The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Has only loopback (lo) interfce, aborting...

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Q:

When attempting to install a policy, I get the following error message:

    Installing Security Policy foobar on [email protected] 
    Has only loopback (lo) interface, aborting... 
    Failed to Load Security Policy: No such file or directory 
    Fetching Security Policy from firewall failed

A:

It is also possible that FireWall-1 has no clue about any of the interfaces that are loaded. You can force FireWall-1 to refresh it's interface list by uninstalling and reinstalling the kernel module as follows:

    # fw ctl uninstall 
    # fw ctl install 
    # fw fetch localhost

You should also check the Interfaces tab on the workstation object representing your firewall. If the interfaces listed are incorrect or missing, perform an SNMP Get and reset Anti-Spoofing as appropriate. You should then be able to install your policy.

This error may also be caused by backing out a service pack on Solaris (Sparc and i386). If the back out process fails, /etc/init.d/fw1boot and /etc/init.d/fw1bootd may not be restored correctly. As a result, FireWall-1 may give an error saying it recognizes only the loopback interface. A workaround is to backup the files /etc/init.d/fw1boot and /etc/init.d/fw1bootd before backing out the service pack and restoring them after backing out the service pack.

This error may also come up because the FireWall-1-specific startup scripts are either non-existent or are symlinks on a Solaris platform (for some reason, these don't work right). A copy of /etc/init.d/fw1bootd should be in /etc/rc2.d/S00fw1bootd and a copy of /etc/init.d/fw1boot should be named /etc/rcS.d/S25fw1boot.

This error message may also come up as a result of missing a dumb terminal definition in terminfo (happens frequently on Solaris), which can easily be fixed as follows:

    # cd /usr/share/lib/terminfo
    # cp v/vt100 d/dumb

Another person suggested moving $FWDIR/conf/product.conf to $FWDIR/conf/inst.conf and re-running fwconfig or cpconfig. You should also check to see /etc/fwboot/if.dev has the correct interface types listed there. This can happen when re-running fwconfig or cpconfig.

A person from Check Point explains the "accept" or "deny" in this file:

The deny/accept sets only the way the FW talks to the driver. If it will use DLPI or not. DLPI is supported on some adapters, and not supported by others. If you would change all the 'deny' to 'accept' you could have extremly odd behaviour with the FW. It is best not to touch the file, and if cpconfig asks you about cards that do not appear in the file, it is recommended that if in doubt about the capabilities of the NIC you should choose to deny DLPI.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.