What about TIS Toolkit support for the Network News Transport Protocol (NNTP) or even the Post Office Protocol (POP)? Both of these services, and many others, are available through the plug-gw application. This application provides plugboard-type connections; that is, it connects a TCP/IP port on the firewall to another host using the same or a different TCP port number. This functionality makes it easy to provide other services through the firewall. The next few sections examine the operation and configuration of plug-gw by looking at specific services.

Configuring plug-gw

plug-gw reads the configuration lines that start with plug-gw: from the netperm-table file, just like the other Toolkit applications. The clauses listed in table 7.17 are used with the plug-gw application.

Table 7.17  plug-gw Rules and Clauses

timeout seconds
    Specifies a timeout value, after which inactive connections are disconnected. If no timeout is specified, the default is to remain connected until one side or the other closes its connection.

port portid hostpattern [options]
    Specifies a connection rule. When a connection is made, a match is searched for on the port-id and calling host. The port-id may be either a numeric value (such as 119) or a value from /etc/services (such as nntp). If the calling port matches, then the host-pattern is checked for a match following the standard address matching rules employed by the firewall. If the rule matches, the connection will be made based on the remaining options in the rule, all of which begin with -.

-plug-to host
    Specifies the name or address of the host to connect to. This option is mandatory.

-privport
    Indicates that a reserved port number should be used when connecting. Reserved port numbers must be specified for protocols, such as rlogin, which rely on them for security.

-port portid
    Specifies a different port. The default port is the same as the port used by the incoming connection.

How to Build a Firewall 373

The purpose of plug-gw is
to allow other services to be passed through the firewall, with additional logging to track the use of these services. The availability of this service means that additional service-specific applications do not need to be created unless required. Some applications do not have extended authentication mechanisms in them; plug-gw makes their use with firewalls much less of a bother.

The rules available for plug-gw, when used on a POP connection, look like this:

    plug-gw: port 110 206.116.65.* -plug-to 198.53.64.14

This line indicates that any connection received on port 110 (Post Office Protocol) from the 206.116.65 network is to be connected to 198.53.64.14. Additional options for the rule allow for the specification of a privileged port number. Few services actually require these. The final option allows for the specification of an alternate port number, should the same service be running on a different port number at the remote end.

As with the other services, the host pattern that is specified with the port command allows for both the allowed and non-allowed network or host IP addresses to be specified.

plug-gw and NNTP

The NNTP news protocol is used for reading Internet newsgroups. This protocol also performs news feeds and is often used to provide news reading services at the workstation level. The configuration of the plug-gw proxy for an Internet news feed is essentially the same as the configuration for a news reader.

In both cases, the NNTP port is defined in the /etc/services file as 119. You must configure the plug-gw line as follows:

    plug-gw: port 119 206.116.65.* -plug-to 198.53.64.1

374 Part II: Gaining Access and Securing the Gateway

This means that any connections received on port 119 from the local LAN will be directed to the same port on the system at 198.53.64.1. The two major reasons for handling NNTP with plug-gw are to allow NNTP client access through the firewall, and to allow for a newsfeed.

For the firewall to accept news connections, inetd must be configured to start the
plug-gw application whenever a connection request is made for the NNTP port. This is done by adding the following line to the /etc/inetd.conf file and restarting inetd:

    nntp stream tcp nowait root /usr/local/etc/plug-gw plug-gw 119

If you configure plug-gw but forget this step, the TIS Firewall Toolkit will seem not to operate: no log messages will print to the files or to the console.

To configure an NNTP client, such as WinVN for the PC-based architecture, you must set up WinVN so that it knows where to connect. Normally, this would be the actual NNTP server that you want to access, but in this case, it is the name or IP address of the firewall. On the firewall, the appropriate line in the netperm-table file must be included to specify where the NNTP client requests are to go. If several NNTP servers are available for reading news, you may want to separate them onto different network ports on the firewall, so that traffic can be sent to the different sites. Consider this sample part of the netperm-table file:

    plug-gw: port 2119 206.116.65.* -plug-to 198.53.64.1 -port 119
    plug-gw: port 2120 206.116.65.* -plug-to 198.53.64.5 -port 119

In this scenario, when users want to read news from the 198.53.64.5 server, they must connect to the firewall on port 2120. Figure 7.3 illustrates the configuration of the WinVN client for access to news through the firewall.

Figure 7.3  Configuring WinVN to use the NNTP proxy.

Regardless of the news reader client software that you use, it needs to be configured to use the firewall as the connection point or news host.

What if different news servers are available that your hosts are permitted to connect to? How does the system administrator configure multiple hosts at the same TCP/IP service port?
The answer is to specify a different port on the firewall, and let plug-gw redirect to the correct port on the remote system. This is done by using a rule in the netperm-table file:

    plug-gw: port 2120 206.116.65.* -plug-to 198.53.64.5 -port 119

According to this rule, if a connection on port 2120 is requested, that request is redirected to port 119 on the host at 198.53.64.5. This is only part of the solution. The /etc/services file should also be edited to add a news NNTP service entry to show the new service port for this connection. For example, the following line specifies that the service nntp-a is on port 2120:

    nntp-a 2120/tcp readnews untp # USENET News Transfer Protocol

The next step is to tell inetd that connections on this port are to be sent to the plug-gw application. This is done by adding the following line to the /etc/inetd.conf file and restarting inetd:

    nntp-a stream tcp nowait root /usr/local/etc/plug-gw plug-gw 2120

When the user wants to use this alternate server, he or she must reconfigure the news client software, as shown in figure 7.4, to point to the new service port.

Figure 7.4  Configuring WinVN and NNTP
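The following is an added example, not code from the TIS Toolkit or from this book: it models the rule matching described under "Configuring plug-gw" (port-id by number or /etc/services name, host pattern, -plug-to, -port, -privport) and then cross-checks the netperm-table against inetd.conf for the forgotten-inetd-line failure described above. The file excerpts, hosts and the nntp-a entry are constructed for the example, and host patterns are modelled with simple `*` wildcards only.

```python
"""Added example (not TIS Toolkit code): offline checks of a plug-gw setup.
resolve() models rule matching; missing_listeners() finds ports inetd never serves."""
import shlex
from fnmatch import fnmatch

# Constructed excerpts of the three files involved (addresses are illustrative).
SERVICES = """pop3    110/tcp  pop-3
nntp    119/tcp  readnews untp   # USENET News Transfer Protocol
nntp-a  2120/tcp                 # alternate news port on the firewall"""
NETPERM = """plug-gw: timeout 300
plug-gw: port 110  206.116.65.* -plug-to 198.53.64.14
plug-gw: port nntp 206.116.65.* -plug-to 198.53.64.1
plug-gw: port 2120 206.116.65.* -plug-to 198.53.64.5 -port 119 -privport"""
INETD = """nntp   stream tcp nowait root /usr/local/etc/plug-gw plug-gw 119
nntp-a stream tcp nowait root /usr/local/etc/plug-gw plug-gw 2120"""

def fields(line):  # tokenise one config line, dropping a trailing # comment
    return shlex.split(line.split("#", 1)[0])

def service_port(name, services=SERVICES):
    """Map a numeric port-id or an /etc/services name/alias to a TCP port."""
    if name.isdigit():
        return int(name)
    for f in map(fields, services.splitlines()):
        if len(f) >= 2 and f[1].endswith("/tcp") and name in [f[0]] + f[2:]:
            return int(f[1].split("/")[0])
    raise KeyError(f"unknown service {name!r}")

def plug_rules(table=NETPERM):
    """Yield (port, host pattern, options) for each plug-gw port rule."""
    for f in map(fields, table.splitlines()):
        if len(f) >= 4 and f[:2] == ["plug-gw:", "port"]:
            yield service_port(f[2]), f[3], f[4:]

def resolve(port, src, table=NETPERM):
    """First matching rule wins; None means no rule covers this connection."""
    for rport, pattern, opts in plug_rules(table):
        if rport != port or not fnmatch(src, pattern):  # only * wildcards modelled
            continue
        target = {"host": None, "port": port, "privport": "-privport" in opts}
        for i, o in enumerate(opts):
            if o == "-plug-to": target["host"] = opts[i + 1]
            elif o == "-port": target["port"] = service_port(opts[i + 1])
        if target["host"] is None: raise ValueError("-plug-to is mandatory")
        return target
    return None

def missing_listeners(table=NETPERM, inetd=INETD):
    """plug-gw ports in netperm-table that no inetd.conf line hands to plug-gw."""
    served = {service_port(f[-1]) for f in map(fields, inetd.splitlines())
              if len(f) >= 8 and f[5].endswith("/plug-gw")}
    return sorted({p for p, _, _ in plug_rules(table)} - served)
```

With the constructed files, the POP rule on port 110 is reported by missing_listeners() because no inetd.conf line starts plug-gw for it, which is exactly the silent no-log situation described for NNTP.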