0.1: How do I get support for the FWTK? 
TIS engineers continue to monitor the FWTK mailing lists, but no direct support is available. The fwtk-support list, which has been used for users of the FWTK to send problem reports to TIS, is available to anyone who would like to be added to it, and the user community will provide its own support.
0.2: How can I join the FWTK mailing list?
Subscribe to the FWTK users mailing list by sending a message to majordomo@listserv.nai.com. In the body of the message put the following line:

               subscribe fwtk-users

After subscribing, you can e-mail the FWTK users mailing list by sending an e-mail to fwtk-users@listserv.nai.com .
0.3: How can I unsubscribe from the FWTK mailing list?
Unsubscribe to the FWTK mailing list by sending a message to majordomo@listserv.nai.com. In the body of the message put the following line:

                unsubscribe fwtk-users

Also, every e-mail from the mailing list has instructions on how to unsubscribe your own e-mail address and which of your e-mail addresses is subscirbed to the list.

0.4: I am having problems with the mailing list...
Contact the FWTK list owner at Support.Listserv@nai.com.  

0.5: Where can I find an archive of the mailing list? 
The FWTK users mail list archive is at ftp://ftp.tislabs.com/pub/firewall/toolkit/fwtk-users-archive/ . You can find a searchable online archive at: http://www.progressive-comp.com/Lists/?l=fwtk-users&r=1&w=2#fwtk-users
0.6: What companies provide paid support for the toolkit? Can I provide paid support?
Not really. This is against the FWTK license.

Unofficially, NAI is not completely enforcing this part of the license. They do, however, completely enforce selling of the FWTK or systems based on a "FWTK firewall".
From: John Kelley <johnk@tislabs.com>
Subject: Re: Request for licensing details

Basically, we allow consultant configurations as long as it is a part of a whole consulting package.  For example, you cannot advertise as a fwtk consultant or fwtk expert, or sell fwtk consulting.  But if it is a part of a whole consulting package, we have no problems with it.

We appreciate being kept informed of who you are doing this work for, and ask that you don't do a large number (say, over 5) fwtk configurations a year.

I hope that is clearer.  Fwtk is not officially supported by NAI, so consulting with its configuration is entirely understandable.  We just limit what commercial gain can be acquired from it directly.

Compiling the toolkit
1.1.1: "Undefined symbol `_crypt' referenced from text segment" errors
Make sure that you add "-lcrypt" to the AUXLIB setting in Makefile.config.
1.1.2: How do you build the toolkit with USE_UDPSYSLOG?
That code's pretty simple - however, on a FreeBSD system you probably should fix it to use vsnprintf() rather than the way it tries to detect overflow. Change all the exit() calls to _exit() as well, while you're at it; if somehow someone manages to overflow its internal buffer they can corrupt data in random places. Since it uses a static buffer - not on the stack - this is much harder to exploit than the usual stack basher; fixing the exit calls to _exit makes it even harder to exploit. 
1.1.3: "ld: Error: Undefined: IceProcessMessages..." errors
Try changing the "XLIBS=" line to add "-lSM -lICE" after "-lX11" in Makefile.config.
1.1.4: I get an error while trying to compile daemon.c....
The error which you get is related to a typedef for size_t in /usr/include/sys/signal.h

Fix:  In daemon.c include types.h before signal.h.

1.2.1: How do I compile the toolkit under HP-UX 9.0x? 
After configuring firewall.h and copying over Makefile.config.hpux , you need to edit fixmake as: 
    *** fixmake     Thu Sep  4 09:49:06 1997 
    --- fixmake.orig        Thu Sep  4 09:49:15 1997 
    *** 30,36 **** 
        echo renaming $name to $name.proto 
        mv $name $name.proto 
       sed 's/^include[        ]*\([^  ].*\)/include \1/' $name.proto > $name 
       echo "built $name" 
    --- 30,36 ---- 
        echo renaming $name to $name.proto 
        mv $name $name.proto 
    !   sed 's/^include[        ]*\([^  ].*\)/.include "\1"/' $name.proto >
       echo "built $name" 
Then run fixmake. Make sure that your makefiles contain: 
    include ../Makefile.config 
rather than 
    .include "../Makefile.config"
1.2.2: What is the config to compile under HP-UX 10.20/11.x?
First, install and use gcc. It works much better on compiling the toolkit than HP's compiler. 

Also, it looks like 11.0 supplies getenv(); edit getenv.c to remove the "|| defined(HPUX)" from line 38. 

1.3.1: "fwtk/auth/db.c:66: undefined reference to `dbm_open'" errors
Make a backup of the current Makefile.config, then copy Makefile.config.linux to Makefile.config. If you are still getting DBM errors, then do a "man dbm_open" should give you information on what to put into the DBMLIB= line of Makefile.config. Any of "-ldbm", "-ldb", "-lgdbm", "-lndbm" could work depending on who built your distribution. 

If you are still having problems, get the latest gdbm package from ftp://ftp.gnu.org and compile/install the entire package (including header files) with the "install-compat" option. Then, change the DBMLIB= line in Makefile.config to "-lgdbm" to point to your new /usr/lib/libgdbm.a library file. 
1.3.2: "cannot open -libc" or "cannot open -lc" errors
Make a backup of the current Makefile.config, then copy Makefile.config.linux to Makefile.config. If this doesn't work, you might want to remove the "-static" from the "LDFL=" line, but you lose the advantages of static binaries. 
1.3.3: "error.c: Parse error before string constant" errors
Find occurences of the string "errno" in error.c. Change them to "zerrno". 
1.3.4: "ulib.h:23: X11/Intrinsic.h: No such file or directory" error
You need the X11 programming environment installed to build x-gw. One of your packages probably has these - should be there as part of the X11R6 stuff. 
1.3.5: "hmain.c:1060: warning: passing arg 3 of `select' from incompatible pointer type" error
You can safely ignore these. 
1.3.6: "Undefined symbol `_crypt' referenced from text segment" errors
See the answer to the same question in the FreeBSD section of this FAQ. 

