We have created a number of gateway/proxy entries for a service, for different clients. However, the behaviour is not as we expect. How can we check which entry gets used when a client attempts a connection?
Kill the authd daemon (by running 'zap authd'), and restart it with a line of the form 'authd -F /tmp/audit'. An audit trail of authd's rule checking will then be written to the file /tmp/audit.
How do I set up incoming proxies on my externally aliased IP addresses?
Note: These instructions apply to firewall versions 4.0.x (for all services) and 4.1.x if the service in question is not http, https, ftp, nntp or pop3. If you are using 4.1.x and one of these services, then you can set it up in the virtual domain screen.
Note also (for either 4.0.x or 4.1.x) that if you want this incoming proxy on your primary external IP address, you simply set up an incoming proxy in your TCP proxy screen, and do nothing else.
OK, but back to the external aliased address, there are 4 things to do:
- Bind another IP address to the external interface.
You do this inside the virtual domain settings inside fwadmin.
Go to a new (blank) page, and add the appropriate IP address in the space provided.
Save and exit.
- Check whether the service in question is in /etc/services.
You can just grep for the number, thusly: grep 1352 /etc/services
If the service is not listed in /etc/services, then you need to edit /usr/local/custom/services and add an entry for it.
You can either use a meaningful name or some garbage.
So, my /usr/local/custom/services could look like:
tcp1444 1444/tcp
irc 6667/tcp
In both fwadmin and in /usr/local/custom, you can now use the name that you've defined for the service.
- Set up your ipfw packet filters.
Firstly, you have to add packet filters to allow people on the internet to access the proxy.
This is done in /usr/local/custom/filters.
In this file, you would add two lines like:
ipfw add accept tcp from any to 10.10.10.5 5900
ipfw add accept tcp from 10.10.10.5 5900 to any
These two lines assume that the external aliased IP address is 10.10.10.5, and that the port in question is 5900.
Now, although we will have set this up in /usr/local/custom/services (as probably 'vnc'), in this filters file we actually enter the port number.
Secondly, if the relay service is on the DMZ (not the INSIDE), then we have to add one more line to filters, which allows the traffic from the server sitting on the DMZ to the firewall's DMZ interface. So:
ipfw add accept tcp from 192.168.100.7 80 to 192.168.100.1
This line assumes that the relay server is 192.168.100.7, that the relay port is port 80 (http), and that the firewall's DMZ interface is 192.168.100.1.
An exercise for the reader: If the relay server is on the INSIDE (as opposed to the DMZ), why don't we need to add that last filter line? Hint: try running 'ipfw list | less' on your firewall.
- Add the entry to /usr/local/custom/cdsinetd.conf.
This line will usually take up 3 normal screen lines. Consider:
10.10.10.5 proxy5900 stream tcp nowait root /usr/local/bin/genrelay genrelay -T 70 -t 300 -u nobody -d /usr/local/proxy -X -s 192.168.1.5 -ro -Bo proxy5900
This one is for an external interface of 10.10.10.5, going through to an internal server on 192.168.1.5; the port on the firewall (5900) is the same port as on the relay server.
If you want to use a different port on the relay server, you would use a line like:
10.10.10.6 proxy5900 stream tcp nowait root /usr/local/bin/genrelay genrelay -T 70 -t 300 -u nobody -d /usr/local/proxy -X -s 192.168.1.6 -ro -Bo -p 5555 proxy5900
Here the port changes from 5900 on the outside of the firewall to 5555 on the relay server.
A rule to decide whether to use fwadmin or /usr/local/custom for proxies:
If the _source_ of the proxy is either:
- an external aliased IP address
- a DMZ host
then use /usr/local/custom otherwise use fwadmin.
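As an added example (not part of this FAQ and not a CEQURUX tool), the shell function below turns the four steps above into text you can review before pasting it into the files under /usr/local/custom: the services entry, the two ipfw filter lines (three when the relay host is on the DMZ) and the cdsinetd.conf line, with -p added only when the relay port differs from the outside port. The function names, the proxyNNNN service naming and every address in the example run are assumptions.

```sh
#!/bin/sh
# Added example, not CEQURUX's own tooling: print the /usr/local/custom
# entries for an incoming proxy on an external aliased address so they can
# be reviewed before being pasted in. Nothing is written to the real files;
# every address and port used below is constructed.

# service_known PORT SERVICES_FILE: true when a NAME PORT/tcp entry exists.
# Anchored so that looking for 1352 does not also match 13520.
service_known() {
    grep -Eq "^[^#[:space:]]+[[:space:]]+$1/tcp([[:space:]]|\$)" "$2"
}

# incoming_proxy_config EXT_IP EXT_PORT RELAY_IP ZONE [RELAY_PORT] [FW_DMZ_IP]
#   ZONE is "inside" or "dmz". RELAY_PORT defaults to EXT_PORT; when it
#   differs, genrelay gets -p. A relay on the DMZ also needs the return
#   filter from the relay host to the firewall's DMZ interface (FW_DMZ_IP).
incoming_proxy_config() {
    ext_ip=$1; ext_port=$2; relay_ip=$3; zone=$4
    relay_port=${5:-$2}; fw_dmz_ip=$6
    svc="proxy$ext_port"

    case $zone in
        inside) ;;
        dmz) [ -n "$fw_dmz_ip" ] || { echo "dmz relay needs FW_DMZ_IP" >&2; return 1; } ;;
        *) echo "ZONE must be inside or dmz" >&2; return 1 ;;
    esac

    # Step 2: /usr/local/custom/services, NAME PORT/PROTO as for tcp1444 above
    printf '# /usr/local/custom/services\n%s %s/tcp\n' "$svc" "$ext_port"

    # Step 3: /usr/local/custom/filters takes port numbers, not service names
    printf '# /usr/local/custom/filters\n'
    printf 'ipfw add accept tcp from any to %s %s\n' "$ext_ip" "$ext_port"
    printf 'ipfw add accept tcp from %s %s to any\n' "$ext_ip" "$ext_port"
    if [ "$zone" = dmz ]; then
        printf 'ipfw add accept tcp from %s %s to %s\n' "$relay_ip" "$relay_port" "$fw_dmz_ip"
    fi

    # Step 4: /usr/local/custom/cdsinetd.conf, one long line
    pflag=""
    [ "$relay_port" != "$ext_port" ] && pflag=" -p $relay_port"
    printf '# /usr/local/custom/cdsinetd.conf\n'
    printf '%s %s stream tcp nowait root /usr/local/bin/genrelay genrelay -T 70 -t 300 -u nobody -d /usr/local/proxy -X -s %s -ro -Bo%s %s\n' \
        "$ext_ip" "$svc" "$relay_ip" "$pflag" "$svc"
}

# Example run: relay on the inside, outside port 5900 to 5555 on the server
incoming_proxy_config 10.10.10.6 5900 192.168.1.6 inside 5555
```

Run it once per proxy and compare the output with what you have in the three files; the DMZ variant refuses to run without the firewall's DMZ address, since that third filter line is exactly the one that is easy to forget.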
What do I have to do to be able to use the Napster client for Windows?
This is a simple matter of setting up TCP Gateways for the following ports:
6699, 7777, 8875 and 8888
Remember also to set 'Allow outgoing ICMP' to 'YES' if you want to see response times from other Napster users.
How do I configure Mirabilis ICQ to work from behind the firewall?
Using https via the Squid caching proxy:
- On the Firewall:
- Add a 'TCP proxy' entry for port 5190 (ICQ default). This creates a 'permission' entry allowing the internal host to request the Squid proxy to connect to that port.
NOTE: This is not a 'real' TCP proxy. The Firewall interprets it as a permission for Squid.
You may in fact use any port number you like - the ICQ server accepts connections on any port.
If you do not wish to use a non-standard port then make sure that you have a 'permission' entry for https.
- In ICQ preferences:
- In connection settings, 'Server' section: Check that the ICQ server's port matches that of the permission entry (5190 usually the default). Set 'use firewall' and select 'HTTPS' for proxy.
If you didn't specify a non-standard port, but are using a normal https permission entry, then the port setting will be 443.
- In 'Firewall' section, set address to firewall's internal IP address. Set port to Squid proxy port.
- Select type as 'HTTPS'. Set Authentication if necessary, otherwise disable it.
- Select 'Use proxy to resolve hostnames'.
Using a TCP gateway:
- On the Firewall:
- Add a TCP gateway for port 5190 (ICQ default)
You may in fact use any port number you like - the ICQ server accepts connections on any port.
- In ICQ preferences:
- In connection settings, 'Server' section: Check that the ICQ server's port matches that of the TCP gateway (5190 usually the default). Set 'proxy settings' to 'not using a firewall'.
How do I configure the firewall for MSN Messenger?
On the Firewall: Add a TCP gateway for port 1863
Several features of the MSN messenger such as "Talk" and file transfer do not work from behind the firewall because the messenger client incorrectly assumes it has a direct connection to the remote end, when in fact, the client machine's IP address is subject to NAT (Network Address Translation).
If you are using the caching web proxy on the Firewall, the MSN messenger can be configured to connect through it, but you will still not be able to use the features mentioned above.
How do I configure AOL Instant Messenger to work from behind the firewall?
The configuration for AOL Instant Messenger is much the same as that for Mirabilis ICQ.
Using https via the Squid caching proxy:
- On the Firewall:
- Add a 'TCP proxy' entry for port 5190 (A.I.M default). This creates a 'permission' entry allowing the internal host to request the Squid proxy to connect to that port.
NOTE: This is not a 'real' TCP proxy. The Firewall interprets it as a permission for Squid.
You may in fact use any port number you like - the A.I.M server accepts connections on any port.
If you do not wish to use a non-standard port then make sure that you have a 'permission' entry for https.
- In A.I.M preferences:
- In connection settings, 'Server' section: Check that the A.I.M server's port matches that of the permission entry (5190 usually the default).
If you didn't specify a non-standard port, but are using a normal https permission entry, then the port setting will be 443.
- Set 'use proxy' and select 'HTTPS' for protocol.
- In 'Proxy Server' section, set address to firewall's internal IP address. Set port to Squid proxy port.
- Set Authentication if necessary. You may wish to check 'Keep connection alive'.
Using a TCP gateway:
- On the Firewall:
- Add a TCP gateway for port 5190 (A.I.M default)
You may in fact use any port number you like - the A.I.M server accepts connections on any port.
- In A.I.M preferences:
- In connection settings, 'Server' section: Check that the A.I.M server's port matches that of the TCP gateway (5190 usually the default). Disable 'Connect using a proxy server'.
How do I configure the Firewall for RealPlayer?
On the firewall, add one outgoing TCP gateway for service 7070 (realaudio) and one for service 554.
Now you will need to configure the RealPlayer client as follows:
The following steps are the same for the Windows and the Linux client.
- Click on 'View', then 'Preferences'
- Select the 'Transport' tab and click on the 'Use specified transport' option.
- Click on the 'RTSP settings' button and select 'Use TCP to connect to server'
- Under this option, enable only 'Attempt to use TCP for all content' and then click 'OK'
- Click on the 'PNA settings' button and select 'Use TCP to connect to server'
- Under this option, enable only 'Attempt to use TCP for all content' and then click 'OK'
Tweak the other settings to your own preference and once you are done, click the 'OK' button to effect the changes.
What about creating proxies that start from the DMZ?
No proxies are supposed to start in the DMZ, and hence you cannot configure this with fwadmin or remadmin.
The reason is that, should a cracker compromise your DMZ server, he could then use this DMZ proxy to attack the internal servers.
If you really think that you need one, however, here's how to do it:
Assume the following:
The DMZ host's IP address is A, the firewall's DMZ interface IP
address is B, the firewall's internal/external address is C, the internal/external relay host address is D and the port to be used is E.
Whether you specify the firewall's internal or external address for C will depend on whether the relay host address (D) is on the inside or the outside of the firewall.
Edit /usr/local/custom/services and enter a line reading:
proxy(E) (E)/tcp
where (E) is replaced by the actual digits making up the port number.
Edit /usr/local/custom/cdsinetd.conf and enter the line:
(B) proxy(E) stream tcp nowait root /usr/local/bin/genrelay genrelay -Bo -T 20 -u nobody -d /usr/local/proxy -t 300 -X -s (D) proxy(E)
where (E) is replaced by the actual digits making up the port number and (B) and (D) are IP addresses.
Lastly, edit /usr/local/custom/filters and enter the 3 lines:
ipfw add allow tcp from (A) to (B) (E)
ipfw add allow tcp from (B) (E) to (A)
ipfw add allow tcp from (D) (E) to (C)
where (E) is replaced by the actual digits making up the port number and (A),(B) and (D) are IP addresses.
Example:
I want to create an ftp proxy that will allow a machine on the DMZ to ftp to a host on the outside.
Let's assume that my DMZ host's address is 10.20.30.20, my firewall's DMZ interface is 10.20.30.10, the external host is 196.30.227.197 and my firewall's external interface is 200.100.1.20.
Looking at /etc/services, services already exist that are mapped to ftp, namely 20 and 21, so I don't need to edit /usr/local/custom/services.
Editing /usr/local/custom/cdsinetd.conf, I add the following line:
10.20.30.10 ftp stream tcp nowait root /usr/local/bin/pxftp pxftp -X -ri -Bi -u root -s 196.30.227.197
Note that I used pxftp instead of genrelay. This is because genrelay only understands a single port, while the ftp protocol uses a pair. For complicated protocols, genrelay will not work.
Now I edit /usr/local/custom/filters and insert the following:
ipfw add allow tcp from 10.20.30.20 to 10.20.30.10 20
ipfw add allow tcp from 10.20.30.10 20 to 10.20.30.20
ipfw add allow tcp from 196.30.227.197 20 to 200.100.1.20
ipfw add allow tcp from 10.20.30.20 to 10.20.30.10 21
ipfw add allow tcp from 10.20.30.10 21 to 10.20.30.20
ipfw add allow tcp from 196.30.227.197 21 to 200.100.1.20
Run fwadmin -A and that should be it!
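The three filter lines per port are easy to get out of step with the cdsinetd.conf entries as proxies are added over time. As an added example (not part of this FAQ and not a CEQURUX tool), the script below reads a cdsinetd.conf fragment, a filters fragment and a services fragment in the formats used above and reports any of the three required lines that is absent for each DMZ-originated proxy. The sample files it writes are constructed: the ftp example from this section plus a second, deliberately incomplete genrelay entry (proxy2025 to 196.30.227.200, an assumed address).

```sh
#!/bin/sh
# Added example, not part of the CEQURUX FAQ or product: cross-check a
# cdsinetd.conf fragment against a filters fragment and report any of the
# three filter lines the recipe above requires that is absent (client to the
# firewall's DMZ address on the proxy port, the reply direction, and the
# relay host's replies to the firewall). Sample contents are constructed.

# resolve_ports NAME SERVICES_FILE: TCP port(s) for a service name. ftp is
# special-cased because the protocol needs 20 and 21 (why the page uses pxftp).
resolve_ports() {
    case $1 in
        ftp) echo "20 21" ;;
        *) awk -v n="$1" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2 }' "$2" ;;
    esac
}

# opt_arg FLAG ARGS: the word following FLAG in ARGS (e.g. the host after -s)
opt_arg() {
    printf '%s\n' "$2" | awk -v f="$1" '{ for (i = 1; i < NF; i++) if ($i == f) print $(i + 1) }'
}

# re_ip IP: escape dots so the address is matched literally by grep -E
re_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check_dmz_proxies CDSINETD_FILE FILTERS_FILE SERVICES_FILE
# Prints one MISSING line per absent rule; returns 0 only when nothing is missing.
check_dmz_proxies() {
    conf=$1; filters=$2; services=$3; missing=0
    while read -r bind_ip svc rest; do
        case $bind_ip in ''|'#'*) continue ;; esac
        relay=$(opt_arg -s "$rest"); rport=$(opt_arg -p "$rest")
        b=$(re_ip "$bind_ip"); r=$(re_ip "$relay")
        ports=$(resolve_ports "$svc" "$services")
        [ -n "$ports" ] || { echo "MISSING: service $svc is not defined in $services"; missing=$((missing + 1)); continue; }
        for port in $ports; do
            rp=${rport:-$port}   # the relay port differs from the proxy port only with -p
            grep -Eq "^ipfw add (allow|accept) tcp from ([0-9.]+|any) to $b $port\$" "$filters" ||
                { echo "MISSING: ipfw add allow tcp from <dmz-host> to $bind_ip $port"; missing=$((missing + 1)); }
            grep -Eq "^ipfw add (allow|accept) tcp from $b $port to ([0-9.]+|any)\$" "$filters" ||
                { echo "MISSING: ipfw add allow tcp from $bind_ip $port to <dmz-host>"; missing=$((missing + 1)); }
            grep -Eq "^ipfw add (allow|accept) tcp from $r $rp to [0-9.]+\$" "$filters" ||
                { echo "MISSING: ipfw add allow tcp from $relay $rp to <firewall-address>"; missing=$((missing + 1)); }
        done
    done < "$conf"
    [ "$missing" -eq 0 ]
}

# make_sample_dir: write constructed copies of the three files (the page's ftp
# example plus a second, incomplete genrelay proxy) and print the directory.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/services" <<'EOF'
ftp 21/tcp
proxy2025 2025/tcp
EOF
    cat > "$d/cdsinetd.conf" <<'EOF'
10.20.30.10 ftp stream tcp nowait root /usr/local/bin/pxftp pxftp -X -ri -Bi -u root -s 196.30.227.197
10.20.30.10 proxy2025 stream tcp nowait root /usr/local/bin/genrelay genrelay -Bo -T 20 -u nobody -d /usr/local/proxy -t 300 -X -s 196.30.227.200 -p 25 proxy2025
EOF
    cat > "$d/filters" <<'EOF'
ipfw add allow tcp from 10.20.30.20 to 10.20.30.10 20
ipfw add allow tcp from 10.20.30.10 20 to 10.20.30.20
ipfw add allow tcp from 196.30.227.197 20 to 200.100.1.20
ipfw add allow tcp from 10.20.30.20 to 10.20.30.10 21
ipfw add allow tcp from 10.20.30.10 21 to 10.20.30.20
ipfw add allow tcp from 196.30.227.197 21 to 200.100.1.20
ipfw add allow tcp from 10.20.30.20 to 10.20.30.10 2025
ipfw add allow tcp from 10.20.30.10 2025 to 10.20.30.20
EOF
    echo "$d"
}

d=$(make_sample_dir)
check_dmz_proxies "$d/cdsinetd.conf" "$d/filters" "$d/services" && echo "filters complete"
```

On the sample files the ftp entry passes and the proxy2025 entry is reported as missing its relay-return line (from 196.30.227.200 port 25 to the firewall), which is the line the recipe's third ipfw rule covers. Point it at your own /usr/local/custom files once fwadmin -A has been run.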
What if I want proxies starting from a second DMZ with a fourth network interface?
This is not a supported feature, therefore some customisation will need to be done.
Firstly the network interface will need to be configured as follows:
As root user on the firewall, type the following command:
dmesg | less
This should display some system information within a pager. Use the up/down cursor keys
or the PgUp/PgDn keys to find the fourth network interface.
The dmesg lines will look something like this:
ed3 <NE2000 PCI Ethernet (RealTek 8029)> rev 0 int a irq 11 on pci0:9:0
ed3: address 00:c0:df:ee:b5:a7, type NE2000 (16 bit)
ed4 <NE2000 PCI Ethernet (RealTek 8029)> rev 0 int a irq 10 on pci0:10:0
ed4: address 00:00:21:f8:c2:ee, type NE2000 (16 bit)
ed5 <NE2000 PCI Ethernet (RealTek 8029)> rev 0 int a irq 12 on pci0:11:0
ed5: address 00:00:21:fa:73:b9, type NE2000 (16 bit)
ed6 <NE2000 PCI Ethernet (RealTek 8029)> rev 0 int a irq 5 on pci0:12:0
ed6: address 00:00:21:f0:a6:88, type NE2000 (16 bit)
In the above example, ed6 is the fourth network interface.
Press the q key to quit the pager.
Now edit the file /usr/local/custom/rc.conf and insert two lines as per the
following example:
network_interfaces="ed6 ed4 ed5 ed3 lo0"
ifconfig_ed6="inet 10.20.30.1 netmask 255.255.255.0 up"
NOTE: Do not forget the lo0 entry in the network_interfaces line; it is
the loopback device.
In the above example, 10.20.30.1 is the second DMZ address. Remember to replace
relevant sections with values applicable to your firewall.
The above rc.conf entries will only take effect upon reboot, so in order to bring
the interface up immediately, use the following example command:
ifconfig ed6 10.20.30.1 netmask 255.255.255.0
In order to verify the configuration, the ifconfig -a command may be given.
The relevant response line should look something like this:
ed6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.20.30.1 netmask 0xffffff00 broadcast 10.20.30.255
ether 00:00:21:f0:a6:88
Make sure that you see the words UP,BROADCAST,RUNNING and that the address and netmask
are correct.
Now to set up the relevant filters and cdsinetd entries.
In the example entries that will follow, we have used a relay from port 2025 on the
firewall's second DMZ interface to an external host on port 25.
You will need to modify the examples to suit your application.
For our relay port, we are using a non-existent service of 2025, therefore we must
create an entry in /usr/local/custom/services as follows:
myservice 2025/tcp
Edit /usr/local/custom/filters and insert lines as per the following example:
ipfw add allow icmp from any to 10.20.30.1
ipfw add allow icmp from 10.20.30.1 to any
ipfw add allow tcp from any to 10.20.30.1 2025
ipfw add allow tcp from 10.20.30.1 2025 to any
ipfw add allow tcp from 192.96.22.18 25 to 192.96.22.27
In the above example, the firewall's external interface is 192.96.22.27 and the external host
that the proxy will relay to is 192.96.22.18 and the port that will be relayed to is 25.
The icmp entries are only necessary if you wish to be able to ping outwards from hosts
behind the second DMZ interface.
Now for the cdsinetd setup. Insert a line as per the following example into
/usr/local/custom/cdsinetd.conf
10.20.30.1 myservice stream tcp nowait root /usr/local/bin/genrelay genrelay -X -ro -Bo -T 70 -u nobody -d /usr/local/proxy -t 300 -s 192.96.22.18 -p 25 myservice
Remember to substitute myservice, 192.96.22.18 and -p 25 with values applicable to your
configuration.
The final step is now to run fwadmin -A to regenerate configuration files and restart
the inetd service.
What must I do to make Kerberos5 work with the KDC and server applications outside the firewall and the client applications on the inside?
You will need to install the latest version of MIT Kerberos5 (version 1.2.1) or Heimdal Kerberos5 (version 0.3a).
See the MIT Kerberos5 home page and the Heimdal Kerberos5 home page for details.
You will also need to run the 'kinit' command with a '-A' flag (MIT) or '--anonymous' in the case of the Heimdal version to request an address-less ticket.
What if I really need UDP proxies?
In CEQURUX v4.3, this will be a standard feature, so most customers will just wait for it.
In v4.3, these 'UDP proxies' will be configured in the usual way from fwadmin or remadmin.
If, however, you have a special need for this, and can't wait the remaining weeks for v4.3, there is a possibility of implementing this on v4.1.x.
Firstly mail support@cequrux.com explaining why you need it.
Once you have the udprelay binary, read these installation instructions.
How do I allow browsing access for machines on the DMZ?
In order to make this work, you must have the caching web proxy on the Firewall enabled.
The following instructions require that you edit some files on the Firewall.
To do this, you will need to be logged in as root on the firewall's console, or via SSH.
For these instructions, a DMZ interface IP address of 192.168.2.10 and a caching proxy TCP port of 3128 are used.
Please remember to substitute these with the correct values for your system.
- Edit (or create) /usr/local/custom/cdsinetd.conf and add a line similar to the following:
192.168.2.10 www stream tcp nowait root /usr/local/bin/logwww logwww -ri -Bi -l -H http
- Edit (or create) /usr/local/custom/filters and add a line similar to the following:
ipfw add accept tcp from any to 192.168.1.17 3128
Don't forget to substitute the IP address and port with your values.
- Run fwadmin -A to effect the changes.
- You will now just need to configure client applications on DMZ machines
to use the proxy server by pointing them to the DMZ interface IP address
and the relevant port.
How do I bind another IP address to the DMZ interface?
Firstly work out what the interface name of the DMZ interface is.
You can do this with an ifconfig -a.
Suppose that the interface name is 'fxp0' and the new IP address you want to add is 172.16.4.253.
What you would then do, is to edit /usr/local/custom/rc.conf and add the following line:
ifconfig_fxp0_alias1="172.16.4.253 netmask 255.255.255.255"
Note that you must always use a netmask of 255.255.255.255, regardless
of what the real netmask is in that network.
Notice also the letters 'fxp0' near the beginning of that line; that is the interface name you worked out above.
After you have finished saving and exiting, all you need do now is reboot the firewall.
Once it has finished booting, type ifconfig -a and check that the IP address is bound to the correct interface (fxp0 in our example above).
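Both this answer and the second-DMZ answer above end with an rc.conf edit that only takes effect at reboot, followed by a manual look at ifconfig -a. As an added example (not part of this FAQ and not a CEQURUX tool), the script below checks an rc.conf before the reboot (lo0 still listed, an ifconfig_ line for every interface named, every alias using the 255.255.255.255 netmask) and then confirms from saved ifconfig -a output that a given interface is UP,BROADCAST,RUNNING with the intended address. The function names and the sample rc.conf and ifconfig contents are constructed.

```sh
#!/bin/sh
# Added example, not CEQURUX's own tooling: sanity-check the rc.conf edits
# described in the fourth-interface and DMZ-alias answers before rebooting,
# and confirm from ifconfig -a output that an interface came up with the
# intended address. Sample rc.conf and ifconfig contents are constructed.

# rc_value FILE NAME: the quoted value of NAME="..." (last one wins; empty if absent)
rc_value() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_rc_conf FILE: report problems with network_interfaces, per-interface
# ifconfig_* lines and alias netmasks; returns 0 only when none are found.
check_rc_conf() {
    f=$1; bad=0
    ifaces=$(rc_value "$f" network_interfaces)
    [ -n "$ifaces" ] || { echo "PROBLEM: no network_interfaces line"; return 1; }
    # the loopback device must stay in the list
    case " $ifaces " in
        *" lo0 "*) ;;
        *) echo "PROBLEM: lo0 missing from network_interfaces"; bad=$((bad + 1)) ;;
    esac
    for i in $ifaces; do
        [ "$i" = lo0 ] && continue
        [ -n "$(rc_value "$f" "ifconfig_$i")" ] ||
            { echo "PROBLEM: no ifconfig_$i line for $i"; bad=$((bad + 1)); }
    done
    # every alias must use a 255.255.255.255 netmask, whatever the real one is
    for a in $(sed -n 's/^\(ifconfig_[a-z0-9]*_alias[0-9]*\)=.*/\1/p' "$f"); do
        case "$(rc_value "$f" "$a")" in
            *"netmask 255.255.255.255"*) ;;
            *) echo "PROBLEM: $a must use netmask 255.255.255.255"; bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# iface_is_up FILE IFACE IP: FILE holds ifconfig -a output; true when IFACE
# shows UP,BROADCAST,RUNNING and carries IP.
iface_is_up() {
    block=$(awk -v i="$2:" '$1 == i { p = 1; print; next } /^[a-z]/ { p = 0 } p' "$1")
    printf '%s\n' "$block" | head -n 1 | grep -q 'flags=[0-9a-f]*<UP,BROADCAST,RUNNING' || return 1
    printf '%s\n' "$block" | grep -q "^[[:space:]]*inet $3 "
}

# make_samples: write a good rc.conf, a bad one and an ifconfig -a capture
# (all constructed) into a temporary directory and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/rc.conf.good" <<'EOF'
network_interfaces="ed6 ed4 ed5 ed3 lo0"
ifconfig_ed6="inet 10.20.30.1 netmask 255.255.255.0 up"
ifconfig_ed4="inet 192.168.1.1 netmask 255.255.255.0 up"
ifconfig_ed5="inet 192.168.100.1 netmask 255.255.255.0 up"
ifconfig_ed3="inet 200.100.1.20 netmask 255.255.255.0 up"
ifconfig_ed5_alias1="172.16.4.253 netmask 255.255.255.255"
EOF
    cat > "$d/rc.conf.bad" <<'EOF'
network_interfaces="ed6 ed4 ed5 ed3"
ifconfig_ed4="inet 192.168.1.1 netmask 255.255.255.0 up"
ifconfig_ed5="inet 192.168.100.1 netmask 255.255.255.0 up"
ifconfig_ed3="inet 200.100.1.20 netmask 255.255.255.0 up"
ifconfig_ed5_alias1="172.16.4.253 netmask 255.255.255.0"
EOF
    cat > "$d/ifconfig.txt" <<'EOF'
ed5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
    ether 00:00:21:fa:73:b9
ed6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.20.30.1 netmask 0xffffff00 broadcast 10.20.30.255
    ether 00:00:21:f0:a6:88
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
EOF
    echo "$d"
}

d=$(make_samples)
check_rc_conf "$d/rc.conf.good" && echo "rc.conf.good: OK"
check_rc_conf "$d/rc.conf.bad" || echo "rc.conf.bad: problems found"
iface_is_up "$d/ifconfig.txt" ed6 10.20.30.1 && echo "ed6 is up with 10.20.30.1"
```

The bad sample trips all three checks (no lo0, no ifconfig_ed6 line, an alias with the real netmask instead of 255.255.255.255). On the firewall itself, run check_rc_conf against /usr/local/custom/rc.conf before rebooting, and after the reboot feed 'ifconfig -a' output to iface_is_up with the interface and address you expect.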
The End.