ConSeal flipping NICs

Hello.

I'm rebuilding an NT server running ConSeal 2.06 with 2 NICs, one internal LAN and one Internet DSL. All was fine before, but on the new system, with different NICs, ConSeal flips the NICs, so the external NIC is the second tab instead of the first. Internal rules are now on the external NIC and vice versa.

Anyone know why this is happening and how to fix it?

Thanks, nf

nutso fasst

It would help if we knew what "rebuilding" means in this context, whether "new system" means different hardware, and whether the OS sees the NICs differently.

Absent that information, I'll guess the problem is likely related to the order in which devices are enumerated on the PCI bus, in which case some juggling of NICs vs PCI slots is likely to resolve it.

Triffid

Triffid

Thanx for the reply.

Moving same OS and programs to different MB, HDD and NICs. Old AT system's been running near continuous 24/7 for 6 years and HDD's getting noisy.

This seems unlikely, as ISA NICs were not uncommon when old system was built. 'Twould be a very dumb algorithm for discerning which NIC was internal.

Pisser there's 1 ruleset for 2 NICs, and that it's not editable in text form. If there were a separate ruleset for each NIC 'twould be no problem.

The NIC for the external network is on the MB, the one for the internal network is a gigabit PCI card. Won't the MB NIC always have a lower I/O address than a PCI card?

Hard to believe this limitation would be built in to such a fine FW. There must be a way around it.

nutso fasst

"Won't the MB NIC always have a lower I/O address than a PCI card?"

Not necessarily. The first NIC the o/s detects is the first one listed. I suspect when you rebuilt the system the gigabit NIC was installed. Hence when the o/s detected both NICs, it chose the gigabit NIC as the first and the one on the mobo second.

If you want to resolve this issue, rebuild the system without the gigabit NIC installed. That way the o/s only detects the one on the mobo and hence it becomes the first NIC. Then install the gigabit NIC and it will become the second NIC.

In closing I will concur that the Conseal Firewall is a damn good firewall. Probably one of the best stateful firewalls available for a PC.

Don Kelloway

IME firewalls that run on general purpose operating systems take their NIC assignments from the OS, which in turn takes them from the BIOS enumeration order. No avoiding it, NICs are prone to moving around if you add/remove NICs or change the hardware. It has nothing to do with how 'fine' you consider the firewall software to be. We have specific rules regarding order of population of our Checkpoint firewall PCI slots in order to avoid exactly this issue.

If you can't resolve the problem by juggling NICs between slots, or by search and replace in text configuration files, you'll just have to re-do the firewall configuration - because it's not such a 'fine FW' after all.

Triffid

Triffid

That certainly sounds feasible - but didn't occur to me as I've never dealt with a firewall with fewer than 5 interfaces :-)

Triffid

Triffid

I can attest with personal experience from my days working with the Elron Firewall (formerly OnGuard Firewall) which supported multiple NICs on an NT4 platform that the above process will work. Yes. It can be a pain in the arse, but it will work.

Don Kelloway

Thanks for the suggestion. But the OS didn't detect either NIC. I had to manually specify both. And no matter which order they were installed, ConSeal still showed the gigabit NIC as NIC for external network.

Last install put the NICs in same order in both systems: internal NIC is NetworkCards/1, external is NetworkCards/2. So from what is ConSeal making a choice?

The answer to that is unclear, but I did figure out how to flip the NICs. In registry HKLM\SW\MS\Ncpa\CV, BindFileEx string includes a section for ConSeal protocol, which contains NIC descriptions. By flipping the descriptions, then making a change in bindings to force a reload, I now have ConSeal showing the NICs in the desired order.

nf

nutso fasst

Well, it sure was a pain finding the solution to this config problem, but in use ConSeal has seemed fine enough. One possible good thing about this problem is that I found that there is new life for ConSeal in the form of 8Signs. I thought the thing had been killed by Symantec.

nf

nutso fasst

"But the OS didn't detect either NIC. I had to manually specify both."

I'm glad to hear that you were able to edit the registry and swap things around. Personally I'm not a big fan of messing around with the registry, but sometimes we do what we have to.

If it helps: the o/s not detecting either NIC was the first sign of a problem. Under most circumstances the o/s will detect a NIC. If it doesn't, then this is a good reason why we'd only want to install one NIC at a time. The idea being that we can install the drivers for the first NIC (the one on the mobo), ensure it's working, etc. Then we can move on to installing the gigabit NIC and, if need be, install the drivers, ensure it's working, etc. It is by taking this methodical approach that the first NIC (the one on the mobo) would have been listed as first, and the gigabit NIC as second.

And yes, Conseal Firewall is an excellent firewall. I was glad to have participated in the BETA program for James Grant about five years ago and was very pleased with it. If I remember correctly, I think Signal 9 Solutions was the original company, they were bought by Deerfield and then by Symantec? It's been so long, I don't remember exactly. The last I read was that James formed 8Signs and is selling the firewall under a new name.

Don Kelloway
