Failed to receive confirmation from carrier carrier after maxTries retries.
Explanation: This message occurs if the carrier is busy or cannot establish a connection.
User Response: Check carrier parameters using the user interface menu and try again after a few minutes.
ICA4084 Cannot transmit <EOT>.
Explanation: Modem cannot transmit <EOT>.
User Response: Check modem connections and initialization string.
ICA4085 Cannot receive response to <EOT>.
Explanation: Modem cannot receive response to <EOT>.
User Response: Check modem connections and initialization string.
ICA4086 Carrier carrier did not respond to <EOT>.
Explanation: Carrier cannot respond to transmitted data.
User Response: Check carrier validity and modem connections.
ICA4087 Carrier carrier responded with data unacceptable error because of contents.
Explanation: Carrier cannot respond to transmitted data.
User Response: Check carrier parameters using the user interface menu.
ICA4088 Cannot open defaults file defaultPathname.
Explanation: The modem defaults file may not exist or has incorrect permissions.
User Response: Check file for existence and permissions.
ICA4089 Incomplete defaults file defaultPathname.
Explanation: The modem defaults file has missing data.
User Response: Correct using the user interface menu.
ICA4090 Invalid outside line number in defaults file defaultPathname at line lineNumber.
Explanation: Carrier database file has an invalid outside line number.
User Response: Clean the carrier database file.
ICA4091 Invalid baud rate value in defaults file defaultFile at line lineNumber.
Explanation: Carrier database file has an invalid baud rate.
User Response: Clean the carrier database file.
ICA4092 Invalid data bit value in defaults file defaultFile at line lineNumber.
Explanation: Carrier database file has an invalid data bit value.
User Response: Clean the carrier database file.
ICA4093 Invalid parity value in defaults file defaultFile at line lineNumber.
Explanation: Carrier database file has an invalid parity value.
User Response: Clean the carrier database file.
ICA4094 Invalid stop bit value in defaults file defaultFile at line lineNumber.
Explanation: Carrier database file has an invalid stop bit value.
User Response: Clean the carrier database file.
ICA4095 Unrecognized tag tag id in defaults file defaultFile on line lineNumber.
Explanation: Carrier database file has an invalid tag.
User Response: Clean the carrier database file.
ICA4096 Incorrect number of parameters.
Explanation: Informational message.
ICA4097 Error(program): Cannot create carrier list. Memory problems.
Explanation: Possible system or memory problems.
ICA4098 Error(program): Errors in paging carrier file carrierFile.
Explanation: Carrier database file has some invalid data.
User Response: Check the carrier database file for invalid tags.
ICA4099 Error(program): Cannot get IPC token errno.
ICA4100 Error(program): Cannot create retry list. Possible memory problems.
Explanation: Possible system error or memory problems.
ICA4101 Error(carrier): Cannot create queue, page_q_err: pageQErr.
ICA4102 Error(program): Cannot setup signal catch for SIGTERM/SIGINT: errno.
Explanation: Possible system error.
ICA4103 Error(program): Cannot set modem characteristics for carrier carrier.
Explanation: Could not set up the modem.
User Response: Check serial port configuration and initialization string.
ICA4104 Missing tag tag for carrier carrier.
Explanation: Missing modem information. A tag could be baud rate, outside line, etc.
User Response: Check modem configuration file for invalid characters.
ICA4105 Carrier carrier must have at least one phone number listed.
Explanation: Carrier must contain the phone number.
User Response: Add the phone number using the user interface menu.
ICA4106 Cannot open file CarrierFileName.
Explanation: Carrier database file must exist.
User Response: If not already present, create one using the user interface menu.
ICA4107 Line lineNumber too long.
Explanation: Line in carrier database file is too long.
User Response: Check carrier database file for invalid line.
ICA4108 Unknown tag at line lineNumber.
Explanation: Unknown tag exists in carrier database file.
User Response: Check carrier database file for invalid tag.
ICA4109 Invalid sequence at line lineNumber.
Explanation: Invalid sequence exists in carrier database file.
User Response: Check carrier database file for invalid sequence.
ICA4110 Carrier carrier is not valid and is being skipped.
Explanation: Carrier cannot be used for paging purposes.
User Response: Check validity of carrier.
ICA4111 Cannot add carrier to list.
Explanation: Carrier cannot be added to list.
User Response: Check carrier validity and phone numbers.
ICA4112 Carrier name is missing or too long on line lineNumber.
Explanation: Carrier name is missing.
User Response: Add carrier using the user interface menu.
ICA4113 Cannot allocate new paging carrier: carrier.
Explanation: Carrier cannot be allocated to list.
User Response: Check carrier validity and phone numbers.
ICA4114 Value on line lineNumber is too long.
Explanation: Encountered a line that is too long in carrier database file.
User Response: Cleanup the long line in carrier database file.
ICA4115 Duplicate tag tag on line lineNumber ignored.
Explanation: Encountered a duplicate tag.
User Response: Remove the duplicate tag from carrier database file.
ICA4116 Value on line lineNumber does not exist.
Explanation: Encountered a blank field.
User Response: Use the user interface to add a value in blank field.
ICA4117 Value must be either Y, Yes, N or No on line lineNumber.
Explanation: This field requires either a Y, Yes, N or No.
User Response: Use the user interface to add or change valid data.
ICA4118 Value must be greater than 0 on line lineNumber.
Explanation: This field must be positive.
User Response: Change value using the user interface to a positive value.
ICA4119 Invalid value on line lineNumber.
Explanation: Encountered an invalid value on specified line.
User Response: Change value using the user interface menu.
ICA4120 Carrier is not valid and is being skipped.
Explanation: Encountered an invalid carrier.
User Response: Add a valid carrier using the user interface menu.
ICA4121 Cannot add carrier to list.
Explanation: Cannot add carrier to the paging list.
User Response: Check carrier validity.
ICA4122 Duplicate tag tag on line lineNumber ignored.
Explanation: Encountered a duplicate tag in a carrier stanza.
User Response: Cleanup the carrier stanza containing duplicate values.
ICA4123 Error(program): Could not get IPC token: errNo
Explanation: Program could not get IPC token.
ICA4124 Error(program): Error pageqErr while reading queue.
Explanation: Program could not read queue.
ICA4125 count Queue entries.
Explanation: Informational message.
ICA4126 Message with ID id deleted.
Explanation: Informational message.
ICA4127 ID id not in queue.
Explanation: Informational message.
ICA4128 Error(program): Error pageqErr while attempting to delete ID id.
Explanation: Tried to delete an ID of the queue.
ICA4129 Key is: entryKey content is @ ptr: ptr.
Explanation: Informational message.
ICA4130 Modem Characteristics:
Explanation: Modem initialization information.
ICA4131 Name: modemName
Explanation: Modem initialization information.
ICA4132 Init: initString
Explanation: Modem initialization information.
ICA4133 Command mode: command
Explanation: Modem initialization information.
ICA4134 Command terminator: 0xterminator
Explanation: Modem initialization information.
ICA4135 Dial: dial
Explanation: Modem initialization information.
ICA4136 Dial pause: pause
Explanation: Modem initialization information.
ICA4137 Dial #: diallb
Explanation: Modem initialization information.
ICA4138 Dial *: dialstar
Explanation: Modem initialization information.
ICA4139 Hangup: hangup
Explanation: Modem initialization information.
ICA4140 Valid command response: validCommandresp
Explanation: Modem initialization information.
ICA4141 Valid connect: validConnect
Explanation: Modem initialization information.
ICA4142 Echo: echo
Explanation: Modem initialization information.
ICA4143 Modem debug record: PUTS(id) txd-> outStr
Explanation: Modem handshaking information.
ICA4144 Modem debug record: PUTC(id) txd-> outStr
Explanation: Modem handshaking information.
ICA4145 Modem debug record: GET rxd-> %1$s
Explanation: Modem handshaking information.
ICA4146 Modem debug record: INPUT(%1$s
Explanation: Modem handshaking information.
ICA4147 Modem debug record: ) rxd->
Explanation: Modem handshaking information.
ICA4148 Modem debug record: WAITFOR(%1$s
Explanation: Modem handshaking information.
ICA4149 Could not unblock child signal.
Explanation: The program could not unblock the SIGCHLD signal.
ICA4150 Could not block the child signal.
Explanation: The program could not block the SIGCHLD signal.
ICA4151 Warm start file filePathname does not exist.
Explanation: Informational message.
ICA4152 Cannot open warm start file filePathname
Explanation: Informational message.
ICA4153 Line is too long in warm start file filePathname.
Explanation: The warm start file contains some invalid characters.
ICA4154 Warm start file filePathname has data that is not being used.
Explanation: Informational message.
ICA4155 Warm start file filePathname is empty.
Explanation: Informational message.
ICA4156 Line lineNumber of warm start file filePathname has bad addressee address, ignored.
Explanation: Warm start file has some invalid characters. Informational message.
ICA4157 Line lineNumber of warm start file filePathname has bad format, ignored.
Explanation: Warm start file has some invalid characters. Informational message.
ICA4158 Line lineNumber of warm start file filePathname has no message, ignored.
Explanation: Warm start file has no messages. Informational message.
ICA4159 Error queueing line lineNumber of warm start file filePathname, ignored.
Explanation: Warm start file has some invalid characters. Informational message.
ICA4160 Warm start of count messages from file filePathname complete.
Explanation: Informational message.
ICA4161 Error(program): Too many consecutive child errors.
Explanation: Too many child errors in a row. This occurs if either the carrier or the modem definition file has some invalid characters.
User Response: Check carrier database file and modem definition file using the user interface menu.
ICA4162 Child cannot exec program : errno.
Explanation: Possible system error.
ICA4163 Error(errno): Child cannot fork child : program name.
Explanation: Possible system error.
ICA4164 Could not create paging carrier list.
Explanation: Internal program error.
ICA4165 Errors in paging carrier file carrierFile
Explanation: Carrier database contains some invalid data.
User Response: Check carrier database file using the user interface menu.
ICA4166 Informational message. IPC key is: 0xIpcKey.
Explanation: Informational message.
ICA4167 Could not create queue, page_q_err: pageQerr.
Explanation: Failed while trying to create queue.
ICA4168 Paging Warm Start file created at time
Explanation: Informational message.
ICA4169 priority -p priority numPager from objfrom message
Explanation: Informational message.
ICA4170 priority -p priority alpaPager@carrier from from message
Explanation: Informational message.
ICA4171 priority -p priority -n numPager@carrier from from message
Explanation: Informational message.
ICA4172 End of pager warm start file.
Explanation: Informational message. Marks the end of the warm start file.
ICA4173 Cannot write into warm start file warmstrtFile.
Explanation: Warm start file may not exist.
ICA4174 time STATUS-REQUEST from user@host
Explanation: Displays the status request information.
ICA4175 time SUMMARY-REQUEST from user@host.
Explanation: Displays the summary request information.
ICA4176 count queue entries.
Explanation: Counts the number of queue entries in pager queue.
ICA4177 Oldest entry: ID id received at time.
Explanation: Displays the oldest entry in queue.
ICA4178 Re-attaching memory after expansion failed.
Explanation: Possible system error.
ICA4179 Re-attaching memory after expansion failed to align.
Explanation: Possible system error.
ICA4180 Could not down PAGE_Q semaphore in page_q_print() : errno.
Explanation: Possible system error.
ICA4181 Could not up PAGE_Q semaphore in page_q_print() : errno.
Explanation: Possible system error.
ICA4182 link headLink -> message ID: id.
Explanation: Informational message.
ICA4183 Priority: priority.
Explanation: Informational message.
ICA4184 Person: name.
Explanation: Informational message.
ICA4185 Carrier: carrier.
Explanation: Informational message.
ICA4186 Mesg: message.
Explanation: Informational message.
ICA4187 Could not get shared RAM : errno.
Explanation: Possible system error.
ICA4188 Could not get attached shared RAM : errno.
Explanation: Possible system error.
ICA4189 Could not get PAGE_Q semaphore.
Explanation: Possible system error.
ICA4190 Could not initialize PAGE_Q semaphore in page_q_create() : errno.
Explanation: Possible system error.
ICA4191 Could not set PAGE_Q semaphore in page_q_create() : errno.
Explanation: Possible system error.
ICA4192 Could not down PAGE_Q semaphore in page_q_empty() : errno.
Explanation: Possible system error.
ICA4193 Could not up PAGE_Q semaphore in page_q_empty() : errno.
Explanation: Possible system error.
ICA4194 Could not down PAGE_Q semaphore in page_q_enq(name,message) : errno.
Explanation: Possible system error.
ICA4195 Could not up PAGE_Q semaphore in page_q_enq() : errno.
Explanation: Possible system error.
ICA4196 page_q_enq(): ID(id) Pri(priority) Person(name) Mesg(message.
Explanation: Informational message.
ICA4197 Could not down PAGE_Q semaphore in page_q_head() : errno.
Explanation: Possible system error.
ICA4198 Could not up PAGE_Q semaphore in page_q_head() : errno.
Explanation: Possible system error.
ICA4199 Could not down PAGE_Q semaphore in page_q_first() : errno.
Explanation: Possible system error.
ICA4200 Could not up PAGE_Q semaphore in page_q_first() : errno.
Explanation: Possible system error.
ICA4201 Could not down PAGE_Q semaphore in page_q_next() : errno.
Explanation: Possible system error.
ICA4202 Could not up PAGE_Q semaphore in page_q_next() : errno.
Explanation: Possible system error.
ICA4203 Could not down PAGE_Q semaphore in page_q_tail() : errno.
Explanation: Possible system error.
ICA4204 Could not up PAGE_Q semaphore in page_q_tail() : errno.
Explanation: Possible system error.
ICA4205 Could not down PAGE_Q semaphore in page_q_del() : errno.
Explanation: Possible system error.
ICA4206 Could not up PAGE_Q semaphore in page_q_del() : errno.
Explanation: Possible system error.
ICA4207 page_q_del(ID).
Explanation: Debug information.
ICA4208 Could not down PAGE_Q semaphore in page_q_deq() : errno.
Explanation: Possible system error.
ICA4209 Could not up PAGE_Q semaphore in page_q_deq() : errno.
Explanation: Possible system error.
ICA4210 page_q_del(): ID(id) Pri(priority) Person(name) Mesg(message).
Explanation: Informational message.
ICA4211 Could not down PAGE_Q semaphore in page_q_walk() : errno.
Explanation: Possible system error.
ICA4212 Could not up PAGE_Q semaphore in page_q_walk() : errno.
Explanation: Possible system error.
ICA4213 PAGE_Q is full.
Explanation: The paging queue is full.
User Response: Send the page later.
ICA4300 Hanging up.
Explanation: Hanging up the call.
ICA4301 Initializing modem ..
Explanation: Initializing modem with the init string.
ICA4302 Dialing ......
Explanation: Dialing the phone number.
ICA4303 Waiting for connection.
Explanation: Waiting for the modem connection
ICA4304 CONNECTED speed
Explanation: Connected at the indicated baud rate.
ICA4305 CONNECTED!!!!!!!
Explanation: Connected to the pager service provider.
ICA4306 Requesting prompt for Automatic Mode.
Explanation: Requesting prompt for automatic mode. Waiting for "ID="
ICA4307 Prompt OK.....
Explanation: Got "ID=" back from the provider.
ICA4308 Sending Automatic Mode Request.
Explanation: Sending the ID and SST to the pager service provider.
ICA4309 Send Automatic Mode Request .....OK!
Explanation: Received the [p go-ahead sequence back from the provider; communication is established.
ICA4310 Sending out message
Explanation: Sending the message block to the provider.
ICA4311 Waiting for result
Explanation: Waiting for the provider's confirmation.
ICA4312 Ack received. Page successful
Explanation: The provider acknowledged the message block; the page was accepted.
ICA4313 Nak received, Resend block. Attempt NakTries
Explanation: Nak received. Pager provider is asking for resend
ICA4314 Transaction error. Resend block. Attempt RsTries
Explanation: Transaction error. Resending the block over.
ICA4315 Carrier Terminate Connection.
Explanation: The pager provider terminated the conversation. Contact the provider about the problem.
ICA4350 fwpage [carrier="..."] [modem="..."] [ID="..."] [msg="..."]
Explanation: fwpage usage. Check your parameters and try again.
ICA4351 %1$s file not exist
Explanation: Check that the file is in the right directory. carriers.cfg, modems.cfg, and pager.cfg must all exist before fwpage can be used.
ICA4352 What file corrupted
Explanation: The file has been edited by hand and is no longer in stanza format. Enter all attributes through the GUI so that the file is written in the correct format.
ICA4353 What too long, please shorten it and try again
Explanation: The named value is too long. Shorten it and try again.
ICA4354 What wrong.
Explanation: The named field has an invalid value.
If the baud rate is wrong, the valid options are: 600, 1200, ...
If the data bits per byte are wrong, the valid options are: 7, 8.
If the stop bits are wrong, the valid options are: 1, 2.
If the outside line prefix is wrong, the input must contain only numbers.
If the paging method is wrong, note that only TAP is supported in this version.
If the pager ID is wrong, check that it consists only of digits.
If the parity is wrong, the valid options are: O (odd), E (even), N (none), S (space), M (mark).
If the COM port is wrong, the valid options are: COM1, COM2, ...; the COM port number must be less than 10 in this version.
If a message character is wrong, check the message for special characters.
ICA4355 Set Parameters in where error.
Explanation: Unable to set parameters in |where|. Check parameters and try again.
ICA4356 when When, COM port reading error.
Explanation: Reading from the COM port failed. Set modem echo on and try again.
ICA4357 when Where, COM port writing error.
Explanation: Writing to the COM port failed.
ICA4358 Set What error
Explanation: Setting the named item failed. Check the log file to pin down the error.
ICA4359 Max tries exceed in Where. Abort program ......
ICA4360 Unknown character in Carrier phone number: *pCarrierPhoneNum
Explanation: An unrecognized character was found in the carrier phone number. Check the number and try again.
ICA4361 Warning!!! Paging provider's modem normally should be less than 2400.
Explanation: This is only a warning. A paging provider's modem speed is normally set below 2400 baud.
ICA4362 Unable to initialize modem
Explanation: Change modem initialization string and try again.
ICA4363 Modem returned Error.
Explanation: Modem communication error
ICA4364 tries try on open Com port error. Retry in 1 minute
Explanation: Opening the COM port failed, probably because another program is using it. The open is retried automatically in 1 minute.
ICA4365 Send page failed on tries try. Retry in 1 minutes
Explanation: Sending the page failed. Check the log file to find the exact reason; the send is retried automatically in 1 minute.
ICA4366 Message too long, truncated
Explanation: Warning only. The message is longer than the maximum message length and has been truncated to fit.
ICA4367 Reset Max message length to the internal defined value:%1$d
Explanation: The user-defined maximum message length is larger than the internal limit, which is 80, so the maximum has been reset to the internal value.
ICA4368 Action: Where error
Explanation: The action named in the message failed.
If opening the COM port failed, check the configuration and try again.
If closing the COM handle failed, it is a system problem.
If purging the COM port failed, it is a system problem.
If sending the dial command failed, the dialing command is the problem; check that the modem is Hayes-compatible.
If sending the ID request failed, check whether the pager provider supports the TAP protocol.
If sending the automatic mode prompt failed, check whether the pager service is working correctly.
If sending the message failed, check the log file to pin down the cause of the failure.
If the prompt failed, no prompt came back from the pager provider.
ICA4369 Too many transaction error. aborting ....
Explanation: Too many transaction errors; this attempt is aborted.
ICA4370 Too many Nak received, aborting the program .....
Explanation: Too many NAKs received from the paging provider; this attempt is aborted.
ICA4371 szComPort on COM port with function FunctionName return Error Number
Explanation: Check the parameters and try again.
ICA4372 Modem return error message...... ReturnMessag
Explanation: The modem returned one of the following result messages:
Not connected
Ringing, but not connected
No carrier
No dial tone
Busy
No answer
Unknown code (please report it).
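The exchange that ICA4306 through ICA4314 log, as an added example that is not part of the IBM Firewall product or this manual: a TAP page built, checksummed and sent against a constructed stand-in for the carrier, with the NAK and transaction-error retry counting whose limits ICA4370 and ICA4369 report. The framing and the 12-bit checksum follow the public TAP 1.8 specification; the "[p" that ICA4309 mentions is the ESC [ p go-ahead sequence of that protocol. PagingService, send_page and the retry limits of 3 are assumptions made here so the exchange runs offline.

```python
"""Added example: one TAP paging exchange of the kind fwpage logs as
ICA4306 through ICA4314. This is not IBM Firewall code; the framing and
checksum follow the public TAP 1.8 specification, and PagingService is a
constructed stand-in for the carrier so the exchange runs offline."""

# TAP control characters and the carrier's three possible answers to a block.
STX, ETX, EOT, ESC, CR = b"\x02", b"\x03", b"\x04", b"\x1b", b"\r"
ACK = ESC + b"[p"                   # block accepted (ICA4312)
NAK = ESC + b"[u"                   # block rejected, resend it (ICA4313)
RS = ESC + b"[r"                    # transaction error, resend it (ICA4314)
LOGIN_REQUEST = ESC + b"PG1" + CR   # automatic-mode request sent after "ID=" (ICA4308)
GO_AHEAD = ESC + b"[p"              # the "[p" fwpage waits for after the request (ICA4309)
LOGOFF = EOT + CR
MAX_MESSAGE_LEN = 80                # the internal limit named in ICA4367


def tap_checksum(framed: bytes) -> bytes:
    """Sum every byte from STX through ETX, keep the low 12 bits and send
    them as three ASCII characters, each '0' plus one nibble (so nibbles
    10..15 come out as the characters : ; < = > ?)."""
    total = sum(framed) & 0xFFF
    return bytes(0x30 + ((total >> shift) & 0xF) for shift in (8, 4, 0))


def build_block(pager_id: str, message: str) -> bytes:
    """Frame one page as STX id CR text CR ETX checksum CR, after the input
    checks fwpage reports as ICA4354 (all-digit pager ID, no special
    characters in the text) and the truncation it reports as ICA4366."""
    if not pager_id.isdigit():
        raise ValueError("pager ID must consist of digits only")
    if not all(0x20 <= ord(ch) < 0x7F for ch in message):
        raise ValueError("message contains a control or non-ASCII character")
    text = message[:MAX_MESSAGE_LEN].encode("ascii")
    framed = STX + pager_id.encode("ascii") + CR + text + CR + ETX
    return framed + tap_checksum(framed) + CR


def verify_block(block: bytes) -> bool:
    """Receiver-side check: STX...ETX, then a three-character checksum that
    matches, then CR. A failure here is what makes a carrier answer NAK."""
    if len(block) < 8 or block[:1] != STX or block[-1:] != CR:
        return False
    framed, received = block[:-4], block[-4:-1]
    return framed[-1:] == ETX and tap_checksum(framed) == received


class PagingService:
    """Constructed stand-in for the carrier's TAP service: it answers the
    login correctly, then replies to each block with the next scripted
    answer, or ACK/NAK according to the checksum once the script runs out."""

    def __init__(self, scripted_replies=()):
        self.scripted = list(scripted_replies)
        self.blocks = []

    def prompt(self, wakeup: bytes) -> bytes:
        return b"ID=" if wakeup == CR else b""

    def login(self, request: bytes) -> bytes:
        return GO_AHEAD if request == LOGIN_REQUEST else b""

    def respond(self, block: bytes) -> bytes:
        self.blocks.append(block)
        if self.scripted:
            return self.scripted.pop(0)
        return ACK if verify_block(block) else NAK

    def logoff(self, request: bytes) -> bytes:
        return ESC + EOT + CR if request == LOGOFF else b""


def send_page(service, pager_id: str, message: str, max_nak=3, max_rs=3):
    """Client side of the exchange. Returns (outcome, blocks_sent). The NAK
    and RS counters mirror fwpage's NakTries and RsTries; exceeding them is
    the abort reported as ICA4370 and ICA4369 respectively."""
    if service.prompt(CR) != b"ID=":
        return "no_prompt", 0                 # ICA4368: prompt error
    if service.login(LOGIN_REQUEST) != GO_AHEAD:
        return "login_rejected", 0            # ICA4368: automatic prompt error
    block = build_block(pager_id, message)
    sent = nak_tries = rs_tries = 0
    outcome = "protocol_error"
    while True:
        reply = service.respond(block)
        sent += 1
        if reply == ACK:
            outcome = "ack"
            break
        if reply == NAK:
            nak_tries += 1
            if nak_tries > max_nak:
                outcome = "nak_limit"
                break
        elif reply == RS:
            rs_tries += 1
            if rs_tries > max_rs:
                outcome = "rs_limit"
                break
        else:
            break                             # ICA4315: carrier ended the conversation
    service.logoff(LOGOFF)
    return outcome, sent


if __name__ == "__main__":
    carrier = PagingService(scripted_replies=[NAK, ACK])
    print(send_page(carrier, "1234567", "fw1: disk /var 95% full"))
```

The checksum encoding is the part most often got wrong when talking to a real TAP service: the three characters are nibbles offset from '0', not decimal digits, so a sum of 0x25C is sent as "25<". The stand-in answers NAK to any block whose checksum does not verify, which is also how a corrupted serial line shows up in the fwpage log as repeated ICA4313 messages.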
ICA5022 The sslrctd daemon process is successfully activated.
Explanation: The Windows 95 Secure Remote Client SSL Server has been successfully activated.
ICA5023 Cannot start the sslrctd daemon process
Explanation: The Windows 95 Secure Remote Client SSL Server has not been activated. This may have been caused by the Windows 95 Secure Remote Client SSL Server not being able to find the SSL keyring file. See Chapter 5. "Using the Make Key File Utility (MKKF)" for more information.
ICA5028 Invalid Login Request.
Explanation: The Windows 95 Secure Remote Client SSL Server received an invalid Login request packet.
ICA5030 Unknown Remote Client ID: UserID
Explanation: The Windows 95 Secure Remote Client SSL Server received an invalid UserID during the login sequence.
ICA5035 Invalid Logout Request
Explanation: The Windows 95 Secure Remote Client SSL Server received an invalid logout request packet.
ICA5060 Tunnel up for client UserID
Explanation: The Windows 95 Secure Remote Client SSL Server started a tunnel for UserID.
ICA5082 Tunnel to client UserID has been disconnected.
Explanation: The Windows 95 Secure Remote Client SSL Server stopped a tunnel for UserID.
ICA5087 Authentication failed for UserID
Explanation: The Windows 95 Secure Remote Client SSL Server received an invalid password for UserID.
ICA9000 IBM Firewall evaluation expires in number of days.
Explanation: This software is branded as an evaluation copy and will disable itself as indicated.
ICA9001 File System Integrity Checker Warning - warning description text
Explanation: fwfschk found a discrepancy in the system - potential security threat.
ICA9002 last message repeated number times
Explanation: Message generated by AIX syslogd when an identical message is logged without any intervening message. The message is kept here for Log Monitor to be able to detect the condition. This message must be in whatever language the real syslogd message is being written.
ICA9003 Authentication failed for user name on the configuration server.
Explanation: FW configuration server is unable to authenticate the indicated user.
User Response: See your FW administrator.
ICA9004 User name successfully authenticated on the configuration server.
Explanation: FW configuration server authenticated the indicated user.
ICA9005 Starting remote configuration server.
Explanation: Configuration server has been started.
ICA9006 Ending remote configuration server.
Explanation: Configuration server is ending.
ICA9007 Remote configuration server unable to open message catalog.
Explanation: One or more message catalogs used by the remote configuration server may be missing.
User Response: See your FW administrator.
ICA9008 Remote configuration server failed on getpeername(): error errno.
Explanation: Configuration server is unable to obtain information about the client.
User Response: See your FW administrator.
ICA9009 Remote configuration server failed on getsockname(): error errno.
Explanation: Configuration server is unable to obtain information about itself.
User Response: See your FW administrator.
ICA9010 Remote configuration server failed obtaining adapter information.
Explanation: Configuration server is unable to obtain adapter information.
User Response: See your FW administrator.
ICA9011 Configuration server not enabled for remote configuration.
Explanation: Configuration server has local=yes set in its configuration file and the client is on a remote machine.
User Response: See your FW administrator.
ICA9012 Remote configuration server unable to read logon request.
Explanation: Configuration server cannot read in the client logon request.
User Response: See your FW administrator.
ICA9013 Remote configuration server received incorrect logon request.
Explanation: Logon request contained incorrect information.
User Response: See your FW administrator.
ICA9014 Remote configuration server unable to create pipe.
Explanation: Configuration server cannot create a pipe for authentication.
User Response: See your FW administrator.
ICA9015 Remote configuration server unable to create process.
Explanation: Configuration server cannot create a process for authentication.
User Response: See your FW administrator.
ICA9016 Starting EFM daemon.
Explanation: The EFM daemon has been started on the managed firewall.
ICA9017 Ending EFM daemon; rc = value.
Explanation: The EFM daemon is ending with the specified return code.
ICA9018 EFM daemon unable to open message catalog.
Explanation: One or more message catalogs used by the EFM daemon may be missing.
User Response: See your FW administrator.
ICA9020 Unable to switch the running user ID.
Explanation: The system call to switch the running user ID failed.
User Response: See your FW administrator.
ICA9021 This firewall does not support logon mode.
Explanation: This firewall does not support this particular mode.
User Response: See your FW administrator.
ICA9022 user is not authorized to logon to the firewall in logon mode.
Explanation: This username is not authorized to logon using this particular mode.
User Response: See your FW administrator.
ICA9023 Unable to load EFM DLL.
Explanation: The EFM DLL could not be loaded.
User Response: See your FW administrator.
ICA9032 NAT configuration updated at time on date.
Explanation: NAT configuration has been updated.
ICA9033 NAT support (level version.release) initialized at time on date.
Explanation: Firewall NAT support has been initialized.
ICA9034 NAT support deactivated at time on date.
Explanation: NAT now is disabled.
ICA9035 NAT unable to allocate Registered Address for Secured Address Secured IP Address.
Explanation: No registered address could be allocated, so the secured address was not translated.
ICA9036 NAT released Registered Address Registered IP Address to address pool.
Explanation: Registered Address is released to registered IP address pool
Hardening reduces the firewall host's exposure by turning off daemons that the firewall does not need and disabling user IDs that are not authorized to log on to it. It runs as part of the IBM Firewall installation and edits the system resources that could otherwise compromise security.
The hardening process:
When the hardening process is complete, the file system integrity checker database is generated.
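The integrity database that hardening seeds, and the discrepancy that ICA9001 warns about, as an added example that is not the product's fwfschk code: a baseline of content hashes plus permission bits and owner is taken over a tree, the tree is tampered with, and the comparison reports what changed. The directory layout, file names, the ignore list for log files and the tampering steps in demo() are all constructed here for illustration.

```python
"""Added example, not the IBM fwfschk code: a small file system integrity
checker of the kind the hardening step seeds. build_baseline() records a
SHA-256 of each file's content together with its permission bits and owner;
compare() reports additions, removals and changes, which is the discrepancy
ICA9001 warns about. Paths under 'ignore' (growing log files) are skipped."""
import hashlib
import os
import stat
import tempfile


def _fingerprint(path):
    """Content hash plus the metadata an intruder tends to touch (mode, owner)."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        digest.update(os.readlink(path).encode())  # a retargeted symlink counts as a change
    return digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid


def _ignored(rel, ignore):
    return any(rel == p or rel.startswith(p + "/") for p in ignore)


def build_baseline(root, ignore=()):
    """Map of root-relative path -> fingerprint for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not _ignored(rel, ignore):
                baseline[rel] = _fingerprint(full)
    return baseline


def compare(baseline, root, ignore=()):
    """Re-scan root and report what differs from the stored baseline."""
    current = build_baseline(root, ignore)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    return full


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it the
    way an intruder might and return the comparison report."""
    ignore = ("var/adm",)
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/inetd.conf", "ftp stream tcp nowait root /usr/sbin/pftpd pftpd\n")
        _write(root, "etc/motd", "authorized use only\n")
        pftpd = _write(root, "usr/sbin/pftpd", "#!/bin/sh\nexit 0\n")
        os.chmod(pftpd, 0o700)
        _write(root, "var/adm/messages", "Jan  1 00:00:00 fw1 syslogd: restart\n")
        baseline = build_baseline(root, ignore)

        # Tampering: an extra inetd service, a setuid bit, a dropped file,
        # a deleted file, and log growth (which must not be reported).
        with open(os.path.join(root, "etc", "inetd.conf"), "a") as fh:
            fh.write("shell stream tcp nowait root /usr/sbin/rshd rshd\n")
        os.chmod(pftpd, 0o4755)
        _write(root, "usr/sbin/.x", "#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "motd"))
        with open(os.path.join(root, "var", "adm", "messages"), "a") as fh:
            fh.write("Jan  1 00:01:00 fw1 inetd: reread configuration\n")
        return compare(baseline, root, ignore)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the attacker cannot rewrite it (off the host, or on read-only media), otherwise an intruder who alters inetd.conf can simply re-baseline; and the ignore list should be as short as possible, since anything on it is invisible to the check.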
This appendix gives detail of the Firewall MIB.
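The MIB module that follows names every object by a chain of symbolic parents ({ ibmSNG 1 }, { fwMib 2 } and so on), but a trap receiver, an snmpget or a filter on the management station needs the dotted numeric form. The following is an added example, not part of the MIB or of the IBM Firewall subagent: a resolver for the subset of the MIB grammar used here that turns the chain into numeric OIDs and lists the objects below a group. SAMPLE_MIB is an excerpt of the module below with its line layout restored; the function names and the grammar subset are assumptions made for this example.

```python
"""Added example, not part of the IBM Firewall MIB or its SNMP subagent:
resolve the symbolic OBJECT IDENTIFIER chain of a MIB module into the dotted
numeric OIDs a trap receiver or an snmpget needs. It handles the subset of
the MIB grammar used in this appendix: 'name OBJECT IDENTIFIER ::= { parent n }'
and 'name OBJECT-TYPE ... ::= { parent n }', with OID components written as
a parent name, a bare number, or label(number)."""
import re

# A definition starts with 'name OBJECT-TYPE' or 'name OBJECT IDENTIFIER'
# and ends with its '::= { ... }' assignment; braces elsewhere (INTEGER
# enumerations, SEQUENCE bodies) are not preceded by '::=' and are skipped.
_TOKEN = re.compile(
    r"(?P<name>[A-Za-z][\w-]*)\s+OBJECT(?:-TYPE|\s+IDENTIFIER)\b"
    r"|::=\s*\{(?P<oid>[^}]*)\}"
)
_NUMBERED = re.compile(r"(?:[A-Za-z][\w-]*\()?(\d+)\)?")   # matches '3' and 'org(3)'

# Constructed excerpt of the MIB in this appendix, line layout restored.
SAMPLE_MIB = """
IBMFW-fwMib DEFINITIONS ::= BEGIN
IMPORTS Counter, enterprises FROM RFC1155-SMI
        OBJECT-TYPE FROM RFC-1212
        DisplayString FROM RFC1213-MIB
        TRAP-TYPE FROM RFC-1215;
internet    OBJECT IDENTIFIER ::= { iso org(3) dod(6) 1 }
private     OBJECT IDENTIFIER ::= { internet 4 }
enterprises OBJECT IDENTIFIER ::= { private 1 }
ibm         OBJECT IDENTIFIER ::= { enterprises 2 }
ibmProd     OBJECT IDENTIFIER ::= { ibm 6 }
ibmSNG      OBJECT IDENTIFIER ::= { ibmProd 129 }
fwMib       OBJECT IDENTIFIER ::= { ibmSNG 1 }
fwSubagent  OBJECT IDENTIFIER ::= { ibmSNG 2 }
fwSyslogTrapGrp OBJECT IDENTIFIER ::= { fwMib 1 }
fwSyslogFacility OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..20))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "syslog facility that generated the record."
    -- "local1"
    -- "local4"
    ::= { fwSyslogTrapGrp 1 }
fwSvrStatTrapGrp OBJECT IDENTIFIER ::= { fwMib 2 }
fwSvrStateValue OBJECT-TYPE
    SYNTAX INTEGER { vUnknown (0), vNotRunning (1), vRunning (2) }
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "The server's current running state (integer form)."
    ::= { fwSvrStatTrapGrp 4 }
END
"""


def definitions(mib_text):
    """Yield (name, [components]) in the order the module defines them."""
    pending = None
    for m in _TOKEN.finditer(mib_text):
        if m.group("name"):
            pending = m.group("name")
        elif pending:
            body = re.sub(r"\s*\(\s*", "(", m.group("oid"))
            body = re.sub(r"\s*\)", ")", body)
            yield pending, body.split()
            pending = None


def resolve_oids(mib_text, roots=None):
    """Return {name: dotted OID}. Parents may be defined later in the text;
    a ValueError names any definition whose parent never appears."""
    oids = dict(roots or {"iso": "1"})
    pending = list(definitions(mib_text))
    while pending:
        unresolved = []
        for name, comps in pending:
            parts = []
            for comp in comps:
                num = _NUMBERED.fullmatch(comp)
                if num:
                    parts.append(num.group(1))
                elif comp in oids:
                    parts.append(oids[comp])
                else:
                    parts = None
                    break
            if parts is None:
                unresolved.append((name, comps))
            else:
                oids[name] = ".".join(parts)
        if len(unresolved) == len(pending):   # a full pass made no progress
            raise ValueError("no parent for: " + ", ".join(n for n, _ in unresolved))
        pending = unresolved
    return oids


def objects_under(oids, group):
    """Names defined below a group, e.g. the varbinds to expect in a trap."""
    prefix = oids[group] + "."
    return sorted(name for name, oid in oids.items() if oid.startswith(prefix))


if __name__ == "__main__":
    table = resolve_oids(SAMPLE_MIB)
    for name in ("fwMib", "fwSubagent", "fwSvrStatTrapGrp", "fwSvrStateValue"):
        print(f"{name:18} {table[name]}")
    print("server status trap varbinds:", objects_under(table, "fwSvrStatTrapGrp"))
```

Feeding the whole module through resolve_oids gives the enterprise prefix 1.3.6.1.4.1.2.6.129 and, under it, .1 for fwMib and .2 for fwSubagent, which is what to match on when filtering this firewall's traps from other SNMP noise on the management station.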
IBMFW-fwMib DEFINITIONS ::= BEGIN

-- This component represents a system configured with IBM's
-- Internet Connection IBM Firewall (FW) product.
-- The groups defined are as follows:
--   the FW Syslog Trap group
--   the FW Server Status Trap group
--   the FW Component ID group
--   the FW Software Component Information group
--   the FW Subagent group
--   the FW Server Table group
--   the ftpd Proxy Server Group
--   the telnetd Proxy Server Group
--   the Mail Server Table Group
--   the Log File Management Table group
--   the FW Server Status Table group
--   the FW Server Concurrency Status Table group
--   the FW Configuration File Table group
--   the FW Filter Status group
--   the Network Configuration group
--   the Threshold Configuration Table group
--   the Active IP Tunnel Table group
--   the Network Address Translation Table

IMPORTS
    Counter, enterprises    FROM RFC1155-SMI
    OBJECT-TYPE             FROM RFC-1212
    DisplayString           FROM RFC1213-MIB
    TRAP-TYPE               FROM RFC-1215;

-- The MIB was registered under the original name Secured Network Gateway
-- (SNG).

internet    OBJECT IDENTIFIER ::= { iso org(3) dod(6) 1 }
private     OBJECT IDENTIFIER ::= { internet 4 }
enterprises OBJECT IDENTIFIER ::= { private 1 }
ibm         OBJECT IDENTIFIER ::= { enterprises 2 }
ibmProd     OBJECT IDENTIFIER ::= { ibm 6 }
ibmSNG      OBJECT IDENTIFIER ::= { ibmProd 129 }
fwMib       OBJECT IDENTIFIER ::= { ibmSNG 1 }
fwSubagent  OBJECT IDENTIFIER ::= { ibmSNG 2 }

-- FW Syslog Trap Group =======================================
fwSyslogTrapGrp OBJECT IDENTIFIER ::= { fwMib 1 }

fwSyslogFacility OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..20))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "syslog facility that generated the record."
    -- The string can be one of the following:
    --   "local1"
    --   "local4"
    ::= { fwSyslogTrapGrp 1 }

fwSyslogLogFileName OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "File where the syslog record was entered."
    ::= { fwSyslogTrapGrp 2 }

fwSyslogDate OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "Date of the syslog record."
    ::= { fwSyslogTrapGrp 3 }

fwSyslogTime OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..20))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "Time of the syslog record."
    ::= { fwSyslogTrapGrp 4 }

fwSyslogHost OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "Host in the syslog record."
    ::= { fwSyslogTrapGrp 5 }

fwSyslogPid OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "Process id in the syslog record."
    ::= { fwSyslogTrapGrp 6 }

fwSyslogMsgText OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "Message text in the syslog record."
    ::= { fwSyslogTrapGrp 7 }

-- FW Server Status Trap Group ==================================
fwSvrStatTrapGrp OBJECT IDENTIFIER ::= { fwMib 2 }

fwSvrName OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "The server's name."
    ::= { fwSvrStatTrapGrp 1 }

fwSvrProgram OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "The server executable name"
    ::= { fwSvrStatTrapGrp 2 }

fwSvrState OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "The server's current running state."
    -- The string can be one of the following:
    --   "running"
    --   "not running"
    ::= { fwSvrStatTrapGrp 3 }

fwSvrStateValue OBJECT-TYPE
    SYNTAX INTEGER { vUnknown (0), vNotRunning (1), vRunning (2) }
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "The server's current running state (integer form)."
    ::= { fwSvrStatTrapGrp 4 }

fwSvrTrapTimestamp OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..30))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "Timestamp at which the server status trap generated."
    ::= { fwSvrStatTrapGrp 5 }

fwSvrTrapHost OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "Hostname from where the trap generated."
    ::= { fwSvrStatTrapGrp 6 }

-- FW Component ID Group =====================================
fwComponentIdGroup OBJECT IDENTIFIER ::= { fwMib 3 }

fwManufacturer OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..32))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The company that produced this component."
    -- The string is: "IBM Corporation".
    ::= { fwComponentIdGroup 1 }

fwProduct OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The name of this component or product."
    -- The string is: "IBM FW SNMP Subagent."
    ::= { fwComponentIdGroup 2 }

fwVersion OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..16))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The version string for this component."
    ::= { fwComponentIdGroup 3 }

fwVerify OBJECT-TYPE
    SYNTAX INTEGER
    -- {
    --   vAnErrorOccurred;CheckStatusCode (0),
    --   vThisComponentDoesNotExist (1),
    --   vTheVerifyIsNotSupported (2),
    --   vReserved (3),
    --   vComponent'sFunctionalityUntested (4),
    --   vComponent'sFunctionalityUnknown (5),
    --   vComponentIsNotFunctioningCorrectly (6),
    --   vComponentFunctionsCorrectly (7)
    -- }
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "A code that provides a level of verification that the component is still installed and working. This value is 2 for this release."
    ::= { fwComponentIdGroup 4 }

fwVerifyString OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..32))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "A string that corresponds to the aVerify value. The string for this release will be: Verify is not supported."
    ::= { fwComponentIdGroup 5 }

-- FW Software Component Information Group ========================
fwSoftwareCompInfoGroup OBJECT IDENTIFIER ::= { fwMib 4 }

fwMajorVersion OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..16))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Major version of this fwSoftware component."
    ::= { fwSoftwareCompInfoGroup 1 }

fwMinorVersion OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..16))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Minor version of this fwSoftware component."
    ::= { fwSoftwareCompInfoGroup 2 }

fwRevision OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..16))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Revision of this fwSoftware component."
    ::= { fwSoftwareCompInfoGroup 3 }

fwTargetOperatingSystem OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The operating system for which this fwSoftware component is intended."
    ::= { fwSoftwareCompInfoGroup 4 }

fwLanguageEdition OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..16))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The language edition of this fwSoftware component. This string will be: English."
    ::= { fwSoftwareCompInfoGroup 5 }

fwTargetOsString OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..32))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The operating system for which this fwSoftware component is intended. This is AIX for this release."
    ::= { fwSoftwareCompInfoGroup 6 }

-- FW Subagent Group ==========================================
fwSubagentGroup OBJECT IDENTIFIER ::= { fwMib 5 }

fwSubagtName OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..32))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The name of this subagent is IBM FW Subagent. The string is: IBM FW Subagent."
    ::= { fwSubagentGroup 1 }

fwSubagtUpTime OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..26))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The date and time the FW subagent was last started."
    ::= { fwSubagentGroup 2 }

fwCritlogPoll OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "Polling interval (in minutes) for critlog thread."
    ::= { fwSubagentGroup 3 }

fwCritlogTimestamp OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..26))
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "Beginning timestamp for monitoring critlog records."
    ::= { fwSubagentGroup 4 }

fwCritlogLocation OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "Location of critlog file(s)."
    ::= { fwSubagentGroup 5 }

fwSvrStatPoll OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "Polling interval (in minutes) for server status thread."
    ::= { fwSubagentGroup 6 }

-- FW Server Table Group =======================================
-- FwSvrEntry has to start with an upper case otherwise mosy gives an error
fwSvrTbl OBJECT-TYPE
    SYNTAX SEQUENCE OF FwSvrEntry
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "A list of entries for FW servers configured on this host."
    ::= { fwMib 6 }

aFwSvrEntry OBJECT-TYPE
    SYNTAX FwSvrEntry
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION ""
    INDEX { fwServerName }
    ::= { fwSvrTbl 1 }

FwSvrEntry ::= SEQUENCE {
    fwServerName        DisplayString,
    fwServerSocketType  DisplayString,
    fwServerProtocol    DisplayString,
    fwServerWait        DisplayString,
    fwServerUser        DisplayString,
    fwServerProgram     DisplayString,
    fwServerArgs        DisplayString
}

fwServerName OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The name of the FW or inet server."
    -- The string can be one of the following:
    --   "Unknown"
    --   "FTPD Proxy"
    --   "Telnetd Proxy"
    --   "Http Proxy"
    --   ... or any service in the file /etc/services.
    ::= { aFwSvrEntry 1 }

fwServerSocketType OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The type of socket the server is using."
    -- The string can be one of the following:
    --   "stream"
    --   "dgram"
    --   "sunrpc_udp"
    --   "sunrpc_tcp"
    ::= { aFwSvrEntry 2 }

fwServerProtocol OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The communication protocol the server is using."
    -- The string can be one of the protocols found in the
    -- file /etc/protocols.
    ::= { aFwSvrEntry 3 }

fwServerWait OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The wait/no wait attribute of the server."
    -- The string can be one of the following:
    --   "wait"
    --   "nowait"
    ::= { aFwSvrEntry 4 }

fwServerUser OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The username inetd uses to start the server."
    ::= { aFwSvrEntry 5 }

fwServerProgram OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Full pathname of the server that inetd should execute."
    ::= { aFwSvrEntry 6 }

fwServerArgs OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Command line arguments used in starting the server."
    ::= { aFwSvrEntry 7 }

-- ftpd Proxy Server Group =======================================
fwFtpdSvrGrp OBJECT IDENTIFIER ::= { fwMib 7 }

fwFtpdSvrName OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The name of the FW server."
    -- The string is "pftpd"
    ::= { fwFtpdSvrGrp 1 }

fwFtpdSvrSocketType OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The type of socket the server is using."
    -- The string can be one of the following:
    --   "stream"
    --   "dgram"
    --   "sunrpc_udp"
    --   "sunrpc_tcp"
    ::= { fwFtpdSvrGrp 2 }

fwFtpdSvrProtocol OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The communication protocol the server is using."
    -- The string can be one of the protocols found in the
    -- file /etc/protocols.
    ::= { fwFtpdSvrGrp 3 }

fwFtpdSvrWait OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The wait/no wait attribute of the server."
    -- The string can be one of the following:
    --   "wait"
    --   "nowait"
    ::= { fwFtpdSvrGrp 4 }

fwFtpdSvrUser OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The user who invoked the server."
    ::= { fwFtpdSvrGrp 5 }

fwFtpdSvrProgram OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Full pathname of the server that inetd should execute."
    ::= { fwFtpdSvrGrp 6 }

fwFtpdSvrArgs OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Command line arguments used in starting the server."
    ::= { fwFtpdSvrGrp 7 }

-- telnetd Proxy Server Group =====================================
fwTelnetdSvrGrp OBJECT IDENTIFIER ::= { fwMib 8 }

fwTelnetdSvrName OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The name of the FW server."
    -- The string is "ptelnetd"
    ::= { fwTelnetdSvrGrp 1 }

fwTelnetdSvrSocketType OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The type of socket the server is using."
    -- The string can be one of the following:
    --   "stream"
    --   "dgram"
    --   "sunrpc_udp"
    --   "sunrpc_tcp"
    ::= { fwTelnetdSvrGrp 2 }

fwTelnetdSvrProtocol OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The communication protocol the server is using."
    -- The string can be one of the protocols found in the
    -- file /etc/protocols.
    ::= { fwTelnetdSvrGrp 3 }

fwTelnetdSvrWait OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The wait/no wait attribute of the server."
    -- The string can be one of the following:
    --   "wait"
    --   "nowait"
    ::= { fwTelnetdSvrGrp 4 }

fwTelnetdSvrUser OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The user who invoked the server."
    ::= { fwTelnetdSvrGrp 5 }

fwTelnetdSvrProgram OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Full pathname of the server that inetd should execute."
    ::= { fwTelnetdSvrGrp 6 }

fwTelnetdSvrArgs OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..50))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Command line arguments used in starting the server."
    ::= { fwTelnetdSvrGrp 7 }

-- FW Mail Servers Group =======================================
-- FwMailSvrEntry has to start with an upper case otherwise mosy gives an error
fwMailSvrTbl OBJECT-TYPE
    SYNTAX SEQUENCE OF FwMailSvrEntry
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "A list of entries for FW mail servers configured on this host."
    ::= { fwMib 9 }

aFwMailSvrEntry OBJECT-TYPE
    SYNTAX FwMailSvrEntry
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION ""
    INDEX { fwMailSecDomName }
    ::= { fwMailSvrTbl 1 }

FwMailSvrEntry ::= SEQUENCE {
    fwMailSecDomName    DisplayString,
    fwMailSecNKSvr      DisplayString,
    fwMailPubDomName    DisplayString
}

fwMailSecDomName OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The name of the FW Secure Domain Name."
    -- The first column in /etc/security/mail.conf
    ::= { aFwMailSvrEntry 1 }

fwMailSecNKSvr OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The name of the FW Secure Network Mail Server."
    -- The second column in /etc/security/mail.conf
    ::= { aFwMailSvrEntry 2 }

fwMailPubDomName OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The name of the FW Public Domain Name."
-- The second column in /etc/security/mail.conf ::= {aFwMailSvrEntry 3} -- Log File Management Table Group =============================== fwLogFileMgmtTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwLogFileMgmtEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "table of log files to be Managed" ::= {fwMib 10} aFwLogFileMgmtEntry OBJECT-TYPE SYNTAX FwLogFileMgmtEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwLogFileName} ::= {fwLogFileMgmtTbl 1} FwLogFileMgmtEntry ::= SEQUENCE { fwLogFileName DisplayString, fwLogDaysInLog INTEGER, fwLogArchive DisplayString, fwLogDaysInArc INTEGER, fwLogWorkSpace DisplayString, fwLogComments DisplayString } fwLogFileName OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "Name of the log file to be Managed." ::= {aFwLogFileMgmtEntry 1} fwLogDaysInLog OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Days to keep in logfile." ::= {aFwLogFileMgmtEntry 2} fwLogArchive OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "Archive name." ::= {aFwLogFileMgmtEntry 3} fwLogDaysInArc OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Days to keep in archive." ::= {aFwLogFileMgmtEntry 4} fwLogWorkSpace OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "directory where log Management operations take place." ::= {aFwLogFileMgmtEntry 5} fwLogComments OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "comments." ::= {aFwLogFileMgmtEntry 6} -- FW Server Status Table Group ================================== fwSvrStatTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwSvrStatEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "A list of status entries for FW servers configured on this host." 
::= {fwMib 11} aFwSvrStatEntry OBJECT-TYPE SYNTAX FwSvrStatEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwSvrStatServerName} ::= {fwSvrStatTbl 1} FwSvrStatEntry ::= SEQUENCE { fwSvrStatServerName DisplayString, fwSvrStatServerState DisplayString } fwSvrStatServerName OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) ACCESS read-only STATUS mandatory DESCRIPTION "The name of the FW or inet server." -- The string can be one of the following: -- "fwsubagt" -- "inetd" -- "fwpagerd" -- "fwmaild" -- "named" ::= {aFwSvrStatEntry 1} fwSvrStatServerState OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) ACCESS read-only STATUS mandatory DESCRIPTION "Is the server running?" -- The string can be one of the following: -- "unknown" -- "running" -- "not running" ::= {aFwSvrStatEntry 2} -- FW Server Concurrency Status Table Group ========================= fwSvrConStatTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwSvrConStatEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= {fwMib 12} aFwSvrConStatEntry OBJECT-TYPE SYNTAX FwSvrConStatEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwSvrConStatServerName} ::= {fwSvrConStatTbl 1} FwSvrConStatEntry ::= SEQUENCE { fwSvrConStatServerName DisplayString, fwSvrConStatSessions INTEGER } fwSvrConStatServerName OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) ACCESS read-only STATUS mandatory DESCRIPTION "The name of the FW." -- The string can be one of the following: -- "FTPD Proxy" -- "Telnetd Proxy" -- "SOCKS Server" -- "Http Proxy" ::= {aFwSvrConStatEntry 1} fwSvrConStatServerSessions OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of concurrent sessions." ::= {aFwSvrConStatEntry 2} -- FW Configuration File Table Group =============================== fwCfgFileTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwCfgFileEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Information about FW and FW-related configuration files." 
::= {fwMib 13} aFwCfgFileEntry OBJECT-TYPE SYNTAX FwCfgFileEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwCfgFileName} ::= {fwCfgFileTbl 1} FwCfgFileEntry ::= SEQUENCE { fwCfgFileName DisplayString, fwCfgUser DisplayString, fwCfgGroup DisplayString, fwCfgTimeStamp DisplayString, fwCfgSize INTEGER, fwCfgStatus INTEGER, fwCheckSum INTEGER } fwCfgFileName OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "The monitored file." ::= {aFwCfgFileEntry 1} fwCfgUser OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) ACCESS read-only STATUS mandatory DESCRIPTION "The user who owns the file." ::= {aFwCfgFileEntry 2} fwCfgGroup OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) ACCESS read-only STATUS mandatory DESCRIPTION "The file's primary group." ::= {aFwCfgFileEntry 3} fwCfgTimeStamp OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) ACCESS read-only STATUS mandatory DESCRIPTION "Current timestamp." ::= {aFwCfgFileEntry 4} fwCfgSize OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "File size in bytes." ::= {aFwCfgFileEntry 5} fwCfgStatus OBJECT-TYPE SYNTAX INTEGER { vUnknown (0), vNotFound (1), vFound (2) } ACCESS read-only STATUS mandatory DESCRIPTION "Is the file found?" ::= {aFwCfgFileEntry 6} fwCheckSum OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "checksum on the file" ::= {aFwCfgFileEntry 7} -- FW Filter Status Group ======================================== fwFilterStatGrp OBJECT IDENTIFIER ::= {fwMib 14} fwFilterNumIfs OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of secure interfaces defined." ::= {fwFilterStatGrp 1} fwFilterNumRules OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of rules in filter list." ::= {fwFilterStatGrp 2} fwFilterLevel OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) ACCESS read-only STATUS mandatory DESCRIPTION "Netinet filter support code level." 
::= {fwFilterStatGrp 3} -- XXX Can status be anything other than 'not available'? fwFilterStat OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) ACCESS read-only STATUS mandatory DESCRIPTION "Status of filter support code." ::= {fwFilterStatGrp 4} -- XXX Can status be anything other than 'not available'? fwPktLogStat OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) ACCESS read-only STATUS mandatory DESCRIPTION "Status of packet logging." ::= {fwFilterStatGrp 5} fwFilterRulesTimeStamp OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "Timestamp of last update to rules." ::= {fwFilterStatGrp 6} fwFilterNumRulesUpdates OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of updates to rules since initialization." ::= {fwFilterStatGrp 7} -- Network Configuration Group =================================== fwNetCfgGrp OBJECT IDENTIFIER ::= {fwMib 15} fwSecDomName OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "Secure domain name." 
::= {fwNetCfgGrp 1} fwNonSecDomSvrTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwNonsecDomSvrEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= {fwNetCfgGrp 2} aFwNonsecDomSvrEntry OBJECT-TYPE SYNTAX FwNonsecDomSvrEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwNonSecSvraddr} ::= {fwNonSecDomSvrTbl 1} FwNonsecDomSvrEntry ::= SEQUENCE { fwNonSecSvrAddr DisplayString } fwNonSecSvrAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "" ::= {aFwNonsecDomSvrEntry 1} fwSecDomSvrTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwSecDomSvrEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= {fwNetCfgGrp 3} aFwSecDomSvrEntry OBJECT-TYPE SYNTAX FwSecDomSvrEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwSecSvrAddr} ::= {fwSecDomSvrTbl 1} FwSecDomSvrEntry ::= SEQUENCE { fwSecSvrAddr DisplayString } fwSecSvrAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "" ::= {aFwSecDomSvrEntry 1} -- Threshold Configuration Group ================================== fwThrCfgGrp OBJECT IDENTIFIER ::= {fwMib 16} fwMailToTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwMailToEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Table of users to notify of threshold violations" ::= {fwThrCfgGrp 1} aFwMailToEntry OBJECT-TYPE SYNTAX FwMsgThrEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwMailToId} ::= {fwMailToTbl 1} FwMailToEntry ::= SEQUENCE { fwMailToId DisplayString, fwMailToComments DisplayString } fwMailToId OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "mail address to send threshold violation notice to" ::= {aFwMailToEntry 1} fwMailToComments OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "comments" ::= {aFwMailToEntry 2} fwCommand OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "program executed 
when threshold is reached." ::= {fwThrCfgGrp 2} fwCommandComments OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "comments" ::= {fwThrCfgGrp 3} fwSnglAuthThrCount OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "number of failed authentication messages to be detected." ::= {fwThrCfgGrp 4} fwSnglAuthThrTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of minutes to detect failed auth messages." ::= {fwThrCfgGrp 5} fwSnglAuthPagerAlert OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "Pager notification" ::= {fwThrCfgGrp 6} fwSnglAuthThrComments OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "comments" ::= {fwThrCfgGrp 7} fwMultAuthThrCount OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "number of failed authentication messages to be detected." ::= {fwThrCfgGrp 8} fwMultAuthThrTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of minutes to detect failed auth messages." ::= {fwThrCfgGrp 9} fwMultAuthPagerAlert OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "Pager notification" ::= {fwThrCfgGrp 10} fwMultAuthThrComments OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "comments" ::= {fwThrCfgGrp 11} fwHostAuthThrCount OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "number of failed authentication messages to be detected." ::= {fwThrCfgGrp 12} fwHostAuthThrTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of minutes to detect failed auth messages." 
::= {fwThrCfgGrp 13} fwHostAuthPagerAlert OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "Pager notification" ::= {fwThrCfgGrp 14} fwHostAuthThrComments OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "comments" ::= {fwThrCfgGrp 15} fwMsgThrTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwMsgThrEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Table of message threshold definition entries" ::= {fwThrCfgGrp 16} aFwMsgThrEntry OBJECT-TYPE SYNTAX FwMsgThrEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwMsgThrTag} ::= {fwMsgThrTbl 1} FwMsgThrEntry ::= SEQUENCE { fwMsgThrTag DisplayString, fwMsgThrCount INTEGER, fwMsgThrTime INTEGER, fwMsgThrPagerAlert DisplayString, fwMsgThrComments DisplayString } fwMsgThrTag OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "" ::= {aFwMsgThrEntry 1} fwMsgThrCount OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "number of failed authentication messages to be detected." ::= {aFwMsgThrEntry 2} fwMsgThrTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of minutes to detect failed auth messages." ::= {aFwMsgThrEntry 3} fwMsgThrPagerAlert OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "Pager notification." ::= {aFwMsgThrEntry 4} fwMsgThrComments OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) ACCESS read-only STATUS mandatory DESCRIPTION "" ::= {aFwMsgThrEntry 5} -- FW Active IP Tunnel Table Group =============================== fwActiveTunnelGrp OBJECT IDENTIFIER ::= {fwMib 17} fwIbmTunnelTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwIbmTunnelEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "List of all IBM Tunnels " ::= {fwActiveTunnelGrp 1} aFwIbmTunnelEntry OBJECT-TYPE SYNTAX FwIbmTunnelEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "A list of all IBM Tunnels." 
INDEX {fwIbmTunnelId} ::= {fwIbmTunnelTbl 1} FwIbmTunnelEntry ::= SEQUENCE { fwIbmTunnelId INTEGER, fwIbmSrcAddr DisplayString, fwIbmDestAddr DisplayString, fwIbmEncrption DisplayString, fwIbmPolicy DisplayString, fwIbmSessionLife INTEGER, fwIbmInitFlag DisplayString } fwIbmTunnelId OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The Identification number of the IBM Tunnel." ::= {aFwIbmTunnelEntry 1} fwIbmSrcAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "The IP address of the local firewall." ::= {aFwIbmTunnelEntry 2} fwIbmDestAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "The IP address of the partner firewall." ::= {aFwIbmTunnelEntry 3} fwIbmEncryption OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "Algorithm used for IP Packet encryption ." -- possible values are DES_CBC_8, CDMF, DES_CBC_4 ::= {aFwIbmTunnelEntry 4} fwIbmPolicy OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "combination of encryption and authentication values." -- Possible values are encr/auth, auth/encr, encr only, auth only, none ::= {aFwIbmTunnelEntry 5} fwIbmSessionLife OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Time in minutes current session can be used." -- Max time is 1440. ::= {aFwIbmTunnelEntry 6} fwIbmInitFlag OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "Identifies which partner starts the session negotiation." -- Possible values are yes, no ::= {aFwIbmTunnelEntry 7} fwManTunnelTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwManTunnelEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= {fwActiveTunnelGrp 2} aFwManTunnelEntry OBJECT-TYPE SYNTAX FwManTunnelEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "A list of all MAN Tunnels." 
INDEX {fwManTunnelId} ::= {fwManTunnelTbl 1} FwManTunnelEntry ::= SEQUENCE { fwManTunnelId INTEGER, fwManSrcAddr DisplayString, fwManDestAddr DisplayString, fwManEncryption DisplayString, fwManPolicy DisplayString, fwManSessionLife INTEGER, fwManTargetSPI INTEGER } fwManTunnelId OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The Identification number of the Man Tunnel." ::= {aFwManTunnelEntry 1} fwManSrcAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "The IP address of the local firewall." ::= {aFwManTunnelEntry 2} fwManDestAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "The IP address of the partner firewall." ::= {aFwManTunnelEntry 3} fwManEncryption OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "Algorithm used for IP Packet encryption ." -- possible values are DES_CBC_8, CDMF, DES_CBC_4 ::= {aFwManTunnelEntry 4} fwManPolicy OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "combination of encryption and authentication values." -- Possible values are encr/auth, auth/encr, encr only, auth only, none ::= {aFwManTunnelEntry 5} fwManSessionLife OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Time in minutes manual tunnel will be operational." -- Max time is 44640. ::= {aFwManTunnelEntry 6} fwManTargetSpi OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Target Security Parameter Index for manual tunnel." 
-- Valid values are 1- 9999 ::= {aFwManTunnelEntry 7} -- FW Network Address Translation Group =========================== fwNatAddrTransGrp OBJECT IDENTIFIER ::= {fwMib 18} fwNatReservedTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwResvRegisterEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= {fwNatAddrTransGrp 1} aFwResvRegisterEntry OBJECT-TYPE SYNTAX FwResvRegisterEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwRegisteredIpAddr} ::= {fwNatReservedTbl 1} FwResvRegisterEntry ::= SEQUENCE { fwRegisteredIpAddr DisplayString, fwRegisteredIpAddrMask DisplayString, fwNatTimeout INTEGER } fwRegisteredIpAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "Defines the IP addresses for outbound connections" ::= {aFwResvRegisterEntry 1} fwRegisteredIpMask OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "The mask specifies the bits in the registered IP addr used to add a range of IP addr to the registered addr pool." ::= {aFwResvRegisterEntry 2} fwNatTimeout OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "minutes an address translation can remain idle." 
::= {aFwResvRegisterEntry 3} fwNatTranslateTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwNatTranslateEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= {fwNatAddrTransGrp 2} aFwNatTranslateEntry OBJECT-TYPE SYNTAX FwNatTranslateEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwTranslateSecIpAddr} ::= {fwNatTranslateTbl 1} FwNatTranslateEntry ::= SEQUENCE { fwTranslateSecIpAddr DisplayString, fwTranslateSecIpAddrMask DisplayString } fwTranslateSecIpAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "Defines the IP addresses to be excluded from NAT" ::= {aFwNatTranslateEntry 1} fwTranslateSecIpAddrMask OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "The mask specifies the bits in the secured IP addr used to identify a range of IP addr." ::= {aFwNatTranslateEntry 2} fwNatExcludeTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwNatExcludeEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= {fwNatAddrTransGrp 3} aFwNatExcludeEntry OBJECT-TYPE SYNTAX FwNatExcludeEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwExcludeSecIpAddr} ::= {fwNatExcludeTbl 1} FwNatExcludeEntry ::= SEQUENCE { fwExcludeSecIpAddr DisplayString, fwExcludeSecIpAddrMask DisplayString } fwExcludeSecIpAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "Defines the IP addresses to be excluded from NAT" ::= {aFwNatExcludeEntry 1} fwExcludeSecIpAddrMask OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "The mask specifies the bits in the secured IP addr used to identify a range of IP addr." 
::= {aFwNatExcludeEntry 2} fwNatMapTbl OBJECT-TYPE SYNTAX SEQUENCE OF FwNatMapEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= {fwNatAddrTransGrp 4} aFwNatMapEntry OBJECT-TYPE SYNTAX FwNatMapEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "" INDEX {fwMapSecIpAddr} ::= {fwNatMapTbl 1} FwNatMapEntry ::= SEQUENCE { fwMapSecIpAddr DisplayString, fwMapRegisteredIpAddr DisplayString } fwMapSecIpAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "IP address to be translated into a specified registered IP addr" ::= {aFwNatMapEntry 1} fwMapRegisteredIpAddr OBJECT-TYPE SYNTAX DisplayString (SIZE (0..100)) ACCESS read-only STATUS mandatory DESCRIPTION "IP address into which a specified secured IP address should be translated." ::= {aFwNatMapEntry 2} fwNatStatus OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "The status of Network Address Translation" -- The possible values are active, deactive. ::= {fwNatAddrTransGrp 5} fwNatLogStatus OBJECT-TYPE SYNTAX DisplayString (SIZE (0..20)) ACCESS read-only STATUS mandatory DESCRIPTION "Logging status of Network Address Translation" -- The possible values are enabled, disabled ::= {fwNatAddrTransGrp 6} END
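Most of the MIB is read-only, but a few objects in the subagent group (fwCritlogLocation, fwSvrStatPoll) are read-write, and an SNMPv1 manager holding the write community string can set them. Before pointing a monitoring station at the firewall it is worth listing which objects are writable and what their OIDs are relative to fwMib. The following is an added example, not IBM code: a small SMIv1 walker that reads OBJECT-TYPE and OBJECT IDENTIFIER definitions, resolves each object's OID down from the module root, and reports the read-write ones. The MIB excerpt embedded below is a shortened copy of objects from this appendix; fwMib and fwSubagentGroup are left symbolic because their own assignments are not part of this excerpt.

```python
"""Resolve relative OIDs and list writable objects in an SMIv1 MIB module.

Added example, not part of the IBM Firewall or its MIB.  MIB_EXCERPT is a
shortened copy of object definitions from the appendix above.
"""
import re

_OBJ = re.compile(
    r"(\w+)\s+OBJECT-TYPE\s+SYNTAX\s+(.+?)\s+ACCESS\s+(\S+)\s+STATUS\s+"
    r".*?::=\s*\{\s*(\w+)\s+(\d+)\s*\}", re.S)
_OID = re.compile(r"(\w+)\s+OBJECT\s+IDENTIFIER\s+::=\s*\{\s*(\w+)\s+(\d+)\s*\}")


def parse_mib(text):
    """Return {name: {parent, sub, access, syntax}} for every node found."""
    text = re.sub(r"--[^\n]*", "", text)          # drop ASN.1 comments first
    nodes = {}
    for m in _OID.finditer(text):
        name, parent, sub = m.groups()
        nodes[name] = {"parent": parent, "sub": int(sub),
                       "access": None, "syntax": None}
    for m in _OBJ.finditer(text):
        name, syntax, access, parent, sub = m.groups()
        nodes[name] = {"parent": parent, "sub": int(sub), "access": access,
                       "syntax": " ".join(syntax.split())}
    return nodes


def resolve(nodes, name):
    """Dotted path from the first ancestor NOT defined in the module, e.g.
    'fwMib.13.1.7'.  Unknown ancestors stay symbolic rather than guessed."""
    parts = []
    while name in nodes:
        parts.append(str(nodes[name]["sub"]))
        name = nodes[name]["parent"]
    return ".".join([name] + parts[::-1])


def writable(nodes):
    """Names of objects a manager with the write community could SET."""
    return sorted(n for n, v in nodes.items() if v["access"] == "read-write")


# Shortened copy of definitions from the appendix (constructed excerpt).
MIB_EXCERPT = """
fwCritlogLocation OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))  ACCESS read-write  STATUS mandatory
    DESCRIPTION "Location of critlog file(s)."  ::= {fwSubagentGroup 5}
fwSvrStatPoll OBJECT-TYPE
    SYNTAX INTEGER  ACCESS read-write  STATUS mandatory
    DESCRIPTION "Polling interval (in minutes) for server status thread."  ::= {fwSubagentGroup 6}
fwCfgFileTbl OBJECT-TYPE
    SYNTAX SEQUENCE OF FwCfgFileEntry  ACCESS not-accessible  STATUS mandatory
    DESCRIPTION "Information about FW and FW-related configuration files."  ::= {fwMib 13}
aFwCfgFileEntry OBJECT-TYPE
    SYNTAX FwCfgFileEntry  ACCESS not-accessible  STATUS mandatory
    DESCRIPTION ""  INDEX {fwCfgFileName}  ::= {fwCfgFileTbl 1}
FwCfgFileEntry ::= SEQUENCE { fwCfgFileName DisplayString, fwCfgStatus INTEGER, fwCheckSum INTEGER }
fwCfgStatus OBJECT-TYPE
    SYNTAX INTEGER { vUnknown (0), vNotFound (1), vFound (2) }  ACCESS read-only  STATUS mandatory
    DESCRIPTION "Is the file found?"  ::= {aFwCfgFileEntry 6}
fwCheckSum OBJECT-TYPE
    SYNTAX INTEGER  ACCESS read-only  STATUS mandatory
    DESCRIPTION "checksum on the file"
    -- a trailing comment, stripped by the parser
    ::= {aFwCfgFileEntry 7}
-- FW Filter Status Group ========================================
fwFilterStatGrp OBJECT IDENTIFIER ::= {fwMib 14}
fwFilterNumRules OBJECT-TYPE
    SYNTAX INTEGER  ACCESS read-only  STATUS mandatory
    DESCRIPTION "Number of rules in filter list."  ::= {fwFilterStatGrp 2}
"""

if __name__ == "__main__":
    nodes = parse_mib(MIB_EXCERPT)
    for name in sorted(nodes):
        print(f"{resolve(nodes, name):24} {nodes[name]['access'] or '-':16} {name}")
    print("read-write:", writable(nodes))
```

Run against the full MIB text, the same three functions give the suffixes to append to the firewall's fwMib prefix for snmpget/snmpwalk, and the read-write list is the set of objects to restrict to a read-only community on the agent.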
This appendix describes the CDMF security transform for the IP Encapsulating Security Payload (ESP). It follows the structure of RFC 1829 (the ESP DES-CBC transform); see that RFC for more details.
The secret CDMF key shared between the communicating parties is eight octets in length. This key is a 64-bit quantity used by the CDMF algorithm. The CDMF algorithm first runs a key-shortening algorithm to reduce the 64-bit value (56-bit key) to a 40-bit key. The 40-bit key is stored as 64 bits (eight octets). This 40-bit key is then used for encryption and decryption.
CDMF requires an Initialization Vector (IV) that is eight octets in length.
Each datagram contains its own IV. Including the IV in each datagram ensures that decryption of each received datagram can be performed, even when other datagrams are dropped, or datagrams are reordered in transit.
The method for selection of IV values is implementation dependent.
The CDMF algorithm operates on blocks of eight octets; it is essentially DES-CBC run with a weakened key (40 bits instead of 56). Because the cipher works in whole blocks, padding is usually required after the end of the unencrypted payload data.
Both input and output result in the same number of octets, which facilitates in-place encryption and decryption.
On receipt, if the length of the data to be decrypted is not an integral multiple of eight octets, then an error is indicated, as described in RFC-1825.
Figure 7 shows the payload format.
Figure 7. Payload Format
In CBC mode, the base CDMF encryption function is applied to the XOR of each plaintext block with the previous ciphertext block to yield the ciphertext for the current block. Because every datagram carries its own IV, this also provides re-synchronization when datagrams are lost.
Append zero or more octets of (preferably random) padding to the plaintext, to make its modulo 8 length equal to 6. For example, if the plaintext length is 41, 5 octets of padding are added.
Append a Pad Length octet containing the number of padding octets just added.
Append a Payload Type octet containing the IP Protocol/Payload value which identifies the protocol header that begins the payload.
Provide an Initialization Vector (IV) of the size indicated by the SPI.
Encrypt the payload with CDMF, producing a ciphertext of the same length.
Octets are mapped to CDMF blocks in network order with the most significant octet first. (See RFC-1700.) Octet 0 (modulo 8) of the payload corresponds to bits 1-8 of the 64-bit CDMF input block, while octet 7 (modulo 8) corresponds to bits 57-64 of the CDMF input block.
Construct an appropriate IP datagram for the target destination, with the indicated SPI, IV, and payload.
The Total/Payload Length in the encapsulating IP header reflects the length of the encrypted data, plus the SPI, IV, padding, Pad Length, and Payload Type octets.
First, the SPI field is removed and examined. This is used as an index into the local Security Parameter table to find the negotiated parameters and decryption key.
The encrypted part of the payload is decrypted using CDMF.
The Payload Type is removed and examined. If it is unrecognized, the payload is discarded with an appropriate ICMP message.
The Pad Length is removed and examined. The specified number of pad octets are removed from the end of the decrypted payload, and the IP Total/Payload Length is adjusted accordingly.
The IP Header(s) and the remaining portion of the decrypted payload are passed to the protocol receive routine specified by the Payload Type field.
Users need to understand that the quality of the security provided by this specification depends completely on the strength of the CDMF algorithm, the correctness of that algorithm's implementation, the security of the key management mechanism and its implementation, the strength of the key and upon the correctness of the implementations in all of the participating nodes.
Among other considerations, applications may wish to take care not to select weak keys, although the odds of picking one at random are low.
The cut-and-paste attack exploits the nature of all Cipher Block Chaining algorithms. When a block is damaged in transmission, on decryption both it and the following block will be garbled by the decryption process, but all subsequent blocks will be decrypted correctly. If an attacker has legitimate access to the same key, this feature can be used to insert or replay previously encrypted data of other users of the same engine, revealing the plaintext. The usual (ICMP, TCP, UDP) transport checksum can detect this attack, but on its own is not considered cryptographically strong. In this situation, user- or connection-oriented integrity checking is needed. (See RFC-1826.)
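The following is an added example, not code from the IBM Firewall, that walks through the construction and receipt steps above and then demonstrates the CBC property behind the cut-and-paste attack. CDMF itself is not available in Python's standard library, so a clearly labelled stand-in 64-bit keyed permutation is used in its place (it has none of CDMF's strength and exists only so the chaining and framing can be exercised); everything else (padding to length 6 mod 8, the Pad Length and Payload Type octets, the eight-octet IV, the SPI lookup, and the multiple-of-eight length check from RFC 1825) follows the text. The key, SPI and payload bytes are constructed for the example.

```python
"""ESP framing per the CDMF transform above, with a stand-in block permutation.

Added example; not IBM code.  The "cipher" below is NOT CDMF and must never
be used for real traffic: it is an invertible 64-bit permutation that lets the
CBC chaining, the trailer layout and the error-propagation property be shown.
"""
import os
import struct

BLOCK = 8                     # CDMF block size in octets
IV_LEN = 8                    # IV size the transform text specifies
MASK64 = (1 << 64) - 1
_MUL = 0x9E3779B97F4A7C15     # odd, hence invertible modulo 2**64
_MUL_INV = pow(_MUL, -1, 1 << 64)


def _e(block, key):
    """Stand-in block encryption (assumption: placeholder for CDMF)."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    return ((x * _MUL) & MASK64).to_bytes(BLOCK, "big")


def _d(block, key):
    """Inverse of _e."""
    x = (int.from_bytes(block, "big") * _MUL_INV) & MASK64
    return (x ^ int.from_bytes(key, "big")).to_bytes(BLOCK, "big")


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(plain, key, iv):
    out, prev = [], iv
    for i in range(0, len(plain), BLOCK):
        prev = _e(_xor(plain[i:i + BLOCK], prev), key)   # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher, key, iv):
    out, prev = [], iv
    for i in range(0, len(cipher), BLOCK):
        c = cipher[i:i + BLOCK]
        out.append(_xor(_d(c, key), prev))                # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def pad_len_for(plain_len):
    """Octets of padding that make (plain_len + pad) mod 8 == 6."""
    return (6 - plain_len) % BLOCK


def esp_encapsulate(payload, payload_type, spi, key, iv=None):
    """Sender: pad, append Pad Length and Payload Type, prepend SPI and IV, encrypt."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    n = pad_len_for(len(payload))
    clear = payload + os.urandom(n) + bytes([n, payload_type])
    return struct.pack("!I", spi) + iv + cbc_encrypt(clear, key, iv)


def esp_decapsulate(datagram, key_table):
    """Receiver: SPI lookup, length check, decrypt, then strip the trailer."""
    spi = struct.unpack("!I", datagram[:4])[0]
    key = key_table[spi]                          # KeyError == unknown SPI: discard
    iv = datagram[4:4 + IV_LEN]
    enc = datagram[4 + IV_LEN:]
    if len(enc) % BLOCK != 0:
        raise ValueError("encrypted length is not a multiple of 8 octets")
    clear = cbc_decrypt(enc, key, iv)
    payload_type, n = clear[-1], clear[-2]
    if n > len(clear) - 2:
        raise ValueError("Pad Length exceeds decrypted payload")
    return payload_type, clear[:len(clear) - 2 - n]


def garbled_blocks(datagram, key_table, corrupt_block):
    """Flip one bit in ciphertext block `corrupt_block` and return the indices
    of plaintext blocks that change: only that block and the next one."""
    key = key_table[struct.unpack("!I", datagram[:4])[0]]
    iv, enc = datagram[4:12], bytearray(datagram[12:])
    good = cbc_decrypt(bytes(enc), key, iv)
    enc[corrupt_block * BLOCK] ^= 0x80
    bad = cbc_decrypt(bytes(enc), key, iv)
    return [i for i in range(len(good) // BLOCK)
            if good[i * BLOCK:(i + 1) * BLOCK] != bad[i * BLOCK:(i + 1) * BLOCK]]


if __name__ == "__main__":
    key, table = bytes(range(8)), {0x100: bytes(range(8))}   # constructed
    dg = esp_encapsulate(b"A" * 41, 6, 0x100, key)           # 41 -> 5 pad octets
    print(esp_decapsulate(dg, table))
    print("blocks garbled by corrupting block 1:", garbled_blocks(dg, table, 1))
```

The 41-octet payload of the text becomes 48 octets of ciphertext (41 + 5 padding + Pad Length + Payload Type). Corrupting ciphertext block 1 changes only plaintext blocks 1 and 2, which is exactly why the text asks for an integrity check (RFC 1826) rather than trusting the transport checksum.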
Requests for comments (RFCs) are documents that present new protocols and establish standards for the Internet protocol suite. Hardcopies of all RFCs are available from the Network Information Center (NIC), either individually or on a subscription basis. You can obtain these documents from:
Government Systems, Inc. Attn: Network Information Center 14200 Park Meadow Drive Suite 200 Chantilly, VA 22021
You can access RFCs from this URL:
http://www.cis.ohio-state.edu/hypertext/information/rfc.html
Online copies are available from the NIC using FTP to connect to ds.internic.net. You can transfer the files using the following format:
RFC:RFCnnnn.TXT
RFC:RFCnnnn.PS

where nnnn is the RFC number.
The format for the RFC index is:
RFC:RFC-INDEX.TXT
Note: Many RFCs are only available in text format. Before requesting a PostScript file, first check the RFC Index to make sure the RFC is available in that format. You can also request online copies of the RFCs through electronic mail, from the automated NIC mail server, by sending a message to mailserv@ds.internic.net. You must include one of the following commands in the body of your note:

SEND RFCnnnn.TXT or SEND RFCnnnn.PS

where nnnn is the RFC number.
For example, to request the text format of RFC 812, you would specify in the body of your note:
SEND RFC812.TXT
To request an online copy of the RFC index, include the following command in the body of your note:
SEND RFC-INDEX.TXT
This appendix shows you what an AIX socks client file should look like.
The socks configuration file (/etc/socks.conf) for AIX systems is used by the socks client programs to permit or deny access through the firewall using the socks server, or to redirect a client request to a standard (non-socks) server.
Some socks client programs use this file to determine whether to use a direct or a socks server connection to a given destination host, and to exert access control based on the destination host, the requested service (port number on the destination host), and the effective user ID of the requesting local user.
Web browsers generally have their own socks configuration methods.
Every time a socks client has to make a network connection, the client checks the pending request against the file /etc/socks.conf, one line at a time. When the client finds a line with conditions that are matched by the request, the action specified on that line is taken and the remaining lines of /etc/socks.conf are skipped. So the order of the lines in the file is extremely important; switch two lines and you might get entirely different results. If no matching line is found anywhere in the file, the request is denied.
Although there is an implied "deny all" at the end of the control file, you can supply an explicit "deny all" rule, for example:
deny 0.0.0.0 0.0.0.0 : /usr/bin/mail -s 'SOCKS: rejected %S from %u to %Z' root
Connection to address 127.0.0.1 (localhost) and 0.0.0.0 (broadcast) is always done directly, so there is no need to specify those in /etc/socks.conf.
Each line of the file has this form (fields in brackets are optional):

action [@=server_list] [*=user_list] destination_address destination_mask [log_op destination_portnumber] [: shell_command]

The parameter options for the socks file are:

action
    deny refuses the request, direct connects to the destination host without a socks server, and sockd connects through a socks server.
@=server_list
    The socks server host, or a comma-separated list of hosts, to use for a sockd line.
*=user_list
    A comma-separated list of local user IDs; the line matches only if the effective user ID of the requesting user is in the list.
destination_address
    The destination IP address the request is compared against.
destination_mask
    Mask applied to both addresses before the comparison; a 1 bit means that bit must match.
log_op destination_portnumber
    A comparison operator (eq, neq, lt, gt, le or ge) and the destination port against which the request's port is compared.
: shell_command
    A shell command to run when the line matches.
For example, if you specify 255.255.255.255 in the destination_mask field, the actual destination address must match exactly the address specified in the destination_address field.
But if you specify 0.0.0.0 in the destination_mask field, any destination address will match.
Note: This is the way subnet masks are interpreted in TCP/IP, but it is the opposite of how address masks are used in a router's access lists.
The destination_portnumber is a destination port.
The socks server uses the logical operation and the port number to compare to the port number in a request. The destination port in the request, and the destination_portnumber field must relate as stated by the log_op.
For example, if log_op is EQ and destination_portnumber is 23, then the incoming request is allowed ONLY if it is for port 23. If you omit this pair, the rule applies to all ports.
Several shell commands can be strung together with "|" or ";".
Consider this sample rule:
sockd @=1.2.3.4 *=boss,root 11.12.13.14 255.255.255.255 eq 23
To match the condition indicated in this line, a request must come from a local user whose effective ID is either boss or root. The destination IP address must be 11.12.13.14 exactly. The destination port must be 23. In that case, connection to host 11.12.13.14 should be done via a socks server on host 1.2.3.4.
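The following Python program is an added illustration of the matching rules described in this appendix; it is not part of the IBM Firewall product. It reads socks.conf lines of the form shown above (action, optional @=server list, optional *=user list, destination_address, destination_mask, optional log_op and destination_portnumber, optional ": command"), tries them in file order, takes the first match, and denies a request that matches no line. The mask is applied as a TCP/IP subnet mask, as the text describes. Only "eq" appears in this appendix; the other comparison operators (neq, lt, gt, le, ge) and the "direct" action keyword are assumptions about the classic socks.conf syntax, and the sample configuration is constructed for the example.

```python
"""Added example: evaluate /etc/socks.conf rules (first match wins, implied deny).
Not IBM Firewall code; it models the semantics described in Appendix F."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Only "eq" is shown in the text; the remaining operators are an assumption.
OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "lt": lambda a, b: a < b, "gt": lambda a, b: a > b,
       "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b}


@dataclass
class Rule:
    action: str                                   # deny | direct | sockd
    dest_addr: int                                # destination_address as int
    dest_mask: int                                # destination_mask as int
    servers: list = field(default_factory=list)   # @=host,host (socks servers)
    users: list = field(default_factory=list)     # *=user,user (effective IDs)
    log_op: Optional[str] = None                  # eq, neq, ...
    port: Optional[int] = None                    # destination_portnumber
    command: Optional[str] = None                 # shell command after ':'


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_rule(line):
    """Parse one socks.conf line; return None for blank or comment lines."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    head, _, cmd = text.partition(" : ")
    tok = head.split()
    action = tok.pop(0).lower()
    if action not in ("deny", "direct", "sockd"):
        raise ValueError("unknown action: " + action)
    servers, users = [], []
    while tok and tok[0][:2] in ("@=", "*="):
        item = tok.pop(0)
        (servers if item.startswith("@=") else users).extend(item[2:].split(","))
    dest_addr, dest_mask = _ip(tok.pop(0)), _ip(tok.pop(0))
    log_op = port = None
    if tok:                                       # optional "log_op port" pair
        log_op = tok.pop(0).lower()
        if log_op not in OPS:
            raise ValueError("unknown log_op: " + log_op)
        port = int(tok.pop(0))
    return Rule(action, dest_addr, dest_mask, servers, users, log_op, port,
                cmd.strip() or None)


def load_rules(config_text):
    return [r for r in map(parse_rule, config_text.splitlines()) if r]


def matches(rule, user, dst_ip, dst_port):
    """Every condition stated on the line must hold."""
    if rule.users and user not in rule.users:
        return False
    # Subnet-mask style: 255.255.255.255 requires an exact address match,
    # 0.0.0.0 matches any destination address.
    if (_ip(dst_ip) & rule.dest_mask) != (rule.dest_addr & rule.dest_mask):
        return False
    if rule.log_op and not OPS[rule.log_op](dst_port, rule.port):
        return False
    return True


def decide(rules, user, dst_ip, dst_port):
    """Return (action, socks_servers, command) from the first matching line,
    or the implied "deny all" when no line matches."""
    for rule in rules:
        if matches(rule, user, dst_ip, dst_port):
            return rule.action, list(rule.servers), rule.command
    return "deny", [], None


# Constructed sample file: the sample rule from the text, a direct route for
# an internal network, and an explicit final deny that mails root.
SAMPLE_CONF = """
# socks.conf (constructed for this example)
sockd @=1.2.3.4 *=boss,root 11.12.13.14 255.255.255.255 eq 23
direct 10.0.0.0 255.0.0.0
deny 0.0.0.0 0.0.0.0 : /usr/bin/mail -s 'SOCKS: rejected %S from %u to %Z' root
"""

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONF)
    for req in [("boss", "11.12.13.14", 23), ("boss", "11.12.13.14", 80),
                ("alice", "11.12.13.14", 23), ("alice", "10.9.8.7", 443)]:
        print(req, "->", decide(rules, *req))
```

Reversing the rule list (deny line first) makes every request fall into the deny line, which is the ordering effect the text warns about; removing the explicit deny line changes nothing for unmatched requests, because the implied deny applies.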
The crontab command submits, edits, lists, or removes cron jobs. A cron job is a command run by the cron daemon at regularly scheduled intervals.
crontab syntax
crontab [-e | -l | -r | -v | File ]
The default editor is vi.
When you finish creating entries and exit the file, the crontab command copies the file into the /var/spool/cron/crontabs directory and names it with your current username. If a file with your name already exists in the crontabs directory, the crontab command overwrites the existing name.
Alternatively, you can create a crontab file by specifying the File parameter. If the file already exists, it must be in the format the cron daemon expects. If the file does not exist, the crontab command invokes the editor. If the EDITOR environment variable exists, the command invokes the editor it specifies. Otherwise, the crontab command uses the vi editor.
The cron daemon runs commands according to the crontab file entries. Unless you redirect the output of a cron job to standard output or error, the cron daemon mails you any command output or error. If you specify a cron job incorrectly in your crontab file, the cron daemon does not run the job.
The cron daemon examines crontab files only when the cron daemon is initialized. When you make changes to your crontab file using the crontab command, a message indicating the change is sent to the cron daemon. This eliminates the overhead of checking for new or changed files at regularly scheduled intervals.
The /var/adm/cron/cron.allow and /var/adm/cron/cron.deny files control which users can use the crontab command. A root user can create, edit, or delete these files. Entries in these files are user login names with one name to a line. If your login ID is associated with more than one login name, the crontab command uses the first login name that is in the /etc/passwd file, regardless of which login name you might actually be using.
Here is a quick method for setting up a crontab. To learn more about the AIX crontab function, issue "man crontab" from the AIX command line.
To set up a crontab that will compress and archive all log files (that have been configured to be archived) every Sunday at 2am, follow these steps:
Note: This should bring up an editor session using the editor defined by your $EDITOR variable. If you wish to use another editor, you can either change the value of the $EDITOR variable or issue "crontab -l > tempcron". You can then edit the tempcron file and issue "crontab tempcron" to activate your changes to the file.
minute hour day_of_month month weekday
These fields accept the following values:
To run the fwlogmgmt command every Sunday at 2 am, add the following line to the bottom of the crontab file:
0 2 * * 0 /usr/bin/fwlogmgmt -l
Your crontab file should look something like:
--------------------------------------------------------
#(c) COPYRIGHT International Business Machines Corp. 1989,1994
#All Rights Reserved
#Licensed materials - Property of IBM
#
#US Government Users Restricted Rights - Use, duplication or
#disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
#0 3 * * * /usr/sbin/skulker
#45 2 * * 0 /usr/lib/spell/compress
#45 23 * * * ulimit 5000; /usr/lib/smdemon.cleanu > /dev/null
0 11 * * * /usr/bin/errclear -d S,0 30
0 12 * * * /usr/bin/errclear -d H 90
0 2 * * 0 /usr/bin/fwlogmgmt -l
--------------------------------------------------------
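The following Python program is an added example, not part of AIX or the IBM Firewall. It checks the five time fields of crontab entries (minute hour day_of_month month weekday) against the standard ranges, rejects malformed entries (which the cron daemon would silently refuse to run), and reports which commands in a crontab file fire at a given date and time, so you can confirm that "0 2 * * 0" really means 2 am every Sunday before installing it. Field syntax beyond "*", single numbers, lists and ranges, and the rule that a restricted day_of_month and a restricted weekday are combined with "or" (the POSIX crontab behaviour), are assumptions about the standard format; the sample crontab is constructed for the example.

```python
"""Added example: validate crontab time fields and compute which entries fire.
Not AIX or IBM Firewall code; it models the standard five-field format."""
from datetime import datetime

# Field name and allowed range; weekday 0 is Sunday in crontab.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day_of_month", 1, 31),
          ("month", 1, 12), ("weekday", 0, 6)]


def _expand(spec, lo, hi, name):
    """Expand '*', 'n', 'a,b,c' or 'a-b' into (set_of_values, was_star)."""
    if spec == "*":
        return set(range(lo, hi + 1)), True
    values = set()
    for part in spec.split(","):
        if "-" in part:
            a, b = (int(x) for x in part.split("-", 1))
        else:
            a = b = int(part)
        if not (lo <= a <= b <= hi):
            raise ValueError("%s: %r outside %d-%d" % (name, part, lo, hi))
        values.update(range(a, b + 1))
    return values, False


def parse_entry(line):
    """Return ([(values, was_star) x5], command) or raise ValueError."""
    parts = line.strip().split(None, 5)
    if len(parts) < 6:
        raise ValueError("entry needs five time fields and a command")
    fields = [_expand(spec, lo, hi, name)
              for spec, (name, lo, hi) in zip(parts[:5], FIELDS)]
    return fields, parts[5]


def entry_matches(fields, when):
    """True if an entry with these parsed fields fires at datetime `when`."""
    (mins, _), (hours, _), (doms, dom_star), (months, _), (wdays, wday_star) = fields
    cron_wday = (when.weekday() + 1) % 7      # Python Monday=0 -> cron Sunday=0
    if when.minute not in mins or when.hour not in hours or when.month not in months:
        return False
    dom_ok, wday_ok = when.day in doms, cron_wday in wdays
    if not dom_star and not wday_star:
        # POSIX rule (assumed here): both day fields restricted means either
        # one matching is enough.
        return dom_ok or wday_ok
    return dom_ok and wday_ok


def _active_lines(crontab_text):
    for number, line in enumerate(crontab_text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield number, line


def check_crontab(crontab_text):
    """List (line_number, error) for every malformed entry in the file."""
    errors = []
    for number, line in _active_lines(crontab_text):
        try:
            parse_entry(line)
        except ValueError as exc:
            errors.append((number, str(exc)))
    return errors


def fires_at(crontab_text, year, month, day, hour, minute):
    """Commands from the file that run at the given date and time."""
    when = datetime(year, month, day, hour, minute)
    return [cmd for _, line in _active_lines(crontab_text)
            for fields, cmd in [parse_entry(line)] if entry_matches(fields, when)]


# Constructed sample, modelled on the crontab file shown above.
SAMPLE_CRONTAB = """\
# constructed sample crontab for this example
#45 2 * * 0 /usr/lib/spell/compress
0 11 * * * /usr/bin/errclear -d S,0 30
0 12 * * * /usr/bin/errclear -d H 90
0 2 * * 0 /usr/bin/fwlogmgmt -l
"""

if __name__ == "__main__":
    print("errors:", check_crontab(SAMPLE_CRONTAB))
    # 4 May 1997 was a Sunday, so only the log archiving job should fire.
    print(fires_at(SAMPLE_CRONTAB, 1997, 5, 4, 2, 0))
```

Run check_crontab over the tempcron file before issuing "crontab tempcron"; a malformed entry is otherwise installed without complaint and simply never runs.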
References in this publication to IBM products, programs, or services do not imply that IBM intends to make them available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Subject to IBM's valid intellectual property or other legally protectable rights, any functionally equivalent product, program, or service may be used instead of the IBM product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by IBM, are the responsibility of the user.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
Site Counsel
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement.
This document is not intended for production use and is furnished as is without any warranty of any kind, and all warranties are hereby disclaimed including the warranties of merchantability and fitness for a particular purpose.
IBM is required to include the following statements in order to distribute portions of this document and the software described herein to which contributions have been made by the University of California and NEC Systems Laboratory.
This product includes software developed by the University of California, Berkeley and its contributors.
Portions Copyright © 1993, 1994 by NEC Systems Laboratory.
This product contains code licensed from RSA Data Security Incorporated.
The following terms are trademarks of the IBM corporation in the United States or other countries or both:
Microsoft, Windows and the Windows 95 logo are trademarks or registered trademarks of Microsoft Corporation.
UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited.
Java and HotJava are trademarks of Sun Microsystems, Inc.
Other company, product, and service names, which may be denoted by a double asterisk (**), may be trademarks or service marks of others.
This glossary contains technical terms that are used in the documentation for many of the IBM networking software products. It includes IBM product terminology as well as selected terms and definitions from:
The following cross-references are used in this glossary: