Internet Security Professional Reference:How to Build a Firewall

Host Access Rules

The host rules that permit and deny access to the ftp proxy can be modified by a number of additional options. The host rules use the format:

ftp-gw:    deny-hosts unknown
ftp-gw:    hosts 192.33.112.* 192.94.214.*

In this example, hosts that cannot be found in the DNS in-addr.arpa domain are unknown and are therefore denied; hosts connecting from the networks 192.33.112 and 192.94.214 are allowed to connect to the proxy. The optional parameters, each beginning with a hyphen, further restrict the hosts that can connect to the proxy by limiting where they are allowed to connect to.

As with the other proxy agents, a number of options, listed in table 6.8, are available for controlling the proxy.

Table 6.8  Host Access Options

-dest pattern
-dest { pattern1 pattern2 ... }
    Specifies a list of valid destinations. If no list is specified, all destinations are considered valid. The -dest list is processed in the order it appears on the options line. -dest entries preceded with a "!" character are treated as negation entries.

-auth
    Specifies that the proxy should require a user to authenticate with a valid userid before being permitted to use the gateway.

-passok
    Specifies that the proxy should permit users to change their passwords if they are connected from the designated host. Only hosts on a trusted network should be permitted to change passwords, unless token-type authenticators are distributed to all users.

The use of an IP address instead of a domain name does not alter the rule. Before the connection is permitted, the tn-gw application attempts to validate the IP address by looking it up in the DNS. If the returned host matches one of the rules, that rule is applied; otherwise, the connection is dropped.

Verifying the FTP Proxy

Verifying the operation of the FTP proxy involves testing each of the rules and connection points. For example, if you are allowing FTP sessions to originate from the private network, but deny FTP access to hosts outside the private network, then the ftp-gw rules would look like:

ftp-gw: permit-hosts    206.116.65.*    -log { retr stor }

This can only be verified by attempting to establish an FTP session from a host on the LAN out to the public network. To prove the proper operation of the proxy, a connection from the public network to a machine on the private network must also be attempted. The following command sequence illustrates the use of the ftp client to access the firewall from a host on the internal network:

C:\WINDOWS>ftp pc.unilabs.org
Connected to pc.unilabs.org.
220-Welcome to the URG Firewall FTP Proxy
220-
220-To report problems, please contact Network Security Services at
220-555-1212 or by e-mail at security@org.com
220
User (pc.unilabs.org:(none)): chrish@nds.fonorola.net
331-(----GATEWAY CONNECTED TO nds.fonorola.net----)
331-(220 nds.fonorola.net FTP server (Version A) ready.)
331 Password required for chrish.
Password:
230 User chrish logged in.
ftp>

Notice that the user was allowed access to the ftp proxy, and an FTP session was established to the machine nds.fonorola.net. The converse for this rule then must also be true: any host outside the private network is not permitted access to the ftp proxy. The following output illustrates this restriction:

bash$ ftp pc.unilabs.org
Connected to pc.unilabs.org.
500-
500-**** ATTENTION ****
500-
500-Your attempt to use this server’s ftp proxy is not permitted due to
500-organizational security policies. Your connection attempt has been
500-logged and recorded.
500-
500-If you believe that you are an authorized site, please contact Jon
500-Smith at 555-1212 ext 502, or e-mail to ftpadmin@org.com.
500
ftp>

In this situation, the user on the system nds.fonorola.net attempted to connect to the firewall, but because its IP address [204.191.124.252] is not within the address space specified on the ftp-gw rule, the connection is denied, and the message shown here appears. Remember that this message is from the denial-msg rule in the configuration file.

Connecting Through the FTP Proxy

Establishing a connection through the proxy involves connecting to the ftp port and then specifying the host to connect to. The target specification, however, is not quite what you might expect:

$ ftp 204.191.3.150
Connected to 204.191.3.150.
220 pc.unilabs.org FTP proxy (Version V1.3) ready.
User (204.191.3.150:(none)): anonymous@ftp.fonorola.net
331-(----GATEWAY CONNECTED TO ftp.fonorola.net----)
331-(220 net FTP server (Version wu-2.4(1) Fri Apr 21 22:42:18 EDT 1995) ready.)
331 Guest login ok, send your complete e-mail address as password.
Password:
230-
230-                    Welcome to i*internet Inc.
230-                      Anonymous FTP Server
230-
230-We are currently in the process of deploying the Washington
230-University Anonymous FTP Server.
230-
230 Guest login ok, access restrictions apply.
ftp>

When establishing a connection through the proxy, you first run the ftp command and connect to the firewall, which serves as the host. After you are connected, you must specify the username and the site to connect to. This is done using the syntax:

user@site

After validating that the site is indeed one that is allowed, the proxy connects to the FTP server on the remote system and starts to log in using the supplied username. The remote server then prompts for the user’s password, and if it is correct, allows the connection.
