This section lists a sample netperm-table file. To help you understand this file better, a prodigious number of comments are included. In addition, a wide variety of options are included so that you can see how the examples used in the chapter would appear when configuring the TIS Toolkit.
#
# Sample netperm configuration table
#
# Change YOURNET to be your network IP address
# Change YOURADDRESS to be the IP address of a specific host
#
# Example netacl rules:
#
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the telnet proxy
# This is okay, but means that anyone who is authorized to connect to the
# firewall box through the proxy can get a login prompt on the firewall.
# In most circumstances, it is best to provide tight controls on who can log in
# directly to the firewall.
#netacl-telnetd: permit-hosts 127.0.0.1 -exec /usr/libexec/telnetd
#netacl-telnetd: permit-hosts YOURADDRESS -exec /usr/libexec/telnetd
#
# This rule says that only telnet sessions through netacl from these two hosts
# will be accepted.
netacl-telnetd: permit-hosts 206.116.65.2 206.116.65.3 -exec /usr/libexec/telnetd
#
# if the next line is uncommented, the telnet proxy is available
#netacl-telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
#
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the rlogin proxy
#netacl-rlogind: permit-hosts 127.0.0.1 -exec /usr/libexec/rlogind -a
#netacl-rlogind: permit-hosts YOURADDRESS 198.6.73.2 -exec /usr/libexec/rlogind -a
#
# if the next line is uncommented, the rlogin proxy is available to any host
#netacl-rlogind: permit-hosts * -exec /usr/local/etc/rlogin-gw
#
# The next line allows FTP sessions from the specified network(s) to the
# firewall system itself.
netacl-ftpd: permit-hosts 206.116.65.* -exec /usr/libexec/ftpd -A -l
#
# Uncommenting the next line will turn off FTP and print a message to that
# effect whenever someone attempts to access the FTP port.
# netacl-ftpd: permit-hosts 206.116.65.147 -exec /bin/cat /usr/local/etc/noftp.txt
#
# to enable finger service uncomment these 2 lines
#netacl-fingerd: permit-hosts YOURNET.* -exec /usr/libexec/fingerd
#netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
#
# Example smap rules:
#
# These rules control the operation of the SMAP and SMAPD applications.
smap: userid 6
smap: directory /var/spool/smap
smap: timeout 3600
#
# Change this to increase/decrease the maximum message size that will be
# permitted.
smap: maxbytes 10000
smap: maxrecip 20
#
# This configuration section is for the SMAPD application
#
smapd: executable /usr/local/etc/smapd
smapd: sendmail /usr/sbin/sendmail
# These rules control the operation of the FTP proxy
#
# Use the following lines to configure the denial, welcome and help messages
# for the proxy.
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
#
# Use the following line to use the authentication server
ftp-gw: authserver localhost 7777
#
# set the timeout
ftp-gw: timeout 3600
# uncomment the following line if you want internal users to be
# able to do FTP with the internet
# ftp-gw: permit-hosts 206.116.65.*
#
# the following line logs all get and put requests, and authorizes put
# requests.
ftp-gw: permit-hosts 206.116.65.* -log { retr stor } -auth { stor }
# uncomment the following line if you want external users to be
# able to do FTP with the internal network using authentication
#ftp-gw: permit-hosts * -authall -log { retr stor }
# the following line permits a telnet only to hosts in the .fonorola.net
# domain. All other requests are denied.
#tn-gw: permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
tn-gw: permit-hosts 206.116.65.* -passok -xok
# tn-gw: deny-hosts * -dest 206.116.65.150
# if this line is uncommented incoming traffic is permitted WITH
# authentication required
# tn-gw: permit-hosts * -auth
# Example rlogin gateway rules:
#
#rlogin-gw: permit-hosts YOURNET.* -passok -xok
rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
rlogin-gw: denydest-msg /usr/local/etc/rlogin-dest.txt
#rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 3600
rlogin-gw: prompt "Enter Command>"
rlogin-gw: permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
rlogin-gw: deny-hosts * -dest 206.116.65.150
# if this line is uncommented incoming traffic is permitted WITH
# authentication required
#rlogin-gw: permit-hosts * -auth -xok
# Example auth server and client rules
#
authsrv: hosts 127.0.0.1
authsrv: database /usr/local/etc/fw-authdb
authsrv: badsleep 1200
authsrv: nobogus true
authsrv: permit-hosts localhost
# clients using the auth server
*: authserver 127.0.0.1 7777
# X-forwarder rules
tn-gw, rlogin-gw: xforwarder /usr/local/etc/x-gw
#
# Plug-gw
#
# The following rules provide examples on using plug-gw to access other
# services, such as POP mail and NNTP.
#
# Uncomment the next line to allow NNTP connections to be routed to an
# external news server for news reading.
#
# plug-gw: port 119 YOURNET.* -plug-to NEWS_SERVER_IP
#
# Uncomment the next line to allow POP mail connections from the private
# network to an external POP mail host.
#
# plug-gw: port 110 YOURNET.* -plug-to POP_MAIL_HOST_IP
#
# HTTP-GW
#
# This section provides some examples for the http-gw proxy
#
http-gw: userid www
# http-gw: directory /usr/local/secure/www
http-gw: timeout 1800
http-gw: default-httpd www.fonorola.net
http-gw: default-gopher gopher.fonorola.net
http-gw: permit-hosts 206.116.65.*
# http-gw: deny-hosts 206.116.65.2
http-gw: deny-hosts unknown
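The listing above is easier to review if you can ask it the question a firewall administrator cares about: "from this source host, will this proxy accept the connection, and to which destinations?" The following Python script is an added example, not code from the TIS Toolkit or from this chapter. It parses the "application: keyword arguments" format used in netperm-table (including comma-separated application lists, the "*" application entry, "-exec" command lines, "-dest" patterns with "!" negation and brace groups such as "-log { retr stor }") and evaluates permit-hosts and deny-hosts rules. The rule semantics it assumes are stated in the comments: rules are tried in file order and the first host match decides, no match means deny, a -dest list is also first-match, and a -dest option on a deny-hosts rule is read as limiting the deny to those destinations. The rule text embedded in SAMPLE_TABLE is a constructed subset of the listing above.

```python
"""Added example: evaluate TIS Toolkit netperm-table rules (not toolkit code).
Assumed semantics: permit-hosts/deny-hosts are tried in file order and the
first rule whose host pattern matches decides; no match means deny; a -dest
list is first-match too, with a leading '!' negating the pattern."""
import fnmatch
import shlex
from dataclasses import dataclass


@dataclass
class Rule:
    apps: list      # application names before the colon ('*' means any application)
    keyword: str    # e.g. permit-hosts, deny-hosts, authserver, xforwarder
    args: list      # the remaining tokens of the line


# Constructed sample: a subset of the listing above, with a commented-out line
# kept so that the comment handling is exercised.
SAMPLE_TABLE = """\
#netacl-telnetd: permit-hosts 127.0.0.1 -exec /usr/libexec/telnetd
netacl-telnetd: permit-hosts 206.116.65.2 206.116.65.3 -exec /usr/libexec/telnetd
netacl-ftpd: permit-hosts 206.116.65.* -exec /usr/libexec/ftpd -A -l
ftp-gw: permit-hosts 206.116.65.* -log { retr stor } -auth { stor }
tn-gw: permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
tn-gw: deny-hosts * -dest 206.116.65.150
tn-gw, rlogin-gw: xforwarder /usr/local/etc/x-gw
*: authserver 127.0.0.1 7777
"""


def parse_netperm(text):
    """Turn netperm-table text into Rule objects; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)     # also copes with quoted prompt strings
        if not tokens:
            continue
        apps = []
        while tokens and not tokens[0].endswith(":"):  # "tn-gw, rlogin-gw:" spans several tokens
            apps += [a for a in tokens.pop(0).split(",") if a]
        if len(tokens) < 2:
            raise ValueError(f"malformed netperm line: {raw!r}")
        apps += [a for a in tokens.pop(0)[:-1].split(",") if a]
        rules.append(Rule(apps, tokens[0], tokens[1:]))
    return rules


def split_hosts_and_options(args):
    """Split permit-hosts/deny-hosts arguments into host patterns and '-option' values."""
    hosts, options, i = [], {}, 0
    while i < len(args) and not args[i].startswith("-"):
        hosts.append(args[i])
        i += 1
    while i < len(args):
        opt, i = args[i], i + 1
        vals = options.setdefault(opt, [])
        if opt == "-exec":                           # -exec takes the whole remaining command line
            vals.extend(args[i:])
            break
        if i < len(args) and args[i] == "{":         # brace group: -log { retr stor }
            close = args.index("}", i)
            vals.extend(args[i + 1:close])
            i = close + 1
        elif i < len(args) and not args[i].startswith("-"):
            vals.append(args[i])                     # single value: -dest *.fonorola.net
            i += 1
    return hosts, options


def matches(pattern, host):
    """Shell-style wildcard match, case-insensitive, as netperm host patterns are."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def dest_matches(patterns, dest):
    """First match over a -dest list; a leading '!' negates. No list means any destination."""
    if not patterns:
        return True
    for pat in patterns:
        if matches(pat.lstrip("!"), dest):
            return not pat.startswith("!")
    return False


def check_access(rules, app, src, dest=None):
    """Return (decision, options) for app/src[/dest]; no matching rule means deny."""
    for rule in rules:
        if rule.keyword not in ("permit-hosts", "deny-hosts"):
            continue
        if not any(a in (app, "*") for a in rule.apps):
            continue
        hosts, options = split_hosts_and_options(rule.args)
        if not any(matches(h, src) for h in hosts):
            continue
        dest_ok = dest is None or dest_matches(options.get("-dest", []), dest)
        if rule.keyword == "deny-hosts":
            if dest_ok:                 # assumption: -dest on a deny rule scopes the deny
                return "deny", options
            continue
        return ("permit" if dest_ok else "deny"), options
    return "deny", {}


def lookup(rules, app, keyword):
    """First non-host setting for app, honouring '*' entries and comma-separated app lists."""
    for rule in rules:
        if rule.keyword == keyword and any(a in (app, "*") for a in rule.apps):
            return rule.args
    return None


RULES = parse_netperm(SAMPLE_TABLE)

if __name__ == "__main__":
    for app, src, dest in [("netacl-telnetd", "206.116.65.2", None),
                           ("netacl-telnetd", "127.0.0.1", None),
                           ("tn-gw", "206.116.65.10", "news.fonorola.net"),
                           ("tn-gw", "206.116.65.10", "206.116.65.150")]:
        print(app, src, dest or "-", "->", check_access(RULES, app, src, dest)[0])
```

Running the script shows why the order of rules and the trailing "-dest !*" matter: an internal host reaching a .fonorola.net destination through tn-gw is permitted, the same host reaching 206.116.65.150 is denied by the negated pattern before the later deny-hosts rule is ever consulted, and a host with no matching rule at all is denied by default. Checking a candidate netperm-table this way before installing it catches the common mistake of a "permit-hosts *" line placed above the intended restrictions.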