Archive-name: tis_and_macbsd-faq
Posting-Frequency: whenever updated
Last-modified: May 9, 1996
Version: 0.1
Trusted Information System's Firewall Toolkit and MacBSD Frequently Asked
Questions
FAQ Maintainer: Aaron S. Magill <amagill@uiuc.edu>
For corrections or comments, please send them to the address given above.
While I make no promises as to how often this will be updated, I will
work to keep what is given in here accurate.
About the FAQ
This FAQ is not a specific endorsement of TIS's fwtk. The purpose of this FAQ
is to show how the fwtk can be used with MacBSD to provide internet connectivity
for a local network to the Internet under specific situations. The FAQ may be
expanded at a later date to include a more detailed analysis of the fwtk, and
its use as a Firewall, on other systems. Then again, it may not be.
I began using the fwtk because I have a local network (currently three machines)
and only one IP address, dynamically allocated by my provider. By using the
application proxies in the fwtk, I can access the internet from any machine on
my local network. I chose the fwtk because it was freely available. As my
intention was not to create a secure environment, at this time, I do not plan to
give specific information concerning creating a secure environment. The
information provided here may be usefull to people interested in setting up a
secure site, but be warned, I take no responsibility for any harm or injury that
arises from using the information provided here. For information provided by
TIS concerning this product and its use as a firewall for security purposes, see
the section on getting more information.
Most of the information contained in here will probably work on machines other
than MacBSD systems as well. However, minor differences may exist which will
need to be addressed by someone more familliar with the system in question.
This FAQ is geared towards MacBSD specifically. If it works for other systems
as well, thats great! If not, well, hopefully at least the section on
configuring the FWTK is usefull.
Contents:
Software and Documentation
1. What is the Firewall Tool Kit?
2. What is MacBSD?
3a. Where can I get the fwtk?
b. Where can I get more information about the fwtk?
4a. Where can I get MacBSD?
b. Where can I get more information about MacBSD?
5. Specifically, what type of network does this FAQ pertain to?
Setting up the MacBSD host
6. How can I compile the fwtk under MacBSD?
7a. How do I setup a PPP connection to my provider?
b. More info about serial ports under MacBSD
8. How do I setup my internal network?
9. How do I setup PPP to a machine on the local network?
10. How do I setup an Ethernet connection to another machine on
my local network?
Setting up the FWTK
11. What files do I need to modify?
12a. How do I setup the fwtk for FTP?
b. How do use FTP from a machine on the local network?
c. How do I use FTP from my MacBSD host?
13a. How do I setup the fwtk for Telnet?
b. How do I use Telnet from a machine on the local network?
c. How do I use Telnet from my MacBSD host?
14a. How do I setup the fwtk for HTTP?
b. How do I use Web Browsers from a machine on the local network?
c. How do I use Web Browsers from my MacBSD host?
15a. What is the passthru proxy, and how do I configure it?
b. How can I read/send mail from my POP mail server?
c. How can I read/post news from my NNTP news server?
Other Information
16. What are the limitations in using the fwtk?
------------------------------------------------------------------------------
1. What is the Firewall Tool Kit?
------------------------------------------------------------------------------
The Firewall Tool Kit (fwtk for short), provided by Trusted Information
Systems (TIS), is a set of application proxies which, when configured correctly
on a firewall, provides controlled access to and from the Internet for a local
network. Used in conjuction with a screening router, and with a properly
configured host, it can provide a comfortable level of security for most sites,
with limited impact on the users.
It provides a single point through which all traffic in to and out of the local
network must pass. It is this feature which makes the fwtk usefull for people
with a single IP address (usually) provided by a dial-up internet connection.
------------------------------------------------------------------------------
2. What is MacBSD?
------------------------------------------------------------------------------
MacBSD is a varient of BSD unix which runs on many 68030 and 68040(?) Macintosh
computers. Properly speaking, it is a subset of the NetBSD project. It is
based on the BSD 4.2 sources, and runs comfortably on many older Macs, in as
little as 4mb of memory and 40mb of disk space.
It is work in progress, but most of the work to still be done is concerned with
expanding the number of machines it will run on, and the peripherals it will
work with. From a users standpoint, it is pretty much identical to the BSD
unix found on many other traditional work stations. Most software that will
compile under BSD (that doesn't have machine specific requirements) will compile
under MacBSD (at least in my experience.)
