Archive-name: tis_and_macbsd-faq
Posting-Frequency: whenever updated
Last-modified: May 9, 1996
Version: 0.1

Trusted Information System's Firewall Toolkit and MacBSD
Frequently Asked Questions

FAQ Maintainer: Aaron S. Magill <amagill@uiuc.edu>

For corrections or comments, please send them to the address given above.
While I make no promises as to how often this will be updated, I will work to
keep what is given in here accurate.

About the FAQ

This FAQ is not a specific endorsement of TIS's fwtk. The purpose of this FAQ
is to show how the fwtk can be used with MacBSD to provide Internet
connectivity for a local network under specific situations. The FAQ may be
expanded at a later date to include a more detailed analysis of the fwtk, and
its use as a firewall, on other systems. Then again, it may not be.

I began using the fwtk because I have a local network (currently three
machines) and only one IP address, dynamically allocated by my provider. By
using the application proxies in the fwtk, I can access the Internet from any
machine on my local network. I chose the fwtk because it was freely available.

As my intention was not to create a secure environment, at this time I do not
plan to give specific information concerning creating a secure environment.
The information provided here may be useful to people interested in setting
up a secure site, but be warned, I take no responsibility for any harm or
injury that arises from using the information provided here. For information
provided by TIS concerning this product and its use as a firewall for security
purposes, see the section on getting more information.

Most of the information contained in here will probably work on machines other
than MacBSD systems as well. However, minor differences may exist which will
need to be addressed by someone more familiar with the system in question.
This FAQ is geared towards MacBSD specifically. If it works for other systems
as well, that's great! If not, well, hopefully at least the section on
configuring the FWTK is useful.

Contents:

Software and Documentation
   1. What is the Firewall Tool Kit?
   2. What is MacBSD?
  3a. Where can I get the fwtk?
   b. Where can I get more information about the fwtk?
  4a. Where can I get MacBSD?
   b. Where can I get more information about MacBSD?
   5. Specifically, what type of network does this FAQ pertain to?

Setting up the MacBSD host
   6. How can I compile the fwtk under MacBSD?
  7a. How do I set up a PPP connection to my provider?
   b. More info about serial ports under MacBSD
   8. How do I set up my internal network?
   9. How do I set up PPP to a machine on the local network?
  10. How do I set up an Ethernet connection to another machine on my local
      network?

Setting up the FWTK
  11. What files do I need to modify?
 12a. How do I set up the fwtk for FTP?
   b. How do I use FTP from a machine on the local network?
   c. How do I use FTP from my MacBSD host?
 13a. How do I set up the fwtk for Telnet?
   b. How do I use Telnet from a machine on the local network?
   c. How do I use Telnet from my MacBSD host?
 14a. How do I set up the fwtk for HTTP?
   b. How do I use Web Browsers from a machine on the local network?
   c. How do I use Web Browsers from my MacBSD host?
 15a. What is the passthru proxy, and how do I configure it?
   b. How can I read/send mail from my POP mail server?
   c. How can I read/post news from my NNTP news server?

Other Information
  16. What are the limitations in using the fwtk?

------------------------------------------------------------------------------
1. What is the Firewall Tool Kit?
------------------------------------------------------------------------------

The Firewall Tool Kit (fwtk for short), provided by Trusted Information
Systems (TIS), is a set of application proxies which, when configured
correctly on a firewall, provides controlled access to and from the Internet
for a local network.
Used in conjunction with a screening router, and with a properly configured
host, it can provide a comfortable level of security for most sites, with
limited impact on the users. It provides a single point through which all
traffic in to and out of the local network must pass. It is this feature
which makes the fwtk useful for people with a single IP address (usually)
provided by a dial-up Internet connection.

------------------------------------------------------------------------------
2. What is MacBSD?
------------------------------------------------------------------------------

MacBSD is a variant of BSD Unix which runs on many 68030 and 68040(?)
Macintosh computers. Properly speaking, it is a subset of the NetBSD project.
It is based on the BSD 4.2 sources, and runs comfortably on many older Macs,
in as little as 4MB of memory and 40MB of disk space. It is a work in
progress, but most of the work still to be done is concerned with expanding
the number of machines it will run on, and the peripherals it will work with.
From a user's standpoint, it is pretty much identical to the BSD Unix found
on many other traditional workstations. Most software that will compile under
BSD (that doesn't have machine-specific requirements) will compile under
MacBSD (at least in my experience).

