From owner-fwtk-users@ex.tis.com Sun Aug 1 00:19 EDT 1999
Message-Id: <3.0.5.32.19990731214208.0086ce70@fw.itm-inst.com>
Date: Sat, 31 Jul 1999 21:42:08 -0400
From: Rick Murphy
To: "Andreas L. Prodromidis"
Cc: fwtk-users@ex.tis.com
Subject: Re: ftp (500 port error) from the browser
In-Reply-To: <37A36E1C.9A180969@cs.columbia.edu>

[To be removed from this list send the message "unsubscribe fwtk-users" in the BODY of a mail message to majordomo@ex.tis.com.]

At 05:43 PM 7/31/99 -0400, Andreas L. Prodromidis wrote:
> http-gw: ftp-proxy 127.0.0.1

That's an unusual configuration entry; comment this out and see if it works. Ideally, this would work; however, it's redundant when pointing to localhost. That entry says that localhost (port 80?) is running an http proxy that supports ftp. You get a loop (http-gw says 'handoff ftp to localhost', which then tries to hand it off yet again).
-Rick

From owner-fwtk-users@ex.tis.com Mon Aug 2 04:12 EDT 1999
Message-ID: <000701bedcab$6ba13d40$082589c0@------>
From: "liujianwei"
Subject: I need help!!
Date: Mon, 2 Aug 1999 13:53:59 +0800

Dear Sir:

Now, I have got a FWTK version 2.0, and I am trying to patch it using a patch downloaded from the Internet. But I failed. Then I tried to patch it manually, but I found there are too many differences between the FWTK and the patch. Thus, I doubt whether the patch and the FWTK match each other. Could you give me a clue to solve the problem? If you know where I can find the suitable patch, please tell me the web site, or you can email me directly if you have one. Thank you very much. I am waiting for your response.
Sincerely yours,
Jianwei Liu, Ph.D
From owner-fwtk-users@ex.tis.com Mon Aug 2 04:12 EDT 1999
Message-ID: <000701bedcab$30d5f840$082589c0@------>
From: "liujianwei"
Subject: Ask problem!!
Date: Mon, 2 Aug 1999 13:52:11 +0800

Dear Sir:

Now, I have got a FWTK version 2.0 (released at Feb. 26, 1998), and I am trying to patch it using a patch downloaded from the Internet. But I failed. Then I tried to patch it manually, but I found there are too many differences between the FWTK and the patch. So, many HUNKs happen. I doubt whether the patch and the FWTK match each other. Could you give me a clue to solve the problem? If you know where I can find the suitable patch, please tell me the web site, or you can email me directly if you have one. Thank you very much. I am waiting for your response.
Sincerely yours,
Jianwei Liu, Ph.D
From owner-fwtk-users@ex.tis.com Mon Aug 2 06:39 EDT 1999
From: Spencer Marshall
To: fwtk-users@ex.tis.com
Subject: auth....
Date: Mon, 2 Aug 1999 09:58:45 +0100

Has anyone managed to get opie working with auth rather than s/key? I am looking to use opie, because I do not have the s/key libraries, or a portable challenge response card.
Cheers,
Spencer

From owner-fwtk-users@ex.tis.com Mon Aug 2 09:42 EDT 1999
From: mathias.sundman@backupcentralen.se
To: fwtk-users@tis.com
Message-ID: <412567C1.00481C03.00@mailgw.backupcentralen.se>
Date: Mon, 2 Aug 1999 14:07:36 +0100
Subject: Transparent http-gw

I've just patched fwtk 2.1 to be transparent. Everything seems to work perfectly except that it became so slow. And I mean slow: a site that used to take about 5-10 sec to load can take 1-2 minutes now.

I'm using Slackware Linux 4.0 with kernel 2.2.10. I've made an input rule that redirects all traffic for port 80 to port 8080, where http-gw answers via inetd. If I config the browser to be "proxy aware" it works just fine (I'm using IE 4.01 and WinNT4.0).

What have I done wrong? Or should it be this slow?
From owner-fwtk-users@ex.tis.com Mon Aug 2 13:00 EDT 1999
Message-Id: <199908021521.LAA22335@fw1-b.osis.gov>
From: Joseph S D Yao
Subject: Re: ftp (500 port error) from the browser
To: andreas@cs.columbia.edu (Andreas L. Prodromidis)
Date: Mon, 2 Aug 1999 11:21:52 -0400 (EDT)
Cc: fwtk-users@ex.tis.com
In-Reply-To: <37A36E1C.9A180969@cs.columbia.edu> from "Andreas L. Prodromidis" at Jul 31, 99 05:43:56 pm

> Just to double check, to be sure I haven't missed anything,
> here is the ftp portion of my netperm-table:
>
> ftp-gw: sizelimit 0
> ftp-gw: data-port 20
> ftp-gw: timeout 3600
> ftp-gw: permit-hosts 10.1.1.* -log { retr stor }

I believe this is irrelevant to FTP via http-gw.

> and also:
> http-gw: ftp-proxy 127.0.0.1
>
> Do you see anything missing?

On the contrary: too much. Comment out that last line and see what happens.

--
Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
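The self-handoff that Rick Murphy and Joe Yao both point at (an http-gw `ftp-proxy` entry naming the firewall itself) can be caught by reading the netperm-table before inetd is restarted. This is an added example, not FWTK code and not either poster's; the firewall address list, the sample table and the `host[:port]` argument form are constructed assumptions.

```python
"""Lint an FWTK netperm-table for an http-gw 'ftp-proxy' entry that hands FTP
requests back to the firewall itself, producing the handoff loop described in
the thread.  Added example; this is not FWTK code."""
import ipaddress

# Addresses on which this firewall's own http-gw answers.  Constructed sample:
# the loopback names plus one placeholder interface address (TEST-NET-1).
FW_ADDRESSES = frozenset({"127.0.0.1", "::1", "localhost", "192.0.2.10"})

# Constructed fragment modelled on the table posted in the thread.
SAMPLE_TABLE = """\
# ftp portion of netperm-table
ftp-gw: sizelimit 0
ftp-gw: data-port 20
ftp-gw: timeout 3600
ftp-gw: permit-hosts 10.1.1.* -log { retr stor }
http-gw: ftp-proxy 127.0.0.1
"""


def parse_netperm(text):
    """Return [(lineno, app, keyword, args)] for each rule in a netperm-table.

    Rules have the form 'app: keyword arg...'; '#' starts a comment and blank
    lines are skipped.  Malformed rules raise ValueError with the line number.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        app, sep, rest = line.partition(":")
        tokens = rest.split()
        if not sep or not app.strip() or not tokens:
            raise ValueError(f"line {lineno}: expected 'app: keyword ...', got {raw!r}")
        rules.append((lineno, app.strip(), tokens[0], tokens[1:]))
    return rules


def is_loopback(host):
    """True for 'localhost' or any loopback IP literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an IP literal
        return False


def find_self_handoff(text, fw_addresses=FW_ADDRESSES):
    """Return [(lineno, host)] for every 'http-gw: ftp-proxy <host>' rule whose
    target is this firewall, i.e. loopback or one of its own addresses.

    Assumption: the first argument is the proxy host, optionally 'host:port'.
    """
    findings = []
    for lineno, app, keyword, args in parse_netperm(text):
        if app != "http-gw" or keyword != "ftp-proxy" or not args:
            continue
        target = args[0]
        # Strip a single ':port' suffix; leave IPv6 literals such as ::1 alone.
        host = target.rsplit(":", 1)[0] if target.count(":") == 1 else target
        if is_loopback(host) or host in fw_addresses:
            findings.append((lineno, host))
    return findings


if __name__ == "__main__":
    for lineno, host in find_self_handoff(SAMPLE_TABLE):
        print(f"netperm-table line {lineno}: http-gw hands FTP to itself ({host}); "
              "comment the entry out or point it at a separate FTP-capable proxy")
```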
From owner-fwtk-users@ex.tis.com Mon Aug 2 22:30 EDT 1999
From: Greg Omond
To: fwtk-users@ex.tis.com
Subject: FW: Plug-gw & Routing
Date: Tue, 3 Aug 1999 10:43:00 +1000

Gregory Omond
Skilled Engineering LTD.
850 Whitehorse Road Box Hill, 3128
Ph: (03) 9924 2471 Fax: (03) 9924 2422
Mobile: (040) 710 1739 Ah: (03) 9710 1738 Ah Fax: (03) 9710 1728

> -----Original Message-----
> From: Greg Omond
> Sent: Thursday, July 29, 1999 9:38 AM
> To: 'fwtk-users@ex.tis.com'
> Cc: 'users@ex.tis.com'
> Subject: FW: Plug-gw & Routing
>
> -----Original Message-----
> From: Greg Omond
> Sent: Wednesday, July 28, 1999 10:01 AM
> To: 'majordomo@ex.tis.com'
> Subject: Plug-gw & Routing
>
> Help
> I am new to all of this firewall stuff.
> I have the FWTK running on Solaris 2.7 Intel and it is passing HTTP, FTP and NNTP well via their respective gateways.
>
> I am trying to use the plug-gw to pass 2 addresses on port 12000 to an outside destination.
>
> I have setup a default route from the source pc ie:
>
> Route -p add 0.0.0.0 mask 255.255.0.0 192.1.25.70 metric 1
>
> To force the applet to hit the firewall.
> And I have set the netperm table up to allow the port ie:
>
> plug-gw: port fred * -plug-to [ dest-address ] -port fred
> plug-gw: port fred [ dest-address ] -plug-to * -port fred
>
> I have added fred to the services file.
>
> And the following line to /etc/inetd.conf:
> fred stream tcp nowait root /user/local/etc/plug-gw fred
>
> and HUPed inetd
>
> Yet when I run flog and attempt access to the service I get no connection and no debugging info.
>
> It appears that the plugged port is not listening or that I am just plain stupid (please don't comment on the last bit.)
>
> Thanks in advance.
>
> Greg Omond

From owner-fwtk-users@ex.tis.com Mon Aug 2 23:46 EDT 1999
Message-ID: <37A64F93.C3A032FC@cs.columbia.edu>
Date: Mon, 02 Aug 1999 22:10:27 -0400
From: "Andreas L. Prodromidis"
Organization: Columbia University
CC: fwtk-users@ex.tis.com
Subject: Re: ftp (500 port error) from the browser
References: <199908021521.LAA22335@fw1-b.osis.gov>
Joseph S D Yao wrote:
> > Just to double check, to be sure I haven't missed anything,
> > here is the ftp portion of my netperm-table:
> >
> > ftp-gw: sizelimit 0
> > ftp-gw: data-port 20
> > ftp-gw: timeout 3600
> > ftp-gw: permit-hosts 10.1.1.* -log { retr stor }
>
> I believe this is irrelevant to FTP via http-gw.
>
> > and also:
> > http-gw: ftp-proxy 127.0.0.1
> >
> > Do you see anything missing?
>
> On the contrary: too much. Comment out that last line and see what
> happens.

Yes, I have tried it with and without this statement (Rick Murphy also suggested it), but with no change in the final outcome. Anyway, thanks for the help... I appreciate it. I'll try to go deeper... maybe look at the source code if needed.

Andreas

From owner-fwtk-users@ex.tis.com Tue Aug 3 06:53 EDT 1999
From: Chris Wakelin
To: Spencer Marshall
cc: fwtk-users@ex.tis.com
Subject: Re: auth....
Date: Tue, 3 Aug 1999 09:41:02 +0100 (GMT Daylight Time)

Yes I have. There is a patch available from a link on the FWTK web-pages at www.fwtk.org (under patches, #2.6).
I did have to make a small change to fix a problem with the warning when you're about to run out of passwords; the way it is supplied, the warning occurs every time. To fix it I made a small change to auth/opie.c (diff output):

8a9,13
> /*
> * Modified by Chris Wakelin, IT Services, The University of Reading
> * to fix bug in test for running out of passwords
> */
>
45a51
> int i;
49a56,57
> i = opiegetsequence(&kbuf); /* save password sequence number */
> /* since opieverify zeros kbuf */
52c60
< if(kbuf.opie_n < 5)
---
> if(i < 5)

There are all sorts of OPIE calculators out there. For a couple of very neat ideas, have a look at http://tama.gate.nec.co.jp/so/ and http://www.cs.umd.edu/~harry/jotp

Hope this helps,
Chris

On Mon, 2 Aug 1999 09:58:45 +0100 Spencer Marshall wrote:
> Has anyone managed to get opie working with auth rather than s/key? I am
> looking to use opie, because I do not have the s/key libraries, or a
> portable challenge response card.
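Review bot: the name `i` introduced in the `45a51` hunk hides what the `52c60` test `if(i < 5)` is actually checking; since the value is the OPIE sequence number captured by `opiegetsequence(&kbuf)` before `opieverify` zeros `kbuf`, declaring it as something like `int seq;` with the "save password sequence number" comment attached to the declaration would make the remaining-passwords test self-explanatory, and the two half-comments in the `49a56,57` hunk could then collapse into one.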
> Cheers,
> Spencer

--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+--
Christopher Wakelin, c.d.wakelin@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 931 6630
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094

From owner-fwtk-users@ex.tis.com Wed Aug 4 10:21 EDT 1999
From: ark@eltex.ru
Date: Wed, 4 Aug 1999 15:58:47 +0400
Message-Id: <199908041158.PAA22701@paranoid.eltex.spb.ru>
Organization: "Klingon Imperial Intelligence Service"
Subject: new sybase-gw
To: fwtk-users@tis.com
Cc: avenger@erols.com, youngk@ttc.com

nuqneH,

http://private.convey.ru/ark/archive/sybase-gw-0.3beta.tar.gz

hope fwtk.org will mirror it soon

readme file follows

sybase-gw v0.3beta
^^^^^^^^^ ^^^^^^^^

This file is README for sybase-gw, a proxy for TDS protocol 5.0 and fwtk-style firewalls. It should work and is tested with Sybase 11. Another functionality it provides is creating an encrypted tunnel between two firewalls for database applications.

setting up proxy
^^^^^^^ ^^ ^^^^^

Edit Makefile to add -DIPFILTER to c options and IPFILTER variable to point to IPFilter source if you use IPFilter transparency. Compile the source and edit inetd.conf to point to the binary.
Requires libblowfish (available from ftp.funet.fi) and md5 library (if your system does not have libmd5 you are probably running linux. try to get it separately. Don't ask me where.)

Set up connection diverter if you use transparent operation.

netperm-table general options:

{permit-|deny-}hosts   similar to fwtk

netperm-table hosts options:

-dest              similar to fwtk
-transparent       transparent operation
-plug-to           plug to a pre-defined server
-port              use this port number when connecting to server
-authuser          similar to fwtk
-user              specify the list of users allowed to access proxy. "!" modifier is valid.
-loguser           log username when authenticating on database server
-client-encrypt    use encryption on client side, blowfish only is implemented for now
-client-md5key     string hash will be encryption key
-server-encrypt    use encryption on server side, blowfish only is implemented for now
-server-md5key     string hash will be encryption key
-extnd             turn extended permissions processing on (see authsrv documentation)

setting up client side
^^^^^^^ ^^ ^^^^^^ ^^^^

Use user@host syntax to specify real destination for non-transparent operation. For transparent operations no special client setup is required.

BUGS
^^^^

Just a beta release - so there should be some.
I think i should make it more portable.
There are some possible problems if your compiler does not understand pack() #pragma.
Packet check after authentication is embryonic.
Protocol seems to be quite brain-dead so expect slowdowns or something.
Encryption is far from being optimal.

ToDo
^^^^

Fix the above.
Implement more encryption and hash functions.
Think on 2-level authentication (if it is possible at all)
Get protocol specs from Sybase (all the code is based on reverse engineering and non-reliable sources. it is much better than Gauntlet sybase proxy anyways ;)
Anything else?

For developers
^^^ ^^^^^^^^^^

Feel free to improve the program the way you want - but send me a copy of your patches.
Revision history
^^^^^^^^ ^^^^^^^

0.1alpha  First version
0.2alpha  Bugfixes, workarounds
0.3beta   Attempt to fix (i think protocol, not mine) bug that caused connection to slow down. Some cosmetic changes and code cleanup, so i call it beta now.

Email
^^^^^

home: ark@mpak.convey.ru
work: ark@eltex.ru

CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

From owner-fwtk-users@ex.tis.com Wed Aug 4 10:36 EDT 1999
From: ark@eltex.ru
Date: Wed, 4 Aug 1999 16:59:40 +0400
Message-Id: <199908041259.QAA22944@paranoid.eltex.spb.ru>
Organization: "Klingon Imperial Intelligence Service"
Subject: ms-sql-gw
To: fwtk-users@tis.com
Cc: avenger@erols.com, youngk@ttc.com
nuqneH,

http://private.convey.ru/ark/archive/ms-sql-gw-0.3beta.tar.gz

ms-sql-gw v0.3beta
^^^^^^^^^ ^^^^^^^^

This file is README for ms-sql-gw, a proxy for TDS protocol 4.2 or 4.6 and fwtk-style firewalls. It should work with MS SQL 6 and 7 and older Sybase ( <10 ) versions. Another functionality it provides is creating an encrypted tunnel between two firewalls for database applications.

setting up proxy
^^^^^^^ ^^ ^^^^^

Edit Makefile to add -DIPFILTER to c options and IPFILTER variable to point to IPFilter source if you use IPFilter transparency. Compile the source and edit inetd.conf to point to the binary.

Requires libblowfish (available from ftp.funet.fi) and md5 library (if your system does not have libmd5 you are probably running linux. try to get it separately. Don't ask me where.)

Set up connection diverter if you use transparent operation.

netperm-table general options:

{permit-|deny-}hosts   similar to fwtk

netperm-table hosts options:

-dest              similar to fwtk
-transparent       transparent operation
-plug-to           plug to a pre-defined server
-port              use this port number when connecting to server
-authuser          similar to fwtk
-user              specify the list of users allowed to access proxy. "!" modifier is valid.
-loguser           log username when authenticating on database server
-client-encrypt    use encryption on client side, blowfish only is implemented for now
-client-md5key     string hash will be encryption key
-server-encrypt    use encryption on server side, blowfish only is implemented for now
-server-md5key     string hash will be encryption key
-oob               emulate client oob behavior
-sqlv6             specify protocol version
-tdsv42            "
-sqlv7             "
-tds46             "
-extnd             turn extended permissions processing on (see authsrv documentation)

setting up client side
^^^^^^^ ^^ ^^^^^^ ^^^^

Use user@host syntax to specify real destination for non-transparent operation. For transparent operations no special client setup is required.
BUGS
^^^^

Just a beta release - so there should be some.
I think i should make it more portable.
There are some possible problems if your compiler does not understand pack() #pragma.
Packet check after authentication is embryonic.
Protocol seems to be quite brain-dead so expect slowdowns or something.
Encryption is far from being optimal.

ToDo
^^^^

Fix the above.
Implement more encryption and hash functions.
Think on 2-level authentication (if it is possible at all)
Get protocol specs from Sybase (all the code is based on reverse engineering and non-reliable sources. it is much better than Gauntlet ms sql proxy anyways ;)
Anything else?

For developers
^^^ ^^^^^^^^^^

Feel free to improve the program the way you want - but send me a copy of your patches.

Revision history
^^^^^^^^ ^^^^^^^

0.1alpha  First version
0.2alpha  Bugfixes, workarounds
0.3beta   Some cosmetic changes and code cleanup, so i call it beta now.

Email
^^^^^

home: ark@mpak.convey.ru
work: ark@eltex.ru

CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!
From owner-fwtk-users@ex.tis.com Wed Aug 4 11:30 EDT 1999
From: hans schneidhofer
Organization: Busines-CON'ZEPT
To: fwtk-users@lists.nai.com
Subject: how can I realize a DMZ with fwtk ?
Date: Wed, 4 Aug 1999 15:29:45 +0200
Message-Id: <99080415501404.00795@mozart.busines.conzept.com>

hi,

I have to install a DMZ with an outside firewall, web, mail, ftp and an inside firewall. Would it be possible to install a proxy, DNS and tis-firewall on both the outside and the inside firewall? For sure, the inside DNS (firewall) knows only about the inhouse hosts and the outside firewall nothing about the inhouse hosts.

Should look like that:

Internet ---> Cisco-Router ---> outside-Firewall ---> (Proxy,DNS,Firewall)
                                                          |
                                          Webserver MailServer FTPServer etc.
                                          inside firewall ---> (Proxy,DNS,Firewall)
                                                          |
                                                     inhouse hosts

Your help is very welcome
hans schneidhofer

From owner-fwtk-users@ex.tis.com Wed Aug 4 11:42 EDT 1999
Message-ID: <3551A31796ADCF11929400A0247B20CD08CFB795@exchnj02-temp.sbi.com>
From: "Simonowits, Jerry"
To: fwtk-users@tis.com
Subject: remove hostname lookup
Date: Wed, 4 Aug 1999 10:10:11 -0400

Is there a way to set a configuration parameter so that fwtk does NOT do a name lookup for each IP address? If not, is there a patch?
Jerry

From owner-fwtk-users@ex.tis.com Wed Aug 4 21:12 EDT 1999
From: Greg Omond
To: "'FWTK News'"
Subject: NAB proxy or plug
Date: Thu, 5 Aug 1999 09:30:44 +1000

Has anyone managed to get the National Australia Bank Software to work with FWTK.

Gregory Omond
Skilled Engineering LTD.
From owner-fwtk-users@ex.tis.com Thu Aug 5 00:29 EDT 1999
From: Greg Omond
To: Greg Omond, "'FWTK News'"
Subject: RE: NAB proxy or plug
Date: Thu, 5 Aug 1999 12:45:54 +1000

Further to my original Prob. I think that the machine is not listening. If I telnet the respective plugs and proxies they work perfectly. But if I just setup routing so that the only way out is via the firewall, the proxies don't appear to listen, as there is no debug info produced.

thanks.

Gregory Omond
Skilled Engineering LTD.

-----Original Message-----
From: owner-fwtk-users@ex.tis.com [mailto:owner-fwtk-users@ex.tis.com] On Behalf Of Greg Omond
Sent: Thursday, August 05, 1999 9:31 AM
To: 'FWTK News'
Subject: NAB proxy or plug
Has anyone managed to get the National Australia Bank software to work with FWTK?

Gregory Omond
Skilled Engineering LTD.
850 Whitehorse Road
Box Hill, 3128
Ph: (03) 9924 2471  Fax: (03) 9924 2422
Mobile: (040) 710 1739
Ah: (03) 9710 1738  Ah Fax: (03) 9710 1728

From owner-fwtk-users@ex.tis.com Thu Aug 5 05:38 EDT 1999
Message-ID: <19990805175621.A20530@venus.dev.unico.com.au>
Date: Thu, 5 Aug 1999 17:56:21 +1000
From: David Goh
To: fwtk-users@ex.tis.com
Subject: Re: NAB proxy or plug
Reply-To: david@unico.com.au
In-Reply-To: from "Greg Omond" on Thu, Aug 05, 1999 at 12:45:54PM

gomond@skilled.com.au (Greg Omond) wrote:

> I think that the machine is not listening.

Listening to *what*? What does the software you're trying to plug through *do*? Open a socket connection to some specific host on the Internet via some specific port? Use proxied HTTP to do its work?

> If I telnet the respective plugs and proxies they work perfectly.

Mmm... *which* plugs and proxies?

> But if I just set up routing so that the only way out is via the firewall,
> the proxies don't appear to listen, as there is no debug info produced.

Eh?
Your firewall is routing packets? Routing packets from where to where? You are using real Internet IPs *inside* your firewall??

Later,
david
--
| david@unico.com.au (David Goh, Unico Computer Systems, +61-3-9866-5688)
If USENET is anarchy, IRC is a paranoid schizophrenic after 6 days on speed.
-- Chris "Saundo" Saunderson in alt.sysadmin.recovery

From owner-fwtk-users@ex.tis.com Thu Aug 5 05:38 EDT 1999
From: hans schneidhofer
Organization: Busines-CON'ZEPT
To: Antonino Iannella
Cc: fwtk-users@lists.nai.com
Subject: Re: how can I realize a DMZ with fwtk ?
Date: Thu, 5 Aug 1999 08:59:27 +0200
References: <37A8E01E.C540B516@camtech.com.au>
Message-Id: <99080510021600.00785@mozart.busines.conzept.com>

hi antonino and list,

you wrote, why two firewalls - okay, I'll try to describe why. During the planning phase I had read a lot of articles, books, newsletters, and much more. In most cases I found a construction which is called a DeMilitarized Zone. The first firewall, with built-in DNS and proxy, is connected directly to the Internet and acts as a firewall for incoming calls, as well as a proxy also for incoming requests, and answers the DNS queries from outside.
But it knows nothing about the in-house hosts, or in other words, the intranet. Then follow the web, mail, ftp and other servers. The inner firewall, so the descriptions say, has to act as a firewall for the in-house hosts, which only have indirect connections, like a simple Internet surfer likes to do. Also the DNS on this inner firewall only knows about the in-house hosts, nothing about Internet hosts. And the built-in proxy here has to act as a proxy for normal requests, like a simple Internet surfer makes. The proxy here could possibly be realized with squid or equivalent.

> > Should look like that:
> >
> > Internet --->
> > Cisco-Router --->
> > outside-Firewall ---> (Proxy,DNS,Firewall)
> >   |
> > Webserver
> > MailServer
> > FTPServer
> > etc.
> > inside firewall ---> (Proxy,DNS,Firewall)
> >   |
> > inhouse hosts
> >

My problem now is, I think, that I have read too much in too short a time. The result is that I cannot get a light on all that information in this short time. On the other hand, we have had a leased line for a few days now and don't know exactly how to realize all the necessary stuff, especially the connection to the Internet as a provider. The experience I have with Linux is doing "normal" network jobs like installing and maintaining an NFS server, print server, Samba server, and workstations with different designs, but doing a complete provider setup is very new and hard for me. Maybe I'm wrong about the needed stuff here; if so, please correct me. I think the important thing I need here is to make a correct plan, and then a step-by-step realization of all the needed stuff. For sure, I could give an order to a company here. But if something is wrong, or anybody breaks the security from outside, I cannot maintain my own network. On the other hand, most companies here are working with WinNT, and if I only hear the word Win or WinNT, I get a gruel. I know why, indeed. We have 2 Win users.
Every day I have to do a small or big setup, because those Win boxes suddenly screw up one or a few more times. Crazy thing. If anybody is interested in doing some professional helping here, we are willing to pay something, supposing the installation is okay and we can work with the equipment.

regards and thanks for helping me
hans schneidhofer

From owner-fwtk-users@ex.tis.com Thu Aug 5 14:27 EDT 1999
Message-ID: <012d01bedf5d$1b03f7b0$0102a8c0@racer.benzacar.com>
From: "Eric Benzacar"
To: "hans schneidhofer"
Subject: Re: how can I realize a DMZ with fwtk ?
Date: Thu, 5 Aug 1999 12:10:53 -0400

From the way I see things (and I should not be taken to be an expert on this stuff), you don't need the first firewall. Your DMZ should be between the Cisco router and your intranet firewall. Any internal DNS, Samba, etc. should run on an internal server (inside your intranet), and the machines in the DMZ should be able to access the intranet firewall, but none of the internal machines.
If you do this, then you need Internet DNS entries for your WWW and public FTP servers. Also make sure that any other servers you put out here are not security concerns - i.e. I wouldn't consider putting a mail server here particularly.

You can take a look at the following web page (firewall FAQ) to get a better idea about firewalls: http://www.clark.net/pub/mjr/pubs/fwfaq/

Finally, another decision you have to make is whether you want a packet-filtering (and NAT) firewall or a proxy-based firewall.

Final config should probably be something like:

Internet --->
Cisco-Router --->
  |
  |  Webserver (public IP address)
  |  FTPServer (public IP address)
  |  Gopher (?) (public IP address)
  |  etc - anything else for public access
  |
Intranet firewall (dual homed - 1 public, 1 private IP) (Proxy and/or Packet filter)
  |
Internal DNS (private IP)
MailServer (private IP)
inhouse hosts (all gateway'ed to the Intranet firewall - private IP's)

If you have any other question, don't hesitate to ask....

Good Luck!
Eric

From owner-fwtk-users@ex.tis.com Thu Aug 5 16:52 EDT 1999
Message-ID: <5A83122BF183D2119AA600A0C955246A01BFA1DF@first-corp.corp.firstindustrial.com>
From: Nick Colakovic
To: "'Greg Omond'", "Fwtk-Users (E-mail)"
Subject: RE: NAB proxy or plug
Date: Thu, 5 Aug 1999 14:14:17 -0500

> If I telnet the respective plugs and proxies they work perfectly.
>
> But if I just set up routing so that the only way out is via the
> firewall,
> the proxies don't appear to listen, as there is no debug info
> produced.

I assume that by enabling routing you are attempting to set up a transparent proxy. I am assuming you have done the following:

1) Pointed the client machine's default gateway to the IP of the firewall.
2) Enabled forwarding on the firewall.
3) Assumed that client traffic with a destination external to your LAN(s) would be automatically handled by whatever proxy as a result of 1 and 2.

This will not work with plain-jane Unix routing. The packets are being sent to the firewall/router LAN MAC address by client machines, but their headers still point to IPs that are non-local to the firewall machine. The Unix kernel will not redirect packets to proxies on the local machine magically. If you want to do this you need to install a redirecting packet filter like IPFILTER (http://cheops.anu.edu.au/~avalon). I believe (though I have never used it) that the Linux IPFW packet filter can do this also.

With the redirecting packet filter you can tell the filter package to rewrite IP headers to point the destination IP based around the traffic type. In your case (I am assuming much here because technical details such as specific proxied protocols, FWTK host OS, client types, etc. were not provided), say you wish to direct outbound SMTP traffic to the FWTK host:

1) Set up an SMTP proxy on the firewall machine. This can be smap/smapd or whatever.
2) Set up the firewall packet filter to redirect incoming packets with destination port = 25 to the firewall host. With ipfilter the ipnat rule is:

    rdr ed0 0.0.0.0/0 port smtp -> 127.0.0.1 port smtp

Where ed0 is the internal NIC of your firewall host.
With the above config all packets coming in to the firewall host get their destination IPs set to the localhost IP. This forces any outgoing SMTP sessions to be redirected internally to the firewall.

-NRC

From owner-fwtk-users@ex.tis.com Fri Aug 6 03:59 EDT 1999
Message-Id: <199908060614.XAA17128@relay.nai.com>
Date: Fri, 6 Aug 1999 14:14:58 +0800
From: Liu Jianwei
To: "fwtk-users@ex.tis.com"
Subject: Where can I put the FWTK firewall?
Organization: HiSense

Dear Sirs:

Now I am creating a Linux firewall. I have installed two net cards (adapters) on my PC, and installed the FWTK software as well. I know there are many kinds of net structure for placing a firewall, but I want to know what's the best one for my FWTK-type firewall. As I know, my PC is connected to the INTERNET through a HUB, a proxy server and a router. But I want my PC to be the Bastion Host to control all the hosts (under the HUB) in our department. Which is the best structure to put my FWTK firewall in? It would be best if you could show me a diagram (figure). And if you know where I can find references concerning this problem, please tell me. Thank you very much!
Jianwei Liu

From owner-fwtk-users@ex.tis.com Fri Aug 6 17:09 EDT 1999
Message-ID: <01BEE019.B25D0F40.dave.sims@idicanada.com>
From: Dave Sims
To: "'Eric Benzacar'", hans schneidhofer
Cc: "fwtk-users@lists.nai.com"
Subject: RE: how can I realize a DMZ with fwtk ?
Date: Fri, 6 Aug 1999 14:40:55 -0400
Organization: IDI Canada

I always thought that your DMZ should be on a 3rd NIC on your firewall. Your firewall then checks the packet coming in from the Internet or intranet on NICs 1 and 2, respectively (see below), and if it's a request for your WEB, FTP, etc., it'll route the packet out the 3rd NIC onto your DMZ. If it's mail, sendmail (w/ smap, etc.) sends it to your internal MAIL server, or out to its destination on the Internet. You then have further control over access to your DMZ than just 'router rules'. Also you have just one firewall. DMZ IP addresses can be anything you want: the 'Real World' addresses of your DMZ servers can be one and the same, and can be directed by the firewall. I consider the 'ideal' firewall to be a packet analyzer and smart switch all-in-one.
I am currently analyzing the fwtk to see if it meets MY requirement, so I can't say for sure if the fwtk performs the way I believe it should.

Here is my proposed layout/flow diagram:

  (you)
   |----hackers and the 'real World'  (them)
   |----external DNS - provides lookup for your domain for outside world.
   |                 - maintained by your ISP
   |
INTERNET
  /\
  |
  |
  \/
ROUTER
  /\
  |
  |
  \/
 [NIC1]
FIREWALL [NIC3]<-------->DMZ (for all publicly available servers)
 [NIC2]
  /\
  |
  |
  \/
INTRANET
   |-- internal DNS - maintains internal domain only.
   |                - forwards foreign domain requests to outside DNS.
   |
   |-- mail server - simple algorithm: if mail NOT local, send to firewall. done.
   |-- ... (other protected resources)
  (me)

So can the fwtk do this cleanly? I doubt it. Can it be made to do it with patches, advice, blood, sweat and tears? Probably. This is what I'm banking on! Ideally, I want a transparent firewall for all possible applications traversing it. No changing config requirements for mobile users and support concerns for internal applications.

Have I confused you even more?

Dave Sims
Senior Network Specialist
Intelligent Decisions Inc.
Ottawa, Ontario. Canada.
(613) 782-2300x6302

-----Original Message-----
From: Eric Benzacar [SMTP:benze@attcanada.net]
Sent: Thursday, August 05, 1999 12:11 PM
To: hans schneidhofer
Cc: fwtk-users@lists.nai.com
Subject: Re: how can I realize a DMZ with fwtk ?

From the way I see things (and I should not be taken to be an expert on this stuff), you don't need the first firewall. Your DMZ should be between the Cisco router and your intranet firewall. Any internal DNS, Samba, etc. should run on an internal server (inside your intranet), and the machines in the DMZ should be able to access the intranet firewall, but none of the internal machines. If you do this, then you need Internet DNS entries for your WWW and public FTP servers.
Also make sure that any other servers you put out here are not security concerns - i.e. I wouldn't consider putting a mail server here particularly.

You can take a look at the following web page (firewall FAQ) to get a better idea about firewalls: http://www.clark.net/pub/mjr/pubs/fwfaq/

Finally, another decision you have to make is whether you want a packet-filtering (and NAT) firewall or a proxy-based firewall.

Final config should probably be something like:

Internet --->
Cisco-Router --->
  |
  |  Webserver (public IP address)
  |  FTPServer (public IP address)
  |  Gopher (?) (public IP address)
  |  etc - anything else for public access
  |
Intranet firewall (dual homed - 1 public, 1 private IP) (Proxy and/or Packet filter)
  |
Internal DNS (private IP)
MailServer (private IP)
inhouse hosts (all gateway'ed to the Intranet firewall - private IP's)

If you have any other question, don't hesitate to ask....

Good Luck!
Eric

From owner-fwtk-users@ex.tis.com Sat Aug 7 01:17 EDT 1999
Message-ID: <027b01bee085$6b84f3a0$0102a8c0@racer.benzacar.com>
From: "Eric Benzacar"
To: "Dave Sims", "hans schneidhofer"
Subject: Re: how can I realize a DMZ with fwtk ?
Date: Fri, 6 Aug 1999 23:32:02 -0400

Hmmm.... I guess that's another way of doing it that can work. Through the use of a 3rd NIC, I guess you can offer additional access protection to your DMZ. I don't know about using proxies for that, however - it might be too much traffic for the firewall, especially if you'll be getting a lot of hits on your servers. What about using packet filtering at that point? You can multi-home your firewall, and use IPCHAINS to redirect all packets destined for the web server (etc.) through the 3rd NIC. Or you can just single-home your firewall, and redirect the packets based on the ports they are trying to access.

I guess I just don't see the additional advantage of this, however. It'll cause an extra burden on the firewall that may (or may not) be necessary. I guess the biggest advantage is only needing 1 public address for all your servers (the firewall address), which can be a big benefit.

Can fwtk do that? Hmmm... yeah, I don't see why not. FWTK can be set up to bind to a particular network card (a patch I saw on the www.fwtk.org page) and the config file can be set up to direct particular connections to particular servers (i.e. if coming from hosts XXXX.XXXX go to host YYY.YYY). You can also use IPCHAINS to redirect packets at the packet level, but I just don't know how secure it is; typically you don't want to be doing NAT with a proxy server.

Does this make sense?
Eric

-----Original Message-----
From: Dave Sims
To: 'Eric Benzacar'; hans schneidhofer
Cc: fwtk-users@lists.nai.com
Date: Friday, August 06, 1999 6:15 PM
Subject: RE: how can I realize a DMZ with fwtk ?

>
>I always thought that your DMZ should be on a 3rd NIC on your firewall.
> Your firewall then checks the packet coming in from the Internet or
>intranet on NICs 1 and 2, respectively (see below), and if it's a request
>for your WEB, FTP, etc., it'll route the packet out the 3rd NIC onto your
>DMZ. If it's mail, sendmail (w/ smap, etc.) sends it to your internal MAIL
>server, or out to its destination on the Internet. You then have further
>control over access to your DMZ than just 'router rules'. Also you have
>just one firewall. DMZ IP addresses can be anything you want: the 'Real
>World' addresses of your DMZ servers can be one and the same, and can be
>directed by the firewall. I consider the 'ideal' firewall to be a packet
>analyzer and smart switch all-in-one. I am currently analyzing the fwtk to
>see if it meets MY requirement, so I can't say for sure if the fwtk
>performs the way I believe it should.
>Here is my proposed layout/flow diagram:
>
>  (you)
>   |----hackers and the 'real World'  (them)
>   |----external DNS - provides lookup for your domain for outside world.
>   |                 - maintained by your ISP
>   |
>INTERNET
>  /\
>  |
>  |
>  \/
>ROUTER
>  /\
>  |
>  |
>  \/
> [NIC1]
>FIREWALL [NIC3]<-------->DMZ (for all publicly available servers)
> [NIC2]
>  /\
>  |
>  |
>  \/
>INTRANET
>   |-- internal DNS - maintains internal domain only.
>   |                - forwards foreign domain requests to outside DNS.
>   |
>   |-- mail server - simple algorithm: if mail NOT local, send to firewall. done.
>   |-- ... (other protected resources)
>  (me)
>
>So can the fwtk do this cleanly? I doubt it. Can it be made to do it with
>patches, advice, blood, sweat and tears? Probably.
>This is what I'm banking on! Ideally, I want a transparent firewall for all possible
>applications traversing it. No changing config requirements for mobile
>users and support concerns for internal applications.
>Have I confused you even more?
>
>Dave Sims
>Senior Network Specialist
>Intelligent Decisions Inc.
>Ottawa, Ontario.
>Canada.
>(613) 782-2300x6302

From owner-fwtk-users@ex.tis.com Mon Aug 9 07:09 EDT 1999
Date: Mon, 9 Aug 1999 18:42:38 +1000 (EST)
From: Bruce Campbell
To: "fwtk-users@lists.nai.com"
Subject: RE: how can I realize a DMZ with fwtk ?
In-Reply-To: <01BEE019.B25D0F40.dave.sims@idicanada.com>

On Fri, 6 Aug 1999, Dave Sims wrote:

dave.s> I always thought that your DMZ should be on a 3rd NIC on your firewall.

[INTERNET, ROUTER]
dave.s>      \/
dave.s>     [NIC1]
dave.s> FIREWALL [NIC3]<-------->DMZ (for all publicly available servers)
dave.s>     [NIC2]
dave.s>      /\
[INTERNAL NETWORK]

Cool. You've just made your firewall the prime failure point.
Unlike routers, firewalls generally have nice parts which are moving very fast and have a tendency to stop moving very fast at inconvenient moments, such as 2am Saturday mornings.

Personal preference for a DMZ is to have your 'public presence' machines only relying on your router (which also goes pop at inconvenient moments, but less often than equipment with moving parts) for basic packet filtering, and having these machines driven totally from the inside (i.e. web page updates, mail configs etc.). If you have the money, you could also do this via bootable CDROMs and memory filesystems for speed (assuming a gig or so of memory).

As always, anything is possible, given suitable amounts of money and staffing.

Regards,
--==--
Bruce.

From owner-fwtk-users@ex.tis.com Mon Aug 9 09:39 EDT 1999
From: "Sture Lygren"
Subject: Some questions
Date: Mon, 9 Aug 1999 14:03:42 +0200
Message-ID: <01bee25f$39780510$8a662780@NTBIB.ARRDOMAIN>

Hi!
I'm new to this list, and as such I hope you will bear with me for asking already-answered questions.

My configuration:
Firewall: Linux 2.2.10 running fwtk 2.1.
Protected net: 15 machines running NT Workstation.
Gateways working: http-gw, ftp-gw and tn-gw.

Now I need to give the machines behind the firewall access to networked printers on the outside (they are being served from an NT server). Question is - how can I set up the firewall so that the NT Workstations behind the firewall can access the shares (machines and printers) in our outer net (that is, how can the machines log on to our NT domain)?

Second: We have a server (program) on our outer net that serves data on a specific port. I need access to that data on a machine behind the wall. How will I go about configuring the firewall to let this happen?

Hope you people can help me out here - I'm quite desperate to get this working!

Thanks in advance
Sture Lygren

From owner-fwtk-users@ex.tis.com Mon Aug 9 10:53 EDT 1999
From: "Bob Moody"
Subject: RE: how can I realize a DMZ with fwtk ?
Date: Mon, 9 Aug 1999 08:17:46 -0500
Message-ID: <000101bee269$92b60b40$191ea8c0@Bobm.cpiai.com>

Greetings,

I'm a little confused. I have been watching this conversation for days now and I'm still trying to understand the purpose of the 3rd NIC card. I was given to understand that the area between the routers and the firewall WAS the DMZ, and anything placed there was the sacrificial lambs in the event of an attack.

[INTERNET, ROUTER]
      \ /
      DMZ
      / \
[FIREWALL NIC PUBLIC]
       [FWTK]
[FIREWALL NIC PRIVATE]
      / \
[Private Network]

Granted, I'm certainly not an expert, but besides offering a lot more work, maintenance and setup, I don't see the purpose of a 3rd NIC. Perhaps it will become clearer as this saga unfolds.

Bob Moody
MGR MIS
Collateral Protection

-----Original Message-----
From: owner-fwtk-users@ex.tis.com [mailto:owner-fwtk-users@ex.tis.com] On Behalf Of Bruce Campbell
Sent: Monday, August 09, 1999 3:43 AM
To: fwtk-users@lists.nai.com
Subject: RE: how can I realize a DMZ with fwtk ?

On Fri, 6 Aug 1999, Dave Sims wrote:

dave.s> I always thought that your DMZ should be on a 3rd NIC on your firewall.

[INTERNET, ROUTER]
dave.s>      \/
dave.s>     [NIC1]
dave.s> FIREWALL [NIC3]<-------->DMZ (for all publicly available servers)
dave.s>     [NIC2]
dave.s>      /\
[INTERNAL NETWORK]

Cool. You've just made your firewall the prime failure point.
Unlike routers, firewalls generally have nice parts which are moving very fast and have a tendency to stop moving very fast at inconvenient moments, such as 2am Saturday mornings.

Personal preference for a DMZ is to have your 'public presence' machines only relying on your router (which also goes pop at inconvenient moments, but less often than equipment with moving parts) for basic packet filtering, and having these machines driven totally from the inside (i.e. web page updates, mail configs etc.). If you have the money, you could also do this via bootable CDROMs and memory filesystems for speed (assuming a gig or so of memory).

As always, anything is possible, given suitable amounts of money and staffing.

Regards,
--==--
Bruce.

From owner-fwtk-users@ex.tis.com Mon Aug 9 13:13 EDT 1999
Message-ID: <19990809153415.23347.rocketmail@send205.yahoomail.com>
Date: Mon, 9 Aug 1999 08:34:15 -0700 (PDT)
From: Rude Yak
Subject: RE: how can I realize a DMZ with fwtk ?
To: rmoody@cpiai.com
Cc: fwtk-users@lists.nai.com

The difference is the first setup offers little to protect your publicly accessible machines, whereas the second does.
#1
          [INTERNET, ROUTER]
                \ /
                DMZ
                / \
        [FIREWALL NIC PUBLIC]
               [FWTK]
        [FIREWALL NIC PRIVATE]
                / \
          [Private Network]

#2
          [INTERNET, ROUTER]
                 \/
               [NIC1]
      FIREWALL [NIC3]<-------->DMZ (for all publicly available servers)
               [NIC2]
                 /\
          [INTERNAL NETWORK]

From owner-fwtk-users@ex.tis.com Mon Aug 9 15:37 EDT 1999
Date: Mon, 9 Aug 1999 13:54:54 -0400 (EDT)
From: Ted Keller
To: Bob Moody
cc: fwtk-users@lists.nai.com
Subject: RE: how can I realize a DMZ with fwtk ?
In-Reply-To: <000101bee269$92b60b40$191ea8c0@Bobm.cpiai.com>

Bob,

People now are being asked to allow inbound connections into their network. Direct connections are always dangerous and must be prohibited. To get around this dilemma, many people are creating a new DMZ which provides firewall protection to a limited-function, safe computer on the side of the firewall. This machine is then permitted to make very specific connections to the inside network. The "DMZ" machine is protected by the firewall from the outside. It is then trusted to make limited internal connections to the inside.
Normally, you will want to change the protocols and ports between the outside and inside networking functions. That way, if this machine is compromised, the damage is still quite limited on getting to the inside network. Also, the limited inbound functionality should not include general vehicles like telnet, ftp, and the like. But they should be very simple facilities which permit limited extraction of data, or limited submission of data.

ted keller

On Mon, 9 Aug 1999, Bob Moody wrote:

> Greetings,
> I'm a little confused. I have been watching this conversation for days now
> and I'm still trying to understand the purpose of the 3rd NIC card. I was to
> understand that the area between the routers and the firewall WAS the DMZ
> and anything placed there was the sacrificial lamb in the event of an
> attack.
>
>           [INTERNET, ROUTER]
>                 \ /
>                 DMZ
>                 / \
>         [FIREWALL NIC PUBLIC]
>                [FWTK]
>         [FIREWALL NIC PRIVATE]
>                 / \
>           [Private Network]
>
> Granted, I'm certainly not an expert, but besides offering a lot more work,
> maintenance and setup, I don't see the purpose of a 3rd NIC. Perhaps it will
> become clearer as this saga unfolds.
>
> Bob Moody
> MGR MIS
> Collateral Protection
>
>
> -----Original Message-----
> From: owner-fwtk-users@ex.tis.com [mailto:owner-fwtk-users@ex.tis.com] On
> Behalf Of Bruce Campbell
> Sent: Monday, August 09, 1999 3:43 AM
> To: fwtk-users@lists.nai.com
> Subject: RE: how can I realize a DMZ with fwtk ?
>
> On Fri, 6 Aug 1999, Dave Sims wrote:
>
> dave.s> I always thought that your DMZ should be on a 3rd NIC on your
> firewall.
>
> dave.s>          [INTERNET, ROUTER]
> dave.s>                 \/
> dave.s>               [NIC1]
> dave.s>      FIREWALL [NIC3]<-------->DMZ (for all publicly available servers)
> dave.s>               [NIC2]
> dave.s>                 /\
> dave.s>          [INTERNAL NETWORK]
>
> Cool. You've just made your firewall the prime failure point. Unlike
> routers, firewalls generally have nice parts which are moving very fast
> and have a tendency to stop moving very fast at inconvenient moments, such
> as 2am Saturday mornings.
>
> Personal preference for a DMZ is to have your 'public presence' machines
> only relying on your router (which also go pop at inconvenient moments,
> but less often than equipment with moving parts) for basic packet
> filtering, and having these machines driven totally from the inside (ie,
> web page updates, mail configs etc).
>
> If you have the money, you could also do this via bootable CDROMs and
> memory filesystems for speed (assuming a gig or so of memory). As always,
> anything is possible, given suitable amounts of money and staffing.
>
> Regards,
>
> --==--
> Bruce.
>

From owner-fwtk-users@ex.tis.com Mon Aug 9 16:00 EDT 1999
Message-Id: <199908091828.OAA04059@fw1-b.osis.gov>
From: Joseph S D Yao
Subject: Re: how can I realize a DMZ with fwtk ?
To: dave.sims@idicanada.com (Dave Sims)
Date: Mon, 9 Aug 1999 14:28:27 -0400 (EDT)
Cc: benze@attcanada.net, technik.business-conzept@acco.net, fwtk-users@lists.nai.com
In-Reply-To: <01BEE019.B25D0F40.dave.sims@idicanada.com> from "Dave Sims" at Aug 6, 99 02:40:55 pm

Your diagram was [roughly]:

        Internet
           |
       ext. router
           |
       bastion host------service network
           |
       int. router
           |
     internal network

The above is exactly what FWTK was designed for. I don't see why you would have any problems with it.

> So can the fwtk do this cleanly? I doubt it. Can it be made to do it with
> patches, advice, blood sweat and tears? Probably. This is what I'm
> banking on! Ideally, I want a transparent firewall for all possible
> applications traversing it. No changing config requirements for mobile
> users and support concerns for internal applications.

Ah, with the last two sentences you are adding in the BS&T.

> Have I confused you even more?

Now you have. ;-/

--
Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
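The two DMZ layouts argued over in the messages above, modelled as an added example that is not code from any post in this thread: it encodes layout #1 (DMZ on the wire between router and firewall) and layout #2 (DMZ on a third firewall NIC), traces sample flows through each, and applies a least-privilege policy of the kind Ted Keller describes. The zone, host and port names are constructed for illustration.

```python
"""Zone model of the two DMZ layouts debated in this thread.

Added example, not from any of the list posts. Layout #1 puts the DMZ on the
segment between the router and the firewall; layout #2 puts it on a third
firewall NIC. Zone, host and port names below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass

# Each device joins a set of network segments ("zones").
TOPOLOGIES = {
    "#1": {"router": {"internet", "dmz"},
           "firewall": {"dmz", "internal"}},
    "#2": {"router": {"internet", "outside"},
           "firewall": {"outside", "dmz", "internal"}},
}


@dataclass(frozen=True)
class Flow:
    src: str    # zone the connection originates in
    dst: str    # zone of the destination host
    host: str   # destination host (constructed name)
    port: int   # destination TCP port


def trace(topology, src, dst):
    """Breadth-first search over zones. Returns (zones, devices) where
    devices[i] carries the packet from zones[i] to zones[i + 1]."""
    links = TOPOLOGIES[topology]
    queue = deque([([src], [])])
    seen = {src}
    while queue:
        zones, devices = queue.popleft()
        if zones[-1] == dst:
            return zones, devices
        for dev, attached in links.items():
            if zones[-1] in attached:
                for nxt in sorted(attached - {zones[-1]}):
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append((zones + [nxt], devices + [dev]))
    return None


# Firewall policy keyed by (entry zone, exit zone, host, port), in the spirit
# of Ted Keller's post: the outside reaches DMZ hosts only on their published
# services; the DMZ host gets exactly one inward connection on a port that is
# never open inbound to it; the inside drives the DMZ hosts (Bruce Campbell's
# point); nothing from the outside reaches the inside directly.
POLICY = {
    ("outside", "dmz", "www-dmz", 80),
    ("outside", "dmz", "smtp-dmz", 25),
    ("dmz", "internal", "dbgw-int", 5432),
    ("internal", "dmz", "www-dmz", 22),
}


def firewall_decision(topology, flow):
    """'permit' or 'deny' as the firewall sees the flow, or 'unfiltered' when
    the firewall is not on the path at all (Rude Yak's objection to #1)."""
    traced = trace(topology, flow.src, flow.dst)
    if traced is None:
        return "unreachable"
    zones, devices = traced
    if "firewall" not in devices:
        return "unfiltered"
    i = devices.index("firewall")
    entry, exit_ = zones[i], zones[i + 1]
    # The firewall knows only which interface a packet arrived on. In #1 an
    # internet host and a DMZ host both enter on the "dmz" segment, so a rule
    # meant for the DMZ host also admits the internet.
    return "permit" if (entry, exit_, flow.host, flow.port) in POLICY else "deny"


def inbound_inward_port_overlap(policy=POLICY):
    """Ted Keller's 'change the protocols and ports' rule: ports open from the
    outside into the DMZ must differ from ports the DMZ may open inward.
    Returns the offending ports; an empty set means the rule holds."""
    inbound = {p for (e, x, _h, p) in policy if (e, x) == ("outside", "dmz")}
    inward = {p for (e, x, _h, p) in policy if (e, x) == ("dmz", "internal")}
    return inbound & inward


if __name__ == "__main__":
    samples = [Flow("internet", "dmz", "www-dmz", 80),
               Flow("internet", "dmz", "www-dmz", 23),
               Flow("internet", "internal", "dbgw-int", 5432),
               Flow("dmz", "internal", "dbgw-int", 5432)]
    for topo in TOPOLOGIES:
        for f in samples:
            print(topo, f"{f.src}->{f.dst} {f.host}:{f.port}",
                  firewall_decision(topo, f))
    print("inbound/inward port overlap:", inbound_inward_port_overlap())
```

Running it shows the point Rude Yak makes: in #1 internet-to-DMZ traffic never crosses the firewall, and the firewall cannot tell an internet host from a DMZ host by interface, whereas in #2 every inbound flow is mediated.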
From owner-fwtk-users@ex.tis.com Mon Aug 9 18:23 EDT 1999
Message-ID: <36C0ABB9.1275BD62@farelogix.com>
Date: Tue, 09 Feb 1999 16:42:17 -0500
From: Jeff Yu
To: fwtk ML
Subject: compile 2.1 under solaris 2.6

Hi folks,

I have a lot of problems building 2.1 under Solaris 2.6. The machine is an Ultra 5 with Sun WorkShop Compiler C 4.2 and Sun WorkShop Compiler C++ 4.2. I get a lot of errors when I try to compile ftwk/lib/config.c. Does anyone have any idea about it?
Thanks a lot

Jeff

From owner-fwtk-users@ex.tis.com Mon Aug 9 21:34 EDT 1999
From: "Mike Batchelor"
To: "Jeff Yu", "fwtk ML"
Subject: RE: compile 2.1 under solaris 2.6
Date: Mon, 9 Aug 1999 16:52:05 -0700
Message-ID: <008f01bee2c2$2ef69f80$4432000a@beach.citysearch.com>
In-Reply-To: <36C0ABB9.1275BD62@farelogix.com>

What are the errors? I do not have a problem building it with SunPro CC 4.2 on Solaris 2.6. My Makefile.config looks like this:

    DEFINES=-DSYSV -DSOLARIS
    MAKE=gmake
    RANLIB=ranlib
    DEST=/usr/local/sbin
    DESTMAN=/usr/local/man
    CC=cc
    CP=cp
    COPT=-O
    AUXLIB=-lresolv -lnsl -lsocket
    DBMLIB=
    LDFL=
    XLDFL=$(LDFL)
    FWTKSRCDIR=/my/home/dir/src/fwtk2.1
    XLIBDIR=/usr/openwin/lib
    XLIBS=-L$(XLIBDIR) -lXaw -lXmu -lXt -lXext -lX11
    XINCLUDE=-I/usr/openwin/include
    SYSVOBJ=signal.o

There are some dependencies in config.c for the variable SYSV, so make sure it is defined in your Makefile.config. I also ran into some trouble with the Solaris /usr/ccs/bin/make. I used GNU make. No trouble.
I do not bother with the defines for -Dgethostbyname=res_gethostbyname. I don't know why I see them in the Makefile.config.solaris that (I presume) came with my copy of the FWTK 2.1 tarball (or maybe I modified and renamed Makefile.config.sunos and forgot that I did it). Those are functions in the resolv+ library for SunOS 4.x, and do not apply to Solaris.

> -----Original Message-----
> From: owner-fwtk-users@ex.tis.com [mailto:owner-fwtk-users@ex.tis.com] On
> Behalf Of Jeff Yu
> Sent: Tuesday, February 09, 1999 1:42 PM
> To: fwtk ML
> Subject: compile 2.1 under solaris 2.6
>
> Hi folks,
> I have a lot of problems building 2.1 under Solaris 2.6.
> The machine is an Ultra 5 with Sun WorkShop Compiler C 4.2,
> Sun WorkShop Compiler C++ 4.2.
> I get a lot of errors when I try to compile ftwk/lib/config.c. Does
> anyone have any idea about it?
>
> Thanks a lot
>
> Jeff
>

From owner-fwtk-users@ex.tis.com Tue Aug 10 04:38 EDT 1999
Message-ID: <37AFCC6D.AFF51F6E@libertysurf.fr>
Date: Tue, 10 Aug 1999 08:53:33 +0200
From: Sebastien COTTALORDA
To: fwtk-users@lists.nai.com
Subject: How to get fwtk ?
Hi,

Excuse me for that stupid question, but when I send an e-mail to fwtk-request@tislabs.com with "accepted" in the body, I don't receive any answer. I need to use fwtk to make a firewall for my business but I haven't yet managed to get TIS.

Any help will be welcome.

Sebastien

From owner-fwtk-users@ex.tis.com Tue Aug 10 05:13 EDT 1999
From: "Alan Franklin"
Subject: How to use smap to stop external relay
Date: Tue, 10 Aug 1999 17:36:42 +1000
Message-ID: <1195E963FDB0D211905700105A2507200BC3BC@syd108.syd.arcsystems.com.au>

We have just discovered that our FWTK bastion is being used for a spam relay. The staff who built the system have moved on and are no longer available.
I have tried simply dropping a V2.0 release of smap and smapd in place; whilst it stopped the external relay, it also stopped mail going out 8-(. I have not yet been able to find out how or where I tell smap to accept mail from the internal mail server.

Any hints or pointers would be appreciated. I've got a nasty awk hack sitting on the firewall for now, but it is far from robust.

Alan Franklin                    SPATIALinfo Pty. Limited
Alan.Franklin@SPATIALinfo.com    101 Sussex St, Level 1
Ph: 61 2 9290 2400               Sydney, NSW, Australia, 2000
Direct: 61 2 9239 4629           FAX: 61 2 9261 3472
=============================================================

From owner-fwtk-users@ex.tis.com Tue Aug 10 07:54 EDT 1999
From: Spencer Marshall
To: "'alanf@spatialinfo.com'", fwtk-users@tis.com
Subject: RE: How to use smap to stop external relay
Date: Tue, 10 Aug 1999 10:33:59 +0100

As a fast and simple emergency plugin, edit netperm-table:

    smap: permit-hosts $ISP $INTERNAL_MAILHUB

to accept only incoming connections from your ISP's mail system and your internal mailhub. With my ISP at home, this prevents the hole from being exploited.
> -----Original Message-----
> From: Alan Franklin [mailto:alanf@spatialinfo.com]
> Sent: 10 August 1999 08:37
> To: fwtk-users@tis.com
> Subject: How to use smap to stop external relay
>
> We have just discovered that our FWTK bastion is being
> used for a spam relay. The staff who built the
> system have moved on and are no longer available.
>
> I have tried simply dropping a V2.0 release of smap and
> smapd in place; whilst it stopped the external relay,
> it also stopped mail going out 8-(. I have not yet
> been able to find out how or where I tell smap to
> accept mail from the internal mail server.
>
> Any hints or pointers would be appreciated. I've got a
> nasty awk hack sitting on the firewall for now, but it
> is far from robust.
>
> Alan Franklin                    SPATIALinfo Pty. Limited
> Alan.Franklin@SPATIALinfo.com    101 Sussex St, Level 1
> Ph: 61 2 9290 2400               Sydney, NSW, Australia, 2000
> Direct: 61 2 9239 4629           FAX: 61 2 9261 3472
> =============================================================
>

From owner-fwtk-users@ex.tis.com Tue Aug 10 07:54 EDT 1999
Message-ID: <37AFF6B6.C87EB2AF@libertysurf.fr>
Date: Tue, 10 Aug 1999 11:53:58 +0200
From: Sebastien COTTALORDA
To: ramas, fwtk-users@lists.nai.com
Subject: Re: How to get fwtk ?
References: <37AFCC6D.AFF51F6E@libertysurf.fr> <010801bee311$85ee78e0$0f1aa8c0@bgl.vsnl.net.in>

Thanks all for your help. I managed to get the latest TIS version. Someone gave me the path on ftp.tis.com where the toolkit was.

Thanks again to you all. I'm starting to install TIS.......

Sebastien

ramas wrote:

> I can give you the latest source from FWTK which I downloaded some days ago.
> Send me a mail and I will mail the same to you..
>
> regards,
> - ramas
>
> ----- Original Message -----
> From: Sebastien COTTALORDA
> To:
> Sent: 10 August 1999 12:23
> Subject: How to get fwtk ?
>
> > Hi,
> >
> > Excuse me for that stupid question, but when I send an e-mail to
> > fwtk-request@tislabs.com with "accepted" in the body, I don't receive any
> > answer. I need to use fwtk to make a firewall for my business but I
> > haven't yet managed to get TIS.
> >
> > Any help will be welcome.
> >
> > Sebastien

From owner-fwtk-users@ex.tis.com Tue Aug 10 08:13 EDT 1999
Message-ID: <37B0012F.821E82C@libertysurf.fr>
Date: Tue, 10 Aug 1999 12:38:39 +0200
From: Sebastien COTTALORDA
To: fwtk-users@lists.nai.com
Subject: Problem Compiling the 2.1

Hi,

I didn't manage to compile the auth module (see the log file). I have a Red Hat 5.2 with kernel 2.0.36.

I used to have gdbm problems because it was missing; I don't think that's the reason now, because in the past I used to get "gdbm not Found", and that is no longer the case. I've checked in the man pages the correct syntax when compiling --> -lgdbm, exactly the same as I have in the Makefile.

If anybody has a clue .....

Thanks in advance.
Sébastien

Content-Disposition: inline; filename="report"

    install: /usr/fwtk/auth
    make[1]: Entering directory `/usr/fwtk/auth'
    cc -g -static -o authsrv authsrv.o proto.o db.o pass.o srvio.o ../libauth.a ../libfwall.a -lgdbm
    pass.o: In function `passverify':
    /usr/fwtk/auth/pass.c:39: undefined reference to `crypt'
    pass.o: In function `passset':
    /usr/fwtk/auth/pass.c:70: undefined reference to `crypt'
    make[1]: *** [authsrv] Error 1
    make[1]: Leaving directory `/usr/fwtk/auth'

From owner-fwtk-users@ex.tis.com Tue Aug 10 08:13 EDT 1999
Date: Tue, 10 Aug 1999 20:41:03 +1000 (EST)
From: Pauline van Winsen
Message-ID: <199908101041.UAA18538@basil.uniq.com.au>
To: fwtk-users@tis.com, alanf@spatialinfo.com
Subject: Re: How to use smap to stop external relay

hi alex,

i can't provide a solution for smap. i stopped using smap/smapd a few years ago.
if you want a drop-in replacement for smap/smapd with very sophisticated anti-spam features, check out smtpd/smtpfwdd:

    http://www.obtuse.com/smtpd.html

it has a simple rules file which allows you to deny/permit mail based on src ip of the connecting host, to: and from: addresses or a combination of all three. if you're hosting lots of domains, you can opt-in/opt-out addresses based on the name server a domain is using. RBL support is available as a patch. it also has cute responses for those who like to connect directly to the SMTP port. 8-)

hope this helps,
pauline

> We have just discovered that our FWTK bastion is being
> used for a spam relay. The staff who built the
> system have moved on and are no longer available.
>
> I have tried simply dropping a V2.0 release of smap and
> smapd in place; whilst it stopped the external relay,
> it also stopped mail going out 8-(. I have not yet
> been able to find out how or where I tell smap to
> accept mail from the internal mail server.
>
> Any hints or pointers would be appreciated. I've got a
> nasty awk hack sitting on the firewall for now, but it
> is far from robust.
>
> Alan Franklin                    SPATIALinfo Pty. Limited
> Alan.Franklin@SPATIALinfo.com    101 Sussex St, Level 1
> Ph: 61 2 9290 2400               Sydney, NSW, Australia, 2000
> Direct: 61 2 9239 4629           FAX: 61 2 9261 3472
> =============================================================
>

From owner-fwtk-users@ex.tis.com Tue Aug 10 09:01 EDT 1999
Message-ID: <37B00C0D.31F3F7D1@comit.ch>
Date: Tue, 10 Aug 1999 13:25:01 +0200
From: "Sylvain Gitta"
To: fwtk-users@lists.nai.com
CC: sebastien.cottalorda1@libertysurf.fr
Subject: Re: Problem Compiling the 2.1
References: <37B0012F.821E82C@libertysurf.fr>

Salut Sebastien

I ran into the same problem. As stated in the FWTK FAQ available at:

    http://www.upo.es/fwtk/fwtk/faq/faq.html

Make sure that you add "-lcrypt" to the AUXLIB setting in Makefile.config.

Hope this helps

Sylvain

Sebastien COTTALORDA wrote:
>
> Hi,
>
> I didn't manage to compile the auth module (see the log file).
> I have a Red Hat 5.2 with kernel 2.0.36.
> I used to have gdbm problems because it was missing; I don't think that's
> the reason now because, in the past, I used to get "gdbm not Found", and
> that is no longer the case. I've checked in the man pages the
> correct syntax when compiling --> -lgdbm, exactly the same as I have
> in the Makefile.
>
> If anybody has a clue .....
>
> Thanks in advance.

From owner-fwtk-users@ex.tis.com Tue Aug 10 10:58 EDT 1999
Message-Id: <3.0.6.32.19990810141840.00c285d0@mail.lr.isla.pt>
Date: Tue, 10 Aug 1999 14:18:40 +0100
From: Nuno Guarda
Subject: Re: How to use smap to stop external relay
Cc: fwtk-users@tis.com
In-Reply-To: <1195E963FDB0D211905700105A2507200BC3BC@syd108.syd.arcsystems.com.au>

Alan:

Visit http://www.fwtk.org/fwtk/patches/patches.html#2.2.

> At 17:36 1999-08-10 +1000, you wrote:
> We have just discovered that our FWTK bastion is being
> used for a spam relay. The staff who built the
> system have moved on and are no longer available.
>
> I have tried simply dropping a V2.0 release of smap and
> smapd in place; whilst it stopped the external relay,
> it also stopped mail going out 8-(. I have not yet
> been able to find out how or where I tell smap to
> accept mail from the internal mail server.
>
> Any hints or pointers would be appreciated. I've got a
> nasty awk hack sitting on the firewall for now, but it
> is far from robust.
>

From owner-fwtk-users@ex.tis.com Wed Aug 11 12:37 EDT 1999
Message-ID: <37B18366.809D5CCA@libertysurf.fr>
Date: Wed, 11 Aug 1999 16:06:31 +0200
From: Sebastien COTTALORDA
To: fwtk-users@lists.nai.com
Subject: http-gw Problem with Internet Explorer 4.0

Hi,

I have a problem configuring IE 4.0 with my firewall. The message:

    ERROR 404
    Request Information
    /
    is unavailable
    Fail to connect server
    www.yahoo.fr (80)
    reason: hostname unknown

I've configured my netperm-table like this:

    http-gw: userid root
    http-gw directory /jail
    http-gw timeout 90
    http-gw www.libertysurf.fr
    http-gw hosts 1.0.0.* -log { read write ftp }

On my IE 4.0 I've configured the connection through the proxy with these parameters:

    Service   IP              Port
    HTTP      Firewall-Host   80
    FTP       Firewall-Host   80
    Gopher    Firewall-Host   80
    Secure    Firewall-Host   80
    SOCKS

I've configured the www.yahoo.fr site as the first page in IE 4.0.

Here is my /var/log/messages when I get the error 404:

    http-gw[701]: permit host=.../... use of gateway (V2.1)
    http-gw[701]: log host=.../... protocol=HTTP cmd=dir dest=www.yahoo.fr path=/
    http-gw[701]: failed to connect to server www.yahoo.fr (80)
    http-gw[701]: exit host=.../... cmds=1 in=0 out=0 user=unauth duration=0

I seem not to have a PPP connection. The problem is that I can connect to each www site with my Firewall (www.yahoo.fr is reachable during the ERROR 404).

Any help will be welcome.

Sébastien

From owner-fwtk-users@ex.tis.com Thu Aug 12 05:26 EDT 1999
Message-ID: <37B26FA6.6868D01@libertysurf.fr>
Date: Thu, 12 Aug 1999 08:54:30 +0200
From: Sébastien COTTALORDA
To: "Johann G. Hautzinger", fwtk-users@lists.nai.com
Subject: Re: http-gw Problem with Internet Explorer 4.0
References: <37B18366.809D5CCA@libertysurf.fr> <37B259DE.864567E1@eic.at>

Thanks Johann for your clue,

I'll check the problem in that direction. I didn't understand in fact why with my Firewall I can ping every www address and my DNS server, and I can't with a computer in the secured zone. I'll check the HTTP configuration one more time to find if I've missed something.

Sébastien

"Johann G. Hautzinger" wrote:
> Sebastien COTTALORDA wrote:
> >
> > Hi,
> >
> > I have a problem configuring IE 4.0 with my firewall.
> > The message:
> > ERROR 404
> > Request Information
> > /
> > is unavailable
> > Fail to connect server
> > www.yahoo.fr (80)
> > reason: hostname unknown
>   ^^^^^^^^^^^^^^^^^^^^^^^^
> you might have problems with your nameserver? just an idea ...
>
> greetz from vienna
>
> Hannes
>
> --
> Johann Georg Hautzinger           http://treasury.erstebank.at
> Erste Bank AG - OE 0423 - Orga./Entw. Treasury u. Orga.Wertpapier
> Boersegasse 14                    Tel.: 531 00 1907
> 1010 Wien                         email: trema@eic.at

From owner-fwtk-users@ex.tis.com Thu Aug 12 07:30 EDT 1999
Message-ID: <37B298BA.13806F47@libertysurf.fr>
Date: Thu, 12 Aug 1999 11:49:46 +0200
From: Sebastien COTTALORDA
To: yvo.volders@usa.net, fwtk-users@lists.nai.com
Subject: FIXED : http-gw Problem with Internet Explorer 4.0
References: <19990812091751.5450.qmail@nw178.netaddress.usa.net>
Hi,

I've fixed the problem by adding more timeout to http-gw (from 90 to 3600) and deleting the two lines:

http-gw: userid root
http-gw: directory /jail

Now it works.
Thanks to all who helped me to fix this problem.

Sébastien

yvo.volders@usa.net wrote:

> Sebastien,
>
> Can you try connecting a site by its ip-number, and not using the URL?
> So try http://207.46.130.150. This is the www.microsoft.com site. If this
> succeeds, we can look at the DNS configuration somewhere. If it doesn't
> succeed, something is wrong with the firewall. This way, we can eliminate
> parts of the connection.
>
> As I also use win-clients, and a Linux server, I have set up the linux as a
> DNS-server. I don't use the DNS of my ISP. I had the same problem as you
> did. My firewall wouldn't forward the DNS requests, or the result didn't come
> back. Setting the Linux as a DNS resolved the problem. Now my Linux caches
> DNS-information.
>
> Greetings,
>
> Sébastien COTTALORDA wrote:
> Hi Yvo,
>
> I don't think it's the case because the DNS is required during the connection when
> you connect directly to Internet not with a Firewall.
> In IE 4.0, you just specify that HTTP, FTP, Gopher, ... need to be sent to a
> Firewall which IP address xxxx.xxxx.xxxx.xxxx on port 80 or another one (The
> connection between your network and your ISP is yet done with your Firewall)
> I think that is the Firewall that needs to route any client requests toward the DNS
> (I've declared in /etc/resolv.conf the two DNS of my ISP).
> The strange thing is at any time during my connection, I can ping the DNS, any ftp
> site any www sites. I don't understand why I get this ......Biiiiiip...... 404
> ERROR.
> I've read the FAQ (that talks about that problem): according to them it may be a DNS
> missing in resolv.conf (I don't think it's the case for me) or a chroot problem
> with the http-gw directory because I've set in my netperm-table :
> http-gw directory /jail
> and done a chmod 700 with root user for /jail.
>
> I don't know what to do ......
> If I remove this line, I get the same message.
>
> Sébastien
>
> yvo.volders@usa.net wrote:
>
> > I think the DNS-server at the computers in the secure zone is not set. Look at
> > the network settings, if the list of DNS-servers is set properly. Let me know
> > if you need more help.
> >
> > Greetings
> >
> > Yvo Volders
> >
> > Sébastien COTTALORDA wrote:
> >
> > Thanks Johann for your clue,
> > I'll check the problem in that direction.
> > I didn't understand in fact why with my Firewall I can ping every www address and
> > my DNS server, and I can't with a computer in the secured zone.
> > I'll check the HTTP configuration one more time to find if I've missed
> > something.
> >
> > Sébastien
> >
> > "Johann G. Hautzinger" wrote:
> >
> > > Sebastien COTTALORDA wrote:
> > > >
> > > > Hi,
> > > >
> > > > I've a problem configuring IE 4.0 with my firewall.
> > > > The message :
> > > > ERROR 404
> > > > Request Information
> > > > /
> > > > is unavailable
> > > > Fail to connect server
> > > > www.yahoo.fr (80)
> > > > reason: hostname unknown
> > > ^^^^^^^^^^^^^^^^^^^^^^^^
> > > you might have problems with your nameserver? just an idea ...
> > >
> > > greetz from vienna
> > >
> > > Hannes
> > >
> > > --
> > > Johann Georg Hautzinger http://treasury.erstebank.at
> > > Erste Bank AG - OE 0423 - Orga./Entw. Treasury u.
> > > Orga.Wertpapier
> > > Boersegasse 14 Tel.: 531 00 1907
> > > 1010 Wien email: trema@eic.at

From owner-fwtk-users@ex.tis.com Sun Aug 15 23:55 EDT 1999
Date: Mon, 16 Aug 1999 11:24:58 +1000
From: Greg Omond
To: "'FWTK News'"

Does anyone know of a HTML or perl GUI for the netperm-table.

As our Firewall admin is a windoze user and can't use UNIX.

Thanx.

Gregory Omond
Skilled Engineering LTD.
850 Whitehorse Road
Box Hill, 3128
Ph: (03) 9924 2471
Fax: (03) 9924 2422
Mobile:(040) 710 1739
Ah: (03) 9710 1738
Ah Fax:(03) 9710 1728

From owner-fwtk-users@ex.tis.com Mon Aug 16 03:54 EDT 1999
Date: Mon, 16 Aug 1999 16:13:54 +1000
From: David Goh
Reply-To: david@unico.com.au
To: "'FWTK News'"
Subject: Re: your mail

gomond@skilled.com.au (Greg Omond) wrote:
> Does anyone know of a HTML or perl GUI for the netperm-table.

Uhh... *what*? *blink* No, there aren't any. I suppose some people *might* have rolled their own... but I think they would count as people that don't know anything about firewalls, and why putting a webserver with cgi scripts that must run as the fwtk user or setuid root *on the firewall* would be a *really* bad idea.

> As our Firewall admin is a windoze user and can't use UNIX.

I suggest you get a competent firewall admin... ie, someone that knows what they're doing with a firewall.
I find it hard to believe that someone that finds it difficult to edit the netperm-table by hand can manage a firewall.

Later,

david
--
| david@unico.com.au (David Goh, Unico Computer Systems, +61-3-9866-5688)
"Perl already has _bless_, and we know what it does... [it] should also have _smite_, and we know what it should do, too. If more languages had _smite_ implemented, the remaining programmers would be better than the current average."
-- Mike Andrews in the scary.devil.monastery

From owner-fwtk-users@ex.tis.com Mon Aug 16 07:54 EDT 1999
Date: Mon, 16 Aug 1999 11:10:46 +0100
From: Spencer Marshall
To: "'david@unico.com.au'", "'FWTK News'"
Subject: RE: your mail

I suggest you buy your "firewall admin" the O'Reilly book Building Firewalls, as it could be cheaper than replacing him/her!

On a separate subject. I would like to set up ssh from multiple hosts inside (mil) to multiple hosts outside (the big bad internet). Does anyone have any recommendations please? We do not trust users on either the mil or internet domains! Hey, if you really trusted your users, they would have accounts on the firewall!!
Cheers,

Spencer

> -----Original Message-----
> From: David Goh [mailto:david@unico.com.au]
> Sent: 16 August 1999 07:14
> To: 'FWTK News'
> Subject: Re: your mail
>
> gomond@skilled.com.au (Greg Omond) wrote:
> > Does anyone know of a HTML or perl GUI for the netperm-table.
>
> Uhh... *what*? *blink* No, there aren't any. I suppose some people
> *might* have rolled their own... but I think they would count as
> people that don't know anything about firewalls, and why putting a
> webserver with cgi scripts that must run as the fwtk user or setuid
> root *on the firewall* would be a *really* bad idea.
>
> > As our Firewall admin is a windoze user and can't use UNIX.
>
> I suggest you get a competent firewall admin... ie, someone that knows
> what they're doing with a firewall. I find it hard to believe that
> someone that finds it difficult to edit the netperm-table by hand can
> manage a firewall.
>
> Later,
>
> david
>
> --
> | david@unico.com.au (David Goh, Unico Computer Systems, +61-3-9866-5688)
> "Perl already has _bless_, and we know what it does... [it] should also
> have _smite_, and we know what it should do, too. If more languages had
> _smite_ implemented, the remaining programmers would be better than the
> current average."
> -- Mike Andrews in the scary.devil.monastery
>

From owner-fwtk-users@ex.tis.com Mon Aug 16 09:52 EDT 1999
Date: Mon, 16 Aug 1999 08:14:22 -0400
From: Jeffrey Fulmer
To: fwtk-users@ex.tis.com
Subject: Re: your mail

The netperm-table is a text file. He could copy the file to a floppy, edit it in Word, then copy it back.

But I would REALLY recommend that your administrator choose a Windows based product; if he doesn't know UNIX, then how will he know if the UNIX based firewall has been compromised? Would he be able to detect security breaches? Will he know what to do in the event of a security breach? The answer to these questions is a resounding NO. If he can't edit a simple text file in UNIX, then he has NO business administering a UNIX based firewall. You might as well not bother with security, because without the proper personnel, you have none.

Greg Omond wrote:
>
> Does anyone know of a HTML or perl GUI for the netperm-table.
>
> As our Firewall admin is a windoze user and can't use UNIX.
>
> Thanx.
>
> Gregory Omond
> Skilled Engineering LTD.
> 850 Whitehorse Road
> Box Hill, 3128
> Ph: (03) 9924 2471
> Fax: (03) 9924 2422
> Mobile:(040) 710 1739
> Ah: (03) 9710 1738
> Ah Fax:(03) 9710 1728

From owner-fwtk-users@ex.tis.com Mon Aug 16 09:57 EDT 1999
Date: Mon, 16 Aug 1999 13:25:13 +0100
From: Wallace Nicoll
Reply-To: wallace@cityedin.demon.co.uk
Organization: City of Edinburgh Council IT Services
To: fwtk-users@tis.com
Subject: Re: your mail

Spencer Marshall wrote:
> I suggest you buy your "firewall admin" the O'Reilly book Building
> Firewalls, as it could be cheaper than replacing him/her!

or "Internet Firewalls and Network Security" on New Riders Press by Chris Hare and Karanjit Siyan. The Second Edition of this book features FWTK as one of the firewall products they spend some time explaining and configuring.

W.
--
======================================================================
Wallace Nicoll                  wallace@cityedin.demon.co.uk
City of Edinburgh Council IT Services, Chesser House, 500 Gorgie Road,
Edinburgh, EH11 3YJ, Scotland
Phone : 0131 469 5343   Fax : 0131 469 5335
[From overseas [P]+441314695343 [F]+441314695335 ]
======================================================================

From owner-fwtk-users@ex.tis.com Mon Aug 16 11:10 EDT 1999
Date: Mon, 16 Aug 1999 08:32:12 -0500
From: "Lidgate, Chris A"
To: "'fwtk-users@lists.nai.com'"
Subject: MS SQL server and fwtk

Hi

I know from reading the FAQ that there *were* problems trying to plug-gw MS SQL server across a fwtk firewall, but the FAQ does sorta hold out hope that it might work one day.

Did anyone ever get this to work, and if so how. Any help greatly appreciated ....

Chris Lidgate.
Texaco Ltd.
From owner-fwtk-users@ex.tis.com Mon Aug 16 11:20 EDT 1999
Date: Mon, 16 Aug 1999 14:34:29 +0100 (BST)
From: Tony Gale
To: Mattias Sandström
Cc: fwtk-users@ex.tis.com
Subject: Re:FWTK + RH Linux 6.0 + Netscape = No good?

Just went back to look at this problem again, and have concluded that this *is* a bug in FWTK, well kind of :-)

Actually, the root of the problem is that the HTTP RFC's don't specify whether POST data should be CRLF terminated or not. Netscape thinks it should, and FWTK thinks it shouldn't (haven't checked IE yet).

As the FWTK leaves the CRLF in the socket receive buffer (i.e. the kernel), when it closes the connection the kernel (correctly) sends a reset to the client (i.e. Netscape). Basically, this is required as TCP is a reliable protocol, so it has to inform the client that not all of the data it sent was received by the server.

It's not a one line fix unfortunately. As I'm feeling ill I'm going back to bed now. Assuming I feel better, I'll try and get a fix out in the next couple of days.
As a side note, at least one version of Apache also seems to have the same (or similar) problem.

-tony

On 20-Jul-99 Mattias Sandström wrote:
> Hi Tony,
> thanks for the feedback on this. It seems that it will be a
> somewhat hard nut to crack. What really bothers me is the fact that
> our favorite browser *g* has stopped working and I am forced to use
> an alternative (M$'s), the real bother is that I am forced to say
> this publicly to the users at our site... Could SOCKS be an
> alternative to http-gw? Suggestions or tips? I sure like the FWTK
> idea of several small components better, but if SOCKS works, then,
> well....
> /Mattias
> --
> Mattias Sandstrom - R&D, LAN/WAN Manager Micronic Laser Systems,
> Taeby - SWEDEN
> Mail: msa@micronic.se Phone: +46 8 638 52 00/Ext. 5265
> PGP ID#: 0xBC6C449A or http://www.micronic.se/~msa/pgpkey.html
>
>
> On Tuesday 20 July 1999, Tony Gale wrote:
>>
>>On 20-Jul-99 Mattias Sandström wrote:
>>>
>>> Finally managed to get the RH 6.0 kernel in shape and installed
>>> FWTK 2.1 and the patches on the box. (I have left one fw at RH 5.1
>>> for reference.) Yesterday some of my colleagues here in the office
>>> came around and started to complain that the Internet connection
>>> was broken and that they could not connect to certain sites. I
>>> checked with my iCab browser and had no problems in connecting to
>>> these sites. After some investigation, I isolated the problem to:
>>>
>>>>> RH6.0 + FWTK 2.1 <<<
>>> * Using Netscape 3.0 (Mac/PC/Linux) I can not establish
>>> connection to some sites using "Submit" buttons, for example to
>>> login. After hitting submit I get the message "Connection reset by
>>> peer" or "Socket not connected".
>>> * Using iCab, p1.6a (Mac), I can connect.
>>> * Using M$ IE 4.5 and 5.0 (Mac/PC/Solaris) I can connect to these
>>> sites.
>>>
>>>>> RH5.1 + FWTK 2.1 <<<
>>> All browsers can connect to all sites...
>>>
>
>>This is due to the change between Linux 2.0 and 2.2 kernels. In 2.2
>>they (correctly) send a connection reset when the connection is
>>closed before all the data has been read from the socket.
>>
>>This is frustrating me as it implies a client bug, but I'm not
>>convinced, as it happens with different browsers. It could be a FWTK
>>bug or a kernel bug.
>>
>>As you can tell, I haven't gotten far in tracking this down. It
>>mainly occurs on posting forms (doing a search on www.cdnow.com for
>>example).
>>
>>A FWTK bug seems favourite at the present time.
>>
>>-tony
>>
>>
>>---
>>E-Mail: Tony Gale
>>It is not good for a man to be without knowledge,
>>and he who makes haste with his feet misses his way.
>> -- Proverbs 19:2
>>
>>The views expressed above are entirely those of the writer
>>and do not represent the views, policy or understanding of
>>any other person or official body.
>>
>>

---
E-Mail: Tony Gale
petribar: Any sun-bleached prehistoric candy that has been sitting in the window of a vending machine too long.
-- Rich Hall, "Sniglets"

The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.
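Tony's description above (the proxy leaves Netscape's trailing CRLF unread in the socket receive buffer, so the kernel answers the proxy's close() with a reset) is easy to reproduce and to handle in a few lines. The following is an added example, not FWTK code and not Tony's patch: read_body() consumes exactly the declared Content-Length, and drain_trailing_crlf() then removes a bare CRLF, but only when those two bytes are the only unread data, using FIONREAD and MSG_PEEK (my choice of technique); demo_post() runs the pair over a socketpair standing in for the client connection, with constructed request bodies.

```c
/* Added example, not FWTK code: read a Content-Length-delimited POST body,
 * then consume a stray trailing CRLF so that nothing is left unread when
 * the proxy closes the client socket.  Unread data at close() makes the
 * kernel send a TCP RST, which the browser reports as
 * "Connection reset by peer". */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Read exactly `len` bytes (the declared Content-Length) into `buf`.
 * Returns the number of bytes read; fewer than `len` means the peer
 * closed early, -1 means a read error. */
ssize_t read_body(int fd, char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n == 0)
            break;                       /* EOF: short body */
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* If exactly two unread bytes remain and they are "\r\n", consume them.
 * Any other amount of pending data is left alone: it is not the client
 * terminator this works around and must not be swallowed.
 * Returns 1 if a CRLF was drained, 0 if nothing was drained, -1 on error. */
int drain_trailing_crlf(int fd)
{
    int pending = 0;
    char peek[2];

    if (ioctl(fd, FIONREAD, &pending) != 0)
        return -1;
    if (pending != 2)
        return 0;
    if (recv(fd, peek, sizeof peek, MSG_PEEK) != 2)
        return -1;
    if (peek[0] != '\r' || peek[1] != '\n')
        return 0;
    return read(fd, peek, sizeof peek) == 2 ? 1 : -1;
}

/* Self-contained demonstration over a socketpair.  `payload` is a
 * constructed POST body exactly as the client sent it; `content_length`
 * is what its Content-Length header declared.  On return *leftover holds
 * the number of bytes still unread on the proxy side, i.e. what a close()
 * would now reset on.  Returns drain_trailing_crlf()'s result when the
 * full body was read, -2 on a short body, -1 on setup failure. */
int demo_post(const char *payload, size_t content_length, int *leftover)
{
    int sv[2];
    char body[256];
    ssize_t n;
    int drained;

    if (content_length > sizeof body)
        return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    /* "client" side sends the whole request body and is done sending */
    if (write(sv[0], payload, strlen(payload)) != (ssize_t)strlen(payload)) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    shutdown(sv[0], SHUT_WR);
    /* "proxy" side reads the declared body, then tidies the buffer */
    n = read_body(sv[1], body, content_length);
    drained = (n == (ssize_t)content_length) ? drain_trailing_crlf(sv[1]) : -2;
    if (ioctl(sv[1], FIONREAD, leftover) != 0)
        *leftover = -1;
    close(sv[0]);
    close(sv[1]);
    return drained;
}
```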
From owner-fwtk-users@ex.tis.com Mon Aug 16 13:49 EDT 1999
Date: Mon, 16 Aug 1999 12:05:40 -0400
From: "Jim Ferguson"
Organization: Computer Systems Technology Inc.
To: "Greg Omond", "'FWTK News'"
Subject: Re: Your Mail

The TIS Gauntlet firewall product (a spin-off of fwtk) has a nice gui that does all the files involved in the firewall such as the netperm-table, named files, netstart, etc. tailor made for the WinDoze Administrator but you will pay for it.
From owner-fwtk-users@ex.tis.com Tue Aug 17 00:33 EDT 1999
Date: Mon, 16 Aug 1999 22:11:43 -0400
From: Rick Murphy
To: Tony Gale, Mattias Sandström
Cc: fwtk-users@ex.tis.com
Subject: Re:FWTK + RH Linux 6.0 + Netscape = No good?

At 02:34 PM 8/16/99 +0100, Tony Gale wrote:
>Actually, the root of the problem is that the HTTP RFC's don't specify
>whether POST data should be CRLF terminated or not. Netscape thinks
>it should, and FWTK thinks it shouldn't (haven't checked IE yet).

Nope, it's not ambiguous. "Content-Length" defines the length of the content, period. If the extra CRLF aren't accounted for in the Content-Length, they shouldn't be sent or expected.
Gauntlet had a hack to work around this Netscape bug - 'http-gw: send-broken-post-requests true' IIRC :-)

-Rick

From owner-fwtk-users@ex.tis.com Tue Aug 17 06:48 EDT 1999
Date: Tue, 17 Aug 1999 10:05:02 +0100 (BST)
From: Tony Gale
To: Mario Cosenza
Cc: fwtk-users@ex.tis.com, Mattias Sandström
Subject: [PATCH] POSTs (was Re:FWTK + RH Linux 6.0 + Netscape = No good?)

Here's a patch for the 'Connection reset by peer' problem. This should be pretty safe and should also be pretty portable. I've only tested it on Linux though.

Rick: I re-read the RFC, and you are correct, this is a Netscape bug.

As usual, you get no warranty, guarantee or anything else with this patch; use at your own risk. I don't claim it is fit for any purpose whatsoever.

Have fun,

-tony

---
E-Mail: Tony Gale
Innovation is hard to schedule.
-- Dan Fylstra

The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.

Content-Disposition: attachment; filename="fwtk-ns-post.patch"
Content-Transfer-Encoding: base64
Content-Description: fwtk-ns-post.patch
Content-Type: application/octet-stream; name=fwtk-ns-post.patch; SizeOnDisk=612

[base64-encoded attachment body omitted]

From owner-fwtk-users@ex.tis.com Tue Aug 17 16:45 EDT 1999
Date: Tue, 17 Aug 1999 11:58:51 -0700 (PDT)
From: Eugene Chupkin
To: fwtk-users@ex.tis.com
Subject: plug-gw with www proxy

Hi,

I configured my fwtk 2.1 on Redhat Linux 2.0.36 and I have a problem with plug-gw.. I get a deny message in messages file.

Aug 17 11:01:20 gatekeeper plug-gw[21110]: deny host=unknown/216.216.1.11 service=www
Aug 17 11:02:14 gatekeeper plug-gw[21112]: ATHM-216-216-xxx-11.home.net/216.216.1.11 host name lookup failed
Aug 17 11:02:14 gatekeeper plug-gw[21112]: deny host=unknown/216.216.1.11 service=www

like so... What am I doing wrong?

Here is my /etc/services

http 80/tcp
www 80/tcp

my /etc/inetd.conf

www stream tcp nowait root /usr/local/etc/plug-gw plug-gw www -as www

my netperm-table

plug-gw: port www * -plug-to 192.168.1.5 -port www

Am I missing anything? I checked the FAQ and this looks right, what am I doing wrong?

P.S. Can I disable dns lookups in the logs?

From owner-fwtk-users@ex.tis.com Wed Aug 18 04:39 EDT 1999
Date: Wed, 18 Aug 1999 14:16:52 +0800
From: Garfield
Reply-To: Garfield
To: fwtk-users@ex.tis.com
Subject: Re: plug-gw with www proxy

Hi, all,

I have one question to bother you all:
How can I log where the user inside the intranet has connected? For example, when one of the users inside the intranet wants to connect to www.yahoo.com through my firewall/proxy, could I log where they want to browse or ftp?
Thanx in advance!

Best regards,
Garfield mailto:chd1998@netease.com

From owner-fwtk-users@ex.tis.com Wed Aug 18 11:02 EDT 1999
Date: Wed, 18 Aug 1999 09:15:58 -0400 (EDT)
From: Ted Keller
To: Spencer Marshall
cc: "'david@unico.com.au'", "'FWTK News'"
Subject: RE: your mail

Spencer,

If your list of external sites that you want to ssh to is small, you can assign each site a separate port number - and use plug-gw to map to the remote site.
I haven't seen an effective general use proxy for ssh.

ted keller - bfg.com

On Mon, 16 Aug 1999, Spencer Marshall wrote:

>
> I suggest you buy your "firewall admin" the O'Reilly book Building
> Firewalls, as it could be cheaper than replacing him/her!
>
> On a separate subject. I would like to set up ssh from multiple hosts
> inside (mil) to multiple hosts outside (the big bad internet) Does anyone
> have any recommendations please? We do not trust users on either the mil or
> internet domains! Hey, if you really trusted your users, they would have
> accounts on the firewall!!
>
> Cheers,
>
> Spencer
>
> > -----Original Message-----
> > From: David Goh [mailto:david@unico.com.au]
> > Sent: 16 August 1999 07:14
> > To: 'FWTK News'
> > Subject: Re: your mail
> >
> > gomond@skilled.com.au (Greg Omond) wrote:
> > > Does anyone know of a HTML or perl GUI for the netperm-table.
> >
> > Uhh... *what*? *blink* No, there aren't any. I suppose some people
> > *might* have rolled their own... but I think they would count as
> > people that don't know anything about firewalls, and why putting a
> > webserver with cgi scripts that must run as the fwtk user or setuid
> > root *on the firewall* would be a *really* bad idea.
> >
> > > As our Firewall admin is a windoze user and can't use UNIX.
> >
> > I suggest you get a competent firewall admin... ie, someone that knows
> > what they're doing with a firewall. I find it hard to believe that
> > someone that finds it difficult to edit the netperm-table by hand can
> > manage a firewall.
> > > > Later, > > > > david > > > > -- > > | david@unico.com.au (David Goh, Unico Computer Systems, > > +61-3-9866-5688) > > "Perl already has _bless_, and we know what it does... [it] > > should also > > have _smite_, and we know what it should do, too. If more > > languages had > > _smite_ implemented, the remaining programmers would be > > better than the > > current average." -- Mike Andrews in the scary.devil.monastery > > > From owner-fwtk-users@ex.tis.com Wed Aug 18 12:04 EDT 1999 Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id MAA22614 Wed, 18 Aug 1999 12:03:47 -0400 (EDT) Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id JAA06111; Wed, 18 Aug 1999 09:03:11 -0700 (PDT) Received: by ex.tis.com (bulk_mailer v1.11); Wed, 18 Aug 1999 07:27:22 -0700 Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id HAA04182 for fwtk-users-outgoing; Wed, 18 Aug 1999 07:27:01 -0700 (PDT) Date: Wed, 18 Aug 1999 10:25:30 -0400 (EDT) From: Ted Keller To: Garfield cc: fwtk-users@ex.tis.com Subject: Re: plug-gw with www proxy In-Reply-To: <11595.990818@netease.com> Message-ID: MIME-Version: 1.0 Sender: owner-fwtk-users@lists.tislabs.com Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Length: 889 [To be removed from this list send the message "unsubscribe fwtk-users" in the BODY of a mail message to majordomo@ex.tis.com.] Garfield, You may want to front-end your firewall with an actual web proxy server. Take a look at www.apache.org or the squid proxy and see if those products do what you want. ted keller On Wed, 18 Aug 1999, Garfield wrote: > [To be removed from this list send the message "unsubscribe fwtk-users" in the > BODY of a mail message to majordomo@ex.tis.com.] > > Hi, all, > > I have one question to bother you all: > How can I log where the user inside the intranet has connected? 
For > example, when one of user inside the intranet want to connect to > www.yahoo.com through my firewall/proxy, could I log where they want > to browse or ftp? > Thanx in advance! > > Best regards, > Garfield mailto:chd1998@netease.com > > From owner-fwtk-users@ex.tis.com Wed Aug 18 15:16 EDT 1999 Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id PAA23310 Wed, 18 Aug 1999 15:16:29 -0400 (EDT) Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id MAA08776; Wed, 18 Aug 1999 12:15:51 -0700 (PDT) Received: by ex.tis.com (bulk_mailer v1.11); Wed, 18 Aug 1999 10:37:51 -0700 Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id KAA07611 for fwtk-users-outgoing; Wed, 18 Aug 1999 10:37:25 -0700 (PDT) Message-Id: <199908181737.NAA26367@fw1-a.osis.gov> From: Joseph S D Yao Subject: Re: plug-gw with www proxy To: keller@bfg.com (Ted Keller) Date: Wed, 18 Aug 1999 13:37:00 -0400 (EDT) Cc: chd1998@netease.com, fwtk-users@ex.tis.com In-Reply-To: from "Ted Keller" at Aug 18, 99 10:25:30 am X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: owner-fwtk-users@lists.tislabs.com Content-Type: text/plain; charset=US-ASCII Content-Length: 1654 [To be removed from this list send the message "unsubscribe fwtk-users" in the BODY of a mail message to majordomo@ex.tis.com.] > You may want to front-end your firewall with an actual web proxy server. > Take a look at www.apache.org or the squid proxy and see if those products > do what you want. > > ted keller > > On Wed, 18 Aug 1999, Garfield wrote: ... > > I have one question to bother you all: > > How can I log where the user inside the intranet has connected? For > > example, when one of user inside the intranet want to connect to > > www.yahoo.com through my firewall/proxy, could I log where they want > > to browse or ftp? > > Thanx in advance! 
> > > > Best regards, > > Garfield mailto:chd1998@netease.com ISTM that he just wants to log accesses through the firewall, and for that the logs kept by http-gw should suffice. If he wants to log accesses elsewhere within the intranet, then he will need a Web proxy within his LAN that is the only IP address allowed out to port 80 at other parts of the intranet. All accesses would then have to go through the internal Web proxy; and that could then proxy through the firewall ... Why am I making this so complicated? Make http-gw the proxy for ALL Web accesses [a null Exceptions list], and the only internal address allowed to access internal Web sites. Then all internal AND external Web accesses will be logged by http-gw. -- Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao COSPO/OSIS Computer Support EMT-B ----------------------------------------------------------------------- This message is not an official statement of COSPO policies. From owner-fwtk-users@ex.tis.com Wed Aug 18 21:00 EDT 1999 Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id VAA24215 Wed, 18 Aug 1999 21:00:23 -0400 (EDT) Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id RAA11817; Wed, 18 Aug 1999 17:59:52 -0700 (PDT) Received: by ex.tis.com (bulk_mailer v1.11); Wed, 18 Aug 1999 16:16:00 -0700 Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id QAA10310 for fwtk-users-outgoing; Wed, 18 Aug 1999 16:15:44 -0700 (PDT) Message-ID: <37BB3E9F.1D6B8E@MediaOne.Net> Date: Wed, 18 Aug 1999 19:15:43 -0400 From: Mario Cosenza X-Mailer: Mozilla 4.61 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: fwtk-users@ex.tis.com Subject: Forwarding HTTP to an internal web server? 
Content-Transfer-Encoding: 7bit
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset=us-ascii
Content-Length: 931

I would like to use http-gw to forward external http requests to an internal web server. I would do this by adding the following line to my netperm-table.

http-gw: forward * -protocol http -tohost :80

But I understand that http-gw was not designed for this. There are issues with the CONNECT support in http-gw that could allow a 'bad guy' to telnet past your firewall and into your (relatively unprotected) web server.

So My Questions Are...

Can anybody explain this better?
How do I test for the CONNECT 'hole' in http-gw?
How do I remove it? (Is there a patch?)
If I remove it, will I be secure? (i.e. Is this the only issue with forwarding?)
If I remove it, will I be losing functionality from normal use? (Local -> Proxy -> Internet access)

Thanks,

Mario Cosenza

From owner-fwtk-users@ex.tis.com Wed Aug 18 22:28 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id WAA24386 Wed, 18 Aug 1999 22:28:32 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id TAA14492; Wed, 18 Aug 1999 19:28:04 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Wed, 18 Aug 1999 17:52:47 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id RAA11577 for fwtk-users-outgoing; Wed, 18 Aug 1999 17:52:31 -0700 (PDT)
Reply-To:
From: "Alan Franklin"
To:
Subject: PC Anywhere and FWTK
Date: Thu, 19 Aug 1999 10:49:25 +1000
Message-ID: <1195E963FDB0D211905700105A2507200BC3FF@syd108.syd.arcsystems.com.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset="iso-8859-1"
Content-Length: 622

Has anyone set up fwtk to pass through the PC-Anywhere traffic? I'm trying to work out if I can do remote control of a remote NT system going out via our fwtk internet connection.

Thanks in advance.

Alan Franklin
SPATIALinfo Pty. Limited
Alan.Franklin@SPATIALinfo.com
101 Sussex St, Level 1, Sydney, NSW, Australia, 2000
Ph: 61 2 9290 2400
Direct: 61 2 9239 4629
FAX: 61 2 9261 3472
=============================================================

From owner-fwtk-users@ex.tis.com Thu Aug 19 00:37 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id AAA24504 Thu, 19 Aug 1999 00:37:18 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id VAA17754; Wed, 18 Aug 1999 21:37:01 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Wed, 18 Aug 1999 19:57:55 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id TAA15084 for fwtk-users-outgoing; Wed, 18 Aug 1999 19:57:35 -0700 (PDT)
Date: Wed, 18 Aug 1999 22:56:20 -0400 (EDT)
From: Ted Keller
To: Alan Franklin
cc: fwtk-users@ex.tis.com
Subject: Re: PC Anywhere and FWTK
In-Reply-To: <1195E963FDB0D211905700105A2507200BC3FF@syd108.syd.arcsystems.com.au>
Message-ID:
MIME-Version: 1.0
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Length: 2587

Alan,

Attached are a couple of old messages where others have solved this problem....

ted keller

>From wlang@isis.wu-wien.ac.at Wed Aug 18 22:55:28 1999
Date: Sat, 6 Feb 1999 00:04:07 +0100 (CET)
From: Willi Langenberger
Reply-To: Willi.Langenberger@wu-wien.ac.at
To: fwtk-users@tis.com
Subject: Re: PCanywhere

According to Michael Menefee:
> Does anybody know what PCAnywhere uses?

PCAnywhere uses UDP Port 5632 and TCP Port 5631. However, you can disable the UDP Communication in the Registry: Create a DWORD with name TCPIPConnectIfUnknown in HKLM\Software\Symantec\pcANYWHERE\CurrentVersion\System\ and set it to 1. (This can result in PCA showing a black screen, if the host is in use.)

The TCP Connection should be no Problem for FWTK. Set something like

plug-gw: port 5632 remote-ip -plug-to host-ip -port 5632

in your netperm-table.

\wlang{}
--
Willi.Langenberger@wu-wien.ac.at Fax: +43/1/31336/702
Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria

>From alan@wj.com Wed Aug 18 22:55:40 1999
Date: Mon, 5 Apr 1999 13:55:51 -0700
From: Alan Strassberg
To: fwtk-users@tislabs.com
Subject: PCAnywhere using plug-gw

Hi,

Trying to get PCAnywhere working using plug-gw ....

plug-gw: port pca A.B.C.D -plug-to W.X.Y.Z -port pca
plug-gw: port pca2 A.B.C.D -plug-to W.X.Y.Z -port pca2

where pca is port 5631 and pca2 is 5632. Anyone care to share a working config?

alan

On Thu, 19 Aug 1999, Alan Franklin wrote:
> Has anyone set up fwtk to pass through the PC-Anywhere
> traffic ?
>
> I'm trying to work out if I can do remote control
> of a remote NT system going out via our fwtk
> internet connection.
>
> Thanks in advance.
>
> Alan Franklin SPATIALinfo Pty. Limited
> Alan.Franklin@SPATIALinfo.com 101 Sussex St, Level 1
> Ph: 61 2 9290 2400 Sydney, NSW, Australia, 2000
> Direct: 61 2 9239 4629 FAX: 61 2 9261 3472
> =============================================================
>

From owner-fwtk-users@ex.tis.com Thu Aug 19 05:15 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id FAA25341 Thu, 19 Aug 1999 05:15:48 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id CAA22996; Thu, 19 Aug 1999 02:15:32 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Thu, 19 Aug 1999 00:01:01 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id AAA20438 for fwtk-users-outgoing; Thu, 19 Aug 1999 00:00:40 -0700 (PDT)
Message-ID: <030601beea10$db3f07f0$0102a8c0@racer.benzacar.com>
From: "Eric Benzacar"
To: "Mario Cosenza" ,
Subject: Re: Forwarding HTTP to an internal web server?
Date: Thu, 19 Aug 1999 03:02:48 -0400
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3612.1700
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3612.1700
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset="iso-8859-1"
Content-Length: 1601

I didn't even know the "forward" key word existed.... What does it do? How does it work?

Why don't you use the following line in netperm-table:

http-gw: permit-hosts * -httpd -deny { write ftp wais exec }

Does that not accomplish the same as "forward"?

Eric

-----Original Message-----
From: Mario Cosenza
To: fwtk-users@ex.tis.com
Date: Wednesday, August 18, 1999 9:49 PM
Subject: Forwarding HTTP to an internal web server?

>I would like to use http-gw to forward external http requests to an
>internal web server.
>
>I would do this by adding the following line to my netperm-table.
>http-gw: forward * -protocol http -tohost :80
>
>But I understand that http-gw was not designed for this. There are
>issues with the CONNECT support in http-gw that could allow a 'bad guy'
>to telnet past your firewall and into your (relatively unprotected) web
>server.
>
>So My Questions Are...
>
>Can anybody explain this better?
>How do I test for the CONNECT 'hole' in http-gw?
>How do I remove it? (Is there a patch?)
>If I remove it, will I be secure? (i.e. Is this the only issue with
>forwarding?)
>If I remove it, will I be losing functionality from normal use? (Local
>-> Proxy -> Internet access)
>
>Thanks,
>
>Mario Cosenza
>
>

From owner-fwtk-users@ex.tis.com Thu Aug 19 20:43 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id UAA28506 Thu, 19 Aug 1999 20:43:05 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id RAA06789; Thu, 19 Aug 1999 17:42:14 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Thu, 19 Aug 1999 16:08:38 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id QAA04292 for fwtk-users-outgoing; Thu, 19 Aug 1999 16:08:17 -0700 (PDT)
Message-ID: <37BC8E55.AFC6BFA3@MediaOne.Net>
Date: Thu, 19 Aug 1999 19:08:05 -0400
From: Mario Cosenza
X-Mailer: Mozilla 4.61 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Eric Benzacar
CC: fwtk-users@ex.tis.com
Subject: Re: Forwarding HTTP to an internal web server?
References: <030601beea10$db3f07f0$0102a8c0@racer.benzacar.com>
Content-Transfer-Encoding: 7bit
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset=us-ascii
Content-Length: 2480
I found the 'forward' concept at http://www.fwtk.org/fwtk/faq/faq.html#2.4.13 . Now that you mention it I can't find it in the fwtk man pages (which is where I thought it was). The fwtk.org FAQ also explains the CONNECT 'hole' pretty well (though not well enough for me).

You are right about the permit hosts line... The forwarding setup I have is actually...

http-gw: forward /* -protocol http -tohost
http-gw: permit-hosts * -java -javascript -activex

I'm not sure if this is effectively the same as your line below. Possibly someone else can provide more input?

Learning as I go,
Mario

Eric Benzacar wrote:
> I didn't even know the "forward" key word existed.... What does it do? How
> does it work?
>
> Why don't you use the following line in netperm-table:
> http-gw: permit-hosts * -httpd -deny { write
> ftp wais exec }
>
> Does that not accomplish the same as "forward"?
>
> Eric
>
> -----Original Message-----
> From: Mario Cosenza
> To: fwtk-users@ex.tis.com
> Date: Wednesday, August 18, 1999 9:49 PM
> Subject: Forwarding HTTP to an internal web server?
>
> >I would like to use http-gw to forward external http requests to an
> >internal web server.
> >
> >I would do this by adding the following line to my netperm-table.
> >http-gw: forward * -protocol http -tohost :80
> >
> >But I understand that http-gw was not designed for this. There are
> >issues with the CONNECT support in http-gw that could allow a 'bad guy'
> >to telnet past your firewall and into your (relatively unprotected) web
> >server.
> >
> >So My Questions Are...
> >
> >Can anybody explain this better?
> >How do I test for the CONNECT 'hole' in http-gw?
> >How do I remove it? (Is there a patch?)
> >If I remove it, will I be secure? (i.e. Is this the only issue with
> >forwarding?)
> >If I remove it, will I be losing functionality from normal use? (Local
> >-> Proxy -> Internet access)
> >
> >Thanks,
> >
> >Mario Cosenza
> >
> >

From owner-fwtk-users@ex.tis.com Thu Aug 19 20:43 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id UAA28504 Thu, 19 Aug 1999 20:43:04 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id RAA06793; Thu, 19 Aug 1999 17:42:15 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Thu, 19 Aug 1999 15:56:19 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id PAA03970 for fwtk-users-outgoing; Thu, 19 Aug 1999 15:55:59 -0700 (PDT)
Message-ID: <37BC8B6E.821F6559@MediaOne.Net>
Date: Thu, 19 Aug 1999 18:55:42 -0400
From: Mario Cosenza
X-Mailer: Mozilla 4.61 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Mariusz Potocki
CC: fwtk-users@ex.tis.com
Subject: Re: Forwarding HTTP to an internal web server?
References:
Content-Transfer-Encoding: 7bit
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset=us-ascii
Content-Length: 895

I always thought that plug-gw was an 'undesirable' solution, because it was just a 'general purpose connector'. (From what I understand) plug-gw does not check for anything. It just allows anything (and everything) through the specified port.

I'd like to find alternatives (http-gw) before I resort to plug-gw. Of course this is mostly due to paranoia.

Learning as I go,
Mario Cosenza
Canton, MI USA

Mariusz Potocki wrote:
> On 18-Aug-99 Mario Cosenza wrote:
> > I would like to use http-gw to forward external http requests to an
> > internal web server.
> >
> > I would do this by adding the following line to my netperm-table.
> > http-gw: forward * -protocol http -tohost :80
> >
> I did it using plug-gw.
> --
> Mariusz Potocki

From owner-fwtk-users@ex.tis.com Fri Aug 20 00:02 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id AAA28978 Fri, 20 Aug 1999 00:02:04 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id VAA11957; Thu, 19 Aug 1999 21:01:34 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Thu, 19 Aug 1999 19:20:40 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id TAA09346 for fwtk-users-outgoing; Thu, 19 Aug 1999 19:20:19 -0700 (PDT)
Message-Id: <3.0.5.32.19990819221124.0087e820@mail.itm-inst.com>
X-Sender: rmurphy@mail.itm-inst.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Thu, 19 Aug 1999 22:11:24 -0400
To: Mario Cosenza , fwtk-users@ex.tis.com
From: Rick Murphy
Subject: Re: Forwarding HTTP to an internal web server?
In-Reply-To: <37BB3E9F.1D6B8E@MediaOne.Net>
Mime-Version: 1.0
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset="us-ascii"
Content-Length: 855

At 07:15 PM 8/18/99 -0400, Mario Cosenza wrote:
>I would like to use http-gw to forward external http requests to an
>internal web server.

Use a plug-gw. Plug will limit the hosts that the users can connect to to only the web server.

To demonstrate the CONNECT hole - telnet to the firewall from the outside to the http port. Then, try 'CONNECT internal.host.ip.address:23 ' where the 'internal.host.ip.address' is some internal system with a telnet daemon running (i.e. not a NT or Windows system). You've now bypassed the proxy to an internal system.. that's why plug alone is better.

The reality of http-gw is that it adds absolutely no security for inbound connections; you're far better off with a plug.
-Rick

From owner-fwtk-users@ex.tis.com Fri Aug 20 11:32 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id LAA01503 Fri, 20 Aug 1999 11:32:34 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id IAA22229; Fri, 20 Aug 1999 08:31:58 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Fri, 20 Aug 1999 06:07:39 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id GAA19520 for fwtk-users-outgoing; Fri, 20 Aug 1999 06:07:13 -0700 (PDT)
From: "Joseph Judge"
To: "Rick Murphy" , "Mario Cosenza" ,
Subject: RE: Forwarding HTTP to an internal web server?
Date: Fri, 20 Aug 1999 09:06:42 -0400
Message-ID: <000301beeb0c$d91c5480$0601a8c0@poopy.judgefamily.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2377.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
In-Reply-To: <3.0.5.32.19990819221124.0087e820@mail.itm-inst.com>
Importance: Normal
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset="iso-8859-1"
Content-Length: 1634

Or telnet outward via the ssl proxy via:

telnet firewall proxyport (80 ? 8080?)
CONNECT myhomeserver.place.com:23 HTTP/1.0

You need the HTTP/1.0 from my experience. Some proxies restrict what ports one can SSL out to (like only to socket 443). Once the connection is up ... the SSL proxy just acts like a plug-gw

- joe

> -----Original Message-----
> From: owner-fwtk-users@ex.tis.com [mailto:owner-fwtk-users@ex.tis.com]On
> Behalf Of Rick Murphy
> Sent: Thursday, August 19, 1999 10:11 PM
> To: Mario Cosenza; fwtk-users@ex.tis.com
> Subject: Re: Forwarding HTTP to an internal web server?
>
> At 07:15 PM 8/18/99 -0400, Mario Cosenza wrote:
> >I would like to use http-gw to forward external http requests to an
> >internal web server.
> Use a plug-gw. Plug will limit the hosts that the users can connect to
> to only the web server.
>
> To demonstrate the CONNECT hole - telnet to the firewall from the outside
> to the http port. Then, try 'CONNECT internal.host.ip.address:23 '
> where the 'internal.host.ip.address' is some internal system with a telnet
> daemon running (i.e. not a NT or Windows system). You've now bypassed the
> proxy to an internal system.. that's why plug alone is better.
> The reality of http-gw is that it adds absolutely no security for inbound
> connections; you're far better off with a plug.
> -Rick
>
>

From owner-fwtk-users@ex.tis.com Fri Aug 20 13:49 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id NAA02141 Fri, 20 Aug 1999 13:49:48 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id KAA26943; Fri, 20 Aug 1999 10:49:13 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Fri, 20 Aug 1999 09:11:19 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id JAA23060 for fwtk-users-outgoing; Fri, 20 Aug 1999 09:10:54 -0700 (PDT)
Message-Id: <199908201610.MAA23099@fw1-a.osis.gov>
From: Joseph S D Yao
Subject: Re: Forwarding HTTP to an internal web server?
To: MCosenza@mediaone.net (Mario Cosenza)
Date: Fri, 20 Aug 1999 12:10:25 -0400 (EDT)
Cc: mariusz@nutricia.com.pl, fwtk-users@ex.tis.com
In-Reply-To: <37BC8B6E.821F6559@MediaOne.Net> from "Mario Cosenza" at Aug 19, 99 06:55:42 pm
X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset=US-ASCII
Content-Length: 880

> I always thought that plug-gw was an 'undesirable' solution, because it was
> just a 'general purpose connector'. (From what I understand) plug-gw does not
> check for anything. It just allows anything (and everything) through the
> specified port.
>
> I'd like to find alternatives (http-gw) before I resort to plug-gw. Of course
> this is mostly due to paranoia.

The http-gw was written to protect the user from the server. Not the other way around. It would be nice to have the proxy that you are suggesting, though.

--
Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
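One way to close the hole this thread describes, as an added example (my code, not fwtk's and not any poster's): a CONNECT target check that parses the request line strictly, allows only an assumed destination-port list (443, the restriction Joseph Judge says some proxies apply), and refuses to tunnel into assumed internal address ranges. It covers Rick Murphy's and Joseph Judge's CONNECT exchanges and Joe Yao's point that http-gw protects the user from the server, not the server from the user; the address ranges, port list and sample request lines are constructed for the example.

```python
"""Added example (not fwtk code, not from any poster in this thread).

http-gw as shipped tunnelled CONNECT to any host:port, so a client on the
outside could reach an internal telnet daemon. A proxy that exposes CONNECT
needs to validate the target first: strict request-line shape, an allow-list
of destination ports, and no tunnelling into the proxy's own address space.
Address ranges and the port list below are assumed policy values.
"""
import ipaddress
import re

# Constructed policy for the example: RFC 1918 space plus loopback.
INTERNAL_NETS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
)
ALLOWED_PORTS = frozenset({443})

# Strict shape: "CONNECT host:port HTTP/1.0|1.1". The version token is
# mandatory, so a version-less line is rejected as malformed.
_CONNECT_RE = re.compile(
    r"^CONNECT[ \t]+(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:\[\]]+):(?P<port>\d{1,5})"
    r"[ \t]+HTTP/1\.[01][ \t]*$"
)


def parse_connect(line):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = _CONNECT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host").strip("[]"), port


def evaluate_connect(line, internal_nets=INTERNAL_NETS, allowed_ports=ALLOWED_PORTS):
    """Decide whether to tunnel. Returns ('allow'|'deny', reason)."""
    parsed = parse_connect(line)
    if parsed is None:
        return "deny", "malformed CONNECT request"
    host, port = parsed
    if port not in allowed_ports:
        return "deny", "port %d not in allowed set" % port
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # Literal IP target: never tunnel back into our own address space.
        if addr.is_loopback or addr.is_link_local or any(addr in n for n in internal_nets):
            return "deny", "target %s is internal" % host
    else:
        # Hostname target: resolution is out of scope offline, so refuse
        # single-label and obviously local names; a real proxy resolves the
        # name and applies the same address test to every result.
        if "." not in host or host.lower().endswith((".local", ".localhost", ".internal")):
            return "deny", "hostname %s looks internal" % host
    return "allow", "CONNECT to %s:%d permitted" % (host, port)


# Constructed request lines covering the cases the thread raises.
SAMPLE_REQUESTS = (
    "CONNECT 10.1.2.3:23 HTTP/1.0",                 # internal telnet daemon
    "CONNECT 10.1.2.3:443 HTTP/1.0",                # right port, internal target
    "CONNECT myhomeserver.place.com:23 HTTP/1.0",   # outward telnet via CONNECT
    "CONNECT www.example.com:443 HTTP/1.0",         # the only legitimate shape
    "CONNECT www.example.com:443",                  # no version token
    "CONNECT [::1]:443 HTTP/1.1",                   # IPv6 loopback literal
    "GET / HTTP/1.0",                               # not a CONNECT at all
)


def audit(requests=SAMPLE_REQUESTS):
    """Map each request line to its (decision, reason) tuple."""
    return {r: evaluate_connect(r) for r in requests}


if __name__ == "__main__":
    for req, (decision, reason) in audit().items():
        print("%-46s %-5s %s" % (req, decision, reason))
```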
From owner-fwtk-users@ex.tis.com Fri Aug 20 13:49 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id NAA02144 Fri, 20 Aug 1999 13:49:50 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id KAA26947; Fri, 20 Aug 1999 10:49:15 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Fri, 20 Aug 1999 09:10:39 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id JAA23027 for fwtk-users-outgoing; Fri, 20 Aug 1999 09:10:12 -0700 (PDT)
Message-Id: <199908201609.MAA23014@fw1-a.osis.gov>
From: Joseph S D Yao
Subject: Re: Forwarding HTTP to an internal web server?
To: MCosenza@mediaone.net (Mario Cosenza)
Date: Fri, 20 Aug 1999 12:09:31 -0400 (EDT)
Cc: benze@attcanada.net, fwtk-users@ex.tis.com
In-Reply-To: <37BC8E55.AFC6BFA3@MediaOne.Net> from "Mario Cosenza" at Aug 19, 99 07:08:05 pm
X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset=US-ASCII
Content-Length: 774

> I found the 'forward' concept at http://www.fwtk.org/fwtk/faq/faq.html#2.4.13 .
> Now that you mention it I can't find it in the fwtk man pages (which is where I
> thought it was). The fwtk.org FAQ also explains the CONNECT 'hole' pretty well
> (though not well enough for me).

Unfortunately, in an evolving piece of open-source code, the code itself is always the best documentation. The documentation always lags.

--
Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
From owner-fwtk-users@ex.tis.com Mon Aug 23 10:53 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id KAA08626 Mon, 23 Aug 1999 10:53:26 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id HAA14460; Mon, 23 Aug 1999 07:52:45 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Mon, 23 Aug 1999 05:31:00 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id FAA12838 for fwtk-users-outgoing; Mon, 23 Aug 1999 05:30:45 -0700 (PDT)
Date: Mon, 23 Aug 1999 08:30:19 -0400 (EDT)
From: Jiann-Ming Su
To: fwtk-users@lists.nai.com
Subject: smap/smapd and http question
Message-ID:
MIME-Version: 1.0
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Length: 1025

I'm sure this has been discussed before, but I couldn't find it in the FAQ. Does user information have to exist on the bastion host where smap and smapd are running? That is, how do smap and smapd know who users are? Or do they not care? If not, how do they know which mailserver to forward mail to? If I had to guess, I'd say it's using the MX records in the DNS tables.

Also, for those who use fwtk, do you put your public web servers externally? According to the docs, http-gw is only good for internal users trying to get out, not the other way around, which basically tells me that the web server has to be outside the firewall.

Sorry if this has been discussed before. This is the first time I've set up fwtk. Thanks for any help.

Jiann-Ming Su              "People seldom do what they believe in. They do
js290@prism.gatech.edu     what is convenient, then repent." --Bob Dylan

From owner-fwtk-users@ex.tis.com Mon Aug 23 12:11 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id MAA08808 Mon, 23 Aug 1999 12:11:00 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id JAA16399; Mon, 23 Aug 1999 09:09:45 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Mon, 23 Aug 1999 07:33:47 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id HAA14085 for fwtk-users-outgoing; Mon, 23 Aug 1999 07:33:27 -0700 (PDT)
Message-Id:
From: Spencer Marshall
To: "'Jiann-Ming Su'" , fwtk-users@lists.nai.com
Subject: RE: smap/smapd and http question
Date: Mon, 23 Aug 1999 15:28:42 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset="iso-8859-1"
Content-Length: 1455

Put your public website outside.

> -----Original Message-----
> From: Jiann-Ming Su [mailto:js1@zeus.me.gatech.edu]
> Sent: 23 August 1999 13:30
> To: fwtk-users@lists.nai.com
> Subject: smap/smapd and http question
>
> I'm sure this has been discussed before, but I couldn't find
> it in the FAQ.
> Does user information have to exist on the bastion host where
> smap and smapd
> are running? That is, how do smap and smapd know who users
> are? Or do they
> not care? If not, how do they know which mailserver to
> forward mail to?
> If I had to guess, I'd say it's using the MX records in the
> DNS tables.
>
> Also, for those who use fwtk, do you put your public web
> servers externally?
> According to the docs, http-gw is only good for internal
> users trying to
> get out, not the other way around, which basically tells me
> that the web
> server has to be outside the firewall.
>
> Sorry if this has been discussed before. This is the first
> time I've set
> up fwtk. Thanks for any help.
>
> Jiann-Ming Su              "People seldom do what they
> believe in. They do
> js290@prism.gatech.edu     what is convenient, then
> repent." --Bob Dylan
>

From owner-fwtk-users@ex.tis.com Mon Aug 23 13:17 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id NAA09089 Mon, 23 Aug 1999 13:17:55 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id KAA18822; Mon, 23 Aug 1999 10:16:43 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Mon, 23 Aug 1999 08:45:25 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id IAA15504 for fwtk-users-outgoing; Mon, 23 Aug 1999 08:45:00 -0700 (PDT)
Message-Id:
From: Spencer Marshall
To: "'Richard Stagg'" , Spencer Marshall
Cc: "'Jiann-Ming Su'" , fwtk-users@lists.nai.com
Subject: RE: smap/smapd and http question
Date: Mon, 23 Aug 1999 16:40:05 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset="iso-8859-1"
Content-Length: 2861

Sorry, I presumed your ISP is hosting your website for you, and this would be within part of their dmz (basically the same as Richard was suggesting but someone else's responsibility). Saves you from doing it, and leaves them the problem of security.
> -----Original Message-----
> From: Richard Stagg [mailto:squid@bae.co.uk]
> Sent: 23 August 1999 16:38
> To: Spencer Marshall
> Cc: 'Jiann-Ming Su'; fwtk-users@lists.nai.com
> Subject: RE: smap/smapd and http question
>
> I'd be more inclined, from a purely security perspective, not to put the
> webserver outside the firewall, or there's a good chance it'll get hacked
> to bits.
>
> Your options are:
>
> Put an HTTP accelerator/reverse proxy outside the firewall and the server
> inside. (Squid's good for this)
>
> Put the server on a DMZ hanging off a firewall port and permit traffic to
> it only on relevant ports. Much safer.
>
> Regards
> Richard Stagg
>
> On Mon, 23 Aug 1999, Spencer Marshall wrote:
>
> > Put your public website outside.
> >
> > > -----Original Message-----
> > > From: Jiann-Ming Su [mailto:js1@zeus.me.gatech.edu]
> > > Sent: 23 August 1999 13:30
> > > To: fwtk-users@lists.nai.com
> > > Subject: smap/smapd and http question
> > >
> > > I'm sure this has been discussed before, but I couldn't find it in the FAQ.
> > > Does user information have to exist on the bastion host where smap and smapd
> > > are running? That is, how do smap and smapd know who users are? Or does it
> > > not care? If not, how does it know which mailserver to forward mail to?
> > > If I had to guess, I'd say it's using the MX records in the DNS tables.
> > >
> > > Also, for those who use fwtk, do you put your public web servers externally?
> > > According to the docs, http-gw is only good for internal users trying to
> > > get out, not the other way around, which basically tells me that the web
> > > server has to be outside the firewall.
> > >
> > > Sorry if this has been discussed before. This is the first time I've set
> > > up fwtk. Thanks for any help.
> > >
> > > Jiann-Ming Su            "People seldom do what they believe in. They do
> > > js290@prism.gatech.edu    what is convenient, then repent." --Bob Dylan
> > >
>
> ---------------------------------
> Richard Stagg
> Internet Architect
> squid@bae.co.uk

From owner-fwtk-users@ex.tis.com Mon Aug 23 13:18 EDT 1999
From: Richard Stagg
To: Spencer Marshall
Cc: "'Jiann-Ming Su'", fwtk-users@lists.nai.com
Subject: RE: smap/smapd and http question
Date: Mon, 23 Aug 1999 16:37:35 +0100 (BST)

I'd be more inclined, from a purely security perspective, not to put the
webserver outside the firewall, or there's a good chance it'll get hacked
to bits.
Your options are:

Put an HTTP accelerator/reverse proxy outside the firewall and the server
inside. (Squid's good for this)

Put the server on a DMZ hanging off a firewall port and permit traffic to
it only on relevant ports. Much safer.

Regards
Richard Stagg

On Mon, 23 Aug 1999, Spencer Marshall wrote:

> Put your public website outside.
>
> > -----Original Message-----
> > From: Jiann-Ming Su [mailto:js1@zeus.me.gatech.edu]
> > Sent: 23 August 1999 13:30
> > To: fwtk-users@lists.nai.com
> > Subject: smap/smapd and http question
> >
> > I'm sure this has been discussed before, but I couldn't find it in the FAQ.
> > Does user information have to exist on the bastion host where smap and smapd
> > are running? That is, how do smap and smapd know who users are? Or does it
> > not care? If not, how does it know which mailserver to forward mail to?
> > If I had to guess, I'd say it's using the MX records in the DNS tables.
> >
> > Also, for those who use fwtk, do you put your public web servers externally?
> > According to the docs, http-gw is only good for internal users trying to
> > get out, not the other way around, which basically tells me that the web
> > server has to be outside the firewall.
> >
> > Sorry if this has been discussed before. This is the first time I've set
> > up fwtk. Thanks for any help.
> >
> > Jiann-Ming Su            "People seldom do what they believe in. They do
> > js290@prism.gatech.edu    what is convenient, then repent."
> > --Bob Dylan
> >
>
---------------------------------
Richard Stagg
Internet Architect
squid@bae.co.uk

From owner-fwtk-users@ex.tis.com Mon Aug 23 15:31 EDT 1999
Message-Id: <199908231750.NAA14740@fw1-a.osis.gov>
From: Joseph S D Yao
To: js1@zeus.me.gatech.edu (Jiann-Ming Su)
Cc: fwtk-users@lists.nai.com
Subject: Re: smap/smapd and http question
In-Reply-To: from "Jiann-Ming Su" at Aug 23, 99 08:30:19 am
Date: Mon, 23 Aug 1999 13:50:12 -0400 (EDT)

> Does user information have to exist on the bastion host where smap and smapd
> are running? That is, how do smap and smapd know who users are? Or does it
> not care? If not, how does it know which mailserver to forward mail to?
> If I had to guess, I'd say it's using the MX records in the DNS tables.

Exactly. Its DNS resolves internally. It sends to the "correct" mail server
internally. There should be NO user information on the firewall (except
maybe S/Key auth databases).

> Also, for those who use fwtk, do you put your public web servers externally?
> According to the docs, http-gw is only good for internal users trying to
> get out, not the other way around, which basically tells me that the web
> server has to be outside the firewall.

Also well-read. Web servers can be outside the firewall or, better, on a
third leg of the firewall with a plug-gw allowing some access in. Do not
allow access from the third leg to your internal network!

--
Joe Yao                                 jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                              EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From owner-fwtk-users@ex.tis.com Tue Aug 24 16:42 EDT 1999
From: Jiann-Ming Su
To: fwtk-users@lists.nai.com
Subject: imap through firewall...
Date: Tue, 24 Aug 1999 14:18:00 -0400 (EDT)

Is it "safe" to open port 143 on the internal mail server with plug-gw so
people can access email from home? If not, what's the preferred way to do
this? Thanks.

Jiann-Ming Su            "People seldom do what they believe in. They do
js290@prism.gatech.edu    what is convenient, then repent."
--Bob Dylan

From owner-fwtk-users@ex.tis.com Tue Aug 24 17:58 EDT 1999
Message-ID: <37C2FED4.BBF8759B@v-one.com>
From: Keith Young
Organization: V-ONE
To: Jiann-Ming Su
Cc: fwtk-users@lists.nai.com
Subject: Re: imap through firewall...
Date: Tue, 24 Aug 1999 16:21:40 -0400

Jiann-Ming Su wrote:
>
> Is it "safe" to open port 143 on the internal mail server with plug-gw
> so people can access email from home? If not, what's the preferred way
> to do this? Thanks.

From a quick look for "IMAP" at Rootshell.com:
===============
New remote root exploit in University of Washington imapd 4
http://www.rootshell.com/archive-j457nxiqi3gq59dv/199807/imapd4.txt.html

Get remote root access on Redhat systems by overwriting a buffer in imapd.
http://www.rootshell.com/archive-j457nxiqi3gq59dv/199707/imapd_exploit.c.html

Several different versions of the remote imapd buffer overflow exploit.
http://www.rootshell.com/archive-j457nxiqi3gq59dv/199711/imaps.tar.gz.html
===============

Of course they are all using the same basic exploit, but it shows that
allowing non-authenticated people to gain access to a machine in your
internal network might be a bad idea.

Other method of protection? Put the mail server in your DMZ by itself so
any damage done can be minimized and plug both internal and external users
to it using plug-gw. Also make sure that the imap server is at a recent
patch level.

--Keith
-kyoung@v-one.com

From owner-fwtk-users@ex.tis.com Tue Aug 24 18:04 EDT 1999
Message-ID: <000901beee6f$d38100a0$6910a8c0@shark.nedecon.com.br>
From: "Fernando"
Subject: Restarting the FWTK
Date: Tue, 24 Aug 1999 17:32:47 -0300

Does anybody have some script to restart the toolkit?

I would like to have some safe way to reconfigure the proxies and restart
them without stopping the bastion host.

When I try to kill the toolkit, some other services stop, and the servers
almost crash.
The services like named, sendmail, and others are stopped together with the
fwtk components.

Thanks.

From owner-fwtk-users@ex.tis.com Tue Aug 24 20:31 EDT 1999
From: David Lang
To: Keith Young
Cc: Jiann-Ming Su, fwtk-users@lists.nai.com
Subject: Re: imap through firewall...
In-Reply-To: <37C2FED4.BBF8759B@v-one.com>
Date: Tue, 24 Aug 1999 15:43:18 -0700 (PDT)

The bigger problem is that you are sending your password in the clear
(unless you wrap SSL around IMAP). You can get IMAP servers that do not
have these bugs (search for cyrus for one example).

David Lang

On Tue, 24 Aug 1999, Keith Young wrote:

> Date: Tue, 24 Aug 1999 16:21:40 -0400
> From: Keith Young
> To: Jiann-Ming Su
> Cc: fwtk-users@lists.nai.com
> Subject: Re: imap through firewall...
>
> Jiann-Ming Su wrote:
> >
> > Is it "safe" to open port 143 on the internal mail server with plug-gw
> > so people can access email from home? If not, what's the preferred way
> > to do this? Thanks.
>
> From a quick look for "IMAP" at Rootshell.com:
> ===============
> New remote root exploit in University of Washington imapd 4
> http://www.rootshell.com/archive-j457nxiqi3gq59dv/199807/imapd4.txt.html
>
> Get remote root access on Redhat systems by overwriting a buffer in
> imapd.
> http://www.rootshell.com/archive-j457nxiqi3gq59dv/199707/imapd_exploit.c.html
>
> Several different versions of the remote imapd buffer overflow exploit.
> http://www.rootshell.com/archive-j457nxiqi3gq59dv/199711/imaps.tar.gz.html
> ===============
>
> Of course they are all using the same basic exploit, but it shows that
> allowing non-authenticated people to gain access to a machine in your
> internal network might be a bad idea.
>
> Other method of protection? Put the mail server in your DMZ by itself so
> any damage done can be minimized and plug both internal and external
> users to it using plug-gw. Also make sure that the imap server is at a
> recent patch level.
>
> --Keith
> -kyoung@v-one.com
>

From owner-fwtk-users@ex.tis.com Tue Aug 24 20:40 EDT 1999
Message-Id: <199908242310.TAA17136@fw1-b.osis.gov>
From: Joseph S D Yao
Subject: Re: imap through firewall...
To: js1@zeus.me.gatech.edu (Jiann-Ming Su)
Cc: fwtk-users@lists.nai.com
In-Reply-To: from "Jiann-Ming Su" at Aug 24, 99 02:18:00 pm
Date: Tue, 24 Aug 1999 19:10:20 -0400 (EDT)

> Is it "safe" to open port 143 on the internal mail server with plug-gw
> so people can access email from home? If not, what's the preferred way
> to do this? Thanks.
>
> Jiann-Ming Su            "People seldom do what they believe in. They do
> js290@prism.gatech.edu    what is convenient, then repent." --Bob Dylan

Not safe. I authenticate in through the firewall and then read my e-mail
from "inside".

--
Joe Yao                                 jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                              EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
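The replies above turn on one fact a TCP plug cannot change: plug-gw relays bytes, so whether a home user's IMAP password crosses the Internet in the clear depends entirely on the server behind it. The following is an added example, not code from any poster or from fwtk, that audits an IMAP server's greeting or CAPABILITY response for that point: does it offer STARTTLS, and does it refuse plaintext LOGIN (LOGINDISABLED) until TLS is up? The sample responses are constructed, and the live probe helper assumes an IMAP host of your own.

```python
import imaplib
import re
import ssl

# Capability tokens (RFC 2595) that decide the "password in the clear" question.
STARTTLS = "STARTTLS"
LOGINDISABLED = "LOGINDISABLED"

# Matches the capability list in either form an IMAP server may send:
#   * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] greeting text
#   * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED
_CAPS_RE = re.compile(r"(?:\[CAPABILITY ([^\]]*)\]|^\* CAPABILITY (.*)$)", re.I)


def parse_capabilities(line: str) -> frozenset:
    """Return the upper-cased capability tokens from a greeting or CAPABILITY line.
    A greeting that carries no capability list yields an empty set; in that case
    feed the server's answer to an explicit CAPABILITY command instead."""
    m = _CAPS_RE.search(line.strip())
    if not m:
        return frozenset()
    tokens = m.group(1) if m.group(1) is not None else m.group(2)
    return frozenset(t.upper() for t in tokens.split())


def plaintext_login_exposure(caps, port: int) -> str:
    """Classify how a password would cross the wire on this port.

    'tls-wrapped'       - port 993 (IMAPS): the whole session is inside TLS.
    'starttls-enforced' - STARTTLS offered and LOGIN refused until it is used.
    'starttls-optional' - STARTTLS offered, but a client may still LOGIN in clear.
    'cleartext'         - no TLS at all; every LOGIN is readable on the path.
    """
    if port == 993:
        return "tls-wrapped"
    if STARTTLS in caps and LOGINDISABLED in caps:
        return "starttls-enforced"
    if STARTTLS in caps:
        return "starttls-optional"
    return "cleartext"


def audit_greeting(greeting: str, port: int = 143) -> dict:
    """Audit a captured greeting/CAPABILITY line before exposing the server
    through a TCP plug. Only the first two verdicts keep credentials off the wire."""
    caps = parse_capabilities(greeting)
    verdict = plaintext_login_exposure(caps, port)
    return {
        "port": port,
        "capabilities": sorted(caps),
        "verdict": verdict,
        "safe_to_plug": verdict in ("tls-wrapped", "starttls-enforced"),
    }


def probe(host: str, port: int = 143, timeout: float = 10.0) -> dict:
    """Live counterpart of audit_greeting(): connect, read the advertised
    capabilities, and disconnect without authenticating. Not exercised offline;
    host is assumed to be a server you administer."""
    if port == 993:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context(),
                                 timeout=timeout)
    else:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        caps = frozenset(c.upper() for c in conn.capabilities)
    finally:
        conn.logout()
    verdict = plaintext_login_exposure(caps, port)
    return {"port": port, "capabilities": sorted(caps), "verdict": verdict,
            "safe_to_plug": verdict in ("tls-wrapped", "starttls-enforced")}


# Constructed sample greetings (not captured from any real host).
SAMPLE_GREETINGS = {
    "legacy": "* OK mailhost IMAP4rev1 Service Ready",
    "optional": "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready",
    "enforced": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    "caps_line": "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED",
}

if __name__ == "__main__":
    for name, line in SAMPLE_GREETINGS.items():
        r = audit_greeting(line)
        print(f"{name:9s} -> {r['verdict']:18s} safe_to_plug={r['safe_to_plug']}")
```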
From owner-fwtk-users@ex.tis.com Tue Aug 24 23:21 EDT 1999
From: Ted Keller
To: Fernando
Cc: fwtk-users@lists.nai.com
Subject: Re: Restarting the FWTK
In-Reply-To: <000901beee6f$d38100a0$6910a8c0@shark.nedecon.com.br>
Date: Tue, 24 Aug 1999 21:40:25 -0400 (EDT)

Fernando,

If you run the proxies from inetd, they "dynamically" restart with each
connection. You should be able to do this for just about every proxy with
the exception of http-gw (way too many connections here). Any changes made
in the netperm-table will be seen with the next invocation of the proxy.

I don't understand how your other services are getting stopped. Seems like
you may want to re-review your startup/shutdown scripts - keeping the fwtk
in its own script - separate from the rest of the OS.

ted keller

On Tue, 24 Aug 1999, Fernando wrote:

> Does anybody have some script to restart the toolkit?
>
> I would like to have some safe way to reconfigure the proxies and restart
> them without stopping the bastion host.
>
> When I try to kill the toolkit, some other services stop, and the servers
> almost crash.
> The services like named, sendmail, and others are stopped together with the
> fwtk components.
>
> Thanks.
>

From owner-fwtk-users@ex.tis.com Wed Aug 25 04:55 EDT 1999
Message-ID: <007501beeec6$e3de13f0$061ea8c0@sdk6.sd.co.nz>
From: "Michael Williams"
Subject: IPBind patch for fwtk on freeBSD 3.2
Date: Wed, 25 Aug 1999 18:55:59 +1200

Has anyone used the really cool fwtk IPBind patch for daemon mode plug-gw
proxies with success on any of the FreeBSD OS versions?

I have found it to work exactly as expected under RedHat Linux 6.0, as per
the syslog entries at the end of this mail.
The documentation clearly states:

    This patch has been tested and verified on the following systems:

    Solaris 2.5.1 (sparc)
    Solaris 2.5 (x86)

So I am not expecting too much, as it does work on my test RedHat server,
just not on the FreeBSD 3.2 server which happens to be the gateway I want
to use this on (:

However, looking through the source code I can see that under FreeBSD it
makes it through the create socket call, then the setsockopt call OK, but
fails on the bind, seeming to not like the address.
I am not sure how to figure out if the problem is an access rights issue or
perhaps an address:port format issue.

A point worth noting is that when configured to bind the port only, the
bind is fine and in fact the proxy works as expected, and when run in
daemon mode sets up a listener on *.port for all interfaces.

I do have an IPFW rulebase loaded on the FreeBSD server which does not seem
to interfere, as the plug-gw behaves fine when bound to port only.

Looking through my 4.4BSD books I can see that the bind call is quite happy
to bind the address of 0/ and decide on the fly the correct interface, and
this made me wonder if it wanted to bind to an interface address rather than
an IP address?

I am starting the proxy with the following:
/usr/local/etc/plug-gw -daemon 192.168.30.3:80 -name plug-http

Here are the syslog entries from both servers. Hope they come through legible.

redhat 6 linux 2.2.15-22 kernel.
Aug 23 18:26:17 xmailgate plug-gw[615]: Starting daemon mode on ip 192.168.30.3(192.168.30.3), port 80
.
.
Aug 25 05:10:54 xmailgate plug-gw[1139]: HERE!!! av[0] = 80
Aug 25 05:10:54 xmailgate last message repeated 3 times
Aug 25 05:10:54 xmailgate plug-gw[1139]: YO!!!
localip = 192.168.30.3
Aug 25 05:10:54 xmailgate plug-gw[1139]: connect host=sdakx0.xx.xx/192.168.30.10 destination=10.0.30.4/8080

freebsd 3.2 kernel
Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Starting daemon mode on ip 172.16.30.4 (172.16.30.4), port 81
Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Failed to bind port 81, Can't assign requested address

Any helpful comment would be appreciated.
Thanks,
Mike.

Michael Williams
Software Dynamics
mailto:sdynamic@xtra.co.nz
http://www.voyager.co.nz/~michaelw
cell ph: 025 995 914
ph: +64 9 2744876

From owner-fwtk-users@ex.tis.com Wed Aug 25 10:56 EDT 1999
Message-Id: <199908251303.RAA21520@paranoid.eltex.spb.ru>
From: -=ArkanoiD=-
To: kyoung@v-one.com (Keith Young)
Cc: js1@zeus.me.gatech.edu, fwtk-users@lists.nai.com
Reply-To: ark@eltex.ru
Subject: Re: imap through firewall...
In-Reply-To: <37C2FED4.BBF8759B@v-one.com> from Keith Young at "Aug 24, 1999 04:21:40 pm"
Date: Wed, 25 Aug 1999 17:03:02 +0400 (MSD)

nuqneH,

btw when is the next major www.fwtk.org update planned?
I've noticed that many things that should be there are not (aol-gw, lp-gw,
sybase-gw, ms-sql-gw, x9.9 authentication, SASL patch, etc)

--
CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

From owner-fwtk-users@ex.tis.com Wed Aug 25 12:03 EDT 1999
From: "William L. Hamlin"
To: Michael Williams
Cc: freebsd-security@freebsd.org, fwtk-users@lists.nai.com
Subject: Re: IPBind patch for fwtk on freeBSD 3.2
In-Reply-To: <007501beeec6$e3de13f0$061ea8c0@sdk6.sd.co.nz>
Date: Wed, 25 Aug 1999 07:25:42 -0700 (PDT)

Michael,

Which version of IPBind are you using? If you are using anything older than
1.2, get the newest one - that will probably be your problem. There are
known issues with earlier versions attempting to bind specific IP addresses
on some systems.

My next suggestion would be to verify that the IP address you are specifying
(172.16.30.4) is indeed the one that you want to use and that it is correctly
configured on the local machine.
I know this sounds basic, but most of the problem e-mails I get regarding
the patch end up being this very problem. A good sign of a computer nut is
that his eyes are almost completely blurry from working all night...

If that doesn't work, I'm at a bit of a loss. I don't have access to a
FreeBSD machine right now and thus can't bang on it. However, if you (or
anyone) has such a system on the Internet on which they can give me a
temporary login (and gcc, of course), I can take a look and see for myself.

Or maybe someone else has already gotten it working? Actually, I've gotten
very little response from people regarding the patch working on different
operating systems. Since this is going out to the list, if any of you have
gotten it working, could you please let me know what platform/OS and any
changes you had to make?

- Bill

---
William L. Hamlin
Systems Architect
Convergent Networking Systems, Inc.

On Wed, 25 Aug 1999, Michael Williams wrote:

> Has anyone used the really cool fwtk IPBind patch for daemon mode plug-gw
> proxies with success on any of the FreeBSD OS versions?
>
> I have found it to work exactly as expected under RedHat Linux 6.0, as per
> the syslog entries at the end of this mail.
>
> The documentation clearly states:
> This patch has been tested and verified on the following systems:
>
> Solaris 2.5.1 (sparc)
> Solaris 2.5 (x86)
>
> So I am not expecting too much, as it does work on my test RedHat server,
> just not on the FreeBSD 3.2 server which happens to be the gateway I want
> to use this on (:
>
> However, looking through the source code I can see that under FreeBSD it
> makes it through the create socket call, then the setsockopt call OK, but
> fails on the bind, seeming to not like the address.
> I am not sure how to figure out if the problem is an access rights issue or
> perhaps an address:port format issue.
>
> A point worth noting is that when configured to bind the port only, the
> bind is fine and in fact the proxy works as expected, and when run in
> daemon mode sets up a listener on *.port for all interfaces.
>
> I do have an IPFW rulebase loaded on the FreeBSD server which does not seem
> to interfere, as the plug-gw behaves fine when bound to port only.
>
> Looking through my 4.4BSD books I can see that the bind call is quite happy
> to bind the address of 0/ and decide on the fly the correct interface, and
> this made me wonder if it wanted to bind to an interface address rather than
> an IP address?
>
> I am starting the proxy with the following:
> /usr/local/etc/plug-gw -daemon 192.168.30.3:80 -name plug-http
>
> Here are the syslog entries from both servers.
> Hope they come through legible.
>
> redhat 6 linux 2.2.15-22 kernel.
> Aug 23 18:26:17 xmailgate plug-gw[615]: Starting daemon mode on ip
> 192.168.30.3(192.168.30.3), port 80
> .
> .
> Aug 25 05:10:54 xmailgate plug-gw[1139]: HERE!!! av[0] = 80
> Aug 25 05:10:54 xmailgate last message repeated 3 times
> Aug 25 05:10:54 xmailgate plug-gw[1139]: YO!!! localip = 192.168.30.3
> Aug 25 05:10:54 xmailgate plug-gw[1139]: connect
> host=sdakx0.xx.xx/192.168.30.10 destination=10.0.30.4/8080
>
>
> freebsd 3.2 kernel
> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Starting daemon mode on ip
> 172.16.30.4
> (172.16.30.4), port 81
> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Failed to bind port 81, Can't
> assign requested address
>
> Any helpful comment would be appreciated.
> Thanks,
> Mike.
>
> Michael Williams
> Software Dynamics
> mailto:sdynamic@xtra.co.nz
> http://www.voyager.co.nz/~michaelw
> cell ph: 025 995 914
> ph: +64 9 2744876
>

From owner-fwtk-users@ex.tis.com Wed Aug 25 12:45 EDT 1999
Message-ID: <1A2B916673DFD211ABC700805FA7AA6896116C@MSX11002>
From: "Lidgate, Chris A"
To: fwtk-users@lists.nai.com
Cc: "'ark@eltex.ru'"
Subject: RE: imap through firewall...
Date: Wed, 25 Aug 1999 10:02:22 -0500

Hey hold on a moment ...

> ----------
> From: -=ArkanoiD=-[SMTP:ark@eltex.ru]
> Reply To: ark@eltex.ru
> Sent: 25 August 1999 14:03
> To: kyoung@v-one.com
> Cc: js1@zeus.me.gatech.edu; fwtk-users@lists.nai.com
> Subject: Re: imap through firewall...
>
> nuqneH,
>
> btw when is the next major www.fwtk.org update planned?
> I've noticed that many things that should be there are not
> (aol-gw, lp-gw, sybase-gw, ms-sql-gw, x9.9 authentication, SASL patch,
> etc)
>
I've been trying to get ms-sql working with my fwtk firewall, and so far
have got nowhere fast. Could someone enlighten me as to where I can find
the ms-sql-gw mentioned above?

Chris Lidgate - Texaco Ltd.
===========================

From owner-fwtk-users@ex.tis.com Wed Aug 25 13:41 EDT 1999
From: -=ArkanoiD=-
Message-Id: <199908251557.TAA22334@paranoid.eltex.spb.ru>
Subject: Re: imap through firewall...
In-Reply-To: <1A2B916673DFD211ABC700805FA7AA6896116C@MSX11002> from "Lidgate, Chris A" at "Aug 25, 1999 10:02:22 am"
To: lidgaca@texaco.com (Lidgate, Chris A)
Date: Wed, 25 Aug 1999 19:57:14 +0400 (MSD)
Cc: fwtk-users@lists.nai.com, ark@eltex.ru
Reply-To: ark@eltex.ru

nuqneH,

I think I put it at http://private.convey.ru/ark/archive
Note that you need md5 and blowfish libraries to build it.
libblowfish can be found somewhere on ftp.funet.fi

There could be some problem if you use the TDS7 protocol with MS SQL 7; I hope to fix it soon, let me know if you run into those problems.

Somebody (maybe you, Lidgate, Chris A) WROTE:
> Hey hold on a moment ...
>
> > ----------
> > From: -=ArkanoiD=-[SMTP:ark@eltex.ru]
> > Reply To: ark@eltex.ru
> > Sent: 25 August 1999 14:03
> > To: kyoung@v-one.com
> > Cc: js1@zeus.me.gatech.edu; fwtk-users@lists.nai.com
> > Subject: Re: imap through firewall...
> >
> > nuqneH,
> >
> > btw when is the next major www.fwtk.org update planned?
> > I've noticed that many things that should be there are not
> > (aol-gw, lp-gw, sybase-gw, ms-sql-gw, x9.9 authentication, SASL patch,
> > etc)
> >
> I've been trying to get ms-sql working with my fwtk
> firewall, and so far have got nowhere fast. Could
> someone enlighten me as to where I can find the
> ms-sql-gw mentioned above?
>
> Chris Lidgate - Texaco Ltd.
> ===========================
>

-- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

From owner-fwtk-users@ex.tis.com Wed Aug 25 19:09 EDT 1999
Message-ID: <004a01beef3a$ed56c160$061ea8c0@sdk6.sd.co.nz>
From: "Michael Williams"
To: "William L. Hamlin"
Cc: ,
Subject: Re: IPBind patch for fwtk on freeBSD 3.2
Date: Thu, 26 Aug 1999 08:46:36 +1200

Bill,

Thanks for your quick response. Sorry for my slow reply... NZ time is way different.
If socket programming is bordering off the correct topic for freebsd-security, perhaps one of the freeBSD team could let me know, in which case we could post the resolution only to freebsd-security :)

>
> Which version of IPBind are you using? If you are using anything older
> than 1.2, get the newest one - that will probably be your problem. There
> are known issues with earlier versions attempting to bind specific IP
> addresses on some systems.
>

Oops, silly of me to include the version of everything but the IPBind code. Version 1.2 already (:

>
> My next suggestion would be to verify that the IP address you are
> specifying (172.16.30.4) is indeed the one that you want to use and that
> it is correctly configured on the local machine. I know this sounds
> basic, but most of the problem e-mails I get regarding the patch end up
> being this very problem. A good sign of a computer nut is that his eyes
> are almost completely blurry from working all night...
>

Good suggestion just the same. I can bind the plug-gw by port only and connect via the IP address in question. First I started with an alias IP and then moved on to using the base adapter IP, which I know works.

An interesting direct reply I had suggested that FreeBSD requires the entire sockaddr_in structure to be bzero'ed before assigning the address.

In the meantime I have found the socket-address template structure and a sample diagram for the Internet-domain socket name (Design & Implementation of 4.4BSD) showing the layout as follows:

sa_len, sa_family, sa_data
1-byte, 1-byte, variable-length

Which in this case should be:

sin_len, AF_INET, sin_port, sin_addr, sin_zero

My C code is very rusty but I will follow this up.

I use freeBSD on a number of production servers in various secure roles and find it to be the most interesting, fun and stable OS of any I have ever used :)

Mike.
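The bzero/sin_len point Mike raises, as an added C example (not code from this thread, from fwtk or from the IPBind patch): the helper names fill_sockaddr_in() and bind_local() are my own, and 192.0.2.1 is an RFC 5737 documentation address chosen because it is not configured on any local interface, so binding it provokes the same EADDRNOTAVAIL ("Can't assign requested address") that the FreeBSD syslog shows. The code zeroes the whole structure before filling it, sets sin_len only on 4.4BSD-derived systems (Linux has no such field), and returns the errno from the failing call so that "address not local" can be told apart from a permissions failure.

```c
/* Added example: fill a sockaddr_in the way 4.4BSD-derived kernels expect
 * and try to bind it. fill_sockaddr_in() and bind_local() are assumed
 * helper names, not functions from fwtk or the IPBind patch. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Zero the whole structure first (sin_zero and, on BSD, sin_len must not
 * carry stack garbage), then set the fields a daemon-mode proxy needs.
 * An empty ip means "port only": INADDR_ANY, listen on every interface.
 * Returns 0 on success, -1 if ip is not a dotted-quad IPv4 address. */
int fill_sockaddr_in(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
    sa->sin_len = sizeof *sa;          /* only 4.4BSD-derived systems have sin_len */
#endif
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    if (ip == NULL || *ip == '\0')
        sa->sin_addr.s_addr = htonl(INADDR_ANY);
    else if (inet_pton(AF_INET, ip, &sa->sin_addr) != 1)
        return -1;
    return 0;
}

/* Create a TCP socket, set SO_REUSEADDR and bind it to ip:port.
 * Returns 0 on success or -errno from the call that failed:
 *   -EADDRNOTAVAIL  the address is not configured locally ("Can't assign
 *                   requested address" in the syslog above)
 *   -EACCES         privileged port without the rights to bind it
 *   -EINVAL         ip did not parse
 * The socket is closed before returning, so nothing is left listening. */
int bind_local(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    int fd, on = 1, rc;

    if (fill_sockaddr_in(&sa, ip, port) != 0)
        return -EINVAL;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on) < 0) {
        rc = -errno;
        close(fd);
        return rc;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        rc = -errno;
        close(fd);
        return rc;
    }
    close(fd);
    return 0;
}

int main(void)
{
    /* Port 0 lets the kernel pick an ephemeral port, so no privileges are
     * needed; only the address part of the bind is being exercised here. */
    int rc_any = bind_local("", 0);
    int rc_lo  = bind_local("127.0.0.1", 0);
    int rc_bad = bind_local("192.0.2.1", 0);   /* RFC 5737 address, not local */

    printf("INADDR_ANY: %d\n127.0.0.1: %d\n192.0.2.1: %d (%s)\n",
           rc_any, rc_lo, rc_bad, rc_bad ? strerror(-rc_bad) : "ok");
    return 0;
}
```

Because the return value carries the errno, the two questions in the original post (access rights or address format) are answered directly: a wrong or non-local address gives -EADDRNOTAVAIL, whereas a port below 1024 as an unprivileged user gives -EACCES.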
Michael Williams
Software Dynamics
mailto:sdynamic@xtra.co.nz
http://www.voyager.co.nz/~michaelw
cell ph: 025 995 914
ph: +64 9 2744876

>>
>> Has anyone used the really cool fwtk IPBind patch for daemon mode plug-gw
>> proxies with success on any of the freeBSD OS versions?
>>
>> I have found it to work exactly as expected under RedHat Linux 6.0 as per
>> the syslog entries at the end of this mail.
>>
>> The documentation clearly states,
>> This patch has been tested and verified on the following systems:
>>
>> Solaris 2.5.1 (sparc)
>> Solaris 2.5 (x86)
>>
>> So I am not expecting too much as it does work on my test RedHat server just
>> not on the freeBSD 3.2 server which happens to be the gateway I want to use
>> this on (:
>>
>> However looking through the source code I can see that under freeBSD it
>> makes it through the create socket call, then the setsockopt call OK but
>> fails on the Bind seeming to not like the address.
>> I am not sure how to figure out if the problem is an access rights issue or
>> perhaps an address:port format issue.
>>
>> A point worth noting is that when configured to bind the port only, then
>> the bind is fine and in fact the proxy works as expected and when run in
>> daemon mode sets up a listener on *.port for all interfaces.
>>
>> I do have an IPFW rulebase loaded on the freeBSD server which does not seem
>> to interfere as the plug-gw behaves fine as bind to port only.
>>
>> Looking through my 4.4BSD books I can see that the bind call is quite happy
>> to bind the address of 0/ and decide on the fly the correct interface and
>> this made me wonder if it wanted to bind to an interface address rather than
>> an IP address?
>>
>> I am starting the proxy with the following,
>> /usr/local/etc/plug-gw -daemon 192.168.30.3:80 -name plug-http
>>
>> Here are the syslog entries from both servers.
>> Hope they come through legible.
>>
>> redhat 6 linux 2.2.15-22 kernel.
>> Aug 23 18:26:17 xmailgate plug-gw[615]: Starting daemon mode on ip 192.168.30.3(192.168.30.3), port 80
>> .
>> .
>> Aug 25 05:10:54 xmailgate plug-gw[1139]: HERE!!! av[0] = 80
>> Aug 25 05:10:54 xmailgate last message repeated 3 times
>> Aug 25 05:10:54 xmailgate plug-gw[1139]: YO!!! localip = 192.168.30.3
>> Aug 25 05:10:54 xmailgate plug-gw[1139]: connect host=sdakx0.xx.xx/192.168.30.10 destination=10.0.30.4/8080
>>
>> freebsd 3.2 kernel
>> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Starting daemon mode on ip 172.16.30.4 (172.16.30.4), port 81
>> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Failed to bind port 81, Can't assign requested address
>>
>> Any helpful comment would be appreciated.
>> Thanks,
>> Mike.
>>
>> Michael Williams
>> Software Dynamics
>> mailto:sdynamic@xtra.co.nz
>> http://www.voyager.co.nz/~michaelw
>> cell ph: 025 995 914
>> ph: +64 9 2744876
>>
>

From owner-fwtk-users@ex.tis.com Wed Aug 25 19:12 EDT 1999
Date: Wed, 25 Aug 1999 21:42:35 +0000 (GMT)
From: Chuck Young
Reply-To: Chuck Young
To: fwtk-users@lists.nai.com, firewall-wizards@nfr.net
Subject: Strange ICMP messages, revisited
I ran into something the other day that explains some of the reported "mysterious pings" and "strange ICMP" messages discussed earlier this year.

Imagine the following scenario: Someone behind a gauntlet/fwtk style firewall whose LAN is using another organization's network mistypes their IP address to a network number which is NOT in the firewall's routing table. For example, they are routing 193.50.65.0/24 internally at the firewall, but that network really belongs to someone else and is routed correctly on the public internet. Now, some (insert least favorite O/S here) user on the LAN decides to bring up his/her box as 193.50.66.3/24 and boots up with NetBEUI and NetBIOS turned on. The packets generated by this horrid thing are directed at the broadcast address and the firewall hears it. Being a good firewall, it does not "do" UDP137 and replies "back" to the offending machine with an ICMP destination unreachable (3/3). However, since the firewall does NOT route 193.50.6[6].0/24 internally, it sends the ICMP packet to the REAL 193.50.66.3 on the other side of the country/world, causing concern at that end as to why some goofy box would send them an ICMP unreachable. After all, they weren't trying to reach the firewall in the first place!

Many times, this is erroneously perceived as an attack or threat. I think it is fair to consider it an unnecessary annoyance which should be dealt with quickly by a polite firewall administrator.

You can confirm this behavior with packet sniffs, filtering for the host IP that received the destination unreachable, on both sides of your firewall. The "rogue" IP is on the inside unknowingly blasting away and the "victim" is on the outside being constantly reminded that they can't get there from here.

I do not know how other firewalls and/or O/S's would handle this situation, but maybe someone else does.
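The scenario above, as an added C example (not from the post and not code from any firewall product): a constructed inside route table containing 193.50.65.0/24, and a reverse-path style check, reply_exits_same_side(), that a firewall could apply before emitting an ICMP unreachable. The names and the table are assumptions for illustration. The point it makes concrete is that a reply to a source address that arrived on the inside interface but is only reachable via the default route is exactly the misdirected packet Chuck describes, so the defensible behaviour is to suppress and log that reply rather than send it to the real owner of the address.

```c
/* Added example: decide whether an ICMP reply to a packet's source address
 * would leave the firewall on the same side the packet arrived on.
 * INSIDE_ROUTES, routed_inside() and reply_exits_same_side() are assumed
 * names for this illustration. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

struct route { const char *prefix; int len; };

/* Constructed table for the scenario in the post: the firewall routes
 * 193.50.65.0/24 (and 10.0.0.0/8) to the inside; everything else takes
 * the default route toward the Internet. */
static const struct route INSIDE_ROUTES[] = {
    { "193.50.65.0", 24 },
    { "10.0.0.0", 8 },
};

static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return -1;
    *out = ntohl(a.s_addr);   /* host byte order so the mask arithmetic reads naturally */
    return 0;
}

static uint32_t mask_for(int len)
{
    if (len <= 0)
        return 0;
    return len >= 32 ? 0xFFFFFFFFu : 0xFFFFFFFFu << (32 - len);
}

/* 1 if src falls inside one of the inside routes, 0 if a packet to it would
 * take the default route, -1 if src is not a valid IPv4 address. */
int routed_inside(const char *src)
{
    uint32_t ip, net;
    size_t i;
    if (parse_ipv4(src, &ip) != 0)
        return -1;
    for (i = 0; i < sizeof INSIDE_ROUTES / sizeof INSIDE_ROUTES[0]; i++) {
        uint32_t m = mask_for(INSIDE_ROUTES[i].len);
        if (parse_ipv4(INSIDE_ROUTES[i].prefix, &net) == 0 && (ip & m) == (net & m))
            return 1;
    }
    return 0;
}

/* Reverse-path check for the reply: 1 when the reply to src would leave on
 * the side the packet came in on, 0 when it would cross to the other side
 * (the misdirected unreachable from the post, or an inside address that
 * arrived from outside), -1 for an unparsable address. */
int reply_exits_same_side(const char *src, int arrived_on_inside)
{
    int inside = routed_inside(src);
    if (inside < 0)
        return -1;
    return inside == (arrived_on_inside ? 1 : 0);
}

int main(void)
{
    const char *rogue = "193.50.66.3";    /* the mistyped address from the post */
    const char *good  = "193.50.65.20";   /* an address the firewall does route inside */

    printf("%s seen on inside: %s\n", rogue,
           reply_exits_same_side(rogue, 1) ? "reply" : "suppress and log (reply would take the default route)");
    printf("%s seen on inside: %s\n", good,
           reply_exits_same_side(good, 1) ? "reply" : "suppress and log");
    return 0;
}
```

Logging the suppressed case gives the administrator the inside host to go and fix, which is the "dealt with quickly by a polite firewall administrator" outcome rather than a puzzled e-mail from the real 193.50.66.3.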
I know you are not supposed to use non-RFC 1918 addresses (which do not belong to you) behind a gateway doing NAT, but people will be people. Many of us can only hope to influence others' networking policies with good consulting/technical support.

I also realize that there are other ways to generate "strange" ICMP messages with all the exploits, scanning tools and whatnot that are around these days, but this one was so easy (after I missed it the first time around) to see, I thought I would share it with anyone who can benefit from it. If this does not settle the matter, your ICMP messages are indeed strange and should be investigated if you cannot otherwise account for them.

Standard apologies if this has been discussed before.

Chuck Young
GTE Internetworking

From owner-fwtk-users@ex.tis.com Wed Aug 25 23:40 EDT 1999
From: "Jimmy Comer"
Subject: http-gw connection resets
Date: Wed, 25 Aug 1999 20:38:19 -0500
Message-ID: <000201beef63$ada19080$3cb441cf@gspnet.com>
I am setting up a firewall on a linux (2.2.11) machine with fwtk 2.1. I am having a problem with connection resets when filling out forms that use cgi. It seems that if I load the firewall by compiling the kernel I get much better results. Any ideas?

Thanks,

From owner-fwtk-users@ex.tis.com Thu Aug 26 03:15 EDT 1999
Message-ID: <19990826153417.A5067@venus.dev.unico.com.au>
Date: Thu, 26 Aug 1999 15:34:17 +1000
From: David Goh
To: fwtk-users@lists.nai.com
Subject: Re: Strange ICMP messages, revisited
Reply-To: david@unico.com.au
In-Reply-To: ; from "Chuck Young" on Wed, Aug 25, 1999 at 09:42:35PM

cyoung@bbnplanet.com (Chuck Young) wrote:
[ firewall with internal routing table and external default gateway ]
> I do not know how other firewalls and/or O/S's would handle this
> situation, but maybe someone else does. I know you are not supposed to
> use non-RFC 1918 addresses (which do not belong to you) behind a gateway
> doing NAT, but people will be people. Many of us can only hope to
> influence others' networking policies with good consulting/technical
> support.

Okay...
this would be solved if you used a DMZ.

Connection to full internet
|
| public IP address
External Firewall Machine
| private IP address
|
| private IP address
Internal Firewall Machine
| internal network IP addresses (hopefully private, but who knows)
|
Internal Network

Then you plug and proxy whatever traffic you need to between the internal and external firewall boxen... And of course, since neither box is doing IP forwarding, things like the misdirected ICMP from the internal network don't go anywhere they shouldn't.

Later,
david
--
| david@unico.com.au (David Goh, Unico Computer Systems, +61-3-9866-5688)
Try not. Do. Or do not. There is no try. -- Yoda

From owner-fwtk-users@ex.tis.com Thu Aug 26 06:21 EDT 1999
In-Reply-To: <000201beef63$ada19080$3cb441cf@gspnet.com>
Date: Thu, 26 Aug 1999 09:41:02 +0100 (BST)
From: Tony Gale
To: Jimmy Comer , avenger@erols.com
Subject: RE: http-gw connection resets
Cc: fwtk-users@lists.nai.com

Apply this patch. Warranty not included.
-tony (Avenger: please add to FAQ - I'll dig out my other bugfix patches as well). On 26-Aug-99 Jimmy Comer wrote: > [To be removed from this list send the message "unsubscribe > fwtk-users" in the > BODY of a mail message to majordomo@ex.tis.com.] > > I am setting up a firewall on a linux (2.2.11) machine with fwtk > 2.1. I am > having a problem with connection resets when filling out forms that > use cgi. > It seems that if I load the firewall by compiling the kernel I get > much > better results. Any Ideas? > > Thanks, --- E-Mail: Tony Gale Isn't air travel wonderful? Breakfast in London, dinner in New York, luggage in Brazil. The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body. --_=XFMail.1.3.p0.Linux:990826094102:14128=_ Content-Disposition: attachment; filename="fwtk-ns-post.patch" Content-Transfer-Encoding: 7bit Content-Description: fwtk-ns-post.patch Content-Type: text/plain; charset=iso-8859-1; name=fwtk-ns-post.patch; SizeOnDisk=612 *** http-gw.c.orig Tue Aug 17 09:54:09 1999 --- http-gw.c Tue Aug 17 09:47:44 1999 *************** *** 1362,1367 **** --- 1362,1383 ---- }else break; } + /* Check if there is a CRLF left in the buffer. + * Netscape sends CRLF on the end of POST commands. 
+ * TRG - 19990817 + */ + { + char str[2]; + int count; + if (ioctl(rfd, FIONREAD, &count) == 0) { + if (count == 2) { + if (recv(rfd, str, 2, MSG_PEEK) == 2) { + if ((str[0] == '\r') && (str[1] == '\n')) + read(rfd, str, 2); + } + } + } + } } return 0; }

From owner-fwtk-users@ex.tis.com Thu Aug 26 06:42 EDT 1999
From: Spencer Marshall
To: fwtk-users@lists.nai.com, firewall-wizards@nfr.net
Subject: port in use error....but it is not....
Date: Thu, 26 Aug 1999 10:07:05 +0100

I have two machines forming my firewall

internet
|
| ppp
ext-firewall (fwtk)
| 172.16.1.1
|
| dmz lan, containing mailserver, webserver etc.
|
|
| 172.16.1.2
int-firewall (ipfwadm) forw with masq
| 192.168.4.1
|
| mil lan (192.168.)
|
|
-------- internal lan
|
wk- station 192.168.4.5 default route gw 192.168.4.1

Users telnet from the "internal lan" to the ext-firewall and using the fwtk tn-gw go off onto the internet without incident. My problem is when users use ftp. They ftp from the "internal lan" to the ext-firewall where they use the ftp-gw to go off onto the internet. Or at least should.
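Review bot: the `if (count == 2)` test in the added block is an exact match, so the trailing CRLF is only consumed when it is the sole thing left in the socket buffer; if the CRLF arrives together with more bytes (count > 2) or the two bytes have not both landed yet (count == 1), it stays in the buffer and the next request parse still sees it. Changing the condition to `count >= 2` covers the first case while the MSG_PEEK still guarantees only a genuine CRLF is discarded. The FIONREAD snapshot is also racy against data arriving between the ioctl and the recv, and the return value of `read(rfd, str, 2)` is ignored, so the code should at least check that read returned 2 before assuming the CRLF is gone.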
ftp to the gw is no problem, and making a connection to an internet ftp site is also no problem, but that is all they can do. If they do a get or ls, they get the error

PORT 172.16.1.2 mismatch 192.168.4.5

However, if I login to the int-firewall and go from there, all is fine, no errors. I thought this might have been a problem with the ftp ipfwadm rules on the int-firewall, but they are the same as those for telnet. I next looked at the fwtk netperm-table but the rules are the same (though separate entries) for ftp-gw and tn-gw.

I am stumped because everything else seems to work okay: tn-gw, http-gw, cmd-gw, telnet to smap, all from 192.168.4.* to 172.16.1.1

All machines including the wk-stations use the following:
RedHat 5.2
kernel 2.0.36

ext-firewall also has fwtk 2.1
int-firewall also uses ipfwadm

Does anyone have any suggestions, please? This is driving me potty.

Many thanks,
Spencer

From owner-fwtk-users@ex.tis.com Thu Aug 26 11:01 EDT 1999
Date: Thu, 26 Aug 1999 09:15:31 -0400 (EDT)
From: Ted Keller
To: Spencer Marshall
cc: fwtk-users@lists.nai.com, firewall-wizards@nfr.net
Subject: Re: port in use error....but it is not....
Spencer, Don't have any suggestions, but I suspect I know what the problem is. ftp opens up a command channel and a data channel. The command channel part is probably working just dandy. The data channel is negotiated using high numbered ports. I suspect this negotiation is failing. There was a patch posted in the archives to disable the high-channel negotiation process and use the standard ftp data port. Possibly that will work here. ted keller On Thu, 26 Aug 1999, Spencer Marshall wrote: > [To be removed from this list send the message "unsubscribe fwtk-users" in the > BODY of a mail message to majordomo@ex.tis.com.] > > > I have two machines forming my firewall > > internet > | > | ppp > ext-firewall (fwtk) > | 172.16.1.1 > | > | dmz lan, containing mailserver, webserver etc. > | > | > | 172.16.1.2 > int-firewall (ipfwadm) forw with masq > | 192.168.4.1 > | > | mil lan (192.168.) > | > | > -------- internal lan > | > wk- station 192.168.4.5 default route gw 192.168.4.1 > > Users telnet from the "internal lan" to the ext-firewall and using the fwtk > tn-gw go off onto the internet without incident. My problem is when users > use ftp. They ftp from the "internal lan" to the ext-firewall where they > use the ftp-gw to go off onto the internet. Or at least should. ftp to the > gw is no problem, and making a connection to an internet ftp site is also no > problem, but that is all they can do. If they do a get or ls, they get the > error > PORT 172.16.1.2 mismatch 192.168.4.5 > However, if I login to the int-firewall and go from there, all is fine, no > errors. I thought this might have been a problem with the ftp ipfwadm rules > on the int-firewall, but they are the same as those for telnet. I next > looked at the fwtk netperm-table but the rules are the same (though separate > entries) for ftp-gw and tn-gw. 
> > I am stumped because everything else seems to work okay, tn-gw, http-gw, > cmd-gw, telnet to smap all from 192.168.4.* to 172.16.1.1 > > all machines including the wk-stations use the following > RedHat 5.2 > kernel 2.0.36 > > ext-firewall also has fwtk 2.1 > > int-firewall also uses ipfwadm > > Does anyone have any suggestions please. This is driving me potty. > > Many thanks, > > Spencer > From owner-fwtk-users@ex.tis.com Thu Aug 26 12:38 EDT 1999 Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id MAA23299 Thu, 26 Aug 1999 12:38:37 -0400 (EDT) Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id JAA20567; Thu, 26 Aug 1999 09:37:50 -0700 (PDT) Received: by ex.tis.com (bulk_mailer v1.11); Thu, 26 Aug 1999 08:00:42 -0700 Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id IAA16837 for fwtk-users-outgoing; Thu, 26 Aug 1999 08:00:21 -0700 (PDT) From: jimmy.comer@nashville.com Reply-to: jimmy.comer@nashville.com To: Tony Gale Cc: fwtk-users@lists.nai.com Date: Thu, 26 Aug 1999 09:39:06 -600 Subject: RE: http-gw connection resets X-Mailer: DMailWeb Web to Mail Gateway 1.8t, http://netwinsite.com/top_mail.htm Message-id: <37c5518a.14e.0@nashville.com> X-User-Info: 207.234.35.140 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by relay2.nai.com id IAA16829 Sender: owner-fwtk-users@lists.tislabs.com Content-Type: text/plain; charset="iso-8859-1" Content-Length: 2201 [To be removed from this list send the message "unsubscribe fwtk-users" in the BODY of a mail message to majordomo@ex.tis.com.] Thanks for the help. It seems to be working perfectly. >This message is in MIME format >--_=XFMail.1.3.p0.Linux:990826094102:14128=_ >Content-Type: text/plain; charset=iso-8859-1 > > >Apply this patch. Warranty not included. > >-tony > >(Avenger: please add to FAQ - I'll dig out my other bugfix patches as >well). 
> > >On 26-Aug-99 Jimmy Comer wrote: >> [To be removed from this list send the message "unsubscribe >> fwtk-users" in the >> BODY of a mail message to majordomo@ex.tis.com.] >> >> I am setting up a firewall on a linux (2.2.11) machine with fwtk >> 2.1. I am >> having a problem with connection resets when filling out forms that >> use cgi. >> It seems that if I load the firewall by compiling the kernel I get >> much >> better results. Any Ideas? >> >> Thanks, > >--- >E-Mail: Tony Gale >Isn't air travel wonderful? Breakfast in London, dinner in New York, >luggage in Brazil. > >The views expressed above are entirely those of the writer >and do not represent the views, policy or understanding of >any other person or official body. > >--_=XFMail.1.3.p0.Linux:990826094102:14128=_ >Content-Disposition: attachment; filename="fwtk-ns-post.patch" >Content-Transfer-Encoding: 7bit >Content-Description: fwtk-ns-post.patch >Content-Type: text/plain; > charset=iso-8859-1; name=fwtk-ns-post.patch; SizeOnDisk=612 > >*** http-gw.c.orig Tue Aug 17 09:54:09 1999 >--- http-gw.c Tue Aug 17 09:47:44 1999 >*************** >*** 1362,1367 **** >--- 1362,1383 ---- > }else > break; > } >+ /* Check if there is a CRLF left in the buffer. >+ * Netscape sends CRLF on the end of POST commands. 
>+ * TRG - 19990817 >+ */ >+ { >+ char str[2]; >+ int count; >+ if (ioctl(rfd, FIONREAD, &count) == 0) { >+ if (count == 2) { >+ if (recv(rfd, str, 2, MSG_PEEK) == 2) { >+ if ((str[0] == '\r') && (str[1] == '\n')) >+ read(rfd, str, 2); >+ } >+ } >+ } >+ } > } > return 0; > } > >--_=XFMail.1.3.p0.Linux:990826094102:14128=_-- >End of MIME message > From owner-fwtk-users@ex.tis.com Thu Aug 26 12:42 EDT 1999 Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id MAA23303 Thu, 26 Aug 1999 12:42:41 -0400 (EDT) Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id JAA20715; Thu, 26 Aug 1999 09:41:52 -0700 (PDT) Received: by ex.tis.com (bulk_mailer v1.11); Thu, 26 Aug 1999 08:12:58 -0700 Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id IAA17260 for fwtk-users-outgoing; Thu, 26 Aug 1999 08:12:32 -0700 (PDT) Message-Id: <3.0.5.32.19990826081116.023f4ec0@132.147.160.252> X-Sender: devin@132.147.160.252 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 26 Aug 1999 08:11:16 -0700 To: Spencer Marshall , fwtk-users@lists.nai.com, firewall-wizards@nfr.net From: Devin Redlich Subject: Re: port in use error....but it is not.... In-Reply-To: Mime-Version: 1.0 Sender: owner-fwtk-users@lists.tislabs.com Content-Type: text/plain; charset="us-ascii" Content-Length: 1222 [To be removed from this list send the message "unsubscribe fwtk-users" in the BODY of a mail message to majordomo@ex.tis.com.] At 10:07 AM 8/26/1999 +0100, Spencer Marshall wrote: >Users telnet from the "internal lan" to the ext-firewall and using the fwtk >tn-gw go off onto the internet without incident. My problem is when users >use ftp. They ftp from the "internal lan" to the ext-firewall where they >use the ftp-gw to go off onto the internet. Or at least should. 
> ftp to the
> gw is no problem, and making a connection to an internet ftp site is also no
> problem, but that is all they can do. If they do a get or ls, they get the
> error
> PORT 172.16.1.2 mismatch 192.168.4.5

I strongly suspect you haven't loaded the ftp masquerading module. Some protocols (like ftp, for one) contain the source addr as part of the data portion of the packet. In your case, masquerading is rewriting the source addr in the header, but isn't touching the data, so there is a source addr mismatch. If you load the ftp masquerading module, it'll rewrite the ftp packets on the fly, making everyone happy.

See http://metalab.unc.edu/LDP/HOWTO/mini/IP-Masquerade-3.html#ss3.1 for more info.

--
Devin Redlich
devin@pctc.com

From owner-fwtk-users@ex.tis.com Fri Aug 27 06:39 EDT 1999
From: Spencer Marshall
To: "'Devin Redlich'" , fwtk-users@lists.nai.com, firewall-wizards@nfr.net, "'Ted Keller'"
Subject: RE: port in use error....but it is not....
Date: Fri, 27 Aug 1999 09:13:13 +0100

Thank you Devin and Ted for your answers. I implemented the ftp_masq, which helped. I could not restrict the port which was used for the data part of the ftp.
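The PORT-versus-peer comparison Devin describes, as an added C example (not the ftp-gw source; parse_port_cmd() and port_cmd_matches_peer() are assumed names): it decodes the six comma-separated numbers of an FTP PORT command and compares the embedded address with the address the control connection actually came from, which is the check that fires when the masquerading box rewrites the IP header but leaves the command payload alone. The sample commands are constructed from the addresses in Spencer's diagram, and the "rewritten" one is what the ftp masquerading module (ip_masq_ftp on 2.0/2.2 kernels) would produce.

```c
/* Added example: the address check behind an FTP proxy's "PORT ... mismatch"
 * error. parse_port_cmd() and port_cmd_matches_peer() are assumed names,
 * not functions from fwtk's ftp-gw. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode "PORT h1,h2,h3,h4,p1,p2" into a dotted-quad string (buffer of at
 * least 16 bytes) and a port number (p1*256 + p2). Returns 0 on success,
 * -1 if there are not six values, any value exceeds 255, or junk follows. */
int parse_port_cmd(const char *line, char ip[16], unsigned *port)
{
    unsigned v[6];
    int used = 0, i;

    if (sscanf(line, "PORT %u,%u,%u,%u,%u,%u%n",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &used) != 6)
        return -1;
    /* only end-of-string or whitespace (the CRLF) may follow the six numbers */
    if (line[used] != '\0' && !isspace((unsigned char)line[used]))
        return -1;
    for (i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;
    snprintf(ip, 16, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = v[4] * 256 + v[5];
    return 0;
}

/* The check that produces the mismatch error: the address carried inside the
 * PORT command must equal the control connection's peer address, otherwise
 * the proxy would be opening a data connection to a third party on the
 * client's say-so. Returns 1 on a match, 0 on a mismatch, -1 if malformed. */
int port_cmd_matches_peer(const char *line, const char *peer_ip, unsigned *port_out)
{
    char ip[16];
    unsigned port;

    if (parse_port_cmd(line, ip, &port) != 0)
        return -1;
    if (port_out)
        *port_out = port;
    return strcmp(ip, peer_ip) == 0;
}

int main(void)
{
    /* Constructed from Spencer's diagram: client 192.168.4.5 sits behind
     * masquerading at 172.16.1.2, so ftp-gw sees the control connection
     * from 172.16.1.2 while an unrewritten PORT still names 192.168.4.5. */
    const char *peer = "172.16.1.2";
    const char *raw  = "PORT 192,168,4,5,4,1\r\n";   /* header masqueraded, payload not */
    const char *masq = "PORT 172,16,1,2,4,1\r\n";    /* as the ftp masquerading module rewrites it */
    unsigned port = 0;

    printf("unrewritten PORT: match=%d\n", port_cmd_matches_peer(raw, peer, &port));
    printf("rewritten PORT:   match=%d (data port %u)\n",
           port_cmd_matches_peer(masq, peer, &port), port);
    return 0;
}
```

The same comparison is why the problem disappears when Spencer logs in on the int-firewall itself: from there the control connection and the PORT payload both carry 172.16.1.2, so nothing needs rewriting.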
I will implement the patch which Ted suggested and report back. A netstat --ip on the ext-firewall indicated ftp-data between the destination and the ftp-gw but a port > 1024 between ftp-gw and the internal machine. Many thanks, Spencer > -----Original Message----- > From: Ted Keller [mailto:keller@bfg.com] > Sent: 26 August 1999 14:16 > To: Spencer Marshall > Cc: fwtk-users@lists.nai.com; firewall-wizards@nfr.net > Subject: Re: port in use error....but it is not.... > > > Spencer, > > Don't have any suggestions, but I suspect I know what the problem is. > > ftp opens up a command channel and a data channel. The > command channel > part is probably working just dandy. The data channel is > negotiated using > high numbered ports. I suspect this negotiation is failing. > > There was a patch posted in the archives to disable the high-channel > negotiation process and use the standard ftp data port. Possibly that > will work here. > > ted keller > > > On Thu, 26 Aug 1999, Spencer Marshall wrote: > > > [To be removed from this list send the message "unsubscribe > fwtk-users" in the > > BODY of a mail message to majordomo@ex.tis.com.] > > > > > > I have two machines forming my firewall > > > > internet > > | > > | ppp > > ext-firewall (fwtk) > > | 172.16.1.1 > > | > > | dmz lan, containing mailserver, webserver etc. > > | > > | > > | 172.16.1.2 > > int-firewall (ipfwadm) forw with masq > > | 192.168.4.1 > > | > > | mil lan (192.168.) > > | > > | > > -------- internal lan > > | > > wk- station 192.168.4.5 default route gw 192.168.4.1 > > > > Users telnet from the "internal lan" to the ext-firewall > and using the fwtk > > tn-gw go off onto the internet without incident. My > problem is when users > > use ftp. They ftp from the "internal lan" to the > ext-firewall where they > > use the ftp-gw to go off onto the internet. Or at least > should. 
> > ftp to the gw is no problem, and making a connection to an internet ftp site is also no
> > problem, but that is all they can do. If they do a get or ls, they get the
> > error
> > PORT 172.16.1.2 mismatch 192.168.4.5
> > However, if I login to the int-firewall and go from there, all is fine, no
> > errors. I thought this might have been a problem with the ftp ipfwadm rules
> > on the int-firewall, but they are the same as those for telnet. I next
> > looked at the fwtk netperm-table but the rules are the same (though separate
> > entries) for ftp-gw and tn-gw.
> >
> > I am stumped because everything else seems to work okay, tn-gw, http-gw,
> > cmd-gw, telnet to smap all from 192.168.4.* to 172.16.1.1
> >
> > all machines including the wk-stations use the following
> > RedHat 5.2
> > kernel 2.0.36
> >
> > ext-firewall also has fwtk 2.1
> >
> > int-firewall also uses ipfwadm
> >
> > Does anyone have any suggestions please. This is driving me potty.
> >
> > Many thanks,
> >
> > Spencer
> >

> -----Original Message-----
> From: Devin Redlich [mailto:devin@pctc.com]
> Sent: 26 August 1999 16:11
> To: Spencer Marshall; fwtk-users@lists.nai.com; firewall-wizards@nfr.net
> Subject: Re: port in use error....but it is not....
>
> At 10:07 AM 8/26/1999 +0100, Spencer Marshall wrote:
> >Users telnet from the "internal lan" to the ext-firewall and using the fwtk
> >tn-gw go off onto the internet without incident. My problem is when users
> >use ftp. They ftp from the "internal lan" to the ext-firewall where they
> >use the ftp-gw to go off onto the internet. Or at least should. ftp to the
> >gw is no problem, and making a connection to an internet ftp site is also no
> >problem, but that is all they can do. If they do a get or ls, they get the
> >error
> >PORT 172.16.1.2 mismatch 192.168.4.5
>
> I strongly suspect you haven't loaded the ftp masquerading module.
> Some protocols (like ftp, for one) contain the source addr as part of the data
> portion of the packet. In your case, masquerading is rewriting the source
> addr in the header, but isn't touching the data, so there is a source addr
> mismatch. If you load the ftp masquerading module, it'll rewrite the ftp
> packets on the fly, making everyone happy.
>
> See http://metalab.unc.edu/LDP/HOWTO/mini/IP-Masquerade-3.html#ss3.1 for more info.

--
Devin Redlich
devin@pctc.com

From owner-fwtk-users@ex.tis.com Fri Aug 27 10:21 EDT 1999
From: yacketta@kodak.com
To: fwtk-users@lists.nai.com
Message-ID: <852567DA.0044F3BB.00@knotes.kodak.com>
Date: Fri, 27 Aug 1999 08:36:23 -0400
Subject: Mandrake 6.0 - tn-gw

From: Ronald A. Yacketta

Hello all!

I just went from RH 6.0 which uses /usr/sbin/in.telnetd to Mandrake which appears to use /usr/sbin/tcpd telnet.

My question is this, in RH6.0 my inetd.conf had a telnet line similar to the following:

telnet stream tcp nowait root /usr/local/etc/netcal in.telnetd

seeing that Mandrake (from what I can tell) uses "/usr/sbin/tcpd telnet" (a tcp wrapper) what would be the proper config for inetd.conf to use netcal?
I tried:

telnet stream tcp nowait root /usr/local/etc/netcal tcpd

and

telnet stream tcp nowait root /usr/local/etc/netcal tcpd telnet

I would paste a copy of my netperm-table entry, but unfortunately I am at work and unable to access the server.

Thanks in advance

From owner-fwtk-users@ex.tis.com Fri Aug 27 10:58 EDT 1999
From: Naveen_Malhotra@ACML.COM
To: fwtk-users@lists.nai.com
Message-ID: <852567DA.004985A2.00@njmta1.acml.com>
Date: Fri, 27 Aug 1999 09:22:20 -0400
Subject: Log files

Hi fwtk "gurus",

I'm new to fwtk, your help would be highly appreciated.

'I have configured the FTP Proxy Server from the toolkit; is it possible to restrict the destination sites to which the users can connect to through the ftp proxy? Is it possible to get this info in the logs?'

Thanks in advance for your time and help.
Regards,
Naveen Malhotra

From owner-fwtk-users@ex.tis.com Fri Aug 27 15:59 EDT 1999
Message-ID: <000801bef0b7$fc47d500$02b9a8c0@inside>
From: "Paul Whelan"
Subject: Re: Mandrake 6.0 - tn-gw
Date: Fri, 27 Aug 1999 14:14:21 -0400

You want to use either netacl or tcpd, not both (seeing as they are both trying to do the same thing--access control).
You want to use something like this in /etc/inetd.conf:

telnet stream tcp nowait root /usr/local/etc/netcal in.telnetd

in /usr/local/etc/netperm-table:

netacl-in.telnetd: permit-hosts xxx.xxx.xxx.xxx -exec /usr/sbin/in.telnetd

(to run regular telnet server)

or in /etc/inetd.conf:

telnet stream tcp nowait root /usr/local/etc/tn-gw tn-gw

in /usr/local/etc/netperm-table:

tn-gw: permit-hosts xx.xx.xx.xx -auth (or -passok)

(to run the telnet gateway)

Paul

-----Original Message-----
From: yacketta@kodak.com
To: fwtk-users@lists.nai.com
Date: Friday, August 27, 1999 11:21 AM
Subject: Mandrake 6.0 - tn-gw

>From: Ronald A. Yacketta
>
>Hello all!
>
>I just went from RH 6.0 which uses /usr/sbin/in.telnetd to Mandrake
>which appears to use /usr/sbin/tcpd telnet.
>
>My question is this, in RH6.0 my inetd.conf had a telnet line similar to
>the following:
>telnet stream tcp nowait root /usr/local/etc/netcal in.telnetd
>
>seeing that Mandrake (from what I can tell) uses "/usr/sbin/tcpd telnet" (a
> tcp wrapper) what would be the proper config
>for inetd.conf to use netcal?
>I tried:
>telnet stream tcp nowait root /usr/local/etc/netcal tcpd
>and
>telnet stream tcp nowait root /usr/local/etc/netcal tcpd telnet
>
>I would paste a copy of my netperm-table entry, but unfortunately I am at
>work and unable to access the server.
>
>Thanks in advance
>

From owner-fwtk-users@ex.tis.com Fri Aug 27 16:15 EDT 1999
Message-Id: <199908271844.OAA25943@fw1-b.osis.gov>
From: Joseph S D Yao
Subject: Re: Log files
To: Naveen_Malhotra@ACML.COM
Date: Fri, 27 Aug 1999 14:44:31 -0400 (EDT)
Cc: fwtk-users@lists.nai.com
In-Reply-To: <852567DA.004985A2.00@njmta1.acml.com> from "Naveen_Malhotra@ACML.COM" at Aug 27, 99 09:22:20 am

> 'I have configured the FTP Proxy Server from the toolkit; is it possible to
> restrict the destination sites to which the users can connect to through the ftp
> proxy?

Use 'permit-hosts' and 'deny-hosts' in netperm-table.

> Is it possible to get this info in the logs?'

I believe that it already goes there.

--
Joe Yao                                 jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
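Devin Redlich's diagnosis earlier in this digest (the "PORT 172.16.1.2 mismatch 192.168.4.5" thread) rests on FTP carrying the client's own address inside the PORT command; the following is an added example, not code from the list or from FWTK, that parses PORT, applies the proxy-side mismatch check an ftp-gw style proxy makes, and performs the payload rewrite an FTP-aware masquerading module adds on top of plain header NAT. Function names and the sample addresses (Spencer's workstation 192.168.4.5 masqueraded as 172.16.1.2) are assumptions drawn from that thread.

```c
/* Added example, not code from the fwtk-users list or from FWTK: what an
 * FTP PORT command carries, the check a proxy such as ftp-gw makes against
 * it, and the payload rewrite an FTP-aware masquerading module performs.
 * Function names and the sample addresses (workstation 192.168.4.5
 * masqueraded as 172.16.1.2, as in Spencer's diagram) are constructed.
 *
 * Build: cc -std=c99 -Wall ftp_port.c
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Parse "PORT h1,h2,h3,h4,p1,p2" (optionally followed by CRLF) into a
 * dotted-quad address and a 16-bit port.  Returns 1 on success, 0 when
 * the command is malformed (RFC 959 requires each field to be 0..255). */
int parse_port_cmd(const char *line, char ip[INET_ADDRSTRLEN], uint16_t *port)
{
    unsigned v[6];
    char extra = '\0';
    int n = sscanf(line, "PORT %u,%u,%u,%u,%u,%u%c",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &extra);
    if (n < 6)
        return 0;
    if (n == 7 && extra != '\r' && extra != '\n')   /* trailing junk */
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;
    snprintf(ip, INET_ADDRSTRLEN, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = (uint16_t)(v[4] * 256 + v[5]);
    return 1;
}

/* The proxy-side check: the address announced in PORT must equal the peer
 * address of the control connection.  Returns 1 on mismatch (this is what
 * ftp-gw reports as "PORT <announced> mismatch <peer>" and refuses, which
 * also blocks FTP bounce attempts), 0 when they agree, -1 on a parse error. */
int port_mismatch(const char *port_cmd, const char *control_peer_ip)
{
    char ip[INET_ADDRSTRLEN];
    uint16_t port;
    if (!parse_port_cmd(port_cmd, ip, &port))
        return -1;
    return strcmp(ip, control_peer_ip) != 0;
}

/* What the ftp masquerading module adds on top of plain header NAT: the
 * private address inside the PORT payload is replaced by the masquerading
 * address, the port bytes are kept.  Writes "PORT ...\r\n" into out and
 * returns 1, or 0 if the input or masq_ip is malformed or out is too small. */
int masq_rewrite_port(const char *port_cmd, const char *masq_ip,
                      char *out, size_t outlen)
{
    char ip[INET_ADDRSTRLEN];
    uint16_t port;
    struct in_addr a;
    if (!parse_port_cmd(port_cmd, ip, &port))
        return 0;
    if (inet_pton(AF_INET, masq_ip, &a) != 1)
        return 0;
    const unsigned char *b = (const unsigned char *)&a.s_addr; /* network byte order */
    int n = snprintf(out, outlen, "PORT %u,%u,%u,%u,%u,%u\r\n",
                     (unsigned)b[0], (unsigned)b[1], (unsigned)b[2], (unsigned)b[3],
                     (unsigned)(port >> 8), (unsigned)(port & 0xff));
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed sample: the workstation's own PORT, data port 4*256+1 = 1025. */
    const char *cmd = "PORT 192,168,4,5,4,1\r\n";
    char fixed[64];

    printf("header NAT only : mismatch=%d\n", port_mismatch(cmd, "172.16.1.2"));
    if (masq_rewrite_port(cmd, "172.16.1.2", fixed, sizeof fixed))
        printf("with ftp masq   : %.*s  mismatch=%d\n",
               (int)strcspn(fixed, "\r\n"), fixed,
               port_mismatch(fixed, "172.16.1.2"));
    return 0;
}
```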
From owner-fwtk-users@ex.tis.com Fri Aug 27 16:15 EDT 1999
Message-Id: <199908271842.OAA18853@fw1-a.osis.gov>
From: Joseph S D Yao
Subject: Re: Mandrake 6.0 - tn-gw
To: yacketta@kodak.com
Date: Fri, 27 Aug 1999 14:42:40 -0400 (EDT)
Cc: fwtk-users@lists.nai.com
In-Reply-To: <852567DA.0044F3BB.00@knotes.kodak.com> from "yacketta@kodak.com" at Aug 27, 99 08:36:23 am

I don't understand the alternatives. In both cases, chuck out the existing telnet daemon completely, and use 'tn-gw'.

--
Joe Yao                                 jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
From owner-fwtk-users@ex.tis.com Fri Aug 27 18:42 EDT 1999
From: sjha@omnipoint.com
Message-ID: <81F84374BF62D1118E6900805FBECF9C0167C3D3@omnipoint.com>
To: fwtk-users@lists.nai.com
Subject: TIS set up
Date: Fri, 27 Aug 1999 15:01:24 -0600

I am not able to install TIS FWTK on Linux redhat 6.0, kernel 2.2.9. I tried all as told in HOW-TO-TIS FWTK. Error message is not helpful. Any idea what I am missing?
Tia,
san

From owner-fwtk-users@ex.tis.com Fri Aug 27 21:05 EDT 1999
From: sjha@omnipoint.com
Message-ID: <81F84374BF62D1118E6900805FBECF9C0167C3D5@omnipoint.com>
To: fwtk-users@lists.nai.com
Subject: FW: TIS set up
Date: Fri, 27 Aug 1999 17:23:58 -0600

The exact error after typing "#make install" in the fwtk directory is as below:
___________________________________
:No such file or directoryg
'. Stop.
No rule to make target 'Makefile.config'
__________________________________________

Thanks,
Sanjeev

-----Original Message-----
From: Ted Keller [mailto:keller@bfg.com]
Sent: Friday, August 27, 1999 5:11 PM
To: sjha@omnipoint.com
Subject: Re: TIS set up

Tia,

Can you indicate the errors you are getting?

ted keller

On Fri, 27 Aug 1999 sjha@omnipoint.com wrote:

> I am not able to install TIS FWTK on Linux redhat 6.0, kernel 2.2.9. I
> tried all as told in HOW-TO-TIS FWTK. Error message is not helpful.
> Any idea, what I am missing ?
>
> Tia,
> san
>

From owner-fwtk-users@ex.tis.com Fri Aug 27 21:34 EDT 1999
From: sjha@omnipoint.com
Message-ID: <81F84374BF62D1118E6900805FBECF9C0167C3D6@omnipoint.com>
To: keller@bfg.com
Subject: RE: TIS set up
Date: Fri, 27 Aug 1999 18:02:53 -0600

I did move Makefile.config.linux to Makefile.config and followed all instructions as in the HOWTO docs. But I am not sure what changes need to be done in firewall.h??

Thanks for replying.
Sanjeev

-----Original Message-----
From: Ted Keller [mailto:keller@bfg.com]
Sent: Friday, August 27, 1999 5:46 PM
To: sjha@omnipoint.com
Subject: RE: TIS set up

Sanjeev,

Did you configure your Makefile.config file? This needs to be set for your system specifics. First copy the Makefile.config.linux to Makefile.config. Then edit as required - normally directory settings.

Also, make sure you take a good look at firewall.h. That file also may need setting-up.

ted keller

On Fri, 27 Aug 1999 sjha@omnipoint.com wrote:

> The exact error after typing "#make install" in the fwtk directory is as below
> :-
> ___________________________________
>
> :No such file or directoryg
> '. Stop.
> No rule to make target 'Makefile.config'
> __________________________________________
>
> Thanks,
> Sanjeev
> -----Original Message-----
> From: Ted Keller [mailto:keller@bfg.com]
> Sent: Friday, August 27, 1999 5:11 PM
> To: sjha@omnipoint.com
> Subject: Re: TIS set up
>
> > I am not able to install TIS FWTK on Linux redhat 6.0, kernel 2.2.9. I
> > tried all as told in HOW-TO-TIS FWTK. Error message is not helpful.
> > Any idea, what I am missing ?
> >
> > Tia,
> > san
> >

From owner-fwtk-users@ex.tis.com Sat Aug 28 06:44 EDT 1999
From: "Pazhamalai"
Subject: Problem using ftp-gw with FWTK
Date: Sat, 28 Aug 1999 14:01:57 +0530
Message-ID: <002501bef12f$caec6700$5f1aa4a4@Arya.wipsys.soft.net>

Hi All,

Background: Slackware Linux System with Kernel 2.0.35 running TIS FTP/Telnet Proxy & TIS-FWTK version 2.0

Problem: If I start an ftp session and come out of it, I can see that the session is not completely closed and it takes nearly 8-10 minutes to close the session.
Because of this the ftp daemon gets killed and if you try a new connection, we get the error "Connection refused". And it starts working fine after inetd is restarted. Changed the permission from ftp-gw to in.ftpd, it starts working fine.

Need some inputs as to how to go about it. The truss output does not show anything. No messages are given in the messages file.

Any help in this regard will be highly appreciated.

TIA
Jp

From owner-fwtk-users@ex.tis.com Sat Aug 28 16:09 EDT 1999
Date: Sat, 28 Aug 1999 11:19:54 -0700
From: Tor Perkins <3c9x5@altabates.com>
To: fwtk-users@lists.nai.com
Subject: Re: how can I realize a DMZ with fwtk ?
Message-ID: <19990828111954.A30439@itorp2c1.altabates.com>
References: <19990809153415.23347.rocketmail@send205.yahoomail.com>
In-Reply-To: <19990809153415.23347.rocketmail@send205.yahoomail.com>; from Rude Yak on Mon, Aug 09, 1999 at 08:34:15AM -0700
On Mon, Aug 09, 1999 at 08:34:15AM -0700, Rude Yak wrote:
>
> The difference is the first setup offers little to protect your publicly
> accessible machines whereas the second does.
>
> #1
>            [INTERNET, ROUTER]
>                  \   /
>                   DMZ
>                  /   \
>         [FIREWALL NIC PUBLIC]
>                [FWTK]
>         [FIREWALL NIC PRIVATE]
>                  /   \
>           [Private Network]
>
> #2
>            [INTERNET, ROUTER]
>                    \/
>                  [NIC1]
>         FIREWALL [NIC3]<-------->DMZ (for all publicly available servers)
>                  [NIC2]
>                    /\
>           [INTERNAL NETWORK]

Option #1 looks a bit better in this regard if your router is a cisco router with the "Cisco IOS Firewall Feature Set". This is a state inspection implementation. It's like having a CheckPoint firewall as your router (minus the irritating GUI :). This is a nice way to protect your web server on some DMZ host as well as keeping funky packets away from the FWTK.

For more info, refer to:

http://www.cisco.com/warp/public/cc/cisco/mkt/security/iosfw/prodlit/fire_ds.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/fw3600.htm

- Tor

From owner-fwtk-users@ex.tis.com Sun Aug 29 13:39 EDT 1999
Message-ID: <37C95834.CE241A72@MediaOne.Net>
Date: Sun, 29 Aug 1999 11:56:36 -0400
From: Mario Cosenza
To: fwtk-users@ex.tis.com
Subject: Java Slowness?
References: <199908201610.MAA23099@fw1-a.osis.gov>

Whenever one of my clients goes to a site containing Java code (for the first time), everything loads and the browser claims that the document is "Done". But the Java windows do not load. If the clients wait for 2-3 minutes (depending on the amount of code) after the page is loaded, the Java code finally loads and runs normally. Refreshing does not make the code load any faster. Of course the firewall box (directly connected to the internet) works fine.

I'm running RedHat 6.0 with fwtk 2.1 (+ misc patches). Is there a patch to fix this?

Thanks,
Mario

From owner-fwtk-users@ex.tis.com Sun Aug 29 13:39 EDT 1999
To: ombre@iae.nl
To: freebsd-security@freebsd.org
Message-ID: <004a01beef3a$ed56c160$061ea8c0@sdk6.sd.co.nz>
From: "Michael Williams"
X-Old-To: "William L.
Hamlin"
Subject: Re: IPBind patch for fwtk on freeBSD 3.2
Date: Thu, 26 Aug 1999 08:46:36 +1200

Bill,

Thanks for your quick response. Sorry for my slow reply.. NZ time is way different.

If socket programming is bordering off the correct topic for freebsd-security perhaps one of the freeBSD team could let me know, in which case we could post the resolution only to freebsd-security :)

>
>Which version of IPBind are you using? If you are using anything older
>than 1.2, get the newest one - that will probably be your problem. There
>are known issues with earlier versions attempting to bind specific IP
>addresses on some systems.
>

Oops, silly of me to include the version of everything but the IPBind code. Version 1.2 already (:

>
>My next suggestion would be to verify that the IP address you are
>specifying (172.16.30.4) is indeed the one that you want to use and that
>it is correctly configured on the local machine. I know this sounds
>basic, but most of the problem e-mails I get regarding the patch end up
>being this very problem. A good sign of a computer nut is that his eyes
>are almost completely blurry from working all night...
>

Good suggestion just the same. I can bind the plug-gw by port only and connect via the IP address in question. First I started with an alias IP & then moved on to using the base adapter IP which I know works.

An interesting direct reply I had suggested that FreeBSD requires the entire sockaddr_in structure to be bzero'ed before assigning the address.
In the mean time I have found the socket-address template structure and a sample diagram for the Internet-domain socket name (Design & Implementation of 4.4 BSD) showing the layout as follows:

    sa_len, sa_family, sa_data
    1-byte, 1-byte,    variable-length

Which in this case should be:

    sin_len, AF_INET, sin_port, sin_addr, sin_zero

My 'c' code is very rusty but I will follow this up.

I use freeBSD on a number of production servers in various secure roles and find it to be the most interesting, fun and stable OS of any I have ever used :)

Mike.

Michael Williams
Software Dynamics
mailto:sdynamic@xtra.co.nz
http://www.voyager.co.nz/~michaelw
cell ph: 025 995 914
ph: +64 9 2744876

>>
>> Has anyone used the really cool fwtk IPBind patch for daemon mode plug-gw
>> proxies with success on any of the freeBSD OS versions?
>>
>> I have found it to work exactly as expected under RedHat Linux 6.0 as per
>> the syslog entries at the end of this mail.
>>
>> The documentation clearly states,
>> This patch has been tested and verified on the following systems:
>>
>> Solaris 2.5.1 (sparc)
>> Solaris 2.5 (x86)
>>
>> So I am not expecting too much as it does work on my test RedHat server just
>> not on the freeBSD 3.2 server which happens to be the gateway I want to use
>> this on (:
>>
>> However looking through the source code I can see that under freeBSD it
>> makes it through the create socket call, then the setsockopt call OK but
>> fails on the Bind seeming to not like the address.
>> I am not sure how to figure out if the problem is an access rights issue or
>> perhaps an address:port format issue.
>>
>> A point worth noting is that when configured to bind the port only, then
>> the bind is fine and in fact the proxy works as expected and when run in
>> daemon mode sets up a listener on *.port for all interfaces.
>>
>> I do have an IPFW rulebase loaded on the freeBSD server which does not seem
>> to interfere as the plug-gw behaves fine as bind to port only.
>>
>> Looking through my 4.4BSD books I can see that the bind call is quite happy
>> to bind the address of 0/ and decide on the fly the correct interface and
>> this made me wonder if it wanted to bind to an interface address rather than
>> an IP address?
>>
>> I am starting the proxy with the following,
>> /usr/local/etc/plug-gw -daemon 192.168.30.3:80 -name plug-http
>>
>> Here are the syslog entries from both servers.
>> Hope they come through legible.
>>
>> redhat 6 linux 2.2.15-22 kernel.
>> Aug 23 18:26:17 xmailgate plug-gw[615]: Starting daemon mode on ip
>> 192.168.30.3(192.168.30.3), port 80
>> .
>> .
>> Aug 25 05:10:54 xmailgate plug-gw[1139]: HERE!!! av[0] = 80
>> Aug 25 05:10:54 xmailgate last message repeated 3 times
>> Aug 25 05:10:54 xmailgate plug-gw[1139]: YO!!! localip = 192.168.30.3
>> Aug 25 05:10:54 xmailgate plug-gw[1139]: connect
>> host=sdakx0.xx.xx/192.168.30.10 destination=10.0.30.4/8080
>>
>>
>> freebsd 3.2 kernel
>> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Starting daemon mode on ip
>> 172.16.30.4
>> (172.16.30.4), port 81
>> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Failed to bind port 81, Can't
>> assign requested address
>>
>> Any helpful comment would be appreciated.
>> Thanks,
>> Mike.
>>
>> Michael Williams
>> Software Dynamics
>> mailto:sdynamic@xtra.co.nz
>> http://www.voyager.co.nz/~michaelw
>> cell ph: 025 995 914
>> ph: +64 9 2744876
>>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-fwtk-users@ex.tis.com Sun Aug 29 22:59 EDT 1999
Message-Id: <199908300109.SAA03717@relay2.nai.com>
Date: Mon, 30 Aug 1999 9:8:34 +0800
From: Liu Jianwei
To: "fwtk-users@lists.nai.com"
Subject: Skey problem
Organization: HiSense

Hi, Sirs:

I have made tn-gw, ftp-gw, http-gw go through without authentication (based on RH6.0 and FWTK2.0). The problem is I don't know how I use the Skey to set up an authentication server. I have installed Skey, but I don't know how the server authenticates the guest hosts. Can you show me a clue?
Liu

From owner-fwtk-users@ex.tis.com Mon Aug 30 15:24 EDT 1999
Date: Mon, 30 Aug 1999 09:51:25 -0700 (PDT)
From: Eugene Chupkin
To: fwtk-users@ex.tis.com
Subject: Pass IP of originating host through the plug proxy
In-Reply-To: <002501bef12f$caec6700$5f1aa4a4@Arya.wipsys.soft.net>

Is it possible to pass the originating host IP through the plug proxy so the machine on the secure network will see where the connection came from?
I'm using fwtk 5.1 on Linux 2.2

From owner-fwtk-users@ex.tis.com Mon Aug 30 16:01 EDT 1999
Message-ID: <37CACDE5.82512BBE@lssi.org>
Date: Mon, 30 Aug 1999 13:31:01 -0500
From: Marcin Budzik
Organization: Lutheran Social Services of Illinois
To: fwtk-users@ex.tis.com
Subject: virus scan

Does anybody know of, or recommend, virus scan software for FWTK running on Linux? Basically, I will need all incoming and outgoing mail messages (and attachments) scanned.
I know that there are products for NT, but not sure about Linux.

Thanks,
Marcin

From owner-fwtk-users@ex.tis.com Mon Aug 30 16:27 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id QAA05739 Mon, 30 Aug 1999 16:27:38 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id NAA18249; Mon, 30 Aug 1999 13:26:42 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Mon, 30 Aug 1999 11:54:00 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id LAA15293 for fwtk-users-outgoing; Mon, 30 Aug 1999 11:53:39 -0700 (PDT)
Message-ID: <37CAD37F.D10AA4E1@v-one.com>
Date: Mon, 30 Aug 1999 14:54:55 -0400
From: Keith Young
Organization: V-ONE
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Eugene Chupkin
CC: fwtk-users@ex.tis.com
Subject: Re: Pass IP of originating host through the plug proxy
References:
Content-Transfer-Encoding: 7bit
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset=us-ascii
Content-Length: 758

Eugene Chupkin wrote:
>
> Is it possible to pass the originating host IP through the plug proxy so
> the machine on the secure network will see where the connection came from?

No, since the originating host is making the connection to the external interface and the internal interface is making the connection to the server.

I could explain this more, but the Firewalls FAQ will do it better:
http://www.clark.net/pub/mjr/pubs/fwfaq/index.htm
(look in the "Design" section)

--Keith
-kyoung@v-one.com

FYI... for those who asked, fwtk.org will get updated very soon (within a week) with tons of new info and patches/addons...
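To make Keith's answer concrete, the following is an added example written for this page; it is not fwtk's plug-gw and not code from anyone in the thread. It runs a one-shot plug-gw style relay end to end on loopback (the addresses and ports are assumptions) so you can see what each of the three parties observes: the client connects to the proxy, the proxy accepts that connection and then originates a brand-new TCP connection to the server, so the server's accept() returns the proxy's own socket address. The client's real address exists only on the proxy, which is why the proxy's log is the record you have to correlate against the server's.

```python
# Added example for this page (not fwtk's plug-gw): a one-shot plug-gw style
# TCP relay run end to end on loopback, to show why the server behind the
# proxy cannot see the original client. Addresses and ports are assumptions.
import socket
import threading

LOOPBACK = "127.0.0.1"          # assumption: client, proxy and server on one host
socket.setdefaulttimeout(5)     # fail loudly instead of hanging if a step stalls


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the far end
    sees EOF too (a relay has to propagate the close in each direction)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def listener():
    """Listening socket on an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LOOPBACK, 0))
    s.listen(1)
    return s


def plug_proxy(lsock, target, log):
    """Accept one client, then originate a *new* TCP connection to target and
    relay both directions. The client's real address is known only here, so
    this is where it must be logged (plug-gw does that via syslog)."""
    client, client_addr = lsock.accept()
    upstream = socket.create_connection(target)
    # What the proxy knows versus what the server is going to see:
    log.append({"client": client_addr, "proxy_side": upstream.getsockname()})
    t = threading.Thread(target=_pump, args=(client, upstream))
    t.start()
    _pump(upstream, client)
    t.join()
    upstream.close()
    client.close()


def echo_server(lsock, seen):
    """The machine on the secure network: it records the peer it believes
    connected to it, then echoes whatever it receives."""
    conn, peer = lsock.accept()
    seen.append(peer)
    _pump(conn, conn)
    conn.close()


def demo(payload=b"hello"):
    """Run client -> proxy -> server on loopback; return what each side saw."""
    srv_l, prx_l = listener(), listener()
    seen, log = [], []
    ts = threading.Thread(target=echo_server, args=(srv_l, seen))
    tp = threading.Thread(target=plug_proxy, args=(prx_l, srv_l.getsockname(), log))
    ts.start()
    tp.start()
    c = socket.create_connection(prx_l.getsockname())
    client_addr = c.getsockname()
    c.sendall(payload)
    c.shutdown(socket.SHUT_WR)
    reply = b""
    while True:
        chunk = c.recv(4096)
        if not chunk:
            break
        reply += chunk
    c.close()
    ts.join()
    tp.join()
    srv_l.close()
    prx_l.close()
    return {
        "reply": reply,
        "client": client_addr,           # the real source of the session
        "proxy_log": log[0]["client"],   # what the proxy can log (== client)
        "proxy_side": log[0]["proxy_side"],
        "server_saw": seen[0],           # what the server's accept() returned
    }


if __name__ == "__main__":
    r = demo()
    print("client really is :", r["client"])
    print("proxy logged     :", r["proxy_log"])
    print("server saw peer  :", r["server_saw"], "(the proxy's own socket)")
```

On loopback all three parties share the address 127.0.0.1, so the difference shows up in the port: the server's peer is the proxy's upstream socket, not the client's. On a real dual-homed firewall the server would see the firewall's inside interface address instead, which is exactly the point Keith makes.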
From owner-fwtk-users@ex.tis.com Mon Aug 30 17:50 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id RAA05868 Mon, 30 Aug 1999 17:50:18 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id OAA22470; Mon, 30 Aug 1999 14:48:58 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Mon, 30 Aug 1999 13:09:55 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id NAA17580 for fwtk-users-outgoing; Mon, 30 Aug 1999 13:09:30 -0700 (PDT)
Message-ID:
From: "Biggerstaff, Brice"
To: Eugene Chupkin , "'Keith Young'"
Cc: fwtk-users@ex.tis.com
Subject: RE: Pass IP of originating host through the plug proxy
Date: Mon, 30 Aug 1999 15:02:57 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain
Content-Length: 1365

Doesn't the 'transparency' patch achieve what Eugene wants to do? We have similar interests and I have been looking at this but have not had a chance to look too deep.

Brice
brice.biggerstaff@csoconline.com

> ----------
> From: Keith Young[SMTP:kyoung@v-one.com]
> Sent: Monday, August 30, 1999 1:54 PM
> To: Eugene Chupkin
> Cc: fwtk-users@ex.tis.com
> Subject: Re: Pass IP of originating host through the plug proxy
>
> Eugene Chupkin wrote:
> >
> > Is it possible to pass the originating host IP through the plug proxy so
> > the machine on the secure network will see where the connection came
> from?
>
> No, since the originating host is making the connection to the external
> interface and the internal interface is making the connection to the
> server.
>
> I could explain this more, but the Firewalls FAQ will do it better:
> http://www.clark.net/pub/mjr/pubs/fwfaq/index.htm
> (look in the "Design" section)
>
> --Keith
> -kyoung@v-one.com
>
> FYI... for those who asked, fwtk.org will get updated very soon (within
> a week) with tons of new info and patches/addons...
>

From owner-fwtk-users@ex.tis.com Mon Aug 30 17:52 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id RAA05872 Mon, 30 Aug 1999 17:52:38 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id OAA22553; Mon, 30 Aug 1999 14:51:29 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Mon, 30 Aug 1999 13:23:49 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id NAA18082 for fwtk-users-outgoing; Mon, 30 Aug 1999 13:23:23 -0700 (PDT)
Message-ID: <37CAE885.AF155172@v-one.com>
Date: Mon, 30 Aug 1999 16:24:37 -0400
From: Keith Young
Organization: V-ONE
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Biggerstaff, Brice"
CC: Eugene Chupkin , fwtk-users@ex.tis.com
Subject: Re: Pass IP of originating host through the plug proxy
References:
Content-Transfer-Encoding: 7bit
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset=us-ascii
Content-Length: 893

"Biggerstaff, Brice" wrote:
>
> Doesn't the 'transparency' patch achieve what Eugene wants to do? We have
> similar interests and I have been looking at this but have not had a chance
> to look too deep.

As far as I know, the "transparency" patch will only allow you to avoid setting the proxies to the firewall; instead you just point to it in your default route.
Otherwise, it's still a proxy-based system; the firewall interfaces connect directly with the machines, and the machines never see packets from each other. The only way for you to make the above happen is to use a packet-filtering-based firewall. They are less secure but will do what you want to do. For details on packet filtering vs proxies, refer to the Firewall FAQ.

--Keith
-kyoung@v-one.com

From owner-fwtk-users@ex.tis.com Mon Aug 30 20:15 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id UAA06130 Mon, 30 Aug 1999 20:15:56 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id RAA26719; Mon, 30 Aug 1999 17:15:10 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Mon, 30 Aug 1999 15:36:50 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id PAA23801 for fwtk-users-outgoing; Mon, 30 Aug 1999 15:36:35 -0700 (PDT)
Message-ID: <19990830223646.15007.rocketmail@send205.yahoomail.com>
Date: Mon, 30 Aug 1999 15:36:46 -0700 (PDT)
From: Rude Yak
Subject: RE: Pass IP of originating host through the plug proxy
To: fwtk-users@ex.tis.com
MIME-Version: 1.0
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset=us-ascii
Content-Length: 661

> Eugene Chupkin wrote:
> >
> > Is it possible to pass the originating host IP through the plug proxy so
> > the machine on the secure network will see where the connection came
> from?

This may not be quite what you're looking for, but squid (see http://squid.nlanr.net) can put X-Forwarded-For headers into an outgoing request - in effect, this passes the originating IP information to the web server.

ER

__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com

From owner-fwtk-users@ex.tis.com Mon Aug 30 20:50 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id UAA06209 Mon, 30 Aug 1999 20:50:32 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id RAA27529; Mon, 30 Aug 1999 17:49:44 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Mon, 30 Aug 1999 16:21:20 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id QAA25432 for fwtk-users-outgoing; Mon, 30 Aug 1999 16:21:04 -0700 (PDT)
Mime-Version: 1.0
X-Sender: srp336@mail.optimum.com
Message-Id:
Date: Mon, 30 Aug 1999 19:21:01 -0400
To: fwtk-users@ex.tis.com
From: Steve Pfister
Subject: Choice of Real Audio proxies
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset="us-ascii"
Content-Length: 519

If I wanted to proxy Real Audio, and I have a functioning http/https proxy, is there any reason to use a PNA/RTSP proxy? Do a lot of people use PNA and RTSP... or do they do everything through HTTP? Where can I find statistics on this?

There has been some question in my company as to why we would need separate proxies for Real Audio when the recent players support http.

Thanks!
--Steve

From owner-fwtk-users@ex.tis.com Mon Aug 30 22:23 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id WAA06379 Mon, 30 Aug 1999 22:23:22 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id TAA00022; Mon, 30 Aug 1999 19:22:11 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Mon, 30 Aug 1999 17:44:31 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id RAA27343 for fwtk-users-outgoing; Mon, 30 Aug 1999 17:44:00 -0700 (PDT)
Message-Id: <3.0.5.32.19990830203458.00886d30@mail.itm-inst.com>
X-Sender: rmurphy@mail.itm-inst.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Mon, 30 Aug 1999 20:34:58 -0400
To: "Biggerstaff, Brice" , Eugene Chupkin , "'Keith Young'"
From: Rick Murphy
Subject: RE: Pass IP of originating host through the plug proxy
Cc: fwtk-users@ex.tis.com
In-Reply-To:
Mime-Version: 1.0
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset="us-ascii"
Content-Length: 853

At 03:02 PM 8/30/99 -0500, Biggerstaff, Brice wrote:
>Doesn't the 'transparency' patch achieve what Eugene wants to do? We have
>similar interests and I have been looking at this but have not had a chance
>to look too deep.

No. The transparency patch allows a host to connect to a destination without having to connect to the firewall first; the destination still sees the firewall as the source of the connection.

To provide full transparency - the connection appearing to come from its original source - all you have to do is bind() the socket to the original address before the connect. Unfortunately, that won't work without modifications to your IP stack. It's a pretty simple mod to the Berkeley IP stack.
-Rick

From owner-fwtk-users@ex.tis.com Tue Aug 31 07:32 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id HAA07609 Tue, 31 Aug 1999 07:32:41 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id EAA03987; Tue, 31 Aug 1999 04:32:22 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Tue, 31 Aug 1999 02:47:05 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id CAA02695 for fwtk-users-outgoing; Tue, 31 Aug 1999 02:46:50 -0700 (PDT)
From: "Marcel de Reuver"
To:
Subject: RE: virus scan
Date: Tue, 31 Aug 1999 10:39:54 +0200
Message-ID: <031401bef38c$65c2f880$510aa8c0@pc081>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2232.26
Importance: Normal
In-Reply-To: <37CACDE5.82512BBE@lssi.org>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset="iso-8859-1"
Content-Length: 410

>
> Does anybody know of, or recommend, virus scan software for
> FWTK running on Linux?
> Basically, I will need all incoming and outgoing mail messages
> (and attachments) scanned.
>

A Mail Virus Scanner available at: http://aachalon.de/AMaViS/

Regards,
Marcel de Reuver

From owner-fwtk-users@ex.tis.com Tue Aug 31 11:54 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id LAA08480 Tue, 31 Aug 1999 11:54:40 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id IAA06780; Tue, 31 Aug 1999 08:54:31 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Tue, 31 Aug 1999 07:14:33 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id HAA05461 for fwtk-users-outgoing; Tue, 31 Aug 1999 07:14:17 -0700 (PDT)
Message-ID: <37CBE359.51304A21@earthlink.net>
Date: Tue, 31 Aug 1999 10:14:49 -0400
From: Chris Harry
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: Firewall Mailer
Subject: Complete virus scanner
Content-Transfer-Encoding: 7bit
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: text/plain; charset=us-ascii
Content-Length: 506

The latest thread reminds me... is there any complete virus scanner for Unix? I was hoping for something like McAfee that scans files as they pass through the internet connection. Anyone know of something like this? Obviously free is good :), but this is for a simple home firewall, so a 500.00 s/w package isn't what I am looking for. Any help is appreciated.

Thanks!
Chris

From owner-fwtk-users@ex.tis.com Tue Aug 31 14:14 EDT 1999
Received: from relay2.nai.com (relay2.nai.com [208.228.228.62]) by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id OAA09023 Tue, 31 Aug 1999 14:13:56 -0400 (EDT)
Received: from localhost (daemon@localhost) by relay2.nai.com (8.9.3/8.9.3) with SMTP id LAA09005; Tue, 31 Aug 1999 11:12:15 -0700 (PDT)
Received: by ex.tis.com (bulk_mailer v1.11); Tue, 31 Aug 1999 09:31:28 -0700
Received: (from majordomo@localhost) by relay2.nai.com (8.9.3/8.9.3) id JAA07248 for fwtk-users-outgoing; Tue, 31 Aug 1999 09:31:07 -0700 (PDT)
Date: Tue, 31 Aug 1999 09:36:03 -0700 (PDT)
From: Eugene Chupkin
To: Chris Harry
cc: Firewall Mailer
Subject: Re: Complete virus scanner
In-Reply-To: <37CBE359.51304A21@earthlink.net>
Message-ID:
MIME-Version: 1.0
Sender: owner-fwtk-users@lists.tislabs.com
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Length: 956

The only thing I can think of is WebShield for firewalls by Network Associates. It does virus scanning on web traffic and/or email, but I think it only runs on commercial versions of Unix and NT, so if you're running Linux... you might be out of luck.

On Tue, 31 Aug 1999, Chris Harry wrote:
>
> The latest thread reminds me... is there any complete virus scanner
> for Unix?
> I was hoping for something like McAfee that scans files as they pass
> through the internet connection. Anyone know of something like this?
> Obviously free is good :), but this is for a simple home firewall, so a
> 500.00 s/w package isn't what I am looking for.
> Any help is appreciated.
> Thanks!
> Chris
>
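Returning to the squid X-Forwarded-For suggestion earlier in this digest: the header does carry the originating address to the web server, but only a proxy you control vouches for the entry it appends, and any client can send an X-Forwarded-For of its own. The block below is an added example written for this page, not squid's code and not from the original post, showing both halves of the convention: what a proxy (squid with its forwarded_for option) does on the way out, and the trust check a receiving server must apply before believing the header. The trusted-proxy list and the sample addresses are constructed for the example.

```python
# Added example for this page (not squid's code, not from the original post):
# both halves of the X-Forwarded-For convention plus the trust check a server
# needs. TRUSTED_PROXIES and all sample addresses are constructed assumptions.
import ipaddress

# Constructed: proxies we operate, whose appended entries we are willing to believe.
TRUSTED_PROXIES = (
    ipaddress.ip_network("192.0.2.10/32"),      # the http proxy on the firewall
    ipaddress.ip_network("198.51.100.0/24"),    # a second tier of proxies
)


def append_xff(existing, client_ip):
    """What a proxy does on the way out: append the address it accepted the
    connection from. Whatever was already in the header arrived from the
    client side and may be forged; the proxy does not vet it, it only appends."""
    return f"{existing}, {client_ip}" if existing else client_ip


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_address(peer_ip, xff, trusted=TRUSTED_PROXIES):
    """What the server should do to recover the originating address.

    If the TCP peer is not a trusted proxy, the header is worthless (the peer
    could have written anything), so the peer itself is the client. Otherwise
    walk the chain right to left, skipping trusted proxies; the first entry
    that is not a trusted proxy is the client as seen by the last trusted hop.
    Entries further left are unverified and ignored. Returns None when the
    entry we would have to believe is not even a valid address.
    """
    if not _is_trusted(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None          # a trusted proxy passed us garbage: don't guess
        return hop
    # No header: the proxy originated the request itself. Only trusted proxies
    # in the chain: the leftmost one is the originator.
    return hops[0] if hops else peer_ip


if __name__ == "__main__":
    # Constructed scenario: the client forges a header, squid appends the truth.
    forged = "10.0.0.1"
    on_the_wire = append_xff(forged, "203.0.113.5")
    print("header as squid sends it:", on_the_wire)
    print("server attributes it to :", client_address("192.0.2.10", on_the_wire))
    print("untrusted peer, ignored :", client_address("203.0.113.5", "192.0.2.10"))
```

The practical rule this encodes: the server must know the address of the proxy that talks to it, accept X-Forwarded-For only from that address, and read the chain from the right. Logging the leftmost entry, which is the common mistake, hands attribution to whoever the client wants to blame.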