Next: Hardware and Software Components Up: Architecture Previous: Cryptographic Standards

Supported Services

The core services provided by the firewall, to which all internal hosts have access, are DNS (Domain Name System), SMTP mail, and ICMP echo (that is, ping). SMTP mail is also accessible from any external host, unless the host's address is specifically blocked. The DNS service will usually be accessible from all external hosts as well, but this depends upon the configuration. ICMP echo is not accessible from outside: echo requests from external hosts are dropped, and the only inbound echo traffic accepted is echo replies addressed to the firewall itself (that is, replies to the firewall's own pings).

The firewall allows several publicly accessible services to be run on the firewall itself, or on hosts on the internal net, or in a third `demilitarised zone' network (DMZ). If the services are not run on the firewall itself, the firewall will run TCP proxies for the services, and relay requests to the appropriate internal or DMZ hosts. Public services executed on the firewall itself are run in a chrooted environment. These public services are:

Anonymous FTP
  Files can be uploaded to or downloaded from the /pub directory on the firewall if this service is enabled. This service can be restricted to download only, and limits can be placed on the amount of space that can be used for uploads.

World Wide Web
  The firewall can run a Web server and host your organisation's home pages. The firewall also supports `virtual WWW domains'; that is, the firewall can act as a proxy public web server for more than one domain.

Gopher
  A publicly accessible gopher server can be enabled.

WAIS
  A publicly accessible Wide Area Information Service server (for document searches) can be enabled.

Unless the data on your public servers rarely changes, it is preferable to run these services on servers in the DMZ network, as it means those responsible for updating the information need not have login access to the firewall.

The firewall also supports several services specifically to allow remote administration. These are:

Telnet
  Telnet access to the firewall itself on some specified port can be allowed to a single user (called the `trusted friend'; see Section 4.14). Access is restricted to a designated set of hosts and authenticated with a one-time password. It is recommended that it be disabled when not required;
SSH
  Instead of telnet, SSH can be used for remote access to the firewall itself. This offers a much higher level of security than telnet, as it requires mandatory strong authentication and uses an encrypted communication link;
Remadmin
This service allows the configuration file to be uploaded or downloaded by an MS-Windows-based remote administration program via an encrypted link on a specified port;
Keyadmin
This is a similar service to remadmin, but is used to upload or download the key database containing user passwords and cryptographic keys. The database can then be edited using an MS-Windows based key administration program;
Webadmin
This service allows reports and graphs of firewall usage to be accessed via a standard web browser. Either unencrypted (HTTP) or encrypted (HTTPS/SSL) connections are allowed; since the reports describe the firewall's own traffic, the encrypted form should be used wherever the browser is not on the internal network.

The firewall allows arbitrary additional services to be added by means of TCP proxies, transparent TCP `gateways', and transparent UDP `gateways'. A TCP proxy relays connections arriving at a TCP port on the firewall to the same or some other TCP port on some other host. The target host must usually be fixed when the proxy is set up; the exceptions are the telnet, FTP, SOCKS and HTTP proxies, which can be used to connect to arbitrary hosts. The transparent TCP and UDP `gateways' allow transparent outgoing access to the specified services. These are more general than the TCP proxies in that no target relay host needs to be specified: a host that is allowed access to such a service will be able to transparently connect to any external host on the specified port unless access to that external host and service is explicitly blocked. Because a gateway therefore opens the specified port to every external host for the internal hosts permitted to use it, the set of permitted internal hosts should be kept as small as the site's requirements allow.
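The access rules described above (core services for internal hosts, externally reachable SMTP with per-host blocks, configuration-dependent external DNS, ICMP echo replies accepted only for the firewall itself, TCP proxies with a pre-specified DMZ target, and transparent gateways with explicit target blocks) can be written down as a small policy evaluator. The following is an added example, not CEQURUX code: every address range, port and sample packet is constructed for illustration (documentation ranges throughout), DMZ-originated traffic is treated like external traffic, and only the first packet of a connection is classified (reply traffic belonging to an established proxy or gateway session is not modelled).

```python
"""Policy evaluator for the service-access rules on this page.

Added example, not CEQURUX code.  All nets, hosts and ports are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")            # assumed internal network
FIREWALL = ip_address("203.0.113.1")           # assumed external address of the firewall

# Core services available to all internal hosts: DNS, SMTP (ICMP echo handled below).
CORE = {("udp", 53), ("tcp", 53), ("tcp", 25)}
EXTERNAL_DNS = True                             # configuration-dependent on the real product
SMTP_BLOCKED = [ip_network("198.51.100.0/24")]  # external hosts specifically denied SMTP

# TCP proxies whose relay target is fixed at setup time (public service in the DMZ).
PROXIES = {("tcp", 80): ("192.0.2.10", 80)}     # HTTP on the firewall -> assumed DMZ web server

# Transparent gateways: (proto, port) -> internal nets allowed to use them, plus
# explicit blocks of (external net, (proto, port)).
GATEWAYS = {("tcp", 443): [ip_network("10.0.1.0/24")]}
GATEWAY_BLOCKS = [(ip_network("198.51.100.0/24"), ("tcp", 443))]

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    port: int = 0         # destination port for tcp/udp
    icmp_type: int = -1   # ICMP type for icmp


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def decide(pkt: Packet) -> str:
    """Classify the first packet of a flow as 'allow:<reason>' or 'deny:<reason>'."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    svc = (pkt.proto, pkt.port)

    if src in INTERNAL:                          # outbound from an internal host
        if pkt.proto == "icmp":                  # ping is a core service; other ICMP is not
            return "allow:core-icmp-echo" if pkt.icmp_type == ECHO_REQUEST else "deny:icmp-type"
        if svc in CORE:
            return "allow:core-service"
        if svc in GATEWAYS and _in_any(src, GATEWAYS[svc]):
            # Gateway reaches any external host on the port unless explicitly blocked.
            if any(dst in net and blocked == svc for net, blocked in GATEWAY_BLOCKS):
                return "deny:gateway-target-blocked"
            return "allow:transparent-gateway"
        return "deny:no-rule"

    # Inbound from outside: only the firewall's own address offers services.
    if dst != FIREWALL:
        return "deny:not-firewall"
    if pkt.proto == "icmp":
        # Echo requests from outside are dropped; replies to the firewall's pings pass.
        return "allow:echo-reply-to-firewall" if pkt.icmp_type == ECHO_REPLY else "deny:icmp-echo-request"
    if svc == ("tcp", 25):
        return "deny:smtp-blocked-host" if _in_any(src, SMTP_BLOCKED) else "allow:smtp"
    if svc in {("tcp", 53), ("udp", 53)}:
        return "allow:dns" if EXTERNAL_DNS else "deny:dns-not-exported"
    if svc in PROXIES:
        host, port = PROXIES[svc]                # relayed to the pre-specified target
        return f"allow:proxy-to-{host}:{port}"
    return "deny:no-rule"


# Constructed sample packets (not captured traffic).
SAMPLE = [
    Packet("10.0.1.5", "203.0.113.1", "udp", 53),
    Packet("10.0.1.5", "203.0.113.50", "icmp", icmp_type=ECHO_REQUEST),
    Packet("10.0.1.5", "203.0.113.50", "tcp", 443),
    Packet("10.0.1.5", "198.51.100.7", "tcp", 443),
    Packet("10.0.2.5", "203.0.113.50", "tcp", 443),
    Packet("198.51.100.7", "203.0.113.1", "tcp", 25),
    Packet("203.0.113.50", "203.0.113.1", "tcp", 25),
    Packet("203.0.113.50", "203.0.113.1", "icmp", icmp_type=ECHO_REQUEST),
    Packet("203.0.113.50", "203.0.113.1", "icmp", icmp_type=ECHO_REPLY),
    Packet("203.0.113.50", "203.0.113.1", "tcp", 80),
    Packet("203.0.113.50", "10.0.1.5", "tcp", 80),
]

if __name__ == "__main__":
    for p in SAMPLE:
        label = f"{p.proto}/{p.port}" if p.proto != "icmp" else f"icmp type {p.icmp_type}"
        print(f"{p.src:>15} -> {p.dst:<15} {label:<14} {decide(p)}")
```

The two outbound HTTPS packets show the difference between a proxy and a gateway: the gateway rule has no target host, so 10.0.1.5 reaches any external host on port 443 except the explicitly blocked net, while 10.0.2.5, which is outside the permitted internal net, gets no access at all. The inbound packets show that the only externally visible address is the firewall's own, and that an inbound ICMP echo request is dropped even though an echo reply to the firewall is accepted.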

The firewall also allows NetBIOS services to be transparently gatewayed, with or without authentication, and with or without network address translation. This is strongly discouraged, but may be a requirement at some sites. If it is used, it should be combined with authentication and with packet-filtering mechanisms on the firewall, and possibly on external routers as well, so that it can be done with some degree of security.


Copyright © 2004, CEQURUX Technologies