------------------------------------------------------------------------------
3a. Where can I get the fwtk?
 b. Where can I get more information about the fwtk?
------------------------------------------------------------------------------

The fwtk can be obtained by anonymous ftp from ftp.tis.com. It can be found
in /pub/firewalls/toolkit/fwtk. The documentation for the fwtk can be found
in the same directory. Information concerning firewalls in general, and
Gauntlet (their commercial firewall system), can also be found at the site in
/pub/firewalls. http://www.tis.com/ contains their homepage, and includes
more information about the company and the software they provide.

As far as I know, they do not specifically support the fwtk, though bug fixes
may be made occasionally. For more information concerning this, check the
Great Circle Firewall mailing list. There is also information available at
the FWTK Fan Hub (http://www.nucleus.com/~dreamwvr/firewall.htm).

------------------------------------------------------------------------------
4a. Where can I get MacBSD?
 b. Where can I get more information about MacBSD?
------------------------------------------------------------------------------

These two questions are answered in detail in FAQs maintained by others. The
"home" for NetBSD in general can be found at http://www.netbsd.org/. FAQs
pertaining to MacBSD can be found at http://puma.bevd.blacksburg.va.us.

------------------------------------------------------------------------------
5. Specifically, what type of network does this FAQ pertain to?
------------------------------------------------------------------------------

This FAQ describes how I set up the fwtk to allow me to connect three
machines at home to the Internet, through a dialup provider which supplied me
with only one IP address (dynamically allocated, at that). The network can be
diagrammed something like this:

    host1 --- host2 --- host3
                |
                |
              modem --- internet provider

where host1 is a PowerMac, host2 is a Mac IIx running MacBSD, and host3 is a
PC running Linux. With the exception of host2, the other hosts could be
pretty much any machine, running any OS, so long as it supported TCP/IP for
network communications. The number of hosts which can be connected in this
manner is limited only by the networking method and the capabilities of the
MacBSD host and your Internet connection.

So far, I haven't noticed a slowdown which could be traced to the MacBSD
host, so a Mac IIx, with 8MB of RAM and 16MB of swap space, is probably
sufficient for a fairly small network. The slowdowns I have seen have been
due to the 28.8k modem.
File transfer rates are still at around 4.5k/sec under Fetch on the PowerMac
(which is what they were at when the modem was connected directly to it). I
have successfully supped a new kernel, while actively using Netscape on the
PowerMac and FTP under Linux to download new kernel sources. While the times
did slow down, it was no more so than I would have expected, had I been
downloading something on the PowerMac while surfing the Web.

------------------------------------------------------------------------------
6. How can I compile the fwtk under MacBSD?
------------------------------------------------------------------------------

After expanding the tarred archive, the following steps need to be taken to
get the fwtk to compile under MacBSD (v1.1-current as of 2/15/96):

First, in the fwtk directory, run 'fixmake'. This modifies the Makefiles to
conform to BSD standards, rather than the Sun standards.

Then, in the following files:

    ftp-gw/ftp-gw.c
    http-gw/gauthd.c
    http-gw/http-gw.c
    lib/conn.c
    lib/syslog.c
    tn-gw/tn-gw.c
    x-gw/ulib.h

change the following line:

    extern char *sys_errlist[];

to:

    extern const char *const sys_errlist[];

You will also need to add -lcrypt to the AUXLIBS line in auth/Makefile.

If you are running a kernel from late April or more recent, you may find it
necessary to add the following line to the beginning of lib/daemon.c:

    #include <sys/cdefs.h>

********************** Special, untested X support fix ************************

In recently recompiling the fwtk, I realized that I also made some changes in
the x-gw code. I haven't tested the changes, as I am not running any kind of
X services through the firewall, so if someone out there makes these changes,
let me know if it works properly or not.

In the x-gw directory, in the files getenv.c, setenv.c, and x-gw.c, change
*every* reference to getenv, setenv, or unsetenv to my_getenv, my_setenv, and
my_unsetenv respectively. This includes the function definitions (this is a
total of about 6 lines to change; I forget the exact number).

