# README.config,v 1.1.1.1 1995/06/16 21:10:40 seth Exp

*********************************************************************
*                           Introduction                            *
*********************************************************************

This file gives you samples for some of the many configuration files
which a Freestone firewall might have.  You *cannot* take these files
verbatim since at a minimum the IP addresses and such have to change,
and usually you might well have a different security policy you are
trying to enforce.

There will be a short section on each of the major configuration
files.  These are NOT intended to be the definitive source of
information on each file.  Instead, they are supposed to give you a
few hints about what the file is used for and perhaps how Freestone
uses it differently from the way it is typically used.  You should
refer to the manual pages and documentation for the package in
question for detailed information.

Also, the admin is responsible for deciding which files are chroot()ed
and which are not.  (e.g. if you chroot syslog in
/usr/local/BS/syslog, the path to the syslog configuration file is
/usr/local/BS/syslog/etc/syslog.conf)

*********************************************************************
*                              syslog                               *
*********************************************************************

There are very small differences between how we use syslog and how
the normal OS uses syslog.  The major difference is that if you use
the version from a Freestone ftp site, there is a new configuration
file /etc/syslog.snets which contains the list of hostmasks which are
allowed to syslog to this machine.

/etc/syslog.snets
----------------------------------------------------------------------
-1.1.1.1/0.0.0.0
----------------------------------------------------------------------

The above prevents anyone from syslogging to the firewall.
/etc/syslog.conf
----------------------------------------------------------------------
*.debug                                 /log/all
*.emerg;user.none                       *
----------------------------------------------------------------------

*********************************************************************
*                               inetd                               *
*********************************************************************

If you choose our inetd, we have added a new field between user and
path which is the number of calls a minute the service will allow
before saying that the service is looping.  The default number for
most inetds is 40.  However, with mail and socks running out of
inetd, you can legitimately get more than 40 calls a minute.

One important note is that if you use the SOS version of inetd, you
must start inetd with daemon because it does not auto-daemonize.

Note the use of the TCP wrapper.  It is important.

/etc/inetd.conf
----------------------------------------------------------------------
telnet  stream  tcp     nowait  root    40      /usr/local/etc/tcpd     btelnet
ftp     stream  tcp     nowait  root    40      /usr/local/etc/tcpd     bftp
smtp    stream  tcp     nowait  root    99      /usr/local/etc/tcpd     bmaild
socks   stream  tcp     nowait  root    99      /usr/local/etc/tcpd     sockd -i
supdup  stream  tcp     nowait  root    40      /usr/local/etc/tcpd     /usr/etc/in.telnetd
----------------------------------------------------------------------

*********************************************************************
*                            TCP Wrapper                            *
*********************************************************************

We have hacked the TCP wrapper to support delayed changing of UIDs
and GIDs, and chroot()ing.  chroot()ing is very important for
security reasons.

The in.telnetd line is important to customize since that is what
allows or denies access to the network administrative functions.
Note, we strongly suggest that you have in.telnetd call a one-time
password login program like keylogin from S/Key.  We also strongly
suggest that you use an encrypting telnet for privacy.
/etc/hosts.allow
----------------------------------------------------------------------
btelnet : ALL : chroot = /usr/local/BS/proxy : group = nogroup : user = nobody
bftp : ALL : chroot = /usr/local/BS/proxy : group = nogroup : user = nobody
bmaild : ALL : chroot = /usr/local/BS/mail : group = nogroup : user = nobody
sockd : ALL : chroot = /usr/local/BS/socks : group = nogroup : user = nobody
in.telnetd : 127.0.0.1/255.255.255.255 : allow
ALL:ALL:deny
----------------------------------------------------------------------

*********************************************************************
*                               Socks                               *
*********************************************************************

Socks is very critical to get correct since after all it does allow
unauthenticated access through the firewall.  Please note the way we
restrict access to the ``protected'' networks even if you are
supposedly coming from a ``protected'' network.

/etc/sockd.conf
----------------------------------------------------------------------
deny 0.0.0.0 0.0.0.0 204.52.227.0 255.255.255.0 : /bin/logger -t sockd -p auth.warning 'SOCKD: internal net -- from %u(%U)@%A to host %Z (service %S)'
permit 204.52.227.0 255.255.255.0 255.255.255.255 0.0.0.0
deny 0.0.0.0 0.0.0.0 : /bin/logger -t sockd -p auth.warning 'SOCKD: rejected -- from %u(%U)@%A to host %Z (service %S)'
----------------------------------------------------------------------

*********************************************************************
*                                NTP                                *
*********************************************************************

The ntp configuration file is a complex beast to get customized since
you must select hosts which are running NTP and are willing to serve
time to you.  For hopefully obvious reasons we will not give any
defaults (or rather we will give you an incorrect default).
Likewise, you are responsible for setting up the authentication keys
properly, if you are interested in authenticated time.  Please see
the NTP documentation for more information.
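The hosts.allow and sockd.conf files above both work by first-match
address/mask rules, and the sockd ordering (deny anything aimed at the
internal net, then permit the internal net outbound, then deny the rest)
is what enforces the "protected network" restriction.  The following is an
added example, not Freestone code: a small Python model of that matching,
run over the rules shown above.  Its assumptions are mine, not stated in
the README: a mask bit of 1 means "must match" (so 0.0.0.0/0.0.0.0 matches
everything), the first matching rule wins, a sockd request matching no rule
is denied, the ": command" tail of a sockd rule is ignored, and only the
allow/deny options of hosts.allow count as a verdict (chroot/user/group are
applied, not decided).

```python
"""Added example (not part of Freestone): first-match address/mask rule
evaluation as used by /etc/sockd.conf and /etc/hosts.allow.  Assumptions are
labelled in the comments; see the lead-in above."""
import socket
import struct

# Rules copied from the README above; the sockd logger text is shortened.
SOCKD_CONF = """\
deny 0.0.0.0 0.0.0.0 204.52.227.0 255.255.255.0 : /bin/logger -t sockd -p auth.warning 'SOCKD: internal net'
permit 204.52.227.0 255.255.255.0 255.255.255.255 0.0.0.0
deny 0.0.0.0 0.0.0.0 : /bin/logger -t sockd -p auth.warning 'SOCKD: rejected'
"""

HOSTS_ALLOW = """\
sockd : ALL : chroot = /usr/local/BS/socks : group = nogroup : user = nobody
in.telnetd : 127.0.0.1/255.255.255.255 : allow
ALL:ALL:deny
"""


def ip_to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def addr_matches(addr, net, mask):
    """True when addr lies inside net/mask (assumed: mask bits of 1 must match)."""
    m = ip_to_int(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(net) & m)


def parse_sockd_conf(text):
    """-> [(action, src_net, src_mask, dst_net, dst_mask)]; no dst pair = any dst."""
    rules = []
    for line in text.splitlines():
        fields = line.split(":", 1)[0].split()   # drop the shell command tail
        if not fields or fields[0].startswith("#"):
            continue
        dst = fields[3:5] if len(fields) >= 5 else ["0.0.0.0", "0.0.0.0"]
        rules.append((fields[0], fields[1], fields[2], dst[0], dst[1]))
    return rules


def sockd_decision(rules, src, dst):
    """The first rule matching both source and destination decides."""
    for action, snet, smask, dnet, dmask in rules:
        if addr_matches(src, snet, smask) and addr_matches(dst, dnet, dmask):
            return action
    return "deny"   # assumed default when nothing matches


def client_matches(pattern, client):
    """hosts.allow client pattern: ALL or net/mask (constructed subset)."""
    if pattern == "ALL":
        return True
    net, mask = pattern.split("/")
    return addr_matches(client, net, mask)


def hosts_access_decision(text, daemon, client):
    """First line whose daemon and client lists match decides: allow unless 'deny'."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2 or not parts[0]:
            continue
        daemons, clients, options = parts[0], parts[1], parts[2:]
        if daemons not in ("ALL", daemon):
            continue
        if not any(client_matches(c.strip(), client) for c in clients.split(",")):
            continue
        return "deny" if "deny" in options else "allow"
    # tcpd grants access when neither hosts.allow nor hosts.deny matches,
    # which is why the README's file ends with an explicit ALL:ALL:deny.
    return "allow"


if __name__ == "__main__":
    rules = parse_sockd_conf(SOCKD_CONF)
    for src, dst in [("204.52.227.5", "204.52.227.9"),   # internal -> internal
                     ("204.52.227.5", "10.1.2.3"),       # internal -> outside
                     ("10.9.9.9", "10.1.2.3")]:          # outside -> anywhere
        print("sockd", src, "->", dst, sockd_decision(rules, src, dst))
    for client in ("127.0.0.1", "204.52.227.5"):
        print("in.telnetd from", client, hosts_access_decision(HOSTS_ALLOW, "in.telnetd", client))
```

Running it shows the three sockd cases (internal to internal denied, internal
outbound permitted, anything else denied) and that in.telnetd is reachable
only from the loopback address.  The last comment in
`hosts_access_decision` is the practical point: without the trailing
`ALL:ALL:deny`, a daemon with no matching line would be wrapped but not
refused.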
/etc/ntp.conf
----------------------------------------------------------------------
server 127.0.0.2
driftfile /etc/ntp.drift
authenticate yes
resolver /usr/local/etc/xntpres
#
# Authenticated time
keys /etc/ntp.keys
trustedkey 104 2 3
authenticate yes
monitor yes
requestkey 65535
controlkey 65534
#
# Don't allow anyone to muck with our time.
restrict 0.0.0.0 mask 0.0.0.0 notrust noquery nomodify notrap
restrict 127.0.0.2 nomodify noquery notrap
restrict 127.0.0.1
----------------------------------------------------------------------

*********************************************************************
*                            sendmail.cf                            *
*********************************************************************

Sendmail configs are tricky things, and while I think ours are pretty
good, I will not impose my policy on you, so instead I will give you
the important lines which changed.

----------------------------------------------------------------------
$R -- relayhost

Should point to the machine which should get mail sent to a user
without a qualifying hostname (e.g. get ``root'' mail, etc)
----------------------------------------------------------------------

----------------------------------------------------------------------
CL

Nobody should get mail delivered on the firewall
----------------------------------------------------------------------

----------------------------------------------------------------------
HReceived: $?sfrom $s $.$?A($A) $.by $j ($?V$V/$.$v/$Z)$?r with $r$. id $?I$I/$.$i$?u for $u$.; $b

The changes in the Received lines reflect variables and names which
brequeued puts in to give full information about the mail message.
----------------------------------------------------------------------

You might want to nuke or change the local mailer rules just to be
sure.

*********************************************************************
*                                DNS                                *
*********************************************************************

DNS is another tricky beast to configure.
You should read the Firewalls book to figure out whether you want to
have ``split DNS'' (where you hide internal names) or things like
that.  Again, we will not give you sample server configuration files,
but we will give you some hints.

named.boot on internal machines:
        use ``slave forwarder mode''

named.boot on firewall:
        If you want to implement split DNS, you must be primary for
        external zones.  Internal machine will also be primary.

/etc/resolv.conf:
        Should point to *internal* machine running primary DNS which
        is a slave forwarder.

There are other security measures you can take (xfernets, etc) which
you should read about in DNS documentation.

*********************************************************************
*                          bs.client.conf                           *
*********************************************************************

Please see the Freestone client man pages.  We will give an example
without further comment:

/etc/bs.client.conf
----------------------------------------------------------------------
TELNET_GREET
TELNET_GREET    This is the Freestone firewall proxy client.
TELNET_GREET
TELNET_GREET    In compliance with Federal Law, we must inform you that if you
TELNET_GREET    are not an authorized user of this machine, you can be prosecuted.
TELNET_GREET    Use constitutes consent to security testing and monitoring.
TELNET_GREET    NO UNAUTHORIZED USERS ARE WANTED OR ALLOWED ON OUR COMPUTERS.
TELNET_GREET
TELNET_GREET
TELNET_PROMPT   proxy telnet>
TELNET_WELCOME
TELNET_WELCOME  Welcome to the Freestone firewall proxy client.
TELNET_WELCOME
TELNET_WELCOME  If you have not used this service before, please type ``help''
TELNET_WELCOME
TELNET_FAIL
TELNET_FAIL     You failed to be authenticated.  If you are an authorized
TELNET_FAIL     user, please reset your token generator, think about your
TELNET_FAIL     firewall username and token passwords, and try once or
TELNET_FAIL     twice more, then if you still have problems please contact
TELNET_FAIL     your network or security administrator.
TELNET_FAIL
TELNET_FAIL     If you are NOT an authorized user, please do not try to
TELNET_FAIL     log in again and force us to waste our time tracking you
TELNET_FAIL     down.  Thanks.
TELNET_FAIL
TELNET_HELP
TELNET_HELP     Available commands:
TELNET_HELP
TELNET_HELP     open [[-]port]  - Open a telnet connection to hostname
TELNET_HELP                       (If port is specified, then
TELNET_HELP                       open the connection to the
TELNET_HELP                       specified port.  If there
TELNET_HELP                       is a leading -, then it
TELNET_HELP                       will be a telnet connection,
TELNET_HELP                       otherwise it will be a raw
TELNET_HELP                       connection)
TELNET_HELP                       Note: the connection will
TELNET_HELP                       only be made if the ACL for
TELNET_HELP                       user permits it.
TELNET_HELP     close           - Log out
TELNET_HELP     exit            - Log out
TELNET_HELP     fork            - Fork one of the following protocol
TELNET_HELP                       proxies
TELNET_HELP                             x       (x protocol)
TELNET_HELP                             relay   (tcp/udp protocol)
TELNET_HELP     help            - View this message
TELNET_HELP
TELNET_HELP
SMTP_HELP       Available commands:
SMTP_HELP       HELO EHLO MAIL RCPT DATA RSET
SMTP_HELP       VRFY EXPN HELP NOOP QUIT
SMTP_HELP       However, VRFY EXPN HELP NOOP are unlikely to help much.
SMTP_HELP       HELO/EHLO are required, but will not gain you much.
SMTP_HELP       You must have MAIL before RCPT and RCPT before DATA.
SMTP_HELP       For further information, see RFC 821
FTP_GREET
FTP_GREET       Welcome to the Freestone FTP Proxy Server
FTP_GREET
FTP_GREET       Accesses to, actions on, and transfers across this server are being
FTP_GREET       LOGGED and MONITORED.  You have been advised.  In addition this
FTP_GREET       server will not honor a leading hyphen on your user name as most
FTP_GREET       full blown ftp servers will.
FTP_GREET
FTP_GREET       In compliance with Federal Law, we must inform you that if you
FTP_GREET       are not an authorized user of this machine, you can be prosecuted.
FTP_GREET       Use constitutes consent to security testing and monitoring.
FTP_GREET       NO UNAUTHORIZED USERS ARE WANTED OR ALLOWED ON OUR COMPUTERS.
FTP_GREET
FTP_GREET       OK.  Please authenticate yourself to the server.
FTP_GREET
FTP_AUTHTIMEOUT 600
FTP_FAIL
FTP_FAIL        I'm sorry, your authentication round has failed.  Common causes
FTP_FAIL        are a mistyped username or authentication response, a token
FTP_FAIL        generator which needs resetting, or an incorrect username or
FTP_FAIL        authentication response (perhaps valid on another system?).  If
FTP_FAIL        you are a valid user please feel free to try again once or twice.
FTP_WELCOME
FTP_WELCOME     You have been authenticated; welcome once again.  Please
FTP_WELCOME     type help to find out the very limited subset of FTP commands
FTP_WELCOME     supported by this server.  The next step is to connect to your
FTP_WELCOME     final destination.  Please enter:
FTP_WELCOME
FTP_WELCOME             USER @
FTP_WELCOME
FTP_WELCOME     in order to make the connection.  For most sessions your next
FTP_WELCOME     prompt will ask you to enter the password or authentication response
FTP_WELCOME     for logging into final.destination.host.
FTP_WELCOME
FTP_HELP
FTP_HELP        Commands accepted by this FTP proxy
FTP_HELP        USER HELP QUIT NOOP
FTP_HELP
FTP_HELP        CMD     ARGS            DESC
FTP_HELP
FTP_HELP        USER    user@machine    Connect to remote ftp server
FTP_HELP        QUIT                    Quit the server.
FTP_HELP        NOOP                    Generate a wise crack.
FTP_HELP
FTP_BADINPUT    Command not understood or supported by this proxy.  Consider HELP.
FTP_NOOP
FTP_NOOP        Well I'm just sitting here burning cycles at your request.
FTP_NOOP        Seems somewhat useless to me, but then I'm just a lousy machine
FTP_NOOP        and you're the wise and all-knowing file thief.
FTP_NOOP
FTP_NOOP        I hate doing nothing; let's do *something* or at least agree that
FTP_NOOP        doing *something* is always better than doing nothing; although
FTP_NOOP        you might argue that the act of doing nothing *is* something and
FTP_NOOP        therefore not nothing.  Hmm..  Cordelia should have thought along these
FTP_NOOP        lines right from the start.  It would have saved a lot of high school
FTP_NOOP        students a lot of unnecessary reading and writing.
FTP_NOOP
FTP_FAKE_USER   Ignored text here.
FTP_CONNECT_REMOTE
FTP_CONNECT_REMOTE      ******************************************************
FTP_CONNECT_REMOTE      ** You are now connected to the remote ftp server.  **
FTP_CONNECT_REMOTE      ** From now on, all ftp commands will be interpreted **
FTP_CONNECT_REMOTE      ** by that machine and NOT by the firewall          **
FTP_CONNECT_REMOTE      ******************************************************
FTP_CONNECT_REMOTE
FTP_CONNECT_FAIL
FTP_CONNECT_FAIL        You failed to connect to the remote ftp server.
FTP_CONNECT_FAIL        All commands are still interpreted by the firewall.
BSRELAY_PASSIVETIMEOUT  0
----------------------------------------------------------------------

*********************************************************************
*                            bs.acl.conf                            *
*********************************************************************

Again, this is highly site-dependent and you should read the
Freestone manual pages for more information.

/etc/bs.acl.conf
----------------------------------------------------------------------
%%
SHIFT1 = (Mon-Fri/9-17)
%%
MLKD = (1/17/1994), (1/16/1995), (1/15/1996)
FOOL = (4/1/1994), (4/1/1995), (4/1/1996)
XMAS = (12/25/1994), (12/25/1995), (12/25/1996)
JULY4 = (7/4/1994), (7/4/1995), (7/4/1996)
LABDAY = (9/5/1994), (9/4/1995), (9/2/1996)
MEMDAY = (5/30/1994), (5/29/1995), (5/27/1996)
PRESDAY = (2/21/1994), (2/20/1995), (2/19/1996)
NEWYEAR = (1/3/1994), (1/2/1995), (1/1/1996)
COLUMBUS = (10/10/1994), (10/9/1995), (10/14/1996)
THANKSGIVING = (11/24/1994), (11/23/1995), (11/28/1996)
HOLIDAYS = *NEWYEAR, *MLKD, *PRESDAY, *FOOL, *MEMDAY, *JULY4, *LABDAY, *COLUMBUS, *THANKSGIVING, *XMAS
STD = -*HOLIDAYS, *ANY
%%
LOCALHOST = (127.0.0.1,255.255.255.255)
INTERNAL = *LOCALHOST
EXTERNAL = -*INTERNAL,*ANY
%%
X11 = (6000)
TEL = (telnet)
FTP = (ftp)
STD = *TEL, *FTP
%%
STD = (*SHIFT1,*STD,*ANY,*ANY,*ANY,*STD)
OUT = (*ANY,*ANY,*ANY,*ANY,*EXTERNAL,*STD)
%%
out = 1:PASS:"yourpasswordhere":*OUT:0:0:0:x:x:x:"Outgoing user"
-------------------------------------------------------------------------------

*********************************************************************
*                            RC scripts                             *
*********************************************************************

Most people will again need to customize these a great deal.  Indeed,
those with System V boxes may need to port them to a System V
approach (or perhaps modify inittab to take a BSD approach :-)

/etc/rc.local
----------------------------------------------------------------------
#
# This file was automagically generated by the host
# database system.  Do NOT NOT NOT edit this file.
# Changes should be made to the source.
#
PATH=/bin:/usr/bin:/usr/etc:/usr/ucb; export PATH

# Variables
DAEMON="/usr/local/bin/daemon -D -p 0"
FUNI="/bin/funi -u nobody -g nogroup"

# Syslog runs in chrooted environment
if [ -f /usr/local/BS/syslog/bin/syslogd ]; then
        echo 'starting system logger'
        chroot /usr/local/BS/syslog /bin/syslogd
fi

# Remove old swatch pid file before rc.link does something rash
if [ -f /usr/local/BS/watcher/tmp/.swatch++pid ]; then
        rm /usr/local/BS/watcher/tmp/.swatch++pid
fi

# Give everyone a syslog
sh /etc/rc.link

#
# Set up static routing
#
sh /etc/rc.route

# If we are a diskless client, synchronize time-of-day with the server.
#
if [ -f /usr/local/BS/ntp/usr/local/etc/ntpdate ]; then
        /usr/etc/chroot /usr/local/BS/ntp /usr/local/etc/ntpdate -b -t 2 -o 1 \
                `egrep '^server ' /usr/local/BS/ntp/etc/ntp.conf | awk '{print $2}'`
fi

if [ -f /usr/local/BS/ntp/usr/local/etc/xntpd ]; then
        chroot /usr/local/BS/ntp /usr/local/etc/tickadj -Aqs;
        $DAEMON chroot /usr/local/BS/ntp /usr/local/etc/xntpd;
        (echo -n ' ntpd') >/dev/console
fi

if [ -f /usr/local/BS/named/var/private/bin/named ]; then
        $DAEMON chroot /usr/local/BS/named /var/private/bin/named
        (echo -n ' named') > /dev/console
fi

#
# Sendmail--queue only
#
SENDMAILQ="/usr/lib/sendmail -q1h"
$DAEMON $FUNI $SENDMAILQ
$DAEMON $FUNI -c /usr/local/BS/mail $SENDMAILQ
$DAEMON $FUNI -c /usr/local/BS/watcher $SENDMAILQ

if [ -f /usr/local/BS/mail/bin/brequeued ]; then
        $DAEMON $FUNI -c /usr/local/BS/mail /bin/brequeued
        (echo -n ' mail relay') > /dev/console
fi

if [ -f /usr/local/BS/watcher/bin/swatch++ ]; then
        $DAEMON $FUNI -c /usr/local/BS/watcher /bin/swatch++ -fc /etc/bsmon.swatch++ /log/all
        (echo -n ' log watcher') > /dev/console
fi

(echo '.')

if [ -f /etc/rc.private ]; then
        sh /etc/rc.private
fi

exit 0
----------------------------------------------------------------------

/etc/rc.link
----------------------------------------------------------------------
#!/bin/sh
#
# Link/copy files that might change into chrooted environments
#
#
BASEDIR=/usr/local/BS
#
#
LOGDIR="proxy mail named ntp socks watcher"
VMUNI="ntp"

rm /dev/log
ln $BASEDIR/syslog/dev/log /dev/log

for f in $LOGDIR
do
        if [ -d $BASEDIR/$f/dev ]; then
                rm -f $BASEDIR/$f/dev/log
                ln $BASEDIR/syslog/dev/log $BASEDIR/$f/dev/log
        fi
done

# Copy vmunix to prevent reverse corruption
for f in $VMUNI
do
        if [ -d $BASEDIR/$f ]; then
                rm -f $BASEDIR/$f/bsd
                cp /bsd $BASEDIR/$f/bsd
        fi
done

# Link in kvm database
rm /usr/local/BS/ntp/var/run/kvm_bsd.db
ln /var/run/kvm_bsd.db /usr/local/BS/ntp/var/run

# Link in all-syslog
rm /usr/local/BS/watcher/log/all
ln /usr/local/BS/syslog/log/all /usr/local/BS/watcher/log/all
# Notify swatch++
if [ -f /usr/local/BS/watcher/tmp/.swatch++pid ]; then
        kill -1 `cat /usr/local/BS/watcher/tmp/.swatch++pid`
fi
----------------------------------------------------------------------

/etc/rc.route
----------------------------------------------------------------------
#!/bin/sh
#
# Static routing
#
route add default 45.61.0.1 1
----------------------------------------------------------------------
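rc.link above gives every chrooted daemon a working /dev/log by hard
linking the syslog jail's socket into each jail's dev directory, and
rc.local runs it after syslogd has started, since a freshly started syslogd
creates a new socket inode and any old link would then point at a dead one.
The following is an added example, not Freestone code: a Python check that
the links rc.link is supposed to make are actually in place, which is worth
running after boot or after restarting syslogd.  It assumes the BASEDIR
layout from rc.link (/usr/local/BS/<jail>/dev/log) and takes its jail list
from the LOGDIR string in the script; the status names are my own.

```python
"""Added example (not part of Freestone): verify that each chroot jail's
/dev/log is the same file (hard link, same device and inode) as the syslog
jail's socket, so chrooted daemons can still reach syslogd."""
import os
import sys

BASEDIR = "/usr/local/BS"                         # from rc.link
LOGDIR = "proxy mail named ntp socks watcher"     # from rc.link


def same_inode(a, b):
    """True when both paths resolve to the same device/inode pair."""
    try:
        sa, sb = os.stat(a), os.stat(b)
    except FileNotFoundError:
        return False
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def check_jail_logs(basedir=BASEDIR, jails=None):
    """Return {jail: status} with status one of (names are constructed here):
    'ok'      dev/log is a hard link to the syslog jail's socket
    'no-dev'  the jail has no dev directory, so rc.link skips it
    'missing' dev directory exists but has no log entry
    'stale'   dev/log exists but is a different inode (copy or leftover link)
    """
    if jails is None:
        jails = LOGDIR.split()
    master = os.path.join(basedir, "syslog", "dev", "log")
    report = {}
    for jail in jails:
        devdir = os.path.join(basedir, jail, "dev")
        if not os.path.isdir(devdir):
            report[jail] = "no-dev"
            continue
        link = os.path.join(devdir, "log")
        if not os.path.lexists(link):
            report[jail] = "missing"
        elif same_inode(master, link):
            report[jail] = "ok"
        else:
            report[jail] = "stale"
    return report


def all_ok(report):
    """True only when every jail that has a dev directory is correctly linked."""
    return all(status in ("ok", "no-dev") for status in report.values())


if __name__ == "__main__":
    result = check_jail_logs()
    for jail, status in sorted(result.items()):
        print("%-8s %s" % (jail, status))
    sys.exit(0 if all_ok(result) else 1)
```

A `stale` result is the case rc.link exists to prevent: the jail still has a
/dev/log, so the daemon inside will open it without complaint, but nothing
is listening on that inode and its messages silently disappear, which is
the last thing you want from a firewall's syslog.  The `no-dev` status is
reported rather than treated as an error because rc.link itself skips jails
without a dev directory.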