------------------------------------------------------------------------------
3a. Where can I get the fwtk?
b. Where can I get more information about the fwtk?
------------------------------------------------------------------------------
The fwtk can be obtained by anonymous ftp from ftp.tis.com. It can be found
in /pub/firewalls/toolkit/fwtk.
The documentation for the fwtk can be found in the same directory. Information
concerning firewalls in general, and Gauntlet (their commercial firewall
system), can also be found at the site in /pub/firewalls.
http://www.tis.com/ contains their homepage, and includes more information
about the company and the software they provide.
As far as I know, they do not specifically support the fwtk, though bug fixes
may be made occasionally. For more information concerning this, check the
Great Circle Firewall mailing list.
There is also information available at the FWTK Fan Hub (
http://www.nucleus.com/~dreamwvr/firewall.htm).
------------------------------------------------------------------------------
4a. Where can I get MacBSD?
b. Where can I get more information about MacBSD?
------------------------------------------------------------------------------
These two questions are given in detail in FAQs maintained by others. The
"Home" for NetBSD in general can be found at http://www.netbsd.org/.
FAQs pertaining to MacBSD can be found at http://puma.bevd.blacksburg.va.us.
------------------------------------------------------------------------------
5. Specifically, what type of network does this FAQ pertain to?
------------------------------------------------------------------------------
This FAQ describes how I setup the fwtk to allow me to connect three machines
at home to the Internet, through a dialup provider which supplied me with only
one IP address (dynamically allocated, at that.)
The network can be diagrammed something like this:
host1 --- host2 --- host3
|
|
modem --- internet provider
Where host1 is a PowerMac, host2 is a Mac IIx running MacBSD, and host3 is a
PC running Linux. With the exception of host2, the other hosts could be
pretty much any machine, running any OS, so long as it supported TCP/IP for
network communications. The number of hosts which can be connected in this
manner is limited only by the networking method and the capabilities of the
MacBSD host and your internet connection.
So far, I haven't noticed a slow down which could be traced to the MacBSD
host, so a Mac IIx, with 8MB of RAM, and 16MB of swap space is probably
sufficient for a fairly small network. The slowdowns I have seen have been
due to the 28.8k modem. File transfer rates are still at around 4.5k/sec
under Fetch on the PowerMac (which is what they were at when the modem was
connected directly to it.) I have successfully supped a new kernel, while
actively using Netscape on the PowerMac and FTP under linux to download
new kernel sources. While the times did slow down, it was no more so than
I would have expected, had I been downloading something on the PowerMac
while surfing the web.
------------------------------------------------------------------------------
6. How can I compile the fwtk under MacBSD?
------------------------------------------------------------------------------
After expanding the tarred archive, the following steps need to be taken to
get the fwtk to compile under MacBSD (v1.1-current as of 2/15/96):
First, in the fwtk directory, run 'fixmake'. This modifies the Makefiles
to conform to BSD standards, rather than the Sun standards.
Then, in the following files:
ftp-gw/ftp-gw.c
http-gw/gauthd.c
http-gw/http-gw.c
lib/conn.c
lib/syslog.c
tn-gw/tn-gw.c
x-gw/ulib.h
change the following line:
extern char *sys_errlist[];
to:
extern const char *const sys_errlist[];
You will also need to add -lcrypt to the AUXLIBS line in auth/Makefile.
If you are running a kernel from late April or more recent, you may find
it necessary to add the following line to the begining of lib/daemon.c:
#include <sys/cdefs.h>
********************** Special, untested X support fix ************************
In recently recompiling the fwtk, I realized that I also made some changes in
the x-gw code. I haven't tested the changes, as I am not running any kind of
X services through the firewall, so if someone makes these changes out there,
let me know if it works properly or not.
In the x-gw directory, in the files getenv.c, setenv.c, and x-gw.c, change
*every* reference to getenv, setenv, or unsetenv to my_getenv, my_setenv, and
my_unsetenv respectively. This includes the function definitions (this is a
total of about 6 lines to change. I forget the exact number.)
