Subject: Re: Further Firewall Good News
To: None <port-mac68k@NetBSD.ORG>
From: Aaron S. Magill <amagill@uiuc.edu>
List: port-mac68k
Date: 02/23/1996 00:33:48
>Hi Aaron,
>    Any chance of you writing a FAQ about this?  ;)  I want to do this
>exact setup at home, but haven't had the time to do the research.  If you
>don't have time to do a complete faq, could you send me some pointers as to
>where to get fwtk?  How fast does the maciix go on the serial port and with
>which kernel?
>Thanks,

I wouldn't mind doing a FAQ on this in a couple of weeks... I'm kind of
busy right now, but if people tell me what they want covered in it, I'd be
happy to put some stuff together.

Just a few brief notes for anyone who wants to try it out now, the Firewall
Tool Kit (called fwtk on most of the firewall mailing lists) can be found
at ftp.tis.com in the directory /pub/firewalls/toolkit.  The only thing you
*NEED* is fwtk-v1.3.tar.Z, though I'd recommend getting the docs as well
(both are about 450k apiece.)

Ideally, it's supposed to be used as a firewall... blocking all traffic
which tries to cross over into/from the internet.  You then set up proxies
on specific ports which allow specific types of traffic through.

The reason I'm using it is because my "internet provider" (i.e. the
University my wife is attending) supports only dynamic addresses for slip
and ppp, and only one address at a time at that.  By proxying through the
firewall, I can have multiple machines on an internal network which can
connect to the internet at the same time (by using the proxies, they appear
to have originated at the IP address assigned by the University.)

If you have an Internet Provider which will assign you multiple IP
addresses, then this is unnecessary, though you could still set up a
firewall for its protective purposes.

To get fwtk to compile under MacBSD, I had to run the fixmake script
provided with the tool kit to conform to BSD's makefile format.  After
that, I had to change the following line:
        extern     char    *sys_errlist[];
to:
        extern const char *const sys_errlist[];
in every file that referenced sys_errlist.  When I do the FAQ, I'll list
the specific files... hell, I might even write a script to do it.

After that, it compiled right out of the box.

So far I have only tried the telnet, ftp, http, and plug gateways.  The
first three are pretty self explanatory, but the plug gateway may need a
little explanation... it is simply a "pass-through" proxy.  Any packet sent
to that port on your firewall is passed through to the machine listed in
the configuration file (more on that in a minute).  This works for services
like nntp, smtp, and pop3, since they communicate only through one port
(somebody correct me if I'm wrong on that).  Ftp and telnet, however, do
negotiation for multiple ports.  For ftp, this is so you can be transferring
a file on one port, while being updated on status or aborting the transfer
on another.  For telnet, I assume this is so outgoing and incoming traffic
can occur simultaneously on different ports, but I don't know this for sure
(again, corrections are welcome for the FAQ).  The HTTP gateway is needed, as
you aren't going to be always connecting to the same destination, so the
plug gateway would fail.

After compiling and installing fwtk, you need to assign all of your
internal machines unique IP addresses.  I would recommend something in the
range of 192.168.x.y, as current routers know that these addresses are
"internal" only and won't forward them on to other networks.  If you don't
use these, and you pick addresses actually used by somebody, you will
probably have problems connecting to them at some point.

The fwtk tells you to disable IP-forwarding in the kernel.  For MacBSD,
this is the option GATEWAYS I believe.  I didn't do this and haven't had a
problem.  I suspect this is because (a) I am using known internal addresses
(i.e., should a packet from 192.168.1.2 make it to the University's router,
it knows to ignore it) and (b) because I am not really doing this for the
security aspects.  For a network like the one where I work, we have
legitimate IP addresses for our internal network.  If IP forwarding were
turned on on our firewall, people who telnetted in or out wouldn't be
blocked by the firewall; therefore, no security.

(OK, so this isn't as brief as I anticipated... I'll reformat it when I do
the FAQ)

After the ip addresses are assigned, the following changes need to be made
to your /etc/inetd.conf file:

the "ftp  stream tcp..." line needs to be changed to...

ftp             stream  tcp     nowait  root    /usr/local/etc/ftp-gw   ftp-gw

the telnet line to...

telnet          stream  tcp     nowait  root    /usr/local/etc/tn-gw    tn-gw

and the http line to...

http            stream  tcp     nowait  root    /usr/local/etc/http-gw  http-gw

After typing kill -1 `cat /var/run/inetd.pid` or rebooting, the changes
will go into effect.  You might want to add the following lines to
inetd.conf as well:

ftp-a           stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet-a        stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd

and the following lines to /etc/services

telnet-a        24/tcp
ftp-a           22/tcp

These allow you to easily access your firewall itself.

The final step in configuring your firewall is to setup
/usr/local/etc/netperm-table.  The following lines need to be added:

ftp-gw:         permit-hosts 192.168.1.*
tn-gw:          permit-hosts 192.168.1.* -passok -xok
http-gw:        permit-hosts 192.168.1.* { all }

Now your firewall is setup.

To telnet from your internal network, you would telnet to your firewall
first.  You would then type 'telnet <external-host>' after getting a prompt
from your firewall.

To use ftp, you would ftp to your firewall first.  Then for the username
requested, you would type <user>@<external-host> for whatever site you
wanted to connect to (e.g. ftp@netbsd.org would attempt to connect
anonymously to netbsd.org.)

To use the web, your browser needs to support proxies.  Netscape does, but
I don't use Mosaic, so I'm not sure about it.  For netscape, you go to the
network preferences and tell it that you are using proxies.  Then set your
http, gopher, and ftp proxies to your firewall's name, at port 80 (or
whatever http is in your /etc/services if you've changed it.)  All three
need to be set to 80, even though you have a ftp-proxy.  Netscape won't use
the one at port 21.

I'll give examples of the plug gateway in the FAQ.

To "seamlessly" ftp through the firewall, on a Mac, look into Fetch 3.0
(shareware) as it will work with proxies.  I don't know of a Mac telnet
client which will do it seamlessly.  I don't know what software on the PC's
handles proxies at all (except for Netscape).  Input would be helpful for
the FAQ.

You may need to tweak your named.boot file as well, I don't remember.  I'll
include that in the FAQ (it's too late for me to think right now... 4 days
in a row of getting too little sleep because I'm setting MacBSD up is
taking its toll! ;-)

Currently I have a ppp line going to the University through a modem, and a
ppp line going to my PowerMac.  I'll be getting EtherNet cards soon, and
I'll go into how I set that up as well, if it involves anything different.

Does anyone have ppp scripts for dialing up through a modem and then later
disconnecting it that are clean?  I lifted a couple off of a Linux site,
but because it uses the killall command (not in MacBSD) I had to kludge it
and it's pretty crappy.

TIS's fwtk includes a whole lot of other options as well, including
authentication (s-key, passwd, etc.) and X support to name a few.  I
haven't tried setting up the X stuff yet... that has to wait until I get
the Ethernet cards and can set up my PC running Linux again.

Oh, the ftp-a and telnet-a ports are so you can telnet and ftp directly
into your firewall.  Once you change the ftp and telnet entries in
/etc/inetd.conf, you can't use them to access your firewall.  With the
telnet-a entry, you can telnet to your firewall at port 24 to log directly
into it (<host> 24 as the name in NCSA's telnet).  Ftp will require using
port 22 to get the firewall.  Currently the telnet gateway doesn't support
telnetted connections to ports other than 23. (Telnetting to SMTP -- port
25 -- through the telnet gateway works, but that is because the protocol
doesn't require additional ports for communication.)

We fixed that at work, but I'll have to check the code and see what we
changed in the telnet-gw sources.

And finally, this does not support UDP packets either.  Fewer and fewer
things are using UDP (many support both TCP and UDP now), but stuff like
Real Audio and NFS won't go through your firewall.  The Firewall can access
them fine, but your internal network can't.  Supposedly the company that
put out Real Audio is working on a work around for firewalls, but I don't
know its status.

And who knows what else will fail to work as well, but with ftp, telnet,
http, X, and smtp/pop3 all working, this seems to be the cheapest solution
I've seen... real Network Address Translators cost mucho dinero last time I
looked.

Whew!

I'll clean this up and make it look like a FAQ and include more info when I
get some time, but hopefully this will get some of you started.

Aaron


--
Aaron Scott Magill                                             amagill@uiuc.edu
-------------------------------------------------------------------------------
}{  "I have SEEN evil!  I have SEEN horror!  I have seen the unholy maggots  }{
}{    which feast in the dark recesses of the human soul!  I have seen all   }{
}{  this, officer, but until today, I had never seen... YOU!" - Gomez Addams }{
-------------------------------------------------------------------------------
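An added example, not code from Aaron's post or from fwtk itself: the kind of script he mentions he might write for the sys_errlist change. It is a POSIX sh function that rewrites the declaration in every .c and .h file of a flat source directory (the directory layout is an assumption), preserving each line's indentation.

```shell
#!/bin/sh
# Added example, not code from the post or from fwtk: the fix-up script
# Aaron mentions he might write. For every .c and .h file in a directory
# that references sys_errlist, it rewrites the declaration
#         extern     char    *sys_errlist[];
# to the const-qualified form the post gives, keeping the line's indentation.
# Each file is rewritten through a temporary copy because "sed -i" is not
# portable across BSD and GNU sed.

# Usage: fix_sys_errlist <source-dir>
# Prints the path of every file it changed.
fix_sys_errlist() {
    dir=$1
    grep -l 'sys_errlist' "$dir"/*.c "$dir"/*.h 2>/dev/null |
    while read -r f; do
        # \1 keeps the leading whitespace; the rest matches "extern char *sys_errlist[];"
        # with any amount of whitespace between the tokens
        sed 's/^\([[:space:]]*\)extern[[:space:]]\{1,\}char[[:space:]]*\*[[:space:]]*sys_errlist\[\];/\1extern const char *const sys_errlist[];/' \
            "$f" > "$f.tmp" || { rm -f "$f.tmp"; continue; }
        if cmp -s "$f" "$f.tmp"; then
            rm "$f.tmp"            # file uses sys_errlist but has no declaration to fix
        else
            mv "$f.tmp" "$f" && echo "$f"
        fi
    done
}
```

Run it once against the unpacked fwtk tree after fixmake and the files it prints are the ones that needed the change.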
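A second added example, again not from the post or from fwtk: a simplified model of the netperm-table permit-hosts check behind the three ftp-gw, tn-gw and http-gw lines, which is what keeps the proxies usable only from the internal 192.168.1.* machines rather than from anything that can reach the firewall's ports. It assumes address-only patterns with "*" wildcards, first matching permit-hosts line wins, and deny when nothing matches; hostname patterns and other netperm-table rules are left out, and the table in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from fwtk. It models
# the netperm-table "permit-hosts" rule the post adds for ftp-gw, tn-gw and
# http-gw in a simplified form: the first permit-hosts line for the gateway
# whose address pattern matches the client decides, and a client matching
# no rule is denied. Hostname patterns and deny-hosts are not handled.

# Usage: netperm_permits <netperm-table> <gateway> <client-ip>
# Exit 0 and print "permit <options>" if allowed, exit 1 if denied.
netperm_permits() (
    set -f                    # keep the "*" in host patterns literal (no globbing)
    table=$1; gw=$2; client=$3
    # rules for this gateway only, with the "gw:" prefix and comments removed
    rules=$(grep -v '^[[:space:]]*#' "$table" | sed -n "s/^$gw:[[:space:]]*//p")
    while read -r rule rest; do
        [ "$rule" = permit-hosts ] || continue
        hosts=; opts=
        for tok in $rest; do
            # address patterns come first; everything from the first
            # "-flag" or "{" onward is gateway options (e.g. -passok -xok, { all })
            case "$tok" in
                -*|\{*|\}*) opts="$opts $tok" ;;
                *) if [ -z "$opts" ]; then hosts="$hosts $tok"
                   else opts="$opts $tok"; fi ;;
            esac
        done
        for pat in $hosts; do
            # shell pattern matching gives the table's "*" wildcard semantics
            case "$client" in
                $pat) echo "permit$opts"; exit 0 ;;
            esac
        done
    done <<EOF
$rules
EOF
    exit 1                    # no permit-hosts rule matched: denied
)
```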