Notice:
This material is excerpted from Running
A Perfect Internet Site with Linux, ISBN: 0-7897-0514-1. The electronic
version of this material has not been through the final proof reading stage
that the book goes through before being published in printed form. Some
errors may exist here that are corrected before the book is published.
This material is provided "as is" without any warranty of any
kind.
Copyright ©1996, Que Corporation. All rights reserved.
No part of this book may be used or reproduced in any form or by any means,
or stored in a database or retrieval system without prior written permission
of the publisher except in the case of brief quotations embodied in critical
articles and reviews. Making copies of any part of this book for any purpose
other than your own personal use is a violation of United States copyright
laws. For information, address Que Corporation, 201 West 103rd
Street, Indianapolis, IN 46290 or at support@mcp.com.
Appendix E - Setting Up a Firewall
Sometimes the standard security precautions aren't considered stringent
enough to protect a site's data. If that is the case for your site, you
may need to set up a firewall to protect your systems from unwanted
traffic. (See chapter 12, "Security,"
for help on deciding whether or not your site needs a firewall.)
The firewall software you'll install with this book is Socks version
5. It allows the hosts behind your firewall to reach the Internet without
permitting hosts outside the firewall to reach them.
Be sure to have a separate machine for your firewall for good security.
Then, the machine that contains your servers (e.g., ftpd, httpd) should
be outside the firewall, so people from the outside world can access it.
Your users should be inside the firewall (see fig. E.1).
There are also commercial firewall packages available for Linux, but
they are often too expensive for anyone except those who are running large
sites. The best way to find a commercial system (generally a combination of
software and hardware) is to search the Web. For example, try ZEBU.
Compiling and Installing the Binaries
First, you need to get the binaries compiled before you can set up your
server. So, let's go through that process now.
Preparing to Compile Socks
Before you can compile Socks, you need to set up a Makefile containing
the specific settings you need for your site. This will ensure that the
firewall software is compiled for your needs.
To configure your source for compilation, complete the following steps
on the machine you intend to use as your firewall server (as root):
- Copy the source from /socks5 on the CD-ROM to your favorite
unpacking and compiling location.
- Gunzip the source.
- Untar the source.
- Change to the socks5 directory.
- Type configure to run the script that will look over your system
and configure things for you. This is an automated script that locates
all of the items it needs to be able to compile Socks, and sets up the
Makefile and a list of other necessary files accordingly. A few screens
worth of information slide by as it looks for what it needs and then creates
the files.
Compiling and Installing the Binaries
Compiling and installing the general Socks binary is fairly simple.
Just do the following (as root):
- Go to your Socks directory.
- Type make to compile Socks. If you run into any problems, use what
you've learned throughout this book about fixing source that won't compile
(e.g., in chapter 10, "Installing FTP Server Software") to get it
working.
- Type make check to run any self-test programs included with
the distribution.
- Type make install to install the binaries and documentation
for Socks.
- Type make clean to get rid of the mess of interim files created
during the compilation.
- Type make distclean to get rid of the interim files the configuration
script created.
Setting Up Your Socks Server
Now, it's time to set up your firewall itself. Take your time and put
a lot of thought into this section. Whatever you leave out now, you'll
have to add later.
Setting Up socks5.conf
The socks5.conf file is where you will define most of your
firewall's permissions and how it handles access. To set this file up,
do the following (as root):
- Edit the file /etc/services.
- Add the line:
socks 1080/tcp
- Edit the file /etc/socks5.conf.
- First, you're going to determine your site's most basic IP address
and your netmask. For example, my site's IP addresses all start with 199.60.103.
with one more number specifying the machine. If I use 199.60.103.0,
the 0 in the last octet tells Socks that any machine with the same initial
three parts of the IP address is one of mine. For the netmask, because
I have a class C address, I'd use 255.255.255.0. This item is used
in a few of the definitions you'll encounter in this file.
- Now, assign what kind of authentication is required for each location.
Your choices are as follows:
- n no authentication required
- u username, plus password if you require one
- k kerberos 5 required
- - any form of authentication required
- For each item you want to assign a type of authentication to, you need
to have a line containing the following items:
- Use the word auth to tell the server this is an authentication
assignment line.
- Supply the address for the service the authentication type is being
assigned to. This address can be the one determined in step 4: a full host
+ domain name or a domain name.
- Specify the port for the above mentioned service.
- Specify the type of authentication required.
- If, for example, I had a Web server on port 80 with the address www.renaissoft.com
and I didn't want to require authentication so outside users could access
it, I would use the following for its authentication line:
auth www.renaissoft.com 80 n
- If you have any machines with multiple IP addresses, you need to tell
your firewall how to handle them. The items you need to have on a line
assigning routing are the following:
- Use the word route to tell the server this is a routing definition.
- Supply the address for the service or host you are defining. This address
can be expressed in the form of step 4: a full host + domain name or a
domain name.
- Specify the port number of the service you are defining or the name
of the service.
- Specify the IP address of the interface card or the name assigned to
the interface.
If you don't have machines with multiple IP addresses, a routing definition
is not necessary.
- For example, if the Web server I referred to in the previous example
is on a machine with two IP addresses, then I need to assign its routing
here. The definition, if the name of the interface card is le1,
would be as follows:
route www.renaissoft.com 80 le1
- Now, you can set how you want your server to log some items, and what
kinds of messages it should display. A line with this type of definition
consists of the following items:
- Include the word set to tell it you're setting a logging or
display definition.
- Specify the variable you want to set. The items you can set are as
follows:
- SOCKS5_DEBUG Turns on all debugging information
- SOCKS5_LOG_STDERR Logs all messages to stderr
- SOCKS5_LOG_SYSLOG Logs all messages to syslog
- For example, I can have all messages go to the syslog first.
Then, I can configure the syslog to separate these items according
to type and save them to specific files. To do this, I would use:
set SOCKS5_LOG_SYSLOG
- If your Socks server has services it needs to access through other
Socks servers, you need to assign some proxies. A proxy definition line
contains the following items:
- Indicate the type of proxy, which can be s5 (socks5), s4
(socks4), or np (no proxy necessary).
- Indicate the address for the service or host you are defining. This
address can be expressed in the form of step 4: a full host + domain name
or a domain name.
- Specify either the port number or the name of the service you're defining.
- Specify either the IP address or the name of the proxy server to use
for the service.
- Indicate the port on the proxy server to contact for the service.
- For example, if the Web service I discussed earlier has to go through
another Socks server, and if this proxy server is also a Socks5 setup at
proxy.renaissoft.com and is set to wait for Web items at port 85,
I would enter the following:
s5 www.renaissoft.com 80 proxy.renaissoft.com 85
- Now set access controls to determine which requests for services will
be honored and which will be denied. There are two types of access definitions:
permit and deny. Both options require the same list of parameters,
as follows:
- Determine the type of authentication methods necessary to trust the
service connecting. Your choices are one or more of the following:
- n no authentication necessary
- u username authentication required with optional password
- k Kerberos 5 authentication required
- Establish the types of commands your server will accept from the process
making the connection. You can choose one or more of the following:
- c Accept connections
- b Accept bind
- u Accept udp
- a Accept any and all commands
- Decide the address for the service or host the command is approved
to come from. This address can be expressed in the form of step 4: a full
host + domain name or a domain name.
- Decide the address for the service or host the command is approved
to go to. This address can be expressed in the form of step 4: a full host
+ domain name or a domain name.
- Specify the port for the service or host the command is authorized
to come from.
- Specify the port for the service or host the command is authorized
to go to.
- Create an optional list of user names you are specifically authorizing,
excluding all others.
- For example, if I wanted to authorize all commands from the site neighbor.com,
sent from port 40 to the machine catherine.renaissoft.com
on port 45, with no authentication required, then my line would read as
follows:
permit n a neighbor.com catherine.renaissoft.com 40 45
- If I wanted to ensure that three particular users (Ralph, Jane, and
Spot) from the site enemy.com on port 40 could not get into the
same area, whatever authentication they present (the - in the authentication
field), I would use the following:
deny - a enemy.com catherine.renaissoft.com 40 45 ralph jane spot
- Save and exit the file.
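The following is an added example (not code from the book or from the NEC Socks distribution) that parses a socks5.conf written in the field order given above and applies its permit/deny lines to a request. It checks each directive's field count (catching the common mistake of dropping the authentication field from a permit line), treats a bare domain name or a trailing-.0 network as matching every host in it, and uses first-match-wins with an implicit deny when nothing matches; those matching rules are assumptions for illustration, not a description of how the real server decides. The sample configuration is constructed from the hostnames used in the text.

```python
"""Parser and access-control matcher for the socks5.conf directives described
above.  Added example, not code from the book or from the NEC Socks
distribution: it follows the field order the appendix gives for auth, route,
set, proxy and permit/deny lines.  The matching semantics (first match wins,
no match means deny) are assumptions, not a description of the real server."""
from dataclasses import dataclass, field

AUTH_METHODS = {"n", "u", "k", "-"}   # none, username, Kerberos 5, any
COMMANDS = {"c", "b", "u", "a"}       # connect, bind, udp, any
PROXY_TYPES = {"s5", "s4", "np"}

# Constructed sample file; hostnames are the ones used in the appendix.
# The last line deliberately omits the <auth> field so the parser flags it.
SAMPLE_CONF = """\
auth www.renaissoft.com 80 n
route www.renaissoft.com 80 le1
set SOCKS5_LOG_SYSLOG
s5 www.renaissoft.com 80 proxy.renaissoft.com 85
permit n a neighbor.com catherine.renaissoft.com 40 45
deny - a enemy.com catherine.renaissoft.com 40 45 ralph jane spot
permit a neighbor.com catherine.renaissoft.com 40 45
"""


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    auth: set            # accepted authentication letters
    cmds: set            # accepted command letters
    src: str
    dst: str
    sport: str
    dport: str
    users: set = field(default_factory=set)   # empty means "any user"
    line: int = 0


def parse(text):
    """Return (rules, errors): permit/deny rules in file order, plus a list of
    (line number, reason) for every malformed line."""
    rules, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        kw = f[0]
        if kw == "auth":
            if len(f) != 4 or not set(f[3]) <= AUTH_METHODS:
                errors.append((n, "auth needs <host> <port> <method>"))
        elif kw == "route":
            if len(f) != 4:
                errors.append((n, "route needs <host> <port> <interface>"))
        elif kw == "set":
            if len(f) < 2 or not f[1].startswith("SOCKS5_"):
                errors.append((n, "set needs a SOCKS5_* variable"))
        elif kw in PROXY_TYPES:
            if len(f) != 5:
                errors.append((n, "proxy needs <host> <port> <proxy> <proxy-port>"))
        elif kw in ("permit", "deny"):
            # Seven fields plus an optional user list; a six-field line is the
            # classic mistake of leaving out <auth>.
            if len(f) < 7 or not set(f[1]) <= AUTH_METHODS or not set(f[2]) <= COMMANDS:
                errors.append((n, "needs <auth> <cmd> <src> <dst> <sport> <dport> [users]"))
                continue
            rules.append(Rule(kw, set(f[1]), set(f[2]), f[3], f[4], f[5], f[6],
                              set(f[7:]), n))
        else:
            errors.append((n, f"unknown directive {kw!r}"))
    return rules, errors


def host_matches(pattern, host):
    """A bare domain name matches every host in that domain; a network written
    with a trailing .0 (199.60.103.0 in the text) matches every address in it."""
    if pattern == host or host.endswith("." + pattern):
        return True
    return pattern.endswith(".0") and host.startswith(pattern[:-1])


def decide(rules, auth, cmd, src, dst, sport, dport, user=None):
    """Return (action, rule line) for a request; ("deny", None) if no rule
    matches.  '-' in a rule accepts any real authentication but not 'n'."""
    for r in rules:
        auth_ok = auth in r.auth or ("-" in r.auth and auth != "n")
        cmd_ok = cmd in r.cmds or "a" in r.cmds
        if (auth_ok and cmd_ok and host_matches(r.src, src)
                and host_matches(r.dst, dst)
                and r.sport == sport and r.dport == dport
                and (not r.users or user in r.users)):
            return r.action, r.line
    return "deny", None


if __name__ == "__main__":
    rules, errors = parse(SAMPLE_CONF)
    for n, why in errors:
        print(f"line {n}: {why}")
    print(decide(rules, "n", "c", "pc1.neighbor.com",
                 "catherine.renaissoft.com", "40", "45"))
```

Run against the sample, the parser reports line 7 as malformed (no authentication field), a connect request from a host in neighbor.com matches the permit rule on line 5, and one of the named users from enemy.com is caught by the deny rule on line 6 whatever authentication they present; any other user from enemy.com is refused by the default because no rule matches.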
Preparing Your Clients
All of your client applications need to be recompiled to know how to
talk to your firewall. Fortunately, even if your client of choice doesn't
have an option in its source to work with a firewall, it's simple to add
the necessary code (if you have access to the source).
Some preconfigured clients come with the firewall software in the clients
directory. Compile them and give them a try if you like.
To determine whether a client's source can be changed to allow it to
work with your firewall, do the following:
- Go to the source directory for the client you want to convert.
- Search it for the following item:
SOCK_DGRAM
- To do this search, use grep SOCK_DGRAM * to search all of the
files in the directory for the term SOCK_DGRAM.
- If this shows up, you cannot use this client with Socks. SOCK_DGRAM
creates a UDP socket, which this firewall software does not support.
- Find another acceptable client that does not contain this item.
To change a client's source to allow it to work with your firewall,
do the following:
- Edit the file.
- Locate the beginning of the main procedure.
- Enter the following near the beginning of this procedure:
SOCKSinit(argv[0]);
- Locate all lines that begin with cc. Add the following to
the end of each of those lines:
-Dconnect=Rconnect -Dgetsockname=Rgetsockname -Dbind=Rbind \
-Daccept=Raccept -Dlisten=Rlisten -Dselect=Rselect
If the client is compiled with a Makefile, add the above to the CFLAGS
macro.
- Locate the final target in the Makefile, which starts with cc
or ld.
- Add the following to that line:
-DSHORTENED_RBIND
- Compile the client.
- Test the client.
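A script to run the checks above over a client's source tree, as an added example (not from the book or the Socks package): it flags sources that use SOCK_DGRAM, lists the socket calls that the -Dconnect=Rconnect and related defines will redirect, reports any main() that does not yet call SOCKSinit(), and appends the defines to a Makefile's CFLAGS macro. The sample C sources, file names and Makefile fragment are constructed for the demonstration.

```python
"""Audit a client's source tree for the conversion steps described above:
reject sources that use SOCK_DGRAM, list the socket calls that the
-Dconnect=Rconnect ... defines will redirect, check that main() calls
SOCKSinit(), and add the defines to a Makefile's CFLAGS macro.  Added
example, not from the book or the Socks distribution; the sample C sources
and file names below are constructed."""
import os
import re
import tempfile

# Calls the appendix renames to their R* counterparts with -D defines.
REDIRECTED = ("connect", "getsockname", "bind", "accept", "listen", "select")
SOCKS_CFLAGS = " ".join(f"-D{c}=R{c}" for c in REDIRECTED)
CALL_RE = re.compile(r"\b(" + "|".join(REDIRECTED) + r")\s*\(")

# Constructed sample sources: a TCP client that can be converted and a UDP
# client that cannot.
TCP_CLIENT = """\
#include <sys/socket.h>
int main(int argc, char **argv) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    connect(s, 0, 0);
    return 0;
}
"""
UDP_CLIENT = """\
#include <sys/socket.h>
int main(int argc, char **argv) {
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    bind(s, 0, 0);
    return 0;
}
"""


def audit_source(text):
    """Describe one C source file."""
    return {
        "uses_dgram": "SOCK_DGRAM" in text,
        "calls": sorted(set(CALL_RE.findall(text))),
        "has_main": re.search(r"\bmain\s*\(", text) is not None,
        "has_socksinit": "SOCKSinit(" in text,
    }


def audit_tree(path):
    """Walk a source tree and summarise whether it can be socksified."""
    report = {"files": {}, "convertible": True, "needs_socksinit": []}
    for root, _, names in os.walk(path):
        for name in sorted(names):
            if not name.endswith((".c", ".h")):
                continue
            with open(os.path.join(root, name)) as fh:
                info = audit_source(fh.read())
            report["files"][name] = info
            if info["uses_dgram"]:          # UDP client: cannot use Socks
                report["convertible"] = False
            if info["has_main"] and not info["has_socksinit"]:
                report["needs_socksinit"].append(name)
    return report


def socksify_makefile(text):
    """Append the redirect defines to the CFLAGS macro, adding one if the
    Makefile has none; safe to run more than once."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"\s*CFLAGS\s*[:?+]?=", line):
            if SOCKS_CFLAGS not in line:
                lines[i] = line.rstrip() + " " + SOCKS_CFLAGS
            break
    else:
        lines.insert(0, "CFLAGS = " + SOCKS_CFLAGS)
    return "\n".join(lines) + "\n"


def build_demo_tree(include_udp=False):
    """Write the constructed sources into a fresh temp dir and return its path."""
    path = tempfile.mkdtemp(prefix="socksaudit-")
    with open(os.path.join(path, "tcpclient.c"), "w") as fh:
        fh.write(TCP_CLIENT)
    if include_udp:
        with open(os.path.join(path, "udpclient.c"), "w") as fh:
            fh.write(UDP_CLIENT)
    return path


if __name__ == "__main__":
    print(audit_tree(build_demo_tree(include_udp=True)))
    print(socksify_makefile("CFLAGS = -O2\nclient: client.c\n\tcc $(CFLAGS) -o client client.c\n"))
```

The Makefile step is idempotent, so it can be re-run after pulling a new version of the client without doubling the defines; the -DSHORTENED_RBIND addition to the link line and the SOCKSinit(argv[0]) call itself are still done by hand as the steps above describe.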
Locating Assistance
If you need assistance in setting up your firewall, there are a number
of excellent sources you can look to for help. These sources are supported
by the people who program the server itself.
The NEC Socks Home Page
NEC has an excellent home page with everything you want to know about
Socks. Check it out at
The Socks Mailing List
You can subscribe to a mailing list for discussions of Socks problems,
postings of new FAQs, announcements, etc. To subscribe, send e-mail to
majordomo@syl.dl.nec.com
QUE Home Page
For technical support for our books and software contact support@mcp.com