TIS Firewall Toolkit Trusted Information Systems, Inc. February 26, 1998 WHAT IS THE TIS FIREWALL TOOLKIT? --------------------------------- Trusted Information Systems, Inc. (TIS) is pleased to provide the TIS Firewall Toolkit, a software kit for building and maintaining internetwork Firewalls. It is distributed in source code form, with all modules written in the C programming language and runs on many BSD UNIX derived platforms. The Toolkit is being made available for use as specified in the license agreement (LICENSE). USERS' GROUP ------------ TIS maintains the electronic-mail users' group for discussion of the toolkit. To join, send electronic mail to . TIS Firewall Toolkit technical questions, license issues, bug reports, etc. should be addressed to . The frequently asked questions (FAQ) document for FWTK is maintained by Keith Young and is available from at the following URL: http://www.erols.com/avenger/ further information on FWTK is also available from the TIS web site at http://www.tis.com/docs/products/fwtk/ Information about other TIS network security products or commercial licensing requests should be sent to or by telephone to (301) 527-9500. DISCLAIMER ---------- Please read the docment "DISCLAIMER" which describes TIS' support policy with respect to use of this software by other parties. WHAT IS HERE? ------------- README - This file fwtk-doc-only.tar.Z - Toolkit documentation fwtk-2.1.tar.Z - Toolkit sources and Makefiles (no documentation) Toolkit Roadmap: ---------------- Makefile - toplevel Makefile README - this file auth - authentication server and libraries (optional) config - sample configuration/permissions tables doc - documentation firewall.h - compile-time configuration ftp-gw - sources for FTP proxy server http-gw - http/gopher proxy lib - sources for library routines netacl - sources for TCP/IP access control "wrapper" plug-gw - sources for plug-board proxy server rlogin-gw - sources for rlogin proxy server smap - sources for sendmail wrapper client smapd - sources for sendmail wrapper daemon tn-gw - sources for TELNET proxy server tools - miscellaneous/unsupported tools x-gw - X11 proxy Building this software: ----------------------- As packaged, the Makefiles included in this kit will attempt to build the firewall components and miscellaneous tools. We have supplied example configuration files (Makefile.config) for platforms that have known requirements - look for a Makefile.config. that corresponds to your operating system. If you find one, save the original Makefile.config and move the OS-specific version into Makefile.config. You may need to edit firewall.h to tailor to the local operating system and environment. On some platforms (such as those with dynamically linked executables) you may wish to edit some of the individual Makefiles to tailor the compilation options such as compiler/linker flags and installation directories. The firewall toolkit is written in K&R C. If you are using a compiler that assumes ANSI C you may need to add a global compiler flag to cause it to accept K&R syntax. Global compilation options and flags are configured in a master Makefile called "Makefile.config" You should examine and edit this Makefile to reflect your system, before attempting to build the toolkit. Not all versions of make may support this syntax (most notably, the BSD derived versions which use ".include" instead) -- if your system is in the latter category, you have the choice of either obtaining GNU make or modifying the Makefiles. There is a program called "fixmake" which will rebuild the Makefiles for you. Simply edit Makefile.config and when you're happy with it, run "fixmake" and it will update the "include" directives to the BSD format. Repeatedly running "fixmake" is OK. If your system does not have X11 libraries with X11 include files installed on it, you will not be able to build X-gw. X-gw relies on the athena widget set (Xaw and Xmu) which must also be present on the system. To set the paths for X libraries, see Makefile.config. If you do not wish to build the X-gw, simply comment out the entry for x-gw in the DIRS= smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw entry in the top-level Makefile. Once firewall.h has been configured, typing "make" should build the basic firewall components. "make install" will install the components in a default location. A second directory of tools contains support software and modified client software. Many of the programs in the "tools" directory are from the BSD Net2 sources, and may be more or less difficult to get running, depending on the operating system platform. Rather than attempting to shadow the BSD distribution, they are provided "as is" with a README file in each tool's directory describing what platforms it is known to work on. If you plan to build/use the authentication server, you may wish to examine and edit "auth.h" to set the types of authentication you wish to support, and where the databases will reside. If you wish to use the authentication server with DES encryption for protecting transactions, you will need to obtain a DES encryption library, which is not supplied with the rest of the toolkit, and which must be obtained separately. The Digital Pathways SecureNet Key software also requires a compatible DES library. See the README in the "auth" directory for details. General Building Notes: ----------------------- Many of the components can be configured to perform a chroot(2) and run in a restricted environment. Generally, they should be linked against a resolver library [if you care about name resolution] that can be configured to work under chroot. Wherever possible, all required information is read before performing a chroot, so password files, etc, need not be provided. Support: -------- Legend: "tested" -- TIS has independently verified correct operation of toolkit components "builds" -- TIS has either ported and compiled, but not verified correct operation, or has second-hand reports from third parties that the software builds and works SunOS4.1.X - tested Solaris - Builds (not tested) HP/UX A.10.01 - builds (not tested) CMU MACH - builds (not tested) ULTRIX - builds (not tested) undefine USE_UDPSYSLOG in firewall.h BSDI - tested BSD/386 - tested by other party IBM/AIX - tested by other party ftp-gw, tn-gw, rlogin-gw require including #include SCO XENIX - tested requires -lsocket to lots of Makefiles and change of SIGOOB handling to SIGUSR1 LINUX - Builds (not tested) Systems that do not have a bcopy/bzero library routine will need to have one provided for them. User support, bugs, comments, mail, etc, should be directed to fwtk-support@tis.com and fwtk-users@tis.com.