Part II: Gaining Access and Securing the Gateway
How to Build a Firewall

This is accomplished by editing the /etc/services file and changing it to be something similar to the following:

    telnet      23/tcp
    telnet-a    2023/tcp

These changes are only effective after /etc/inetd.conf has been changed to reflect the configuration shown here:

    telnet    stream  tcp  nowait  root  /usr/local/etc/tn-gw   tn-gw
    telnet-a  stream  tcp  nowait  root  /usr/local/etc/netacl  telnetd

When an incoming connection is received on the telnet port with this configuration, the tn-gw application is started. When tn-gw receives a request, it first verifies that the requesting host is permitted to connect to the proxy. Access to the proxy is determined by the rules established in the netperm-table. These rules resemble those seen previously for the netacl application. However, there are application-specific parameters. The rule clauses for tn-gw are listed in table 7.3.

Table 7.3  tn-gw Rules and Clauses

    Option                  Description

    userid user             Specify a numeric user-id or the name of a password file entry.
                            If this value is specified, tn-gw will set its user-id before
                            providing service.

    directory pathname      Specifies a directory to which tn-gw will chroot(2) prior to
                            providing service.

    prompt string           Specifies a prompt for tn-gw to use while it is in command mode.

    denial-msg filename     Specifies the name of a file to display to the remote user if he
                            or she is denied permission to use the proxy. If this option is
                            not set, a default message is generated.

    timeout seconds         Specifies the number of seconds of idleness after which the proxy
                            should disconnect. Default is no timeout.

    welcome-msg filename    Specifies the name of a file to display as a welcome banner upon
                            successful connection. If this option is not set, a default
                            message is generated.

    help-msg filename       Specifies the name of a file to display if the help command is
                            issued. If this option is not set, a list of the internal
                            commands is printed.

    denydest-msg filename   Specifies the name of a file to display if a user attempts to
                            connect to a remote server for which he or she is not authorized.
                            If this option is not set, a default message is generated.

    authserver hostname     Specifies the name or address of a system to use for network
      [portnumber           authentication. If tn-gw is built with a compiled-in value for
      [cipherkey]]          the server and port, these values will be used as defaults but
                            can be overridden if specified in the authserver rule. If support
                            for DES-encryption of traffic is present in the server, an
                            optional cipherkey can be provided to secure communications with
                            the server.

    hosts host-pattern      Rules specify host and access permissions.
      [host-pattern2 ...]
      [options]

The initial configuration for the tn-gw application is shown here.

    tn-gw: denial-msg  /usr/local/etc/tn-deny.txt
    tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
    tn-gw: help-msg    /usr/local/etc/tn-help.txt
    tn-gw: timeout     3600
    tn-gw: permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok

Note: If any of the files identified in the denial-msg, welcome-msg, help-msg, or denydest-msg clauses are missing, the connection will be dropped as soon as a request is made for that file.

This configuration informs users when they are or are not allowed to connect to the proxy server, and when connections are denied due to their destination. The timeout line indicates how long the telnet connection can be idle before the firewall will terminate it. The last line establishes an access rule to the tn-gw application. This rule and the optional parameters are discussed shortly. A sample connection showing the host denial message is shown as follows:

    $ telnet pc
    Connecting to pc.
    **** ATTENTION ****
    Your attempt to use this server's telnet proxy is not permitted due to
    organizational security policies. Your connection attempt has been logged
    and recorded.
    Use of the telnet proxy Service on this machine is restricted to specific sites.
    If you believe that you are an authorized site, please contact Jon Smith
    at 555-1212 ext 502, or e-mail to ftpadmin@org.com.
    Connection closed by foreign host
    $

If the host is permitted to converse with the tn-gw application, tn-gw enters a command loop where it accepts commands to connect to remote hosts. The commands available within the tn-gw shell are listed in table 7.4.

Table 7.4  tn-gw Commands

    Command                       Description

    c[onnect] hostname [port]     Connects to a remote host. Access to the remote host may be
    telnet hostname [port]        denied based on a host destination rule.
    open

    x[-gw] [display/hostname]     This command invokes the X Windows gateway for a connection
                                  to the user's display. By default, the display name is the
                                  connecting machine followed by :0.0, as in pc.myorg.com:0.
                                  The x-gw command is discussed later in this chapter.

    help                          Displays a user-definable help file.
    ?

    quit                          Exits the gateway.
    exit
    close

Connecting through the Telnet Proxy

When a permitted host connects to the proxy, it is greeted by the contents of the welcome file configured in the tn-gw options and by a prompt. At the prompt, tn-gw expects to receive one of the commands listed in table 7.4. When the connect request is made, the access rules are applied to the destination host to confirm that a connection to that host is permitted. If the connection is permitted, the connection is made. A successful connection is shown as follows:

    Welcome to the URG Firewall Telnet Proxy
    Supported commands are
        c[onnect] hostname [port]
        x-gw
        help
        exit
    To report problems, please contact Network Security Services at 555-1212 or
    by e-mail at security@org.com
    Enter Command>c sco.sco.com
    Not permitted to connect to sco.sco.com
    Enter Command>c nds.fonorola.net
    Trying 204.191.124.252 port 23.
    SunOS Unix (nds.fonorola.net)
    login:

In this output you can see that a telnet connection is established to the firewall, from which the tn-gw application is started. The user first attempts to contact sco.sco.com, which is denied. A second connection request to nds.fonorola.net is then permitted. This sequence begs the question: what's the difference? The answer is that host destination rules are in force. This means that a given system may be blocked through options on the host command in the tn-gw rules.

Host Access Rules

The host rules that permit and deny access to the telnet proxy can be modified by a number of additional options, or rules that have other host access permissions. As seen in table 7.3, the host rules are stated:

    tn-gw: deny-hosts unknown
    tn-gw: hosts 192.33.112.* 192.94.214.*

These statements indicate that hosts that cannot be found in the DNS in-addr.arpa domain are unknown, and therefore denied, or that hosts connecting from the networks 192.33.112 and 192.94.214 are allowed to connect to the proxy. Optional parameters, which begin with a hyphen, further restrict the hosts that can connect to the proxy, or where the remote host can connect to behind the firewall
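The rule evaluation described in this section (a host rule decides whether the client may use the proxy at all, and the rule's -dest patterns then decide which destinations it may reach) can be checked offline before the netperm-table is deployed. The following is an added example written for this page, not code from the FWTK distribution or from the book: it parses the tn-gw clauses shown above, combined into one constructed netperm-table, and reproduces the two outcomes from the sample session (sco.sco.com refused, nds.fonorola.net allowed). The matching semantics are assumptions and deliberately simplified: the first host rule that matches the client wins, "unknown" matches a client with no in-addr.arpa name, -dest patterns are tried in order with the first match deciding and a leading "!" meaning deny, and a client matched by no rule is denied.

```python
"""Toy evaluator for tn-gw host/destination access rules (added example)."""
import fnmatch

# Constructed sample netperm-table: the tn-gw lines quoted in the chapter,
# gathered into one file. Message and timeout clauses are kept to show
# that the parser ignores them when deciding access.
NETPERM_TABLE = """\
tn-gw: denial-msg  /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg    /usr/local/etc/tn-help.txt
tn-gw: timeout     3600
tn-gw: deny-hosts unknown
tn-gw: permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok
tn-gw: hosts 192.33.112.* 192.94.214.*
"""

# Assumed: a bare "hosts" clause permits, like "permit-hosts".
ACCESS_CLAUSES = {"permit-hosts": "permit", "hosts": "permit", "deny-hosts": "deny"}


def parse_rules(text):
    """Return the tn-gw access rules in file order.

    Each rule records its action, host patterns, ordered -dest patterns and
    any remaining flags (-passok, -xok, ...). Non-access clauses are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, blanks
        if not line:
            continue
        app, sep, rest = line.partition(":")
        if not sep or app.strip() != "tn-gw":       # only tn-gw clauses matter here
            continue
        tokens = rest.split()
        if not tokens or tokens[0] not in ACCESS_CLAUSES:
            continue
        rule = {"action": ACCESS_CLAUSES[tokens[0]], "hosts": [], "dest": [], "flags": set()}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-dest" and i + 1 < len(tokens):
                rule["dest"].append(tokens[i + 1])   # -dest takes one pattern argument
                i += 2
            elif tok.startswith("-"):
                rule["flags"].add(tok)               # option flags such as -passok, -xok
                i += 1
            else:
                rule["hosts"].append(tok)            # anything else is a host pattern
                i += 1
        rules.append(rule)
    return rules


def host_matches(pattern, ip, hostname):
    """Match one host pattern against the client's address or reverse-DNS name.

    Assumed semantics: "unknown" matches a client with no in-addr.arpa name
    (hostname is None); other patterns are shell-style wildcards tried
    against the address and, if present, the name.
    """
    if pattern == "unknown":
        return hostname is None
    if fnmatch.fnmatchcase(ip, pattern):
        return True
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def check(rules, ip, hostname, dest):
    """Decide whether client (ip, hostname) may connect through tn-gw to dest.

    Returns (allowed, reason). First matching host rule wins; inside a permit
    rule the -dest patterns are tried in order and the first match decides,
    with a leading "!" denying. No matching rule means deny (assumed default).
    """
    for rule in rules:
        if not any(host_matches(p, ip, hostname) for p in rule["hosts"]):
            continue
        if rule["action"] == "deny":
            return False, "client denied by deny-hosts rule"
        for pat in rule["dest"]:
            negate = pat.startswith("!")
            if fnmatch.fnmatchcase(dest.lower(), pat.lstrip("!").lower()):
                if negate:
                    return False, f"destination {dest} denied by -dest {pat}"
                return True, f"destination {dest} permitted by -dest {pat}"
        if rule["dest"]:
            return False, "no -dest pattern matched destination"
        return True, "client permitted; rule has no destination restriction"
    return False, "no host rule matches client"


RULES = parse_rules(NETPERM_TABLE)

if __name__ == "__main__":
    # Constructed clients: an inside PC, a host with no reverse DNS, a second subnet.
    for ip, name, dest in [("204.191.3.10", "pc.myorg.com", "sco.sco.com"),
                           ("204.191.3.10", "pc.myorg.com", "nds.fonorola.net"),
                           ("10.9.8.7", None, "nds.fonorola.net"),
                           ("192.33.112.4", "ws.example.org", "sco.sco.com")]:
        print(f"{ip} ({name}) -> {dest}: {check(RULES, ip, name, dest)}")
```

The order of the -dest patterns is what makes the rule work: "*.fonorola.net" is tested before "!*", so the catch-all deny only reaches destinations the explicit permit did not claim. Reversing the two would deny everything, which is the kind of mistake this sort of dry run catches before the table goes live.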