What is happening is that the functions used by the x-gw code already exist
in MacBSD's libraries. The prototypes are different enough that I couldn't
figure out a simple translation (without extensive tests that I can't
currently perform.) So, instead, I renamed the functions so everything will
compile. I'm not sure if the functions included in the FWTK work or not,
since I can't test them, but they do compile with these changes.
You may also need to change the XLIBDIR definition in x-gw/Makefile to
XLIBDIR=/usr/X11R6/lib in order to get it to link to the appropriate libraries.
If anyone tries this, let me know if it works or not. Thanks!
*******************************************************************************
After making the necessary changes, make sure you are in the fwtk directory,
and type 'make'. You'll probably get a few warnings, but it should compile.
I didn't worry about the warnings, so I don't think that they matter much,
but I haven't really tested the X support, or the authentication support.
The other functions seem to work fine, though.
If all goes well, type 'make install'. This puts the binaries and
configuration files in /usr/local/etc.
If all does not go well, send me email including the error message, what
line and in what file the error occurs, and any other information you think
might be relavant (when your kernel was compiled, when you gcc and the
include files were last updated, etc.)
------------------------------------------------------------------------------
7a. How do I setup a PPP connection to my provider?
b. More info about serial ports under MacBSD
------------------------------------------------------------------------------
PPP scripts come in various shapes an sizes... no one I've seen has worked for
me without modification. You should probably consult the relavant FAQs
mentioned in the question about MacBSD above.
Here are some notes I have concerning PPP and Serial ports in general. They
may or may not be addressed in other FAQs... I really haven't checked.
38400 is used, even though the machine will handle 57600, because the faster
rate keeps the machine too busy to actually do anything with the data
transfered. I believe I was told that it had something to do with the interupts
for the serial ports overriding the interupts for the code which processed the
data. At any rate, large file transfers, when I used 57600 baud, would have a
50-50 chance of locking up the MacBSD host. When I dropped the speed, the
lockups disappeared, but transfer rates are almost as high as running on the
PowerMac at 115k (Ok, so I know that the data coming to the modem isn't that
fast. However, since my PowerMac will support it, why not use it? ;-)
The difference was not really noticable unless I had many tarnsfers from
multiple machines going on at once... and even then it was comprable to
having the same numebr of transfers going on on the PowerMac by itself.
Originally, I used a PPP connection through the modem, and another through
the other serial port to one of my other machines. Because both ports were
getting heavy use, I saw an awfull lot of overrings. I was able to reduce
these by changing the following lines in /usr/src/sys/arch/mac68k/dev/zsvars.h
and recompiling the kernel:
#define ZLRB_RING_SIZE 512 /* ZS line ring buffer size */
#define ZLRB_RING_MASK 511 /* mask for same */
were changed to:
#define ZLRB_RING_SIZE 1024 /* ZS line ring buffer size */
#define ZLRB_RING_MASK 1023 /* mask for same */
This was originally suggested to me by Bill Studenmund
(wrstuden@loki.stanford.edu).
------------------------------------------------------------------------------
8. How do I setup my internal network?
9. How do I setup PPP to a machine on the local network?
10. How do I setup an Ethernet connection to another machine on my local
network?
------------------------------------------------------------------------------
Again, consult the FAQs at Puma and netbsd.org concerning this.
A trick I use for my one machine connected via PPP to the main server is the
following. It may be included in other FAQs, but I really haven't checked.
I have one machine running Linux, and another running MacBSD. Because they
both startup at different speeds, and because both are run
"headless" at
various times (ie. without a Monitor attached) I put the pppd commands to
connect the two hosts into the /etc/ttys and /etc/inittab files attached to
the appropriate tty. (inittab is used under Linux, while MacBSD uses the ttys
file.)
The line in my /etc/ttys file under MacBSD is the following:
tty00 "/usr/sbin/pppd /dev/tty00 38400 passive -detach asyncmap
0x00000000
local defaultroute lock 192.168.1.3:192.168.1.1" unknown on secure
(This is all on one line, but it is greater than 80 chars.)
Under linux, I have a similar line.
(If you can get hardware handshaking working, add crtscts to the list of
options to the pppd process. So far, I have been unable to get it working
for my link, but I suspect that its becuase I have the wires wrong... I
made the cable to connect the Mac and the PC myself. Someday I'll get
it fixed, but right now its a low priority for me.)