What is happening is that the functions used by the x-gw code already exist
in MacBSD's libraries. The prototypes are different enough that I couldn't
figure out a simple translation (without extensive tests that I can't
currently perform). So, instead, I renamed the functions so everything will
compile. I'm not sure if the functions included in the FWTK work or not,
since I can't test them, but they do compile with these changes.

You may also need to change the XLIBDIR definition in x-gw/Makefile to

    XLIBDIR=/usr/X11R6/lib

in order to get it to link to the appropriate libraries.

If anyone tries this, let me know if it works or not. Thanks!

*******************************************************************************

After making the necessary changes, make sure you are in the fwtk directory,
and type 'make'. You'll probably get a few warnings, but it should compile. I
didn't worry about the warnings, so I don't think that they matter much, but
I haven't really tested the X support, or the authentication support. The
other functions seem to work fine, though.

If all goes well, type 'make install'. This puts the binaries and
configuration files in /usr/local/etc. If all does not go well, send me email
including the error message, what line and in what file the error occurs, and
any other information you think might be relevant (when your kernel was
compiled, when your gcc and the include files were last updated, etc.).

------------------------------------------------------------------------------
7a. How do I set up a PPP connection to my provider?
 b. More info about serial ports under MacBSD
------------------------------------------------------------------------------

PPP scripts come in various shapes and sizes... none I've seen has worked for
me without modification.
You should probably consult the relevant FAQs mentioned in the question about
MacBSD above. Here are some notes I have concerning PPP and serial ports in
general. They may or may not be addressed in other FAQs... I really haven't
checked.

38400 is used, even though the machine will handle 57600, because the faster
rate keeps the machine too busy to actually do anything with the data
transferred. I believe I was told that it had something to do with the
interrupts for the serial ports overriding the interrupts for the code which
processed the data. At any rate, large file transfers, when I used 57600
baud, would have a 50-50 chance of locking up the MacBSD host. When I dropped
the speed, the lockups disappeared, but transfer rates are almost as high as
running on the PowerMac at 115k (OK, so I know that the data coming to the
modem isn't that fast. However, since my PowerMac will support it, why not
use it? ;-) The difference was not really noticeable unless I had many
transfers from multiple machines going on at once... and even then it was
comparable to having the same number of transfers going on on the PowerMac by
itself.

Originally, I used a PPP connection through the modem, and another through
the other serial port to one of my other machines. Because both ports were
getting heavy use, I saw an awful lot of overruns. I was able to reduce these
by changing the following lines in /usr/src/sys/arch/mac68k/dev/zsvars.h and
recompiling the kernel:

    #define ZLRB_RING_SIZE  512     /* ZS line ring buffer size */
    #define ZLRB_RING_MASK  511     /* mask for same */

were changed to:

    #define ZLRB_RING_SIZE  1024    /* ZS line ring buffer size */
    #define ZLRB_RING_MASK  1023    /* mask for same */

This was originally suggested to me by Bill Studenmund
(wrstuden@loki.stanford.edu).

------------------------------------------------------------------------------
8. How do I set up my internal network?
9. How do I set up PPP to a machine on the local network?
10. How do I set up an Ethernet connection to another machine on my local
    network?
------------------------------------------------------------------------------

Again, consult the FAQs at Puma and netbsd.org concerning this.

A trick I use for my one machine connected via PPP to the main server is the
following. It may be included in other FAQs, but I really haven't checked.

I have one machine running Linux, and another running MacBSD. Because they
both start up at different speeds, and because both are run "headless" at
various times (i.e. without a monitor attached), I put the pppd commands to
connect the two hosts into the /etc/ttys and /etc/inittab files attached to
the appropriate tty. (inittab is used under Linux, while MacBSD uses the ttys
file.)

The line in my /etc/ttys file under MacBSD is the following:

    tty00 "/usr/sbin/pppd /dev/tty00 38400 passive -detach asyncmap 0x00000000 local defaultroute lock 192.168.1.3:192.168.1.1" unknown on secure

(This is all on one line, but it is greater than 80 chars.)

Under Linux, I have a similar line. (If you can get hardware handshaking
working, add crtscts to the list of options to the pppd process. So far, I
have been unable to get it working for my link, but I suspect that it's
because I have the wires wrong... I made the cable to connect the Mac and the
PC myself. Someday I'll get it fixed, but right now it's a low priority for
me.)

