Brief history of changes made to this software:

March 1997 to present - FWTK 2.0+

Add "pdf" to list of binary file types in http-gw
Fix typo in syslog.c that was causing builds to fail when USE_UDP_SYSLOG defined
Fix syslogd signal handling botch that leads to syslogd crash.
Correct SYSV switching in smap to remove wait3() reference
Fix off-by-one check in syslog
Fix skey prompting
Fix authsrv "onetime" parsing/setting
Correct tn-gw daemon argument processing
Fix hostmatch() core dump
Read plug-gw rules using service name, then "plug-gw"

Fixes since 2.0a beta:

Add patches for AIX 3.x from Pavel P. Zabortsev <ppz@cdu.elektra.ru>
Fix plug-gw service name rules to look for "plug-gw" lines if there's no service name lines.
Fix various compile warnings and typos found during test.

September, 1996 to January 1997 - FWTK 2.0

Fixes to Linux makefile configuration to try to support more variants of Linux. (Especially the dbm library.)
Clean up README references - especially to suggested mail addresses.
Fix authadduser.sh argument order (the "password" command was reversed.)
Always warn when authdump/authload can't read netperm-table.
Fix syslog() calls to limit string lengths to avoid buffer overflows.
Fix several buffer termination bugs in authload
Fix command ambiguity bug in authmgr/authsrv
Remove gets() call in authmgr (replace with fgets() call)
Fix buffer overflow possibility in authmgr password change
Rationalize authsrv time checking code
Fix "enable user one-time" command
Fix wizard checking in list commands so it works as expected (group wizards can check their group only.)
Clean up authsrv client IO module
Fix authsrv database routines to open/close when necessary; make sure files are closed when done.
Add SCO5 and OSF/1 conditionals and configuration files
Allow ftp-gw to be a daemon on other than the normal FTP port
Fix ftp-gw telnet options processing for IAC IAC, etc.
Add additional characters to the http-gw reserved list (characters that http-gw doesn't change in URLs.)
Change all http-gw FTP users to "http-gw@host".
Add "%m" to several http-gw error reports so more detail is available
Fix netperm-table reader so an unterminated last line in the netperm-table is not fatal
Add hostname length checking in DNS calls
Fix character set bugs in enargv(); correct several parsing errors.
Improve portability of getpassword() code
Don't allow empty string to map to UID 0 (root)
Fixes for syslog() overflow bugs - make buffer static (not on the stack), increase buffer size. On overflow bail out.
Fix port handling in plug-gw so that the target port number is not overwritten
Fix plug-gw destination permit handling
Fix smap message limit code (552, not 550).
Correct smap end-of-message handling.
Change smapd child handling to not use SIGCHLD - poll when processing messages instead.
Properly parse addresses (including route addresses) for bad formats. Allow "/" with following whitespace.
Allow "-daemon" for telnet-gw to permit listening on other ports (not just 23).
Fix telnet options processing
Fix invalid timeout handling in tn-gw (don't change the timeout).
Don't allow tn-gw options buffer to overflow
Remove "mercury.hsi.com" from deny-summ.sh reporting script.
Fix syslogd signal handling to allow POSIX signals

March, 1996 to September, 1996 - FWTK 2.0 beta

Centralize configuration differences in Makefile.config and provide example copies for BSD/OS, SunOS, Solaris, HPUX.
Update BSD "fixmake" script to reference Makefile.config, not insert it (so that edits to Makefile.config don't require a redundant fixmake unfix;fixmake pass).
Fix porting problems on Solaris, HP-UX.
Apply authsrv bug to permit extended auth to work
Fix ftp-gw messages to remove extra null character
Correct ftp-gw deny message to log then correctly report the denial to the client
Add "+" to list of HTTP reserved characters
Increase max URL length to 4096 bytes
Add Carl Claunch's java/javascript/ActiveX filtering to http-gw
Fix net_write to not error out on zero byte writes
Block persistent connection attempts
Upgrade http-gw internal icons (fix Netscape bug)
Make peername unknown non-fatal
Background proxy and become process group leader when operating a proxy in '-daemon' mode
Add pattern matching for a single IP address digit (?)
Fix IP options checking to not hardwire FD 0
Add ssl tunneling support to http-gw (-ssl on plug-gw line in netperm-table).
Remove trailing nulls in rlogin-gw messages
Handle overlong host addresses in rlogin, tn-gw
Add missing newline to smap "Received" line
Strip backquotes from mail addresses
Fix smap temp file handling
Update smapd waiting to allow multiple children
Update smapd error handling to minimize looping messages
Update bad address parsing code to allow additional valid addresses
Update tn-gw echo negotiation to avoid connect hangs
Remove trailing nulls from message strings in tn-gw
Fix "printf" vs "sprintf" botch in x-gw
Correct x-gw message handling (add newlines, etc.)

Nov 5, 1994 to March, 1996 - Fixes to V1.3

Changed to allow System V (Solaris) compile
Fixes to authsrv/authmgr to replace password prompting with our own routine (allowing > 8 char passwords) and to permit an authorization routine more flexibility in prompting.
Properly handle too-long lines in netperm-table
Handle multi-homed hosts in connects (try each address until one works).
Allow all proxies to run as daemons (no longer need to use inetd)
Replace sys_errlist[errno] references with strerror() calls for portability.
Fix urgent handling to use proper fd in SIOCPGRP ioctl call
Add strerror() and inet_ntoa() source to libfwall directory for systems that don't have them.
Add option to rlogin-gw to automatically start an X session.
Add timeout processing to rlogin-gw.
Fix SMAP to allow multiple deliveries in a single transaction.
Correct SMAPD error/exit handling.
Make peername() return non-zero on failures.
Remove duplicate entries in ftp-gw operations table.
Correct netacl setuid() using a group id (call setgid instead).
Fix smapd file mode check.
Fix smapd empty file warning message to not report errno when inappropriate.
Fix ftp-gw cpu loop on connect failures.
Ensure ftp-gw deny messages get syslog'd.
http-gw: Fix incorrect quoting in split anchors.
http-gw: Fix incorrect handling of bad URLs with three / chars
Use proper fd when querying peername in x-gw.
Fix http-gw FTP directory listing to strip "*", "@", etc. from listings
Fix core dump when smapd tries to report an unexpected envelope.
http-gw: disallow embedded newlines in gopher URLs
Fix stuck http-gw processes (waiting for a read that will never complete).
Add security proxy handoff to http-gw
Add common default timeout definition to firewall.h

Feb 21 - Nov 5, 1994 - Fixes to V1.2
-------------------------------------

Added DISCLAIMER -- READ it.
Added much better header parsing code to smapd (by Wietse Venema)
Added http proxy
Added X-windows gateway, and x-gw option in tn-gw and rlogin-gw
Took out the "loghost" option in syslog.c
Modified smapd to do more sensible things with its queue. It will now keep a limited number of children going at a time, and will not completely bury the system on startup after a delay.
Fixed netperm-table reading code to handle all blank lines.
Fixed timeout code in ftp-gw to be more forgiving of systems that decrement the passed timeout value.
Revamping of Makefiles to include a master Makefile.config. Please see comments in Makefile.config.
Added ip-options detection based on 4.4bsd sources for rlogind.
Moved the "struct direct" configuration option for smapd into firewall.h -- see the comments near where it says DIRECT_STRUCT
Added improved (I hope!) options negotiation that works better with TN3270 and other telnet clients.
Added checksum printing code to snkkey.c
Moved the smapd compile directive to scan for bad addresses to firewall.h -- see the comments near where it says SMAPD_SCANBADADDR
Clarifications: system log entries now are tagged with relevance strings for sorting and searching. If the system log entry contains the word:
    "securityalert" -- it's probably something you want to know about
    "fwtkcfgerr" -- a firewall toolkit component thinks it is misconfigured
    "fwtksyserr" -- something in how the fwtk uses the O/S failed in a mission-critical way
  Using facilities and levels would be easier but this guarantees that other system alerts won't clash with toolkit notices.
Changed Makefiles to rely on top-level FLAGS and AUXLIBS parameters. This makes it easier to add global system libraries such as -lresolv or -lsocket, etc.
Updated README
Fixed ordering bug in search for permitted destinations in cmd_passthrough() of ftp-gw
Fixed byte count not getting updated by tn-gw when in raw mode
Fix to reset curbytes and currecip in smap upon start of new message body (DATA command)
Added FWTK_VERSION string to firewall.h and included a reference to it in lib/config.c, which is linked into just about all components of the toolkit. Do a:
    strings file | grep -i toolkit
  to extract it
Fixed minor pointer problem with "localhost" mapping in ftp-gw
Added deny connect logging to tn/rlogin/ftpgw
Added ftp-gw summarizer
Fixed minor problem in auth/db.c where it failed to check for an already closed db in authload
Added authdump and authload to "make install" target for auth
Fixed loop drop-out in tn-gw where it failed to let you change your s/key password [Remy.Giraud@meteo.fr]
Modified ftp-gw to exit and log an error if given improper configuration options.
Made authsrv log at LFAC instead of LOG_USER
S/key challenge now uses spaces instead of quotes, for termkey users. (nmh@thumper.bellcore.com)
Revampment of reporting scripts in tools/admin/reporting

Oct 29, 1993 - Feb 17, 1994 - Fixes to V1.1
-------------------------------------------

Added a general purpose routine for setting out of band signalling (HP/UX and SunOS do it differently). See firewall.h
*updated* user's guide, admin guide, and overview slightly.
Support rand() interface for systems too crippled to use random()
Changed mapu() to better named mapuid() and added ability to set group values as well.
Included AIX authentication module to talk to auth server. (Morten.Hermanrud@ibmuio.uio.no)
Added support for Enigma Logics Silver Card. (AUTHPROTO_ENIGMA)
Updated version numbers in rlogin-gw, smap, tn-gw, ftp-gw.
Changed smapd to fopen() files with "r+" -- System V file locking requires [at least on SCO] seekability on the file. smap does not share this problem if using the provided version of mkstemp().
Removed unnecessary berklisms (fchmod and ftruncate) from smap in an attempt to make it more agreeable to sysV machines.
Fixed minor oversight in options processing in oktotalkto() in tn-gw
Fixed array offset bug in stash_option in tn-gw
Fixed "password" length compares in source and docs
Added update to securid client side to work with latest ACE software
Fixed ftpd to not permit users without password entries to attempt to login
Added hook into ftp-gw to check for command argument to treat as a username. This, combined with an ftpd that supports it permits ftpd to exec the ftp-gw if it finds an '@' in the user name.
Added changes to the user() command in the ftpd in tools/server/ftpd
Added "user@" through proxy to explicitly mean "localhost"
Added logic to strip first null byte if first byte is null going through telnet proxy. This appears to be a bug in some versions of telnet, but the exact nature of it remains unknown. The null byte was confusing to some telnet servers, so this appears to be an effective, inexpensive, though somewhat ad hoc patch.
Fixed login-sh to set $SHELL environment variable
Removed truncation bug in tn-gw that chopped long destination names at 20 chars
Fixed an exit(1) in login-sh that should have been return(1)
Added welcome banner to rlogin-gw

Oct 22-29, 1993 - Fixes to V1.0
-------------------------------

Fixed synchronization problem with how FTP proxy talks to the authentication server.
Changed all proxies that use authentication (rlogin-gw, tn-gw, ftp-gw) to exit if they have an incorrectly configured option. This was deemed proper, since if someone wants to configure authentication, and doesn't get the syntax correct, the proxy should fail to work at all, rather than working without using authentication.
Changed rlogin-gw to reset local user identity to whomever the user authenticated as, if using authentication server.
Fixed local/global declaration of confp in crypto/cliio.c
Re-arranged parameter order for password command in authsrv to match order of other commands.
Somewhat beefed up diagnostic messages.
Major revamping of how tn-gw lies to the client. No more timers and all that stuff. I don't know why I didn't think of doing it this way before. Works lots better.
Made the FTP proxy a little more flexible in its handling of responses to challenges. It turns out that challenges with whitespace in them make some FTP clients unhappy, which raised all manner of quoting issues.
Made FTP proxy handle "USER" command more sensibly with authentication, to replace the somewhat awkward "quote auth user" approach.
Updated docs. Added words on rlogin proxy to user's guide. Adjusted man pages.
Removed logentry and logfile options from smap and netacl. Everything should use one logging mechanism: syslog.
Fixed return() that should have been continue; in login-sh, which caused it to exit on comments.
Fixed handling of "baddir" in smapd.
Changed auth server issuance of bogus challenge to be optional. This means that the auth server protocol now must recognize that the responses to an "authenticate username" may now be:
    password
    challenge challengestring
    <other text>
  Where the other text is some form of error message. This change was reflected in tn-gw, rlogin-gw, ftp-gw, ftpd, and login-sh as well as the documentation.
Added comment to auth protocol, to permit proxies to give better logging information to the server. Now all proxies send:
    "authorize username 'comment'"
  which is logged. This entailed changes to authsrv and all clients. Change is backwards compatible with existing code.
Added out of band signal support to rlogin-gw so that window size changes now propagate correctly. Note that some systems without fcntl F_SETOWN will now have to adapt code.
Added hooks to drop tn-gw into a "raw" mode when talking to non-telnet ports through the proxy. This works OK with many versions of telnet but some do not function properly because they are broken in the first place (Sun's PC-NFS telnet client doesn't map cr/lf right)
smapd's notion of where the sendmail executable resides is now configurable.
Fixed offset bug in -dest !hosts in tn/ftp/rlogin-gw and documented the '!' hosts feature (which was present but broken and undocumented in V1.0)
Added more sample config files to config, including some samples from TIS' bastion host.
Changed smap/smapd to no longer operate on publicly readable files.
Added a sleep timeout to authentication failures (see "badsleep" in the man page for authsrv). Instead of locking a user account permanently, by configuring badsleep, you can disable account locking, or set it to a 5 minute (or whatever) lockout.
Added "SCANBADADDR" option to smapd. If this is configured in the smapd makefile, it will perform a draconian translation of all '|' characters found in the message envelope (not header) to '#' characters.
Fixed a bug in how "unknown" was processed.
Fixed conn.c to check rbuf != null, which caused a core dump. :(
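
The V1.0 fixes above list three reply forms a client must recognize from the auth server: "password", "challenge challengestring", or other text that is an error message. The following is an added example, not FWTK code, of a client classifying one reply line so that anything unexpected is treated as a refusal, in line with the toolkit's rule that a proxy should fail rather than run without authentication. The names classify_auth_reply and enum auth_reply are hypothetical, the exact keyword spelling and case are assumed from the changelog text, and the sample replies are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum auth_reply { AUTH_REFUSED = 0, AUTH_PASSWORD, AUTH_CHALLENGE };

/* Hypothetical helper (not FWTK code). On AUTH_CHALLENGE the challenge
 * text is copied to chal; on any other result chal is an empty string. */
enum auth_reply classify_auth_reply(const char *line, char *chal, size_t chalsz)
{
    static const char kw[] = "challenge ";
    const size_t kwlen = sizeof(kw) - 1;
    size_t n, i;

    if (chal == NULL || chalsz == 0)
        return AUTH_REFUSED;
    chal[0] = '\0';
    if (line == NULL)
        return AUTH_REFUSED;

    n = strcspn(line, "\r\n");              /* ignore the line terminator */
    if (n == 8 && memcmp(line, "password", 8) == 0)
        return AUTH_PASSWORD;               /* plain password prompt */

    if (n > kwlen && memcmp(line, kw, kwlen) == 0) {
        size_t clen = n - kwlen;
        if (clen >= chalsz)
            return AUTH_REFUSED;            /* too long: bail out, never truncate */
        for (i = 0; i < clen; i++)          /* challenge is shown to the user */
            if (!isprint((unsigned char)line[kwlen + i]))
                return AUTH_REFUSED;
        memcpy(chal, line + kwlen, clen);
        chal[clen] = '\0';
        return AUTH_CHALLENGE;
    }
    return AUTH_REFUSED;                    /* "<other text>": an error message */
}

int main(void)
{
    /* Constructed sample replies, not captured from a real authsrv. */
    const char *samples[] = { "password\n", "challenge s/key 97 ab1234\n",
                              "Permission Denied.\n", "challenge \033[2J\n" };
    char chal[64];
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%d [%s]\n", classify_auth_reply(samples[i], chal, sizeof chal), chal);
    return 0;
}
```

Rejecting an over-long or non-printable challenge instead of truncating it follows the same approach as the syslog() fix in the 2.0 notes ("On overflow bail out").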