FWTK FAQ


Note: Neither I nor the authors of the individual patches are responsible for the use or misuse of these patches.
    Fixes for FWTK 2.1
If you have problems applying a patch, read Joe Yao's "How to apply a patch" in the Docs web page.
 
1.1: "Jumbo" patch kit for http-gw and x-gw
This "jumbo" kit, which includes several fixes, was written by Tony Gale <gale@syntax.dera.gov.uk>.

The included fixes are:

  • http-gw: complete list of URL escape characters, as per RFC1738
  • http-gw: accommodate FTP servers that don't need a username/password
  • http-gw: be less stringent about \r handling - for FTP servers
  • http-gw: try and send messages in a single packet, fixes broken FTP servers
  • http-gw: allow for browsers that send CRLF on POST commands (they do this for backwards compatibility)
  • http-gw: javascript quoting bug
  • x-gw: correct debug messages
  • x-gw: fix potential format bug overflow
  • x-gw: fix dereference-after-free bug
You can download the patch kit here.
 
 
1.2: Fix to get gate-ftp and the Win95 ftp client working through ftp-gw
Apply the patch below to let gate-ftp (included in the tools/client/gate-ftp directory) and the Win95 command-line FTP client work through the FWTK. Patch by <jonathan.laventhol@imagination.co.uk>
--- ftp-gw.c_ORIG       Fri Feb  6 00:05:43 1998
+++ ftp-gw.c_NEW        Fri Jan 15 11:15:24 1999
@@ -155,6 +155,30 @@
        "stat",         OP_CONN,        /* overload */  cmd_abor,
        "dele",         OP_CONN|OP_XTND,                        0,
        "size",         OP_CONN,                        0,
+       /* this is for gate-ftp (proxy-aware Unix ftp client)
+        *
+        * -- jonathan.laventhol@imagination.co.uk 15.01.1999
+        */
+       "passerve",     OP_WCON,                        cmd_passthru,
+
+       /* RFC 1123 Host Requirements sect 4.1.3.1 says we SHOULD
+        * accept these for backwards compatibility, though perhaps
+        * we should translate them into RFC 959 forms before
+        * passing them on to the target server.
+        * NB: Windows 95 Command-line FTP client sends xmkd, xrmd
+        *
+        * -- jonathan.laventhol@imagination.co.uk 15.01.1999
+        */
+       "xmkd",         OP_CONN|OP_XTND,                0,
+       "xrmd",         OP_CONN|OP_XTND,                0,
+       /* xpwd already included above */
+       "xcup",         OP_CONN,                        0,
+       "xcwd",         OP_CONN,                        0,
+
        0,              0,                              0
 };
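Review bot: the comment in the hunk itself admits that xmkd, xrmd, xcup and xcwd are forwarded to the target server verbatim rather than being translated to the RFC 959 forms (MKD, RMD, CDUP, CWD); a server that only knows the modern names will reject them, so either map them before passing them on or document that the target must accept the X-forms. The "passerve" entry is the one real change in behaviour here and is given cmd_passthru, so check that cmd_passthru applies the same destination checks as the normal connect path before accepting the new command.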
1.3: Fix to make smap pass messages containing a lone "." line intact
If messages containing a line consisting of a single period "." are being truncated at that line when smapd hands them to sendmail, change the following in smapd.c so that sendmail is invoked with -i (ignore dots) as well as -f:

From:
    faka[i++] = "-f";
To:
    faka[i++] = "-if";
 
1.4: Fix for null "To:" address coredump in smap
Apply this simple patch to smap.c:

                        q += 3;
                        while(isspace(*q))
                                q++;

+                        if(q == (char *)0) {
+                                printf("501 Syntax error\r\n");
+                                fflush(stdout);
+                                continue;
+                        }
#ifdef  SPECIALDOMAIN
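Review bot: the null check comes too late to do anything. By the time `if(q == (char *)0)` runs, `q += 3` and `while(isspace(*q))` have already advanced and dereferenced q, so a null q has crashed before the test and a non-null q can never be null afterwards. Test q before the `q += 3`, or, if the real failure is an empty address after the whitespace skip, test `*q == '\0'` there, and only then send the 501. The fragment also carries no `@@` header or file names, so `patch` cannot place it; apply it by hand at the `q += 3` after the "To:" match.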

1.5: Fix for extended ftp permissions in ftp-gw
This simple fix will stop a coredump when using extended permissions in ftp-gw. In ftp-gw.c, change lines 1431 & 1432 from:
msg_int = auth_perm(confp,authuser,"ftp-gw",riaddr,tokav[0]);
if(msg_int == 1 || msg_int == 0) { 
To:
msg_int = auth_perm(confp,authuser,"ftp-gw",riaddr,tokav);
if(msg_int == 1 || msg_int == -1) {
1.6: Fix to allow tn-gw to pass OOB data correctly

Apply this patch if out-of-band (urgent) data is not being passed through tn-gw correctly.

--- tn-gw.old   Sun Dec 10 21:40:49 2000
+++ tn-gw.c     Sun Dec 10 21:42:12 2000
@@ -186,7 +186,11 @@
 #endif
        signal(SIGCHLD, waitwaitwait);
 #ifndef SCO5
-       signal(SIGURG,trap_sigurg);
+        /* set up out of band handler */
+        signal(SIGURG, trap_sigurg);
+#else
+        (void) setsockopt(serfd, SOL_SOCKET, SO_OOBINLINE,
+                                (char *) &opt, sizeof (opt));
 #endif
        set_oob_notification(0);
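Review bot: in the new `#else` branch, `opt` and `serfd` do not appear in the hunk, and `opt` must hold a nonzero value before the `setsockopt` call or SO_OOBINLINE stays off and the SCO5 build silently loses urgent data again; set `opt = 1` immediately before the call and check the return value instead of discarding it with `(void)`. With SO_OOBINLINE the urgent byte arrives in the normal data stream and no SIGURG is delivered, so the `set_oob_notification(0)` path below must cope with never seeing the signal on that platform.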
 
1.7: Fix for smap to clean up files left behind by broken pipes

Smap can be made to fill its spool with temporary files if it receives a SIGPIPE (broken pipe) because of an improper TCP teardown by the client. The fix is by Tor Perkins <nptbl@noid.net>

--- smap.c.org  Tue Jan 13 14:56:14 1998
+++ smap.c      Mon Jul  3 21:49:37 2000
@@ -98,6 +98,14 @@
        alarm(timeout);
 }

+static  void
+brokenpipe()
+{
+  syslog(LLEV,"received SIGPIPE (broken pipe), aborting");
+  if(tempfile != (char *)0)
+    unlink(tempfile);
+  smap_exit(1);
+}

main(ac,av)
int    ac;
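Review bot: `brokenpipe()` runs in signal context but calls `syslog()`, `unlink()` and `smap_exit()`; of those only `unlink()` is async-signal-safe, so the log call can deadlock if SIGPIPE arrives while the main loop is itself inside syslog. Safer is to have the handler do only the `unlink` and an `_exit`, or set a flag that the main loop checks, and leave logging to the main loop. `tempfile` must also be a file-scope `char *` that is null until the spool file is actually created, otherwise the handler unlinks whatever stale name is in it.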
@@ -170,6 +178,8 @@
                close(sockl);
                close(sock);
        }
+
+  signal(SIGPIPE,brokenpipe);

        if(peername(0,rladdr,riaddr,sizeof(riaddr))) {
                syslog(LLEV,"cannot get remote host");
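Review bot: installing the handler with `signal()` here means that on SVR4-style libcs the disposition is reset to default after the first delivery; a second SIGPIPE during cleanup then kills the process without the unlink. Prefer `sigaction()` with an explicit mask. Style: the two added lines are indented with spaces while the surrounding code uses tabs.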
 
1.8: Fix for URL scheme case sensitivity
This patch, by Liudvikas Bukys <bukys@cs.rochester.edu> will cause http-gw to treat HTTP:// and http:// the same.

You can download the patch here.
 
1.9: Fix to display the entire version in http-gw error messages
This small fix by Liudvikas Bukys <bukys@cs.rochester.edu> will make http-gw display the entire version number when it displays error messages.

diff -r1.1 error.c
62c62
<               while(*p && *p != ' ')p++;
---
>               /* while(*p && *p != ' ')p++; */
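Review bot: commenting the loop out leaves dead code in error.c; delete the line instead, and check whether the pointer `p` is still used by what follows so the compiler does not start warning about an unused variable.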
 
1.10: Fix for http-gw to allow you to ftp to non-standard ports
From the author (Liudvikas Bukys <bukys@cs.rochester.edu>): 

If you try an FTP URL with a port number (try ftp://localhost:666), you'll find that FWTK 2.1 overrides the user-specified port, forcing it to port 21.  The reason it did that was because the http-gw.c code defaulted the port number to 80 for FTP URLs, and the (incorrect) workaround was to force it to 21 in all cases.  The patch defaults to port 21, then allows the user to override with the URL.

*** ftp.c       1998/09/24 14:53:52     1.1
--- ftp.c       2000/09/08 16:54:32
***************
*** 281,286 ****

!       port = FTPPORT;
!       port = get_port(host, port);
!       rem_port = port;

--- 281,289 ----

!       if( rem_port == 0){
!               port = FTPPORT;
!               port = get_port(host, port);
!               rem_port = port;
!       }else{
!               port = rem_port;
!       }
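Review bot: `rem_port == 0` is the sentinel for "no port in the URL", so a URL written as `ftp://host:0/` is indistinguishable from one with no port and silently goes to 21; reject port 0 (and anything above 65535) where the URL is parsed rather than here. The hunk is also a context diff with no unchanged context lines, so `patch` will place it purely by line number; verify the result against the ftp.c in your tree.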

-------------------------------------------------------------------------------

*** http-gw.c   2000/09/08 15:24:21     1.3
--- http-gw.c   2000/09/08 17:43:28
***************
*** 441,442 ****
--- 441,444 ----
                        parse_vec[3] = "70";
+               else if (!strcasecmp(parse_vec[0], "ftp"))
+                       parse_vec[3] = "21";
                else
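Review bot: the new branch compares the scheme with `strcasecmp`, which is consistent with the URL scheme case patch in 1.8, but the http and gopher comparisons just above this hunk must use the same function or `FTP://` gets its default while `HTTP://` still does not; check them while you are here.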

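As an added example (not http-gw's code, and not from the patch's author), the port selection the patch above describes, written out as one function: the scheme picks the default (http 80, gopher 70, ftp 21, matching the parse_vec values in the hunk) and an explicit ":port" in the URL overrides it. Unlike the rem_port == 0 sentinel in the patch, port 0 is rejected outright. The struct and function names are the example's own.

```c
/*
 * Added example, not http-gw's own code: choose the port for a URL the way
 * the patched logic above is described, defaulting per scheme (http 80,
 * gopher 70, ftp 21) and honouring an explicit ":port" in the URL.
 * Port 0 is rejected instead of being reused as a "no port given" marker.
 * All names here (url_parts, parse_url_port) are the example's own.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct url_parts {
    char scheme[16];
    char host[256];
    int  port;           /* effective port after applying the default */
    int  explicit_port;  /* 1 if the URL carried its own ":port" */
};

/* Default port for the schemes http-gw proxies; -1 for anything else. */
static int default_port(const char *scheme)
{
    if (strcasecmp(scheme, "http") == 0)   return 80;
    if (strcasecmp(scheme, "gopher") == 0) return 70;
    if (strcasecmp(scheme, "ftp") == 0)    return 21;
    return -1;
}

/* Returns 0 on success, -1 on a malformed URL, unknown scheme or bad port. */
int parse_url_port(const char *url, struct url_parts *out)
{
    const char *p, *host, *end;
    char *q;
    size_t n;
    long port;

    memset(out, 0, sizeof *out);
    p = strstr(url, "://");
    if (p == NULL)
        return -1;
    n = (size_t)(p - url);
    if (n == 0 || n >= sizeof out->scheme)
        return -1;
    memcpy(out->scheme, url, n);
    out->scheme[n] = '\0';
    if (default_port(out->scheme) < 0)
        return -1;

    host = p + 3;
    end = host + strcspn(host, ":/");       /* host ends at ':', '/' or NUL */
    n = (size_t)(end - host);
    if (n == 0 || n >= sizeof out->host)
        return -1;
    memcpy(out->host, host, n);
    out->host[n] = '\0';

    if (*end == ':') {
        if (!isdigit((unsigned char)end[1]))
            return -1;                      /* ":" with no digits after it */
        port = strtol(end + 1, &q, 10);
        if ((*q != '\0' && *q != '/') || port <= 0 || port > 65535)
            return -1;                      /* garbage, port 0 or out of range */
        out->port = (int)port;
        out->explicit_port = 1;
    } else {
        out->port = default_port(out->scheme);   /* no ":port": scheme default */
    }
    return 0;
}

int main(int argc, char **argv)
{
    struct url_parts u;
    const char *url = argc > 1 ? argv[1] : "ftp://localhost:666/pub/";

    if (parse_url_port(url, &u) < 0) {
        fprintf(stderr, "bad URL: %s\n", url);
        return 1;
    }
    printf("%s -> scheme=%s host=%s port=%d (%s)\n", url, u.scheme, u.host,
           u.port, u.explicit_port ? "from URL" : "scheme default");
    return 0;
}
```

Run it with a URL as the first argument; ftp://localhost:666 yields port 666 from the URL, ftp://host yields 21 by default, and ftp://host:0 is refused.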

    Patches
2.1: Patch to save duplicates of smap messages
The patch is available at smap2.txt. Note from the author:

Here is a diff for the smap.c code (note that this code has already been patched for Solaris 2 -- your mileage may vary).  I've tested it briefly, and everything seems okay.  This will save a copy of each message to a directory called "backup" that is located directly under your regular "smap" spool directory, as specified in your netperm-table:

smap, smapd:    directory /var/spool/mqueue.smap

would use /var/spool/mqueue.smap/backup as the backup directory.  This is necessary because this could also be your chroot environment.

It uses the same filename as the temporary file.  This is in the format  "smaXXXXXX".

I believe the code is as secure as the stuff TIS provides, since it's basically their code, just duplicated for the second file. You are probably going to have problems when the directory starts getting full. Here's some suggestions:

1) Run a daily/weekly cron job to move the files to off-line storage
2) put the backup directory on a different disk spindle for better performance

To compile, include the flag -DDUPMAIL in the Makefile.

--  Marc Mosko <marc@tear.com>
 
 
2.2: Patches for smap to reduce e-mail spam and spam relaying
There are several patches/changes you can apply to smap to keep it from relaying spam. You can verify that your server is not an open relay by going to http://maps.vix.com/tsi/

  1. Have a look in smap.c for the #ifdef SPECIALDOMAIN hack.  You can modify the list of domains in that part of the code.  Save the unmodified smap executable, then recompile with -DSPECIALDOMAIN to enable the third-party relay hack and rename the new binary to smap-norelay.  You then need to use netacl and the netperm-table to launch the right version of smap: the regular smap for internal mail going out, and smap-norelay for incoming mail.  There are no changes to smapd for this hack.
  2. Joe Yao has a patch for a "more hardened and documented smap". It adds a lot of anti-spam code, anti-relaying, documentation, and source code cleanup. You can download it from yao-smap.pch. You can also download the EHLO add-on to Joe's patch (written by Pat Verner) at yao-smap2.pch.
  3. Craig Hagan and Bruce Ellis have made patches available to help reduce the amount of spam e-mail going through the firewall. The URL address is: http://www.cih.com/~hagan/smap-hacks/
  4. Andrew Dunstan wrote an anti-relaying patch for smap/smapd, which is at smapx.pch. You can find instructions for this at smapx.txt
  5. You can also look at the patch called NoSpam! (which also supports MAPS RBL) by Jason Rhoads at: http://www.sabernet.net/software/nospam.html
  6. Bruno Lebayle wrote a large patch which supports NoSpam!, MAPS RBL, anti-relay, checking for malformed "from" addresses, and SPAMBODY checks. The patch is called smap-jumbo.tar.Z.
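As an added example (not the SPECIALDOMAIN code from smap.c, nor any of the patches listed), the relay decision that item 1 describes, written as a function an inbound smap instance could call per RCPT TO: mail from the inside may go anywhere, mail from the outside is accepted only for the gateway's own domains, and source-routed local parts ("user%other@local", "other!user@local") are refused because they would be re-routed after local delivery. The local_domains list and the from_inside flag are placeholders for your own domain list and interface test.

```c
/*
 * Added example, not smap's SPECIALDOMAIN code: the per-recipient relay
 * decision an anti-relay smap makes. Mail is relayed only when it arrives
 * from the inside (the regular smap instance netacl runs for outbound mail)
 * or when the recipient's domain is one this gateway delivers for.
 * local_domains[] and the from_inside flag are placeholders for your own
 * domain list and interface test.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Domains this gateway accepts inbound mail for (placeholder values). */
static const char *local_domains[] = { "example.com", "mail.example.com", NULL };

/* 1 if addr has no domain, a local domain, or a subdomain of a local one. */
static int is_local_domain(const char *addr)
{
    const char *at = strrchr(addr, '@');
    const char *dom;
    size_t dl, ll;
    int i;

    if (at == NULL)
        return 1;                   /* bare local part: local delivery */
    dom = at + 1;
    dl = strlen(dom);
    if (dl == 0)
        return 0;
    for (i = 0; local_domains[i] != NULL; i++) {
        ll = strlen(local_domains[i]);
        if (strcasecmp(dom, local_domains[i]) == 0)
            return 1;
        /* "host.example.com" is covered by "example.com"; "notexample.com" is not */
        if (dl > ll && dom[dl - ll - 1] == '.' &&
            strcasecmp(dom + dl - ll, local_domains[i]) == 0)
            return 1;
    }
    return 0;
}

/*
 * Decide one RCPT TO. from_inside is 1 when the connection came in on the
 * internal interface. Returns the SMTP reply to send back.
 */
const char *rcpt_decision(int from_inside, const char *rcpt)
{
    const char *at = strrchr(rcpt, '@');
    size_t lp_len = at ? (size_t)(at - rcpt) : strlen(rcpt);

    if (from_inside)
        return "250 Recipient ok";          /* outbound mail may go anywhere */
    /* "user%other.net@example.com" or "other.net!user@example.com" look local
       but would be re-routed after delivery; refuse them on the inbound instance. */
    if (memchr(rcpt, '%', lp_len) != NULL || memchr(rcpt, '!', lp_len) != NULL)
        return "550 Source-routed address not accepted";
    if (is_local_domain(rcpt))
        return "250 Recipient ok";
    return "550 Relaying denied";
}

int main(void)
{
    /* constructed sample recipients */
    static const char *rcpts[] = { "bob@example.com", "bob@host.example.com",
        "bob@notexample.com", "victim%elsewhere.net@example.com", NULL };
    int i;

    for (i = 0; rcpts[i] != NULL; i++)
        printf("outside -> %-36s %s\n", rcpts[i], rcpt_decision(0, rcpts[i]));
    printf("inside  -> %-36s %s\n", "anyone@elsewhere.net",
           rcpt_decision(1, "anyone@elsewhere.net"));
    return 0;
}
```

The subdomain test is deliberately anchored on a dot so that "notexample.com" is not mistaken for a subdomain of "example.com"; a substring match there is a common way to turn an anti-relay check into an open relay.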
2.3: Patch to give ftp-gw a "plug" capability 
This patch, written by Kevin P. Fleming, allows the ftp-gw proxy to support a "plug-to" option in  netperm-table. This can be used to implement a sort of "reverse proxy", where ftp-gw is used to accept incoming ftp sessions from users on the Internet, and proxy them over to the internal, protected ftp server. This also allows commands issued by those users to be restricted and/or logged at the firewall, instead of in the ftp server. The patch is available at ftp-plug.pch. Make sure that you remove the RCS stuff before you try the patch.

Then, just add something like this to the netperm-table:

ftp-gw: permit-hosts 192.168.0.* -plug-to internal.ftp.domain.com

A good use for this patch would be to mirror an internal FTP site onto an external one. You might want to take a look at mirror.pl, available at ftp://sunsite.doc.ic.ac.uk/packages/mirror. From the mirror.pl README file:
    "Mirror is a package written in Perl that uses the ftp protocol to duplicate a directory hierarchy between the machine it is run on and a remote host.  It avoids copying files unnecessarily by comparing the file timestamps and sizes before transferring.  Amongst other things can optionally compress, gzip, and split files."
 
 
2.4: Patch to give the toolkit transparency 
You can download the transparency patch for FWTK 2.1 at transp.pch. If you are looking for instructions on it, check out trans-p.html. If you are having problems, you might need to apply this patch after you installed the transparency patch:

--- ./lib/hnam.c.croall  Thu Jul 16 15:35:31 1998
+++ ./lib/hnam.c    Thu Jul 16 15:37:34 1998
@@ -63,7 +63,8 @@
     struct sockaddr_in sin;
     struct hostent    * hp;
     int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0;
-    char         buf[255], hostbuf[255];
+    static char       buf[255];
+    char         hostbuf[255];
 #ifdef __FreeBSD__
     struct sockaddr_in rsin;
     struct natlookup   natlookup;
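Review bot: making `buf` static fixes returning a pointer to a stack buffer, but it also makes the function non-reentrant: a second call overwrites the result of the first, so every caller must copy the returned name before calling again, and the function is not safe from multiple threads. `hostbuf[255]` also leaves no room for the terminating NUL on a maximum-length (255-byte) hostname; size it 256 or bound the copy into it.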
2.5: Patch for PASV support and plug-to 
The patch can be found at gopu.tar.gz . Note from the author:

My source code has the following patches:

FTP-GW:   Files affected: ftp-gw.c

  • patched for PASV FTP
  • patched for -plug-to option (patch obtained through this FAQ)
HTTP-GW: Files affected: hmain.c, http-gw.c, ftp.c, http-gw.h
  • patched for PASV FTP
  • patched for -plug-to option
  • patched to accept !(NOT) in first field of "hosts" or "permit-hosts" in netperm-table.
I was trying to patch the look and feel of FTP output. But parsing the output of "ls -laF" seemed to be a herculean task since the output differs from machine to machine. Also, this will add to the complexity of the code. If somebody has done this please let me know.

These patches are not tested fully. I have the code running in my machines plus about fifteen other fwtk-users are using it. I would appreciate any efforts to bring out the bugs from the patch.

One request: Please send me a one liner with your email address and name before using this, so that I know somebody is using it. In case I find any bugs in it I shall send the files to you in future.

--Gopu <gopu@global.com>
 
 
2.6: Patch for OPIE and SMAIL support 
From the author:

Sorry if this has been reported and/or done before, but I've got three small fixes/additions for FWTK 2.0 to share:

1- smapd & smail
Out of the box, FWTK 2.0 won't work with smail under some cases...  The fix is very tiny.

2- opie and authsrv
I've created a patch that adds NRL's OPIE support to authsrv.

The details and source are on our web site.  Please see:
http://www.glyphic.com/free/fwtkfixes.html

Mark Lentczner <markl@glyphic.com>
 
 
2.7: Patch to add specific IP port binding
The patch is at ipbind-1.2.tar.gz. From the author:

By default, FWTK 2.1 does not support the binding of its proxies to only certain IP addresses.  It requires that these proxies be listening on all interfaces simultaneously.  There are obvious security problems with this situation so this patch was developed to address it.

The -daemon option has been modified so that the argument can now contain an IP address to bind to.  If one isn't specified the previous "all interfaces" approach is defaulted.  The specified name can be ip numbers (xxx.xxx.xxx.xxx) or a hostname that can be resolved by gethostbyname() on the firewall/service machine.

The -name option has been added so that multiple proxy definitions can exist in the netperm-table for the relevant proxy.

The proxies should function identically as unpatched if the extensions are not used in invocation.

You can also download this from the FWTK IPBind web site: http://www.connetsys.com/products/ipbind/

William L. Hamlin <whamlin@connetsys.com>
=========
You may also want to apply a minor patch to the above; it fixes issues where some systems cannot bind correctly. This patch was written by Ben Laurie <ben@algroup.co.uk>.
---- start patch -----
--- lib/daemon.c.orig        Tue Oct 17 12:55:37 2000
+++ lib/daemon.c Sun Oct 15 16:12:18 2000
@@ -160,7 +160,8 @@
                exit(0);        /* parent exits */
 

-       bzero( (char *)&sa.sin_addr, sizeof(sa.sin_addr));
+       bzero( (char *)&sa, sizeof(sa));
+
        sa.sin_family = AF_INET;
        sa.sin_port = htons(port);
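Review bot: the `---` (original) timestamp, Oct 17, is two days later than the `+++` (new) file's Oct 15, which is what a reversed diff looks like; verify the direction before applying, and use `patch -R` if it refuses. Zeroing the whole structure is the right fix, but on the ipbind-patched tree the address taken from `-daemon` must be written into `sa.sin_addr` after this `bzero`, otherwise the new line wipes it and the proxy silently listens on all interfaces again.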
---- end patch -----
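As an added example (not the ipbind patch's code, nor Ben Laurie's), the address setup a "-daemon [addr:]port" option needs, done the way the patch above intends: the whole sockaddr_in is cleared first, then the family, port and address are filled in, with a dotted quad tried before a gethostbyname() lookup and NULL meaning all interfaces as before. The function names and the default address and port are the example's own.

```c
/*
 * Added example, not the ipbind patch's code: build the listening address
 * for a "-daemon [addr:]port" style option. The whole sockaddr_in is zeroed
 * first (the point of the daemon.c fix above); addr may be a dotted quad,
 * a hostname resolved with gethostbyname(), or NULL for all interfaces.
 * Function names are the example's own.
 */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 and fills *sa, or -1 for a bad port or unresolvable address. */
int fill_listen_addr(const char *addr, int port, struct sockaddr_in *sa)
{
    struct hostent *hp;

    if (port <= 0 || port > 65535)
        return -1;
    memset(sa, 0, sizeof *sa);          /* clear sin_zero and padding, not just sin_addr */
    sa->sin_family = AF_INET;
    sa->sin_port = htons((unsigned short)port);
    if (addr == NULL || *addr == '\0') {
        sa->sin_addr.s_addr = htonl(INADDR_ANY);   /* unpatched behaviour: every interface */
        return 0;
    }
    if (inet_pton(AF_INET, addr, &sa->sin_addr) == 1)
        return 0;                       /* dotted quad */
    hp = gethostbyname(addr);           /* otherwise a name the firewall can resolve */
    if (hp == NULL || hp->h_addrtype != AF_INET ||
        hp->h_length != (int)sizeof sa->sin_addr)
        return -1;
    memcpy(&sa->sin_addr, hp->h_addr_list[0], sizeof sa->sin_addr);
    return 0;
}

/* Open a listening TCP socket on addr:port; returns the fd or -1. */
int open_listener(const char *addr, int port)
{
    struct sockaddr_in sa;
    int s, one = 1;

    if (fill_listen_addr(addr, port, &sa) < 0)
        return -1;
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    (void)setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(s, 16) < 0) {
        close(s);
        return -1;
    }
    return s;
}

int main(int argc, char **argv)
{
    const char *addr = argc > 1 ? argv[1] : "127.0.0.1";   /* placeholder address */
    int port = argc > 2 ? atoi(argv[2]) : 8021;             /* placeholder port */
    int fd = open_listener(addr, port);

    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    printf("listening on %s:%d (fd %d)\n", addr, port, fd);
    close(fd);
    return 0;
}
```

Binding to the internal interface's address rather than INADDR_ANY is what keeps an inbound-only proxy from being reachable from the outside at all; the per-interface packet filter is then a second line, not the only one.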
 
 
2.8: SSL, SASL and anti-spam patches for smap [2.0/2.1]
This patch series, written by Habeeb J. Dihu (aka MacGyver) <macgyver@tos.net>, enables the following features, either selectively or in combination:

   1.SSL encryption for SMAP. 
   2.SASL authentication for SMAP (includes login, S/Key, and CRAM-MD5 support). 
   3.Spam protection. 

SASL authentication is in use by more and more mail clients today. It essentially allows you to authenticate yourself to the mail server before having it accept mail. When used in combination with the included anti-spam software, it can be an effective means of eliminating spam while allowing authorized users to send mail from anywhere on the Internet.

The patches and documentation are available at: http://www.macgyver.org/software/smap-sasl.html. We have also mirrored the latest (as of this writing) version of the patch here.
 
2.9: Patch for specifying the ftp data port in netperm-table
The FWTK ftp proxy does not use a privileged port for its data connection. Any system that requires ftp data to come from a fixed port will not work unless the ftp-gw code is modified to bind to the required port number.

The patch ftp-gw.patch adds a "data-port" option to your netperm-table that will allow this to work. Add something like the below to the netperm-table.
    ftp-gw: data-port 20
 
 
2.10: Patch for limiting download size in ftp-gw
The patch below adds:
- a sizelimit directive in netperm-table (giving the size in bytes, and 0 for no control)
- a separate syslog (including a global dest variable) in order to keep stats untouched and ease the summary of size limit exceeded
- closing the data connection by simulating an error

You can also shut people down who keep getting files below the limit. The stopftp.cron script will add them to the netperm-table if their downloads go above the set amount in the log file.

Bruno LEBAYLE (lebayle@esrf.fr)

Netperm-table (e.g. for 10KB)
-------------
ftp-gw:         sizelimit 10240

Header (before main)
--------------------
#define SIZELIMIT
#ifdef SIZELIMIT
static  int                     sizelimit, currentsize;
#define DESTSIZE                256
static  char                    desthost[DESTSIZE];
#endif

Init (after reading timeout configuration option)
-------------------------------------------------
#ifdef SIZELIMIT
        sizelimit = currentsize = 0;    /* 0 means no limit */
        if((cf = cfg_get("sizelimit",confp)) != (Cfg *)0) {
                if(cf->argc != 1) {
                        syslog(LLEV,"fwtkcfgerr: sizelimit must have one parameter, line %d",cf->ln);
                        exit(1);
                }
                /* digits only; atoi() would silently turn junk into 0 (no limit) */
                if(strspn(cf->argv[0],"0123456789") != strlen(cf->argv[0]) ||
                   (sizelimit = atoi(cf->argv[0])) < 0) {
                        syslog(LLEV,"fwtkcfgerr: sizelimit %s invalid, line %d",cf->argv[0],cf->ln);
                        exit(1);
                }
        }
#endif

In cmd_user routine, after permit syslog
----------------------------------------
        syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
#ifdef SIZELIMIT
        /* keep a bounded copy of the destination for the size-limit log line */
        strncpy(desthost,dest,DESTSIZE-1);
        desthost[DESTSIZE-1] = '\0';
#endif

copyin and copyout routines, between read and write
---------------------------------------------------
#ifdef SIZELIMIT
        currentsize += x;
        if (sizelimit != 0 && currentsize >= sizelimit) {
                syslog(LLEV,"sizelimit exceeded %d host=%s/%s dest=%s",sizelimit,rladdr,riaddr,desthost);
                sprintf(buf,"226 Proxy size limit exceeded %d bytes",sizelimit);
                sayn(0,buf,strlen(buf));
                return(1); /* avoid being stuck and log the exit */
        }
#endif
 
 
2.11: Patch for enhanced PASV support

From the author regarding his patch (ftp-pasv.tgz):

This document is mostly relevant for folks who are using packet filters in conjunction with ftp-gw.

When ftp-gw is actively proxy-ing, it acts like an ftp server on one side, and an ftp client on the other side.  The proxy may choose to use PORT or PASV independently of what the real client host chooses. 

Let's look at some variations:

      1)      client --PORT-> ftp-gw --PORT-> remote
                     <-data--        <-data--

      2)      client --PORT-> ftp-gw --PASV-> remote
                     <-data--        --data->

      3)      client --PASV-> ftp-gw --PORT-> remote
                     --data->        <-data--

      4)      client --PASV-> ftp-gw --PASV-> remote
                     --data->        --data->

Scenarios 1 and 3 require that new inbound connections on ports 1024+ be allowed from the outside (remote side) of the proxy by the packet filters.  Because this is undesirable, we can configure the proxy to always use PASV:

  ftp-gw: pasv true

Now scenarios 2 and 4 are all that remain.  Scenario 4 requires that new inbound connections on ports 1024+ be allowed from the inside (client side) of the proxy by the packet filters.  Let's send a "502 Command not implemented" to these clients:

  ftp-gw: pasv true -portonly

Most clients default to PORT.  Any client that has been configured to use PASV will most likely fall back to PORT when it gets the 502.  Now scenario 2 is our last remaining scenario.

The good news about scenario 2 is that we can deny any incoming packet that does not have the ACK bit toggled and is coming in on a high port number.  The bad news is that there are lots of high port numbers. Let's narrow down the possibilities:

  ftp-gw: data-port 62345

The proxy is initiating the data channel connection (sending that first SYN packet); it is sending to a destination port that was sent to it over the control channel.  This is a kinda-random high port on the destination host.  The port number is sufficiently unique that the proxy is free to choose a source port that is always the same for all data connections without having to worry about "duplicate bind" issues.

We can now use a quite restrictive filtering scheme.  We only allow inbound packets to one high port (62345) and then only if the ACK bit is toggled.  This rule is good for all interfaces.

CAVEAT:  We're in trouble if the remote 502's us; we don't fall back... :^)

HTTP-GW:  The ftp proxy capabilities of http-gw are not needed if ftp-gw has the transparency patch.

Tor Perkins <3c9x5@altabates.com>
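As an added example (not code from the ftp-pasv patch or its author), the two bits of data-channel plumbing the four scenarios above turn on. parse_pasv_reply() pulls host and port out of the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply so the proxy can open the data connection itself (scenario 2), and refuses a reply that names any host other than the control-connection peer, which is the check that stops a server from using the proxy to connect to third hosts; format_port_cmd() builds the PORT command the proxy sends when it uses PORT on its other side (scenarios 1 and 3). The sample reply, the 192.0.2.10 address and the function names are the example's own; the port 62345 is the data-port from the text.

```c
/*
 * Added example, not the ftp-pasv patch's code: the data-channel plumbing
 * the scenarios above rely on. parse_pasv_reply() extracts host and port
 * from the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
 * so the proxy can open the data connection itself (scenario 2) and refuses
 * a reply that points at a host other than the control-connection peer;
 * format_port_cmd() builds the PORT command for the proxy's other side.
 * Names and the sample reply are the example's own.
 */
#include <stdio.h>
#include <string.h>

/*
 * Parse a 227 reply. ctrl_peer is the dotted-quad address of the server the
 * control connection is talking to, or NULL to skip the check. Returns 0 and
 * fills host/port, or -1 on a malformed, zero-port or third-host reply.
 */
int parse_pasv_reply(const char *line, const char *ctrl_peer,
                     char *host, size_t hostlen, int *port)
{
    unsigned int h[4], p[2];
    const char *paren = strchr(line, '(');
    int i;

    if (strncmp(line, "227", 3) != 0 || paren == NULL)
        return -1;
    if (sscanf(paren, "(%u,%u,%u,%u,%u,%u", &h[0], &h[1], &h[2], &h[3],
               &p[0], &p[1]) != 6)
        return -1;
    for (i = 0; i < 4; i++)
        if (h[i] > 255)
            return -1;
    if (p[0] > 255 || p[1] > 255 || (p[0] == 0 && p[1] == 0))
        return -1;                              /* port 0 is never valid */
    snprintf(host, hostlen, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    /* A server (or an attacker in its place) can name any host here; only
       connect back to the peer we are already talking to. */
    if (ctrl_peer != NULL && strcmp(host, ctrl_peer) != 0)
        return -1;
    *port = (int)(p[0] * 256 + p[1]);
    return 0;
}

/* Build "PORT h1,h2,h3,h4,p1,p2" for host:port; returns 0 or -1. */
int format_port_cmd(const char *host, int port, char *buf, size_t len)
{
    unsigned int h[4];
    char tail;
    int i, n;

    if (port <= 0 || port > 65535)
        return -1;
    if (sscanf(host, "%u.%u.%u.%u%c", &h[0], &h[1], &h[2], &h[3], &tail) != 4)
        return -1;                              /* not a bare dotted quad */
    for (i = 0; i < 4; i++)
        if (h[i] > 255)
            return -1;
    n = snprintf(buf, len, "PORT %u,%u,%u,%u,%u,%u", h[0], h[1], h[2], h[3],
                 (unsigned int)port / 256, (unsigned int)port % 256);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    /* constructed server reply and peer address */
    const char *reply = "227 Entering Passive Mode (192,0,2,10,243,137)";
    char host[32], cmd[64];
    int port;

    if (parse_pasv_reply(reply, "192.0.2.10", host, sizeof host, &port) == 0 &&
        format_port_cmd(host, port, cmd, sizeof cmd) == 0)
        printf("data target %s:%d, as PORT: %s\n", host, port, cmd);
    else
        printf("rejected: %s\n", reply);
    return 0;
}
```

With the "-portonly" setting from the text, the client-side half of the proxy never reaches parse_pasv_reply at all: a client PASV gets the 502 and the client falls back to PORT, which is exactly what leaves scenario 2 as the only one the packet filter has to allow.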
 
 
2.12: Patch to add login/password to authmgr command line [2.1]

From the author (Jean-Christophe MONIER <jcmonier@euriware.fr>):

I've written a small patch to extend the syntax of the 'login' command of the authmgr software.
This patch allows you to use login in 3 different ways:

- original: enter "login" and authmgr prompts you for Username: and
Password:
or
- enter "login <username>" and authmgr prompts you only for Password:
or
- enter "login <username> <user's password>" and authmgr prompts for nothing

The last method allows you to log in to authmgr from a script, like a perl program for example. I use this in a perl script that lets me add new users from a flat text file.

Here is the patch

----------- CUT HERE ------------------------------

--- /usr/src/fwtk/auth/authmgr.c        Tue Sep  5 13:04:34 2000
+++ authmgr.c   Tue Sep  5 11:35:06 2000
@@ -45,7 +45,7 @@
  static        Cmd     *find_command();

  static Cmd ctab[] = {
-"login",       FLG_LOCAL,      "login",                        do_login,
+"login",       FLG_LOCAL,      "login [username [password]]",
do_login,
  "adduser",    0,      "adduser username [longname]",          0,
  "deluser",    0,              "deluser username",             0,
  "display",    FLG_LOCAL,      "display username",
do_multiline,
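Review bot: the table entries in this hunk have been wrapped by the mailer, with `do_login,` and `do_multiline,` pushed onto lines of their own, so the hunk will not apply as shown; rejoin each entry onto one line before running `patch`.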
@@ -203,6 +203,12 @@
        char           *p;

        logged_in = 0;
+       if(ac > 2) {
+               strncpy(usrbuf,av[1], 512);
+               usrbuf[511] = '\0';
+               strncpy(pbuf,av[2], 512);
+               rbuf[511] = '\0';
+       } else {
        if(ac > 1) {
                strncpy(usrbuf,av[1], 512);
                usrbuf[511] = '\0';
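Review bot: the terminator for the password buffer is written into the wrong array: `rbuf[511] = '\0';` after the `strncpy(pbuf,av[2], 512)` should be `pbuf[511] = '\0';`, otherwise a password of 512 bytes or more leaves `pbuf` unterminated and the later `p = pbuf` reads past its end. Since the password now arrives in `av[2]`, any script that feeds the `login user password` line, such as the one below, has to carry the administrator password in a plain-text file; keep that file unreadable to anyone else.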
@@ -212,6 +218,7 @@
                if(fgets(usrbuf,sizeof(usrbuf),stdin) == (char *)0)
                        do_quit();
        }
+       }
        sprintf(rbuf,"authorize %s",usrbuf);
        if(auth_send(rbuf))
                lostconn();
@@ -238,9 +245,17 @@
                if(!strncmp(rbuf,"chalnecho ",10)) {
                        p = getpassword(&rbuf[10]);
                } else
-               if(!strncmp(rbuf,"password",8)) {
-                       p = getpassword("Password: ");
-               } else {
+               if (ac <= 2) {
+                       if(!strncmp(rbuf,"password",8)) {
+                               p = getpassword("Password: ");
+                       }
+               }
+               else
+               if  (ac > 2) {
+                       p = pbuf;
+               }
+               else
+               {
                        fprintf(stderr,"%s\n",rbuf);
                        return(1);
                }
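Review bot: the final `else` block is now unreachable, because `ac <= 2` and `ac > 2` between them cover every case; in the `ac <= 2` branch a reply that is neither `chalnecho` nor `password` therefore leaves `p` unset and falls through, instead of printing the server's message and returning 1 as the removed lines did. Keep the error branch: test `!strncmp(rbuf,"password",8) && ac <= 2` first, `ac > 2` next, and leave the original `fprintf`/`return(1)` as the trailing else.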

----------- CUT HERE ------------------------------
 

Here is the perl script I use :
 

----------- CUT HERE ------------------------------
#!/usr/bin/perl5
#USAGE: authadd.pl [ userfile ]
# userfile is : userid \t groupid \t password \t longname
# Each line is turned into authmgr commands; authmgr must accept
# "login user password" (the patch above) for this to run unattended.
$DATABASE = $ARGV[0];
$AUTHSRV  = "/usr/local/etc/authmgr";

open(IN, "<$DATABASE")  || die "cannot open $DATABASE: $!";
open(OUT, "| $AUTHSRV") || die "cannot run $AUTHSRV: $!";
# Authenticate with a SUPER-WIZ user (the credentials sit in this file: keep it mode 0600)
print OUT "login adminuser adminpwd\n";

# Add users from userfile (one user per line)
while (<IN>) {
    s/[\r\n]//g;
    next if /^\s*$/;                      # skip blank lines
    ($uid, $group, $PASSWORD, @longnameparts) = split(/[ \t]/, $_);
    $longname = "\"" . join(" ", @longnameparts) . "\"";
    print OUT "adduser $uid $longname\n";
    print OUT "group $uid $group\n";
    print OUT "password $uid $PASSWORD\n";
    print OUT "enable $uid\n";
    print OUT "display $uid\n";
}
print OUT "quit\n";
close(OUT);
close(IN);

----------- CUT HERE ------------------------------
 
 


    Other addons
3.1: FWTK caching module? 
No, the FWTK doesn't cache anything. Squid is a free caching proxy that does; Netscape's proxy server is a commercial one. See the http-gw man page, or the question "How do I run http-gw and a web server.." in this FAQ, for how to point http-gw at such a cache.

If you implement Squid, you might want to use Paul Duerr's http-gw ==> Squid forwarding patch. You can find it at http-pat.tar.gz or you can use squid-gw (em-gw) by Eberhard Mattes found below.

You can also cache NNTP by using nntpcache, which is found at http://www.nntpcache.org/
 
 
3.2: RealAudio/RealVideo and FWTK
You can download the RealAudio/Video Firewall Admin Proxy Kit ( http://www.real.com/firewall/ ) which will proxy RealAudio/RealVideo via TCP. Also, RealAudio client versions 4.0 and above support downloading audio/video streams via HTTP.
 
3.3: Perl Syslog summary script 
There is a perl script at fwtk-summ.pl.gz which you can use to produce a daily summary of FWTK traffic. It has similar functionality to the standard tools/admin/reporting/*-summ.sh scripts, but only scans the log-file once.
 
3.4: How do I encrypt my telnet/rsh sessions? 
You might want to take a look at the ssh suite of tools. You can look at the ssh-faq at http://www.cs.hut.fi/ssh/ or download a freely available Unix version at ftp://ftp.cs.hut.fi/pub/ssh/ .

You can use plug-gw as a ssh proxy between two distinct hosts or look at the ssh proxy listed in this FAQ if you want encrypted traffic between your client and the firewall. You can also tunnel ssh through SSL in http-gw by using the ssh-tunnel.pl script.

Also look for the SSH proxy lower in this file.
 
3.5: Free authentication clients/servers for the toolkit
Look at S/key, which is a one-time password generation and use application. You can find it at ftp://thumper.bellcore.com/pub/nmh. You can also use the version that came with W. Venema's logdaemon kit, which can be downloaded from ftp://coast.cs.purdue.edu/pub/tools/unix/logdaemon.
 
3.6: Proxy for traceroute/ping
You can either use the small "wrapper" by Eberhard Mattes <mattes@azu.informatik.uni-stuttgart.de>, or use the NEC socks5 proxy, which comes with traceroute and ping proxies. The wrapper can be found at em-gw.tar.gz, which can be modified for other programs like finger. The NEC socks5 proxy is located at http://www.socks.nec.com/
 
3.7: Proxy for UDP traffic (udprelay)
Try udprelay, which was originally written by Tom Fitzgerald <fitz@wang.com> and is currently being updated by Ted Rule <Ted_Rule@flextech.co.uk>.

The latest release is 0.3.0-pl18 and can be found here. Latest changes are:

rel0_3_0_patch18: 

29th August 2001 

- Change of default timeout down to 40 seconds in line with other UDP "firewall" products.
- Dropped debug timer to 10secs
- Disable LOGINSTANCES define by default to suppress excessive logging with debug disabled. See README for some details on the corresponding differences to syslogging - and the source to really understand...
- Updated README/Makefile with RedHat 6.2 settings
- Updated initscript for RedHat to include latest suggestions for an RH7 script from Michael St Laurent
- Updated acknowledgement/thanks to include Michael

rel0_3_0_patch17: 

3rd May 2000 

seg fault found in parsehost() - traced to parsehostname returning either hostname or ip-address or ip-addr+mask. parsehost() debug code only allowed for the first case. 

rel0_3_0_patch16:

18th November 1999

patch number updated in Makefile!
README updated with latest compilation reports.
RedHat init script updated with chkconfig support.
Acknowledgements and thanks section added.

rel0_3_0_patch15:

09th November 1999

patch of recvfrom call checking to allow a null UDP size packet to be relayed. This is necessary to allow relaying of the UDP timed service on port 37 - should you be crazy enough to require it!
 
3.8: Proxy for multicast backbone
An MBone proxy is now available for alpha testing with the FWTK. The MBone (Multicast Backbone) is one of the earliest and best known technologies for multimedia conferencing over the Internet.  MBone traffic is carried in multicast UDP datagrams. The Advanced Research and Engineering Division of TIS has developed an approach that allows FWTK-based firewalls to pass restricted, bidirectional MBone traffic while reducing the risk that inbound datagrams can be used to attack hosts inside the firewall-enforced security perimeter. The MBone proxy is designed to work with a special wrapper program that runs on Unix-based, inside clients.  The wrapper carries out an initial dialog with the firewall proxy and then spawns unmodified MBone applications as child processes.  The MBone proxy and wrapper work with the following MBone applications: sdr (session directory), vat (audio), vic (video), and wb (whiteboard).  The proxy has been tested with BSD/OS Version 2.1 and FWTK 2.0. The wrapper has been tested on a variety of Unix systems, including BSD/OS, Irix, and SunOS.

For alpha testing, the proxy and wrapper can be obtained from the contrib section of the FWTK ftp site:

ftp://ftp.tis.com/pub/firewalls/toolkit/contrib/mbone-gw.tar.gz

A more complete description of the proxy and wrapper are provided in a recent paper presented at the 1997 IEEE Symposium on Security and Privacy, "An MBone Proxy for an Application Gateway Firewall".  This paper is available on line at

http://www.tis.com/docs/research/network/mbone/mboneabs.html
 
 
3.9: Proxies for NNTP, POP3, Squid, and other services such as traceroute (em-gw)
You can find em-gw.tar.gz at em-gw.tar.gz. Note from the author:

------------------------------------------------------------------------------
em-gw.tar.gz  - Four proxies contributed by Eberhard Mattes:
    cmd-gw: running traceroute etc. remotely on gateway
    nntp-gw: NNTP proxy
    pop-gw: POP3 proxy (inbound)
    squid-gw: HTTP proxy, front-end for Squid cache
    http-in: allow web requests from outside to inside
    netpermd: change the netperm-table without a shell account
------------------------------------------------------------------------------

The PGP sig for em-gw.tar.gz can be downloaded at em-gw.asc

--  Eberhard Mattes <mattes@azu.informatik.uni-stuttgart.de>
 
 
3.10: Proxy for IRC
This proxy allows you to proxy IRC across the firewall. Both the standard connection and DCC are supported in this latest release (1.0 beta release 1).

You can download the proxy from irc-gw-1.0bpl2.tar.gz. The proxy was written by ArkanoiD <ark@eltex.spb.ru>
 
3.11: Proxy for ssh to the firewall
The ssh-gw proxy allows you to have encrypted ssh connections from a ssh client to the firewall. From your firewall into your internal network the traffic is not encrypted.

This is a good solution if you trust your internal network, but want encrypted packets on the Internet.

The proxy is at ssh-gw.tar.gz. The proxy was written by ArkanoiD <ark@eltex.spb.ru>
 
3.12: Proxy for outbound POP3

pop3-gw v0.4alpha
^^^^^^^ ^^^^^^^^^

This proxy implements a POP3 protocol gateway with optional USER/PASS -> APOP authentication protocol translation for outbound POP3 connections.

It supports RFC-1939 POP3 commands only and does not work with AUTH type authentication (and who does?). Only outbound APOP is supported; that means you can't use it to authenticate to the proxy itself (if you use plugged or transparent operation, you can, but..).

Please note that messages pass over the internet unencrypted even if you use APOP. Use PGP to avoid that.

setting up proxy
^^^^^^^ ^^ ^^^^^
Edit Makefile to add -DIPFILTER to the C options and the IPFILTER variable to point to the IPFilter source if you use IPFilter transparency.

Compile the source and edit inetd.conf to point to the binary. Set up the connection diverter if you use transparent operation.

netperm-table general options:

userid <uid>,groupid <gid>  similar to fwtk

{permit-|deny-}hosts    similar to fwtk

netperm-table hosts options:

-dest <list>    similar to fwtk

-fallback    permit fallback to insecure protocol

-transparent    transparent operation

-plug-to <server>   plug to a pre-defined server (can be useful for inbound operation)

-apop-only    being used with -transparent or -plug-to, disallow user/pass authentication on client side
     (recommended for inbound proxy)

-user <username-list>   specify the list of users allowed to access proxy. "!" modifier is valid.

-separator <separator-char>  a character to replace @ as separator.

(unimplemented)
-extnd     turn extended permissions processing on (see authsrv documentation)

setting up client side
^^^^^^^ ^^ ^^^^^^ ^^^^
Use your firewall's name as the POP3 server name and the user@host[:port] syntax to specify the real destination for non-transparent operation.

For transparent operations no special client setup is required.
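The USER/PASS -> APOP translation and the user@host[:port] destination syntax described above, modelled as an added example (this is not pop3-gw's own code). The greeting, user name and shared secret are the APOP worked example from RFC 1939 section 7; the function names are my own.

```python
import hashlib
import re

# Constructed example, not pop3-gw's own code. Greeting, user and secret below are
# the APOP worked example from RFC 1939 section 7, so the digest can be checked.
SAMPLE_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
SAMPLE_PASSWORD = "tanstaaf"

# RFC 1939: the timestamp banner is a '<...>' msg-id containing '@'.
TIMESTAMP_RE = re.compile(r"<[^<>]*@[^<>]*>")


def parse_destination(user_arg, separator="@", default_port=110):
    """Split 'user<sep>host[:port]' into (user, host, port).

    <sep> is '@' unless the README's -separator option changes it. Returns None
    when the client supplied no destination, as in -transparent or -plug-to mode."""
    if separator not in user_arg:
        return None
    user, dest = user_arg.rsplit(separator, 1)
    host, _, port = dest.partition(":")
    if not user or not host or (port and not port.isdigit()):
        raise ValueError("malformed USER argument: %r" % user_arg)
    return user, host, int(port) if port else default_port


def apop_digest(greeting, password):
    """Hex MD5 of timestamp banner + shared secret, or None if the server offers none."""
    m = TIMESTAMP_RE.search(greeting)
    if m is None:
        return None
    return hashlib.md5((m.group(0) + password).encode("ascii")).hexdigest()


def translate_login(greeting, user, password, fallback=False):
    """Commands the proxy would send to the real server for a client's USER/PASS.

    APOP is preferred so the secret never crosses the outside network in clear;
    USER/PASS is passed through only when -fallback is set. None means refuse."""
    digest = apop_digest(greeting, password)
    if digest is not None:
        return ["APOP %s %s\r\n" % (user, digest)]
    if fallback:
        return ["USER %s\r\n" % user, "PASS %s\r\n" % password]
    return None


if __name__ == "__main__":
    print("connect to", parse_destination("mrose@dbc.mtview.ca.us:1110"))
    print(translate_login(SAMPLE_GREETING, "mrose", SAMPLE_PASSWORD))
```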

BUGS
^^^^
Just an alpha release - so there should be some.
I've noticed it does not work well with hotmail.com. If somebody knows why, please tell me.

ToDo
^^^^
Fix hotmail bug.
Make real proxying when in TRANSACTION state.

For developers
^^^ ^^^^^^^^^^
Feel free to improve the program the way you want - but send me a copy of your patches.

Revision history
^^^^^^^^ ^^^^^^^
0.1alpha  First version

0.2alpha  bugfix: fixed a typo that caused the "userid" config parameter to be ignored
   added transparency support and plug-to support
   added client APOP support when using one of those renamed from pop3-gw.out to pop3-gw
   Removed Gauntlet-style authentication from ToDo list (considered harmful)

0.3alpha  added -user option

0.4alpha  added -separator option - Netscape (HATE!) workaround.
 

Email
^^^^^
home: ark@mpak.convey.ru
work: ark@eltex.spb.ru
 
 
3.13: Proxy to fake ident responses

ident-spoofer v1.0beta
^^^^^^^^^^^^^ ^^^^^^^^
This program is designed to make servers over the internet happy when they expect to get ident (RFC-1430) information from a host behind an fwtk firewall. Works great with the irc-gw bogus-user option.

The program is not designed to provide information on services running on the host: it works with remote port numbers only.

setting it up
^^^^^^^ ^^ ^^
Compile the source and edit inetd.conf to point to the binary.
You should create netperm-table entries like:

{permit-|deny-}hosts <hostmask> - similar to fwtk
ostype <put desired OSTYPE here, say, UNIX>
service <service name/port> <userid>

service name is a name or port number you connect to, like in:

ident-spoofer:  service smtp            root
ident-spoofer:  service ftp             ftp
ident-spoofer:  service irc-client      nobody

and so on.

BUGS
^^^^
report to me if you find any.

ToDo
^^^^
suggestions are welcome.

Email
^^^^^
home: ark@mpak.convey.ru
work: ark@eltex.spb.ru
 
3.14: Proxy for rsh

rsh-gw-0.1alpha.tar.gz

This file is the README for rsh-gw, a proxy for the rshd(8) protocol and fwtk-style firewalls. It makes (or should make) the use of rsh and rsh-based services like rsync, rdist, cvs and so on possible across firewalls.

WARNING: this proxy (due to the nature of the rsh protocol) does not support authentication techniques other than the generic one, which is based solely on rsh client and host system security. So it is at least not wise to use it to access "trusted" networks from "untrusted" ones. Once again: the primary purpose of the program is to allow "internal" users access to [semi-]public rsh-based services.

Another purpose is to run x-gw automagically from a script.

If you have any interesting services running, please send me your setup and log fragments - I need them for future documentation.

setting up proxy
^^^^^^^ ^^ ^^^^^
Edit Makefile to add -DIPFILTER to the C options and the IPFILTER variable to point to the IPFilter source if you use IPFilter transparency.

Compile the source and edit inetd.conf to point to the binary. If your system does not have the rcmd(3) system call you can use the generic BSD implementation provided in this distribution for reference purposes.

Set up the connection diverter if you use transparent operation.

netperm-table general options:

{permit-|deny-}hosts                    similar to fwtk

xforwarder                              similar to tn-gw/rlogin-gw

netperm-table hosts options:

- -dest <list>                          similar to fwtk

- -transparent                          transparent operation

- -plug-to <server>                     plug to a pre-defined server

- -user <username-list>                 specify the list of users allowed
                                        to access proxy. "!" modifier is
                                        valid.

- -ausers <username-list>                       specify the list of users treated
                                        as "authenticated" if rsh 
                                        authentication was successful

- -xok                                  permit x-gw access

- -extnd                                        turn extended permissions processing
                                        on (see authsrv documentation)

setting up client side
^^^^^^^ ^^ ^^^^^^ ^^^^
Use "rsh -l user@host firewall-host command" syntax to specify real destination for non-transparent operation.

For transparent operations no special client setup is required.

"rsh firewall-host x" will just run x-gw on firewall. You can redirect stdout from this command to somewhere and use it as future reference to "remote" display. 

Example:

eval `rsh myfirewall x|sed "s/display port/RDISPLAY/"`
rsh -l me@somewhere.out myfirewall xperfmon++ -display $RDISPLAY
 

BUGS
^^^^
Just an alpha release - so there should be some.

I think I should make it more portable.

ToDo
^^^^
Anything else?

For developers
^^^ ^^^^^^^^^^
Feel free to improve the program the way you want - but send me a copy of your patches.

Email
^^^^^
home: ark@mpak.convey.ru
work: ark@eltex.ru
 
3.15: Simple mail MTA (ssmtp)

ssmtp-0.5alpha.tar.gz

A dirty hack designed to eliminate sendmail (and other "smart" MTAs) on the firewall completely. Based on the ssmtp program (I left the original name unchanged, although the code differs a lot); see the source comments for more information and the original authors list.

setting it up
^^^^^^^ ^^ ^^
Make and install the program, then edit the netperm-table to specify MTA options like:

smapd:          sendmail /usr/local/etc/ssmtp (or whatever your binary
               location is)

ssmtp:         relay mylocalnet.net -via mymailhub.internal.net
ssmtp:         default-relay extmailhub.myisp.net

ssmtp knows nothing about MXes and other things like that. It does SMTP _only_ and uses static routes defined in the netperm-table to deliver mail.

BUGS
^^^^
report to me if you find any.

Sendmail emulation is really bad, but we do not need anything better to work with smapd and scripts like /etc/daily.

Code requires more audit to find possible buffer overrun vulnerabilities.

ToDo
^^^^
Fix possible security problems, general code cleanup/whatever..
Better handling of mail failures/postmaster notification/etc.
Implement some MIME content filtering.
PGP enforcer? ;-) Content audit?

Email
^^^^^
home: ark@mpak.convey.ru
work: ark@eltex.ru
 
 
3.16: Proxy for Sybase protocol

sybase-gw v0.3beta
^^^^^^^^^ ^^^^^^^^

This file is the README for sybase-gw, a proxy for TDS protocol 5.0 and fwtk-style firewalls. It should work with, and has been tested with, Sybase 11. Another function it provides is creating an encrypted tunnel between two firewalls for database applications.

setting up proxy
^^^^^^^ ^^ ^^^^^

Edit Makefile to add -DIPFILTER to the C options and the IPFILTER variable to point to the IPFilter source if you use IPFilter transparency.

Compile the source and edit inetd.conf to point to the binary. Requires libblowfish (available from ftp.funet.fi) and an md5 library (if your system does not have libmd5 you are probably running Linux; try to get it separately. Don't ask me where.)

Set up the connection diverter if you use transparent operation.

netperm-table general options:

{permit-|deny-}hosts                    similar to fwtk

netperm-table hosts options:

- -dest <list>                          similar to fwtk

- -transparent                          transparent operation

- -plug-to <server>                     plug to a pre-defined server

- -port <port>                          use this port number when connecting to server

- -authuser <username>                  similar to fwtk

- -user <username-list>                 specify the list of users allowed to access proxy. "!" modifier is valid.

- -loguser                              log username when authenticating on database server

- -client-encrypt <method>              use encryption on client side,  blowfish only is implemented for now

- -client-md5key <any string>           string hash will be encryption key

- -server-encrypt <method>              use encryption on server side, blowfish only is implemented for now

- -server-md5key <any string>           string hash will be encryption key

- -extnd                                        turn extended permissions processing on (see authsrv documentation)

setting up client side
^^^^^^^ ^^ ^^^^^^ ^^^^

Use the user@host syntax to specify the real destination for non-transparent operation.

For transparent operations no special client setup is required.

BUGS
^^^^
Just a beta release - so there should be some.

I think I should make it more portable. There are some possible problems if your compiler does not understand the pack() #pragma.

Packet checking after authentication is embryonic.

Protocol seems to be quite brain-dead so expect slowdowns or something.

Encryption is far from being optimal.

ToDo
^^^^
Fix the above.

Implement more encryption and hash functions.

Think about 2-level authentication (if it is possible at all)

Get protocol specs from Sybase (all the code is based on reverse engineering and unreliable sources. It is much better than the Gauntlet Sybase proxy anyway ;)

Anything else?

For developers
^^^ ^^^^^^^^^^
Feel free to improve the program the way you want - but send me a copy of your patches.
 

Revision history
^^^^^^^^ ^^^^^^^
0.1alpha                First version
0.2alpha                Bugfixes, workarounds
0.3beta                 Attempt to fix a bug (I think the protocol's, not mine)
                        that caused the connection to slow down.
                        Some cosmetic changes and code cleanup, so I
                        call it beta now.

Email
^^^^^
home:   ark@mpak.convey.ru
work:   ark@eltex.ru
 
3.17: Proxy for MSSQL protocol 

ms-sql-gw v0.3beta
^^^^^^^^^ ^^^^^^^^

This file is the README for ms-sql-gw, a proxy for TDS protocol 4.2 or 4.6 and fwtk-style firewalls. It should work with MS SQL 6 and 7 and older Sybase ( <10 ) versions. Another function it provides is creating an encrypted tunnel between two firewalls for database applications.

setting up proxy
^^^^^^^ ^^ ^^^^^
Edit Makefile to add -DIPFILTER to the C options and the IPFILTER variable to point to the IPFilter source if you use IPFilter transparency.

Compile the source and edit inetd.conf to point to the binary. Requires libblowfish (available from ftp.funet.fi) and an md5 library (if your system does not have libmd5 you are probably running Linux; try to get it separately. Don't ask me where.)

Set up the connection diverter if you use transparent operation.

netperm-table general options:

{permit-|deny-}hosts                    similar to fwtk

netperm-table hosts options:

- -dest <list>                          similar to fwtk

- -transparent                          transparent operation

- -plug-to <server>                     plug to a pre-defined server

- -port <port>                          use this port number when connecting to server

- -authuser <username>                  similar to fwtk

- -user <username-list>                 specify the list of users allowed to access proxy. "!" modifier is valid.

- -loguser                              log username when authenticating on database server

- -client-encrypt <method>              use encryption on client side, blowfish only is implemented for now

- -client-md5key <any string>           string hash will be encryption key

- -server-encrypt <method>              use encryption on server side, blowfish only is implemented for now

- -server-md5key <any string>           string hash will be encryption key

- -oob                                  emulate client oob behavior

- -sqlv6                                       specify protocol version

- -tdsv42                               "

- -sqlv7                                        "

- -tds46                                        "

- -extnd                                        turn extended permissions processing on (see authsrv documentation)

setting up client side
^^^^^^^ ^^ ^^^^^^ ^^^^
Use the user@host syntax to specify the real destination for non-transparent operation.

For transparent operations no special client setup is required.

BUGS
^^^^
Just a beta release - so there should be some.

I think I should make it more portable. There are some possible problems if your compiler does not understand the pack() #pragma.

Packet checking after authentication is embryonic.

Protocol seems to be quite brain-dead so expect slowdowns or something.

Encryption is far from being optimal.

ToDo
^^^^
Fix the above.

Implement more encryption and hash functions.

Think about 2-level authentication (if it is possible at all)

Get protocol specs from Sybase (all the code is based on reverse engineering and unreliable sources. It is much better than the Gauntlet MS SQL proxy anyway ;)

Anything else?

For developers
^^^ ^^^^^^^^^^
Feel free to improve the program the way you want - but send me a copy of your patches.

Revision history
^^^^^^^^ ^^^^^^^
0.1alpha                First version
0.2alpha                Bugfixes, workarounds
0.3beta                 Some cosmetic changes and code cleanup, so I call it beta now. 

Email
^^^^^
home:   ark@mpak.convey.ru
work:   ark@eltex.ru
 
3.18: Proxy for lp (printing)

lp-gw v0.2alpha
^^^^^ ^^^^^^^^^

This file is the README for lp-gw, a proxy for the line printer protocol and fwtk-style firewalls. It does (I hope) conform to RFC 1179 strictly and can be used with lprNG clients and servers, and even to enforce the use of lprNG clients.

setting up proxy
^^^^^^^ ^^ ^^^^^

Compile the source and edit inetd.conf to point to the binary.

netperm-table general options:

{permit-|deny-}hosts    similar to fwtk

printer <user-queue> -printer <server-queue> -host <server>

     map "user-queue" on firewall to
     "server-queue" on "server"

     if "user-queue" is "*", map all
     queues to server lpd.

netperm-table hosts options:

-queue <list>    list queues client is permitted to
     connect (note the names are "user"
     queues, not server ones)

-deny <list>     specify the list of permitted operations
     (null,restart,print,qstate_s,
     qstate_l,remove)

-log <list>    causes operation to be logged. 
     Not really useful.

-lprng     force client to use lprNG protocol.
 

setting up client side
^^^^^^^ ^^ ^^^^^^ ^^^^
Just access the proxy as generic lpd server. 
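How the "printer" mapping and the per-host queue and operation lists described above can be applied to an incoming RFC 1179 request, as an added example (not lp-gw's own code). The correspondence between RFC 1179 command codes and the README's operation names, the behaviour of the "*" mapping, and the host names are my assumptions.

```python
# Constructed example, not lp-gw's own code. RFC 1179 command codes 1..5 are
# mapped to the operation names the README lists; that mapping and the use of
# "null" for any other code are my assumptions.
RFC1179_OPS = {1: "restart", 2: "print", 3: "qstate_s", 4: "qstate_l", 5: "remove"}


def parse_request(data):
    """Parse an RFC 1179 request line: <command byte><queue>[ <operands>]LF."""
    if not data.endswith(b"\n"):
        raise ValueError("request must end with LF")
    fields = data[1:-1].decode("ascii").split(" ")
    if not fields[0]:
        raise ValueError("empty queue name")
    return RFC1179_OPS.get(data[0], "null"), fields[0], fields[1:]


def map_queue(printers, user_queue):
    """printers: (user_queue, server_queue, server) tuples from 'printer' lines.

    An exact entry wins; a "*" entry sends every other queue, name unchanged,
    to its server (assumption about how the wildcard behaves)."""
    for uq, sq, host in printers:
        if uq == user_queue:
            return sq, host
    for uq, sq, host in printers:
        if uq == "*":
            return user_queue, host
    return None


def decide(request, printers, allowed_queues, allowed_ops):
    """Return ("deny", reason) or ("permit", server, rewritten_request)."""
    op, queue, operands = parse_request(request)
    if queue not in allowed_queues:          # -queue <list> (user queue names)
        return "deny", "queue %s not permitted" % queue
    if op not in allowed_ops:                # operation list from the README
        return "deny", "operation %s not permitted" % op
    target = map_queue(printers, queue)
    if target is None:
        return "deny", "no printer mapping for %s" % queue
    server_queue, server = target
    # Forward the same command byte with the queue name rewritten for the server.
    line = " ".join([server_queue] + operands).encode("ascii")
    return "permit", server, bytes([request[0]]) + line + b"\n"


# Constructed configuration mirroring the README's netperm-table directives;
# host names are placeholders.
PRINTERS = [("lp", "hp4si", "print.internal.example"), ("*", "", "lpd.internal.example")]
ALLOWED_QUEUES = {"lp", "draft"}
ALLOWED_OPS = {"print", "qstate_s"}

if __name__ == "__main__":
    print(decide(b"\x02lp\n", PRINTERS, ALLOWED_QUEUES, ALLOWED_OPS))
    print(decide(b"\x05lp root 17\n", PRINTERS, ALLOWED_QUEUES, ALLOWED_OPS))
```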
 

Email
^^^^^
home:   ark@mpak.convey.ru
work:   ark@eltex.ru
 
 
3.19: PAM module for authsrv authentication

According to the author (Mark D. Roth <roth@uiuc.edu>), the addon is a PAM module to do authsrv authentication which works under both RedHat Linux 6.1 and Solaris 7.

This patch is pam_authsrv-20000512.tar.gz. Extract it into fwtk/tools/server and read the included README for more information.
 
3.20: Proxy for SOCKS4/SOCKS5

This proxy for SOCKS4/5 connections was written by Yakov Kravets <ygk@nb.com>. Note that it only supports TCP/IP connections.

The patch is socks-gw.tar.gz.

END OF PATCH PAGE

If you would like to contribute patches to this page, post them on the FWTK-users mailing list.