What this does is start the pppd process in passive mode, which causes it to
wait until it gets a Link command from the other host. Then the connection is
made. The -detach option is required to keep pppd from "detaching" the
process from the parent process which spawns it. Otherwise we get multiple
pppd processes attempting to grab the line, and init kills the tty entry for
5 minutes because it is respawning too fast.

------------------------------------------------------------------------------
11. What files do I need to modify?
------------------------------------------------------------------------------

In general, the only files you will have to modify are the following:
/etc/services, /etc/inetd.conf, and /usr/local/etc/netperm-table. The changes
which need to be made for your specific needs are listed in the examples
given below.

------------------------------------------------------------------------------
12a. How do I set up the fwtk for FTP?
  b. How do I use FTP from a machine on the local network?
  c. How do I use FTP from my MacBSD host?
------------------------------------------------------------------------------

Once the software is installed, add the following line to your /etc/services
file:

    ftp-a           22/tcp

In /etc/inetd.conf, remove the current line for ftp, and enter the following
lines in its place:

    ftp-a   stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
    ftp     stream  tcp     nowait  root    /usr/local/etc/ftp-gw   ftp-gw

Finally, in /usr/local/etc/netperm-table, make the ftp-gw entries match the
following:

    #ftp-gw: denial-msg     /usr/local/etc/ftp-deny.txt
    #ftp-gw: welcome-msg    /usr/local/etc/ftp-welcome.txt
    #ftp-gw: help-msg       /usr/local/etc/ftp-help.txt
    ftp-gw:  timeout 3600
    # uncomment the following line if you want internal users to be
    # able to do FTP with the internet
    ftp-gw:  permit-hosts 192.168.1.*
    # uncomment the following line if you want external users to be
    # able to do FTP with the internal network using authentication
    #ftp-gw: permit-hosts * -authall -log { retr stor }

where 192.168.1.* matches your local network address. These settings allow
any host on the internal network to initiate ftp connections with hosts on
the Internet.

Since any ftp request to the firewall will now be handled by ftp-gw, we added
a second ftp entry in /etc/services and inetd.conf (ftp-a) for connecting to
the firewall itself. From a Unix based host, we would connect to this port by
typing 'ftp <host> 22'. Other platforms may use spaces after the hostname
(Fetch for the Macintosh does) while others may use <host>:22 (this is what
Netscape would require).

Finally, either restart your MacBSD host, or type

    kill -1 `cat /var/run/inetd.pid`

You should now be able to access the outside world.

From an internal machine, you would initiate an ftp connection by first
ftp'ing to the firewall. In my case, this would be the same as 'ftp
wormhole'. In case there is any confusion here, the port number listed in the
above paragraphs is only needed if you wish to ftp files to or from the
firewall itself. I would then be prompted for a user name. For the user name,
you should enter <user>@<host.I.really.want>. When prompted for a password,
enter the appropriate one for the remote host you are trying to connect to.
For anonymous transfers, the username would be anonymous@<host> (or
ftp@<host>) and then my email address for a password. Once this connection is
completed, all other ftp commands will work as expected.

From your MacBSD host, you can use ftp as you normally would, as the firewall
is already connected to the outside network and doesn't need to be proxied.

Fetch for the Macintosh supports firewall proxies of this sort. In the
network preferences, tell it that you are using a proxy firewall, and that
the firewall has whatever name/IP address it has been assigned for the
internal network. After that, Fetch will proxy through the firewall
transparently. Netscape will also work transparently for ftp transfers, but
via a different mechanism. See the section on HTTP for more info (later in
this document). I am not aware of other ftp clients which support proxies,
but I would be very surprised if they didn't exist.

------------------------------------------------------------------------------
13a. How do I set up the fwtk for TELNET?
  b. How do I use TELNET from a machine on the local network?
  c. How do I use TELNET from my MacBSD host?
------------------------------------------------------------------------------

Once the software is installed, add the following line to your /etc/services
file:

    telnet-a        24/tcp

In /etc/inetd.conf, remove the current line for telnet, and enter the
following lines in its place:

    telnet-a stream tcp     nowait  root    /usr/libexec/telnetd    telnetd
    telnet   stream tcp     nowait  root    /usr/local/etc/tn-gw    tn-gw

Finally, in /usr/local/etc/netperm-table, make the tn-gw entries match the
following:

    #tn-gw: denial-msg      /usr/local/etc/tn-deny.txt
    #tn-gw: welcome-msg     /usr/local/etc/tn-welcome.txt
    #tn-gw: help-msg        /usr/local/etc/tn-help.txt
    tn-gw:  timeout 3600
    tn-gw:  permit-hosts 192.168.1.* -passok -xok
    #tn-gw: permit-hosts * -auth

where 192.168.1.* matches your local network address. These settings allow
any host on the internal network to initiate telnet sessions with hosts on
the Internet.

