The TIS fwtk is available at ftp://ftp.tis.com/.
Don't make the mistake I made. When you download files from TIS, READ THE README. The TIS fwtk is locked in a hidden directory on their server. TIS asks that you send an email to fwtk-request@tis.com with only the word SEND in the body of the message in order to learn the name of this hidden directory. No subject is needed in the message. Their system will then send you the name of this hidden directory (good for 12 hours) so that you can download the source.
At the time I am writing this (HOWTO), TIS is releasing version 2.0 (beta) of the FWTK. This version seems to compile well (with a few exceptions) and everything works. This is the version I will cover here. When they release the final code I will update the HOWTO.
To install the FWTK, create the directory fwtk-2.0 in /usr/src. Move your copy of the FWTK (fwtk-2.0.tar.gz) from your directory into this directory (/usr/src/fwtk-2.0) and unpack it (tar zxf fwtk-2.0.tar.gz).
The FWTK does not proxy (support) SSL web documents, but there is an add-on for it written by Jean-Christophe Touvet. It is available at ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z. Touvet does not support this code.
I use a modified version, written by Eric Wedel, that includes access to Netscape secure news servers. It is available at ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z.
In our example I will use Eric Wedel's version.
To install it, simply create the ssl-gw directory in /usr/src/fwtk-2.0 and put the files in there.
When I installed this gateway it required a few changes before it would compile with the rest of the toolkit.
The first change was in the ssl-gw.c file. I found that it did not include a needed include file:
    #if defined(__linux)
    #include <sys/ioctl.h>
    #endif
Second, it does not come with a Makefile. I copied one from the other gateway directories and replaced the gateway name with ssl-gw.
Version 2.0 of the FWTK compiles much more easily than any older version. I still find a few things that need to be changed before the BETA version will compile cleanly. I hope these changes will be made in the final release.
To fix them, start by changing to the /usr/src/fwtk/fwtk directory and copy Makefile.config.linux over Makefile.config.
DO NOT RUN FIXMAKE. The instructions say to run it. If you do, it will break the Makefiles in every directory.
I have no fix for fixmake. The problem is that the sed script adds a '.' and '' to each include line in the Makefiles:
    sed 's/^include[ ]*\([^ ].*\)/include \1/' $name .proto > $name
Next we need to edit the Makefile.config file. There are two changes you need to make.
The author set his own home directory as the source directory. We will compile our code in /usr/src, so we need to change the FWTKSRCDIR variable to reflect this:
    FWTKSRCDIR=/usr/src/fwtk/fwtk
Second, some Linux systems use the gdbm database. Makefile.config uses dbm. You will need to change this. For RH 3.0.3 I had:
    DBMLIB=-lgdbm
The last fix is in x-gw. The bug in the BETA version is in the socket.c code. To fix it, delete the following lines of code:
    #ifdef SCM_RIGHTS /* 4.3BSD Reno and later */
        + sizeof(un_name->sun_len) + 1
    #endif
If you added ssl-gw to your FWTK source directory, you will need to add it to the directory list in the Makefile:
    DIRS= smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw
Now run make.
Run make install.
The default installation directory is /usr/local/etc. You can change it (I didn't) to a more secure directory. I chose to change the access to this directory with chmod 700.
All that is left now is the final configuration of the firewall.
Now the real fun begins. We have to teach :-) the system to call these new services and build the tables that control them.
I am not going to try to rewrite the TIS FWTK manual here. I will show you the settings I found to work, and explain the problems I found and how I got around them.
There are three files that make up these controls:
To get the FWTK working, you should edit these files from the last one upwards. Editing the service files without inetd.conf or the netperm-table set up correctly can make your system inaccessible.
This file controls who can access the services of the TIS FWTK. You should think about the traffic using the firewall from both sides. People outside your network should identify themselves before they gain access, but people inside your network may be allowed to simply pass through.
So that people can identify themselves, the firewall uses a program called authsrv to keep a database of user IDs and passwords. The authentication section of the netperm-table controls where the database is kept and who can access it.
I had some problems closing off access to this service.
Note that the permit-hosts line I show uses '*' to give everyone access. The correct setting for this line is 'authsrv: permit-hosts localhost', if you can get that to work.
    #
    # Proxy configuration table
    #
    # Authentication server and client rules
    authsrv: database /usr/local/etc/fw-authdb
    authsrv: permit-hosts *
    authsrv: badsleep 1200
    authsrv: nobogus true
    # Client Applications using the Authentication server
    *: authserver 127.0.0.1 114
To set up the database, become root and run ./authsrv in the /var/local/etc directory to create the record of the user who acts as administrator. Here is a simple example.
Read the FWTK documentation to learn how to add users and groups.
    #
    # authsrv
    authsrv# list
    authsrv# adduser admin "Auth DB admin"
    ok - user added initially disabled
    authsrv# ena admin
    enabled
    authsrv# proto admin pass
    changed
    authsrv# pass admin "plugh"
    Password changed.
    authsrv# superwiz admin
    set wizard
    authsrv# list
    Report for users in database
    user   group  longname            ok?    proto   last
    ------ ------ ------------------  -----  ------  -----
    admin         Auth DB admin       ena    passw   never
    authsrv# display admin
    Report for user admin (Auth DB admin)
    Authentication protocol: password
    Flags: WIZARD
    authsrv# ^D
    EOT
    #
The telnet gateway (tn-gw) control is straightforward and the first one you should set up.
In my example, I allow hosts inside the private network to pass through without authenticating themselves (permit-hosts 196.1.2.* -passok). But every other user must enter their user ID and password to use the proxy (permit-hosts * -auth).
I also allow one other system (196.1.2.202) to access the firewall without actually passing through the firewall. The two netacl-in.telnetd lines do this. I will explain how these lines are called later.
The telnet timeout should be kept short.
    # telnet gateway rules:
    tn-gw: denial-msg /usr/local/etc/tn-deny.txt
    tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
    tn-gw: help-msg /usr/local/etc/tn-help.txt
    tn-gw: timeout 90
    tn-gw: permit-hosts 196.1.2.* -passok -xok
    tn-gw: permit-hosts * -auth
    # Only the Administrator can telnet directly to the Firewall via Port 24
    netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
The r-commands work the same way as telnet.
    # rlogin gateway rules:
    rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
    rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
    rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
    rlogin-gw: timeout 90
    rlogin-gw: permit-hosts 196.1.2.* -passok -xok
    rlogin-gw: permit-hosts * -auth -xok
    # Only the Administrator can telnet directly to the Firewall via Port
    netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a
You should not have anyone accessing the firewall directly, and this includes FTP, so we do not put an FTP server on the firewall.
Again, the permit-hosts lines give everyone inside the protected network free access to the Internet, and everyone else must authenticate themselves. I included logging of every file sent and received for my own auditing (-log { retr stor }).
The ftp timeout controls how long it takes to drop a bad connection, as well as how long a connection that has been left open without activity is kept.
    # ftp gateway rules:
    ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
    ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
    ftp-gw: help-msg /usr/local/etc/ftp-help.txt
    ftp-gw: timeout 300
    ftp-gw: permit-hosts 196.1.2.* -log { retr stor }
    ftp-gw: permit-hosts * -authall -log { retr stor }
Web, gopher and browser-based ftp are handled by the http-gw. The first two lines create a directory for storing the ftp and web documents as they pass through the firewall. I made these files owned by root and put them in a directory accessible only by root.
The Web timeout should be kept short. It controls how long the user will wait on a bad connection.
    # www and gopher gateway rules:
    http-gw: userid root
    http-gw: directory /jail
    http-gw: timeout 90
    http-gw: default-httpd www.afs.net
    http-gw: hosts 196.1.2.* -log { read write ftp }
    http-gw: deny-hosts *
The ssl-gw is really just a pass-through gateway of any kind. Be careful with it. In this example I allow anyone inside the protected network to connect to any server outside the network except the addresses 127.0.0.xxx and 192.1.1.xxx, and only on ports 443 to 563. Ports 443 to 563 are known SSL ports.
    # ssl gateway rules:
    ssl-gw: timeout 300
    ssl-gw: hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
    ssl-gw: deny-hosts *
Here is an example of how to use plug-gw to allow connections to news servers. In this example I allow anyone inside the protected network to connect to only one system, and only to its news port.
The second line allows the news server to pass its data back into the protected network.
Because most clients expect to stay connected while the user reads the news, the timeout for news servers should be long.
    # NetNews Plugged gateway
    plug-gw: timeout 3600
    plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
    plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp
The finger gateway is simple. Everyone inside the protected network must log in first, and then we allow them to use the finger program on the firewall. Everyone else just gets a message.
    # Enable finger service
    netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
    netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
I have not set up the Mail and X-windows services, so I do not include examples. If anyone has a working example, please send me email.
Here is a complete /etc/inetd.conf file. All unneeded services have been commented out. I have included the complete file to show what to disable, as well as how to set up the new firewall services.
    #echo    stream  tcp     nowait  root    internal
    #echo    dgram   udp     wait    root    internal
    #discard stream  tcp     nowait  root    internal
    #discard dgram   udp     wait    root    internal
    #daytime stream  tcp     nowait  root    internal
    #daytime dgram   udp     wait    root    internal
    #chargen stream  tcp     nowait  root    internal
    #chargen dgram   udp     wait    root    internal
    # FTP firewall gateway
    ftp-gw   stream  tcp     nowait.400  root    /usr/local/etc/ftp-gw ftp-gw
    # Telnet firewall gateway
    telnet   stream  tcp     nowait  root    /usr/local/etc/tn-gw /usr/local/etc/tn-gw
    # local telnet services
    telnet-a stream  tcp     nowait  root    /usr/local/etc/netacl in.telnetd
    # Gopher firewall gateway
    gopher   stream  tcp     nowait.400  root    /usr/local/etc/http-gw /usr/local/etc/http-gw
    # WWW firewall gateway
    http     stream  tcp     nowait.400  root    /usr/local/etc/http-gw /usr/local/etc/http-gw
    # SSL firewall gateway
    ssl-gw   stream  tcp     nowait  root    /usr/local/etc/ssl-gw ssl-gw
    # NetNews firewall proxy (using plug-gw)
    nntp     stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
    #nntp    stream  tcp     nowait  root    /usr/sbin/tcpd in.nntpd
    # SMTP (email) firewall gateway
    #smtp    stream  tcp     nowait  root    /usr/local/etc/smap smap
    #
    # Shell, login, exec and talk are BSD protocols.
    #
    #shell   stream  tcp     nowait  root    /usr/sbin/tcpd in.rshd
    #login   stream  tcp     nowait  root    /usr/sbin/tcpd in.rlogind
    #exec    stream  tcp     nowait  root    /usr/sbin/tcpd in.rexecd
    #talk    dgram   udp     wait    root    /usr/sbin/tcpd in.talkd
    #ntalk   dgram   udp     wait    root    /usr/sbin/tcpd in.ntalkd
    #dtalk   stream  tcp     wait    nobody  /usr/sbin/tcpd in.dtalkd
    #
    # Pop and imap mail services et al
    #
    #pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
    #pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
    #imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
    #
    # The Internet UUCP service.
    #
    #uucp    stream  tcp     nowait  uucp    /usr/sbin/tcpd /usr/lib/uucp/uucico -l
    #
    # Tftp service is provided primarily for booting.  Most sites
    # run this only on machines acting as "boot servers." Do not uncomment
    # this unless you *need* it.
    #
    #tftp    dgram   udp     wait    root    /usr/sbin/tcpd in.tftpd
    #bootps  dgram   udp     wait    root    /usr/sbin/tcpd bootpd
    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers."  Many sites choose to disable
    # some or all of these services to improve security.
    #
    # cfinger is for GNU finger, which is currently not in use in RHS Linux
    #
    finger   stream  tcp     nowait  root    /usr/sbin/tcpd in.fingerd
    #cfinger stream  tcp     nowait  root    /usr/sbin/tcpd in.cfingerd
    #systat  stream  tcp     nowait  guest   /usr/sbin/tcpd /bin/ps -auwwx
    #netstat stream  tcp     nowait  guest   /usr/sbin/tcpd /bin/netstat -f inet
    #
    # Time service is used for clock syncronization.
    #
    #time    stream  tcp     nowait  root    /usr/sbin/tcpd in.timed
    #time    dgram   udp     wait    root    /usr/sbin/tcpd in.timed
    #
    # Authentication
    #
    auth     stream  tcp     wait    root    /usr/sbin/tcpd in.identd -w -t120
    authsrv  stream  tcp     nowait  root    /usr/local/etc/authsrv authsrv
    #
    # End of inetd.conf
This is where it all starts. When a client connects to the firewall it connects on a well-known port (lower than 1024); e.g. telnet connects to port 23. The inetd daemon hears this connection and looks up the name of this service in the /etc/services file. It then calls the program defined for that name in the /etc/inetd.conf file.
Some of the services we create are not normally in the /etc/services file. You can define some of them on whatever port you want; e.g. I have defined the administrator's telnet port (telnet-a) as port 24. You can put it on port 2323 if you wish. For the administrator (YOU) to connect directly to the firewall you will need to telnet to port 24 and not 23, and if you set up the netperm-table file as I did, you will be able to do this only from inside the protected network.
    telnet-a    24/tcp
    ftp-gw      21/tcp          # this name changed
    auth        113/tcp  ident  # User Verification
    ssl-gw      443/tcp
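The two files above have to agree: every service name that is active in /etc/inetd.conf needs a port in /etc/services, or inetd has nothing to listen on, and on a firewall host every active entry should hand the connection to one of the toolkit proxies rather than to an ordinary daemon. The checker below is an added example, not code from the HOWTO or from the FWTK distribution. It assumes the classic inetd.conf column layout shown above and that the proxies live under /usr/local/etc, the default install directory mentioned earlier; the two sample files are constructed for the example (a trimmed copy of the listings, with the authsrv port deliberately left out of the services table and finger deliberately left on tcpd).

```python
"""Cross-check inetd.conf against /etc/services on a FWTK firewall host.

Added example, not code from the HOWTO or from the FWTK distribution.
Assumes the classic inetd.conf columns (service, socket type, protocol,
wait/nowait[.max], user, server program, arguments) and that the FWTK
proxies were installed under /usr/local/etc.
"""

FWTK_DIR = "/usr/local/etc/"   # assumption: the HOWTO's default install directory

# Constructed sample: a trimmed copy of the HOWTO's inetd.conf with one
# active service that bypasses the toolkit (finger through tcpd).
SAMPLE_INETD = """\
#echo    stream  tcp     nowait  root    internal
# FTP firewall gateway
ftp-gw   stream  tcp     nowait.400  root    /usr/local/etc/ftp-gw ftp-gw
telnet   stream  tcp     nowait  root    /usr/local/etc/tn-gw /usr/local/etc/tn-gw
telnet-a stream  tcp     nowait  root    /usr/local/etc/netacl in.telnetd
http     stream  tcp     nowait.400  root    /usr/local/etc/http-gw /usr/local/etc/http-gw
ssl-gw   stream  tcp     nowait  root    /usr/local/etc/ssl-gw ssl-gw
finger   stream  tcp     nowait  root    /usr/sbin/tcpd in.fingerd
authsrv  stream  tcp     nowait  root    /usr/local/etc/authsrv authsrv
"""

# Constructed sample: the services table with authsrv deliberately missing.
SAMPLE_SERVICES = """\
ftp-gw    21/tcp   # this name changed
telnet    23/tcp
telnet-a  24/tcp   # administrator's telnet
finger    79/tcp
http      80/tcp   www
auth      113/tcp  ident
ssl-gw    443/tcp
"""


def parse_services(text):
    """Map (name, protocol) -> port from /etc/services text, aliases included."""
    ports = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:      # fields[2:] are aliases
            ports[(name, proto)] = int(port)
    return ports


def parse_inetd(text):
    """Return one dict per active (uncommented) inetd.conf entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:                         # comment, blank or truncated line
            continue
        entries.append({
            "line": lineno, "service": fields[0], "proto": fields[2],
            "wait": fields[3], "user": fields[4], "program": fields[5],
            "args": fields[6:],
        })
    return entries


def enabled_services(inetd_text, services_text):
    """List (service, port or None, program) for every active inetd entry."""
    ports = parse_services(services_text)
    return [(e["service"], ports.get((e["service"], e["proto"])), e["program"])
            for e in parse_inetd(inetd_text)]


def audit_inetd(inetd_text, services_text, fwtk_dir=FWTK_DIR):
    """Flag entries inetd cannot bind and entries that bypass the toolkit proxies."""
    ports = parse_services(services_text)
    findings = []
    for e in parse_inetd(inetd_text):
        if (e["service"], e["proto"]) not in ports:
            findings.append(f"line {e['line']}: {e['service']}/{e['proto']} has no /etc/services "
                            "entry, so inetd does not know which port to listen on")
        if e["program"] != "internal" and not e["program"].startswith(fwtk_dir):
            findings.append(f"line {e['line']}: {e['service']} runs {e['program']}, "
                            "which is not one of the toolkit proxies")
    return findings


if __name__ == "__main__":
    for service, port, program in enabled_services(SAMPLE_INETD, SAMPLE_SERVICES):
        print(f"{service:10} port {port!s:5} -> {program}")
    for finding in audit_inetd(SAMPLE_INETD, SAMPLE_SERVICES) or ["no findings"]:
        print(finding)
```

On the sample it lists seven active services with their resolved ports and reports two findings: authsrv has no port in the services table, and finger is served by tcpd rather than by a toolkit proxy. Feed it the real files (open(...).read()) after editing them and before restarting inetd.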