1.4.1: How do I compile the toolkit under NeXTStep?
Read the HOWTO written by Timothy J Luoma at nextstep.html.

1.5.1: "Symbol signal in /usr/ccs/lib/libc.a is multiply defined" error
Don't compile fwtk/lib/signal.c unless you need it. You probably don't. (Edit Makefile.config.sco5 to change the "SYSVOBJ=signal.o" to comment it out, then "make clean;make" from the toplevel.) 

1.6.1: "Badly placed ()'s/*** Error code 1 (bu21)" error
Don't use SGI's make. Use gmake instead. 
1.6.2: I can't compile the toolkit using SGI's compiler...
Add -cckr to your CFLAGS.  You'll still get harmless warnings, which you can suppress with the -w flag (or just use the gcc compiler instead). 

1.7.1: What configuration should I use with SINIX?
It will work when you use the Berkley C-compiler 

In Makefile.config set: 

    CC = /usr/ucb/cc 
    RANLIB= touch 
    (comment out) SYSVOBJ= signal.o

Solaris 2.x
1.8.1: "`LOCK_EX' undeclared (first use this function)" errors
Make a backup of the current Makefile.config, then copy Makefile.config.solaris to Makefile.config
1.8.2: "Undefined symbol socket getpeername" error
Make a backup of the current Makefile.config, then copy Makefile.config.solaris to Makefile.config
1.8.3: "undefined symbol: MAXHOSTNAMELEN" error
Include something like in http-gw.h prior to the first MAXHOSTNAMELEN reference: 

SunOS 4.x (Solaris 1.x)
1.9.1: SunOS kernel panics
This is a Sun bug. A common reason is doing a getsockopt() after a connection has been reset. You will need to install a Sun patch, which you will get through your regular Sun support channel. 
OS version Patch ID
4.1.3 100584
4.1.3_U1 102010
4.1.4 102517
1.9.2: "ld: Undefined symbol _res_query" error
Some systems don't have their DNS resolver routines in libc, but instead in some other, separate library.  Try to look for it: 
     ls -l /usr/lib/libres* 
You should find a file named libres.a, or libres.so, or libresolv.a, or libresolv.so.  Whichever you find, go into your Makefile, and make sure that the compile-and-load line ('$(CC) -o smap ...') ends with -lXXX, where XXX is the part between "lib" and the dot.  E.g., for the examples I gave above, you would add either -lres or -lresolv. 

1.10.1: I can't get the toolkit to compile under Ultrix 4.0
I'm not sure many people still use Ultrix, never mind run it as part of their firewall, but if so, these patches are required for a clean compile. Neither patch should impact the ability of the FWTK to compile elsewhere. 

Darren Reed <darrenr@cyber.com.au

RCS file: RCS/hmain.c,v 
retrieving revision 1.9 
diff -c -r1.9 hmain.c 
*** hmain.c 1997/01/18 20:23:16 1.9 
--- hmain.c 1997/11/06 07:25:22 
*** 93,99 **** 

!  if ( !(tab_ptr[*cnt_ptr] = strdup(browser_name)) ) { 
syslog(LLEV,"failed to get storage for browser entry %m"); 

--- 93,99 ---- 

!  if ( !(tab_ptr[*cnt_ptr] = makestring(browser_name)) ) { 
syslog(LLEV,"failed to get storage for browser entry %m"); 

RCS file: RCS/daemon.c,v 
retrieving revision 1.8 
diff -c -r1.8 daemon.c 
*** daemon.c 1997/01/18 19:12:56 1.8 
--- daemon.c 1997/11/06 05:08:43 
*** 24,30 **** 
#include <netdb.h> 
#include <sys/time.h> 
#include <sys/resource.h> 
! #include <sys/fcntl.h> 

#include "firewall.h" 

--- 24,30 ---- 
#include <netdb.h> 
#include <sys/time.h> 
#include <sys/resource.h> 
! #include <fcntl.h> 

#include "firewall.h" 

1.11: FIXMAKE - when to use, when not to
There's nothing at all wrong with the makefiles as distributed - however, they make use of an "include" directive to include the Makefile.config in order to provide a central place where customizations take place. Every version of make except the one shipped with BSD takes one form of the include command (include Makefile.config) but BSD make requires a different format (.include "Makefile.config"). What fixmake does is to edit the include directives in the makefiles to the form that is correct for your system. The old fixmake deleted the "include" commands and actually inserted the current contents of the Makefile.config - this meant that if you edited the Makefile.config you had to do a "fixmake unfix; fixmake" to propagate it. That's why 2.0 reformats the include directives only - changes to Makefile.config are reflected immediately. 

Now, it's true that if you run fixmake on a non-BSD system, it'll break the makefiles - fixmake unfix will put them back - but the README is pretty clear about when you need to fix and when you don't. For Linux you (probably) don't. 
1.12: I am getting "xxx-gw.c: differs from default RCS version" errors when trying to apply a patch
If you don't care about the revision control system, just type "find . -name RCS -exec rm -rf {} \" in your FWTK root dir before you try applying the patches. 

