Internet Security Professional Reference:How to Build a Firewall


Examples

The following entries permit NNTP transfer through a firewall bastion host. In this example the interior news server host is “foo.us.org” (111.11.1.11) and the external news server is “nntp.outside.someplace” (222.22.2.22). The bastion host, where the software is installed, is “bastion.us.org.” On the bastion host, you place an entry for the NNTP service in inetd.conf:

nntp stream tcp nowait root /usr/local/etc/plug-gw plug-gw nntp

The plug gateway is invoked as “plug-gw nntp” to inform it that it is providing NNTP service. The configuration entries in netperm-table are as follows:

plug-gw: timeout 60
plug-gw: port webster 111.11.1.* -plug-to WEBSTER.LCS.MIT.EDU -port webster
plug-gw: port nntp 111.11.1.11 -plug-to 222.22.2.22 -port nntp
plug-gw: port nntp 222.22.2.22 -plug-to 111.11.1.11 -port nntp

Whenever 111.11.1.11 connects to the bastion host’s NNTP port, it is automatically connected to 222.22.2.22’s NNTP service, and a connection from 222.22.2.22 is plugged the other way, to 111.11.1.11. The news software on 111.11.1.11 should therefore be configured to believe that its news server is the bastion host “bastion.us.org,” the host from which it transfers and receives news; likewise the external feed must be pointed at bastion.us.org rather than at foo.us.org. Note too that a simple webster service is provided by plugging any host on 111.11.1.* that connects to the bastion’s webster port through to the webster service on WEBSTER.LCS.MIT.EDU, a host elsewhere on the Internet.

Bugs

Because incoming connection hosts can be wildcarded, plug-gw works well in a many-to-one relationship but not in a one-to-many relationship. If, for example, a site has three news feeds, it is easy to configure plug-gw to plug-board any connection from those three hosts to an internal news server. The reverse does not work on a single port: a given source host is plugged to one fixed destination per bastion port, so an internal news server can reach several external feeds only if a separate instance of plug-gw listens on a separate, non-standard bastion port for each feed. Unless the internal news server’s software can connect to a non-standard port, plug-gw would have to be modified to run multiple instances on the same port.
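To make the rule semantics concrete, here is a small Python model of how plug-gw picks a destination for a connection, written for this page; it is neither the book’s code nor part of the fwtk distribution. It parses the netperm-table fragment above, matches the connecting host against the source pattern (shell-style wildcards via fnmatch stand in for fwtk’s own matching) and takes the first rule that matches, which is an assumption of the model. The feed2.outside.someplace rule and the sample source addresses are constructed inputs; they reproduce the one-to-many limitation just described.

```python
"""Model of plug-gw rule lookup over a netperm-table fragment.

Added example, not part of the book or of the TIS fwtk.  Each "port"
rule maps a connecting source host (wildcards allowed) on one bastion
service to one fixed destination; the first matching rule is used
(first-match is an assumption of this model).
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the netperm-table entries shown above.
NETPERM_TABLE = """\
plug-gw: timeout 60
plug-gw: port webster 111.11.1.* -plug-to WEBSTER.LCS.MIT.EDU -port webster
plug-gw: port nntp 111.11.1.11 -plug-to 222.22.2.22 -port nntp
plug-gw: port nntp 222.22.2.22 -plug-to 111.11.1.11 -port nntp
"""


@dataclass
class PlugRule:
    service: str    # inetd service name plug-gw was invoked with, e.g. "nntp"
    source: str     # pattern the connecting host must match
    plug_to: str    # destination host
    plug_port: str  # destination port (defaults to the service name)


def parse_plug_rules(table: str) -> List[PlugRule]:
    """Extract the plug-gw "port" rules, in file order."""
    rules = []
    for line in table.splitlines():
        app, _, body = line.partition(":")
        words = body.split()
        if app.strip() != "plug-gw" or not words or words[0] != "port":
            continue  # other applications, blank lines, "timeout" etc.
        service, source, opts = words[1], words[2], words[3:]
        plug_to: Optional[str] = None
        plug_port = service
        i = 0
        while i < len(opts):
            if i + 1 >= len(opts):
                raise ValueError(f"option {opts[i]!r} lacks a value in: {line}")
            if opts[i] == "-plug-to":
                plug_to = opts[i + 1]
            elif opts[i] == "-port":
                plug_port = opts[i + 1]
            else:
                raise ValueError(f"unknown option {opts[i]!r} in: {line}")
            i += 2
        if plug_to is None:
            raise ValueError(f"rule without -plug-to: {line}")
        rules.append(PlugRule(service, source, plug_to, plug_port))
    return rules


def lookup(rules: List[PlugRule], service: str,
           src_addr: str) -> Optional[Tuple[str, str]]:
    """Return (destination host, destination port) for a connection from
    src_addr to the bastion's `service`, or None when no rule permits it."""
    for r in rules:
        if r.service == service and fnmatch.fnmatchcase(src_addr, r.source):
            return (r.plug_to, r.plug_port)
    return None


RULES = parse_plug_rules(NETPERM_TABLE)

# The one-to-many limitation from the Bugs section: a second feed for the
# same internal host on the same bastion port can never be selected,
# because the earlier rule already matches that source.  (Constructed.)
ONE_TO_MANY = NETPERM_TABLE + (
    "plug-gw: port nntp 111.11.1.11 -plug-to feed2.outside.someplace -port nntp\n"
)


def second_feed_reachable() -> bool:
    """False: 111.11.1.11 is still plugged to 222.22.2.22, never to feed2."""
    dest = lookup(parse_plug_rules(ONE_TO_MANY), "nntp", "111.11.1.11")
    return dest is not None and dest[0] == "feed2.outside.someplace"


if __name__ == "__main__":
    for svc, src in [("nntp", "111.11.1.11"), ("nntp", "222.22.2.22"),
                     ("webster", "111.11.1.42"), ("nntp", "10.0.0.1")]:
        print(f"{src:>12} -> {svc:8}: {lookup(RULES, svc, src)}")
    print("second feed reachable on the same port:", second_feed_reachable())
```

Running the file prints the mapping for each sample source. second_feed_reachable() stays False because the first nntp rule for 111.11.1.11 shadows any later one on the same bastion port, which is exactly why a second feed needs its own inetd service name and port.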

rlogin-gw—rlogin Proxy Server

Synopsis

rlogin-gw (invoked from inetd)

Description

rlogin-gw provides pass-through rlogin proxy services with logging and access control. When rlogin-gw is invoked from inetd, it reads its configuration and checks whether the system that has just connected is permitted to use the proxy. If not, it displays a message, logs the connection, and shuts down. If the peer is permitted to use the proxy, rlogin-gw checks the username that is provided as part of the rlogin protocol; if it is in the form user@host, an attempt is made to connect to that host and log in as that user. If no host is specified, rlogin-gw enters a command loop in which it waits for the user to specify the following:

  The system the user wants to connect to
  The X-gateway the user wants to invoke

Options

rlogin-gw reads its configuration rules and permissions information from the firewall configuration netperm-table, where it retrieves all rules specified for “rlogin-gw.” The following configuration rules are recognized:

directory pathname

This rule specifies a directory to which rlogin-gw will chroot(2) prior to providing service.

prompt string

The prompt rule specifies a prompt for rlogin-gw to use while it is in command mode.

timeout seconds

The timeout rule specifies the time, in seconds, the system remains idle before disconnecting the proxy. Default is no timeout.

denial-msg filename

The denial-msg rule specifies the name of a file to display to the remote user if he or she is denied permission to use the proxy. If this option is not set, a default message is generated.

help-msg filename

The help-msg rule specifies the name of a file to display if the “help” command is issued. If this option is not set, a list of internal commands is printed.

denydest-msg filename

The denydest-msg rule specifies the name of a file to display if a user attempts to connect to a remote server for which he or she is restricted. If this option is not set, a default message is generated.

authserver hostname [portnumber [cipherkey] ]

The authserver rule specifies the name or address of a system to use for network authentication. If rlogin-gw is built with a compiled-in value for the server and port, the built-in values are used as defaults but can be overridden by this rule. If the server supports DES encryption of traffic, an optional cipherkey can be provided to secure communications with the server.

hosts host-pattern [host-pattern2 … ] [ options]

The hosts rules specify host and access permissions. Typically, a hosts rule will be in the form of:

rlogin-gw:   deny-hosts unknown
rlogin-gw:   hosts 192.33.112.* 192.94.214.*

Several host patterns may follow the “hosts” keyword; the pattern list ends at the first optional parameter, which begins with “-”. Optional parameters are:

-dest pattern
-dest pattern1 pattern2 …

The -dest option specifies a list of valid destinations. If no list is given, all destinations are considered valid. The -dest list is processed in the order it appears on the options line, and the first entry that matches the requested destination decides; entries preceded with a “!” character are negation entries that deny the matching destination. The following rule permits connections to any host that is not in the domain “mit.edu”. Order matters: written the other way round (-dest * -dest !*.mit.edu), the “*” entry would match first and the exclusion would never apply.

-dest !*.mit.edu -dest *

-auth

The -auth option specifies that the proxy should require a user to authenticate with a valid user-id prior to being permitted to use the gateway.

-passok

The -passok option specifies that the proxy should permit users to change their passwords when they are connecting from the designated hosts. Only hosts on a trusted network should be permitted to change passwords, unless token-type authenticators are distributed to all users.
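The hosts, deny-hosts and -dest rules above are an ordered access-control list, and their interaction is easiest to see by evaluating some connections against a table. The following Python model was written for this page; it is not the book’s code and not part of the fwtk distribution. It assumes first-match semantics for both the host patterns and the -dest entries, treats a -dest list that matches nothing as a denial (fail closed), and uses fnmatch-style wildcards in place of fwtk’s own matcher. The netperm-table text, including the extra -auth rule for 10.1.*.*, and all sample hosts are constructed inputs.

```python
"""Model of rlogin-gw "hosts" / "deny-hosts" evaluation.

Added example, not part of the book or of the TIS fwtk.  The first rule
whose host pattern matches the connecting host decides; a -dest list is
walked in order and the first matching entry permits (or, with a leading
"!", denies) the destination; a -dest list that matches nothing denies.
First-match and fail-closed are assumptions of this model.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import List, NamedTuple


class Decision(NamedTuple):
    allowed: bool
    reason: str
    auth_required: bool   # True when the matching rule carried -auth


@dataclass
class HostRule:
    deny: bool                                      # deny-hosts vs hosts
    patterns: List[str]                             # source host patterns
    dests: List[str] = field(default_factory=list)  # -dest entries, in order
    auth: bool = False
    passok: bool = False


def parse_rlogin_rules(table: str) -> List[HostRule]:
    rules = []
    for line in table.splitlines():
        app, _, body = line.partition(":")
        words = body.split()
        if app.strip() != "rlogin-gw" or not words:
            continue
        if words[0] not in ("hosts", "deny-hosts"):
            continue  # timeout, prompt, directory, ... not modelled here
        rule = HostRule(deny=(words[0] == "deny-hosts"), patterns=[])
        i = 1
        while i < len(words) and not words[i].startswith("-"):
            rule.patterns.append(words[i])
            i += 1
        while i < len(words):
            opt = words[i]
            i += 1
            if opt == "-dest":
                while i < len(words) and not words[i].startswith("-"):
                    rule.dests.append(words[i])
                    i += 1
            elif opt == "-auth":
                rule.auth = True
            elif opt == "-passok":
                rule.passok = True
            else:
                raise ValueError(f"unknown option {opt!r} in: {line}")
        rules.append(rule)
    return rules


def _match(name: str, pattern: str) -> bool:
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def dest_permitted(rule: HostRule, dest: str) -> bool:
    if not rule.dests:
        return True            # no -dest list: every destination is valid
    for entry in rule.dests:
        negate = entry.startswith("!")
        if _match(dest, entry[1:] if negate else entry):
            return not negate  # first matching entry decides
    return False               # nothing matched: listed destinations only


def evaluate(rules: List[HostRule], src: str, dest: str) -> Decision:
    """src is the connecting host's name or address; pass "unknown" when
    its address does not resolve, which is what "deny-hosts unknown" targets."""
    for rule in rules:
        if any(_match(src, p) for p in rule.patterns):
            if rule.deny:
                return Decision(False, "source host denied", False)
            if not dest_permitted(rule, dest):
                return Decision(False, "destination not permitted", rule.auth)
            return Decision(True, "ok", rule.auth)
    return Decision(False, "no hosts rule matches source", False)


# Constructed table: the rules shown above plus an -auth rule for one net.
NETPERM_TABLE = """\
rlogin-gw: timeout 300
rlogin-gw: deny-hosts unknown
rlogin-gw: hosts 192.33.112.* 192.94.214.* -dest !*.mit.edu -dest *
rlogin-gw: hosts 10.1.*.* -auth -dest *.example.org
"""
RULES = parse_rlogin_rules(NETPERM_TABLE)

# Same patterns with the -dest entries reversed: "*" now matches first,
# so the mit.edu exclusion never fires.
REVERSED = parse_rlogin_rules(
    "rlogin-gw: hosts 192.33.112.* -dest * -dest !*.mit.edu\n")

if __name__ == "__main__":
    for src, dest in [("192.33.112.7", "foo.mit.edu"), ("192.94.214.9", "host.example.com"),
                      ("unknown", "host.example.com"), ("10.1.2.3", "box.example.org"),
                      ("172.16.0.1", "host.example.com")]:
        print(f"{src:>14} -> {dest:18}: {evaluate(RULES, src, dest)}")
    print("reversed -dest order, foo.mit.edu:", evaluate(REVERSED, "192.33.112.7", "foo.mit.edu"))
```

Two checks worth running before deploying a table: that a source not covered by any hosts rule is denied outright (the model returns “no hosts rule matches source”), and that every negation entry precedes the broad “-dest *” it is meant to carve out of; the REVERSED table shows what happens when it does not.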

Installation

To install rlogin-gw, place the executable in a system area, then modify inetd.conf to reflect the appropriate executable path. The rlogin proxy must be installed on the rlogin port (TCP port 513, the “login” service) in order to function without requiring modified clients. Verify the installation by attempting a connection and monitoring the system logs.

smap—Sendmail Wrapper Client

Synopsis

smap (invoked from inetd)