Finally, either restart your MacBSD host, or type

    kill -1 `cat /var/run/inetd.pid`

You should now be able to access the outside world.

Since any telnet request to the firewall will now be handled by tn-gw, we
added a second telnet entry in /etc/services and inetd.conf (telnet-a) for
connecting to the firewall itself. From a Unix based host, we would connect
to this port by typing 'telnet <host> 24'. Other platforms may use spaces
after the hostname (NCSA Telnet for the Macintosh does) while others may use
<host>:22.

From an internal machine, you would initiate a telnet session by first
telnetting to the firewall (without the port number listed above). You will
then see a tn-gw> prompt. At this prompt, type 'telnet <remote-host>' to
connect to the remote host on the Internet. You have now successfully
initiated a telnet session to the remote machine.

From your MacBSD host, you can use telnet as you normally would, as the
firewall is already connected to the outside network and doesn't need to be
proxied.

I am not aware of any telnet clients that support firewall proxies in a
transparent manner. As far as I know, this two-step process is required no
matter what client you are using. If anyone knows of telnet software which
allows transparent telnet sessions through a proxy, please let me know, and I
will include them in this FAQ.

------------------------------------------------------------------------------
14a. How do I set up the fwtk for HTTP?
  b. How do I use Web Browsers from a machine on the local network?
  c. How do I use Web Browsers from my MacBSD host?
------------------------------------------------------------------------------

First ensure that the www entry in your /etc/services file is uncommented. If
you do not have a www entry, enter the following line into /etc/services:

    www             80/tcp          http    # WorldWideWeb HTTP

Then enter the following line (or modify the existing line to match this one)
into your /etc/inetd.conf file:

    http    stream  tcp     nowait  root    /usr/local/etc/http-gw  http-gw

Finally, in /usr/local/etc/netperm-table, modify the http-gw lines to match
the following:

    http-gw: timeout 3600
    http-gw: permit-hosts 192.168.1.* { all }

where 192.168.1.* matches your local network address. These lines will allow
Web browsers which support proxies to access WWW sites on the Internet.

You will need to tell your browser to use a proxy for http, ftp, and gopher
in order to successfully use this proxy. Netscape supports this in its
Network Preferences. You need to tell Netscape that you want to manually set
up the proxies. Then, for the 3 services listed above, enter the machine name
or IP address of your firewall, and set the proxy port to 80. This will allow
transparent Web and Gopher browsing, as well as allowing ftp to be used for
transferring files. I assume that other Web browsers have similar support
options, but I am not familiar with them.

If you have a Web browser on your MacBSD host, it will not require proxies to
be set up in its configuration options, as it is directly on the Internet
already.
If your MacBSD firewall also acts as a Web server, then make the following
changes to the instructions above:

  - Add a www2 entry into your /etc/services file, using a port number that
    is not currently being used.
  - Change the 'www' label in the entry to be added to /etc/inetd.conf to
    www2. Leave the www entry (if it is being invoked by inetd) untouched.
  - Use the port number you assigned to www2 instead of 80 when setting up
    your browser. Also, add your MacBSD host to the field which contains
    hosts that do not need to be proxied.

Finally, either restart your MacBSD host, or type

    kill -1 `cat /var/run/inetd.pid`

You should now be able to access the outside world.

------------------------------------------------------------------------------
15a. What is the passthru proxy, and how do I configure it?
  b. How can I read/send mail from my POP mail server?
  c. How can I read/post news from my NNTP news server?
------------------------------------------------------------------------------

The passthru proxy provides a method for connecting some other services
through the firewall. It will only work for services which are initiated
solely by the client. Any service which requires the server to initiate a
separate connection with the client machine after the client has contacted it
will not work with this proxy.

This proxy is limited in that each rule given must resolve to a specific
machine. This means that, while I can proxy services like SMTP and NNTP, it
will not be trivial to change the remote host which you wish to contact.

