Great Circle Associates Firewalls
(February 1995)

Subject: fw tools (was Re: Address translation)
From: "Simon J. Gerraty" <sjg @ zen . void . oz . au>
Date: Tue, 14 Feb 1995 21:24:37 +1100
To: Ian Marr <im @ finsbury . co . uk>
Cc: firewalls @ greatcircle . com
In-reply-to: Your message of "Mon, 13 Feb 95 11:02:48 -0000." <9502131102 . AA01325 @ finsbury . co . uk>

>    Simon implies that ftp needs to be handled carefully, true; but has
>    anyone done this ? Or, as mjr of TIS suggested to me, why not do
>    all ftp's through an http-gw ? (I'm not sure how this would work,
>    can anyone explain ?)
> 
>    And finally, is anyone running a dual firewall config like this ?
>    Especially using the TIS Toolkit or Gauntlet ? I'd really like to
>    know it worked and was secure.

Funny you should ask... the answer is yes to both.

I have split the TIS ftp-gw in two.  Works the same as the TIS one
except there are a couple of new entries in netperm-table.

I took the added step of implementing a bindport facility (again as
suggested by Bellovin & Cheswick) such that the proxy can run as
non-root, yet bind reserved ports if required by the config of the
choke router.  It is implemented via a function that checks if euid==0
and does the job itself if so.  Both the lib function and program come
from the same file...  I was planning to mail the patches to TIS but
I've been busy... :-)

I'm also about ready to release my modified version of the Linux NFS
server.   It is intended to run under inetd and without the port
mapper.  The client s/w registers a local UDP NFS service and shuffles
RPC's via TCP to the server.  The server can be told to require
authentication via TIS's authsrv before accepting a mount request (TCP
transport only).   Performance is about 1/4 native filesystem but who
cares?

Can anyone offer an FTP site for this?

Note my build tree requires the new BSD make and macros - but I've a
version that runs on SunOS, HP/UX etc.

If I could work out how to implement Bellovin & Merritt's A-EKE
protocol, I could release my encrypted telnet too... (no need for
kerberos or smart cards etc to store keys).

--sjg