Running the FWTK - General Questions
2.1.1: Where can I get example copies of system files, such as rc*, netperm-table, and inetd.conf for FWTK?
You can find examples of the system files in the $FWTK/conf directory. Remember that these should only be used as a guideline and may/may not reflect the settings on your system. 
2.1.2: Why are my timestamps messed up in my logfile? 
You probably are running the toolkit in a chrooted environment. Because of that, you need to copy the timezone file to the chrooted directory. Places to look for the "localtime" file are /etc/zoneinfo, /usr/lib/tztab , /usr/share/lib/zoneinfo, /usr/contrib/lib/zoneinfo, /usr/lib/zoneinfo, etc. 
2.1.3: I can't seem to get the right files to run chrooted under Solaris.
Check the man page for ftpd. It has a script that you can use to build the chrooted directory tree. If things still do not work (which may happen if a proxy requires files or libraries that ftpd does not) then it may be helpful to try 

truss chroot <newroot> <command> 

and see what fails. 
Be aware that syslog will break under a chrooted environment. Sun forgot to put something in the different man pages when they changed the behaviour. There is a dev entry that is missing. The additional dev entry that has to be there is /dev/conslog within the chroot()'ed environment. This was changed as of SunOS 5.5 and newer. You might also need Neil Readwin's patch to create the special /etc/syslog.pid file, which can be found at /patches/sun-syslog.pch
2.1.4: Why doesn't FTP work with my web browser?
Change the FTP Proxy settings of your web browser to point to the same host name and port number of your http proxy. 
2.1.5: Why are connections to the proxies so slow?
Make sure that your DNS resolver can be reached. The toolkit tries to do host<==>IPAddr lookups, so if your nameserver is slow or down, it will slow all of the connections down. 
2.1.6: How do I proxy UDP packets with the toolkit?
The FWTK doesn't handle UDP packets; it only works with TCP. If you want to proxy UDP (for Quake, Realaudio, etc.), then check out the patches section of this FAQ for udprelay. 
2.1.7: How do I publish web pages through the firewall?
The problem here is not with the FWTK, but instead with the clients. Netscape, as of yet, will not let you use a proxy server (besides their own) to publish pages. 

The only solution is to use ftp-gw and manually put the files on the web server. 
2.1.8: I am trying to get ftpd from the toolkit working... 
Don't. It is very out of date and contains some bugs. Look at using another ftp daemon, like wu-ftpd
2.1.9: How do I get the toolkit to run under MacBSD?
You can look at the MacBSD/FWTK FAQ, written by Aaron S. Magill, which is found at macbsd-faq.html
2.1.10: Is there a way to setup a VPN using the FWTK?
At this time, no, and I doubt that TIS will add it in the near future since it is an important addition to Gauntlet. You might want to look at ssh, mentioned in this FAQ, for secure telnet connections between hosts. 
2.1.11: Is the FWTK year 2000 compliant?
The real answer is that since FWTK does nothing with dates other than logging, there's no problem with anything that I know of with respect to Y2K. 

I would make sure that your operating system and hardware will support year 2000. As long as that is true, you should be okay. The only way to verify it is to test it first in your environment. 
2.1.12: Host address lookups fail with "failed to connect to server test (80) reason: hostname unknown"
In order for the FWTK to work correctly, you must have your /etc/resolv.conf configured correctly and, in some instances, be running BIND. 

Programs in some OSs don't automatically use DNS (assuming that's your default name service.)  Programs you compile from source can be made to if they use the res_*() routines and you link with -lresolv.  Most programs in the system though look in system static files (ie /etc/hosts ) then in NIS (former "yellow pages") if it is configured. 

A nice package which gets around this is resolv+2.1.1. (version # may be later now).  It works by substituting its own versions of the gethostby{name,addr} routines in the /lib/libc.so file. Those versions call DNS.  When set up, every system binary that uses these routines can automatically use DNS.  resolv+2.1.1 is a subset of what you get with BIND, which also includes a replacement for DNS. It's a good substitute for the more general /etc/nsswitch.conf and /usr/lib/libnsl in Solaris. Check your favorite search engine. 
2.1.13: I can't start the toolkit; I am getting "Failed to bind to port XXX" or "Address already in use".
That depends on how you're starting things. Only one process can listen on a given port and address combination. Having an entry in your inetd.conf for a port (http, for example) will cause the error above if you try to start a proxy in daemon mode on the http port if you already have a web server running. You should go through your inetd.conf and remove all the unnecessary lines, specifically the "login", "telnet", and "ftp" lines. Best make it empty then turn on what you *really* need - you are probably wide open at this point with all sorts of unnecessary services. 
2.1.14: Does the proxy hide internal addresses? What are the "illegal" addresses?
Yes. You may use "illegal" addresses inside of your firewall, as long as your external interface's address is assigned by either the Internic or your ISP. 

Here is a list of the "illegal" address (per RFC 1918): 
Subnet address Broadcast address  (10/8 prefix)  (172.16/12 prefix) (192.168/16 prefix)

2.1.15: Should I be able to ping the Internet from the internal network?
NO! If you can, then you are leaking packets. Check the routing setup on your firewall box. Also make sure that you do not have another unprotected route to the Internet. External pings may easily be stopped at two points: at the router, where the ICMP service requests may be blocked (while maintaining the ability to ping the server from within the network), or the kernel can be recompiled to not include ping (ICMP) responses since the kernel responds to the ping. 
2.1.16: How to I specify a subnet mask in the netperm-table?
Use "network-number:netmask" or something like: 

This feature is only available in FWTK 2.x and above. 
2.1.17: Why do I get an "inetd: xxx-gw/tcp: unknown service" error when I start a proxy?
It means that a service that you listed in your /etc/inetd.conf file doesn't match a service in your /etc/services file. 

For example, look at your inetd.conf line: 
    ftp-gw stream tcp nowait root /usr/local/etc/ftp-gw ftp-gw 
The last token is the service name; change it to ftp and you should be OK. 

Also, if you are running Solaris 2.x, make sure that the services line in your /etc/nsswitch.conf is configured correctly to look only in "files" and not in "nisplus". 
2.1.18: What is the maximum number of ethernet interfaces that the toolkit will support?
Since the proxies don't deal with interfaces (only addresses), they support as many interfaces as the platform on which they run. 