POP mail readers, like Eudora, use the POP and SMTP services to receive and
send mail respectively. You can set up a passthru proxy for mail by doing the
following:

First, add the following lines to your /etc/inetd.conf file:

    pop3    stream  tcp     nowait  root    /usr/local/etc/plug-gw  plug-gw pop3
    smtp    stream  tcp     nowait  root    /usr/local/etc/plug-gw  plug-gw smtp

Then add the following lines to your /usr/local/etc/netperm-table file:

    plug-gw: port pop3 192.168.1.2 -plug-to remote.host -port pop3
    plug-gw: port smtp 192.168.1.2 -plug-to remote.host -port smtp

where 192.168.1.2 is either a network address (e.g. 192.168.1.*) or the IP
address of the local machine you are connecting FROM, and remote.host is the
name or IP address of the mail server you are using. Then type

    kill -1 `cat /var/run/inetd.pid`

This will allow your POP mail client to access the remote server if you make
the following changes: change your POP mail account to
<username>@<FirewallName>, and change your Reply-To: address to the address
of your POP server. This allows people to respond to your mail. If you forget
this last step, they will be unable to reply to your mail, because it will be
looking for a machine with your firewall's host name.

If you look closely at the entries in netperm-table, you will see that you
could have different hosts in your local network connect to different hosts
on the Internet. However, each local machine would be limited to the users
which are on the actual mail server it is proxying for.

Another popular service to proxy is NNTP (news). This can be done by adding
the following lines to your configuration files. In /etc/inetd.conf:

    nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw  plug-gw nntp

And in /usr/local/etc/netperm-table:

    plug-gw: port nntp 192.168.1.* -plug-to news.host -port nntp

where 192.168.1.* is your network address (or a specific IP address) and
news.host is your NNTP server. Again, different machines on your local
network could have pointers to different NNTP servers, but each machine can
only access one server.
After restarting inetd with the kill command given above, set your news
client on your local machine to get its news from your firewall. The proxy
will connect your local machine through to the remote site.

Other TCP based services like this can be proxied in the same manner. UDP
based services do not lend themselves to an inetd type daemon, so they are
not supported by the FWTK. Some firewalls do support UDP proxying, and I've
read in the Firewalling FAQ for Linux that a UDP proxy is being worked on,
but I have been unable to contact the author for comments.

------------------------------------------------------------------------------
16. What are the limitations in using the fwtk?
------------------------------------------------------------------------------

The firewall toolkit is only useful for proxying those services which are
specifically supported (X, HTTP, Telnet, FTP) or which can be entirely
initiated and maintained by the client (NNTP, SMTP, POP, etc.), as they can
be handled by the passthrough proxy. Any UDP traffic is blocked, as are any
other services which require the remote server to initiate a second
connection to your client machine.

If you are using the Firewall Toolkit as a security firewall, and are using a
packet screening router or packet filter as well, those services which you
deem more important than the security risk they pose can be "passed through".
However, the purpose of this FAQ is to describe how to allow a local network
access to the Internet through a single IP address, so I won't go into the
details of setting up a pass-through filter -- which would differ depending
upon the hardware you were using anyway.

Services like RealAudio and CUSeeMe do not work with the FWTK used in this
manner. Both the RealAudio and CUSeeMe people have announced that they plan
to support some firewall products for proxying their data, but I do not know
if their code will be limited to commercial firewalls, or if additions to the
FWTK will be provided as well.

NFS also does not work through the firewall (though it may be possible to NFS
mount a remote volume on the MacBSD host and then allow local machines to NFS
mount volumes off of the MacBSD host. There is an ongoing debate over whether
or not a non-local volume can be NFS shared. It is supported on some systems,
but I do not know about MacBSD. I haven't tried, so I do not know the answer.
;-)

I did not discuss X service proxying because it is not something I have had
the need to work with yet. The documentation which can be ftp'd from TIS
covers this for those who need support for it.

------------------------------------------------------------------------------

Well, I hope this FAQ has been helpful. If you see any mistakes or have any
comments, please email me at amagill@uiuc.edu. I do not take any
responsibility for any loss or damage sustained from the use or misuse of any
information contained within this FAQ. I do not speak for TIS, nor do I
support their products. I am merely relaying information which I have found
to work for me. It should work, within the definitions I have given above,
but I offer no guarantees.

Aaron Magill
April, 1996