
7. Installing the TIS Proxy server

7.1 Getting the software

The TIS FWTK is available at ftp://ftp.tis.com/.

Don't make the mistake I did. When you ftp files from TIS, READ THE README's. The TIS fwtk is locked up in a hidden directory on their server. TIS requires you to send email to fwtk-request@tis.com with only the word SEND in the body of the message to learn the name of this hidden directory. No subject is needed in the message. Their system will then mail you back the directory name (good for 12 hours) to download the source.

As I'm writing this TIS is releasing version 2.0 (beta) of the FWTK. This version seems to compile well (with a few exceptions) and everything is working for me. This is the version I will be covering here. When they release the final code I'll update the HOWTO.

To install the FWTK, create a fwtk-2.0 directory in your /usr/src directory. Move your copy of the FWTK (fwtk-2.0.tar.gz) to this directory and untar it (tar zxf fwtk-2.0.tar.gz).

The FWTK does not proxy SSL web documents, but there is an addon for it written by Jean-Christophe Touvet. It is available at ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z. Touvet does not support this code.

I am using a modified version that includes access to Netscape secure news servers written by Eric Wedel. It is available at ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z.

In our example I will use Eric Wedel's version.

To install it, simply create a ssl-gw directory in your /usr/src/fwtk-2.0 directory and put the files in it.

When I installed this gateway it required a few changes before it would compile with the rest of the toolkit.

The first change was to the ssl-gw.c file. I found it didn't include a needed header file.

  #if defined(__linux)
  #include        <sys/ioctl.h>
  #endif

Second, it didn't come with a Makefile. I copied one out of the other gateway directories and replaced the gateway's name with ssl-gw.

7.2 Compiling the TIS FWTK

Version 2.0 of the FWTK compiles much more easily than any of the older versions. I still found a couple of things that needed to be changed before the BETA version would compile cleanly. Hopefully these changes will be made in the final version.

To fix it up, start by changing to the /usr/src/fwtk/fwtk directory and copying the Makefile.config.linux file over the Makefile.config file.

DON'T RUN FIXMAKE. The instructions tell you to run this. If you do, it will break the makefiles in each directory.

I do have a fix for fixmake. The problem is that its sed script adds a '.' and quotes to the include line of every Makefile. This sed script works.

  # Replacement for the sed line in fixmake. Each bracket expression matches a
  # space or a tab (GNU sed understands \t); the rewritten Makefile is read
  # from $name.proto and written to $name.
  sed 's/^include[ \t]*\([^ \t].*\)/include \1/' "$name.proto" > "$name"

Next we need to edit the Makefile.config file. There are two changes you may need to make.

The author set the source directory to his home directory. We are compiling our code in /usr/src, so you should change the FWTKSRCDIR variable to reflect this.

  FWTKSRCDIR=/usr/src/fwtk/fwtk

Second, at least some Linux systems use the gdbm database. The Makefile.config is using dbm. You might need to change this. I had to for RedHat 3.0.3.

  DBMLIB=-lgdbm

The last fix is in the x-gw. The bug in the BETA version is in the socket.c code. To fix it, remove these lines of code.

  #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
                       + sizeof(un_name->sun_len) + 1
  #endif

If you added the ssl-gw to your FWTK source directory, you will need to add it to the list of directories in the Makefile.

  DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw

Now run make.

7.3 Installing the TIS FWTK

Run make install.

The default installation directory is /usr/local/etc. You could change this (I didn't) to a more secure directory. I chose to restrict access to this directory with 'chmod 700'.

All that is left now is to configure the firewall.

7.4 Configuring the TIS FWTK

Now the fun really begins. We must teach the system to call these new services and create the tables to control them.

I'm not going to try to re-write the TIS FWTK manual here. I will show you the settings I found worked and explain the problems I ran into and how I got around them.

There are three files that make up these controls.

To get the FWTK functioning, you should edit these files from the bottom up. Editing the services file without the inetd.conf or netperm-table file set correctly could make your system inaccessible.

The netperm-table file

This file controls who can access the services of the TIS FWTK. You should think about the traffic using the firewall from both sides. People outside your network should identify themselves before gaining access, but the people inside your network might be allowed to just pass through.

So people can identify themselves, the firewall uses a program called authsrv to keep a database of user IDs and passwords. The authentication section of the netperm-table controls where the database is kept and who can access it.

I had some trouble closing the access to this service. Note that the permit-hosts line I show uses a '*' to give everyone access. The correct setting for this line is 'authsrv: permit-hosts localhost' if you can get it working.

  #
  # Proxy configuration table
  #
  # Authentication server and client rules
  authsrv:      database /usr/local/etc/fw-authdb
  authsrv:      permit-hosts *
  authsrv:      badsleep 1200
  authsrv:      nobogus true
  # Client Applications using the Authentication server
  *:            authserver 127.0.0.1 114

To initialize the database, su to root, and run ./authsrv in the /var/local/etc directory to create the administrative user record. Here is a sample session; read the FWTK documentation to learn how to add users and groups.

    #
    # authsrv
    authsrv# list
    authsrv# adduser admin "Auth DB admin"
    ok - user added initially disabled
    authsrv# ena admin
    enabled
    authsrv# proto admin pass
    changed
    authsrv# pass admin "plugh"
    Password changed.
    authsrv# superwiz admin
    set wizard
    authsrv# list
    Report for users in database
    user   group  longname           ok?    proto   last 
    ------ ------ ------------------ -----  ------  -----
    admin         Auth DB admin      ena    passw   never
    authsrv# display admin
    Report for user admin (Auth DB admin)
    Authentication protocol: password
    Flags: WIZARD
    authsrv# ^D
    EOT
    #

The telnet gateway (tn-gw) controls are straightforward and the first you should set up.

In my example, I permit hosts from inside the private network to pass through without authenticating themselves (permit-hosts 196.1.2.* -passok). But any other user must enter their user ID and password to use the proxy (permit-hosts * -auth).

I also allow one other system (196.1.2.202) to reach the firewall host directly without going through the proxy at all. The two netacl-in.telnetd lines do this. I will explain how these lines are called later.

The Telnet timeout should be kept short.

  # telnet gateway rules:
  tn-gw:                denial-msg      /usr/local/etc/tn-deny.txt
  tn-gw:                welcome-msg     /usr/local/etc/tn-welcome.txt
  tn-gw:                help-msg        /usr/local/etc/tn-help.txt
  tn-gw:                timeout 90
  tn-gw:                permit-hosts 196.1.2.* -passok -xok
  tn-gw:                permit-hosts * -auth
  # Only the Administrator can telnet directly to the Firewall via Port 24
  netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd

The r-commands work the same way as telnet.

  # rlogin gateway rules:
  rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
  rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
  rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
  rlogin-gw:    timeout 90
  rlogin-gw:    permit-hosts 196.1.2.* -passok -xok
  rlogin-gw:    permit-hosts * -auth -xok
  # Only the Administrator can telnet directly to the Firewall via Port
  netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a

You shouldn't have anyone accessing your firewall directly, and that includes FTP, so don't put an FTP server on your firewall.

Again, the permit-hosts lines allow anyone in the protected network free access to the Internet, and all others must authenticate themselves. I included logging of every file sent and received in my controls (-log { retr stor }).

The ftp timeout controls how long it takes to drop a bad connection as well as how long a connection will stay open without activity.

  # ftp gateway rules:
  ftp-gw:               denial-msg      /usr/local/etc/ftp-deny.txt
  ftp-gw:               welcome-msg     /usr/local/etc/ftp-welcome.txt
  ftp-gw:               help-msg        /usr/local/etc/ftp-help.txt
  ftp-gw:               timeout 300
  ftp-gw:               permit-hosts 196.1.2.* -log { retr stor }
  ftp-gw:               permit-hosts * -authall -log { retr stor }

Web, gopher and browser-based ftp are controlled by the http-gw. The first two lines create a directory to store ftp and web documents as they pass through the firewall. I make these files owned by root and put them in a directory accessible only by root.

The Web timeout should be kept short. It controls how long the user will wait on a bad connection.

  # www and gopher gateway rules:
  http-gw:      userid          root
  http-gw:      directory       /jail
  http-gw:      timeout 90
  http-gw:      default-httpd   www.afs.net
  http-gw:      hosts           196.1.2.* -log { read write ftp }
  http-gw:      deny-hosts      * 

The ssl-gw is really just a pass-anything gateway. Be careful with it. In this example I allow anyone inside the protected network to connect to any server outside the network except the addresses 127.0.0.* and 192.1.1.*, and then only on ports 443 through 563. Ports 443 through 563 are known SSL ports.

  # ssl gateway rules:
  ssl-gw:         timeout 300
  ssl-gw:         hosts           196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
  ssl-gw:         deny-hosts      *
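To see how the host patterns, first-match order and the -dest list combine, here is an added Python model of the tn-gw and ssl-gw lines above. It is my own example, not code from the FWTK; the matching semantics it assumes (first matching line wins, '!' in a -dest item denies, host:lo:hi is a port range, no matching line means refuse) are stated in the comments.

```python
import re

# Constructed excerpt of the netperm-table lines shown above; only the
# "app: verb pattern flags..." line shape is handled, not the whole file format.
NETPERM_TABLE = """\
tn-gw:   permit-hosts 196.1.2.* -passok -xok
tn-gw:   permit-hosts * -auth
ssl-gw:  hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw:  deny-hosts *
"""

def glob_match(pattern, host):
    """FWTK-style host pattern: '*' matches any run of characters."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, host) is not None

def parse_rules(text):
    """Return a list of (app, verb, host_pattern, flags) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        app, body = line.split(":", 1)
        verb, pattern, *flags = body.split()
        rules.append((app.strip(), verb, pattern, flags))
    return rules

def dest_allowed(flags, dest_host, dest_port):
    """'-dest { ... }' model: first matching item wins, '!' denies, host:lo:hi limits ports."""
    if "-dest" not in flags:
        return True
    items = flags[flags.index("-dest") + 2 : flags.index("}")]
    for item in items:
        negate = item.startswith("!")
        parts = item.lstrip("!").split(":")
        lo = int(parts[1]) if len(parts) > 1 else 1
        hi = int(parts[-1]) if len(parts) > 1 else 65535
        if glob_match(parts[0], dest_host) and lo <= dest_port <= hi:
            return not negate
    return False  # no -dest item matched: nothing was permitted

def decide(rules, app, src_host, dest_host=None, dest_port=None):
    """First line for this app whose pattern matches the client decides; returns (decision, flags)."""
    for rule_app, verb, pattern, flags in rules:
        if rule_app != app or not glob_match(pattern, src_host):
            continue
        if verb == "deny-hosts":
            return "deny", flags
        if dest_host is not None and not dest_allowed(flags, dest_host, dest_port):
            return "deny", flags
        return "permit", flags
    return "deny", []  # no matching line at all: the proxy refuses
```

The returned flags show whether a permitted client still has to authenticate (-auth) or passes through (-passok).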

Here is an example of how to use the plug-gw to allow connections to a news server. In this example I allow anyone inside the protected network to connect to only one system, and only to its news port.

The second line allows the news server to pass its data back to the protected network.

Because most clients expect to stay connected while the user reads news, the timeout for a news server should be long.

  # NetNews Plugged gateway
  plug-gw:        timeout 3600
  plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
  plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

The finger gateway is simple. Anyone inside the protected network must log in first, and then we allow them to use the finger program on the firewall. Anyone else just gets a message.

  # Enable finger service 
  netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
  netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

I haven't set up the Mail and X-windows services, so I'm not including examples. If anyone has a working example, please send me email.

The inetd.conf file

Here is a complete /etc/inetd.conf file. All unneeded services have been commented out. I have included the complete file to show what to turn off, as well as how to set up the new firewall services.

  #echo stream  tcp  nowait  root       internal 
  #echo dgram   udp  wait    root       internal
  #discard      stream  tcp  nowait  root       internal
  #discard      dgram   udp  wait    root       internal
  #daytime      stream  tcp  nowait  root       internal
  #daytime      dgram   udp  wait    root       internal
  #chargen      stream  tcp  nowait  root       internal
  #chargen      dgram   udp  wait    root       internal
  # FTP firewall gateway
  ftp-gw      stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
  # Telnet firewall gateway
  telnet        stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
  # local telnet services
  telnet-a    stream  tcp  nowait      root  /usr/local/etc/netacl in.telnetd
  # Gopher firewall gateway
  gopher        stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw 
  # WWW firewall gateway
  http  stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw 
  # SSL firewall gateway
  ssl-gw  stream  tcp     nowait  root /usr/local/etc/ssl-gw   ssl-gw
  # NetNews firewall proxy (using plug-gw)
  nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
  #nntp stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
  # SMTP (email) firewall gateway
  #smtp stream  tcp     nowait  root    /usr/local/etc/smap smap
  #
  # Shell, login, exec and talk are BSD protocols.
  #
  #shell        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
  #login        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
  #exec stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
  #talk dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
  #ntalk        dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
  #dtalk        stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
  #
  # Pop and imap mail services et al
  #
  #pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop2d
  #pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop3d
  #imap    stream  tcp  nowait  root  /usr/sbin/tcpd    imapd
  #
  # The Internet UUCP service.
  #
  #uucp    stream  tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
  #
  # Tftp service is provided primarily for booting.  Most sites
  # run this only on machines acting as "boot servers." Do not uncomment
  # this unless you *need* it.  
  #
  #tftp dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
  #bootps       dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
  #
  # Finger, systat and netstat give out user information which may be
  # valuable to potential "system crackers."  Many sites choose to disable 
  # some or all of these services to improve security.
  #
  # cfinger is for GNU finger, which is currently not in use in RHS Linux
  #
  finger        stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
  #cfinger      stream  tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
  #systat       stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
  #netstat      stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
  #
  # Time service is used for clock syncronization.
  #
  #time stream  tcp  nowait  root  /usr/sbin/tcpd  in.timed
  #time dgram   udp  wait    root  /usr/sbin/tcpd  in.timed
  #
  # Authentication
  #
  auth          stream  tcp  wait    root  /usr/sbin/tcpd  in.identd -w -t120
  authsrv       stream  tcp  nowait  root  /usr/local/etc/authsrv authsrv
  #
  # End of inetd.conf

The /etc/services file

This is where it all begins. When a client connects to the firewall it connects on a known port (less than 1024). For example, telnet connects on port 23. The inetd daemon hears this connection and looks up the name of the service in the /etc/services file. It then calls the program assigned to that name in the /etc/inetd.conf file.

Some of the services we are creating are not normally in the /etc/services file. You can assign some of them to any port you want. For example, I have assigned the administrator's telnet port (telnet-a) to port 24. You could assign it to port 2323 if you wished. For the administrator (YOU) to connect directly to the firewall, you will need to telnet to port 24, not 23, and if you set up your netperm-table file like I did, you will only be able to do this from one system inside your protected network.

  telnet-a        24/tcp
  ftp-gw          21/tcp           # this name changed
  auth            113/tcp   ident    # User Verification
  ssl-gw          443/tcp
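Because inetd silently skips any enabled service that has no /etc/services entry (which is how a mis-edited services file locks you out), a quick cross-check of the two files is worth having. This added Python example is mine, not part of the FWTK: it reports which inetd services are actually enabled, which of them have no port in /etc/services, and which run something other than an FWTK proxy directly on the firewall host. Both excerpts are constructed from the listings above; authsrv is deliberately left out of the services excerpt so the report has something to flag.

```python
# Constructed excerpts of the inetd.conf and /etc/services shown above.
INETD_CONF = """\
ftp-gw   stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
telnet   stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
telnet-a stream  tcp  nowait      root  /usr/local/etc/netacl in.telnetd
ssl-gw   stream  tcp  nowait      root  /usr/local/etc/ssl-gw ssl-gw
nntp     stream  tcp  nowait      root  /usr/local/etc/plug-gw plug-gw nntp
#login   stream  tcp  nowait      root  /usr/sbin/tcpd in.rlogind
finger   stream  tcp  nowait      root  /usr/sbin/tcpd in.fingerd
auth     stream  tcp  wait        root  /usr/sbin/tcpd in.identd -w -t120
authsrv  stream  tcp  nowait      root  /usr/local/etc/authsrv authsrv
"""
SERVICES = """\
ftp-gw    21/tcp          # this name changed
telnet    23/tcp
telnet-a  24/tcp
finger    79/tcp
auth      113/tcp  ident  # User Verification
nntp      119/tcp  readnews untp
ssl-gw    443/tcp
"""

def enabled_services(inetd_text):
    """Map each uncommented inetd.conf service to (protocol, server path)."""
    enabled = {}
    for line in inetd_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        enabled[fields[0]] = (fields[2], fields[5])
    return enabled

def service_ports(services_text):
    """Map every /etc/services name and alias to (port, protocol)."""
    ports = {}
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            ports[name] = (int(port), proto)
    return ports

def audit(inetd_text, services_text, proxy_dir="/usr/local/etc/"):
    """Report enabled services with no /etc/services entry and services not served by an FWTK proxy."""
    enabled = enabled_services(inetd_text)
    ports = service_ports(services_text)
    return {
        "enabled": sorted(enabled),
        "unresolved": sorted(s for s in enabled if s not in ports),
        "direct": sorted(s for s, (_, path) in enabled.items() if not path.startswith(proxy_dir)),
    }
```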