You may want to look at the bind-to patches. That will allow you to bind selected proxies to selected interfaces, rather than the un-patched behavior of binding to all of them. 
2.1.19: How do I enable PPTP using the FWTK?
Since PPTP control run on port 1723, you can easily plug that using plug-gw. However, the encryption protocol is GRE (which is IP protocol 47) which the FWTK can't understand since it is not TCP/IP. You can't support PPTP using just the FWTK; you will need some other kind of packet filter to accomplish this. 
2.1.20: What is the configuration to allow ICQ?
Use udprelay on port 4000. Relay to icq.mirabilis.com then point your clients to the firewall. 
Disadvantage:  file transfers don't work - udprelay only works for ICQ chat. 
2.1.21: How do I wrap lines in the netperm-table?
Unfortunately, you can't. All lines must terminate and cannot continue with the "\" character.
2.1.22: Which is the best way for starting FWTK: inetd or daemon mode in an "rc" script?
Definately use an "rc" script. The FWTK 2.x proxies are designed to be run by themselves, so you don't need to worry about inetd speed or throttling problems.

    * auth
2.2.1: I keep getting segmentation faults when adding users...
The problem might be due to the db library that you are using. The authsrv program will build without complaining when you use -ldb in the Makefile , but will result in crashes.  You must re-build and installed the full version of gdbm-1.7.x with the ndbm and dbm compatibility options. 

Also make sure that you are using a recent version of your compiler. 
2.2.2: How do I use SecureID/Skey with the toolkit?
First, you must obtain the SecureID library from Axent Technologies (Security Dynamics) or the Skey library.  In order to compile the SecureID with the toolkit, change the "tis_sd_init" reference in securid.c to "sd_init". The "tis_" variant is a TIS fix that ships with Gauntlet since the SecurID software won't work well with multi-homed hosts. 
For both, you need to edit the Makefile in the auth directory for the proper modules to be compiled and linked. Remove the "#" from the "SKEYDIR=" (etc..) lines and re-make. 

    #if you are using the SKEY modules, define SKEYDIR to be the source 
    #directory where the SKEY libraries and include files are. 
    #SKEYLIB= $(SKEYDIR)/libskey.a 
    #SKEYOBJ= skey.o 

    #if you are using the SecurID module, define SECURDIR to be the source 
    #directory where the SecurID libraries and include files are. 
    #SECURDIR= /var/ace/client 
    #SECUROBJ= securid.o

2.2.3: Does authsrv ever disable users automatically?
Yes, it will after 5 unsucessful login attempts. 
2.2.4: Why do I get "Unrecognized command parameter" errors when adding users?
This is a bug in FWTK 2.0. Either upgrade to FWTK 2.1 or apply the authserv patches available on the TIS FTP site: 

2.2.5: I am getting lots of "undefined references" when trying to compile.
In your skey Makefile, you haven't defined your encryption type. Uncomment these two lines:

# MD5
LIBOBJS=skeylogin.o skeysubr.o md5c.o put.o skey.o

# MD5

    * ftp-gw
2.3.1: Why can't I FTP to an Internet site using a command-line FTP program?
The traditional Unix ftp program can be used in a proxy environment by first connecting to the proxy server and then issuing some command to get to the final destination.  For example, to ftp from inside a company to your favorite ISP, you would do something like this: 
    # ftp proxy-server 

    Welcome to the proxy server.... 

    User (proxy-server:(none)): username@my.isp.net

    Connected to my.isp.net 
    Password required for username 

There are also some proxy aware ftp tools.  For example, WS_FTP or CuteFTP (for the Windows world) allows more transparent access by simply setting a configuration option. 
2.3.2: How do I FTP through multiple ftp-gw servers?
FTP to the first firewall in the chain. At the "username" prompt, type "username@target-host@second-firewall". The second firewall will connect to "target-host"and ask for a password. This is similar to the password-hacks that you can use (user@password@host) with things like CuteFTP or WS_FTP. 
2.3.3: What does "500 Illegal PORT Command" mean?
The "Illegal PORT Command" error message is coming from your FTP client. I don't know what it is expecting or what's wrong with what it's hearing. Is this FWTK 2.1? Perhaps you're using one of the older versions of FWTK that sent the PORT command as two separate write() operations - some FTP clients expect to see the PORT and terminating cr/lf in a single packet. You can also try setting your client to use PASV mode.
2.3.4: Why do some sites refuse my connection?
Actually, this is usually not a FWTK problem. 

Make sure that the remote FTP site can perform a reverse-DNS lookup of the external interface of your bastion host. An increasing number of sites will refuse to accept host attachments unless your host name is verified. 
2.3.5: Why does FTP hang when getting a directory listing or downloading a file?
This is due to the fact that a router or firewall between ftp-gw and the remote FTP server is blocking the returning PORT command. FTP uses two connections - a control connection (made to port 21 on the target host) and a data connection. The data connnection uses a random port; what port number gets used is up to your operating system. Check to see where that connection is dropped.

If you have a Checkpoint firewall, you should be running at least FWTK 2.1 and you should apply the patch which allows you to specify the data port. The data port should be set to 20.

    * http-gw
2.4.1: My http-gw keeps hanging; Why is http-gw freezing, but the server responds to pings?
You can either upgrade to FWTK 2.x and run the individual proxies as daemons (bypassing inetd completely), or follow the below directions. 

Most inetd's based on BSD inetd have a throttle built into them such that if more than about 60 connects per minute come in on any well-known port, inetd figures the server is looping or something else has gone awry and shuts down the service. To fix this, change your current /etc/inetd.conf file to look like this (note the "nowait.1000"): 
            http-gw    stream    tcp    nowait.1000    root    /usr/local/etc/http-gw    http-gw 

If this line doesn't work, check the man page for inetd. 
If you are running SunOS 4.1.x, you'll need to patch inetd. The appropriate SunOS patches are as follows: 
SunOS version Patch
4.1.1, 4.1.2, 4.1.3 100178 
4.1.3_U1 101618
4.1.4 102416
They are all a drop in replacement for inetd allowing you to specify the number of connections to be handled in a minute in the command line at startup (usually in /etc/rc for SunOS). e.g. 

