
Generic Service Passer

By default, the Eagle allows only the ftp and telnet network services to pass through a protected network, subject to rules you place in your authorization file. There are many other network services, some of which you might want to allow through your G Box. The Generic Service Passer allows you to do so by importing (or exporting) a service from a computer on one side of the Eagle to a machine on the other side. A network service is set up by someone elsewhere to provide access to their machine for a specific purpose. Some services are informational (WAIS, WWW, gopher, archie, etc.), some are recreational (MUDs, IRC, etc.) and of course, there is USENET news. There are more services and servers than we can describe here. A summary of some services may be obtained via anonymous ftp from the host ftp.rpi.edu, by copying the file pub/communications/internet-tools.

As a security measure, the Eagle disallows direct access between a local computer and an external computer. The Generic Service Passer is a mechanism you can use to permit specific services into or out of your network, through what might be called a proxy connection through the Eagle to the real service machine.

There are two steps needed to set up passing a service. First, add the service to the Passer's configuration file /usr/adm/sg/passer.cf, on the G Box. This specifies where the real server machine is, and what service name to use to get to it. The second step is to modify the gateway configuration file /usr/adm/sg/gateway.cf (on the A Box) to specify which machines may have access to the service.

To add a service to the passer configuration file, enter a line of the form:

service serverhost
service serverhost/serverport +
service serverhost countdeny

Serverhost names the server computer by its hostname or IP address. Service is either a service name from the /etc/services file or a portnumber/protocol pair for the service (where protocol is either UDP or TCP). Serverport allows you to specify the port on serverhost to connect to; otherwise it is the same port as service. Serverport is used in situations where the service is provided on a port number other than the standard one, or when you want to receive the service on a different port. The '+' option (TCP only) tells the Generic Service Passer to write, as the first packet of a connection, the message:

IPaddr port

This is meant to let the real server know what the real client's Internet address and port are (the server will probably need to be set up specially to understand this). The message is terminated by an ASCII linefeed character (hex 0A).

The countdeny argument increments the sliding time window (see Dynamic Activity Monitoring) only on access denied events.

To allow the use of a service, edit the gateway configuration file on the Authorization machine. Add the service to the option list for a rule which allows or denies the connection. For example, if the line in the Passer config file was:

service servicehost

and you wanted only mymachine to use that service, the line in the gateway config file would be:

mymachine allow servicehost(service)

In practice, mymachine connects to the Eagle instead of servicehost, and specifies the desired service. The Eagle verifies that the connection is allowed. If the connection is allowed, the Eagle then connects to servicehost. From that point the Eagle simply relays characters between mymachine and servicehost. For UDP services in which there is no connection per se, a pseudo-connection is used which will shut down after a minute of inactivity. All connections are logged.
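The UDP case above has no connection for the Eagle to track, so the passer keeps a pseudo-connection that is torn down after a minute of inactivity, and every connection is logged. The following is an added example, not Raptor's own code: it models that bookkeeping with an injected clock so the timeout can be exercised offline. The table layout, the log line format and the simulate() scenario are assumptions made for illustration; only the 60-second idle limit and the fact that connections are logged come from the manual.

```python
"""Model of the Eagle's UDP pseudo-connection handling (added example, not Raptor's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

IDLE_TIMEOUT = 60.0  # seconds; "a minute of inactivity" per the manual

Endpoint = Tuple[str, int]  # (host or IP, port)


@dataclass
class PseudoConnection:
    client: Endpoint     # internal client that sent the datagram
    server: Endpoint     # real server on the far side of the Eagle
    last_seen: float     # clock reading of the most recent datagram


@dataclass
class UdpPasser:
    now: Callable[[], float]                    # injected clock, for testability
    table: Dict[tuple, PseudoConnection] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def datagram(self, client: Endpoint, server: Endpoint) -> bool:
        """Account for one datagram; return True if a new pseudo-connection was opened."""
        self.expire()
        key = (client, server)
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = PseudoConnection(client, server, self.now())
            # Log format is an assumption; the manual only says connections are logged.
            self.log.append(f"open udp {client[0]}:{client[1]} -> {server[0]}:{server[1]}")
            return True
        entry.last_seen = self.now()   # activity refreshes the idle timer
        return False

    def expire(self) -> None:
        """Drop every pseudo-connection idle for IDLE_TIMEOUT seconds or more."""
        t = self.now()
        for key, entry in list(self.table.items()):
            if t - entry.last_seen >= IDLE_TIMEOUT:
                c, s = entry.client, entry.server
                self.log.append(f"close udp {c[0]}:{c[1]} -> {s[0]}:{s[1]} idle")
                del self.table[key]


def simulate() -> List[str]:
    """Constructed scenario: a client polls an NTP server, pauses longer than
    the idle limit, then polls again; returns the resulting log."""
    clock = [0.0]
    passer = UdpPasser(now=lambda: clock[0])
    client, server = ("10.0.0.5", 4000), ("mimsy.umd.edu", 123)  # constructed client
    passer.datagram(client, server)      # t=0: opens a pseudo-connection
    clock[0] = 30.0
    passer.datagram(client, server)      # t=30: refreshes it, no new entry
    clock[0] = 95.0
    passer.datagram(client, server)      # t=95: 65 s idle, so close then reopen
    return passer.log


if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The refresh in datagram() is what distinguishes a still-active pseudo-connection from an abandoned one; without it every UDP exchange longer than a minute would be cut off mid-stream.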

More examples follow, but first a caution: network service clients may have security holes which could allow someone to break into your network through the service passer. While the chance of such a breach is remote, the potential remains because you can allow any service to pass through the service passer. You can minimize the risk of break-in by running up-to-date system software and limiting these connections to trusted machines. Otherwise, you can defeat the purpose of the Eagle, and Raptor Systems cannot guarantee the security of your system.

The following example sets up the local machine newshost to receive USENET news on its NNTP port. When a remote machine wants to send news, it connects to the Eagle at the NNTP port (119/tcp). The Eagle then connects to the same port on newshost, and copies the data between the two connections. The entry in the configuration file (passer.cf) would look like this:

nntp newshost

An authorization rule for this entry which allows remotenews to access the service would be:

remotenews allow newshost(nntp)

Please note that this configuration allows incoming USENET news only. Articles posted by local users will appear on your internal news server, but will not be propagated to the outside world. See Raptor Systems Technical Note #2 for an alternative mechanism which enables bidirectional NNTP service.

In the next example, we set up UDP port 1123 on the Eagle to allow local client machines to use the Network Time Protocol service (123/udp) on the server machine mimsy.umd.edu:

1123/udp mimsy.umd.edu/123

Note that in this example, we changed port numbers from the default port 123 to 1123 on the Eagle.
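To tie together the passer.cf line forms, the gateway.cf rule form, and the two worked entries (nntp and 1123/udp) above, here is an added example, not Raptor's own code, that parses both files' line formats and answers the question the Eagle asks on each connection: is this client allowed to reach this service? The SERVICES table is a constructed stand-in for /etc/services; the comma-separated service list inside the parentheses, the first-match-wins evaluation and the default of denying anything no rule mentions are assumptions for illustration.

```python
"""Parser and authorization check for passer.cf / gateway.cf line forms (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-in for /etc/services: name -> (port, protocol).
SERVICES: Dict[str, Tuple[int, str]] = {
    "telnet": (23, "tcp"),
    "nntp": (119, "tcp"),
    "ntp": (123, "udp"),
}

PORT_PROTO_RE = re.compile(r"(\d+)/(tcp|udp)", re.IGNORECASE)
RULE_RE = re.compile(r"^(\S+)\s+(allow|deny)\s+([^\s(]+)\((.*)\)$")


def resolve_service(token: str, services=SERVICES) -> Tuple[int, str]:
    """'nntp' -> (119, 'tcp'); '1123/udp' -> (1123, 'udp')."""
    m = PORT_PROTO_RE.fullmatch(token)
    if m:
        return int(m.group(1)), m.group(2).lower()
    if token in services:
        return services[token]
    raise ValueError(f"unknown service {token!r}")


def parse_passer_line(line: str, services=SERVICES) -> dict:
    """Parse one passer.cf line: service serverhost[/serverport] [+] [countdeny]."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"malformed passer.cf line: {line!r}")
    service, target, flags = fields[0], fields[1], fields[2:]
    listen_port, proto = resolve_service(service, services)
    host, _, sport = target.partition("/")
    serverport = int(sport) if sport else listen_port   # default: same port as service
    unknown = set(flags) - {"+", "countdeny"}
    if unknown:
        raise ValueError(f"unknown option(s) {sorted(unknown)} in {line!r}")
    announce = "+" in flags
    if announce and proto != "tcp":
        raise ValueError("the '+' option is TCP only")
    return {
        "service": service, "proto": proto, "listen_port": listen_port,
        "serverhost": host, "serverport": serverport,
        "announce_client": announce, "countdeny": "countdeny" in flags,
    }


def client_preamble(ip: str, port: int) -> bytes:
    """First packet the Eagle writes to the server for a '+' entry: 'IPaddr port' + LF."""
    return f"{ip} {port}\n".encode("ascii")


def parse_gateway_rules(text: str) -> List[Tuple[str, str, str, Set[str]]]:
    """Parse gateway.cf lines of the form: client allow|deny serverhost(service[,service])."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed gateway.cf rule: {line!r}")
        client, action, host, opts = m.groups()
        rules.append((client, action, host, {o.strip() for o in opts.split(",") if o.strip()}))
    return rules


def authorize(rules, client: str, serverhost: str, service: str) -> bool:
    """First matching rule wins; with no matching rule the connection is denied (assumed)."""
    for rclient, action, rhost, services in rules:
        if rclient == client and rhost == serverhost and service in services:
            return action == "allow"
    return False


if __name__ == "__main__":
    for line in ("nntp newshost", "1123/udp mimsy.umd.edu/123"):   # entries from the manual
        print(parse_passer_line(line))
    rules = parse_gateway_rules("remotenews allow newshost(nntp)\n")
    print(authorize(rules, "remotenews", "newshost", "nntp"))       # True
    print(authorize(rules, "anyhost", "newshost", "nntp"))          # False
```

Rejecting '+' on a UDP entry and rejecting unknown option words at parse time are the checks worth keeping when you maintain these files by hand: a mistyped option that is silently ignored is exactly how a service ends up exposed more broadly than intended.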

The warning about enabling potentially insecure services and/or access by untrusted machines bears repeating. Your purpose in purchasing the Eagle was to protect your network. Unwise use of the Service Passer could defeat this purpose, and Raptor Systems cannot be responsible for security breaches caused by such use.



tkevans@delmarva.com