TIS Firewall Toolkit
MBone Proxy Configuration
April 18, 1997

The MBone proxy is an optional fwtk component. It can be configured to
allow users inside the firewall, using specific MBone applications (sdr,
vic, vat, wb, nt), to conference with users outside the firewall. In
addition to configuring the MBone proxy on the firewall, client software
must also be installed on every client system that will use the MBone
applications.

For information about the MBone security concerns and the MBone proxy,
see the research paper titled "An MBone Proxy for an Application Gateway
Firewall" at:
http://www.tis.com/docs/research/network/mbone/mboneabs.html

Firewall Configuration

1. Add the mbone-gw directory to the fwtk directory; put the mbone-gw
   source files there.

2. Modify mbone-gw.h to specify your firewall's inside and outside
   interfaces. If the firewall has only one interface, make inside and
   outside the same address.

3. Build mbone-gw.

4. Add mbonesrv to the /etc/services file.

   Example:
       mbonesrv 8765/tcp

5. Add mbone-gw to inetd.conf or rc.local.

   inetd.conf example:
       mbonesrv stream tcp nowait root /usr/local/etc/netacl in.mboned

   rc.local example:
       /usr/local/etc/mbone-gw -daemon &

6. Add mbone-gw specific netperm-table entries.

   Examples:
       netacl-in.mboned: permit-hosts * -exec /usr/local/etc/mbone-gw
       mbone-gw: timeout 3600
       mbone-gw: timelimit 28800
       mbone-gw: permit-hosts 192.33.112.*
       mbone-gw: permit-hosts 192.34.113.* -auth

Client Configuration

1. Copy the modified mbone-gw.h to the directory where the client
   wrapper sources are located.

2. Determine how the users are to start the applications, and modify
   wrapper.h accordingly. There are two options (using vic as the
   example):

   a. vic 224.2.197.230/49162
      vic must be a symbolic link to wrapper. The real vic application
      is specified in MBONE_APPL_DIRECTORY.

   b. wrapper vic 224.2.197.230/49162
      The real vic application is found from the user's PATH, or
      specified in MBONE_APPL_DIRECTORY.

   The proxy has been tested with sdr, vic, vat, wb, and nt. However,
   other applications may also work; add other applications to
   wrapper.h. Some modification to the wrapper may be needed (for
   example, to specify whether the application uses RTP).

3. Build wrapper applications.
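
Added example (not part of the original TIS document or the fwtk sources): a small Python check for reviewing the mbone-gw netperm-table entries from step 6 of Firewall Configuration. It reports which permit-hosts pattern admits a given client address and whether that pattern carries -auth. Assumptions: entries have the form "name[,name]: keyword args", "#" starts a comment, rules are tried in file order, and -auth means the client must authenticate; the function names are hypothetical.

```python
import fnmatch
from itertools import takewhile

# The step 6 netperm-table entries, embedded as sample input.
NETPERM = """\
netacl-in.mboned: permit-hosts * -exec /usr/local/etc/mbone-gw
mbone-gw: timeout 3600
mbone-gw: timelimit 28800
mbone-gw: permit-hosts 192.33.112.*
mbone-gw: permit-hosts 192.34.113.* -auth
"""

def hosts(args):
    """Host patterns are the arguments before the first -option."""
    return list(takewhile(lambda a: not a.startswith("-"), args))

def parse_rules(text, app="mbone-gw"):
    """Return (keyword, args) pairs that apply to `app`, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumed: '#' starts a comment
        names, sep, rest = line.partition(":")
        fields = rest.split()
        if sep and fields and app in [n.strip() for n in names.split(",")]:
            rules.append((fields[0], fields[1:]))
    return rules

def match_host(rules, addr):
    """First permit-hosts pattern matching addr -> (pattern, needs_auth).

    Assumed semantics: first match in file order wins. None = not admitted.
    """
    for keyword, args in rules:
        if keyword == "permit-hosts":
            for pattern in hosts(args):
                if fnmatch.fnmatchcase(addr, pattern):
                    return pattern, "-auth" in args
    return None

def audit(rules):
    """Review points: patterns admitted without -auth, and missing timers."""
    notes = ["no -auth: " + " ".join(hosts(args)) for keyword, args in rules
             if keyword == "permit-hosts" and "-auth" not in args]
    present = {keyword for keyword, _ in rules}
    notes += ["missing " + t for t in ("timeout", "timelimit") if t not in present]
    return notes

if __name__ == "__main__":
    rules = parse_rules(NETPERM)
    print([match_host(rules, a) for a in ("192.33.112.7", "192.34.113.9")], audit(rules))
```

Run against the real netperm-table by passing the file's contents to parse_rules in place of the embedded sample.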