/usr/etc/inetd -r 1000 
2.4.2: How do I get SSL/HTTPS working with the toolkit?
It is very easy. Just make sure that you are running version 2.x of the toolkit and point your Security Proxy setting of your browser to the same host name and port number of your http proxy. With version 2.x, you can also use SSL tunneling support in plug-gw.  From plug-gw.c

        To use as an SSL plug, include a line like 
             plug-gw: port 4430 10.* -plug-to https -ssl 
         Meaning listen on port 4430 for connections from 10.*  which are interpreted as ssl security handoff proxy requests. 
2.4.3: Authentication (-authall) doesn't work with http-gw. How do I get authentication working with the toolkit?
There is no authentication support in http-gw; primarily because it's very hard to do it right. There are proxies (like squid) that do a "good enough" authentication for most people. Doing it "right" means that you can use one-time password sources for authentication without permitting replay of the authentication info (such as the name name and password). 

Most people don't care about replay. Squid and squid-gw may fit the bill for you. 
2.4.4: How do I run http-gw and a web server on the same machine? 
Use a normal httpd configuration such as stand-alone Apache via port 80. Setup the http-gw proxy to another port (ex. 8080) for outgoing internal users conections. You might also want to set the "No proxy for" setting in the browsers not to go to the firewall for your web server, otherwise it will slow down your connections to the web server. 
2.4.5: What does "Network error: net_flags[X] >set (read)" mean?
This means that something attempted to read on a connection that had failed. In the past, this would have left a hung http-gw that wouldn't die. It's really an indication of a bug in the http-gw code somewhere - an error happened on that connection at one point so we shouldn't be re-reading from that socket. The code captures this case and quits. 
2.4.6: Why do targets (on pages) with spaces get destroyed?
URLs should not contain spaces, since people behind the firewall are "protected" from %## characters in URLs and usually can't use URLs containing them..  The coder of the page should be using underscores or dashes instead. 
2.4.7: How do I change the output of http-gw when I connect to FTP sites? 
If it was easy it would have been changed :-). It is not easy; the proxy has to create a HTML page describing the FTP directory. There's no simple way to obtain file type or size information that the proxy could use.The FTP code in http-gw is somewhat limited - it tries to handle different client types by using a listing format that does not provide size information. (There is no standard format for a directory listing that includes this information; long list formats are OS-dependent). 

The easy thing to change are the icons, but the icons are stored in the executable. However, you can specify an alternate location and provide your own icons.

Put this into your netperm-table:
http-gw: icon-source http://mywebserver/firewallicons/

One of the following will be appended to the above path.

menu.gif menuplus.gif html.gif gif.gif jpeg.gif image.gif audio.gif search.gif telnet.gif video.gif cso.gif macbin.gif dosbin.gif binary.gif text.gif blank.gif
2.4.8: Http-gw keeps core dumping on a BSD variant.
It is an OS issue. Just rename the variable "offtime" to something else. 
2.4.9: How do I FTP files through http-gw as a specific user?
Try using "ftp://user@hostname.dom".  If a password is required, the browser will display a dialog box. Otherwise, you can use "ftp://user:password@hostname.dom" This should work if you can normally do an ftp from your machine to the desired machine. 
2.4.10: Why do I get an error like "The response 'http-gw@firewall' is not valid" when trying to FTP in a browser?
Http-gw builds a password to send using the full hostname of the firewall. You should fix your firewall system to use the fully-qualified domain name as the hostname ("hostname firewall.your.domain" somewhere in the startup files.) 
2.4.11: Why does http-gw return blank pages to my Netscape browser?
Actually, this is not a FWTK issue. When Netscape 3.x and below reads some Microsoft FrontPage pages, it displays the background, but no text. It seems to be a known bug that Netscape fixed in its Communicator 4.x, but never publicly acknowledged. Example code that causes it to choke: 

    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> 
    <meta name="GENERATOR" content="Microsoft FrontPage 2.0">
Upgrade to 4.x or above to fix. 
2.4.12: Http-gw causes my browser to display "document contains no data".
Make sure that you have created the http-gw directory that you specified in the netperm-table and that you have the appropriate chroot() files in that directory. Be sure the http-gw is being run by a user that can read that directory. 


    http-gw:        directory /usr/home/www
You may also get this error when you are trying to FTP. In that case, configure your web browser's FTP proxy to point to the same port that it uses for http. 
2.4.13: How do I forward http requests from the firewall to an internal web server?
The http-gw is designed to permit trusted hosts to cross a firewall to access http servers. It is not designed to be used to permit untrusted hosts access to your inside network. Your best bet for this is to use a plug-gw; however, that will not protect the web server from penetration attempts. 

You can, however, use something like: 
        http-gw: forward * -protocol http -tohost server:80 
"forward /" means to forward anything that starts with "/". You've got to be specific about the protocol, else it seems to try gopher. 

I don't think that using http-gw backwards this way is such a great idea because of problems like this; besides, it's not designed to protect things when used this way. One example of why this is the case is the support for security proxying. If you don't rip CONNECT support out of the source, your inbound http-gw can be used to telnet right past the firewall to any host on the inside; probably not what you want. You MUST disable the https support; otherwise, anyone can telnet to the proxy and go: 
    CONNECT internal-ip-address:23 <return> <return> 
and get a telnet session uncontrolled right through your firewall. 

