Great Circle Associates Firewalls
(November 1994)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: finger over proxy
From: mccurley @ cs . sandia . gov (Kevin S. McCurley)
Date: Tue, 8 Nov 1994 22:49:05 -0700 (MST)
To: firewalls @ greatcircle . com

In response to Ken Hardy's query:
> > >	What about services like talk and finger? How do my local users
> > >	"talk" a user at an outside host over proxy? (and external users too)

Marcus suggested using
> 	We don't support "talk" so I can't address that one, but finger
> works real easily. We have a netacl rule (or tcp_wrapper or whatever)
> that lets anyone on our inside net talk to fingerd w/o privs. Then
> someone can just:
> 	finger user @

This has the disadvantage that the bastion host actually has to run a
finger daemon.  There was at least one example in the last year of a
version of OSF that had a serious security bug in fingerd, and some
machines also have it run as root.  We prefer to use plug-gw from the
TIS toolkit to pipe finger requests on port 79 through to a machine
outside the firewall where the finger daemon actually makes the
request.  There is a script called "rfinger" installed inside that
does the following:

/usr/ucb/finger $* @

where "gateway" is the name of our machine.  If you use the command

  rfinger user @

then it sends the request through the gateway to a machine outside
(whatever plug-gw is pointing at) where the machine acts like it has
received the command 

  finger user @

The only apparent difference in behaviour is that some finger clients
put up the name of the machine that was the first target of the finger
command (in this case the gateway machine).  You can eliminate this
with a grep -v in the script.

Plug-gw is quite useful - we also use it for selected machines outside
the firewall but inside the building to print to our printers.

Kevin McCurley
Sandia National Laboratories

Indexed By Date Previous: Firewall OpSys
From: Jerry . Cashman @ asx . decus . com . au
Next: [no subject]
From: Joel P McKenzie <MCKENZIE @ WCUVAX1 . WCU . EDU>
Indexed By Thread Previous: Re: Finger over proxy
From: Jamie Clark <jclark @ clear . co . nz>
Next: Re: finger over proxy
From: "Christopher M. Spirito" <spirito @ eden . rutgers . edu>

Search Internet Search