Great Circle Associates Firewalls
(March 1993)
 


Subject: Re: Firewalls and NFS -
From: Kent Landfield <kent@sparky.IMD.Sterling.COM>
Date: Mon, 22 Mar 93 13:35:38 CST
To: wohler@sap-ag.de
Cc: mjr@tis.com, firewalls@GreatCircle.COM
In-reply-to: <9303221647.AA18513@sap-ag.de>; from "Bill Wohler" at Mar 22, 93 5:46 pm

Bill,

> Marcus J Ranum <mjr@TIS.COM> writes:
> marcus> 	If you have to, a captive login program that does a chroot to
> marcus> someplace and drops the user into a simple shell that lets them telnet,
> marcus> or rlogin to other machines, will do 95% of what you want.
> 
>   this is what i was thinking.  comments from others?  has anyone
>   written this?  if not, i'll post it here after i do. ;-)

I have real reservations about responding to this but what the hey...  I have 
hacked something together that has been in use here for a while.  There are
some assumptions made that may not apply to all.  I am putting this out as 
a starting point for others.  I'd be happy to hear constructive ideas but 
please, no heavy duty flames of "how dumb can you be!" :-)  I needed something 
cheap and this definitely fit the bill... :-)  The sources are available via 
FTP from sparky.sterling.com as /local/gau.tar.Z.  I'd be happy to roll in 
any enhancements others make.  I was planning on adding some additional ftp 
commands for dealing with ftp from the firewall to internal systems but we
are NFS mounting the transfer area at present.  There are some stubs in place
if you wish to modify it further to not need NFS.  You will need to edit the 
file telout.c to set up the GATEWAY and DOMAIN defines.  Please examine the 
following overview carefully and if you retrieve the sources, do the same to 
them as well.  All the mods should be bracketed within the GATEWAY ifdefs.  

These tools also support checking the load of the gateway host, /etc/nologin 
semantics and a configurable MOTD, and they can be configured to log transfers 
to and from the gateway system.

Like everything I release...

**
** Use of this software constitutes acceptance for use in an AS IS 
** condition. There are NO warranties with regard to this software.  
** In no event shall the author(s) be liable for any damages whatsoever 
** arising out of or in connection with the use or performance of this 
** software.  Any use of this software is at the user's own risk.
**

			-Kent+
-- 
Kent Landfield                   INTERNET: kent@sterling.com
Sterling Software                UUCP:     uunet!sparky!kent
Phone:    (402) 291-8300         FAX:      (402) 291-4362
Please send comp.sources.misc-related mail to kent@uunet.uu.net.
 
=============================================================================
FTP-Availability: sparky.sterling.com:/local/gau.tar.Z
Tested Environment: SunOS4.1.2

This README is an overview of the GATEWAY Access Utilities and how to
install them.  This package currently supports access to the Internet 
through the use of a firewall system.  All internal systems are hidden 
behind a firewall (or gateway) from the Internet.

These utilities allow users from inside the network to get to archives and
services on the Internet without requiring that they have an account on the
gateway system.  

The general design is as follows.  There are two special accounts setup
to specifically allow use of a modified telnet and ftp program from the
gateway host.   The access programs telout and ftpout are installed on hosts 
which are internal to the network.  There are currently two different network 
access utilities supported, telnet and ftp.  On the gateway host, two different 
executables, acftp and actelnet, are installed.  These are actually a version
of telnet and ftp which have been modified to better support gateway usage.

--------------------------------------- Internet --------------------
                                          ||
                                          ||
                                          ||
                                          ||
          __________                 ______________
         |Internal  |               | Gateway Host |
         |    Host  | Internal      |  [Firewall]  |
         |          |---------------|              |
         | (telout) |     LAN       |  (actelnet)  |
         | (ftpout) |               |   (acftp)    |
         |__________|               |______________|

The internal user executes the ftpout or telout program, which sets up the
user's privilege as that of the special account ftpout or telout.  The
program then rlogins into the corresponding account on the gateway system.  
The user is thrown into either the actelnet or the acftp application as appropriate.
These applications are set up as the accounts' login shells.  The internal 
user is then free to access hosts and services on the Internet.  Files 
retrieved to the gateway are available to the user internally via NFS.
The user can remove files transferred into the directories created during 
the acftp session startup, but they cannot remove the directories.  Empty 
directories can be removed via a process run periodically from cron if 
they are bothersome, but it is unnecessary.

All access to the Internet is logged to a file, /var/log/outbound on the
loghost as delivered.  The time in seconds of the connection is logged as 
well for possible use in accounting for use of the network connections.

=====================================================================
GATEWAY HOST SETUP:
=====================================================================

    1. Add the following entries to /etc/passwd,

ftpout:*:85:85:Internal FTP Account:/tmp/ftp:/usr/local/bin/acftp
telout:*:86:86:Internal Telnet Account:/tmp/.tel:/usr/local/bin/actelnet

       NOTE: The accounts are set up so that no direct login is possible: the
             password field is '*' and the login shell is the application itself,
             so the user cannot get directly to a shell.

    2. Add the following entry to /etc/group,

ftpout:*:85:
telout:*:86:

    3. Edit the /etc/syslog.conf file and add the following entries:

local0.info                     ifdef(`LOGHOST', /var/log/outbound, @loghost)
local0.err                      ifdef(`LOGHOST', /var/log/outbound, @loghost)

       NOTE: Since the syslog.conf file is actually run through m4, assure 
             that the fields are separated by tab characters.

    4. Create /var/log/outbound and assure that the ownership and modes
       allow it to be written by syslogd.  Restart syslogd with a -HUP so
       that it processes your changes.
    
    5. Create the configuration file /etc/outbound.cfg with the following
       type of information;

	#
        # MOTD is the message that you wish displayed when the user logs
        # into the gateway via the telout or ftpout facility.  The contents
        # of MOTD should be the full disk path of the file to be displayed.
        #
        # LOAD is the load limit at which logins to the gateway system are
        # disabled with a "Sorry, try again" type message. 
        #
	MOTD=/etc/Outbound.motd
	LOAD=6

       Create and edit your welcome message so that it is displayed to the
       user upon login.

Telout:
    6. Create a home directory for the telout account.
    7. Create a .hushlogin file in the telout home directory. 
    8. Create a .rhosts file in the telout home directory. Each line of
       the .rhosts file should consist of a host's fully qualified domain 
       name and the account name "telout".  If I have a system nomad in the
       DDP.Sterling.COM domain the .rhosts file entry for that system is:

	nomad.DDP.Sterling.COM  telout

       Add an entry for each host that you are going to install the telout
       access software on.
      
    9. Change the modes and ownership on the telout home directory and 
       the files within to reflect the following;

drwxr-sr-x   2 root     wheel        512 May 21 00:19 .
-r--r--r--   1 root     wheel          0 May 12 10:47 .hushlogin
-r--r--r--   1 root     wheel         32 May 21 00:19 .rhosts

Ftpout:
   10. Create a home directory for the ftpout account.
   11. Create a .hushlogin file in the ftpout home directory. 
   12. Create a .rhosts file in the ftpout home directory. Each line of
       the .rhosts file should consist of a host's fully qualified domain 
       name and the account name "ftpout".  If I have a system nomad in the
       DDP.Sterling.COM domain the .rhosts file entry for that system is:

	nomad.DDP.Sterling.COM  ftpout

       Add an entry for each host that you are going to install the ftpout
       access software on.
      
   13. Change the modes and ownership on the ftpout home directory and 
       the files within to reflect the following;

drwxrwsr-t   3 ftpout   ftpout       512 May 20 23:44 .
-r--r--r--   1 root     wheel          0 May 20 23:01 .hushlogin
-r--r--r--   1 root     wheel         32 May 20 21:18 .rhosts
 
   14. Edit /etc/exports to export the FTP transfer area to those systems
       that are to have the telout and ftpout programs installed, so that
       the transfer area can be NFS mounted from the internal systems.

   15. Next compile and install the acftp executable.
       a. Make the executable acftp.
       b. cp acftp /usr/local/bin 
       c. chgrp kmem /usr/local/bin/acftp 
       d. chown ftpout /usr/local/bin/acftp 
       e. chmod 2755 /usr/local/bin/acftp 

   16. Next compile and install the actelnet executable.
       a. Make the executable actelnet.
       b. cp actelnet /usr/local/bin 
       c. chgrp kmem /usr/local/bin/actelnet 
       d. chown telout /usr/local/bin/actelnet 
       e. chmod 2755 /usr/local/bin/actelnet 

       NOTE: The executables are installed setgid to the group kmem
             so that the programs can read the load average out of /dev/kmem
             when they start up.  Once kmem has been read, actelnet and acftp
             reset the group id to the real group id.  All files retrieved
             via ftp will therefore have a group ownership of ftpout, not kmem.

=====================================================================
INTERNAL HOSTS SETUP:
=====================================================================

    1. Add the following entries to /etc/passwd,

ftpout:NOLOGIN:85:85:Internal FTP Account:/tmp:/dev/null
telout:NOLOGIN:86:85:Internal Telnet Account:/tmp:/dev/null

    2. Add the following entries to /etc/group,

ftpout:*:85:
telout:*:86:

    3. Next compile and install the telout and ftpout executables.
       a. Edit telout.c and assure the GATEWAY and DOMAIN defines
          are correct and then make the executables.
       b. cp ftpout telout /usr/local/bin 
       c. chgrp ftpout /usr/local/bin/ftpout 
       d. chgrp telout /usr/local/bin/telout
       e. chown ftpout /usr/local/bin/ftpout 
       f. chown telout /usr/local/bin/telout 
       g. chmod 6755 /usr/local/bin/ftpout /usr/local/bin/telout

    4. Edit the /etc/fstab and add an entry so as to allow the ftp transfer
       area to be accessible from the internal systems. (automount 'em if
       you got'em)

    5. Mount the gateway's transfer area.

=====================================================================
The Internal host setup will need to be completed for each host that
you wish to allow external access from.

These facilities recognize the semantics of /etc/nologin and will display
its contents if the file's size is greater than 0 bytes.  They also use the
LOAD value specified in the config file to determine when to disallow access
because the gateway is too busy.

The sources to telnet were originally from the BSD sources and modified to 
become actelnet.  The sources to ftp were grabbed from gatekeeper.dec.com.
Originally BSD sources, ftp was modified by Paul Vixie (vixie@pa.dec.com)
and then later modified to become acftp with gateway support added.  
Telout.c was written by Kent Landfield (kent@sterling.com) to glue this 
all together.
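The following is an added example and is not part of the gau package or of Kent's message. It audits the GATEWAY HOST SETUP steps above (the '*' password and captive login shell for ftpout/telout, the .rhosts and .hushlogin files and their modes, the setgid 2755 install of acftp/actelnet) and reproduces the /etc/nologin and LOAD admission rule the README describes. The account names, paths and modes are taken from the README; the staging tree built by make_fixture is constructed here so that the audit can be tried offline. Two things are assumptions of this example rather than statements of the package: a .rhosts line consisting of '+' is flagged because it would trust every host that can reach the gateway, and "the load limit at which logins are disabled" is read as load >= LOAD. Owner and group checks (root/wheel, kmem) are left to the eye because setting them up needs root.

```shell
#!/bin/sh
# Added example (not part of the gau package): audit the GATEWAY HOST side of the
# setup in the README above and reproduce its /etc/nologin + LOAD admission rule.
# Account names, paths and modes are the README's; the fixture is constructed.
#   Usage:  sh gau_audit.sh /        audit a real gateway root
#           sh gau_audit.sh          (no args) only define the functions

mode_of() { ls -ld "$1" | awk '{ print $1 }'; }     # e.g. drwxr-sr-x; avoids stat(1) flag differences
passwd_field() { awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }' "$1/etc/passwd"; }

problems=0
fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
ok()   { echo "ok:   $*"; }

# The account must have no usable password ('*') and the captive application as its shell.
check_account() {                                   # ROOT USER SHELL
  pw=$(passwd_field "$1" "$2" 2); sh=$(passwd_field "$1" "$2" 7)
  [ -n "$pw$sh" ]  || { fail "$2: no passwd entry"; return 0; }
  [ "$pw" = "*" ]  || fail "$2: password field is '$pw', expected '*'"
  [ "$sh" = "$3" ] || fail "$2: login shell is '$sh', expected $3"
  [ "$pw" = "*" ] && [ "$sh" = "$3" ] && ok "$2 account"
  return 0
}

# .hushlogin and .rhosts must exist and not be group/world writable; every .rhosts line
# must be "fqdn USER".  A '+' wildcard (assumption: flagged here) would trust every host.
check_home() {                                      # ROOT HOME USER
  d="$1$2"
  [ -d "$d" ] || { fail "$3: home $2 missing"; return 0; }
  case "$(mode_of "$d")" in ????????w*) fail "$3: home $2 is world-writable" ;; esac
  for f in .hushlogin .rhosts; do
    [ -e "$d/$f" ] || { fail "$3: $2/$f missing"; continue; }
    case "$(mode_of "$d/$f")" in ?????w*|????????w*) fail "$3: $2/$f is group/world writable" ;; esac
  done
  [ -r "$d/.rhosts" ] || return 0
  if awk -v u="$3" 'NF { if (NF != 2 || $1 == "+" || $2 != u) bad++ } END { exit bad + 0 }' "$d/.rhosts"
  then ok "$3 .rhosts entries"; else fail "$3: .rhosts has an entry not of the form 'host $3'"; fi
  return 0
}

# The application must be installed setgid (mode 2755, ls shows -rwxr-sr-x) so that it can
# read the load average from /dev/kmem, and must not be writable by group or other.
check_captive() {                                   # ROOT PATH
  f="$1$2"
  [ -e "$f" ] || { fail "$2 not installed"; return 0; }
  m=$(mode_of "$f")
  case "$m" in
    ?????w*|????????w*) fail "$2: writable by group/other ($m)" ;;
    ??????[sS]*)        ok "$2 mode $m" ;;
    *)                  fail "$2: not setgid ($m), expected -rwxr-sr-x" ;;
  esac
  return 0
}

audit_gateway() {                                   # ROOT; returns the number of problems
  problems=0
  check_account "$1" ftpout /usr/local/bin/acftp
  check_account "$1" telout /usr/local/bin/actelnet
  check_home "$1" "$(passwd_field "$1" ftpout 6)" ftpout
  check_home "$1" "$(passwd_field "$1" telout 6)" telout
  check_captive "$1" /usr/local/bin/acftp
  check_captive "$1" /usr/local/bin/actelnet
  echo "$problems problem(s) found"
  return "$problems"
}

# Admission rule from the README: refuse and print /etc/nologin when it is non-empty;
# refuse when the load average is at or above LOAD from /etc/outbound.cfg
# (assumption: "at which" read as >=; the package source is the authority).
gateway_admits() {                                  # ROOT LOADAVG
  if [ -s "$1/etc/nologin" ]; then cat "$1/etc/nologin"; return 1; fi
  limit=$(sed -n 's/^LOAD=//p' "$1/etc/outbound.cfg" 2>/dev/null || true)
  [ -n "$limit" ] || return 0                       # no limit configured: admit
  if awk -v l="$2" -v m="$limit" 'BEGIN { exit !(l + 0 >= m + 0) }'; then
    echo "Sorry, gateway load $2 is at or above the limit of $limit, try again later"; return 1
  fi
  return 0
}

# Constructed staging root mirroring the README's layout, for running the audit offline.
make_fixture() {                                    # DIR
  mkdir -p "$1/etc" "$1/tmp/ftp" "$1/tmp/.tel" "$1/usr/local/bin"
  cat > "$1/etc/passwd" <<'EOF'
ftpout:*:85:85:Internal FTP Account:/tmp/ftp:/usr/local/bin/acftp
telout:*:86:86:Internal Telnet Account:/tmp/.tel:/usr/local/bin/actelnet
EOF
  printf 'ftpout:*:85:\ntelout:*:86:\n' > "$1/etc/group"
  printf 'MOTD=/etc/Outbound.motd\nLOAD=6\n' > "$1/etc/outbound.cfg"
  : > "$1/etc/nologin"                              # empty: logins allowed
  echo 'nomad.DDP.Sterling.COM  ftpout' > "$1/tmp/ftp/.rhosts"
  echo 'nomad.DDP.Sterling.COM  telout' > "$1/tmp/.tel/.rhosts"
  : > "$1/tmp/ftp/.hushlogin"; : > "$1/tmp/.tel/.hushlogin"
  chmod 444 "$1"/tmp/ftp/.[hr]* "$1"/tmp/.tel/.[hr]*
  chmod 3775 "$1/tmp/ftp"; chmod 2755 "$1/tmp/.tel"
  printf '#!/bin/sh\n' > "$1/usr/local/bin/acftp"
  cp "$1/usr/local/bin/acftp" "$1/usr/local/bin/actelnet"
  chmod 2755 "$1/usr/local/bin/acftp" "$1/usr/local/bin/actelnet"
}

[ $# -eq 0 ] || audit_gateway "$1"
```

Running `sh gau_audit.sh /` on the gateway after step 16 should report 0 problems; a world-writable .rhosts, a missing '*' in the password field or a captive application that lost its setgid bit after a careless `cp` each show up as a FAIL line. The admission rule is exposed as `gateway_admits ROOT LOADAVG` so the nologin and LOAD behaviour can be exercised against a staging tree before it is relied on.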




References:
Indexed By Date Previous: Re: Firewalls and NFS -
From: Marcus J Ranum <mjr@TIS.COM>
Next: FYI - New NIC database
From: Scott M. Hinnrichs <smh@netserv.com>
Indexed By Thread Previous: Re: Firewalls and NFS -
From: "Louis A. Mamakos" <louie@NI.umd.edu>
Next: Re: Firewalls and NFS -
From: smb@research.att.com