The best recommended solution: Put the web server in your firewall's DMZ and use plug-gw to pass traffic to it. Otherwise, if someone is able to break a security hole on your web server, they are then inside of your network.
2.4.14: URLs like "http://user:password@www.site.com" don't work...
This violates RFC1738 which states: 
    An HTTP URL takes the form: 

Since http-gw follows the RFC spec, it does not allow "http://user:password@www.site.com" URLs.
2.4.15: FTP through http-gw gives a "-501 Unknown ftp problem" error message.
That'll only happen if the connection is being terminated prematurely for some reason. You'll probably find more reason why in the logs. 
2.4.16: How do I disable FTP access in http-gw?
You should add a "ftp-proxy" line in your netperm-table. What "ftp-proxy foo" should do is to change the handling of ftp URLs from connecting to the target host to using the given ftp host. For example, if you send "ftp://target/dir/file" with a line in your netperm-table like "http-gw: ftp-proxy proxy" what will change is that the http-gw will connect to host "proxy" on the ftp port, then send "user anonymous@target" as the user (expecting that there's a ftp-gw proxy in use.) Your netperm-table seems to be configured with the "ftp-proxy" having the name of a program to run; what you probably want is "http-gw: ftp-proxy" 
2.4.17: What is the configuration to connect to web servers running on non-standard ports?
Nothing special has to be done.  Just make sure that your browser's proxies and no-proxy list are properly set up, then ask it to show you a URL like "http://host.domain:port/page.html" 
2.4.18: Why am I getting "Error - 404.   Reason:  hostname unknown" errors?
Either your DNS is not working correctly on the firewall, or you're chroot'ing http-gw without providing the files it needs to use the resolver. Try taking off the chroot temporarily by changing the "directory" option in your netperm-table
2.4.19: What does "network connection closed during write" mean?
It means that the network connection between the proxy and either the browser or the web server was closed while the proxy was writing data. Often this happens because the user pressed the "stop" button. It's almost never a sign of a problem.

    * netacl
2.5.1: I am getting "Transport endpoint is not connected" errors
The "endpoint is not connected" error usually means that something has started up netacl with it's stdin not connected to a network socket. Like most of the fwtk proxies, netacl is expecting to be started either as a daemon or from something that connects it to a socket, like inetd. Make sure that the netacl listener is started. 

    * plug-gw
2.6.1: What is the configuration for POP mail services?
Add a line to the netperm-table such as this and point your browsers to the firewall: 

    plug-gw: port popmail my.domain.*  -plug-to  pop.server.B -port popmail 
Also make sure that you add "popmail 110/tcp" to /etc/services and the appropriate line to /etc/inetd.conf or /etc/rc, if necessary. 
You can also look at cmd-gw, available in the FWTK patches at http://www.fwtk.org
Some things to think about: 
    1. pop3 sends usernames and passwords in the clear.  You might want to consider APOP 
    2. Unless you know the IP/hostname of the outside users and they are fixed, you could be opening your internal pop3 server to access from the outside. 
2.6.2: How do I use plug-gw to plug to a second proxy?
You can't use a plug-gw as a HTTP proxy but you can use the plug to forward the connection if the browser isn't set up to use that firewall as the proxy. 

When it's connecting to a web server - the plug-gw case - the browser sends "GET /page HTTP/1.0"; when it's connecting to a proxy the browser sends "GET http://host/page HTTP/1.0" and expects the proxy to decode the scheme and remove that before passing it on to the real server. Plug-gw won't work in this case. 
2.6.3: How do I plug samba/SMB (for Win95/WinNT file sharing) through the firewall? 
SMB uses 137 for the name service (UDP normally), 138 UDP for support services and 139 TCP for the session services. The only problem is that you won't automatically reconnect to a share, you have to do it by hand every time (after the time-out, plug-gw disconnects you). You might need to add an entry to your c:\windows\lmhosts file (create it, if it doesn't exist). 
2.6.4: How do I allow SQL requests through? 
Plug-gw is a TCP stream data processor. It does not support things that expect specific handling of URG, PUSH, etc; those require a SQL application-specific proxy. 

    When people have tried this in the past it has been found to not work when plug-gw is used - the SQL Server protocol is sensitive to the data stream. If it writes 1200 bytes it expects to read all 1200 bytes in a single packet. Plug-gw does not guarantee that. Perhaps more recent versions of SQL server don't work that way any longer. 

    You must be running a recent version of Sybase. Just use plug-gw. 

    The listener for Oracle SQL*Net is on port 1525. Just use plug-gw to plug the request through. However, multithreaded SQL*Net does not work. 
2.6.5: What is the plug-gw config for Usenet News?
If you want a proxy specifically for news, look at nntp-gw located in the patches section of this FAQ. 

Or, if you want to use plug-gw follow these directions: 
Add a line to the netperm-table such as this and point your news readers to the firewall: 
    nntp: port nntp my.domain.*  -plug-to  ext.news.dom -port nntp 
Also make sure that you add "nntp 119/tcp" to /etc/services and the appropriate line to /etc/inetd.conf, if necessary.  For ease, define "news" internally to be the address of the news bastion host (firewall), and point users at the "host" named "news". 

If you have several external news servers,  pick a different port for each news server that you want to attach to, say 9001, 9002, etc., on the firewall box. Of course, you will most likely be attaching (plugging) to port 119 (nntp) on the actual news server(s). 

