ipbind-1.2 patch for FWTK 2.1

William L. Hamlin
Convergent Networking Systems, Inc.
whamlin@connetsys.com


QUICK SUMMARY

The extensions in this patch were created to allow the firewall
toolkit proxies to intelligently make use of the multiple network
interfaces that almost certainly exist in application-proxy
firewalls.

This patch has been tested and verified on the following systems:

	Solaris 2.5.1 (sparc)
	Solaris 2.5 (x86)



FILES CHANGED

auth/authsrv.c
ftp-gw/ftp-gw.c
http-gw/hmain.c
lib/daemon.c
netacl/netacl.c
plug-gw/plug-gw.c
rlogin-gw/rlogin-gw.c
tn-gw/tn-gw.c



CHANGES

The following changes exist:

* -daemon command line option extension.  Previously, the -daemon
   command line option took one argument - a port number or service
   name.  This patch changes the argument so that it can be of one
   of the following forms:
	port
	servicename
	ip:port
	ip:servicename

   The first two forms behave exactly as in the unpatched version:
   the proxy binds to the given port on all interfaces (the wildcard
   address), so it accepts connections arriving on any of the
   firewall's interfaces, external ones included.  The latter two
   bind only to the given IP address, so the instance is reachable
   on that interface alone.  This allows several instances of one
   proxy to run at once, serving different purposes on different
   network interfaces.

* -name command line option.  With several instances of one proxy
   running at the same time, each needs its own set of rules.  This
   option, which takes one argument, gives the tag under which the
   instance looks up its rules in the netperm-table file (see the
   example below).  Without it an instance uses the proxy's usual
   tag, and all instances would share one configuration.

* Some cleaning up of command-line error messages has been done to
   make logging more consistent.  Specifically, all errors relating
   to command-line arguments are now prefaced with the text
   "fwtkusageerr".  Previously, some such log messages had
   "fwtkusageerr", some had "fwtkcfgerr", and some had no indicative
   leading text at all.

* The plug-gw proxy now has an additional netperm-table option of
   '-connect-from' which specifies the local IP address to use for
   outgoing connections.

* The authsrv, ftp-gw, http-gw, rlogin-gw, and tn-gw proxies now
   have an additional netperm-table command of 'connect-from' which
   specifies the local IP address to use for outgoing connections.
   Without it, the kernel picks the source address from its routing
   table, which on a multi-homed firewall may be an address on an
   interface other than the one intended.


INSTALLATION

% cd <PATH>/fwtk
% patch < ipbind-1.2.patch

Voila!

(NOTE: If patch doesn't work right for you, you probably have an old
 version of the patch program.  Check out the GNU archives for
 something a bit less archaic.)



EXAMPLE

Command line:
http-gw -daemon address1.company.com:80 -name http-general-proxy
http-gw -daemon address2.company.com:80 -name http-special-proxy

netperm-table excerpt:
http-general-proxy: forward /* -proto http -tohost www.company.com
http-general-proxy: permit-hosts *
http-special-proxy: forward /* -proto http -tohost www-dev.company.com
http-special-proxy: permit-hosts *
http-special-proxy: connect-from http-proxy.company.com
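
The two socket operations behind the changes and the example above, as
an added illustration written for this page (it is not code from the
patch or from FWTK): parsing the four -daemon argument forms, binding
the listener to one address instead of all interfaces, and the
connect-from bind-before-connect for outgoing connections, with a
loopback check that the client socket really carries the requested
source address.  Assumptions of this example: IPv4 only, and the ip
part is a dotted quad rather than a hostname such as
address1.company.com, so the resolver step is left out; the function
names are mine, not the toolkit's.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* -daemon argument ("port", "service", "ip:port", "ip:service") -> port in
 * host order, or -1 if malformed or unknown service.  Bind address goes to
 * *addr (INADDR_ANY when no ip is given, the unpatched behaviour; addr may
 * be NULL).  Assumption made here: the ip part is a dotted quad, not a name. */
int parse_daemon_arg(const char *arg, struct in_addr *addr)
{
    char buf[128], *portpart, *end;
    struct in_addr a;
    long n;
    if (arg == NULL || strlen(arg) >= sizeof(buf))
        return -1;
    strcpy(buf, arg);
    if ((portpart = strchr(buf, ':')) == NULL) {
        portpart = buf;
        a.s_addr = htonl(INADDR_ANY);
    } else {
        *portpart++ = '\0';
        if (*buf == '\0' || *portpart == '\0' || inet_pton(AF_INET, buf, &a) != 1)
            return -1;          /* ":80", "10.0.0.1:" or a bad address */
    }
    n = strtol(portpart, &end, 10);
    if (*end != '\0') {         /* not numeric: a service name such as "http" */
        struct servent *se = getservbyname(portpart, "tcp");
        if (se == NULL)
            return -1;
        n = ntohs((unsigned short)se->s_port);
    }
    if (n < 1 || n > 65535)
        return -1;
    if (addr != NULL)
        *addr = a;
    return (int)n;
}

static struct sockaddr_in mk_addr(struct in_addr a, unsigned short port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr = a;
    sin.sin_port = htons(port);
    return sin;
}

/* TCP socket bound to exactly a:port (what the patched -daemon does for its
 * listener): INADDR_ANY is the old all-interfaces bind, a real address ties
 * the socket to that interface only.  Returns the fd, or -1. */
int bind_socket(struct in_addr a, unsigned short port)
{
    struct sockaddr_in sin = mk_addr(a, port);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* connect-from: bind the client socket to the local address (port 0, kernel
 * picks the port) before connect().  Without that bind the kernel chooses the
 * source address from its routing table, which on a multi-homed firewall may
 * be an address on the wrong interface.  Returns the connected fd, or -1. */
int connect_from(struct in_addr local, struct in_addr remote, unsigned short port)
{
    struct sockaddr_in rsin = mk_addr(remote, port);
    int fd = bind_socket(local, 0);
    if (fd >= 0 && connect(fd, (struct sockaddr *)&rsin, sizeof(rsin)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Loopback check: listen on 127.0.0.1 (kernel-chosen port), connect to it with
 * 127.0.0.1 as connect-from address, and confirm via getsockname() that the
 * client socket really carries that source address.  Returns 0 if so. */
int loopback_roundtrip(void)
{
    struct in_addr lo;
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int lfd, cfd, ok = -1;
    inet_pton(AF_INET, "127.0.0.1", &lo);
    if ((lfd = bind_socket(lo, 0)) < 0)
        return -1;
    if (listen(lfd, 5) == 0 && getsockname(lfd, (struct sockaddr *)&sin, &len) == 0 &&
        (cfd = connect_from(lo, lo, ntohs(sin.sin_port))) >= 0) {
        len = sizeof(sin);
        if (getsockname(cfd, (struct sockaddr *)&sin, &len) == 0 && sin.sin_addr.s_addr == lo.s_addr)
            ok = 0;
        close(cfd);
    }
    close(lfd);
    return ok;
}
```

Link this into a small main that calls loopback_roundtrip() to run the
check.  The same verification applies to the patched proxies once
deployed: netstat -an on the firewall should list each http-gw
listener on its specific address rather than on the wildcard, and a
connection made through the special proxy should arrive at
www-dev.company.com from http-proxy.company.com.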



OTHER FUTURE(?) ENHANCEMENTS

* In order to provide better logging capabilities, it might be 
   appropriate to change the "ident" parameter that is passed to
   the openlog() call to either the "-name" argument or the
   value passed to some new argument like "-log-as" or somesuch.
   If anyone has any real interest in seeing this functionality,
   drop me a note, and I'll put it on my list of things to do.

* Hey, let me know what you think it needs!



POSSIBLE PROBLEMS

Care was taken to preserve backward compatibility, so things should
work as before if you do not make use of the extensions.  However,
one of the changes might affect certain users:

* If people are doing log analysis/monitoring and are expecting the
   previous versions of the logged error messages, their reports/
   alarms may not function as expected.  Anyone doing such monitoring
   should be sure to note the syslog() message changes and adjust
   their scripts accordingly.



UPDATES

Updates to this patch will be announced on the FWTK Users Mailing List,
in the FWTK FAQ (http://www.fwtk.org), and on the ConNetSys web site
(http://www.connetsys.com).



DISCLAIMER

While this patch has been tested fairly completely, William L. Hamlin
and Convergent Networking Systems, Inc. make no guarantees of its
performance or lack of bugs/problems.  Use this patch AT YOUR OWN
RISK!



CURTAIN CALL

Well, that's a quick blast of info on the patch.  Probably more than
some need and less than others.  Such is life.  If anyone has any
questions, suggestions, complaints, or offers of free food or
unconditional love, send 'em my way...

Additionally, if anyone has to make changes to this patch to make it
work on other platforms, please forward them to me so we can save
other people the hassle of duplicating the effort.  Thanks!


William L. Hamlin
Convergent Networking Systems, Inc.
whamlin@connetsys.com
June 23, 1999
