TIS FWTK:

PATCHES

Note: Neither I nor the author of a patch is responsible for the use or misuse of these patches.
    Fixes for FWTK 2.1
1.1: Fix to get gate-ftp working in the toolkit
Apply the patch below to allow gate-ftp (included in the tools/client/gate-ftp directory) through the FWTK.
*** ftp-gw.c.ORG Sat Jan 18 20:05:49 1997
--- ftp-gw.c Tue Apr 15 14:24:49 1997
***************
*** 151,156 ****
--- 151,158 ----
"stat",  OP_CONN, /* overload */ cmd_abor,
"dele",  OP_CONN|OP_XTND,   0,
"size",  OP_CONN,   0,
+  /* Passthrough service for gate-ftp */
+  "passerve", OP_WCON,   cmd_passthru,
0,  0,    0
};
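Review bot: the new table entry `"passerve", OP_WCON,   cmd_passthru,` names a handler, cmd_passthru, that is not defined anywhere in this hunk, so ftp-gw.c will not link if this fragment is applied on its own; check that the complete patch (or the gate-ftp distribution) supplies that function before building. It would also help to extend the `/* Passthrough service for gate-ftp */` comment with why the entry uses OP_WCON rather than the OP_CONN flag of its neighbours, since that flag difference is the only thing distinguishing it from the surrounding entries.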
1.2: Fix to cause smap to read EOF in messages, instead of a "." on a line
If you see messages which have a single period "." on a line getting truncated in smap, then change the following in smapd.c.

From:
    faka[i++] = "-f";
To:
    faka[i++] = "-if";
 
 
1.3: Fix to make http-gw use http/1.0 responses
The http-gw daemon in FWTK 2.1 and below uses http/0.9 responses. Some browsers (including IE 4.0) require http/1.0 codes.

Download the following patch to give this ability:
    http1.pch
 
 
1.4: Fix for javascript quoting bug
This patch fixes http-gw so that it removes only pairs of double quotes. It is from Kees van Veen <cvn@interchain.nl> and was rewritten by Phil Randal <prandal@herefordshire.gov.uk>:

---------------  cut here ----------------
*** http-gw.c Sat Feb  7 00:32:25 1998
--- http-gw.c.new Fri Sep 18 19:55:00 1998
***************
*** 2285,2292 ****
       seek_and_destroy(value);

   /* Quote at end removed to avoid double write */
!  p = value + strlen(value) - 1;
!  if ((*p == '"') || (*p == '\'') *p = 0;

   /* write out the saved (or rewritten) field now */
   if (!in_blocked)
--- 2285,2297 ----
      seek_and_destroy(value);

   /* Quote at end removed to avoid double write */
!  if (*value == '"' || *value == '\'') {
!    /* leave single quote intact */
!    if (strlen(value) > 1) {
!      char *p2 = value + strlen(value) - 1;
!      if (*value == *p2) *p2 = 0;
!    }
!  }

   /* write out the saved (or rewritten) field now */
   if (!in_blocked)
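Review bot: the old block's `if ((*p == '"') || (*p == '\'') *p = 0;` is missing a closing parenthesis, so the "before" shown here does not compile as quoted; if this fragment was transcribed by hand, check it against the distributed http-gw.c before using it as a base. In the new block the trailing quote is removed only when it matches the opening one (`if (*value == *p2) *p2 = 0;`), which gives the "pairs only" behaviour the description asks for, but the opening quote at `*value` is left in place, so the field is still written with a leading quote unless seek_and_destroy or earlier code removes it; either strip both ends here or document where the leading quote is handled. Minor: strlen(value) is computed twice in the new block.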
------------------- cut here ---------------

1.5: Fix for null "To:" address coredump in smap
Apply this simple patch to smap.c:
                        q += 3;
                        while(isspace(*q))
                                q++;

+                        if(q == (char *)0) {
+                                printf("501 Syntax error\r\n");
+                                fflush(stdout);
+                                continue;
+                        }
#ifdef  SPECIALDOMAIN
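Review bot: the added `if(q == (char *)0)` test is placed after `q += 3;` and `while(isspace(*q))`, both of which have already advanced or dereferenced q, so a null q would have crashed before this line is reached and a non-null q cannot become null here; the check can never fire. If the problem being fixed is an empty address following "To:", test for end of string instead, i.e. `if(*q == '\0')`, and keep the 501 reply and `continue` as written.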

1.6: Fix for extended ftp permissions in ftp-gw
This simple fix stops a coredump when using extended permissions in ftp-gw. In ftp-gw.c, change lines 1431 and 1432 from:
msg_int = auth_perm(confp,authuser,"ftp-gw",riaddr,tokav[0]);
if(msg_int == 1 || msg_int == 0) { 
To:
msg_int = auth_perm(confp,authuser,"ftp-gw",riaddr,tokav);
if(msg_int == 1 || msg_int == -1) {
1.7: Fix to stop coredump in x-gw under Linux
The improper code is in sig.c, which is part of the X proxy. This fix should apply to all versions of the FWTK.

Here is the improper code in sig.c:

void *data;
{
int ret;
list_t *p=pidlist;

while(p) {
if( (ret=handle_sigpid(p->id))>= -1 && cb)
 ret=cb(p->id,data,ret);
if( ret>= -1)
/*************************************************
* Function deleteListItem does a "free" on pointer p and then the next line of code attempts
* to use this memory.  On Sun operating systems you get away with this without causing
* a segmentation fault.  With Debian Linux this causes a segmentation fault.  Possibly other
* Linux operating systems may also do the same.
*/
 pidlist=(list_t*)deleteListItem(pidlist,p->id);
p=p->next;
}
return pidlist;
}

This is one method to fix the problem:
void *data;
{
int ret;
list_t *p=pidlist;
list_t *ptemp;   /* Define a temporary pointer to list_t */

while(p) {
if( (ret=handle_sigpid(p->id))>= -1 && cb)
 ret=cb(p->id,data,ret);
if( ret>= -1) {
/*  Assign the next pid to ptemp even if it's NULL   */
 ptemp=p->next;
/*  Now we can call deleteListItem and free memory for p  */
 pidlist=(list_t*)deleteListItem(pidlist,p->id);
/*  Now we put the next pid value into memory location p */
 p=ptemp;
} else { /* If child pid still active and has not died then do this */
 p=p->next;
}
}
return pidlist;
}

1.8: Fix to properly display "250-" ftp responses
Some sites return "250-" responses with CR/LF pairs at the end of each line, which get_ftp_reply chokes on. (They obviously include a DOS/Windows-created text file for the message.)

The line to fix is line 129 of ftp-gw.c:

  if (cnt <= 0)

replacing it with

  if (cnt < 0)
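As an added illustration (not FWTK's own code), here is a reply reader written the way the corrected test implies, with RFC 959 multi-line handling, run over a constructed DOS-style reply; the names get_line, reply_code and the wrapper functions are mine, not ftp-gw.c's, and the in-memory string stands in for the control connection:

```c
#include <ctype.h>

/* Added example, not FWTK code: a line reader and multi-line FTP reply
 * collector that accept CR/LF endings and blank continuation lines, the
 * input the original "if (cnt <= 0)" in get_ftp_reply rejected.  The
 * server reply is a constructed string standing in for the socket. */

/* Read one line into buf, dropping the LF and any CR before it.  Returns
 * the bytes kept (0 for a blank line) or -1 when input is exhausted.  Only
 * the negative value is an error: a blank line is legal inside a "250-"
 * reply, which is why 1.8 changes "cnt <= 0" to "cnt < 0". */
static int get_line(const char **src, char *buf, int size)
{
    int cnt = 0;
    if (**src == '\0')
        return -1;                  /* peer closed the connection */
    while (**src != '\0' && **src != '\n') {
        if (cnt < size - 1)
            buf[cnt++] = **src;     /* overlong lines are truncated */
        (*src)++;
    }
    if (**src == '\n')
        (*src)++;
    while (cnt > 0 && buf[cnt - 1] == '\r')
        cnt--;                      /* strip the CR of a CR/LF ending */
    buf[cnt] = '\0';
    return cnt;
}

/* The 3-digit code at the start of line, or -1 if there is none. */
static int reply_code(const char *line)
{
    if (!isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1])
        || !isdigit((unsigned char)line[2]))
        return -1;
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Collect one complete reply (RFC 959 section 4.2): "ddd-text" opens a
 * multi-line reply that ends at the next line beginning "ddd " with the
 * same code.  Returns the code, or -1 if the reply is malformed or the
 * input ends first; *nlines receives the number of lines consumed. */
static int get_ftp_reply(const char **src, int *nlines)
{
    char line[512];
    int cnt, code, n = 1;
    if ((cnt = get_line(src, line, sizeof line)) < 0)
        return -1;
    if ((code = reply_code(line)) < 0)
        return -1;
    if (cnt > 3 && line[3] == '-') {
        for (;;) {
            if ((cnt = get_line(src, line, sizeof line)) < 0)
                return -1;          /* EOF in the middle of the reply */
            n++;
            if (cnt >= 4 && line[3] == ' ' && reply_code(line) == code)
                break;              /* "ddd " terminator reached */
        }
    }
    *nlines = n;
    return code;
}

/* Wrappers that run the parser over a constructed reply string. */
static int parse_reply_code(const char *text)
{
    const char *p = text;
    int n;
    return get_ftp_reply(&p, &n);
}

static int parse_reply_lines(const char *text)
{
    const char *p = text;
    int n = 0;
    return get_ftp_reply(&p, &n) < 0 ? -1 : n;
}

static int first_line_len(const char *text)
{
    const char *p = text;
    char buf[64];
    return get_line(&p, buf, sizeof buf);
}
```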


    Patches
2.1: Patch to save duplicates of smap messages
The patch is available at smap2.txt. Note from the author:

Here is a diff for the smap.c code (note that this code has already been patched for Solaris 2 -- your mileage may vary). I've tested it briefly, and everything seems okay. This will save a copy of each message to a directory called "backup" that is located directly under your regular "smap" spool directory, as specified in your netperm-table:

smap, smapd:    directory /var/spool/mqueue.smap

would use /var/spool/mqueue.smap/backup as the backup directory. This is necessary because this could also be your chroot environment.

It uses the same filename as the temporary file. This is in the format "smaXXXXXX".

I believe the code is as secure as the stuff TIS provides, since it's basically their code, just duplicated for the second file. You are probably going to have problems when the directory starts getting full. Here are some suggestions:

1) Run a daily/weekly cron job to move the files to off-line storage
2) Put the backup directory on a different disk spindle for better performance

To compile, include the flag -DDUPMAIL in the Makefile.

--  Marc Mosko <marc@tear.com>
 
 
2.2: Patches for smap to reduce e-mail spam and spam relaying
There are several different patches/changes you can do to smap to keep it from sending spam. You can verify that your server is not a spam relay by going to http://maps.vix.com/tsi/

  1. Have a look in smap.c for the #ifdef SPECIALDOMAIN hack.  You can modify the list of domains in that part of the code.  Save the unmodified smap executable, and then recompile it with -DSPECIALDOMAIN to enable the 3rd party relay hack.  Rename the new one to smap-norelay. You then need to use netacl and the netperm-table to launch the right version of smap:  the regular smap for internal mail going out, and smap-norelay for incoming mail.  There are no changes to smapd for this hack.
  2. Joe Yao has a patch for a "more hardened and documented smap". It adds a lot of anti-spam code, anti-relaying, documentation, and source code cleanup. You can download it from yao-smap.pch. You can also download the EHLO addon to Joe's patch (written by Pat Verner) at yao-smap2.pch.
  3. Craig Hagan and Bruce Ellis have made patches available to help reduce the amount of spam e-mail going through the firewall. The URL address is: http://www.cih.com/~hagan/smap-hacks/
  4. Andrew Dunstan wrote an anti-relaying patch for smap/smapd, which is at smapx.pch. You can find instructions for this at smapx.txt
  5. You can also look at the patch called NoSpam! (which also supports MAPS RBL) by Jason Rhoads at: http://www.sabernet.net/support/tools/
2.3: Patch to give ftp-gw a "plug" capability 
This patch, written by Kevin P. Fleming, allows the ftp-gw proxy to support a "plug-to" option in  netperm-table. This can be used to implement a sort of "reverse proxy", where ftp-gw is used to accept incoming ftp sessions from users on the Internet, and proxy them over to the internal, protected ftp server. This also allows commands issued by those users to be restricted and/or logged at the firewall, instead of in the ftp server. The patch is available at ftp-plug.pch. Make sure that you remove the RCS stuff before you try the patch.

Then, just add something like this to the netperm-table:

ftp-gw: permit-hosts 192.168.0.* -plug-to internal.ftp.domain.com

A good use for this patch would be to mirror an internal FTP site onto an external one. You might want to take a look at mirror.pl, available at ftp://sunsite.doc.ic.ac.uk/packages/mirror. From the mirror.pl README file:
    "Mirror is a package written in Perl that uses the ftp protocol to duplicate a directory hierarchy between the machine it is run on and a remote host. It avoids copying files unnecessarily by comparing the file timestamps and sizes before transferring. Amongst other things it can optionally compress, gzip, and split files."
 
 
2.4: Patch to give the toolkit transparency 
You can download the transparency patch for FWTK 2.1 at transp.pch. If you are looking for instructions on it, check out trans-p.html. If you are having problems, you might need to apply this patch after you have installed the transparency patch:

--- ./lib/hnam.c.croall  Thu Jul 16 15:35:31 1998
+++ ./lib/hnam.c    Thu Jul 16 15:37:34 1998
@@ -63,7 +63,8 @@
     struct sockaddr_in sin;
     struct hostent    * hp;
     int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0;
-    char         buf[255], hostbuf[255];
+    static char       buf[255];
+    char         hostbuf[255];
 #ifdef __FreeBSD__
     struct sockaddr_in rsin;
     struct natlookup   natlookup;
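Review bot: changing `buf` from an automatic array to `static char       buf[255];` only makes sense if the function returns a pointer into buf, which with the automatic array was a dangling pointer the moment the function returned (a real bug, and a plausible cause of the "problems" this follow-up patch addresses); the hunk does not show the return statement, so confirm in hnam.c that this is the case. The static buffer also makes the function non-reentrant: a caller that keeps the returned string across a second call will see it overwritten, which matters if the proxy resolves names for both ends of a connection in turn. Leaving hostbuf automatic is fine as long as it is only used within the function.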
2.5: Patch for PASV support and plug-to 
The patch can be found at gopu.tar.gz . Note from the author:

My source code has the following patches:

FTP-GW:   Files affected: ftp-gw.c

  • patched for PASV FTP
  • patched for -plug-to option (patch got thru FAQ)
HTTP-GW: Files affected: hmain.c, http-gw.c, ftp.c, http-gw.h
  • patched for PASV FTP
  • patched for -plug-to option
  • patched to accept !(NOT) in first field of "hosts" or "permit-hosts" in netperm-table.
I was trying to patch the look and feel of FTP output. But parsing the output of "ls -laF" seemed to be a herculean task since the output differs from machine to machine. Also, this will add to the complexity of the code. If somebody has done this please let me know.

These patches are not tested fully. I have the code running on my machines plus about fifteen other fwtk-users are using it. I would appreciate any efforts to bring out the bugs from the patch.

One request: Please send me a one liner with your email address and name before using this, so that I know somebody is using it. In case I find any bugs in it I shall send the files to you in future.

--Gopu <gopu@global.com>
 
 
2.6: Patch for OPIE and SMAIL support 
From the author:

Sorry if this has been reported and/or done before, but I've got three small fixes/additions for FWTK 2.0 to share:

1- smapd & smail
Out of the box, FWTK 2.0 won't work with smail under some cases...  The fix is very tiny.

2- opie and authsrv
I've created a patch that adds NRL's OPIE support to authsrv.

The details and source are on our web site.  Please see:
http://www.glyphic.com/free/fwtkfixes.html

Mark Lentczner <markl@glyphic.com>
 
 
2.7: Patch to add specific IP port binding
The patch is at ipbind-1.1.tar.gz. From the author:

By default, FWTK 2.1 does not support the binding of its proxies to only certain IP addresses.  It requires that these proxies be listening on all interfaces simultaneously.  There are obvious security problems with this situation so this patch was developed to address it.

The -daemon option has been modified so that the argument can now contain an IP address to bind to.  If one isn't specified the previous "all interfaces" approach is defaulted.  The specified name can be ip numbers (xxx.xxx.xxx.xxx) or a hostname that can be resolved by gethostbyname() on the firewall/service machine.

The -name option has been added so that multiple proxy definitions can exist in the netperm-table for the relevant proxy.

The proxies should function identically to the unpatched versions if the extensions are not used in invocation.

William L. Hamlin <whamlin@connetsys.com>

Note: If this patch does not work for you, after you have installed the above patch, change daemon.c (around line 155) from:

sa.sin_family = AF_INET;
bzero( (char *)&sa.sin_addr, sizeof(sa.sin_addr));
sa.sin_port = htons(port);
to:
bzero ((char *)&sa, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(port);

 
2.8: Patch to allow ftp-gw to login without name/password
The http-gw protocol for ftp logins expects to get a password prompt all the time. This problem is easy to fix (ftp.c/ftp_setup() should be fixed to permit the "230 Hi." response). See the patch at ftp.patch
 
 
2.9: Patch for specifying ftp data port in netperm-table
The FWTK ftp proxy does not use a privileged port for its data connection. Any system that requires that ftp data come from a fixed port will not work unless the ftp-gw code is modified to bind to the required port number.

The patch ftp-gw.patch adds a "data-port" option to your netperm-table that will allow this to work. Add something like the following to the netperm-table.
    ftp-gw: data-port 20
 
 
2.10: Patch for limiting size downloads in ftp-gw [2.0/2.1]
The below patch will:
- sizelimit directive in netperm-table (giving the size in bytes, and 0 for no control)
- separate syslog (including a global dest variable) in order to keep stats untouched and ease the summary of size limit exceeded
- close the data connection by emulating a QUIT user command

Bruno LEBAYLE (lebayle@esrf.fr)

Netperm-table (e.g. for 10KB)
-------------
ftp-gw:         sizelimit 10240

Header (before main)
--------------------
#define SIZELIMIT
#ifdef SIZELIMIT
static  int                     sizelimit, currentsize;
#define DESTSIZE                256
static  char                    desthost[DESTSIZE];
#endif

Init (after reading timeout configuration option)
-------------------------------------------------
#ifdef SIZELIMIT
        sizelimit = currentsize = 0;    /* the comma form "sizelimit, currentsize = 0;" only reset currentsize */
        if((cf = cfg_get("sizelimit",confp)) != (Cfg *)0) {
                if(cf->argc != 1) {
                        syslog(LLEV,"fwtkcfgerr: sizelimit must have one parameter, line %d",cf->ln);
                        exit(1);
                }
                if((sizelimit = atoi(cf->argv[0])) <= 0) {
                        syslog(LLEV,"fwtkcfgerr: sizelimit %s invalid, line %d",cf->argv[0],cf->ln);
                        exit(1);
                }
        }
#endif

In cmd_user routine, after permit syslog
----------------------------------------
        syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
#ifdef SIZELIMIT
        /* strlen(dest) == DESTSIZE would make strcpy write DESTSIZE+1 bytes, so use < here */
        if (strlen(dest) < DESTSIZE) strcpy(desthost,dest);
        else {
                strncpy(desthost,dest,DESTSIZE-1);
                desthost[DESTSIZE-1] = (char) 0;
        }
#endif

copyin and copyout routines, between read and write
---------------------------------------------------
#ifdef SIZELIMIT
        currentsize += x;
        if (sizelimit != 0) {
                if (currentsize >= sizelimit) {
                        syslog(LLEV,"sizelimit exceeded %d host=%s/%s dest=%s",sizelimit,rladdr,riaddr,desthost);
                        sprintf(buf,"226 Proxy size limit exceeded %d bytes",sizelimit);
                        sayn(0,buf,strlen(buf));
                        cmd_quit();
                        exit(0);
                }
        }
#endif
 


    Other addons
3.1: FWTK caching module? 
No, the FWTK doesn't cache any data. One http server that does is Squid, and a commercial one is Netscape's proxy server. Look at the man pages for http-gw or the question "How do I run http-gw and a web server.." in this FAQ to find out how to configure this.

If you implement Squid, you might want to use Paul Duerr's http-gw ==> Squid forwarding patch. You can find it at http-pat.tar.gz or you can use squid-gw (em-gw) by Eberhard Mattes found below.

You can also cache NNTP by using nntpcache, which is found at http://www.nntpcache.org/
 
 
3.2: RealAudio/RealVideo and FWTK
You can download the RealAudio/Video Firewall Admin Proxy Kit ( http://www.real.com/firewall/ ) which will proxy RealAudio/RealVideo via TCP. Also, RealAudio client versions 4.0 and above support downloading audio/video streams via HTTP.
 
3.3: Perl Syslog summary script 
There is a perl script at fwtk-summ.perl which you can use to produce a daily summary of FWTK traffic. It has similar functionality to the standard tools/admin/reporting/*-summ.sh scripts, but only scans the log-file once.
 
3.4: How do I encrypt my telnet/rsh sessions? 
You might want to take a look at the ssh suite of tools. You can look at the ssh-faq at http://www.cs.hut.fi/ssh/ or download a freely available Unix version at ftp://ftp.cs.hut.fi/pub/ssh/ .

You can use plug-gw as a ssh proxy between two distinct hosts or look at the ssh proxy listed in this FAQ if you want encrypted traffic between your client and the firewall.
 
 
3.5: Free authentication clients/servers for the toolkit
Look at S/key, which is a one-time password generation and use application. You can find it at ftp://thumper.bellcore.com/pub/nmh. You can also use the version that came with W. Venema's logdaemon kit, which can be downloaded from ftp://coast.cs.purdue.edu/pub/tools/unix/logdaemon.
 
3.6: Proxy for traceroute/ping
You can either use the small "wrapper" by Eberhard Mattes <mattes@azu.informatik.uni-stuttgart.de>, or use the NEC socks5 proxy, which comes with traceroute and ping proxies. The wrapper can be found at em-gw.tar.gz, which can be modified for other programs like finger. The NEC socks5 proxy is located at http://www.socks.nec.com/
 
3.7: Proxy for UDP traffic
Try UDPRELAY. It works with most services. It is at ftp://coast.cs.purdue.edu/pub/tools/unix.
 
3.8: Proxy for multicast backbone
An MBone proxy is now available for alpha testing with the FWTK. The MBone (Multicast Backbone) is one of the earliest and best known technologies for multimedia conferencing over the Internet. MBone traffic is carried in multicast UDP datagrams. The Advanced Research and Engineering Division of TIS has developed an approach that allows FWTK-based firewalls to pass restricted, bidirectional MBone traffic while reducing the risk that inbound datagrams can be used to attack hosts inside the firewall-enforced security perimeter. The MBone proxy is designed to work with a special wrapper program that runs on Unix-based inside clients. The wrapper carries out an initial dialog with the firewall proxy and then spawns unmodified MBone applications as child processes. The MBone proxy and wrapper work with the following MBone applications: sdr (session directory), vat (audio), vic (video), and wb (whiteboard). The proxy has been tested with BSD/OS Version 2.1 and FWTK 2.0. The wrapper has been tested on a variety of Unix systems, including BSD/OS, Irix, and SunOS.

For alpha testing, the proxy and wrapper can be obtained from the contrib section of the FWTK ftp site:

ftp://ftp.tis.com/pub/firewalls/toolkit/contrib/mbone-gw.tar.gz

A more complete description of the proxy and wrapper is provided in a recent paper presented at the 1997 IEEE Symposium on Security and Privacy, "An MBone Proxy for an Application Gateway Firewall". This paper is available online at

http://www.tis.com/docs/research/network/mbone/mboneabs.html
 
 
3.9: Proxies for NNTP, POP3, Squid, and other services such as traceroute (em-gw)
You can find em-gw.tar.gz at em-gw.tar.gz. Note from the author:

------------------------------------------------------------------------------
em-gw.tar.gz  - Four proxies contributed by Eberhard Mattes:
    cmd-gw: running traceroute etc. remotely on gateway
    nntp-gw: NNTP proxy
    pop-gw: POP3 proxy (inbound)
    squid-gw: HTTP proxy, front-end for Squid cache
------------------------------------------------------------------------------

The PGP sig for em-gw.tar.gz can be downloaded at em-gw.asc

--  Eberhard Mattes <mattes@azu.informatik.uni-stuttgart.de>
 
 
3.10: Proxy for IRC
This proxy allows you to proxy IRC across the firewall. Both the standard connection and DCC are supported in this latest release (1.0 beta release 1).

You can download the proxy from irc-gw-1.0bpl2.tar.gz. The proxy was written by ArkanoiD <ark@eltex.spb.ru>
 
3.11: Proxy for ssh to the firewall
The ssh-gw proxy allows you to have encrypted ssh connections from an ssh client to the firewall. From your firewall into your internal network the traffic is not encrypted.

This is a good solution if you trust your internal network, but want encrypted packets on the Internet.

The proxy is at ssh-gw.tar.gz. The proxy was written by ArkanoiD <ark@eltex.spb.ru>
 
3.12: Proxy for outbound POP3

pop3-gw v0.4alpha
^^^^^^^ ^^^^^^^^^

This proxy implements a pop3 protocol gateway with optional USER/PASS -> APOP auth protocol translation for outbound pop3 connections.

It supports RFC-1939 pop3 commands only and does not work with AUTH type authentication (and who does?). Only outbound APOP is supported; that means you can't use it to authenticate to proxy itself (if you use plugged or transparent operation, you can, but..).

Please note that messages pass over the internet unencrypted even if you use APOP. Use PGP to avoid that.

setting up proxy
^^^^^^^ ^^ ^^^^^
Edit Makefile to add -DIPFILTER to the C options and the IPFILTER variable to point to the IPFilter source if you use IPFilter transparency.

Compile the source and edit inetd.conf to point to the binary. Set up a connection diverter if you use transparent operation.

netperm-table general options:

userid <uid>,groupid <gid>  similar to fwtk

{permit-|deny-}hosts    similar to fwtk

netperm-table hosts options:

-dest <list>    similar to fwtk

-fallback    permit fallback to insecure protocol

-transparent    transparent operation

-plug-to <server>   plug to a pre-defined server (can be useful for inbound operation)

-apop-only    being used with -transparent or -plug-to, disallow user/pass authentication on client side
     (recommended for inbound proxy)

-user <username-list>   specify the list of users allowed to access proxy. "!" modifier is valid.

-separator <separator-char>  a character to replace @ as separator.

(unimplemented)
-extnd     turn extended permissions processing on (see authsrv documentation)

setting up client side
^^^^^^^ ^^ ^^^^^^ ^^^^
Use your firewall name as POP3 server name and user@host[:port] syntax to specify real destination for non-transparent operation.

For transparent operations no special client setup is required.

BUGS
^^^^
Just an alpha release - so there should be some.
I've noticed it does not work well with hotmail.com. If somebody knows why please tell me.

ToDo
^^^^
Fix hotmail bug.
Make real proxying when in TRANSACTION state.

For developers
^^^ ^^^^^^^^^^
Feel free to improve the program the way you want - but send me a copy of your patches.

Revision history
^^^^^^^^ ^^^^^^^
0.1alpha  First version

0.2alpha  bugfix: fixed typo that caused "userid" config parameter to be ignored
   added transparency support and plug-to support
   added client APOP support when using one of those
   renamed from pop3-gw.out to pop3-gw
   Removed gauntlet-style authentication from ToDo list (considered harmful)

0.3alpha  added -user option

0.4alpha  added -separator option - Netscape (HATE!) workaround.
 

Email
^^^^^
home: ark@mpak.convey.ru
work: ark@eltex.spb.ru
 
 
3.13: Proxy to fake ident responses

ident-spoofer v1.0beta
^^^^^^^^^^^^^ ^^^^^^^^
This program is designed to make servers over the internet happy when they expect to get ident (RFC-1430) information from a host behind an fwtk firewall. Works great with the irc-gw bogus-user option.

The program is not designed to provide information on services running on the host: it works with remote port numbers only.

setting it up
^^^^^^^ ^^ ^^
Compile the source and edit inetd.conf to point to the binary.
You should create netperm-table entries like:

{permit-|deny-}hosts <hostmask> - similar to fwtk
ostype <put desired OSTYPE here, say, UNIX>
service <service name/port> <userid>

service name is a name or port number you connect to, like in:

ident-spoofer:  service smtp            root
ident-spoofer:  service ftp             ftp
ident-spoofer:  service irc-client      nobody

and so on.

BUGS
^^^^
report to me if you find any.

ToDo
^^^^
suggestions are welcome.

Email
^^^^^
home: ark@mpak.convey.ru
work: ark@eltex.spb.ru
 
3.14: Proxy for rsh

rsh-gw-0.1alpha.tar.gz

This file is the README for rsh-gw, a proxy for the rshd(8) protocol and fwtk-style firewalls. It makes (or should make) the use of rsh and rsh-based services like rsync, rdist, cvs and so on possible across firewalls.

WARNING: this proxy (due to the nature of the rsh protocol) does not support authentication techniques other than the generic one, which is based solely on rsh client and host system security. So it is at least not wise to use it to access "trusted" networks from "untrusted" ones. Once again: the primary purpose of the program is to allow "internal" users access to [semi-]public rsh-based services.

Another purpose is to run x-gw automagically from a script.

If you got any interesting services running please send me your setup and log fragments - I need it for future documentation.

setting up proxy
^^^^^^^ ^^ ^^^^^
Edit Makefile to add -DIPFILTER to the C options and the IPFILTER variable to point to the IPFilter source if you use IPFilter transparency.

Compile the source and edit inetd.conf to point to the binary. If your system does not have rcmd(3) system call you can use a generic BSD implementation provided in this distribution for reference purposes.

Set up a connection diverter if you use transparent operation.

netperm-table general options:

{permit-|deny-}hosts                    similar to fwtk

xforwarder                              similar to tn-gw/rlogin-gw

netperm-table hosts options:

- -dest <list>                          similar to fwtk

- -transparent                          transparent operation

- -plug-to <server>                     plug to a pre-defined server

- -user <username-list>                 specify the list of users allowed
                                        to access proxy. "!" modifier is
                                        valid.

- -ausers <username-list>               specify the list of users treated
                                        as "authenticated" if rsh
                                        authentication was successful

- -xok                                  permit x-gw access

- -extnd                                turn extended permissions processing
                                        on (see authsrv documentation)

setting up client side
^^^^^^^ ^^ ^^^^^^ ^^^^
Use "rsh -l user@host firewall-host command" syntax to specify real destination for non-transparent operation.

For transparent operations no special client setup is required.

"rsh firewall-host x" will just run x-gw on firewall. You can redirect stdout from this command to somewhere and use it as future reference to "remote" display. 

Example:

eval `rsh myfirewall x|sed "s/display port/RDISPLAY/"`
rsh -l me@somewhere.out myfirewall xperfmon++ -display $RDISPLAY
 

BUGS
^^^^
Just an alpha release - so there should be some.

I think I should make it more portable.

ToDo
^^^^
Anything else?

For developers
^^^ ^^^^^^^^^^
Feel free to improve the program the way you want - but send me a copy of your patches.

Email
^^^^^
home: ark@mpak.convey.ru
work: ark@eltex.ru
 
3.15: Simple mail MTA (ssmtp)

ssmtp-0.5alpha.tar.gz

A dirty hack designed to eliminate sendmail (and other "smart" MTAs) on the firewall completely. Based on the ssmtp program (I left the original name unchanged, although the code differs a lot); see the source comments for more information and the original authors list.

setting it up
^^^^^^^ ^^ ^^
Make and install the program, then edit the netperm-table to specify MTA options like:

smapd:          sendmail /usr/local/etc/ssmtp (or whatever your binary
                location is)

ssmtp:         relay mylocalnet.net -via mymailhub.internal.net
ssmtp:         default-relay extmailhub.myisp.net

ssmtp knows nothing about MXes and other things like that. It does SMTP _only_ and uses static routes defined in netperm-table to deliver mail.

BUGS
^^^^
report to me if you find any.

Sendmail emulation is really bad, but we do not need anything better to work with smapd and scripts like /etc/daily.

Code requires more audit to find possible buffer overrun vulnerabilities.

ToDo
^^^^
Fix possible security problems, general code cleanup/whatever..
Better handling of mail failures/postmaster notification/etc.
Implement some MIME content filtering.
PGP enforcer? ;-) Content audit?

Email
^^^^^
home: ark@mpak.convey.ru
work: ark@eltex.ru