See the plug-gw docs for details. 
2.6.6: How do I make Microsoft SNA Server requests go through?
Run regedit.exe and make the following change: 


Create a value called Firewall, of type REG_MULTI_SZ, and populate it with the IP address of the proxy.  This does mean that you need to run plug-gw on both 1478/tcp and 1477/tcp. 
2.6.7: How do I plug to a Lotus Notes server?
Lotus Notes is actually one of the easier applications to proxy with FWTK.  Notes uses port 1352/tcp exclusively, so all you really need to do is set up plug-gw to listen on port 1352.  Something like this should work: 

    plug-gw:        port 1352 * -plug-to notes.server.dom -port 1352 
The real trick is the Notes end of things.  The intuitive thing to do would be to tell Notes to connect to your FWTK box and you'd see the server you were plugging to.  Not quite.  When you tell Notes to connect to a server by FQDN, it expects the response from the server to match the FQDN, or else it complains.  What you need to do is to create a connection doc (in your personal address book, for instance) that defines a correct connection to your Notes server. 
2.6.8: How can AOL clients get through the firewall?
The AOL client uses port 5190. Just use the following plug-gw config in your netperm-table

    plug-gw:    port 5190 192.168.0.* -plug-to Americaonline.aol.com -port 5190 
Also, there is a CCL directory under the AOL directory that contains a file called TCP.CCL (Macs have a file called TCP located in the Online Files directory).  This file has to be edited to point to your firewall address instead of AmericaOnline.aol.com. 
Be warned, however, that this can be unsecure due to AOL's tunneling protocol. 
2.6.9: Why is plug-gw denying everything even though it is correct in the netperm-table?
It's supposed to look for entries first using the service name - the first argument - then, if there's none, look for plug-gw entries. 

If you run the plug with: 
    /<path>/plug-gw -daemon nntp nntp 
it will look for "nntp: ..." entries in the netperm-table. If there's none of those, it'll look for "plug-gw: ..." entries. Running it with "plug-gw", or with "nntp-gw" and changing the netperm entries to "nntp-gw" will probably make it work. However, most netperm-tables have a  "*: authserver 7777" line which matches the news lookup so you find no rules at all 
2.6.10: How do I plug LDAP through the firewall?
LDAP runs on port 389. Just plug the requests from the client to the server. 

    * smap/smapd
2.7.1: smap doesn't work & logs show "bogus queue file, uid=6, mode=100600"
What this means is that sendmail found a queue file owned by UID 6 (probably uucp) but that sendmail was not running as that same uid. Normally, when you front-end sendmail with smap/smapd, you should be running sendmail setuid the same user that smap/smapd uses. 
2.7.2: How do I configure smap so that it rejects the mail in a way that the sender does not retry to send the message?
This probably should not be done through smap; you should just configure sendmail to bounce the message instead. 
2.7.3: Why am I getting "fwtksyserr: cannot chroot to /var/spool/smap:Operation not permitted" errors?
"Only the super-user may change the root directory." Is your 'smap' starting off life as the super-user? Other possibilities could be that the effective UID does not match the owner of the file, and is not zero; or the owner or group were specified incorrectly. 
2.7.4: How does smap handle temp files; what should I do with old xmaXXXX/smaXXXX files?
I think you'll find that the system works as follows: 
  • smap gets a connection
  • smap opens xmaXXXXXX (see var 'tempfile') smap gets message and closes 'tempfile' smap renames 'tempfile' to smaXXXXXX (see call to function add_too_file() and the function itself)
  • smapd wakes up every x (60?) seconds smapd looks for smaXXXXXX
  • smapd calls sendmail to send smaXXXXXX if successful delivery
    • smapd removes smaXXXXXX
  • else
    • smapd moves smaXXXXXX to 'baddir'
  • thats it....
So, if you have 'old' xmaXXXXXX files lying around, either delete them, or 

rename xmaXXXXXX to smaXXXXXX 
watch logfile as smapd tries to process them and you'll see, either 
file delivered successfully -> the file is now gone, 
some complaint from smapd -> you can delete the file.
2.7.5: Smap has received the e-mail, but how do I process the mail queue? 
You will need to start the smapd daemon in your startup file in addition to a daemon to periodically scan the mail queue... that is /usr/local/etc/mqueue script....  and the smap entries in the netperm-table tell smap how to invoke sendmail (of course, you will need a valid sendmail configuration file, usually in the /etc/sendmail.cf file, but that depends on your sendmail version and configuration)... 

startup entries for smap/mqueue: 

    # smtp queuer 
    (cd /var/spool/mqueue; rm -f nf* lf*) 
    echo "    smtp queuer" 
    /usr/local/etc/smapd & 
    # process the mail queue for undelivered mail 
    /usr/local/etc/mqueue &
netperm-table entries for smap: 
    # Example smap rules: 
    # ------------------- 
    smap, smapd:    userid 15 
    smap, smapd:    directory /var/spool/smap 
    smapd:          executable /usr/local/etc/smapd 
    smapd:          sendmail /usr/sbin/sendmail 
    smap:           timeout 3600
that's really about all. You might just want to check your sendmail configuration rules per normal testing using /usr/bin/sendmail -bt 
2.7.6: How do I append messages/disclaimers to the bottom of e-mail messages? 
A way of doing a similar thing is attaching something not between smap and smapd but between smapd and sendmail.  It is like this: 

In netperm-table: 
smapd:  sendmail /my/own/sendmail-wrapper 

Write a program named /my/own/sendmail-wrapper, which will be something like this: 

  1. The input command line is "/my/own/sendmail-wrapper -f from rcpt ..."
  2. Process the message text read from the standard input.
  3. Invoke sendmail with the arguments " -f from rcpt ..." and pass the message text to sendmail through the standard output.
The advantage of this way is that you do not have to care about the internal matters between smap and smapd. 
2.7.7: Why do I get "SYSERR(smap): prescan: token too long" errors?
Although this error says "smap", it is in fact coming from sendmail's parseaddr module.  It is telling you that, in trying to interpret the header of an incoming alleged mail message one word ["token"] at a time, it came across one that was too long for its input buffer.  This input buffer is 256 bytes long. 
2.7.8: Why is mail getting sent with smap username instead of the actual sender? Why am I getting sendmail authentication warnings?
This is because smap is running without any privileges and sendmail recognizes it as the last "agent" to deliver the mail.  In order to get sendmail to recognize smap as a "trusted agent" (similar to the way "uucp" would be trusted in a dialup environment), ensure that the sendmail configuration file (sendmail.cf) contains a line indicating that smap is a trusted user: 

2.7.9: What does "smapd[xxxx]: discarding (OS error) pid=xxxx code=71" mean?
Sendmail returns this value if (among other things): 
 *can't open a pipe to the delivery agent 
 *can't execute the delivery agent 
 *if the delivery agent returns EX_OSERR 
 *if sendmail cannot fork
 *if setuid or setgid fails (RunAsUser...) 

