Created April 3, 2009 10:13
Firewall upgrade:
=================

The firewall3.jnb2 and firewall4.jnb2 servers are reference builds for
where we want to go with stabilization and standardization. They have
both amd64 and i386 versions of the FIREWALLNG kernel config in their
/usr/src tree, but their /usr/obj is (obviously) only built for amd64.
They are referred to in the instructions below as "good server".

The "New firewall pair" lab's firewall1.jnb1 and firewall1.jnb2 have
/usr/src and /usr/obj ready to go for an upgrade. They can be used to
test the process.

On each firewall in the pair, starting with firewall2:
------------------------------------------------------

* Make this firewall the backup.
* rm -rf /usr/src /usr/obj /usr/ports
* mkdir /usr/obj
* Copy over /usr/src and /usr/ports from good server.
* Stop quagga.
* cd /usr/ports/net/quagga && make -DFORCE_PKG_REGISTER install clean
* Copy over /usr/local/etc/rc.d/quagga from good server.
* Copy over these files from /var/db/firewall on good server:
    Makefile
    scripts/vlanrulegen
* Edit /var/db/firewall/firewall.head to avoid the "indirect"
  keyword, using /var/db/firewall/firewall.head on good server
  as a reference.
* cd /var/db/firewall && make all
* Copy over /etc from good server to /etc.new on this server.
* Take BOOT_COMCONSOLE_SPEED out of /etc/make.conf.
* Set KERNCONF=FIREWALLNG in /etc/make.conf.
* Delete /boot.conf and empty out /boot/loader.conf.
* cd /usr/src && make buildworld && make buildkernel
* make installkernel && make installworld
* cd /etc &&
    cp passwd group login.conf newsyslog.conf \
       crontab sysctl.conf profile /etc.new/
    cp ssh/sshd_config /etc.new/ssh/
* cd / && mv etc etc.orig
* mv etc.new etc
* reboot
* Use ifconfig, vtysh and ipfw utilities to verify configuration.
* Make this firewall the master.
* Use ping tests to confirm connectivity for managed, truserv and
  inter-DC.
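Two of the steps above are easy to get wrong by hand: the /etc/make.conf edits, and the swap of /etc.new into place before this host's own passwd, group and sshd_config have been carried over. The helper below is an added example, not part of the original gist; it assumes POSIX sh with grep and sed available, and takes the paths as arguments so it can be exercised on a scratch copy first.

```shell
#!/bin/sh
# Added helper for the make.conf and /etc.new steps of the runbook above.
# Not from the original gist; assumes POSIX sh, grep and mv.

# Drop every BOOT_COMCONSOLE_SPEED setting and leave exactly one
# KERNCONF=FIREWALLNG line, replacing any KERNCONF already present.
fix_make_conf() {
    conf="$1"
    tmp="$conf.tmp.$$"
    grep -v '^[[:space:]]*BOOT_COMCONSOLE_SPEED' "$conf" \
        | grep -v '^[[:space:]]*KERNCONF' > "$tmp" || true
    echo 'KERNCONF=FIREWALLNG' >> "$tmp"
    mv "$tmp" "$conf"
}

# The host-specific files the runbook copies from the old /etc into
# /etc.new before "mv etc.new etc". Only the files the runbook lists
# are checked.
KEEP_FILES='passwd group login.conf newsyslog.conf crontab sysctl.conf profile ssh/sshd_config'

# Return 0 only if every file in KEEP_FILES exists under the given
# /etc.new; otherwise list what is missing and return 1, so the swap
# never leaves the good server's passwd or sshd_config in effect here.
verify_etc_new() {
    dir="$1"
    missing=0
    for f in $KEEP_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}
```

Run `verify_etc_new /etc.new` immediately before the `cd / && mv etc etc.orig` step; a non-zero exit means the cp step above it did not complete.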