FWTK FAQ

0.1: How do I get support for the FWTK? 
TIS engineers continue to monitor the FWTK mailing lists, but no direct support is available. The fwtk-support list, which has been used for users of the FWTK to send problem reports to TIS, is available to anyone who would like to be added to it, and the user community will provide its own support.
 
 
0.2: How can I join the FWTK mailing list?
Subscribe to the FWTK users mailing list by sending a message to majordomo@listserv.nai.com. In the body of the message put the following line:

               subscribe fwtk-users

After subscribing, you can e-mail the FWTK users mailing list by sending an e-mail to fwtk-users@listserv.nai.com .
 
 
0.3: How can I unsubscribe from the FWTK mailing list?
Unsubscribe to the FWTK mailing list by sending a message to majordomo@listserv.nai.com. In the body of the message put the following line:

                unsubscribe fwtk-users

Also, every e-mail from the mailing list has instructions on how to unsubscribe your own e-mail address and which of your e-mail addresses is subscribed to the list.

0.4: I am having problems with the mailing list...
Contact the FWTK list owner at Support.Listserv@nai.com.  

0.5: Where can I find an archive of the mailing list? 
The FWTK users mail list archive is at ftp://ftp.tislabs.com/pub/firewall/toolkit/fwtk-users-archive/ . You can find a searchable online archive at: http://www.progressive-comp.com/Lists/?l=fwtk-users&r=1&w=2#fwtk-users
 
 
0.6: What companies provide paid support for the toolkit? Can I provide paid support?
Not really; this is against the FWTK license.

Unofficially, NAI is not completely enforcing this part of the license. They do, however, fully enforce the prohibition on selling the FWTK or systems based on a "FWTK firewall".
======
From: John Kelley <johnk@tislabs.com>
Subject: Re: Request for licensing details

Basically, we allow consultant configurations as long as it is a part of a whole consulting package.  For example, you cannot advertise as a fwtk consultant or fwtk expert, or sell fwtk consulting.  But if it is a part of a whole consulting package, we have no problems with it.

We appreciate being kept informed of who you are doing this work for, and ask that you don't do a large number (say, over 5) fwtk configurations a year.

I hope that is clearer.  Fwtk is not officially supported by NAI, so consulting with its configuration is entirely understandable.  We just limit what commercial gain can be acquired from it directly.



Compiling the toolkit
 
FreeBSD
1.1.1: "Undefined symbol `_crypt' referenced from text segment" errors
Make sure that you add "-lcrypt" to the AUXLIB setting in Makefile.config.
 
1.1.2: How do you build the toolkit with USE_UDPSYSLOG?
That code's pretty simple - however, on a FreeBSD system you probably should fix it to use vsnprintf() rather than the way it tries to detect overflow. Change all the exit() calls to _exit() as well, while you're at it; if somehow someone manages to overflow its internal buffer they can corrupt data in random places. Since it uses a static buffer - not on the stack - this is much harder to exploit than the usual stack basher; fixing the exit calls to _exit makes it even harder to exploit. 
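As an added illustration (not FWTK code; the FAQ does not reproduce the USE_UDPSYSLOG source), here is what the two fixes look like in practice: a static-buffer syslog formatter that detects truncation from the return value of vsnprintf(), and a failure path that calls _exit(). The record size limit and the function names are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Record size limit and function names are assumptions of this example. */
#define UDPSYSLOG_MAX 1024

/* Static buffer, not on the stack, as the FAQ describes for the real code. */
static char logbuf[UDPSYSLOG_MAX];

/* Format "<pri>tag: message" into logbuf.
 * Returns the record length, or -1 if it would not fit. vsnprintf()
 * never writes past the buffer and reports the length it wanted, so
 * overflow is detected from the return value instead of by inspecting
 * memory after the fact. */
static int format_udp_syslog(int pri, const char *tag, const char *fmt, va_list ap)
{
    int n = snprintf(logbuf, sizeof logbuf, "<%d>%s: ", pri, tag);
    if (n < 0 || (size_t)n >= sizeof logbuf)
        return -1;
    int m = vsnprintf(logbuf + n, sizeof logbuf - (size_t)n, fmt, ap);
    if (m < 0 || (size_t)m >= sizeof logbuf - (size_t)n)
        return -1;                       /* truncated: refuse to send a partial record */
    return n + m;
}

/* Caller-facing variadic wrapper. */
int udp_syslog_record(int pri, const char *tag, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = format_udp_syslog(pri, tag, fmt, ap);
    va_end(ap);
    return len;
}

/* Read-only view of the last formatted record. */
const char *udp_syslog_buffer(void)
{
    return logbuf;
}

/* Builds a message longer than the buffer to exercise the truncation path. */
int udp_syslog_overflow_probe(void)
{
    char big[2 * UDPSYSLOG_MAX];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return udp_syslog_record(13, "probe", "%s", big);
}

/* Failure path as the FAQ recommends: _exit() skips atexit() handlers and
 * stdio flushing, so state that may already be corrupted is never used. */
void udp_syslog_fatal(const char *reason)
{
    (void)write(STDERR_FILENO, reason, strlen(reason));
    (void)write(STDERR_FILENO, "\n", 1);
    _exit(1);
}

int main(void)
{
    /* constructed sample record */
    if (udp_syslog_record(13, "http-gw", "connect from %s to %s:%d",
                          "10.0.0.5", "www.example.com", 80) < 0)
        udp_syslog_fatal("syslog record too long");
    puts(udp_syslog_buffer());
    return 0;
}
```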
 
1.1.3: "ld: Error: Undefined: IceProcessMessages..." errors
Try changing the "XLIBS=" line to add "-lSM -lICE" after "-lX11" in Makefile.config.
 
1.1.4: I get an error while trying to compile daemon.c....
The error which you get is related to a typedef for size_t in /usr/include/sys/signal.h

Fix:  In daemon.c include types.h before signal.h.


HPUX
1.2.1: How do I compile the toolkit under HP-UX 9.0x? 
After configuring firewall.h and copying over Makefile.config.hpux , you need to edit fixmake as: 
    *** fixmake     Thu Sep  4 09:49:06 1997 
    --- fixmake.orig        Thu Sep  4 09:49:15 1997 
    *************** 
    *** 30,36 **** 
        echo renaming $name to $name.proto 
        mv $name $name.proto 
       fi 
       sed 's/^include[        ]*\([^  ].*\)/include \1/' $name.proto > $name 
       echo "built $name" 
      done 
     ) 
    --- 30,36 ---- 
        echo renaming $name to $name.proto 
        mv $name $name.proto 
       fi 
    !   sed 's/^include[        ]*\([^  ].*\)/.include "\1"/' $name.proto >
    $name 
       echo "built $name" 
      done 
     )
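Review bot: this hunk will not apply with patch as pasted: the changed sed line in the `--- 30,36 ----` half has been wrapped onto two lines (`... $name.proto >` followed by `$name`), and the corresponding line in the `*** 30,36 ****` half carries no `!` marker. Re-join the line and mark both sides, or just make the one-line edit by hand. Note also that the diff was taken with the edited fixmake as the `***` side and fixmake.orig as the `---` side, so the `***` half is the state you want: sed should emit `include \1`, not `.include "\1"`, which agrees with the advice below the patch.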
Then run fixmake. Make sure that your makefiles contain: 
    include ../Makefile.config 
rather than 
    .include "../Makefile.config"
 
1.2.2: What is the config to compile under HP-UX 10.20/11.x?
First, install and use gcc. It works much better on compiling the toolkit than HP's compiler. 

Also, it looks like 11.0 supplies getenv(); edit getenv.c to remove the "|| defined(HPUX)" from line 38. 


Linux
1.3.1: "fwtk/auth/db.c:66: undefined reference to `dbm_open'" errors
Make a backup of the current Makefile.config, then copy Makefile.config.linux to Makefile.config. If you still get DBM errors, "man dbm_open" should tell you what to put on the DBMLIB= line of Makefile.config. Any of "-ldbm", "-ldb", "-lgdbm" or "-lndbm" could be right, depending on who built your distribution. 

If you are still having problems, get the latest gdbm package from ftp://ftp.gnu.org and compile/install the entire package (including header files) with the "install-compat" option. Then, change the DBMLIB= line in Makefile.config to "-lgdbm" to point to your new /usr/lib/libgdbm.a library file. 
 
1.3.2: "cannot open -libc" or "cannot open -lc" errors
Make a backup of the current Makefile.config, then copy Makefile.config.linux to Makefile.config. If this doesn't work, you might want to remove the "-static" from the "LDFL=" line, but you lose the advantages of static binaries. 
 
1.3.3: "error.c: Parse error before string constant" errors
Find occurrences of the string "errno" in error.c and change them to "zerrno". 
 
1.3.4: "ulib.h:23: X11/Intrinsic.h: No such file or directory" error
You need the X11 programming environment installed to build x-gw. One of your packages probably has these - should be there as part of the X11R6 stuff. 
 
1.3.5: "hmain.c:1060: warning: passing arg 3 of `select' from incompatible pointer type" error
You can safely ignore these. 
 
1.3.6: "Undefined symbol `_crypt' referenced from text segment" errors
See the answer to the same question in the FreeBSD section of this FAQ. 


NeXTStep
1.4.1: How do I compile the toolkit under NeXTStep?
Read the HOWTO written by Timothy J Luoma at nextstep.html.
 


SCO
1.5.1: "Symbol signal in /usr/ccs/lib/libc.a is multiply defined" error
Don't compile fwtk/lib/signal.c unless you need it. You probably don't. (Edit Makefile.config.sco5 to change the "SYSVOBJ=signal.o" to comment it out, then "make clean;make" from the toplevel.) 

SGI IRIX
1.6.1: "Badly placed ()'s/*** Error code 1 (bu21)" error
Don't use SGI's make. Use gmake instead. 
 
1.6.2: I can't compile the toolkit using SGI's compiler...
Add -cckr to your CFLAGS.  You'll still get harmless warnings, which you can suppress with the -w flag (or just use the gcc compiler instead). 


SINIX
1.7.1: What configuration should I use with SINIX?
It will work when you use the Berkeley C compiler.

In Makefile.config set: 

    CC = /usr/ucb/cc 
    DEFINES= -DSYSV 
    RANLIB= touch 
    #SYSVOBJ= signal.o     (comment this line out)

Solaris 2.x
1.8.1: "`LOCK_EX' undeclared (first use this function)" errors
Make a backup of the current Makefile.config, then copy Makefile.config.solaris to Makefile.config.
 
1.8.2: "Undefined symbol socket getpeername" error
Make a backup of the current Makefile.config, then copy Makefile.config.solaris to Makefile.config.
 
1.8.3: "undefined symbol: MAXHOSTNAMELEN" error
Include something like the following in http-gw.h, before the first MAXHOSTNAMELEN reference: 
    #ifndef MAXHOSTNAMELEN 
    #define MAXHOSTNAMELEN 64 
    #endif

SunOS 4.x (Solaris 1.x)
1.9.1: SunOS kernel panics
This is a Sun bug. A common reason is doing a getsockopt() after a connection has been reset. You will need to install a Sun patch, which you will get through your regular Sun support channel. 
 
    OS version    Patch ID
    4.1.3         100584
    4.1.3_U1      102010
    4.1.4         102517
1.9.2: "ld: Undefined symbol _res_query" error
Some systems don't have their DNS resolver routines in libc, but instead in some other, separate library.  Try to look for it: 
     ls -l /usr/lib/libres* 
You should find a file named libres.a, or libres.so, or libresolv.a, or libresolv.so.  Whichever you find, go into your Makefile, and make sure that the compile-and-load line ('$(CC) -o smap ...') ends with -lXXX, where XXX is the part between "lib" and the dot.  E.g., for the examples I gave above, you would add either -lres or -lresolv. 
 


Ultrix
1.10.1: I can't get the toolkit to compile under Ultrix 4.0
I'm not sure many people still use Ultrix, never mind run it as part of their firewall, but if so, these patches are required for a clean compile. Neither patch should impact the ability of the FWTK to compile elsewhere. 

Darren Reed <darrenr@cyber.com.au>

=================================================================== 
RCS file: RCS/hmain.c,v 
retrieving revision 1.9 
diff -c -r1.9 hmain.c 
*** hmain.c 1997/01/18 20:23:16 1.9 
--- hmain.c 1997/11/06 07:25:22 
*************** 
*** 93,99 **** 
return; 

!  if ( !(tab_ptr[*cnt_ptr] = strdup(browser_name)) ) { 
syslog(LLEV,"failed to get storage for browser entry %m"); 
exit(1); 

--- 93,99 ---- 
return; 

!  if ( !(tab_ptr[*cnt_ptr] = makestring(browser_name)) ) { 
syslog(LLEV,"failed to get storage for browser entry %m"); 
exit(1); 

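Review bot: the hunk header `*** 93,99 ****` promises seven lines but only six appear in each half, and the context lines have lost their leading indentation, so `patch` will reject it; apply with `patch -l` (ignore whitespace) or make the strdup() to makestring() swap by hand. The hunk adds no include, so confirm that hmain.c already sees the declaration of makestring(); the error path (syslog() then exit(1)) is left unchanged, which is right.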
=================================================================== 
RCS file: RCS/daemon.c,v 
retrieving revision 1.8 
diff -c -r1.8 daemon.c 
*** daemon.c 1997/01/18 19:12:56 1.8 
--- daemon.c 1997/11/06 05:08:43 
*************** 
*** 24,30 **** 
#include <netdb.h> 
#include <sys/time.h> 
#include <sys/resource.h> 
! #include <sys/fcntl.h> 

#include "firewall.h" 

--- 24,30 ---- 
#include <netdb.h> 
#include <sys/time.h> 
#include <sys/resource.h> 
! #include <fcntl.h> 

#include "firewall.h" 
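Review bot: the header swap from <sys/fcntl.h> to <fcntl.h> is the portable spelling, so this hunk is a candidate for the main tree rather than an Ultrix-only fix, consistent with the note above that neither patch should affect compiling elsewhere. As with the hmain.c hunk, the context lines have lost their indentation; apply with `patch -l` or edit the one line by hand.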
 



 
1.11: FIXMAKE - when to use, when not to
There's nothing at all wrong with the makefiles as distributed - however, they make use of an "include" directive to include the Makefile.config in order to provide a central place where customizations take place. Every version of make except the one shipped with BSD takes one form of the include command (include Makefile.config) but BSD make requires a different format (.include "Makefile.config"). What fixmake does is to edit the include directives in the makefiles to the form that is correct for your system. The old fixmake deleted the "include" commands and actually inserted the current contents of the Makefile.config - this meant that if you edited the Makefile.config you had to do a "fixmake unfix; fixmake" to propagate it. That's why 2.0 reformats the include directives only - changes to Makefile.config are reflected immediately. 

Now, it's true that if you run fixmake on a non-BSD system, it'll break the makefiles - fixmake unfix will put them back - but the README is pretty clear about when you need to fix and when you don't. For Linux you (probably) don't. 
 
1.12: I am getting "xxx-gw.c: differs from default RCS version" errors when trying to apply a patch
If you don't care about the revision control system, just run "find . -name RCS -exec rm -rf {} \;" in your FWTK root dir before you try applying the patches. 



Running the FWTK - General Questions
 
2.1.1: Where can I get example copies of system files, such as rc*, netperm-table, and inetd.conf for FWTK?
You can find examples of the system files in the $FWTK/conf directory. Remember that these should only be used as a guideline and may/may not reflect the settings on your system. 
 
2.1.2: Why are my timestamps messed up in my logfile? 
You probably are running the toolkit in a chrooted environment. Because of that, you need to copy the timezone file to the chrooted directory. Places to look for the "localtime" file are /etc/zoneinfo, /usr/lib/tztab , /usr/share/lib/zoneinfo, /usr/contrib/lib/zoneinfo, /usr/lib/zoneinfo, etc. 
 
2.1.3: I can't seem to get the right files to run chrooted under Solaris.
Check the man page for ftpd. It has a script that you can use to build the chrooted directory tree. If things still do not work (which may happen if a proxy requires files or libraries that ftpd does not) then it may be helpful to try 

truss chroot <newroot> <command> 

and see what fails. 
Be aware that syslog breaks under a chrooted environment on Solaris: Sun changed the behaviour as of SunOS 5.5 and newer without documenting it in the relevant man pages. A device entry is missing: /dev/conslog must exist within the chroot()'ed environment. You might also need Neil Readwin's patch to create the special /etc/syslog.pid file, which can be found at /patches/sun-syslog.pch
 
2.1.4: Why doesn't FTP work with my web browser?
Change the FTP Proxy settings of your web browser to point to the same host name and port number of your http proxy. 
 
2.1.5: Why are connections to the proxies so slow?
Make sure that your DNS resolver can be reached. The toolkit tries to do host<==>IPAddr lookups, so if your nameserver is slow or down, it will slow all of the connections down. 
 
2.1.6: How do I proxy UDP packets with the toolkit?
The FWTK doesn't handle UDP packets; it only works with TCP. If you want to proxy UDP (for Quake, Realaudio, etc.), then check out the patches section of this FAQ for udprelay. 
 
2.1.7: How do I publish web pages through the firewall?
The problem here is not with the FWTK, but instead with the clients. Netscape, as of yet, will not let you use a proxy server (besides their own) to publish pages. 

The only solution is to use ftp-gw and manually put the files on the web server. 
 
2.1.8: I am trying to get ftpd from the toolkit working... 
Don't. It is very out of date and contains some bugs. Look at using another ftp daemon, like wu-ftpd.
 
2.1.9: How do I get the toolkit to run under MacBSD?
You can look at the MacBSD/FWTK FAQ, written by Aaron S. Magill, which is found at macbsd-faq.html
 
2.1.10: Is there a way to setup a VPN using the FWTK?
At this time, no, and I doubt that TIS will add it in the near future since it is an important addition to Gauntlet. You might want to look at ssh, mentioned in this FAQ, for secure telnet connections between hosts. 
 
2.1.11: Is the FWTK year 2000 compliant?
The real answer is that since FWTK does nothing with dates other than logging, there's no problem with anything that I know of with respect to Y2K. 

I would make sure that your operating system and hardware will support year 2000. As long as that is true, you should be okay. The only way to verify it is to test it first in your environment. 
 
2.1.12: Host address lookups fail with "failed to connect to server test (80) reason: hostname unknown"
In order for the FWTK to work correctly, you must have your /etc/resolv.conf configured correctly and, in some instances, be running BIND. 

Programs on some OSs don't automatically use DNS (assuming that's your default name service). Programs you compile from source can be made to use it if they call the res_*() routines and you link with -lresolv. Most programs in the system, though, look in static system files (i.e. /etc/hosts) and then in NIS (formerly "yellow pages") if it is configured. 

A nice package which gets around this is resolv+2.1.1. (version # may be later now).  It works by substituting its own versions of the gethostby{name,addr} routines in the /lib/libc.so file. Those versions call DNS.  When set up, every system binary that uses these routines can automatically use DNS.  resolv+2.1.1 is a subset of what you get with BIND, which also includes a replacement for DNS. It's a good substitute for the more general /etc/nsswitch.conf and /usr/lib/libnsl in Solaris. Check your favorite search engine. 
 
2.1.13: I can't start the toolkit; I am getting "Failed to bind to port XXX" or "Address already in use".
That depends on how you're starting things. Only one process can listen on a given port and address combination. Having an entry in your inetd.conf for a port (http, for example) will cause the error above if you try to start a proxy in daemon mode on the http port if you already have a web server running. You should go through your inetd.conf and remove all the unnecessary lines, specifically the "login", "telnet", and "ftp" lines. Best make it empty then turn on what you *really* need - you are probably wide open at this point with all sorts of unnecessary services. 
 
2.1.14: Does the proxy hide internal addresses? What are the "illegal" addresses?
Yes. You may use "illegal" addresses inside of your firewall, as long as your external interface's address is assigned by either the Internic or your ISP. 

Here is the list of "illegal" addresses (per RFC 1918): 
 
    Subnet address   Broadcast address   Prefix
    10.0.0.0         10.255.255.255      10/8
    172.16.0.0       172.31.255.255      172.16/12
    192.168.0.0      192.168.255.255     192.168/16

 
2.1.15: Should I be able to ping the Internet from the internal network?
NO! If you can, then you are leaking packets. Check the routing setup on your firewall box. Also make sure that you do not have another unprotected route to the Internet. External pings may easily be stopped at two points: at the router, where the ICMP service requests may be blocked (while maintaining the ability to ping the server from within the network), or the kernel can be recompiled to not include ping (ICMP) responses since the kernel responds to the ping. 
 
2.1.16: How do I specify a subnet mask in the netperm-table?
Use "network-number:netmask" or something like: 

    111.222.0.0:255.255.0.0 

This feature is only available in FWTK 2.x and above. 
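An added example (not FWTK code) of checking a client address against the two host-pattern forms this FAQ shows for netperm-table rules: "network-number:netmask" as above, and a dotted prefix ending in "*" (as in the "10.*" of the plug-gw SSL line later on this page). The matching rules, including the rejection of a non-contiguous netmask, are this example's own assumptions, not a reading of the toolkit's source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a dotted quad into a host-order value; returns 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* "net:netmask" form. Rejects a non-contiguous mask such as 255.0.255.0,
 * which in a firewall rule is almost always a typo that widens the rule. */
static int match_masked(const char *pattern, const char *colon, uint32_t ip)
{
    char net[16];
    size_t n = (size_t)(colon - pattern);
    uint32_t netaddr, mask, inv;
    if (n >= sizeof net)
        return -1;
    memcpy(net, pattern, n);
    net[n] = '\0';
    if (!parse_ipv4(net, &netaddr) || !parse_ipv4(colon + 1, &mask))
        return -1;
    inv = ~mask;
    if (inv & (inv + 1))          /* host part must be a run of trailing 1 bits */
        return -1;
    return (ip & mask) == (netaddr & mask);
}

/* Dotted form with optional trailing "*": "10.*", "192.168.1.*", "192.168.1.7". */
static int match_dotted(const char *pattern, uint32_t ip)
{
    unsigned oct[4] = { ip >> 24 & 255u, ip >> 16 & 255u, ip >> 8 & 255u, ip & 255u };
    const char *p = pattern;
    int ok = 1;
    for (int i = 0; i < 4; i++) {
        char *end;
        unsigned long v;
        if (*p == '*')
            return p[1] == '\0' ? ok : -1;   /* "*" must be the last component */
        v = strtoul(p, &end, 10);
        if (end == p || v > 255)
            return -1;
        if (v != oct[i])
            ok = 0;                          /* keep validating the rest of the pattern */
        p = end;
        if (*p == '\0')
            return i == 3 ? ok : -1;         /* four octets, or a too-short pattern */
        if (*p != '.')
            return -1;
        p++;
    }
    return -1;                               /* more than four components */
}

/* Returns 1 if addr matches pattern, 0 if it does not, -1 if either is malformed. */
int netperm_match(const char *pattern, const char *addr)
{
    uint32_t ip;
    const char *colon;
    if (!parse_ipv4(addr, &ip))
        return -1;
    colon = strchr(pattern, ':');
    return colon ? match_masked(pattern, colon, ip) : match_dotted(pattern, ip);
}

int main(void)
{
    /* constructed sample rule and client addresses */
    const char *rule = "111.222.0.0:255.255.0.0";
    printf("%s vs 111.222.5.9 -> %d\n", rule, netperm_match(rule, "111.222.5.9"));
    printf("10.* vs 10.4.4.4 -> %d\n", netperm_match("10.*", "10.4.4.4"));
    return 0;
}
```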
 
2.1.17: Why do I get an "inetd: xxx-gw/tcp: unknown service" error when I start a proxy?
It means that a service that you listed in your /etc/inetd.conf file doesn't match a service in your /etc/services file. 

For example, look at your inetd.conf line: 
    ftp-gw stream tcp nowait root /usr/local/etc/ftp-gw ftp-gw 
The last token is the service name; change it to ftp and you should be OK. 

Also, if you are running Solaris 2.x, make sure that the services line in your /etc/nsswitch.conf is configured correctly to look only in "files" and not in "nisplus". 
 
 
2.1.18: What is the maximum number of ethernet interfaces that the toolkit will support?
Since the proxies don't deal with interfaces (only addresses), they support as many interfaces as the platform on which they run. 

You may want to look at the bind-to patches. That will allow you to bind selected proxies to selected interfaces, rather than the un-patched behavior of binding to all of them. 
 
2.1.19: How do I enable PPTP using the FWTK?
Since PPTP control traffic runs on port 1723, you can easily plug that through with plug-gw. However, the encrypted tunnel traffic is GRE (IP protocol 47), which the FWTK can't handle since it is not TCP. You can't support PPTP using just the FWTK; you will need some other kind of packet filter to accomplish this. 
 
2.1.20: What is the configuration to allow ICQ?
Use udprelay on port 4000. Relay to icq.mirabilis.com then point your clients to the firewall. 
Disadvantage:  file transfers don't work - udprelay only works for ICQ chat. 
 
2.1.21: How do I wrap lines in the netperm-table?
Unfortunately, you can't. Every entry must fit on one line; a trailing "\" does not continue it onto the next line.
 
2.1.22: Which is the best way for starting FWTK: inetd or daemon mode in an "rc" script?
Definitely use an "rc" script. The FWTK 2.x proxies are designed to be run by themselves, so you don't need to worry about inetd speed or throttling problems.


    * auth
2.2.1: I keep getting segmentation faults when adding users...
The problem might be due to the db library that you are using. The authsrv program will build without complaining when you use -ldb in the Makefile, but will then crash. You must rebuild and install the full version of gdbm-1.7.x with the ndbm and dbm compatibility options. 

Also make sure that you are using a recent version of your compiler. 
 
 
2.2.2: How do I use SecurID/Skey with the toolkit?
First, you must obtain the SecurID library from Axent Technologies (Security Dynamics) or the Skey library. To compile SecurID support into the toolkit, change the "tis_sd_init" reference in securid.c to "sd_init". The "tis_" variant is a TIS fix that ships with Gauntlet, since the SecurID software won't work well with multi-homed hosts. 
For both, you need to edit the Makefile in the auth directory so that the proper modules are compiled and linked. Remove the "#" from the "SKEYDIR=" (etc.) lines and re-make. 

    #if you are using the SKEY modules, define SKEYDIR to be the source 
    #directory where the SKEY libraries and include files are. 
    #SKEYDIR=../../skey 
    #SKEYINC= -I$(SKEYDIR) 
    #SKEYLIB= $(SKEYDIR)/libskey.a 
    #SKEYOBJ= skey.o 

    #if you are using the SecurID module, define SECURDIR to be the source 
    #directory where the SecurID libraries and include files are. 
    #SECURDIR= /var/ace/client 
    #SECURLIB= $(SECURDIR)/sdclient.a $(FWLIB) 
    #SECURINC= -I$(SECURDIR) 
    #SECUROBJ= securid.o

2.2.3: Does authsrv ever disable users automatically?
Yes, it will after 5 unsuccessful login attempts. 
 
2.2.4: Why do I get "Unrecognized command parameter" errors when adding users?
This is a bug in FWTK 2.0. Either upgrade to FWTK 2.1 or apply the authsrv patches available on the TIS FTP site: 

    ftp://ftp.tis.com/pub/firewalls/toolkit/patches2.0/
 
2.2.5: I am getting lots of "undefined references" when trying to compile.
In your skey Makefile, you haven't defined your encryption type. Uncomment these two lines:

# MD5
LIBOBJS=skeylogin.o skeysubr.o md5c.o put.o skey.o

# MD5
CFLAGS=$(CDEBUGFLAGS) $(HASSTDLIB) -DSKEY -DMD5


    * ftp-gw
2.3.1: Why can't I FTP to an Internet site using a command-line FTP program?
The traditional Unix ftp program can be used in a proxy environment by first connecting to the proxy server and then issuing some command to get to the final destination.  For example, to ftp from inside a company to your favorite ISP, you would do something like this: 
    # ftp proxy-server 

    Welcome to the proxy server.... 

    User (proxy-server:(none)): username@my.isp.net

    Connected to my.isp.net 
    Password required for username 
    Password: 
     

There are also some proxy aware ftp tools.  For example, WS_FTP or CuteFTP (for the Windows world) allows more transparent access by simply setting a configuration option. 
 
2.3.2: How do I FTP through multiple ftp-gw servers?
FTP to the first firewall in the chain. At the "username" prompt, type "username@target-host@second-firewall". The second firewall will connect to "target-host" and ask for a password. This is similar to the password hacks (user@password@host) that you can use with things like CuteFTP or WS_FTP. 
 
 
2.3.3: What does "500 Illegal PORT Command" mean?
The "Illegal PORT Command" error message is coming from your FTP client. I don't know what it is expecting or what's wrong with what it's hearing. Is this FWTK 2.1? Perhaps you're using one of the older versions of FWTK that sent the PORT command as two separate write() operations - some FTP clients expect to see the PORT and terminating cr/lf in a single packet. You can also try setting your client to use PASV mode.
 
 
2.3.4: Why do some sites refuse my connection?
Actually, this is usually not a FWTK problem. 

Make sure that the remote FTP site can perform a reverse-DNS lookup of the external interface of your bastion host. An increasing number of sites will refuse to accept host attachments unless your host name is verified. 
 
2.3.5: Why does FTP hang when getting a directory listing or downloading a file?
This happens because a router or firewall between ftp-gw and the remote FTP server is blocking the connection that comes back in response to the PORT command. FTP uses two connections: a control connection (made to port 21 on the target host) and a data connection. The data connection uses a random port; which port number gets used is up to your operating system. Check to see where that connection is dropped.

If you have a Checkpoint firewall, you should be running at least FWTK 2.1 and you should apply the patch which allows you to specify the data port. The data port should be set to 20.


    * http-gw
2.4.1: My http-gw keeps hanging; Why is http-gw freezing, but the server responds to pings?
You can either upgrade to FWTK 2.x and run the individual proxies as daemons (bypassing inetd completely), or follow the below directions. 

Most inetd's based on BSD inetd have a throttle built into them such that if more than about 60 connects per minute come in on any well-known port, inetd figures the server is looping or something else has gone awry and shuts down the service. To fix this, change your current /etc/inetd.conf file to look like this (note the "nowait.1000"): 
            http-gw    stream    tcp    nowait.1000    root    /usr/local/etc/http-gw    http-gw 

If this line doesn't work, check the man page for inetd. 
If you are running SunOS 4.1.x, you'll need to patch inetd. The appropriate SunOS patches are as follows: 
 
    SunOS version          Patch
    4.1.1, 4.1.2, 4.1.3    100178
    4.1.3_U1               101618
    4.1.4                  102416

They are all a drop-in replacement for inetd allowing you to specify the number of connections to be handled in a minute on the command line at startup (usually in /etc/rc for SunOS), e.g. 

/usr/etc/inetd -r 1000 
 
2.4.2: How do I get SSL/HTTPS working with the toolkit?
It is very easy. Just make sure that you are running version 2.x of the toolkit and point the Security Proxy setting of your browser to the same host name and port number as your http proxy. With version 2.x, you can also use the SSL tunneling support in plug-gw. From plug-gw.c:

        To use as an SSL plug, include a line like 
             plug-gw: port 4430 10.* -plug-to https -ssl 
        Meaning listen on port 4430 for connections from 10.* which are interpreted as ssl security handoff proxy requests. 
 
 
2.4.3: Authentication (-authall) doesn't work with http-gw. How do I get authentication working with the toolkit?
There is no authentication support in http-gw, primarily because it's very hard to do it right. There are proxies (like squid) that do a "good enough" authentication for most people. Doing it "right" means that you can use one-time password sources for authentication without permitting replay of the authentication info (such as the user name and password). 

Most people don't care about replay. Squid and squid-gw may fit the bill for you. 
 
2.4.4: How do I run http-gw and a web server on the same machine? 
Use a normal httpd configuration such as stand-alone Apache on port 80. Set up the http-gw proxy on another port (e.g. 8080) for outgoing connections from internal users. You might also want to set the "No proxy for" setting in the browsers so they do not go through the firewall for your web server; otherwise it will slow down your connections to the web server. 
 
2.4.5: What does "Network error: net_flags[X] >set (read)" mean?
This means that something attempted to read on a connection that had failed. In the past, this would have left a hung http-gw that wouldn't die. It's really an indication of a bug in the http-gw code somewhere - an error happened on that connection at one point so we shouldn't be re-reading from that socket. The code captures this case and quits. 
 
2.4.6: Why do targets (on pages) with spaces get destroyed?
URLs should not contain spaces. People behind the firewall are "protected" from %## characters in URLs and usually can't use URLs containing them. The coder of the page should be using underscores or dashes instead. 
 
2.4.7: How do I change the output of http-gw when I connect to FTP sites? 
If it was easy it would have been changed :-). It is not easy; the proxy has to create an HTML page describing the FTP directory. There's no simple way to obtain file type or size information that the proxy could use. The FTP code in http-gw is somewhat limited: it tries to handle different client types by using a listing format that does not provide size information. (There is no standard format for a directory listing that includes this information; long list formats are OS-dependent.) 

The easy things to change are the icons, but they are stored in the executable. However, you can specify an alternate location and provide your own icons.

Put this into your netperm-table:
http-gw: icon-source http://mywebserver/firewallicons/

One of the following will be appended to the above path.

menu.gif menuplus.gif html.gif gif.gif jpeg.gif image.gif audio.gif search.gif telnet.gif video.gif cso.gif macbin.gif dosbin.gif binary.gif text.gif blank.gif
 
2.4.8: Http-gw keeps core dumping on a BSD variant.
It is an OS issue. Just rename the variable "offtime" to something else. 
 
2.4.9: How do I FTP files through http-gw as a specific user?
Try using "ftp://user@hostname.dom".  If a password is required, the browser will display a dialog box. Otherwise, you can use "ftp://user:password@hostname.dom" This should work if you can normally do an ftp from your machine to the desired machine. 
 
2.4.10: Why do I get an error like "The response 'http-gw@firewall' is not valid" when trying to FTP in a browser?
Http-gw builds a password to send using the full hostname of the firewall. You should fix your firewall system to use the fully-qualified domain name as the hostname ("hostname firewall.your.domain" somewhere in the startup files.) 
 
2.4.11: Why does http-gw return blank pages to my Netscape browser?
Actually, this is not a FWTK issue. When Netscape 3.x and below reads some Microsoft FrontPage pages, it displays the background, but no text. It seems to be a known bug that Netscape fixed in its Communicator 4.x, but never publicly acknowledged. Example code that causes it to choke: 

    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> 
    <meta name="GENERATOR" content="Microsoft FrontPage 2.0">
Upgrade to 4.x or above to fix. 
 
2.4.12: Http-gw causes my browser to display "document contains no data".
Make sure that you have created the http-gw directory that you specified in the netperm-table and that you have the appropriate chroot() files in that directory. Be sure the http-gw is being run by a user that can read that directory. 

Example: 

    http-gw:        directory /usr/home/www
You may also get this error when you are trying to FTP. In that case, configure your web browser's FTP proxy to point to the same port that it uses for http. 
 
2.4.13: How do I forward http requests from the firewall to an internal web server?
The http-gw is designed to permit trusted hosts to cross a firewall to access http servers. It is not designed to be used to permit untrusted hosts access to your inside network. Your best bet for this is to use a plug-gw; however, that will not protect the web server from penetration attempts. 

You can, however, use something like: 
        http-gw: forward * -protocol http -tohost server:80 
"forward /" means to forward anything that starts with "/". You've got to be specific about the protocol, else it seems to try gopher. 

I don't think that using http-gw backwards this way is such a great idea because of problems like this; besides, it's not designed to protect things when used this way. One example of why this is the case is the support for security proxying. If you don't rip CONNECT support out of the source, your inbound http-gw can be used to telnet right past the firewall to any host on the inside; probably not what you want. You MUST disable the https support; otherwise, anyone can telnet to the proxy and go: 
    CONNECT internal-ip-address:23 <return> <return> 
and get a telnet session uncontrolled right through your firewall. 

The best recommended solution: Put the web server in your firewall's DMZ and use plug-gw to pass traffic to it. Otherwise, if someone is able to break a security hole on your web server, they are then inside of your network.
 
2.4.14: URLs like "http://user:password@www.site.com" don't work...
This violates RFC1738 which states: 
    An HTTP URL takes the form: 
          http://<host>:<port>/<path>?<searchpart> 

Since http-gw follows the RFC spec, it does not allow "http://user:password@www.site.com" URLs.
 
2.4.15: FTP through http-gw gives a "-501 Unknown ftp problem" error message.
That will only happen if the connection is being terminated prematurely for some reason; the logs will probably show why. 
 
2.4.16: How do I disable FTP access in http-gw?
You should add a "ftp-proxy" line in your netperm-table. What "ftp-proxy foo" should do is to change the handling of ftp URLs from connecting to the target host to using the given ftp host. For example, if you send "ftp://target/dir/file" with a line in your netperm-table like "http-gw: ftp-proxy proxy", what will change is that the http-gw will connect to host "proxy" on the ftp port, then send "user anonymous@target" as the user (expecting that there's an ftp-gw proxy in use). Your netperm-table seems to be configured with the "ftp-proxy" having the name of a program to run; what you probably want is "http-gw: ftp-proxy 127.0.0.1". 
 
2.4.17: What is the configuration to connect to web servers running on non-standard ports?
Nothing special has to be done.  Just make sure that your browser's proxies and no-proxy list are properly set up, then ask it to show you a URL like "http://host.domain:port/page.html" 
 
2.4.18: Why am I getting "Error - 404.   Reason:  hostname unknown" errors?
Either your DNS is not working correctly on the firewall, or you're chroot'ing http-gw without providing the files it needs to use the resolver. Try taking off the chroot temporarily by changing the "directory" option in your netperm-table. 
 
2.4.19: What does "network connection closed during write" mean?
It means that the network connection between the proxy and either the browser or the web server was closed while the proxy was writing data. Often this happens because the user pressed the "stop" button. It's almost never a sign of a problem.


    * netacl
2.5.1: I am getting "Transport endpoint is not connected" errors
The "endpoint is not connected" error usually means that something has started up netacl with its stdin not connected to a network socket. Like most of the fwtk proxies, netacl is expecting to be started either as a daemon or from something that connects it to a socket, like inetd. Make sure that the netacl listener is started. 


    * plug-gw
2.6.1: What is the configuration for POP mail services?
Add a line to the netperm-table such as this and point your browsers to the firewall: 

    plug-gw: port popmail my.domain.*  -plug-to  pop.server.B -port popmail 
Also make sure that you add "popmail 110/tcp" to /etc/services and the appropriate line to /etc/inetd.conf or /etc/rc, if necessary. 
You can also look at cmd-gw, available in the FWTK patches at http://www.fwtk.org . 
Some things to think about: 
    1. pop3 sends usernames and passwords in the clear. You might want to consider APOP. 
    2. Unless you know the IP/hostname of the outside users and they are fixed, you could be opening your internal pop3 server to access from the outside. 
 
 
2.6.2: How do I use plug-gw to plug to a second proxy?
You can't use a plug-gw as an HTTP proxy, but you can use the plug-gw to forward the connection if the browser isn't set up to use that firewall as the proxy. 

When it's connecting to a web server - the plug-gw case - the browser sends "GET /page HTTP/1.0"; when it's connecting to a proxy the browser sends "GET http://host/page HTTP/1.0" and expects the proxy to decode the scheme and remove that before passing it on to the real server. Plug-gw won't work in this case. 
 
2.6.3: How do I plug samba/SMB (for Win95/WinNT file sharing) through the firewall? 
SMB uses 137 for the name service (UDP normally), 138 UDP for support services and 139 TCP for the session services. The only problem is that you won't automatically reconnect to a share, you have to do it by hand every time (after the time-out, plug-gw disconnects you). You might need to add an entry to your c:\windows\lmhosts file (create it, if it doesn't exist). 
 
2.6.4: How do I allow SQL requests through? 
Plug-gw is a TCP stream data processor. It does not support things that expect specific handling of URG, PUSH, etc.; those require an application-specific SQL proxy. 

MS SQL: 
    When people have tried this in the past it has been found to not work when plug-gw is used - the SQL Server protocol is sensitive to the data stream. If it writes 1200 bytes it expects to read all 1200 bytes in a single packet. Plug-gw does not guarantee that. Perhaps more recent versions of SQL server don't work that way any longer. 

Sybase: 
    You must be running a recent version of Sybase. Just use plug-gw. 

Oracle: 
    The listener for Oracle SQL*Net is on port 1525. Just use plug-gw to plug the request through. However, multithreaded SQL*Net does not work. 
 
2.6.5: What is the plug-gw config for Usenet News?
If you want a proxy specifically for news, look at nntp-gw located in the patches section of this FAQ. 

Or, if you want to use plug-gw follow these directions: 
Add a line to the netperm-table such as this and point your news readers to the firewall: 
    nntp: port nntp my.domain.*  -plug-to  ext.news.dom -port nntp 
Also make sure that you add "nntp 119/tcp" to /etc/services and the appropriate line to /etc/inetd.conf, if necessary.  For ease, define "news" internally to be the address of the news bastion host (firewall), and point users at the "host" named "news". 

If you have several external news servers,  pick a different port for each news server that you want to attach to, say 9001, 9002, etc., on the firewall box. Of course, you will most likely be attaching (plugging) to port 119 (nntp) on the actual news server(s). 

See the plug-gw docs for details. 
 
2.6.6: How do I make Microsoft SNA Server requests go through?
Run regedit.exe and make the following change: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SnaBase\Parameters\SnaTcp 

Create a value called Firewall, of type REG_MULTI_SZ, and populate it with the IP address of the proxy.  This does mean that you need to run plug-gw on both 1478/tcp and 1477/tcp. 
 
2.6.7: How do I plug to a Lotus Notes server?
Lotus Notes is actually one of the easier applications to proxy with FWTK.  Notes uses port 1352/tcp exclusively, so all you really need to do is set up plug-gw to listen on port 1352.  Something like this should work: 

    plug-gw:        port 1352 * -plug-to notes.server.dom -port 1352 
The real trick is the Notes end of things.  The intuitive thing to do would be to tell Notes to connect to your FWTK box and you'd see the server you were plugging to.  Not quite.  When you tell Notes to connect to a server by FQDN, it expects the response from the server to match the FQDN, or else it complains.  What you need to do is to create a connection doc (in your personal address book, for instance) that defines a correct connection to your Notes server. 
 
2.6.8: How can AOL clients get through the firewall?
The AOL client uses port 5190. Just use the following plug-gw config in your netperm-table

    plug-gw:    port 5190 192.168.0.* -plug-to Americaonline.aol.com -port 5190 
Also, there is a CCL directory under the AOL directory that contains a file called TCP.CCL (Macs have a file called TCP located in the Online Files directory).  This file has to be edited to point to your firewall address instead of AmericaOnline.aol.com. 
Be warned, however, that this can be insecure due to AOL's tunneling protocol. 
 
2.6.9: Why is plug-gw denying everything even though it is correct in the netperm-table?
It's supposed to look for entries first using the service name - the first argument - then, if there's none, look for plug-gw entries. 

If you run the plug with: 
    /<path>/plug-gw -daemon nntp nntp 
it will look for "nntp: ..." entries in the netperm-table. If there are none of those, it will look for "plug-gw: ..." entries. Running it with "plug-gw", or with "nntp-gw" and changing the netperm entries to "nntp-gw", will probably make it work. However, most netperm-tables have a "*: authserver 127.0.0.1 7777" line, which matches the "nntp" lookup; that line alone counts as a match, so the fallback to "plug-gw:" entries never happens and no port rule is found at all. 
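To see why the wildcard line shadows the fallback, here is a small simulation of the lookup order described above. It is an added example, not FWTK code, and it assumes the semantics the FAQ gives: entries whose name field matches the service the plug was started as (with "*" matching any service) are used first, and "plug-gw:" entries are consulted only when the service name matched nothing at all. Both tables are constructed.

```python
"""Simulation of the netperm-table lookup order described in the FAQ.

Added example, not FWTK code. Assumed semantics (as the FAQ states them):
rules whose name field matches the service the plug was started as are used,
"*" matches any service, and "plug-gw:" rules are only consulted when the
service name matched nothing at all. The tables below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    names: tuple      # names before the colon, e.g. ("smap", "smapd") or ("*",)
    attribute: str    # first word after the colon, e.g. "port" or "authserver"
    args: list        # the remaining whitespace-separated fields

    def matches(self, service):
        return "*" in self.names or service in self.names


def parse_netperm(text):
    """Parse 'name[, name...]: attribute args...' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        head, _, rest = line.partition(":")
        fields = rest.split()
        if not fields:
            continue
        names = tuple(n.strip() for n in head.split(",") if n.strip())
        rules.append(Rule(names, fields[0], fields[1:]))
    return rules


def lookup(rules, service):
    """Rules the proxy will see when started under `service`.

    Name matches (including the '*' wildcard) win outright; the 'plug-gw:'
    entries are only the fallback for a service with no entries of its own.
    """
    own = [r for r in rules if r.matches(service)]
    if own:
        return own
    return [r for r in rules if "plug-gw" in r.names]


def find_port_rule(rules, service, port):
    """First 'port <port> ...' rule visible to `service`, or None (deny)."""
    for rule in lookup(rules, service):
        if rule.attribute == "port" and rule.args and rule.args[0] == port:
            return rule
    return None


# Constructed table in the shape the FAQ warns about: the wildcard authserver
# line plus a port rule keyed on "plug-gw", while the plug runs as "nntp".
SHADOWED_TABLE = """
# netperm-table fragment (constructed)
*:        authserver 127.0.0.1 7777
plug-gw:  port nntp my.domain.* -plug-to ext.news.dom -port nntp
"""

# Same table with the port rule keyed on the name the plug was started with.
FIXED_TABLE = """
*:        authserver 127.0.0.1 7777
nntp:     port nntp my.domain.* -plug-to ext.news.dom -port nntp
"""


def explain(table_text, service, port="nntp"):
    """Human-readable verdict for one table and one service name."""
    rules = parse_netperm(table_text)
    seen = [r.attribute for r in lookup(rules, service)]
    rule = find_port_rule(rules, service, port)
    verdict = "permit" if rule else "deny (no port rule found)"
    return f"{service}: sees {seen} -> {verdict}"


if __name__ == "__main__":
    print(explain(SHADOWED_TABLE, "nntp"))     # only the wildcard line is seen
    print(explain(SHADOWED_TABLE, "plug-gw"))  # started as plug-gw: rule found
    print(explain(FIXED_TABLE, "nntp"))        # keyed on the service name: found
```

Running it prints a deny for "nntp" against the first table and a permit for the other two cases, which is exactly the difference between the three fixes the answer suggests: start the plug under the name the rules use, or key the rules on the name the plug is started under.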
 
2.6.10: How do I plug LDAP through the firewall?
LDAP runs on port 389. Just plug the requests from the client to the server. 


    * smap/smapd
2.7.1: smap doesn't work & logs show "bogus queue file, uid=6, mode=100600"
What this means is that sendmail found a queue file owned by UID 6 (probably uucp) but that sendmail was not running as that same uid. Normally, when you front-end sendmail with smap/smapd, you should be running sendmail setuid the same user that smap/smapd uses. 
 
2.7.2: How do I configure smap so that it rejects the mail in a way that the sender does not retry to send the message?
This probably should not be done through smap; you should just configure sendmail to bounce the message instead. 
 
2.7.3: Why am I getting "fwtksyserr: cannot chroot to /var/spool/smap:Operation not permitted" errors?
"Only the super-user may change the root directory." Is your 'smap' starting off life as the super-user? Other possibilities could be that the effective UID does not match the owner of the file, and is not zero; or the owner or group were specified incorrectly. 
 
2.7.4: How does smap handle temp files; what should I do with old xmaXXXX/smaXXXX files?
I think you'll find that the system works as follows: 
  • smap gets a connection
  • smap opens xmaXXXXXX (see the variable 'tempfile')
  • smap receives the message and closes 'tempfile'
  • smap renames 'tempfile' to smaXXXXXX (see the call to add_too_file() and the function itself)
  • smapd wakes up every x (60?) seconds and looks for smaXXXXXX
  • smapd calls sendmail to send smaXXXXXX
    • if delivery succeeds, smapd removes smaXXXXXX
    • otherwise, smapd moves smaXXXXXX to 'baddir'
  • that's it.
So, if you have 'old' xmaXXXXXX files lying around, either delete them, or: 
  • rename xmaXXXXXX to smaXXXXXX
  • watch the log file as smapd tries to process them; you'll see either
    • file delivered successfully -> the file is now gone, or
    • some complaint from smapd -> you can delete the file.
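The rename step above, done carefully, as an added example (not FWTK code): it renames only xma files that have sat untouched long enough that smap has evidently abandoned them, and never over an sma name that already exists. The spool path is an assumption taken from the FAQ's own netperm-table example, and the demo spool is constructed.

```python
"""Housekeeping for stale smap temp files, following the FAQ's advice above.

Added example, not FWTK code. It renames xmaXXXXXX files that smap has
evidently abandoned to the smaXXXXXX names smapd scans for, so smapd either
delivers them or moves them to 'baddir' on its next pass. Files younger than
MIN_AGE are left alone because smap may still be writing them. The spool path
is an assumption taken from the FAQ's netperm-table example.
"""
import os
import tempfile
import time

SMAP_DIR = "/var/spool/smap"   # assumed: the "directory" line in the netperm-table
MIN_AGE = 3600                 # seconds; matches the smap timeout in the FAQ example


def stale_tempfiles(spool, min_age=MIN_AGE, now=None):
    """Names of xma* files in `spool` untouched for at least `min_age` seconds."""
    now = time.time() if now is None else now
    stale = []
    for name in sorted(os.listdir(spool)):
        path = os.path.join(spool, name)
        if not (name.startswith("xma") and os.path.isfile(path)):
            continue
        if now - os.stat(path).st_mtime >= min_age:
            stale.append(name)
    return stale


def requeue(spool, min_age=MIN_AGE, now=None):
    """Rename stale xma files to their sma names; return the names created.

    A file is skipped if the sma name already exists: that would clobber a
    message smapd may be processing right now.
    """
    created = []
    for name in stale_tempfiles(spool, min_age, now):
        target = "sma" + name[len("xma"):]
        src, dst = os.path.join(spool, name), os.path.join(spool, target)
        if os.path.exists(dst):
            continue
        os.rename(src, dst)
        created.append(target)
    return created


def make_demo_spool():
    """Constructed spool for a dry run: two old xma files, one fresh xma file,
    and an sma file that already uses one of the old files' suffixes."""
    spool = tempfile.mkdtemp(prefix="smap-demo-")
    old = time.time() - 2 * MIN_AGE
    for name, mtime in [("xma000001", old), ("xma000002", old),
                        ("sma000002", old), ("xma000003", time.time())]:
        path = os.path.join(spool, name)
        with open(path, "w") as fh:
            fh.write("Subject: constructed test message\n\nbody\n")
        os.utime(path, (mtime, mtime))
    return spool


if __name__ == "__main__":
    demo = make_demo_spool()
    print("stale:", stale_tempfiles(demo))   # ['xma000001', 'xma000002']
    print("requeued:", requeue(demo))        # ['sma000001'] (000002 skipped)
    print("left:", stale_tempfiles(demo))    # ['xma000002']
```

Run it against the real spool with `requeue(SMAP_DIR)` as the same user smap and smapd run as, then watch the log as the answer describes.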
 
 
2.7.5: Smap has received the e-mail, but how do I process the mail queue? 
You will need to start the smapd daemon in your startup file, in addition to a daemon that periodically scans the mail queue (the /usr/local/etc/mqueue script). The smap and smapd entries in the netperm-table tell smapd how to invoke sendmail. You will, of course, also need a valid sendmail configuration file, usually /etc/sendmail.cf, though that depends on your sendmail version and configuration. 

startup entries for smap/mqueue: 

    # smtp queuer 
    (cd /var/spool/mqueue; rm -f nf* lf*) 
    echo "    smtp queuer" 
    /usr/local/etc/smapd & 
    # process the mail queue for undelivered mail 
    /usr/local/etc/mqueue &
netperm-table entries for smap: 
    # Example smap rules: 
    # ------------------- 
    smap, smapd:    userid 15 
    smap, smapd:    directory /var/spool/smap 
    smapd:          executable /usr/local/etc/smapd 
    smapd:          sendmail /usr/sbin/sendmail 
    smap:           timeout 3600
That's really about all. You may also want to check your sendmail configuration rules with the usual tests, using /usr/bin/sendmail -bt. 
 
2.7.6: How do I append messages/disclaimers to the bottom of e-mail messages? 
A way of doing something similar is to hook in not between smap and smapd but between smapd and sendmail. It works like this: 

In netperm-table: 
smapd:  sendmail /my/own/sendmail-wrapper 

Write a program named /my/own/sendmail-wrapper, which will be something like this: 

  1. The input command line is "/my/own/sendmail-wrapper -f from rcpt ...".
  2. Process the message text read from the standard input.
  3. Invoke sendmail with the arguments "-f from rcpt ..." and feed the processed message text to sendmail's standard input (e.g. via a pipe from your standard output).
The advantage of this way is that you do not have to care about the internal matters between smap and smapd. 
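A sendmail-wrapper of the kind those three steps describe, as an added example (not FWTK code): it appends a disclaimer after the message body and hands the result to the real sendmail with the arguments smapd passed. The sendmail path and the disclaimer text are assumptions; the sample messages in the comments are constructed.

```python
#!/usr/bin/env python3
"""A sendmail-wrapper of the kind the three steps above describe.

Added example, not FWTK code. smapd runs it as
"/my/own/sendmail-wrapper -f from rcpt ..." with the message on standard
input; it appends a disclaimer to the body and hands the result to the real
sendmail with the same arguments. SENDMAIL and DISCLAIMER are assumptions;
set them for your system.
"""
import re
import subprocess
import sys

SENDMAIL = "/usr/sbin/sendmail"   # assumed path to the real sendmail
DISCLAIMER = (                     # constructed text
    "\n-- \n"
    "This message passed through the firewall mail relay.\n"
)

HEADER_END = re.compile(r"\r?\n\r?\n")   # first blank line ends the headers


def append_disclaimer(message, disclaimer=DISCLAIMER):
    """Return `message` with `disclaimer` added after the body.

    Multipart (MIME) messages are returned unchanged: text appended after the
    closing boundary is ignored by readers or breaks the structure, so they
    are the edge case this wrapper deliberately leaves alone.
    """
    match = HEADER_END.search(message)
    if match is None:                       # headers only, no body at all
        head, sep, body = message.rstrip("\r\n"), "\n\n", ""
    else:
        head = message[:match.start()]
        sep, body = match.group(0), message[match.end():]
    if "multipart/" in head.lower():        # conservative: any multipart header
        return message
    if body and not body.endswith("\n"):
        body += "\n"
    return head + sep + body + disclaimer


def sendmail_argv(wrapper_argv, sendmail=SENDMAIL):
    """argv for the real sendmail: its own path plus the options smapd passed."""
    return [sendmail] + list(wrapper_argv[1:])


def main():
    # latin-1 round-trips arbitrary bytes, so the message is never mangled
    message = sys.stdin.buffer.read().decode("latin-1")
    result = subprocess.run(sendmail_argv(sys.argv),
                            input=append_disclaimer(message).encode("latin-1"),
                            check=False)
    sys.exit(result.returncode)             # smapd sees sendmail's exit status


if __name__ == "__main__":
    main()
```

Check the argument list smapd passes before relying on this: if it does not include sendmail's -i option, a body line consisting of a single dot ends the message early, and the disclaimer (or the rest of the body) is lost.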
 
2.7.7: Why do I get "SYSERR(smap): prescan: token too long" errors?
Although this error says "smap", it is in fact coming from sendmail's parseaddr module.  It is telling you that, in trying to interpret the header of an incoming alleged mail message one word ["token"] at a time, it came across one that was too long for its input buffer.  This input buffer is 256 bytes long. 
 
2.7.8: Why is mail getting sent with smap username instead of the actual sender? Why am I getting sendmail authentication warnings?
This is because smap is running without any privileges and sendmail recognizes it as the last "agent" to deliver the mail.  In order to get sendmail to recognize smap as a "trusted agent" (similar to the way "uucp" would be trusted in a dialup environment), ensure that the sendmail configuration file (sendmail.cf) contains a line indicating that smap is a trusted user: 

    Tsmap 
 
2.7.9: What does "smapd[xxxx]: discarding (OS error) pid=xxxx code=71" mean?
Sendmail returns this value if (among other things): 
  • it can't open a pipe to the delivery agent
  • it can't execute the delivery agent
  • the delivery agent returns EX_OSERR
  • sendmail cannot fork
  • setuid or setgid fails (RunAsUser...)

Make sure that the user you defined in the smap section of your netperm-table actually exists on the system. If it does, you are probably having other problems between your OS and sendmail. 
 
 
2.7.10: Sometimes I am getting "exiting too much data" errors from smap...
Smap is denying your e-mail since it is too big. Check the "maxbytes" setting in your netperm-table. 


    * syslogd
 
 
2.8.1: How do I separate the FWTK logs from the standard syslog file? 
The facility and level are set in your "firewall.h" file:
===========
/*
Choose a system logging level for the firewall
toolkit. All components of the toolkit will use
this value for logging entries.
*/
#ifndef LLEV
#define LLEV    LOG_NOTICE
#endif

/* Choose a system logging facility for the firewall toolkit.  */
#ifndef LFAC
#define LFAC    LOG_DAEMON
#endif
============

Just edit firewall.h so it writes to one of the local facilities and edit syslog.conf to handle them specially. 

Change firewall.h from: 
#define LFAC LOG_DAEMON 
   to 
#define LFAC LOG_LOCAL6 

Then just put something like 
    local6.* /var/log/fwtk 
in syslog.conf, and don't forget to "remove" the messages from the "catchall" entry, e.g. 

*.info;local6,mail.none  /var/log/messages 

Also make sure that you have enabled logging via your netperm-table using the "-log" parameter. 
 
 
2.8.2: How do I create separate log files for each service?
First, install the syslogd that is included with the toolkit. Then, edit your /etc/syslog.conf file to something like this: 

    # patterns to match for 
    "authsrv"                    /home/log/auth 
    "netacl.*fingerd"        /home/log/in-fingerd 
    "netacl.*telnetd"        /home/log/in-telnetd 
    "smap"                      /home/log/smap 
    "ftp-gw"                    /home/log/ftp-gw 
    "plug-gw"                  /home/log/plug-gw 
    "rlogin-gw"                /home/log/rlogin-gw 
    "tn-gw"                     /home/log/tn-gw 
    # Standard system logs 
    *.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug  /var/adm/messages 
    *.emerg                                         * 
    *.emerg;*.crit                                  /dev/console
Then, just send a HUP to the syslogd to make the changes active. 
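Before you HUP syslogd, it is worth checking that the quoted patterns catch what you expect. The following dry run is an added example, not the toolkit's syslogd: it assumes the quoted patterns are regular expressions searched against each message (their shape, such as "netacl.*fingerd", suggests this) and reports every file whose pattern matches; whether the real syslogd writes to all matching files or only the first is not stated here. The sample messages are constructed in the general shape of fwtk syslog output.

```python
"""Dry run of the per-service pattern lines in the syslog.conf above.

Added example, not the toolkit's syslogd. Assumptions: the quoted patterns
are regular expressions searched against each message, and the result lists
every file whose pattern matches. The sample messages are constructed.
"""
import re

SYSLOG_CONF = '''
# patterns to match for
"authsrv"                    /home/log/auth
"netacl.*fingerd"        /home/log/in-fingerd
"netacl.*telnetd"        /home/log/in-telnetd
"smap"                      /home/log/smap
"ftp-gw"                    /home/log/ftp-gw
"plug-gw"                  /home/log/plug-gw
"rlogin-gw"                /home/log/rlogin-gw
"tn-gw"                     /home/log/tn-gw
# Standard system logs
*.info                                          /var/adm/messages
'''

PATTERN_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')


def parse_patterns(conf):
    """Return [(compiled_regex, logfile)] for the quoted-pattern lines only;
    ordinary facility.level selectors are left to the normal syslog rules."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PATTERN_LINE.match(line)
        if match:
            rules.append((re.compile(match.group(1)), match.group(2)))
    return rules


def route(rules, message):
    """Log files whose pattern matches `message` (empty: standard rules only)."""
    return [path for regex, path in rules if regex.search(message)]


SAMPLE_MESSAGES = [  # constructed
    "Jun  5 09:40:08 fw netacl-fingerd[1234]: permit host=inside.my.domain/10.0.0.5",
    "Jun  5 09:40:09 fw netacl-telnetd[1235]: permit host=inside.my.domain/10.0.0.5",
    "Jun  5 09:40:10 fw smap[1240]: host=mail.example.org/192.0.2.10 bytes=1234",
    "Jun  5 09:40:11 fw tn-gw[1250]: permit host=inside.my.domain/10.0.0.5 destination=host.example.org",
    "Jun  5 09:40:12 fw kernel: eth0: link up",
]


def report(conf=SYSLOG_CONF, messages=SAMPLE_MESSAGES):
    """Map each sample message to the pattern files it would be written to."""
    rules = parse_patterns(conf)
    return {msg: route(rules, msg) for msg in messages}


if __name__ == "__main__":
    for msg, files in report().items():
        print(files or ["(standard rules only)"], "<-", msg[:60])
```

A message that matches none of the patterns (the kernel line above) falls through to the ordinary facility rules, which is why the catch-all "*.info" style entries still have to be present.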
 
 
2.8.3: Syslogd will not record anything under Linux
Apply the following patch in the syslogd directory: 

*** -     Fri Jun  5 09:40:08 1998
--- pathnames.h Fri Jun  5 09:41:08 1998 
*************** 
*** 53,58 **** 
--- 53,66 ---- 
  #define       _PATH_DEVNULL   "/dev/null" 
  #endif 
+ #ifndef _PATH_KLOG 
  #define       _PATH_KLOG      "/dev/klog" 
+ #endif 

+ #ifndef _PATH_LOGCONF 
  #define       _PATH_LOGCONF   "/etc/syslog.conf" 
+ #endif 

+ #ifndef _PATH_LOGPID 
  #define       _PATH_LOGPID    "/etc/syslog.pid" 
+ #endif 
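Review bot: the #ifndef guards silently defer to whatever the platform headers define, so on Linux the effective values of _PATH_KLOG, _PATH_LOGCONF and _PATH_LOGPID are no longer the literals shown on the three guarded lines; add a comment stating that these are fallbacks (and that the system header supplying the real values must be included before this point), since a reader of pathnames.h will otherwise assume "/etc/syslog.conf" and "/etc/syslog.pid" are in use. The guard pattern itself matches the existing _PATH_DEVNULL block visible in the context lines, so the style is consistent.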


    * tn-gw/rlogin-gw
2.9.1: Why does tn-gw either display double characters, no characters, or echo the passwords?
Something isn't properly doing the options negotiation. Try "telnet" (no hostname), then "set opt", "connect firewall", then "connect destination". See if there's something obvious going wrong in the different negotiation sessions. 

The basic problem is that it is extremely difficult to correctly proxy telnet: when your client connects to the proxy, it sends options negotiation commands to the proxy. We remember these and try to reset things to their prior state just before connecting to the real server. Back when the TELNET protocol was defined, this worked well; the settings were simple binary flags with no dependencies. Unfortunately, things that work well are often "improved". There are several options that have dependencies (for example, options 36, OLD_ENVIRON, and 39, NEW_ENVIRON). Many telnet clients try to enable NEW_ENVIRON and, if that fails, try OLD_ENVIRON. They REMEMBER that the proxy refused NEW_ENVIRON and OLD_ENVIRON. Then, once you connect, the server tries to negotiate NEW_ENVIRON again; the client remembers that it was refused permission to turn this on, so it ignores the server's request. That hangs the connection. Some servers don't like the negotiation flood that the telnet proxy sends when you first connect; that's what usually causes the double echo. 

All that we could do with the telnet proxy was to make it work as well as possible with as many clients as possible. Many telnet clients are broken (the Microsoft Windows 9x one, for example); the double echo you're seeing is probably due to the fix for the broken Windows Telnet client. 

For some broken cases, you can fix things by playing around with telnet commands (echo, etc.) after the connection is made. 
 
2.9.2: How do I configure tn-gw to allow me to telnet to the firewall machine itself?
Configure tn-gw as you normally would. Then, check the example $FWTK/conf/netperm-table or use the following lines in your netperm-table: 

    netacl-telnetd: permit-hosts 127.0.0.1 -exec /usr/libexec/telnetd 
    netacl-telnetd: permit-hosts (your.own.ip.address) -exec /usr/libexec/telnetd 
    netacl-telnetd: permit-hosts (your.internal.ip.addresses) -exec /usr/local/etc/tn-gw 

    netacl-rlogind: permit-hosts 127.0.0.1 -exec /usr/libexec/rlogind -a 
    netacl-rlogind: permit-hosts (your.own.ip.address) -exec /usr/libexec/rlogind -a

2.9.3: How can I make it transparent for people to telnet through the firewall?
There's a script in the tools/client/misc directory called "tn" (it requires Expect), which will accept a host and port on the command line just like telnet does, but it will operate the tn-gw for you, and make it seem that you can telnet directly to any outside destination. 

Expect can be found at the following site: 
ftp://ftp.cme.nist.gov/pub/subject/expect


    * x-gw

    END OF FAQ