What this does is start the pppd process in passive mode, which causes it to
wait until it gets a Link command from the other host. Then the connection is
made. The -detach option is required to keep pppd from
"detaching" the process
from the parent process which spawns it. Otherwise we get multiple pppd
processes attempting to grab the line and init kills the tty entry for 5 minutes
because it is respawning too fast.
------------------------------------------------------------------------------
11. What files do I need to modify?
------------------------------------------------------------------------------
In general, the only files you will have to modify are the following:
/etc/services, /etc/inetd.conf, and /usr/local/etc/netperm-table.
The changes which need to be made for your specific needs are listed in the
examples given below.
------------------------------------------------------------------------------
12a. How do I setup the fwtk for FTP?
b. How do use FTP from a machine on the local network?
c. How do I use FTP from my MacBSD host?
------------------------------------------------------------------------------
Once the software is installed, add the following line to your /etc/services
file:
ftp-a 22/tcp
In /etc/inetd.conf, remove the current line for ftp, and enter the following
lines in its place:
ftp-a stream tcp nowait root /usr/libexec/ftpd ftpd -l
ftp stream tcp nowait root /usr/local/etc/ftp-gw ftp-gw
Finally, in /usr/local/etc/netperm-table, make the ftp-gw entries match the
following:
#ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
#ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
#ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
# uncomment the following line if you want internal users to be
# able to do FTP with the internet
ftp-gw: permit-hosts 192.168.1.*
# uncomment the following line if you want external users to be
# able to do FTP with the internal network using authentication
#ftp-gw: permit-hosts * -authall -log { retr stor }
where 192.168.1.* matches your local network address.
These settings allow any host on the internal network to initiate ftp
connections with hosts on the Internet.
Since any ftp request to the firewall will now be handled by ftp-gw, we added
a second ftp entry in /etc/services and inetd.conf (ftp-a) for connecting to
the firewall itself. From a Unix based host, we would connect to this port by
typing 'ftp <host> 22'. Other platforms may use spaces after the hostname
(Fetch for the Macintosh does) while others may use <host>:22 (this
is what
Netscape would require.)
Finally, either restart your MacBSD host, or type
kill -1 `cat /var/run/inetd.pid`
You should now be able to access the outside world.
>From an internal machine, you would initiate a ftp connection by first ftp'ing
to the firewall. In my case, this would be the same as 'ftp wormhole'.
In case there is any confusion here, the port number listed in the above
paragraphs is only needed if you wish to ftp files to or from the firewall
itself.
I would then be prompted for a user name. For the user name, you should enter
<user>@<host.I.really.want>. When prompted for a password,
enter the
appropriate one for the remote host you are trying to connect to. For
anonymous transfers, the username would be anonymouse@<host> (or
ftp@<host>)
and then my email address for a password.
Once this connection is completed, all other ftp commands will work as expected.
>From your MacBSD host, you can use ftp as you normally would, as the firewall
is already connected to the outside network and doesn't need to be proxyed.
Fetch for the Macintosh supports Firewall proxies of this sort. In the
network preferences, tell it that you are using a Proxy firewall, and that
the firewall has whatever name/ip address it has been assigned for the internal
network. After that, Fetch will proxy through the firewall transparently.
Netscape will also work transparently for ftp transfers, but via a different
mechanism. See the section on HTTP for more info (later in this document.)
I am not aware of other ftp clients which support Proxies, but I would be
very surprised if they didn't exist.
------------------------------------------------------------------------------
13a. How do I setup the fwtk for TELNET?
b. How do use TELNET from a machine on the local network?
c. How do I use TELNET from my MacBSD host?
------------------------------------------------------------------------------
Once the software is installed, add the following line to your /etc/services
file:
telnet-a 24/tcp
In /etc/inetd.conf, remove the current line for telnet, and enter the following
lines in its place:
telnet-a stream tcp nowait root /usr/libexec/telnetd telnetd
telnet stream tcp nowait root /usr/local/etc/tn-gw tn-gw
Finally, in /usr/local/etc/netperm-table, make the tn-gw entries match the
following:
#tn-gw: denial-msg /usr/local/etc/tn-deny.txt
#tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
#tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 3600
tn-gw: permit-hosts 192.168.1.* -passok -xok
#tn-gw: permit-hosts * -auth
where 192.168.1.* matches your local network address.
