Current directory: /security/coast/firewalls/freestone/freestone/
Contents of README:
# README,v 1.1.1.1 1995/06/16 21:10:39 seth Exp

 *********************************************************************
 *                       Contact Information                         *
 *********************************************************************

----------------------------------------------------------------------
Contact information:

freestone-announce@majordomo.soscorp.com	- announcements
freestone@majordomo.soscorp.com		- users/admins
freestone-workers@majordomo.soscorp.com	- developers

Please send mail to *-request@majordomo.soscorp.com for administrivia.

--------------------------------------------------
SOS can be reached through:

<sales@soscorp.com>

http://www.soscorp.com

+1 800 SOS UNIX

SOS Corporation
461 5th Ave; 16th floor
New York, NY 10017
----------------------------------------------------------------------



 *********************************************************************
 *                       General Introduction                        *
 *********************************************************************

Freestone is simple, yet complex.  It is simple in that the code is
very readable and straightforward; yet it is complex in that most
people must put considerable initial effort into obtaining everything
needed to get it compiled and configured as a secure firewall.
Freestone should be thought of as providing many of the tools needed
to make a secure firewall, rather than as a turnkey solution.

People attempting to install Freestone as a fully functional firewall
(as opposed to just looking) should be intimately familiar with the
process of compiling, configuring, and installing major pieces of
software on their operating systems.  They should also be intimately
familiar with "Firewalls and Internet Security: Repelling the Wily
Hacker" by Cheswick and Bellovin and should thus have a very good idea
of what is required to build a secure firewall.  You are the only
person responsible for making sure that the way you compiled and
configured everything results in a secure environment.



 *********************************************************************
 *                           Compilation                             *
 *********************************************************************

In order simply to compile the core Freestone programs (e.g. btelnet,
bftp, bmaild, brequeued), there are several packages which most people
will have to retrieve.  Please read the file README.requirements and
retrieve the suggested packages.  You should install the various
programs in your search path, install the libraries in the linker's
search path, and install the include files in cpp's search path.

Once you have compiled and installed everything *except* freestone,
you are finally ready to type make.  

You have a number of targets which you can make.  The most useful are:

make freestone			# Standard compile using S/Key
make test			# Above plus debugging
make noauth			# Standard compile without S/Key

make depend			# Include file dependency building

make build			# Compile tree
make clobber			# Delete compile tree

make neat			# Clean most (except .depend and target)
make clean			# Clean everything


You must select a compile target (one of the choices in the first
section) the first time you compile and whenever you `make clean`.
This selects what authentication types and what other options should
be used.

If you have problems, read README.porting before doing anything else.



 *********************************************************************
 *                    Installation/Configuration                     *
 *********************************************************************

In our opinion, installation and configuration are the hardest parts
of securely installing a firewall.  It is not enough that the code be
correct; the interaction between different packages and the manner in
which the programs are invoked is critical for security.

We recommend, in the below instructions, chroot()ing everything which
can possibly be chroot()ed and a few things which many people would
say cannot be chroot()ed.  We also recommend having everything
interacting with the user run on an alternate UID.

We would like to emphasize once more that this stage is critical.  If
you do not understand why we are doing something in a certain manner,
you perhaps should go off and read the Firewalls book some more until
you understand in all fullness.

We provide some sample configuration files plus minimal instructions in
README.config, but it is critical to understand what they are trying
to do, since you will not be configuring your system with the same
addresses, DNS maps, and remote hosts that we do.

Install xforward and bsrelay in /usr/local/BS/proxy/meta
Install btelnet and bftp in /usr/local/BS/proxy/bin
	remember /usr/local/BS/proxy/etc/bs.client.conf
	can be used to configure them.

Install bmaild and brequeued in /usr/local/BS/mail/bin
	remember /usr/local/BS/mail/etc/bs.client.conf
	can be used to configure them.

Install sendmail in /usr/lib/sendmail, /usr/local/BS/mail/usr/lib/sendmail,
	/usr/local/BS/watcher/usr/lib/sendmail
Configure sendmail in each environment

Install inetd in /usr/etc/inetd
	Remember to configure /etc/inetd.conf to use tcpd
Install tcpd in /usr/local/etc/tcpd
	Remember to configure /etc/hosts.allow

Install perl5 in /bin/perl5 and /usr/local/BS/watcher/bin/perl5
Install syslogd in /usr/local/BS/syslog/bin

Install swatch++ in /usr/local/BS/watcher/bin
	Configure swatch++ in /usr/local/BS/watcher/etc/bsmon.swatch++

Install NTP in /usr/local/BS/ntp/usr/local/etc
	Remember to configure /usr/local/BS/ntp/etc/ntp.conf
	Use the restrict keyword

Install named in /usr/local/BS/named/var/private/bin
Install a properly configured resolv.conf in almost any
	.../etc directory you can find

Install tripwire someplace.


You will most likely have to experiment to see what files are required
in each chroot()ed environment.  Things like /etc/resolv.conf,
/etc/services, and /dev/log are needed by most people.  /dev/null and
/dev/zero are also needed in some configurations.  If your machine
does not support static libraries, tell your vendor that, yes, indeed
sometimes static compilation is good for the soul, and then install
the dynamic libraries and run time linkers in each chroot()ed
environment.
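The jail-population procedure described above, as an added example
that is not part of the Freestone distribution: it builds the
skeleton, copies the files the README lists as needed by most people
(/etc/resolv.conf, /etc/services, /dev/null, /dev/zero), and copies
each program together with the dynamic libraries ldd reports for it.
The function names, the Linux-style ldd output format, and the Linux
device numbers for null (1,3) and zero (1,5) are assumptions of this
example.

```shell
#!/bin/sh
# Build a chroot() jail for Freestone components (illustrative; not SOS code).
# Assumes Linux-style "lib => /path (0x...)" ldd output and Linux device numbers.

# jail_skel JAILROOT : create the directory skeleton with sane permissions
jail_skel() {
    for d in etc dev bin lib usr/lib; do
        mkdir -p "$1/$d" || return 1
    done
    chmod 755 "$1" "$1/etc" "$1/dev" "$1/bin" "$1/lib" "$1/usr/lib"
}

# jail_copy JAILROOT SRC [DEST] : copy SRC to JAILROOT/DEST (default: same path),
# read-only; a missing SRC is reported and skipped rather than aborting the build
jail_copy() {
    dest=${3:-$2}
    [ -e "$2" ] || { echo "skip: $2 not found" >&2; return 0; }
    mkdir -p "$1$(dirname "$dest")" &&
    cp -p "$2" "$1$dest" &&
    chmod a-w "$1$dest"
}

# jail_libs BIN : print the shared libraries BIN needs, one absolute path per line
# (prints nothing for a statically linked binary or when ldd is unavailable)
jail_libs() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'
}

# jail_devs JAILROOT : create /dev/null and /dev/zero; needs root for mknod
jail_devs() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "warning: not root, skipping device nodes" >&2; return 0
    fi
    [ -e "$1/dev/null" ] || mknod -m 666 "$1/dev/null" c 1 3
    [ -e "$1/dev/zero" ] || mknod -m 666 "$1/dev/zero" c 1 5
}

# jail_build JAILROOT BIN... : the whole procedure; programs land in JAILROOT/bin
jail_build() {
    root=$1; shift
    jail_skel "$root" || return 1
    for f in /etc/resolv.conf /etc/services; do jail_copy "$root" "$f" || return 1; done
    jail_devs "$root"
    for bin; do
        jail_copy "$root" "$bin" "/bin/$(basename "$bin")" || return 1
        for lib in $(jail_libs "$bin"); do jail_copy "$root" "$lib" || return 1; done
    done
}
```

Run as `jail_build /usr/local/BS/proxy /path/to/btelnet /path/to/bftp`;
/dev/log still has to be provided by syslogd itself, as the README notes.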

Finally, last but certainly not least, turn off IP forwarding, ICMP
redirects, source routing, multicasting, NFS, and anything else which
seems unneeded.
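An audit of the kernel settings the paragraph above says to turn off,
as an added example that is not part of Freestone.  It assumes a
Linux /proc/sys interface (the README's contemporaries used ndd or
sysctl instead) and that PROC_SYS may be pointed at a test tree; the
knob names are the Linux ones for forwarding, ICMP redirects, source
routing and multicast forwarding.  NFS is a service, not a kernel
knob, and is not covered here.

```shell
#!/bin/sh
# Report which of the README's "turn it off" settings are still on (illustrative).
# PROC_SYS defaults to the live kernel; point it elsewhere to audit a saved tree.

: "${PROC_SYS:=/proc/sys}"

# net_knob_ok KNOB EXPECTED : print one status line; 0 if KNOB equals EXPECTED
net_knob_ok() {
    f="$PROC_SYS/$1"
    [ -r "$f" ] || { echo "MISSING $1"; return 1; }
    v=$(cat "$f")
    if [ "$v" = "$2" ]; then echo "ok      $1=$v"; return 0; fi
    echo "BAD     $1=$v (want $2)"; return 1
}

# net_audit : check every knob; the return value is the number of failing knobs
net_audit() {
    fails=0
    for k in net/ipv4/ip_forward=0 \
             net/ipv4/conf/all/accept_redirects=0 \
             net/ipv4/conf/all/send_redirects=0 \
             net/ipv4/conf/all/accept_source_route=0 \
             net/ipv4/conf/all/mc_forwarding=0; do
        net_knob_ok "${k%=*}" "${k#*=}" || fails=$((fails + 1))
    done
    return $fails
}
```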



 *********************************************************************
 *                            Management                             *
 *********************************************************************

Once you have everything set up, tested, and working, you now need to
add users and restrict their actions.  This is done through the
Freestone ACL, which is minimally documented in bs.acl.conf(5).  This
file should be located, on the firewall, in
/usr/local/BS/proxy/etc/bs.acl.conf

You should avail yourself of the checkconfig, testauth, and testconfig
programs to verify that the rules do what you want.

You should be able to access the firewall through the console and, if
you have it configured, through the SUPDUP port.  We strongly suggest
that if you are using SUPDUP, you use an encrypting telnet along
with one-time passwords.


Directory contents:

Name                      Last modified      Size
Blurb                     14-Jun-2000        3.7K
LICENSE                   14-Jun-2000        3.7K
README                    14-Jun-2000        7.2K
README.config             14-Jun-2000        20K
README.porting            14-Jun-2000        3.1K
README.requirements       14-Jun-2000        10K
freestone-1.0.tar.gz      14-Jun-2000        139K