Internet Security Professional Reference:How to Build a Firewall


Host Access Rules

Host rules that permit and deny access to the rlogin proxy can be modified by a number of additional options, or rules. The host rules use the following format:

rlogin-gw:    deny-hosts unknown
rlogin-gw:    hosts 192.33.112.* 192.94.214.*

In this example, hosts that cannot be found in the DNS in-addr.arpa domain are unknown and are therefore denied; hosts connecting from the networks 192.33.112 and 192.94.214 are allowed to connect to the proxy. The optional parameters, each beginning with a hyphen, further restrict the hosts that can connect to the proxy by limiting where they can connect.

Verifying the rlogin Proxy

Operation of the rlogin proxy is verified by attempting to circumvent the established rules, and checking to see that the text from each of the configured files displays when it should display. For example, if your security policy states that only certain hosts can connect to the rlogin proxy, you must test this from each of the permitted hosts, and also test the connection from a few hosts that are not permitted.

Each rule for rlogin-gw must be carefully evaluated to ensure that it is operating as it should.

Configuring the FTP Gateway

The FTP proxy allows FTP traffic through the firewall to either private or public networks. The FTP proxy executes when a connection is made to the FTP port on the firewall. From there a connection could be made to the firewall, although it is not a good idea to allow FTP traffic to the firewall on the default port. It is better to have an additional FTP server system running elsewhere. A more secure setup would be to run the FTP server processes when a connection is made to a different port. By not publishing this port number, it is harder to have an FTP session established directly on the firewall.

Remember that the FTP service is found on port 21 as stated in the /etc/services file. To change this, edit the /etc/services file and add a second ftp entry called ftp-a, like the telnet-a entry that was added earlier. Establish this ftp-a service to run on a different port, such as 2021. The new /etc/services file will look like:

ftp        21/tcp
ftp-a      2021/tcp

This new ftp-a entry only addresses part of the problem. The /etc/inetd.conf file is where the actual specification is made regarding which service is executed when a connection is made. The trick here is to configure the inetd.conf file so that when a connection is made to the ftp port, the ftp-gw application is started. When a connection is made to the ftp-a port, the real ftp server is started through the netacl application:

# ftp   stream  tcp     nowait  root    /usr/libexec/tcpd       ftpd -l -A
ftp     stream  tcp     nowait  root    /usr/local/etc/ftp-gw   ftp-gw
ftp-a   stream  tcp     nowait  root    /usr/local/etc/netacl   ftpd

Three entries for the FTP service are included here to illustrate a point. The first entry is commented out and is provided to show you how the FTP service was originally started. The second entry establishes a connection to the FTP proxy. The third line allows ftp connections to the firewall itself. Examine the configuration of the ftp-gw proxy application first.

The ftp-gw proxy, like the other Toolkit applications, reads the lines in the netperm-table file that start with the application name, ftp-gw. Table 6.7 lists clauses that are understood by ftp-gw.

Table 6.7  The ftp-gw Program Rules

Rule                    Description

userid user
    Specifies a numeric userid or the name of a password file entry. If this value is specified, ftp-gw will set its userid before providing service.

directory pathname
    Specifies a directory to which ftp-gw will chroot(2) prior to providing service.

denial-msg filename
    Specifies the name of a file to display to the remote user if he or she is denied permission to use the proxy. If this option is not set, a default message is generated. When the denial-msg file is displayed to the remote user, each line is prefixed with the FTP codes for permission denied.

welcome-msg filename
    Specifies the name of a file to display as a welcome banner upon successful connection. If this option is not set, a default message is generated.

help-msg filename
    Specifies the name of a file to display if the "help" command is issued. If this option is not set, a list of the internal commands is printed.

denydest-msg filename
    Specifies the name of a file to display if a user attempts to connect to a remote server from which he or she is restricted. If this option is not set, a default message is generated.

timeout seconds
    Specifies the idle timeout value in seconds. When the specified number of seconds elapses with no activity through the proxy server, it will disconnect. If this value is not set, no timeout is enforced.

If these options are not used, default values are used instead. When these options are used, however, the ftp-gw rules look like this:

ftp-gw: denial-msg      /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg     /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg        /usr/local/etc/ftp-help.txt
ftp-gw: timeout         3600
ftp-gw: denydest-msg    /usr/local/etc/ftp-badest.txt

By using the Host Access rules, you can control who has access to your private network using ftp, and to whom your internal users can connect.
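As an added illustration (not code from the book or from the Toolkit itself), here is a small Python model of how the netperm-table host rules and ftp-gw options described above are read: it parses the "application: rule arguments" lines, evaluates the deny-hosts unknown and wildcard hosts rules for a connecting address, reads single-valued options such as timeout, and provides a verify() helper in the spirit of the advice to test the proxy from both permitted and non-permitted hosts. The netperm-table text is constructed for the example, and first-match-wins ordering and the exclusion of hyphen-prefixed optional parameters from host matching are assumptions about the Toolkit's behaviour.

```python
import fnmatch
import itertools
from collections import defaultdict

# Constructed netperm-table fragment modelled on the rules shown in this chapter.
NETPERM_TABLE = """\
rlogin-gw:    deny-hosts unknown
rlogin-gw:    hosts 192.33.112.* 192.94.214.*
ftp-gw: denial-msg      /usr/local/etc/ftp-deny.txt
ftp-gw: timeout         3600
ftp-gw: hosts 192.33.112.* -dest 192.94.214.*
"""

def parse_netperm(text):
    """Group rules by application: {app: [(rule, [args...]), ...]} in file order."""
    rules = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        app, rest = line.split(":", 1)
        words = rest.split()
        rules[app.strip()].append((words[0], words[1:]))
    return dict(rules)

def host_permitted(app_rules, addr, resolved_name):
    """Apply deny-hosts/hosts rules in order, first match wins, default deny (assumed).
    resolved_name is None when the address has no in-addr.arpa (PTR) entry."""
    for rule, args in app_rules:
        # host patterns precede the hyphen-prefixed optional parameters (assumed)
        pats = list(itertools.takewhile(lambda a: not a.startswith("-"), args))
        if rule == "deny-hosts":
            if "unknown" in pats and resolved_name is None:
                return False
            if any(fnmatch.fnmatchcase(addr, p) for p in pats if p != "unknown"):
                return False
        elif rule == "hosts" and any(fnmatch.fnmatchcase(addr, p) for p in pats):
            return True
    return False

def option(app_rules, name, default=None):
    """First argument of a single-valued rule (timeout, denial-msg, ...), else default."""
    return next((a[0] for r, a in app_rules if r == name and a), default)

def verify(app_rules, cases):
    """Chapter-style check: cases are (addr, name, expected); returns those that fail."""
    return [c for c in cases if host_permitted(app_rules, c[0], c[1]) != c[2]]
```

A non-empty list from verify() means a rule is not doing what the policy says, which is exactly the condition the chapter tells you to look for when exercising the proxy from permitted and non-permitted hosts.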