These settings allow any host on the internal network to initiate telnet
sessions with hosts on the Internet.
Finally, either restart your MacBSD host, or type
kill -1 `cat /var/run/inetd.pid`
You should now be able to access the outside world.
Since any telnet request to the firewall will now be handled by tn-gw, we
added a second telnet entry in /etc/services and inetd.conf (telnet-a) for
connecting to the firewall itself. From a Unix based host, we would connect
to this port by typing 'telnet <host> 24'. Other platforms may use spaces
after the hostname (NCSA Telnet for the Macintosh does) while others may use
<host>:22.
>From an internal machine, you would initiate a telnet session by first
telnetting to the firewall (without the port number listed above). You will
then see a tn-gw> prompt. At this prompt, type 'telnet
<remote-host>' to
connect to the remote host on the Internet. You have now successfully initiated
a telnet session to the remote machine.
>From your MacBSD host, you can use telnet as you normally would, as the
firewall is already connected to the outside network and doesn't need to be
proxyed.
I am not aware of any telnet clients that support firewall proxies in a
transparent manner. As far as I know, this two step process is required
no matter what client you are using. If anyone knows of telnet software
which allows transparent telnet sessions through a proxy, please let me know,
and I will include them in this FAQ.
------------------------------------------------------------------------------
14a. How do I setup the fwtk for HTTP?
b. How do I use Web Browsers from a machine on the local network?
c. How do I use Web Browsers from my MacBSD host?
------------------------------------------------------------------------------
First insure that the www entry in your /etc/services file is uncommented. If
you do not have a www entry, enter the following line into /etc/services:
www 80/tcp http # WorldWideWeb HTTP
Then enter the following line (or modify the existing line to match this one)
into your /etc/inetd.conf file:
http stream tcp nowait root /usr/local/etc/http-gw http-gw
Finally, in /usr/local/etc/netperm-table, modify the http-gw lines to match
the following:
http-gw: timeout 3600
http-gw: permit-hosts 192.168.1.* { all }
Where 192.168.1.* matches your local network address.
These lines will allow Web Browsers which support proxies to access WWW sites
on the Internet. You will need to tell your browser to use a proxy for http,
ftp, and gopher in order to successfully use this proxy.
Netscape supports this in its Network Preferences. You need to tell Netscape
that you want to manually set up the proxies. Then, for the 3 services listed
above, enter the machine name or ip address of your firewall, and set the
proxy port to 80. This will allow transparent Web and Gopher browsing, as well
as allowing ftp to be used for transferring files.
I assume that other Web Browsers have simillar support options, but I am not
familliar with them.
If you have a web browser on your MacBSD host, it will not require proxies to
be setup in its configuration options, as it is directly on the Internet
already.
If your MacBSD firewall also acts as a Web server, then make the following
changes to the instructions above:
Add a www2 entery into your /etc/services file, using a port number that is
not currently being used.
Change the 'www' label in the entry to be added to /etc/inetd.conf to www2.
Leave the www entry (if it is being invoked by inetd) untouched.
Use the port number you assigned to www2 instead of 80 when setting up your
browser. Also, add your MacBSD host to the field which contains hosts that
do not need to be proxyed.
Finally, either restart your MacBSD host, or type
kill -1 `cat /var/run/inetd.pid`
You should now be able to access the outside world.
------------------------------------------------------------------------------
15a. What is the passthru proxy, and how do I configure it?
b. How can I read/send mail from my POP mail server?
c. How can I read/post news from my NNTP news server?
------------------------------------------------------------------------------
The passthru proxy provides a method for connecting some other services
through the firewall. It will only work for services which are initiated
solely by the client. Any service which requires the server to initiate a
separate connection with the client machine after the client has contacted
it, will not work with this proxy.
This proxy is limited in that each rule given must resolve to a specific
machine. This means that, while I can proxy services like SMTP and NNTP, it
will not be trivial to change the remote host to which you wish to contact.
