   .
   .
   .                                            InJoy Firewall Version 1.4
   .                                                       Getting Started
   .                                                      February 1, 2000
   .
   .
   .
   .
   .
   .
   .  ___ _   _     _  _____   __
   . |_ _| \ | |   | |/ _ \ \ / /
   .  | ||  \| |_  | | | | \ V /
   .  | || |\  | |_| | |_| || |
   . |___|_| \_|\___/ \___/ |_|
   .
   .  _____ ___ ____  _______        ___    _     _
   . |  ___|_ _|  _ \| ____\ \      / / \  | |   | |
   . | |_   | || |_) |  _|  \ \ /\ / / _ \ | |   | |
   . |  _|  | ||  _ <| |___  \ V  V / ___ \| |___| |___
   . |_|   |___|_| \_\_____|  \_/\_/_/   \_\_____|_____|
   .
   .
   .
   .
   .
   .
   .
   .
   .
   .
   .                                                    F/X Communications
   .                                                       DK-4300 Holbaek
   .                                                               Denmark
   .                                                 E-mail: support@fx.dk
   .                                                      http://www.fx.dk
   .
   .
   .
   .
   .
   .     Copyright (c) 1999-2000, F/X Communications, All Rights Reserved.
   .     Your usage of this product and its documentation are subject to
   .     your acceptance of the license agreement included with this product.
   .
   .     IBM and OS/2 are registered trademarks of International
   .     Business Machines, Inc. All other trademarks, registered trade
   .     marks, service marks and other registered marks are the property
   .     of their respective owners.




==========================================================================
 	C O N T E N T S
==========================================================================



   1.  Scope of Document
   2.  Introduction
   3.  Product Levels
   4.  System Requirements
   5.  Before Installation
   6.  Installing the InJoy Firewall
   7.  Installing the Device Driver
   8.  Running the InJoy Firewall
   9.  Configuring LAN clients
   10. Network Interface Configuration
   11. Gateway Configuration File
   12. Command Line Parameters
   13. Uninstalling
   14. Registration
   15. Troubleshooting
   16. Acknowledgments
   17. Contacts



==========================================================================
 1. 	S C O P E   O F   D O C U M E N T
==========================================================================



   This document describes how to install, configure and operate the
   InJoy Firewall. You should read this document prior to firewall.txt,
   but after checking for readme files with last minute instructions.

   For more information about configuration of the Filter and Firewall
   plugins, please refer to FILTER.TXT and FIREWALL.TXT respectively.

   For more information about IPSec VPNs, please click the appropriate
   icon in the information folder.

   For more information about PPP over Ethernet, please check the 
   PPPOE.TXT and PPPOEFAQ.TXT documents.



==========================================================================
 2. 	I N T R O D U C T I O N
==========================================================================



   The InJoy Firewall allows corporations using the IBM OS/2 operating
   system to securely connect the computers of a private LAN to the
   Internet.

   The InJoy Firewall was designed with Cable Modems and xDSL in
   mind. With minimal effort, the InJoy Firewall lets you connect
   and share a LAN-2-LAN connection among multiple work stations.
   
   You can run most standard networking applications on the LAN clients,
   without any reconfiguration of those applications.

   Implemented as a native, low-level Internet Firewall solution, the
   InJoy Firewall makes full use of the OS/2 system capabilities such as: 
   32-bit code, the layered NDIS communications model, OS/2 multi-
   threading and the robust OS/2 TCP/IP Stack (incl. DHCP).
   
   Operating beneath the routing layer, on raw packets, the InJoy Firewall
   offers a powerful platform for providing industry leading security and
   the best possible performance.

   Used in combination with the InJoy Firewall Plugin and sound security 
   policies, the InJoy Firewall turns into a powerful firewall providing
   a secure technology to regulate both in-bound and out-bound 
   communications. Add on the IPSec Plugin, and you have a unique OS/2
   product, supporting today's predominant VPN standard for interconnecting
   private networks over the Internet.

   Among the latest features, you will find full support for the PPP over
   Ethernet (PPPoE) protocol. PPPoE allows the Firewall operator to connect
   to ISPs that implement this new protocol.



==========================================================================
 3. 	P R O D U C T   L E V E L S
==========================================================================



   The InJoy Firewall is modular software that allows you to start small
   and grow as your needs dictate. It ships in the following two flavours:

	InJoy Firewall - STANDARD
	InJoy Firewall - PROFESSIONAL

   o The STANDARD version

   is the cost-effective Internet sharing solution. It provides superior
   performance, link monitoring, non-granular protection and much more ... 

   o The PROFESSIONAL version

   provides rule based access control, comprehensive packet filtering, 
   port and address redirection, traffic accounting and more via a special
   feature plugin. The InJoy Firewall Pro. version also supports IPSec
   e-security, the predominant and interoperable VPN standard. PPPoE has
   recently been added to the features available at this level.

   For a complete feature comparison chart, go to:

	http://www.fx.dk/firewall/chart.html



==========================================================================
 4. 	S Y S T E M   R E Q U I R E M E N T S
==========================================================================



   o IBM OS/2 3.0
   o 386SX
   o 8 MB total memory
   o 20 MB free disk space
   o TCP/IP for OS/2 3.0 or newer
   o LAN-to-LAN connection to the Internet
   o At least one 10/100 Mb Network Interface Card



==========================================================================
 5.	B E F O R E   I N S T A L L A T I O N
==========================================================================



   o Caution:

   You are about to install a product that adds a new device driver to
   your OS/2 system. The device driver layers with existing device drivers
   shipped with your LAN adapter(s) and incompatibility or bugs in these 
   drivers CAN (potentially) cause hazard to your OS/2 system. 

   If you are NOT experienced in the following areas:

        * TCP/IP networking and routing
        * OS/2 recovery options (i.e. the Maintenance Desktop)

   THEN please backup critical data before installing this software
   and/or consult a local expert or seek help on the Internet. F/X 
   Communications will in no way be held responsible for malfunctions or 
   data loss inflicted by our software.

   o MPTS

   Installation of FXWRAP.SYS makes it impossible for MPTS.EXE to
   correctly process PROTOCOL.INI. If you need to use MPTS to change
   your network and protocol configuration, then uninstall FXWRAP,
   make MPTS changes, and then reinstall FXWRAP. Simply use INSTALL.CMD 
   to install and uninstall FXWRAP. This takes only a few seconds.

   o The Private LAN

   The InJoy Firewall REQUIRES a properly configured private LAN. 
   The computer running the InJoy Firewall MUST have two network interfaces
   defined (NOT necessarily 2 LAN adapters). One network interface reflects
   the internal network and the other interface reflects the connection to
   the external network (Internet/ISP).

   If you wonder how such a LAN is configured or whether your existing
   configuration is supported, then jump to the "Network Interface 
   Configuration" section.

   o Using proper IP addresses

   Make sure your internal LAN is properly configured to use Private
   IP addresses as specified in RFC1918.

   The private IP address space includes these 3 segments:

	10.x.x.x
	172.16.x.x
	192.168.x.x

   o Testing your LAN

   In an OS/2 window, run the ping command and ping the machines connected
   to your OS/2 gateway PC. The machines you wish to get on the Internet
   must be pingable.

   o Testing your ISP connection

   Try to ping any desired host on the Internet, e.g:

	www.ibm.com
        www.netscape.com
	www.fx.dk

   If you get no response, then try a few more known hosts and if
   you still get no response, then your networking configuration is 
   incorrect and you should fix it before continuing.



==========================================================================
 6. 	I N S T A L L I N G   T H E   I N J O Y   F I R E W A L L
==========================================================================



   This InJoy Firewall evaluation software is distributed as a zipped archive. 
   To install, copy the archive into a directory of your choice and extract
   the files using Info-Zip's UNZIP.EXE.

   If the archive unzips without errors, you can be sure the downloaded 
   archive is intact. 

   With the files in place, run FOLDER.CMD to have a desktop folder created.

   Finally, you are ready to install the device driver. See next section.



==========================================================================
 7. 	I N S T A L L I N G   T H E   D E V I C E   D R I V E R 
==========================================================================



   Run INSTALL.CMD from the product directory. 

   INSTALL.CMD will show a list of installed LAN adapters and you
   should choose the LAN adapter that is connected to the external
   network (i.e. Internet Link / ISP).

   INSTALL.CMD backs up CONFIG.SYS and PROTOCOL.INI before updating
   the files with the required changes. 

   The FXWRAP.SYS file will be automatically copied from the product 
   directory to x:\IBMCOM\MACS, where x: is the drive where MPTN is installed.

   o Reboot System.

   To load the newly installed device driver, please reboot your system.

   IMPORTANT: A new device driver can potentially cause malfunction and
   failure to boot. This can be caused by conflict with hardware or other 
   device drivers and although unlikely, this may happen to you.
   If you experience such troubles, you need to use OS/2 Warp's Maintenance 
   Desktop to recover your system. When you boot OS/2, you will see a white 
   box in the upper left hand corner followed by "OS/2." Hit ALT-F1, and a 
   menu pops up with several options such as immediately dropping to a 
   command line. Dropping to a command line allows you to manually uninstall
   (see troubleshooting section). Having done that you will be able to reboot 
   normally and contact F/X Communications for further help.



==========================================================================
 8. 	R U N N I N G   T H E   I N J O Y   F I R E W A L L
==========================================================================



   After installing the device driver and rebooting, simply execute 
   GATEWAY.EXE directly from the product directory. If you prefer to run 
   the software via a desktop icon, then run FOLDER.CMD from the product 
   directory to have icons created.

   o Testing the Firewall

   The first step in testing the (running) firewall is to ping a desired host
   on the Internet. Pinging should work, just like it did before you
   installed the InJoy Firewall.

   Once able to access Internet servers, you can proceed to set up the
   LAN clients.



==========================================================================
 9. 	C O N F I G U R I N G   L A N   C L I E N T S
==========================================================================



   There is no master check list as your current configuration 
   affects what steps you have to take (like, do you already have
   TCP/IP configured?).

   How to configure the many TCP/IP stacks available for the various
   Operating Systems is outside the scope of this document, but in
   general all you need to configure on the LAN clients is:

   1) Clients MUST reference an external name server (as they will now have 
      Internet access).

   2) Clients must have the InJoy firewall PC configured as the default 
      route (a.k.a. default gateway).

   Unlike proxy based solutions, you do not need to reconfigure
   the various TCP/IP applications running on the LAN clients.

   With this configuration in place, you should now be able to use
   the Internet through your copy of the InJoy Firewall. If you can't,
   then please study the "Network Interface Configuration" and the
   troubleshooting section. As always, the F/X support crew is only
   an e-mail away (support@fx.dk).

   If you use PPPoE (PPP over Ethernet), then be sure to consult the
   PPPoE Guide for MTU considerations.



==========================================================================
 10.	N E T W O R K   I N T E R F A C E   C O N F I G U R A T I O N
==========================================================================



   There are two possible LAN configurations in which this product
   will work:

	1) Using one (1) LAN adapter in the firewall PC and using a hub for 
           the external connection to the Internet.

	2) Using two (2 - or more) LAN adapters in the firewall PC, with
           one LAN adapter connected directly to the external interface
           and the other connected to your internal interface.

   Using 2 LAN adapters is the more secure option as it physically separates
   the Internet & your intranet into 2 collision domains.
   This product handles both of the above setups identically, but the
   TCP/IP stack must be configured with respect to your setup.

   If in doubt about the network configuration to choose, consider
   the following 2 scenarios:

	* It is a typical 2-NIC installation if there are real-world
          IP addresses present inside the internal network.
          
          The reason:
          If a router is connected to the same network-hub as your
          internal network, then the router can bypass the Firewall
          and instead send packets directly to the internal clients.
          In this case, hackers on the Internet will have transparent 
          access to the internal PC.

          Internal computers using internal IP addresses are generally
          not at risk, as they are not directly addressable from the 
          Internet (unless the ISP cannot be trusted - see next scenario).

          Using two NICs, all packets must pass through the Firewall and
          access attempts for the internal real-world IP addresses will be
          denied - unless specifically allowed by rule.

	* It is a typical 2-NIC installation if there are no real-world 
          IP addresses on the internal network, but the ISP is considered
          an untrusted interface.

          The reason:
          Many of the Cable Internet Providers have thousands of
          customers connected into one big common network. On this
          network, internal IP addresses are likely to be somewhat valid
          and on account of faulty routing and lack of filtering, a route
          to your network could potentially be left open.

          Packets with internal IP addresses (e.g. 192.168.x.x) are not
          valid, nor routed over the public Internet, but within an ISP
          they could be broadcast around or routed directly. Using the
          appropriate tools, a hacker can easily scan for openings
          and follow up with an attack using only internal IP addresses.

          If packets with internal IP addresses hit your network-hub, 
          then they can be routed further to your internal LAN clients,
          bypassing the firewall.

          Such attacks are very dangerous and also very hard to track
          down, but in a 2-NIC installation they are rendered
          completely harmless.

   If your network scenario does not match the above, then a 
   1-LAN setup is probably acceptable, but if in doubt, go for the
   dual NIC setup.


   1) Using 1 LAN adapter
                                                 ___
                                                |___|  PC with
                    HUB/Switch                  |___|  InJoy Firewall
        Uplink     __________                   | _ |
        ______    |+_+_+_+_+_|                  | _ |
              \____| | | | |____________________| _ |
                     |   |                    __|___|__
                     |...|________
                     |             To other PCs
                     |____________

   The firewall PC should be configured with two TCP/IP network interfaces. 
   First network interface is for the uplink connection to the ISP. This 
   net is typically configured via DHCP.

   Second network interface is the internal net using IP addresses from 
   the private internet address space (e.g. 192.168.x.x).

   Example (based on the following values):

         uplink IP address is 123.45.67.2      (IP address ISP)
         uplink netmask is 255.255.255.252
         our IP address is 123.45.67.1         (ISP assigned)
         our interface name is lan0
         internal net is 192.168.1.0
         internal IP address is 192.168.1.254  (RFC1918-style IP address)
         internal netmask is 255.255.255.0

   Step by step configuration:

   NOTE: In case of DHCP you can skip the first two steps.

       	 Configure interface:

          ifconfig lan0 123.45.67.1 netmask 255.255.255.252

       	 Set default route to uplink:

          route add default 123.45.67.2 1

       	 Configure alias interface for internal net:

          ifconfig lan0 192.168.1.254 netmask 255.255.255.0 alias

          The 'alias' parameter at the end of the command allows two
          different nets on one real LAN adapter.

	 Enable forwarding:

          ipgate on

   You can use the OS/2 TCP/IP GUI to update your configuration, but many 
   find it easier to update SETUP.CMD (located in \MPTN\BIN). SETUP.CMD
   should include these lines after configuration:

	ifconfig lan0 123.45.67.1 netmask 255.255.255.252
	route add default 123.45.67.2 1
	ifconfig lan0 192.168.1.254 netmask 255.255.255.0 alias
	ipgate on


   2) Using 2 (or more) LAN adapters:

                  ___  PC with InJoy Firewall
                 |___|
                 | _ |       HUB/Switch
        Uplink   | _ |      __________
        ______   | _ |     |+_+_+_+_+_|
              \__| _ |______| | | | |______
               __|___|__      |   |
                              |...|________
                              |             To other PCs
                              |____________


   For this configuration it is required for the firewall PC to have 
   two (or more) LAN adapters installed.

   Example (based on the following values):

         uplink IP address is 123.45.67.2      (IP address ISP)
         uplink netmask is 255.255.255.252
         our IP address is 123.45.67.1         (ISP assigned)
         our interface name is lan0
         internal net is 192.168.1.0
         internal IP address is 192.168.1.254  (RFC1918-style IP address)
         internal netmask is 255.255.255.0
         name of internal net is lan1

   Step by step configuration:

   NOTE: In case of DHCP you can skip the first two steps.

         Configure interface:

          ifconfig lan0 123.45.67.1 netmask 255.255.255.252

         Set default route to uplink:

          route add default 123.45.67.2 1

         Configure interface for internal net:

          ifconfig lan1 192.168.1.254 netmask 255.255.255.0

         Enable forwarding:

          ipgate on

   You can use the OS/2 TCP/IP GUI to update your configuration, but many 
   find it easier to update SETUP.CMD (located in \MPTN\BIN). SETUP.CMD
   should include these lines after configuration:

	ifconfig lan0 123.45.67.1 netmask 255.255.255.252
	route add default 123.45.67.2 1
        ifconfig lan1 192.168.1.254 netmask 255.255.255.0
	ipgate on
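
   The check below is an added example, not part of the original manual or
   of F/X's software. It reads the SETUP.CMD lines shown in this section and
   reports when the internal net shares the uplink adapter or uses real-world
   addresses, the two conditions the scenarios above tie to packets bypassing
   the firewall. The finding names, the PUBLIC_INSIDE variant and the use of
   the default route to identify the uplink are assumptions of this example.

```python
import ipaddress
import re

# Constructed inputs: the SETUP.CMD lines this section shows for each layout.
ONE_NIC = """\
ifconfig lan0 123.45.67.1 netmask 255.255.255.252
route add default 123.45.67.2 1
ifconfig lan0 192.168.1.254 netmask 255.255.255.0 alias
ipgate on
"""
TWO_NIC = """\
ifconfig lan0 123.45.67.1 netmask 255.255.255.252
route add default 123.45.67.2 1
ifconfig lan1 192.168.1.254 netmask 255.255.255.0
ipgate on
"""
# Constructed variant: real-world addresses on the inside, single adapter.
PUBLIC_INSIDE = ONE_NIC.replace("192.168.1.254", "123.45.68.1")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
IFCONFIG = re.compile(
    rf"^\s*ifconfig\s+(\S+)\s+{IPV4}\s+netmask\s+{IPV4}(\s+alias)?\s*$", re.I)
ROUTE = re.compile(rf"^\s*route\s+add\s+default\s+{IPV4}\b", re.I)
IPGATE = re.compile(r"^\s*ipgate\s+on\s*$", re.I)


def parse_setup(text):
    """Return (interfaces, default_gateway, forwarding_enabled)."""
    ifaces, gateway, forwarding = [], None, False
    for line in text.splitlines():
        m = IFCONFIG.match(line)
        if m:
            name, ip, mask, alias = m.groups()
            iface = ipaddress.ip_interface(f"{ip}/{mask}")
            ifaces.append((name.lower(), iface, bool(alias)))
            continue
        m = ROUTE.match(line)
        if m:
            gateway = ipaddress.ip_address(m.group(1))
        elif IPGATE.match(line):
            forwarding = True
    return ifaces, gateway, forwarding


def audit(text):
    """Return (finding, adapter) pairs, in order of appearance."""
    ifaces, gateway, forwarding = parse_setup(text)

    def is_uplink(iface):
        # Assumption: the net that contains the default gateway is external.
        return gateway is not None and gateway in iface.network

    uplink_adapters = {name for name, iface, _ in ifaces if is_uplink(iface)}
    findings = []
    for name, iface, alias in ifaces:
        if is_uplink(iface):
            continue
        # Internal net on the uplink adapter: both nets meet on one hub.
        if alias or name in uplink_adapters:
            findings.append(("shared-adapter", name))
        # Internal hosts with real-world addresses are directly addressable.
        if not any(iface.ip in net for net in RFC1918):
            findings.append(("public-internal", name))
    if not forwarding:
        findings.append(("forwarding-off", None))
    return findings


if __name__ == "__main__":
    for label, text in (("1 NIC", ONE_NIC), ("2 NICs", TWO_NIC),
                        ("1 NIC, public inside", PUBLIC_INSIDE)):
        print(label, audit(text))
```

   With DHCP on the uplink, the first two lines are absent from SETUP.CMD;
   the 'alias' keyword alone is then enough to flag the shared adapter.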



===========================================================================
11.	G A T E W A Y   C O N F I G U R A T I O N   F I L E
===========================================================================



   The InJoy Firewall receives the basic configuration from an ASCII
   configuration file.

   The distribution archive contains the file "GATEWAY.CF_", which can 
   optionally be put into effect by removing the trailing underscore from 
   the file name (i.e. "copy gateway.cf_ gateway.cf").

   The GATEWAY.CF_ includes several optional configuration sections:

   [net]

      This section contains the following parameters:

	 internal_net
         netmask
         firewall_transparent

      o internal_net & netmask

      The 'internal_net' and 'netmask' variables together define the
      IP addresses considered internal by the InJoy Firewall.

      The Firewall LAN-interface typically denotes the default interface.
      All packets that are not specifically routed, will go to this 
      interface and require Firewall processing. This includes packets
      that may be incorrectly or illegally routed to the firewall.

      The rough filter denoted by these variables provides an easy mechanism
      for filtering away all unwanted traffic before it is processed by the
      actual Firewall engine. This saves performance and the need for
      superfluous rules.

      The net and netmask are specified using the standard 32 bit netmask
      format. The following example defines an internal network of 255 IP
      addresses from 192.168.1.1 to 192.168.1.255.

         [net]
         Internal_net=192.168.1.0
         Netmask=255.255.255.0

      If one or both of the above net parameters are omitted, all packets 
      going to the external network will be processed by the firewall.

      Incorrectly routed packets can fill up the Firewall NAT table and
      prevent your own internal PCs from using the Firewall. It is
      recommended to specify the internal net and effectively prevent bogus
      packets and misconfigurations from interfering with your security
      policy.
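
      The sketch below is an added example, not code from the product or
      from the original manual. It applies the [net] definition as a
      bitwise test on the packet source and then runs constructed traffic
      through a simplified NAT table, with and without the definition.
      The table size, the 10.9.9.x senders and the function names are
      assumptions of this example.

```python
import configparser
import ipaddress

# Constructed gateway.cf fragment, using the [net] values from the text above.
GATEWAY_CF = """\
[net]
Internal_net=192.168.1.0
Netmask=255.255.255.0
"""

# Constructed traffic: source addresses of packets headed for the external
# net, in arrival order. The 10.9.9.x hosts stand for misrouted senders.
SOURCES = ["10.9.9.1", "10.9.9.2", "10.9.9.3", "10.9.9.4",
           "192.168.1.10", "192.168.1.11"]


def load_internal_net(cf_text):
    """Return the [net] definition as a network, or None if a key is omitted."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cf_text)
    net = cp.get("net", "internal_net", fallback=None)
    mask = cp.get("net", "netmask", fallback=None)
    if not net or not mask:
        return None
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def is_internal(src, internal):
    """(src AND netmask) == internal_net; with no definition all sources pass."""
    if internal is None:
        return True
    masked = int(ipaddress.ip_address(src)) & int(internal.netmask)
    return masked == int(internal.network_address)


def simulate(sources, internal, nat_slots):
    """Run sources through the rough filter into a NAT table of nat_slots."""
    table, dropped, refused = [], [], []
    for src in sources:
        if not is_internal(src, internal):
            dropped.append(src)      # removed before the firewall engine
        elif src in table:
            continue                 # mapping already exists
        elif len(table) < nat_slots:
            table.append(src)        # new NAT mapping
        else:
            refused.append(src)      # table full, no mapping available
    return {"mapped": table, "dropped": dropped, "refused": refused}


if __name__ == "__main__":
    net = load_internal_net(GATEWAY_CF)
    print("with [net]:   ", simulate(SOURCES, net, nat_slots=4))
    print("without [net]:", simulate(SOURCES, None, nat_slots=4))
```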

      o firewall_transparent

      The 'firewall_transparent' flag specifies whether the firewall PC is
      connected directly to the Internet or working indirectly through NAT.

      Setting the value to "yes" (default) provides a completely transparent
      Internet connection for the firewall PC. The transparent connection is
      convenient for running servers, VPN gateways or non-translatable 
      protocols, such as certain multimedia applications. Unsolicited 
      incoming connections are possible in this state and the user should
      either maintain a strong security policy for the services launched
      or define specific firewall rules to block the open ports.

      Setting the 'firewall_transparent' attribute to "no" will run packets
      to and from the firewall PC through the NAT engine. NAT prevents
      unsolicited incoming connections, but allows outgoing connections. 

      Enabling NAT for the firewall PC denotes an extremely simple and 
      effective security measure that doesn't prevent the operator from
      defining additional firewall rules. Firewall rules can be used to
      allow transparent access to servers, but also enable transparency
      for selected outgoing connections, removing the NAT engine strain.

      With NAT enabled, the firewall PC will experience the same benefits
      and drawbacks as internal LAN clients. Refer to FIREWALL.TXT for more
      information about Network Address Translation.

      Internal PCs behind the Firewall are not affected by this option.

   [license]

      This section is used to specify license name and licensee code.

         name
         code
         filter
         firewall
       
      The Firewall Product itself and certain feature plugins have separate
      registration codes. Please, refer to REGISTER.TXT for more information.

      Notice, the registration information is sent in a form which allows
      you to simply copy it directly from the source into the GATEWAY.CF file.

   [GUI]

      The [GUI] section includes variables telling the Firewall whether to
      accept connections from the (YET UNRELEASED) Java GUI.

         allow_remote
         port
         userid
         password

      The "allow_remote" variable specifies whether only local Java GUIs
      can connect to the Firewall or also GUIs running on remote systems.
      Per default, there is no access to your system from remote computers.

      The "port" variable specifies which tcp port to utilize for
      incoming TCP/IP connections from the Java GUI.

      Setting this variable to 0 will completely disable Java GUI access, 
      even from the PC where the Firewall is running.

      The "userid" and "password" set the authentication parameters. A
      Java GUI operator must know this information to gain GUI access to
      your system.

   [identd]

      Identd is an authentication server (protocol) used to authenticate IRC 
      clients. Standard NAT does NOT provide for incoming identd requests to
      pass through the Firewall, so to allow authentication of internal IRC 
      clients an ident daemon must be started (on the firewall PC). The InJoy 
      Firewall includes such an identd, capable of acting as a proxy for 
      the other PCs on your private LAN.

      The [identd] section contains these variables:

	 Enable
         UserID

      Set "Enable = Yes" to have the built-in identd automatically started.
      With the identd daemon running, incoming identd requests are first
      received by the built-in daemon and then forwarded to the appropriate
      LAN client. Notice, a possible identd (built into most IRC clients) 
      running on your LAN client STILL gets to do the real authentication.

      There can be only one identd daemon running on a single PC, so if you 
      use our built-in identd, then you can't run another identd on the
      firewall PC. This means that our identd daemon must be fully capable
      of authenticating IRC clients running on the firewall PC and to provide
      this feature, you have the possibility to specify the 'UserID' to be
      used in this case (see the sample configuration file).

   [hardware]

      The [hardware] section contains these variables:

	 SMC_fix
         Fragment
         MTU
         Rescan_ip

      o SMC_fix

      SMC 8417T (10base-T, SMC8000 driver) NIC can give TRAP-E's under
      heavy load.  Enable the work-around if you use this card.

      o Fragment

      Enable the "fragment" flag to assemble fragmented IP packets prior to
      firewall processing AND to split them up again (using the MTU) as
      they leave the firewall. Fragmentation is enabled per default, which
      allows IPSec, firewall and filter rules to operate on full IP packets.
      Fragmentation introduces a small performance hit. 

      o MTU

      The Maximum Transmission Unit (MTU) specifies the largest packet that
      is output from the InJoy fragment operation.

      o Rescan_ip

      Seconds between scanning the external firewall LAN interface for a
      new IP address (e.g. a DHCP lease). Specify 0 to turn off this feature.
      Avoid scanning too often as the scan can cause unwanted harddisk
      activity.

   [filter]

      This section contains the following variable:

         filter_rules

      This variable instructs the filter plugin where to find the 
      filtering rules.

   [firewall]

      This section contains the following variable:

         firewall_config

      This variable instructs the firewall plugin where to find
      its configuration files.

   [ipsec]

      This section contains the following variable:

         enable

      Set "Enable = Yes" to have the IPSec Plugin automatically loaded.

      Refer to the IPSec documentation for more information.

   [pppoe]

      This section contains the following variable:

         enable

      Set "Enable = Yes" to have the PPPoE Plugin automatically loaded.

      PPPoE (PPP Over Ethernet) enables PPP with an xDSL or Cable ISP.
      You can configure PPPoE ISP profiles by using the GWPM.EXE program
      or you can point an ASCII editor to: /PPPOE/PPPOE.CNF

      Set the MTU (see hardware section) to 1492 (or lower) when 
      using PPPoE.

      Refer to the PPPoE documentation for more information.


   NOTE: Editing the GATEWAY.CF file should be done in a text editor 
         that preserves the ASCII format of the file. For example you can 
         use the OS/2 System Editor for this purpose (E.EXE).
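
   The audit below is an added example, not part of the original manual or
   of the product. It cross-checks the sections described above: the PPPoE
   MTU limit, remote Java GUI access, the transparent firewall PC, the
   [net] rough filter and the fragment flag. Only the section and key names
   come from this document; the sample values, the finding names, the
   "yes"/"no" value syntax for allow_remote and Fragment, and the treatment
   of an unset [GUI] port or [pppoe] enable as "off" are assumptions.

```python
import configparser

# Constructed gateway.cf contents for the example.
RISKY_CF = """\
[net]
Internal_net=192.168.1.0
Netmask=255.255.255.0
firewall_transparent=yes

[GUI]
allow_remote=yes
port=7777
userid=operator
password=

[hardware]
Fragment=yes
MTU=1500

[pppoe]
Enable=Yes
"""
HARDENED_CF = (RISKY_CF
               .replace("firewall_transparent=yes", "firewall_transparent=no")
               .replace("port=7777", "port=0")
               .replace("MTU=1500", "MTU=1492"))

PPPOE_MAX_MTU = 1492  # limit given in the [pppoe] description


def load(cf_text):
    """Parse gateway.cf text into {section: {key: value}}, names lower-cased."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cf_text)
    return {s.lower(): dict(cp[s]) for s in cp.sections()}


def yes(section, key, default):
    """True when the key reads 'yes' in any case; default applies when unset."""
    value = section.get(key, "").strip().lower()
    return default if value == "" else value == "yes"


def audit(cf_text):
    """Return the list of finding names for one gateway.cf."""
    cf = load(cf_text)
    net, gui = cf.get("net", {}), cf.get("gui", {})
    hw, pppoe = cf.get("hardware", {}), cf.get("pppoe", {})
    findings = []
    # Either key missing: every packet for the external net is processed.
    if not (net.get("internal_net") and net.get("netmask")):
        findings.append("rough-filter-off")
    # Default is "yes": unsolicited connections to the firewall PC possible.
    if yes(net, "firewall_transparent", default=True):
        findings.append("firewall-pc-transparent")
    # port=0 disables the Java GUI listener entirely.
    gui_on = gui.get("port", "0").strip() not in ("", "0")
    if gui_on and yes(gui, "allow_remote", default=False):
        findings.append("gui-remote-enabled")
        if not gui.get("password", "").strip():
            findings.append("gui-empty-password")
    # Reassembly off: rules no longer operate on full IP packets.
    if not yes(hw, "fragment", default=True):
        findings.append("rules-see-fragments")
    if yes(pppoe, "enable", default=False):
        mtu = hw.get("mtu", "").strip()
        if not mtu.isdigit():
            findings.append("pppoe-mtu-unset")
        elif int(mtu) > PPPOE_MAX_MTU:
            findings.append("pppoe-mtu-too-large")
    return findings


if __name__ == "__main__":
    print("risky:   ", audit(RISKY_CF))
    print("hardened:", audit(HARDENED_CF))
```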



===========================================================================
12. 	C O M M A N D   L I N E   P A R A M E T E R S
===========================================================================



   This product is intended to be run WITHOUT command line parameters,
   but the following parameters are available.

   o Command Line Parameters

	-?  or -h   Show help message                     (text version only)
	-t          Enable packet tracing                 (text version only)
        -p<xx>      Priority from 1 to 100 (100 is max)   (text version only)
        -f<file>    Override default configuration file   (text version only)
	-l[<file>]  Log messages into file                (PM version only)
        -d          Extra debug info to output screen     (both versions)

    Option -t (trace)

     Enables packet tracing and should be used for diagnostic purposes
     only. Enabling this option in a production environment will 
     significantly reduce product performance.

    Option -p (priority)

     The priority parameter specifies the priority that OS/2 will assign 
     to the InJoy Firewall. 

       -- Any value larger than 75 percent, will register the gateway as 
          a time critical process. Being time critical is a logical choice
          for a program handling the CPU demanding COM port.

       -- However, raising the value much above 75 percent may cause
          system hangs as the OS/2 scheduler will not allow other 
          processes to "wake up" when they are really needed.

    Option -f (set config file)

      Allows you to override the default configuration file (gateway.cf).



===========================================================================
13. 	U N I N S T A L L I N G
===========================================================================



   Uninstalling is done in three simple steps:

	1) Uninstall Device Driver
        2) Uninstall Firewall software
        3) Reboot

   o Uninstall FXWRAP.SYS

   Uninstalling FXWRAP.SYS is done using the UNINSTAL.CMD and when running
   it, you will be prompted for an action:

          <I> to install FXWRAP
          <U> to uninstall previously installed FXWRAP

   Press 'U' followed by <Enter> to start uninstalling the device
   driver. The files CONFIG.SYS and PROTOCOL.INI will be updated.

   o Uninstall Firewall

   In order to uninstall the InJoy Firewall, simply delete the files from 
   the product directory.

   o Reboot System



===========================================================================
14. 	R E G I S T R A T I O N
===========================================================================



   After successful evaluation of this product, you can register
   it by obtaining a registration key from one of the resellers.
   Reseller information can be found in:

	1) REGISTER.TXT from the distribution archive

   Most current pricing information and online registration services are
   available at the following address:

        2) http://www.fx.dk/firewall/register.htm

   Once registered, you need to fill your registration code into the
   gateway.cf file - for example:

        [license]
        name=Joe Pepper
        code=1cdf3ade75679893
        filter=1cdf3ade75679894
        firewall=1cdf3ade734329894
   
   NOTICE: The name and codes above are presented as an example. These
           are NOT valid numbers, so don't try ...

   For more information contact sales@fx.dk



===========================================================================
15.	T R O U B L E S H O O T I N G
===========================================================================


>  Everything installed successfully! Had Internet access before installing,
>  but now firewall PC and client systems cannot access the Internet.

   Q:  I have installed everything successfully, but the firewall PC
       and the clients CANNOT access the Internet.
   A:  Check if it helps to stop the GATEWAY.EXE daemon.

   Q:  Stopping GATEWAY.EXE does not help.
   A:  It seems the FXWRAP.SYS or PROTOCOL.INI changes are harming your
       system. Uninstall and contact support@fx.dk

   Q:  Stopping GATEWAY.EXE does help.
   A:  Check if the auto detected information in the output of GATEWAY.EXE
       looks correct. If it doesn't, contact support@fx.dk

   Q:  Auto detected information looks good and GATEWAY.EXE reports no errors.
   A:  Did you specify an 'internal_net' and 'netmask' in the .cf file?
       If you did, try to comment out those variables.

   Q:  I even removed my GATEWAY.CF file, but still NO Internet access.
   A:  Did you install FXWRAP for the proper LAN adapter? The LAN adapter
       which is connected to the external interface!

   Q:  I did install to the right LAN adapter, I'm sure.
   A:  Uninstall and contact support@fx.dk


>  Everything installed successfully and the firewall PC has Internet access,
>  but client systems CANNOT access the Internet.

   Q:  I have installed everything successfully, but clients are unable
       to ping an outside server.
   A:  Check if the Firewall itself can access servers on the Internet
       (with the GATEWAY.EXE daemon running).

   Q:  The firewall PC is definitely okay, only clients won't work!
   A:  Did you remember to enable IP forwarding ("ipgate on" in SETUP.CMD)?

   Q:  The client PC just stalls when it tries to access a host name on
       the Internet. I can ping IP numbers on the Internet.
   A:  Your name server on the client PC is not specified correctly. You
       need to specify a real name server that is able to resolve names on
       the Internet. Use the same one as your Firewall computer.

   Q:  Everything looks okay, but still clients cannot get out.
   A:  You must specify the firewall PC as the default route (a.k.a.
       default gateway) for your client system.

   Q:  Everything looks okay, but still clients cannot get out.
   A:  If you have only one LAN adapter in the gateway PC, then you must
       define your internal IP address using the 'alias' parameter.

       E.g.: "ifconfig lan0 192.168.1.1 alias"

       Check /mptn/bin/setup.cmd

   Q:  My routing really seems okay, but still no clients can get out.
   A:  Contact support@fx.dk


>  I want to UNinstall the FXWRAP.SYS device driver, but INSTALL.CMD
>  doesn't seem to do the job right.

   Q:  Uninstalling fails for some reason, but I did make backup copies 
       of CONFIG.SYS and PROTOCOL.INI before installing.
   A:  Good, restore the system so it uses your old backup copies and
       reboot.

   Q:  Uninstalling fails for some reason, but I did NOT make any backup
       copies of CONFIG.SYS and PROTOCOL.INI before installing.
   A:  INSTALL.CMD backs up these files. Locate the files and restore
       your system. Then reboot.

   Q:  I wish to uninstall the changes manually.
   A:  Caution: Your networking won't work if you uninstall the wrong way, 
       but step by step instructions follow (use at your own risk):

       1) Locate PROTOCOL.INI (usually located in the \IBMCOM directory).
       2) Open PROTOCOL.INI in the OS/2 System Editor.
       3) Locate the FXWRAP section - it should look like this:

               [FXWRAP_nif]
               Drivername = FXWRAP1$
               Bindings   = DC21X4

          Note the Bindings parameter 
          (DC21X4 is the network card used in our example).

          Walk through PROTOCOL.INI, in order to locate the Bindings 
          parameter in each section. If a Bindings parameter exists and
          it points to FXWRAP, then replace each occurrence of FXWRAP_nif 
          with DC21X4.

          Now, remove the FXWRAP_nif section and save PROTOCOL.INI.

       4) Open CONFIG.SYS in the OS/2 System Editor.
       5) Locate the line where FXWRAP.SYS is installed and remove it.
       6) Save CONFIG.SYS and close the editor.
       7) Reboot your computer to deactivate FXWRAP.SYS.

       If you see error messages during boot-up or your network does not 
       work properly, then you should reboot into the Maintenance Desktop
       and start a command line window. Using the command line window you
       should check your uninstallation.
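
       The manual procedure above, as an added example (not part of the
       F/X documentation or product): a Python script that applies steps
       1-6 to the text of PROTOCOL.INI and CONFIG.SYS and lists any
       leftover FXWRAP references. The sample file contents, the
       C:\EXAMPLE path and the function names are constructed.

```python
import re
SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
BINDINGS = re.compile(r"^(\s*Bindings\s*=\s*)(.*)$", re.IGNORECASE)

# Constructed sample files; only the [FXWRAP_nif] section is from this document.
PROTOCOL_INI = """[TCPIP_nif]
   Drivername = TCPIP$
   Bindings   = FXWRAP_nif

[FXWRAP_nif]
   Drivername = FXWRAP1$
   Bindings   = DC21X4

[DC21X4]
   Drivername = DC21X4$
"""
CONFIG_SYS = "DEVICE=C:\\EXAMPLE\\PROTMAN.OS2\nDEVICE=C:\\EXAMPLE\\FXWRAP.SYS\n"

def unwrap_protocol_ini(text, wrapper="FXWRAP_nif"):
    """Steps 1-3: rebind to the real adapter, then drop the wrapper section."""
    def walk():                      # yields (lowercased section or None, line)
        current = None
        for line in text.splitlines():
            current = m.group(1).lower() if (m := SECTION.match(line)) else current
            yield current, line
    w = wrapper.lower()
    bound = [BINDINGS.match(l) for s, l in walk() if s == w]
    adapter = next((b.group(2).strip() for b in bound if b), None)
    if not adapter:
        raise ValueError("no [%s] section with a Bindings line" % wrapper)
    out = []
    for section, line in walk():
        if section == w:
            continue                 # remove the whole wrapper section
        b = BINDINGS.match(line)
        if b:                        # Bindings may hold a comma-separated list
            names = [n.strip() for n in b.group(2).split(",")]
            line = b.group(1) + ",".join(adapter if n.lower() == w else n for n in names)
        out.append(line)
    return "\n".join(out) + "\n"

def strip_config_sys(text, driver="FXWRAP.SYS"):
    """Steps 4-6: remove the DEVICE line that loads the driver."""
    keep = [l for l in text.splitlines()
            if not (l.strip().upper().startswith("DEVICE") and driver.upper() in l.upper())]
    return "\n".join(keep) + "\n"

def leftovers(*files):
    """Lines that still mention FXWRAP after the edit (should be empty)."""
    return [l.strip() for f in files for l in f.splitlines() if "fxwrap" in l.lower()]
```

       The functions work on copies of the file text and write nothing
       themselves; output uses LF line endings.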


>  After some time of operation, the Firewall produces the message:
>  "Error: NAT table full - no more clients accepted!"
>  but my number of clients doesn't exceed the number of clients licensed.

   Q:  How do I avoid this error?
   A:  Uncomment and set the variables 'internal_net' and 'netmask' 
       in the [net] section of gateway.cf.



>  I have ADSM processing the backup of my PC and experienced trap 0D (or
>  trap 0E) when the backup process is started and the Firewall is running.

   Q:  Is this trap produced by a bug in the Firewall?
   A:  No. This is a bug in TCP/IP stack 4.1.
       However, FXWRAP.SYS can make this bug appear more often because
       of its more intensive use of the TCP/IP stack.

   Q:  How do I avoid the trap?
   A:  Install the most recent update of TCP/IP 4.1.
       Available at:
       http://service.software.ibm.com/pbin-usa-ps/getobj.pl?/pdocs-usa/latest41.html



==========================================================================
16.	A C K N O W L E D G M E N T S
==========================================================================



   F/X would like to thank ALL the people who helped during the
   development phase and the beta testing phase. Last, but not
   least, a thanks to our customers.



==========================================================================
17.	C O N T A C T S
==========================================================================



   The resources below are pointers to where you might find more help in
   using InJoy products.

   Support:       Our FREE mailing list has more than 400 people connected
                  and they will gladly take a stab at almost any problem. 
                  See below for help on subscribing to the list.

   Mailing lists: Subscribe at http://www.fx.dk/contadd.html

   Support:       support@fx.dk

   Web:           http://www.fx.dk/firewall

                  The most recent news about this product is posted at 
                  the F/X Communications site.





       Copyright (c) 1999-2000 F/X Communications.  All rights reserved.




