7. Install TIS
7.1 Get TIS
The TIS FWTK is available from ftp://ftp.tis.com/. Don't repeat the mistake I made: read the ReadMe file there first.
The FWTK is kept in a hidden directory on their server. TIS requires you to send e-mail to fwtk-request@tis.com; the message should contain plain text only, with no subject line. Within 12 hours their system will reply automatically with the name of the hidden directory that holds the FWTK source code.
The TIS version I got is 2.0 (beta). It compiled without problems (with a few small exceptions) and works very well. The description below is based on this version. When they release the official version, I will update this document.
Before installing the FWTK, create a fwtk-2.0 directory under /usr/src. Copy the FWTK archive (fwtk-2.0.tar.gz) into that directory and extract it (tar zxf fwtk-2.0.tar.gz).
The FWTK itself does not proxy SSL web traffic, but there is an add-on for it by Jean-Christophe Touvet. You can download it from:
ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.z
Touvet does not provide technical support for it.
I use a modified version that also supports Netscape secure news servers. Its author is Eric Wedel, and it is available at:
ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.z
To install it, create an ssl-gw directory under /usr/src/fwtk-2.0 and put the files there. Before compiling, you need to make a few changes.
First, ssl-gw.c is missing an include file. Add the following to it:
#if defined(__linux)
#include <sys/ioctl.h>
#endif
Second, it does not come with a Makefile. My solution was to copy one from another gateway directory and change the gateway name in it to ssl-gw.
7.2 Compile TIS FWTK
FWTK version 2.0 is easier to compile than any previous version, but I still found a few things in this beta version that need to be corrected. I hope these errors will be fixed in the official release.
First go to the /usr/src/fwtk/fwtk directory and copy Makefile.config.linux over the Makefile.config file.
Note: do NOT run fixmake, even though the instructions tell you to. If you do, it will break the Makefile in every directory. My fix for fixmake is to add a '.' and a '\' to the include statement in each Makefile. The corresponding sed script is:
sed 's/^include[ ]*\([^ ].*\)/include \1/' $name.proto > $name
Next, edit Makefile.config. There are two places to modify.
First, the author compiled in his HOME directory, while we put the source under /usr/src, so the FWTKSRCDIR variable must be changed accordingly:
FWTKSRCDIR=/usr/src/fwtk/fwtk
Second, some Linux systems use the GDBM database, while the default setting is DBM, so you may need to change it. My Linux version is RedHat 3.0.3, and I had to change it:
DBMLIB=-lgdbm
Last, in x-gw, the socket.c file of this beta version has a bug. The fix is to remove the following code:
#ifdef SCM_RIGHTS /* 4.3BSD Reno and later */
+ sizeof(un_name->sun_len) + 1
#endif
If you added ssl-gw to the FWTK source directory, add its directory to the DIRS list in the Makefile:
DIRS= smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw
Now you can run make.
7.3 Install TIS FWTK
Run make install.
The default installation directory is /usr/local/etc. You can change it to a more secure directory. I did not change it, but I set the permissions of this directory with 'chmod 700'.
All that is left is the configuration work.
7.4 Configuring TIS FWTK
This is the really interesting part. We want the system to call these newly added services and to set up the corresponding control information.
I don't want to repeat the contents of the TIS FWTK manual here. I will only show some problems I ran into and their solutions.
Three files make up all of the controls:
* /etc/services
Tells the system which port a service uses.
* /etc/inetd.conf
Decides which program is called when inetd receives a service request on a port.
* /usr/local/etc/netperm-table
Decides what the FWTK services permit and refuse.
To get the FWTK working, you had better edit these files from the beginning. Ignoring any one of them may make the system fail.
netperm-table
This file controls access to the TIS FWTK services. You have to consider the situation on both sides of the firewall. External users must authenticate before they are granted access, while internal users can be allowed to pass through directly.
The TIS firewall can authenticate users: the system manages a database of user IDs and passwords through a program called authsrv. The authsrv section of netperm-table specifies the location of the database and who may access it.
I ran into some trouble with this service. Note that the permit-hosts line I show uses '*', which gives all users access. The correct setting should be
authsrv: permit-hosts localhost
#
# Proxy configuration table
#
# Authentication server and client rules
authsrv:  database /usr/local/etc/fw-authdb
authsrv:  permit-hosts *
authsrv:  badsleep 1200
authsrv:  nobogus true
# Client applications using the authentication server
*:        authserver 127.0.0.1 114
To initialize the database, first su to root and run ./authsrv under /var/local/etc to create a user record, as follows.
You can find information on creating users and groups in the FWTK documentation.
#
# authsrv
authsrv# list
authsrv# adduser admin "Auth DB admin"
ok - user added initially disabled
authsrv# ena admin
enabled
authsrv# proto admin pass
changed
authsrv# pass admin "plugh"
Password changed.
authsrv# superwiz admin
set wizard
authsrv# list
Report for users in database
user    group   longname            ok?   proto   last
-----   ------  ------------------  ----  ------  -----
admin           Auth DB admin       ena   passw   never
authsrv# display admin
Report for user admin (Auth DB admin)
Authentication protocol: password
Flags: WIZARD
authsrv# ^D
EOT
#
The telnet gateway (tn-gw) is the most straightforward and should be the first one you set up.
In my example, no internal user has to authenticate (permit-hosts 196.1.2.* -passok -xok), while all other users must pass user ID and password verification (permit-hosts * -auth). I also allow the host 196.1.2.202 to reach the firewall machine directly, without going through the proxy. The two netacl-in.telnetd entries do this; I will explain how they get called later.
The telnet timeout should be kept short.
# telnet gateway rules:
tn-gw:             denial-msg    /usr/local/etc/tn-deny.txt
tn-gw:             welcome-msg   /usr/local/etc/tn-welcome.txt
tn-gw:             help-msg      /usr/local/etc/tn-help.txt
tn-gw:             timeout 90
tn-gw:             permit-hosts 196.1.2.* -passok -xok
tn-gw:             permit-hosts * -auth
# Only the administrator can telnet directly to the firewall via port 24
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
The rlogin gateway is configured in the same way as telnet.
# rlogin gateway rules:
rlogin-gw:       denial-msg    /usr/local/etc/rlogin-deny.txt
rlogin-gw:       welcome-msg   /usr/local/etc/rlogin-welcome.txt
rlogin-gw:       help-msg      /usr/local/etc/rlogin-help.txt
rlogin-gw:       timeout 90
rlogin-gw:       permit-hosts 196.1.2.* -passok -xok
rlogin-gw:       permit-hosts * -auth -xok
# Only the administrator can telnet directly to the firewall via port
netacl-rlogind:  permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a
Don't let anyone access your firewall directly, and that includes FTP. Therefore, do not run an FTP server on the firewall machine.
It is worth repeating that all internal users are allowed to reach the Internet, while all other users must authenticate. I also enabled logging of file transfers (-log { retr stor }).
The FTP timeout specifies the longest time the firewall will wait on a failed FTP connection.
# ftp gateway rules:
ftp-gw:          denial-msg    /usr/local/etc/ftp-deny.txt
ftp-gw:          welcome-msg   /usr/local/etc/ftp-welcome.txt
ftp-gw:          help-msg      /usr/local/etc/ftp-help.txt
ftp-gw:          timeout 300
ftp-gw:          permit-hosts 196.1.2.* -log { retr stor }
ftp-gw:          permit-hosts * -authall -log { retr stor }
Web, gopher and browser-based FTP are handled by http-gw. The first two lines set up a directory used to cache web pages and FTP files passing through the firewall; I make these files owned by root and keep them in a directory that only root can access.
The web timeout should be kept small; it controls how long a user waits on a failed connection.
# www and gopher gateway rules:
http-gw:         userid        root
http-gw:         directory     /jail
http-gw:         timeout       90
http-gw:         default-httpd www.afs.net
http-gw:         hosts         196.1.2.* -log { read write ftp }
http-gw:         deny-hosts    *
The ssl-gw simply passes anything through, so be careful with it. Here I allow internal users to reach every external address except 127.0.0.* and 192.1.1.*, and only on ports 443 through 563, which are the well-known SSL ports.
# ssl gateway rules:
ssl-gw:          timeout 300
ssl-gw:          hosts         196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw:          deny-hosts    *
The following example shows how to use plug-gw to proxy a news server. Internal users are only allowed to reach one external server, and only on one port.
The second line allows the news server to send its data back into the internal network.
Almost all news clients keep the connection open while the user reads news, so a longer timeout is specified here.
# NetNews plugged gateway
plug-gw:         timeout 3600
plug-gw:         port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
plug-gw:         port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp
The finger gateway is fairly simple. Internal users must first log in to the firewall and can then run finger there; anyone else just gets a message (finger.txt).
# Enable finger service
netacl-fingerd:  permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
netacl-fingerd:  permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
I have not set up proxies for mail and X Windows, so I cannot provide examples for them. Contributions by mail are welcome.
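The following Python script is an added example, not part of this document or of the FWTK itself. It evaluates netperm-table host rules the way the sections above describe them: for a given service and client address it walks that service's permit-hosts, hosts and deny-hosts lines in order, and the first pattern that matches decides. It also flags the authsrv permit-hosts * setting warned about above. The sample rules are constructed from the entries shown above, and shell-style wildcard matching is used as an approximation of FWTK's own matching.

```python
import fnmatch

# Constructed sample, built from the netperm-table entries shown above.
NETPERM_TABLE = """
authsrv:   permit-hosts *
tn-gw:     permit-hosts 196.1.2.* -passok -xok
tn-gw:     permit-hosts * -auth
ftp-gw:    permit-hosts 196.1.2.* -log { retr stor }
ftp-gw:    permit-hosts * -authall -log { retr stor }
http-gw:   hosts 196.1.2.* -log { read write ftp }
http-gw:   deny-hosts *
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
"""

HOST_RULES = ("permit-hosts", "hosts", "deny-hosts")

def parse_rules(text):
    """Return (service, rule, patterns, options) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service, _, rest = line.partition(":")
        words = rest.split()
        if not words or words[0] not in HOST_RULES:
            continue  # database, timeout, *-msg lines carry no host pattern
        patterns, options = [], []
        for w in words[1:]:  # patterns come first; options start with '-'
            (options if options or w.startswith("-") else patterns).append(w)
        rules.append((service.strip(), words[0], patterns, options))
    return rules

def decide(rules, service, client):
    """First rule for this service whose pattern matches the client wins.
    Wildcard matching here is shell-style (an approximation of FWTK's)."""
    for svc, rule, patterns, options in rules:
        if svc != service:
            continue
        if any(fnmatch.fnmatchcase(client, p) for p in patterns):
            return ("deny", []) if rule == "deny-hosts" else ("permit", options)
    return "deny", []  # no matching line: the service refuses the client

def lint(rules):
    """Flag the authsrv wildcard the text warns about."""
    return ["authsrv: permit-hosts * exposes the auth database; "
            "use permit-hosts localhost"
            for svc, rule, pats, _ in rules
            if svc == "authsrv" and rule == "permit-hosts" and "*" in pats]
```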
About inetd.conf
Below is an inetd.conf file in which all unnecessary services are commented out. I include the whole file anyway, to make clear how to turn off services and how to open the new firewall services.
#echo    stream  tcp     nowait  root    internal
#echo    dgram   udp     wait    root    internal
#discard stream  tcp     nowait  root    internal
#discard dgram   udp     wait    root    internal
#daytime stream  tcp     nowait  root    internal
#daytime dgram   udp     wait    root    internal
#chargen stream  tcp     nowait  root    internal
#chargen dgram   udp     wait    root    internal
# FTP firewall gateway
ftp-gw   stream  tcp     nowait.400  root  /usr/local/etc/ftp-gw ftp-gw
# Telnet firewall gateway
telnet   stream  tcp     nowait  root    /usr/local/etc/tn-gw /usr/local/etc/tn-gw
# Local telnet services
telnet-a stream  tcp     nowait  root    /usr/local/etc/netacl in.telnetd
# Gopher firewall gateway
gopher   stream  tcp     nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
# WWW firewall gateway
http     stream  tcp     nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
# SSL firewall gateway
ssl-gw   stream  tcp     nowait  root    /usr/local/etc/ssl-gw ssl-gw
# NetNews firewall proxy (using plug-gw)
nntp     stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
#nntp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
# SMTP (email) firewall gateway
#smtp    stream  tcp     nowait  root    /usr/local/etc/smap smap
#
# Shell, login, exec and talk are BSD protocols.
#
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
#ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk   stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
#
# POP and IMAP mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp    stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
#
# TFTP service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers."  Do not uncomment
# this unless you *need* it.
#
#tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps  dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
# cfinger is for GNU finger, which is currently not in use in RHS Linux
#
finger   stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger stream  tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
#
# Time service is used for clock synchronization.
#
#time    stream  tcp     nowait  root    /usr/sbin/tcpd  in.timed
#time    dgram   udp     wait    root    /usr/sbin/tcpd  in.timed
#
# Authentication
#
auth     stream  tcp     wait    root    /usr/sbin/tcpd  in.identd -w -t120
authsrv  stream  tcp     nowait  root    /usr/local/etc/authsrv authsrv
#
# End of inetd.conf
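As an added check (example code, not part of this document or of the FWTK), the following Python script parses an inetd.conf like the one above, lists the services that are still enabled together with their nowait rate limit, and flags any enabled entry whose server program is neither an FWTK program under /usr/local/etc nor wrapped by tcpd. That policy is an assumption of the example, chosen to match how the file above limits what listens on the firewall; the sample lines are constructed (the tftp line is deliberately left enabled to show a finding).

```python
# Constructed sample: lines in the shape of the inetd.conf shown above.
INETD_CONF = """
#echo    stream  tcp     nowait  root    internal
ftp-gw   stream  tcp     nowait.400  root  /usr/local/etc/ftp-gw ftp-gw
telnet   stream  tcp     nowait  root    /usr/local/etc/tn-gw /usr/local/etc/tn-gw
telnet-a stream  tcp     nowait  root    /usr/local/etc/netacl in.telnetd
#smtp    stream  tcp     nowait  root    /usr/local/etc/smap smap
finger   stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
auth     stream  tcp     wait    root    /usr/sbin/tcpd  in.identd -w -t120
tftp     dgram   udp     wait    root    /usr/sbin/in.tftpd
"""

FWTK_DIR = "/usr/local/etc/"  # the FWTK install directory used in the text
TCPD = "/usr/sbin/tcpd"

def parse_inetd(text):
    """Return the enabled entries as dicts; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            continue  # not a complete inetd line
        wait, _, rate = f[3].partition(".")  # 'nowait.400': max connections per minute
        entries.append({
            "service": f[0], "socket": f[1], "proto": f[2],
            "wait": wait, "rate": int(rate) if rate else None,
            "user": f[4], "program": f[5], "args": f[6:],
        })
    return entries

def audit(entries):
    """Flag enabled services whose server is neither an FWTK program nor
    wrapped by tcpd.  (This policy is an assumption of the example.)"""
    findings = []
    for e in entries:
        prog = e["program"]
        if prog.startswith(FWTK_DIR) or prog == TCPD:
            continue
        findings.append(f"{e['service']}/{e['proto']} runs {prog} as "
                        f"{e['user']} without FWTK or tcpd")
    return findings
```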