POP mail readers, like Eudore, use the POP and SMTP services to receive and
send mail respectively. You can set up a Passthru proxy for mail by doing
the following:
First, add the following lines to your /etc/inetd.conf file:
pop3 stream tcp nowait root /usr/local/etc/plug-gw plug-gw pop3
smtp stream tcp nowait root /usr/local/etc/plug-gw plug-gw smtp
Then add the following lines to your /usr/local/etc/netperm-table file:
plug-gw: port pop3 192.168.1.2 -plug-to remote.host -port pop3
plug-gw: port smtp 192.168.1.2 -plug-to remote.host -port smtp
Where 192.168.1.2 is either a network address (eg. 192.168.1.*) or the IP
address of the local machine you are connecting FROM. remote.host is the
name or ip address of the mail server you are using.
Then 'kill -1 `cat /var/run/inetd.pid`. This will allow your POP mail
client to access the remote server if you make the following changes:
Change your POP mail account to <username>@<FirewallName> and
change your
Reply-To: address to the address of your POP server. This allows people to
respond to your mail. If you forget this last step, they will be unable to
reply to your mail, because it will be looking for a machine with your
firewalls host name.
If you look closely at the entries in netperm-table, you will see that you
could have different hosts in your local network connect to different
hosts on the Internet. However, each local machine would be limited to
the users which are on the actual mail server it is proxying for.
Another popular service to proxy is NNTP (news). This can be done by
adding the following lines to your configuration files.
In /etc/inetd.conf:
nntp stream tcp nowait root /usr/local/etc/plug-gw plug-gw nntp
And in /usr/local/etc/netperm-table:
plug-gw: port nntp 192.168.1.* -plug-to news.host -port nntp
Where 192.168.1.* is your network address (or a specific IP address) and
news.host is your NNTP server.
Again, different machines on your local network could have pointers to
different NNTP servers, but each machine can only access one server.
After restarting inetd with the kill command given above, set your News Client
on your Local machine to get its news from your Firewall. The proxy will
connect your local machine through to the remote site.
Other tcp based services like this can be proxyed in the same manner.
UDP based services do not lend themselves to an inetd type daemon, so they are
not supported by the FWTK. Some firewalls do support UDP proxying, and I've
read in the Firewalling FAQ for Linux that a UDP proxy is being worked on, but
I have been unable to contact the author for comments.
------------------------------------------------------------------------------
16. What are the limitations in using the fwtk?
------------------------------------------------------------------------------
The firewall toolkit is only usefull for proxying those services which are
specifically supported (X, HTTP, Telnet, FTP) or which can be entirely
initiated and maintained by the client (NNTP, SMTP, POP, etc) as they can
be handled by the passthrough proxy.
Any UDP traffic is blocked, as are any other services which require the remote
server to initiate a second connection to your client machine.
If you are using the Firewall Toolkit as a security firewall, and are using a
packet screening router, or packet filter as well, these services which you
deem more important than the security risk they pose, can be "passed
through".
However, the purpose of this FAQ is to describe how to allow a local network
access to the InterNet through a single IP address, so I won't go into the
details of setting up a pass-through filter -- which would differ depending
upon the hardware you were using anyway.
Services like RealAudio and CUSeeMe do not work with the FWTK used in this
manner. Both the RealAudio and CUSeeMe people have announced that they plan
to support some Firewall products for proxying their data, but I do not know
if their code will be limited to commercial firewalls, or if additions to the
FWTK will be provided as well.
NFS also does not work through the firewall (though it may be possible to NFS
mount a remote volume on the MacBSD host and the allow local machines to NFS
mount volumes off of the MacBSD host. There is an ongoing debate over
whether or not a non-local volume can be NFS shared. It is supported on
some systems, but I do not know about MacBSD. I haven't tried, so I do
not know the answer. ;-)
I did not discuss X service proxying because it is not something I have
had the need to work with yet. The documentation which can be ftp'd from TIS
covers this for those who need support for it.
------------------------------------------------------------------------------
Well, I hope this FAQ has been helpfull. If you see any mistakes or have
any comments, please email me at amagill@uiuc.edu.
I do not take any responsibilty for any loss or damaged sustained from the
use or misuse of any information contained within this FAQ. I do not speak
for TIS, nor do I support their products. I am mearly relaying information
which I have found to work for me. It should work, within the definitions
I have given above, but I offer no guarantees.
Aaron Magill
April, 1996