@sheldonh
Created April 3, 2009 10:13
Firewall upgrade:
=================
The firewall3.jnb2 and firewall4.jnb2 servers are reference builds for
where we want to go with stabilization and standardization. They have
both amd64 and i386 versions of the FIREWALLNG kernel config in their
/usr/src tree, but their /usr/obj is (obviously) only built for amd64.
They are referred to in the instructions below as "good server".
The "New firewall pair" lab's firewall1.jnb1 and firewall1.jnb2 have
/usr/src and /usr/obj ready to go for an upgrade. They can be used to
test the process.
On each firewall in the pair, starting with firewall2:
------------------------------------------------------
* Make this firewall the backup, and confirm with ifconfig that it really
  is the backup before touching anything, so a failed build on this node
  cannot take the master down.
* rm -rf /usr/src /usr/obj /usr/ports
* mkdir /usr/obj
* Copy over /usr/src and /usr/ports from good server.
* Stop quagga.
* cd /usr/ports/net/quagga && make -DFORCE_PKG_REGISTER install clean
* Copy over /usr/local/etc/rc.d/quagga from good server.
* Copy over these files from /var/db/firewall on good server:
    Makefile
    scripts/vlanrulegen
* Edit /var/db/firewall/firewall.head to avoid the "indirect"
keyword, using /var/db/firewall/firewall.head on good server
as a reference.
* cd /var/db/firewall && make all
* Copy over /etc from good server to /etc.new on this server.
* Take BOOT_COMCONSOLE_SPEED out of /etc/make.conf.
* Set KERNCONF=FIREWALLNG in /etc/make.conf.
* Delete /boot.config (the boot-block config that carries the serial
  console settings) and empty out /boot/loader.conf.
* cd /usr/src && make buildworld && make buildkernel
* make installkernel && make installworld
* cd /etc &&
    cp passwd group login.conf newsyslog.conf \
        crontab sysctl.conf profile /etc.new/
    cp ssh/sshd_config /etc.new/ssh/
  Two things this list misses that must be preserved: copy master.passwd
  as well (passwd is generated from it and carries no password hashes, so
  copying passwd alone loses every local password) and then run
  pwd_mkdb -p -d /etc.new /etc.new/master.passwd so that pwd.db/spwd.db
  match; and copy ssh/ssh_host_* too, otherwise this firewall reboots
  with the good server's SSH host keys and both firewalls share one host
  identity.
* cd / && mv etc etc.orig
* mv etc.new etc
* reboot
* Use ifconfig, vtysh and ipfw utilities to verify configuration.
* Make this firewall the master.
* Use ping tests to confirm connectivity for managed, truserv and
inter-DC.
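The procedure above as a set of helper functions, added here as an example
and not part of the gist: the /etc staging step with the host-local files
the copy list needs (master.passwd, SSH host keys), the make.conf edit, the
backup precondition and the post-reboot checks. It assumes, since the gist
does not say, that the pair fails over with CARP (ifconfig prints a
"carp: MASTER|BACKUP ..." line), that rc.conf, fstab, hosts and resolv.conf
are host-local on these firewalls, and that the new kernel's ident is
FIREWALLNG; drop any file from PRESERVE that your site manages elsewhere.

```shell
#!/bin/sh
# Added example, not from the gist: helper functions for the /etc swap and
# the checks around it, in POSIX sh so they run under FreeBSD /bin/sh.
# Assumed, not stated in the gist: the pair fails over with CARP (ifconfig
# prints "carp: MASTER|BACKUP ..."), rc.conf/fstab/hosts/resolv.conf are
# host-local files, and the kernel ident of the new kernel is FIREWALLNG.

# The gist's copy list, plus the files that make this firewall *this* one.
# master.passwd: /etc/passwd is derived from it and holds no hashes, so
#   copying passwd alone silently loses every local password.
# ssh/ssh_host_*: without them the rebooted firewall presents the good
#   server's host keys and both firewalls share one SSH identity.
PRESERVE='
passwd
master.passwd
group
login.conf
newsyslog.conf
crontab
sysctl.conf
profile
rc.conf
fstab
hosts
resolv.conf
ssh/sshd_config
ssh/ssh_host_dsa_key
ssh/ssh_host_dsa_key.pub
ssh/ssh_host_rsa_key
ssh/ssh_host_rsa_key.pub
'

# stage_etc LOCAL STAGE: copy each PRESERVE entry that exists in LOCAL (the
# running /etc) over the same path in STAGE (the good server's /etc copy).
# Fails if master.passwd did not land, so a half-staged tree is never swapped
# in.  On FreeBSD, rebuilds pwd.db/spwd.db in STAGE from the staged file.
stage_etc() {
    local_etc=$1 stage=$2
    for f in $PRESERVE; do
        [ -e "$local_etc/$f" ] || continue
        mkdir -p "$stage/$(dirname "$f")"
        cp -p "$local_etc/$f" "$stage/$f"
    done
    if [ ! -f "$stage/master.passwd" ]; then
        echo "stage_etc: $stage/master.passwd missing, refusing" >&2
        return 1
    fi
    if command -v pwd_mkdb >/dev/null 2>&1; then
        pwd_mkdb -p -d "$stage" "$stage/master.passwd"
    fi
}

# fix_make_conf FILE: drop BOOT_COMCONSOLE_SPEED and pin KERNCONF=FIREWALLNG,
# replacing any existing KERNCONF line rather than appending a second one
# (make(1) takes the last assignment, so a stale line would be easy to miss).
fix_make_conf() {
    mc=$1 tmp="$1.tmp.$$"
    grep -v -e '^[[:space:]]*BOOT_COMCONSOLE_SPEED' \
            -e '^[[:space:]]*KERNCONF' "$mc" > "$tmp" || true
    echo 'KERNCONF=FIREWALLNG' >> "$tmp"
    mv "$tmp" "$mc"
}

# carp_state_from TEXT: pull MASTER/BACKUP/INIT out of ifconfig(8) output.
# Prints nothing when the text has no carp line.
carp_state_from() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*carp: \([A-Z]*\)[[:space:]].*/\1/p' | head -n 1
}

# require_backup IFACE: the "make this firewall the backup" precondition;
# nothing destructive should run while this node is MASTER.
require_backup() {
    st=$(carp_state_from "$(ifconfig "$1")")
    [ "$st" = BACKUP ] || { echo "$1 is '$st', not BACKUP" >&2; return 1; }
}

# kernel_is IDENT: after reboot, check the FIREWALLNG kernel actually booted.
kernel_is() { [ "$(uname -i)" = "$1" ]; }

# all_reachable HOST...: the final ping tests (managed, truserv, inter-DC).
all_reachable() {
    for h in "$@"; do
        ping -c 3 -q "$h" >/dev/null 2>&1 || { echo "unreachable: $h" >&2; return 1; }
    done
}

# Typical use on the node being upgraded (paths assumed, as in the gist):
#   require_backup carp0 && fix_make_conf /etc/make.conf
#   ... buildworld/buildkernel/installkernel/installworld ...
#   stage_etc /etc /etc.new && cd / && mv etc etc.orig && mv etc.new etc
#   after reboot: kernel_is FIREWALLNG && all_reachable <managed> <truserv> <inter-DC>
```

stage_etc deliberately refuses to finish without a master.passwd in the
staged tree, because the failure mode otherwise is silent: the firewall
reboots fine and nobody can log in. The interface name, host list and
file list in the usage comment are placeholders to fill in per site.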