Installing the FWTK Firewall Toolkit
Due to the special terms and conditions in the licensing agreement, FWTK is only available for download via FTP from the TIS FTP site. You have to read the license, agree to it, and register your identity on their site before actually downloading the software. Start this process by reading the text file located at ftp://ftp.tislabs.com/pub/firewalls/toolkit/LICENSE.
After you've reviewed this license agreement and found it acceptable, send an e-mail to the address [email protected] that contains the word "accepted" as the only content in the body of the message. This message is processed automatically by TIS's mailer, which sends you a reply that contains the exact location from which to download the software; the directory location is arbitrary and will only exist for about 12 hours. Listing 11.1 contains an example of the e-mail you'll receive from TIS acknowledging your request.
PART 4
Listing 11.1 TIS e-mail acknowledgment of license agreement
From: [email protected]
Subject: Response to your fwtk-request request
Thank you for your interest in our Firewall Toolkit. You will find the current source in the following "hidden" directory on ftp.tislabs.com:
/pub/firewalls/toolkit/dist/fwtk-02d13d
Please change directory directly to the entire path provided. This Directory will exist for at least 12 hours. If you are unable to download before this time period expires, you can send another request to [email protected] to receive a new path.
If you are unable to establish a connection on ftp.tislabs.com, your IP address may not have the appropriate reverse mapping of address to hostname in the Domain Name System.
As a security precaution, we do not allow connections to our ftp server that do not have this DNS information properly configured. Please contact your System Administrator in regard to correcting this.
-NAI Labs
NOTE Note that in order for you to download the FWTK software, your host must have a valid reverse DNS (PTR) record. The TIS FTP server will not allow you to access it if it can't match your IP address to a known host name.
Once you receive the e-mail (it should only take 5-10 minutes), log on to the TIS FTP site (see Listing 11.2) and go to the directory specified in the body of the message. You need to download (in binary form) two files:
■ The main FWTK distribution (fwtk.tar.Z)
■ The documentation archive (fwtk-doc-only.tar.Z)
Listing 11.2 Downloading FWTK from the TIS FTP site
[ramon]$ ftp ftp.tislabs.com
Connected to portal.gw.tislabs.com.
220 portal FTP server (Version 5.60auth/mjr) ready.
500 'AUTH GSSAPI': command not understood.
Name (ftp.tislabs.com:hontanon): anonymous
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /pub/firewalls/toolkit/dist/fwtk-02d13d
ftp> dir fw*
227 Entering Passive Mode (192,94,214,101,194,195)
150 Opening ASCII mode data connection for /bin/ls.
-rw-r--r-- 1 179 10 423991 Sep 13 1996 fwtk-doc-only.tar.Z
lrwxrwxrwx 1 0 1 13 Feb 27 1998 fwtk.tar.Z -> fwtk2.1.tar.Z
-rw-r--r-- 1 179 10 481055 Mar 2 1998 fwtk2.1.tar.Z
226 Transfer complete.
ftp> get fwtk-doc-only.tar.Z
local: fwtk-doc-only.tar.Z remote: fwtk-doc-only.tar.Z
227 Entering Passive Mode (192,94,214,101,194,190)
150 Opening BINARY mode data connection for fwtk-doc-only.tar.Z (423991 bytes).
226 Transfer complete.
423991 bytes received in 3.2 seconds (1.3e+02 Kbytes/s)
ftp> get fwtk.tar.Z
local: fwtk.tar.Z remote: fwtk.tar.Z
227 Entering Passive Mode (192,94,214,101,194,194)
150 Opening BINARY mode data connection for fwtk.tar.Z (481055 bytes).
226 Transfer complete.
481055 bytes received in 3.1 seconds (1.5e+02 Kbytes/s)
ftp> quit
NOTE As of the writing of this book, the most current version of FWTK is 2.1, which dates back to early 1998. FWTK development is a volunteer effort, and although no resources have been available to work on it for the last three years, it's still surprisingly robust, even by today's security standards.
Once you have downloaded both files, simply decompress them and extract their contents. Both the source and document archives write files to an fwtk directory:
[ramon]$ uncompress fwtk-doc-only.tar.Z fwtk.tar.Z
[ramon]$ tar xf fwtk-doc-only.tar
[ramon]$ tar xf fwtk.tar
-rw-r-----  1 ramon users 15984 Feb  5  1998 CHANGES
-rw-r-----  1 ramon users  1465 Nov  4  1994 DISCLAIMER
-rw-r-----  1 ramon users  5846 Mar 12  1997 LICENSE
-rw-r-----  1 ramon users   989 Nov  4  1994 Makefile
              ramon users  2591 Mar  4  1997 Makefile.config
-rw-r--r--  1 ramon users  2660 Feb  5  1998 Makefile.config.aix3
                    users  2626 Mar  4  1997 Makefile.config.decosf
-rw-r--r--  1 ramon users  2571 Mar  4  1997 Makefile.config.hpux
-r--r--r--  1 ramon users  3014 Jan 13  1998 Makefile.config.linux
              ramon users  2696 Mar  4  1997 Makefile.config.sco5
-rw-r--r--  1 ramon users  2928 Mar  4  1997 Makefile.config.solaris
-rw-r--r--  1 ramon users  2600 Jul 15  1997 Makefile.config.sunos
-rw-r-----  1 ramon users  6969 Feb 26  1998 README
drwxr-x---  2 ramon users  1024 Mar  1  1998 auth
-rw-r-----  1 ramon users  3219 Nov  4  1994 auth.h
drwxr-x---  2 ramon users  1024 Mar  1  1998 config
drwxr-xr-x  3 ramon users  1024 Sep 12  1996 doc
-r--r-----  1 ramon users  5389 Mar  1  1998 firewall.h
-rwxr-x---  1 ramon users   791 Sep  5  1996 fixmake
drwxr-x---  2 ramon users  1024 Mar  1  1998 ftp-gw
drwxr-x---  2 ramon users  1024 Mar  1  1998 http-gw
drwxr-x---  2 ramon users  1024 Mar  1  1998 lib
drwxr-x---  2 ramon users  1024 Mar  1  1998 netacl
drwxr-x---  2 ramon users  1024 Mar  1  1998 plug-gw
drwxr-x---  2 ramon users  1024 Mar  1  1998 rlogin-gw
drwxr-x---  2 ramon users  1024 Mar  1  1998 smap
drwxr-x---  2 ramon users  1024 Mar  1  1998 smapd
-rw-r--r--  1 ramon users  5526 Mar 26  1996 sysexits.h
drwxr-x---  2 ramon users  1024 Mar  1  1998 tn-gw
drwxr-x---  5 ramon users  1024 Jan 18  1997 tools
drwxr-x---  2 ramon users  1024 Mar  1  1998 x-gw
As you can see, the FWTK distribution includes a number of preconfigured Makefile.config examples for several popular operating systems, including Linux. Note also that the source code for each of the proxies (ftp-gw, http-gw, etc.) is housed in a different subdirectory. Start by preserving the original Makefile.config file and copying the supplied Makefile.config.linux file into its place using the following commands:
[ramon]$ mv Makefile.config Makefile.config.ORIG
[ramon]$ cp Makefile.config.linux Makefile.config
TIP If you're building FWTK on Red Hat 7.0, you'll have to edit the resulting Makefile.config file and change the value of the XLIBDIR variable from /usr/X11/lib to /usr/X11R6/lib. In addition, you'll have to set the value of AUXLIB to -lcrypt and the value of DBMLIB to -lndbm.
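The Red Hat 7.0 changes from the TIP can also be applied without an editor. The script below is an added example, not part of the book or of the FWTK distribution; only the three variable names and their values come from the text, while the function names, the .pre-rh7 backup suffix and the sample Makefile.config fragment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the FWTK distribution.

# set_make_var FILE NAME VALUE
# Rewrites the one uncommented "NAME=" line in FILE. Refuses to guess when the
# variable is absent or assigned more than once. VALUE must not contain | or &.
set_make_var() {
    file=$1 name=$2 value=$3
    n=$(grep -c "^[[:space:]]*${name}[[:space:]]*=" "$file") || true
    if [ "$n" -ne 1 ]; then
        echo "$file: expected exactly one ${name}= line, found $n" >&2
        return 1
    fi
    # mv -f replaces the target even when the copy of Makefile.config.linux
    # kept that file's read-only mode.
    sed "s|^\([[:space:]]*${name}[[:space:]]*=\).*|\1 ${value}|" "$file" > "$file.new" &&
        mv -f "$file.new" "$file"
}

# get_make_var FILE NAME: print the value currently assigned to NAME.
get_make_var() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# apply_redhat7_fixes FILE: the three changes from the TIP, after a backup.
apply_redhat7_fixes() {
    cfg=$1
    cp -p "$cfg" "$cfg.pre-rh7" || return 1
    set_make_var "$cfg" XLIBDIR /usr/X11R6/lib &&
    set_make_var "$cfg" AUXLIB  -lcrypt &&
    set_make_var "$cfg" DBMLIB  -lndbm
}

# Demonstration on a constructed fragment (not the real Makefile.config.linux).
demo=$(mktemp -d)
cat > "$demo/Makefile.config" <<'EOF'
CC= gcc
AUXLIB=
DBMLIB=
#XLIBDIR=/usr/local/X11R5/lib
XLIBDIR=/usr/X11/lib
EOF
apply_redhat7_fixes "$demo/Makefile.config" && cat "$demo/Makefile.config"
rm -rf "$demo"
```

Commented-out assignments are left alone, and a missing variable stops the run instead of being silently skipped.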
You're now ready to compile, link, and install the package using the following two commands:
[ramon]$ make
[ramon]$ sudo make install
I found that the man pages do not get installed by default, so I copied them in place by hand:
[ramon]$ cd doc/man
The FWTK package installs both its executables and configuration files in the /usr/local/etc directory tree. Here's what this directory should look like once the FWTK package is completely installed:
-rwxr-xr-x 1 root root 1954587 Jan 28 14:28 ftp-gw
-rwxr-xr-x 1 root root 2073268 Jan 28 14:28 http-gw
-rwxr-x--- 1 root root     362 Jan 28 14:28 mqueue
-rwxr-xr-x 1 root root 1777157 Jan 28 14:28 netacl
-rw-r--r-- 1 root root    3101 Jan 28 14:28 netperm-table
-rwxr-xr-x 1 root root 1866661 Jan 28 14:28 plug-gw
-rwxr-xr-x 1 root root 1912963 Jan 28 14:28 rlogin-gw
-rwxr-xr-x 1 root root 1794972 Jan 28 14:28 smap
-rwxr-xr-x 1 root root 1697757 Jan 28 14:28 smapd
-rwxr-xr-x 1 root root 1944219 Jan 28 14:28 tn-gw
-rwxr-xr-x 1 root root  217794 Jan 28 14:28 x-gw
The FWTK developers subscribed to the divide-and-conquer approach to security software design. Instead of creating a single monolithic tool, they developed separate packages that work independently and provide separate services (e.g., FTP, Telnet, and HTTP). The advantage of this is that a vulnerability is only likely to affect one of the packages, and therefore will only compromise a single service running on your Linux system. This makes each FWTK component straightforward enough to be understood completely by the system administrator, and it even makes it possible for you to read the component's source code to verify its integrity and correctness, if necessary. Each of these applications will be discussed later in this chapter. For now, simply make sure that these files are present in the /usr/local/etc directory.
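The presence check can be scripted and extended to ownership and write permissions, since the listing above shows every file owned by root and writable only by its owner. This is an added example, not part of the book or of the FWTK distribution; the file names come from the listing, while the function name, the output labels and the constructed demonstration directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the FWTK distribution.
# File names are taken from the /usr/local/etc listing above.
FWTK_FILES="ftp-gw http-gw mqueue netacl netperm-table plug-gw rlogin-gw smap smapd tn-gw x-gw"

# check_fwtk_install DIR [OWNER]
# Prints one line per finding; returns 0 if clean, 1 otherwise.
# OWNER defaults to root, as in the listing; a numeric uid also works.
check_fwtk_install() {
    dir=$1 owner=${2:-root} bad=0
    for f in $FWTK_FILES; do
        p=$dir/$f
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"; bad=1; continue
        fi
        # Anything another account can modify lets that account change what
        # the firewall runs or what netperm-table permits.
        if [ -n "$(find "$p" -prune ! -user "$owner" -print)" ]; then
            echo "OWNER     $p"; bad=1
        fi
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE  $p"; bad=1
        fi
    done
    return $bad
}

# Demonstration on a constructed directory (not a real installation).
demo=$(mktemp -d)
for f in $FWTK_FILES; do : > "$demo/$f"; chmod 755 "$demo/$f"; done
chmod 666 "$demo/netperm-table"     # constructed fault: world-writable rules
rm "$demo/smapd"                    # constructed fault: missing component
check_fwtk_install "$demo" "$(id -u)" || echo "installation needs attention"
rm -rf "$demo"
```

On a real system the call is check_fwtk_install /usr/local/etc, which expects root ownership.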
The next section of this chapter guides you through the process of preparing your system to act as an application layer firewall, and configuring the FWTK environment to provide the proxy service through your Linux server. The first step in that process is to understand the FWTK architectures.