Internet Security Professional Reference:How to Build a Firewall


Host Access Rules

The host rules that permit and deny access to the telnet proxy can be modified by a number of additional options, or combined with rules that grant other host access permissions. As seen in table 6.3, the host rules are stated as:

tn-gw:    deny-hosts unknown
tn-gw:    hosts 192.33.112.* 192.94.214.*

These statements indicate that hosts that cannot be found in the DNS in-addr.arpa domain are unknown, and therefore denied, and that hosts connecting from the 192.33.112 and 192.94.214 networks are allowed to connect to the proxy. Optional parameters, which begin with a hyphen, further restrict which hosts can connect to the proxy, or where a connecting host is allowed to go once it has reached the proxy.

Earlier output showed that the connect request to sco.sco.com was denied by the proxy because the user was not permitted to connect to that host. This was configured by using the rule:

tn-gw: permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok

This rule states that any host from the 204.191.3 network is allowed to contact any machine in the fonorola.net domain, but no others. This example illustrates the -dest option, which restricts which hosts can be connected to. The -dest parameter, described in table 6.5 with the other optional parameters, is used to specify a list of valid destinations. If no list is specified, the user is not restricted and may connect to any host.

Table 6.5
Host Access Rules

Rule                             Description
-dest pattern                    Specifies a list of valid destinations. If no list is specified,
-dest { pattern1 pattern2 … }    all destinations are considered valid. The -dest list is processed
                                 in order as it appears on the options line. -dest entries preceded
                                 with a “!” character are treated as negation entries.
-auth                            Specifies that the proxy should require a user to authenticate with
                                 a valid user id prior to being permitted to use the gateway.
-passok                          Specifies that the proxy should permit users to change their
                                 passwords if they are connected from the designated host. Only hosts
                                 on a trusted network should be permitted to change passwords, unless
                                 token-type authenticators are distributed to all users.

The -dest options are applied in the order that they appear in the line. Consequently, in the example used so far in this chapter, if the machine you are connecting to is sco.sco.com, then the first option describing a machine in the fonorola.net domain is not matched. This means that the second destination specification is matched, which is a denial. The “!” is a negation operator and indicates that this is not permitted. The end result is that users on the 204.191.3 network can only connect to systems in the fonorola.net domain, and no others.

The use of an IP address instead of a domain name does not alter the rule. Before the connection is permitted, the tn-gw application attempts to validate the IP address by looking it up in the DNS. If the returned host matches one of the rules, then that rule is applied. Otherwise, the connection is dropped.

Verifying the Telnet Proxy

The operation of the proxy rules can be determined by attempting a connection through each of the rules, and verifying whether the correct files are displayed when information is requested. For example, if a user connects to tn-gw and enters the help command, does the user get the requested information? Are the restricted sites in fact restricted?

This verification is accomplished by exercising each of the rules. For example, consider the following rule:

tn-gw:          permit-hosts 204.191.3.* -dest *.fonorola.net -dest !*

The operation of this rule can be easily verified, once it is clear what is being controlled. This rule says: “Permit any host in the 204.191.3 network to connect to any machine in the fonorola.net domain. All connections to machines outside that domain are denied.”

This can be easily verified by using telnet to contact tn-gw and attempting to connect to a site within the fonorola.net domain space, and then attempting to connect to any other site. If the fonorola.net site is accessible, but no other site is, then it is safe to say that the telnet proxy is working as it should.

For example, consider the following rules:

tn-gw: permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok
tn-gw: deny-hosts * -dest 204.191.3.150

If the connecting host is from the 204.191.3 network, access is granted to the proxy, but the user can only connect to the sites in the fonorola.net domain. The second line says that any host attempting to access 204.191.3.150 will be denied. Should the second line be first in the file, access to the proxy server itself would not be permitted.
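The two ordering points above (the -dest list is walked in order with “!” entries as negations, and the first host rule that matches a connecting client decides whether it reaches the proxy at all) can be checked without a firewall at hand by modelling the evaluation. The following Python is an added example written for this chapter; it is not code from the TIS Firewall Toolkit and is only a model of how the netperm-table lines quoted here behave. Its assumptions are labelled in the comments: a connecting client is represented by its IP address plus its reverse-DNS name (None when the in-addr.arpa lookup fails, which is what “unknown” selects), the “hosts” keyword is treated as an alias of permit-hosts, and a non-empty -dest list that matches nothing is treated as a denial.

```python
"""Model of tn-gw netperm-table evaluation (added example, not fwtk code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set

# Constructed netperm-table lines, taken from the rules quoted in the chapter.
NETPERM_TABLE = """
tn-gw:    deny-hosts unknown
tn-gw:    permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok
tn-gw:    deny-hosts * -dest 204.191.3.150
"""

# The same lines with the deny-hosts * rule moved to the top (constructed).
REORDERED_TABLE = """
tn-gw:    deny-hosts * -dest 204.191.3.150
tn-gw:    deny-hosts unknown
tn-gw:    permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok
"""


@dataclass
class Rule:
    action: str                                   # permit-hosts / hosts / deny-hosts
    hosts: List[str]                              # "unknown", "*", or an IP/name glob
    dests: List[str] = field(default_factory=list)   # -dest entries in file order
    flags: Set[str] = field(default_factory=set)     # e.g. -passok, -xok, -auth


def parse_rules(text: str, app: str = "tn-gw") -> List[Rule]:
    """Parse the lines that apply to one proxy; lines for other applications are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or name.strip() != app:
            continue
        tok = rest.split()
        rule = Rule(action=tok[0], hosts=[])
        i = 1
        while i < len(tok) and not tok[i].startswith("-"):    # host patterns
            rule.hosts.append(tok[i])
            i += 1
        while i < len(tok):                                   # optional parameters
            if tok[i] == "-dest":
                i += 1
                if tok[i] == "{":                             # -dest { p1 p2 ... }
                    i += 1
                    while tok[i] != "}":
                        rule.dests.append(tok[i])
                        i += 1
                else:
                    rule.dests.append(tok[i])
            else:
                rule.flags.add(tok[i])
            i += 1
        rules.append(rule)
    return rules


def host_matches(pattern: str, ip: str, name: Optional[str]) -> bool:
    """Assumption: a pattern may match either the client IP or its reverse-DNS name."""
    if pattern == "unknown":
        return name is None
    if fnmatchcase(ip, pattern):
        return True
    return name is not None and fnmatchcase(name.lower(), pattern.lower())


def connect_rule(rules: List[Rule], ip: str, name: Optional[str]) -> Optional[Rule]:
    """Stage 1, at connect time: the first rule whose host pattern matches decides
    whether the client may talk to the proxy; a deny rule or no match means refused."""
    for rule in rules:
        if any(host_matches(p, ip, name) for p in rule.hosts):
            return rule if rule.action in ("permit-hosts", "hosts") else None
    return None


def dest_allowed(rule: Rule, dest: str) -> bool:
    """Stage 2, on a 'c host' request: walk the matched rule's -dest list in order.
    A '!' entry that matches denies, a plain entry that matches permits, an empty
    list permits everything; no match in a non-empty list is a denial (assumption)."""
    if not rule.dests:
        return True
    for entry in rule.dests:
        negate = entry.startswith("!")
        pattern = entry[1:] if negate else entry
        if fnmatchcase(dest.lower(), pattern.lower()):
            return not negate
    return False


def check(table_text: str, ip: str, name: Optional[str], dest: str) -> str:
    """Outcome for one client trying to reach one destination through the proxy."""
    rule = connect_rule(parse_rules(table_text), ip, name)
    if rule is None:
        return "connection refused"
    return "permitted" if dest_allowed(rule, dest) else "not permitted"


if __name__ == "__main__":
    for table, label in ((NETPERM_TABLE, "chapter order"), (REORDERED_TABLE, "deny-hosts * first")):
        print(label)
        print("  inside host -> mail.fonorola.net:", check(table, "204.191.3.10", "ws.inside.example", "mail.fonorola.net"))
        print("  inside host -> sco.sco.com:      ", check(table, "204.191.3.10", "ws.inside.example", "sco.sco.com"))
        print("  inside host -> 204.191.3.150:    ", check(table, "204.191.3.10", "ws.inside.example", "204.191.3.150"))
        print("  unknown host -> mail.fonorola.net:", check(table, "204.191.3.10", None, "mail.fonorola.net"))
        print("  outside host -> sco.sco.com:     ", check(table, "10.1.2.3", "out.example.net", "sco.sco.com"))
```

Running the model with the chapter's ordering shows an inside host reaching fonorola.net but nothing else (the “!*” entry catches sco.sco.com and the firewall's own address alike), an unresolvable client refused by the deny-hosts unknown line, and an outside host refused by the final deny-hosts * line. With deny-hosts * moved to the top, every client is refused at connect time, which is the behaviour the paragraph above warns about.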


Tip:  When entering the rules in the netperm-table, remember to write them from least to most specific. Or, write them in order of use, after conducting some traffic analysis to determine where the traffic is going. This can be difficult and time-consuming.

This type of configuration is advantageous because it ensures that the firewall cannot be accessed through the proxy, and leaves the telnet server available through the netacl program, which has been configured to listen on a different port.

Even though the firewall host is not available through the proxy, it can still be accessed through the netacl program and the telnet server running on the alternate port.