Make sure that you have created a legal user which you defined in the smap section in your netperm-table. If you verified this, then you are probably having other problems between your OS and sendmail. 
2.7.10: Sometimes I am getting "exiting too much data" errors from smap...
Smap is denying your e-mail since it is too big. Check your "maxbytes" setting in your netperm-table

            * syslogd
2.8.1: How do I separate the FWTK logs from the standard syslog file? 
The facility and level are set in your "firewall.h" file:
Choose a system logging level for the firewall
toolkit. All components of the toolkit will use
this value for logging entries.
#ifndef LLEV
#define LLEV    LOG_NOTICE

/* Choose a system logging facility for the firewall toolkit.  */
#ifndef LFAC
#define LFAC    LOG_DAEMON

Just edit firewall.h so it writes to one of the local facilities and edit syslog.conf to handle them special. 

Change firewall.h from: 
#define LFAC LOG_LOCAL6 

Then just put something like 
    local6.* /var/log/fwtk 
in syslog.conf and don't forget to "remove" the messages from the "catchall" entry, eg. 

*.info;local6,mail.none  /var/log/messages 

Also make sure that you have enabled logging via your netperm-table using the "-log" parameter. 
2.8.2: How do I create separate log files for each service?
First, install the syslogd that is included with the toolkit. Then, edit your /etc/syslog.conf file to something like this: 

    # patterns to match for 
    "authsrv"                    /home/log/auth 
    "netacl.*fingerd"        /home/log/in-fingerd 
    "netacl.*telnetd"        /home/log/in-telnetd 
    "smap"                      /home/log/smap 
    "ftp-gw"                    /home/log/ftp-gw 
    "plug-gw"                  /home/log/plug-gw 
    "rlogin-gw"                /home/log/rlogin-gw 
    "tn-gw"                     /home/log/tn-gw 
    # Standard system logs 
    *.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug  /var/adm/messages 
    *.emerg                                         * 
    *.emerg;*.crit                                  /dev/console
Then, just send a HUP to the syslogd to make the changes active. 
2.8.3: Syslogd will not record anything under Linux
Apply the following patch in the syslogd directory: 

*** -     Fri Jun  5 09:40:08 1998
--- pathnames.h Fri Jun  5 09:41:08 1998 
*** 53,58 **** 
--- 53,66 ---- 
  #define       _PATH_DEVNULL   "/dev/null" 
+ #ifndef _PATH_KLOG 
  #define       _PATH_KLOG      "/dev/klog" 
+ #endif 

+ #ifndef _PATH_LOGCONF 
  #define       _PATH_LOGCONF   "/etc/syslog.conf" 
+ #endif 

+ #ifndef _PATH_LOGPID 
  #define       _PATH_LOGPID    "/etc/syslog.pid" 
+ #endif 

    * tn-gw/rlogin-gw
2.9.1: Why does tn-gw either display double characters, no characters, or echo the passwords?
Something isn't properly doing the options negotiation. Try "telnet" (no hostname) then "set opt", "connect firewall" then "connect destination".' See if there's something obvious going wrong in the different negotiation sessions. 

The basic problem is that it is extremely difficult to correctly proxy telnet - when your client connects to the proxy, it sends options negotiation commands to the proxy. We remember these and try to reset things to their prior state just before connecting to the real server. Back when the TELNET protocol was defined, this worked well - the settings were simple binary flags with no dependencies. Unfortunately, things that work well are often "improved". There are several options that have dependencies (for example, options 36, OLD_ENVIRON and 39 NEW_ENVIRON. Many telnet clients try to enable NEW_ENVIRON then if that fails try OLD_ENVIRON. They REMEMBER that the proxy refused NEW_ENVIRON and OLD_ENVIRON. Then, once you connect, the server tries to negotiate NEW_ENVIRON again; the client remembers that it was refused permission to turn this on, so ignores the server's request. That hangs the connection. Some servers don't like the negotiation flood that the telnet proxy sends when you first connect; that's what usually causes the double echo. 

All that we could do with the telnet proxy was to make it work as well as possible with as many clients as possible. Many telnet clients are broken (the Microsoft Windows 9x one, for example. The double echo you're seeing is probably due to the fix for the broken Windows Telnet client.) 

For some broken cases, you can fix things by playing around with telnet commands (echo, etc.) after the connection is made. 
2.9.2: How do I configure tn-gw to allow me to telnet to the firewall machine itself?
Configure tn-gw as you normally would. Then, check in the example $FWTK/conf/netperm-table or use the following lines in your netperm-table

    netacl-telnetd: permit-hosts -exec /usr/libexec/telnetd 
    netacl-telnetd: permit-hosts (your.own.ip.address) -exec /usr/libexec/telnetd 
    netacl-telnetd: permit-hosts (your.internal.ip.addresses) -exec /usr/local/etc/tn-gw 

    netacl-rlogind: permit-hosts -exec /usr/libexec/rlogind -a 
    netacl-rlogind: permit-hosts (your.own.ip.address) -exec /usr/libexec/rlogind -a

2.9.3: How can I make it transparent for people to telnet through the firewall?
There's a script in the tools/client/misc directory called "tn" (it requires Expect), which will accept a host and port on the command line just like telnet does, but it will operate the tn-gw for you, and make it seem that you can telnet directly to any outside destination. 

Expect can be found at the following site: 

    * x-gw