# README,v 1.1.1.1 1995/06/16 21:10:39 seth Exp

*********************************************************************
*                        Contact Information                        *
*********************************************************************

----------------------------------------------------------------------
Contact information:

    freestone-announce@majordomo.soscorp.com  - announcements
    freestone@majordomo.soscorp.com           - users/admins
    freestone-workers@majordomo.soscorp.com   - developers

Please send mail to *-request@majordomo.soscorp.com for administrivia.

--------------------------------------------------
SOS can be reached through:

    http://www.soscorp.com
    +1 800 SOS UNIX

    SOS Corporation
    461 5th Ave; 16th floor
    New York, NY 10017
----------------------------------------------------------------------

*********************************************************************
*                       General Introduction                        *
*********************************************************************

Freestone is simple, yet complex.  It is simple in that the code is
very readable and straightforward; it is complex in terms of the
initial effort most people will need before everything required has
been retrieved, compiled, and configured as a secure firewall.

Freestone should be thought of as providing many of the tools needed
to build a secure firewall, rather than as a turnkey solution.  People
attempting to install Freestone as a fully functional firewall (as
opposed to just looking at it) should be intimately familiar with the
process of compiling, configuring, and installing major pieces of
software on their operating system.  They should also be intimately
familiar with "Firewalls and Internet Security: Repelling the Wily
Hacker" by Cheswick and Bellovin, and should thus have a very good
idea of what is required to build a secure firewall.

You are the only person responsible for making sure that the way you
compiled and configured everything results in a secure environment.
*********************************************************************
*                            Compilation                            *
*********************************************************************

In order simply to compile the core Freestone programs (e.g. btelnet,
bftp, bmaild, brequeued), there are several packages which most people
will have to retrieve.  Please read the file README.requirements and
retrieve the suggested packages.  Install the various programs in your
search path, the libraries in the linker's search path, and the
include files in cpp's search path.

Once you have compiled and installed everything *except* Freestone,
you are finally ready to type make.  There are a number of targets you
can make.  The most useful are:

    make freestone    # Standard compile using S/Key
    make test         # Above plus debugging
    make noauth       # Standard compile without S/Key

    make depend       # Include file dependency building
    make build        # Compile tree
    make clobber      # Delete compile tree
    make neat         # Clean most (except .depend and target)
    make clean        # Clean everything

You must select a compile target (one of the choices in the first
section) the first time you compile and whenever you `make clean`.
This selects which authentication types and which other options are
built in; note that `make noauth` leaves out S/Key one-time-password
support, so the proxies built that way cannot demand it of users.

If you have problems, read README.porting before doing anything else.

*********************************************************************
*                     Installation/Configuration                     *
*********************************************************************

In our opinion, installation and configuration are the hardest parts
of securely installing a firewall.  It is not enough that the code be
correct; the interaction between different packages and the manner in
which the programs are invoked are critical for security.

In the instructions below we recommend chroot()ing everything which
can possibly be chroot()ed, and a few things which many people would
say cannot be chroot()ed.
We also recommend running everything that interacts with the user
under an alternate, unprivileged UID, so that a compromised proxy has
neither root nor a writable tree to work with.

We would like to emphasize once more that this stage is critical.  If
you do not understand why we are doing something in a certain manner,
you should perhaps go off and read the Firewalls book some more until
you understand it fully.  We provide some sample configuration files
plus minimal instructions in README.config, but it is critical to
understand what they are trying to do, since you will not be
configuring your system with the same addresses, DNS maps, and remote
hosts that we do.

Install xforward and bsrelay in /usr/local/BS/proxy/meta

Install btelnet and bftp in /usr/local/BS/proxy/bin
    Remember that /usr/local/BS/proxy/etc/bs.client.conf can be used
    to configure them.

Install bmaild and brequeued in /usr/local/BS/mail/bin
    Remember that /usr/local/BS/mail/etc/bs.client.conf can be used
    to configure them.

Install sendmail in /usr/lib/sendmail,
    /usr/local/BS/mail/usr/lib/sendmail, and
    /usr/local/BS/watcher/usr/lib/sendmail
    Configure sendmail in each environment.

Install inetd in /usr/etc/inetd
    Remember to configure /etc/inetd.conf to use tcpd.

Install tcpd in /usr/local/etc/tcpd
    Remember to configure /etc/hosts.allow (and deny everything you
    have not explicitly allowed).

Install perl5 in /bin/perl5 and /usr/local/BS/watcher/bin/perl5

Install syslogd in /usr/local/BS/syslog/bin

Install swatch++ in /usr/local/BS/watcher/bin
    Configure swatch++ in /usr/local/BS/watcher/etc/bsmon.swatch++

Install NTP in /usr/local/BS/ntp/usr/local/etc
    Remember to configure /usr/local/BS/ntp/etc/ntp.conf
    Use the restrict keyword.

Install named in /usr/local/BS/named/var/private/bin

Install a properly configured resolv.conf in almost any .../etc
directory you can find.

Install tripwire someplace.

You will most likely have to experiment to see what files are required
in each chroot()ed environment.  Things like /etc/resolv.conf,
/etc/services, and /dev/log are needed by most people.  /dev/null and
/dev/zero are also needed in some configurations.  Put in each tree
only what the program in it actually needs: no shells, compilers, or
setuid programs, and no directories writable by the service's UID.
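The chroot() file requirements above are easy to get wrong in both directions: leave out /etc/resolv.conf and the proxy cannot resolve names; copy in too much and a compromised proxy has tools to work with. Below is an added shell example (not Freestone's own code) that builds the skeleton for one /usr/local/BS/<service> tree from the README's minimal file list and then audits it for missing required files, world-writable files, and setuid programs. The function names, the directory list, and the Linux major/minor numbers passed to mknod are assumptions; substitute your system's values.

```shell
#!/bin/sh
# Added example, not part of Freestone: build and audit a minimal chroot()
# skeleton for one /usr/local/BS/<service> tree.  The file list is the
# README's minimal set; the directory names, the device major/minor numbers
# (Linux values) and the function names are assumptions.

# Files the README says most chroot()ed programs need.
CHROOT_REQUIRED="etc/resolv.conf etc/services dev/log"
# Files needed only in some configurations.
CHROOT_OPTIONAL="dev/null dev/zero"

# populate_chroot SRC ROOT
# Create the directory skeleton under ROOT and copy in, read-only, the
# regular files from SRC (normally /) that the service needs.  Entries under
# dev/ are skipped: /dev/log is a socket that syslogd must create inside
# ROOT (it cannot be copied), and the device nodes need mknod (below).
populate_chroot() {
    src=$1 root=$2
    for d in etc dev bin lib usr/lib; do
        mkdir -p "$root/$d" || return 1
    done
    for f in $CHROOT_REQUIRED $CHROOT_OPTIONAL; do
        case $f in dev/*) continue ;; esac
        if [ -f "$src/$f" ]; then
            cp "$src/$f" "$root/$f" && chmod 444 "$root/$f" || return 1
        fi
    done
    # Nothing in the jail should be writable by the service's alternate UID.
    chmod -R go-w "$root"
}

# make_devices ROOT
# Create /dev/null and /dev/zero inside ROOT.  Requires root.  The major and
# minor numbers are Linux's; take your system's from `ls -l /dev/null`.
make_devices() {
    root=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "make_devices: must be root to mknod under $root" >&2
        return 1
    fi
    [ -c "$root/dev/null" ] || mknod -m 666 "$root/dev/null" c 1 3 || return 1
    [ -c "$root/dev/zero" ] || mknod -m 666 "$root/dev/zero" c 1 5 || return 1
}

# check_chroot ROOT
# Print one line per problem and return 1 if any were found:
#   "missing: PATH"  a required file is absent
#   "writable: PATH" a file others can write (a place to plant code)
#   "setuid: PATH"   a setuid/setgid file (a way back out of the alternate UID)
# Paths with whitespace are not handled; a jail should not contain any.
check_chroot() {
    root=$1 status=0
    for f in $CHROOT_REQUIRED; do
        if [ ! -e "$root/$f" ]; then
            echo "missing: $f"; status=1
        fi
    done
    for p in $(cd "$root" && find . -type f -perm -002 | sed 's|^\./||'); do
        echo "writable: $p"; status=1
    done
    for p in $(cd "$root" && find . -type f \( -perm -4000 -o -perm -2000 \) \
               | sed 's|^\./||'); do
        echo "setuid: $p"; status=1
    done
    return $status
}

# Run as:  sh chroot-skel.sh SRC ROOT   e.g.  sh chroot-skel.sh / /usr/local/BS/proxy
# Without arguments the file only defines the functions above.
if [ $# -eq 2 ]; then
    populate_chroot "$1" "$2" || exit 1
    make_devices "$2" || true        # not root: make the nodes later
    check_chroot "$2" && echo "$2: ok"
fi
```

Run check_chroot again after every change to a jail, and before the service in it is exposed to the network; an empty report is the condition you want, not a report you have read and accepted.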
If your machine does not support static libraries, tell your vendor
that, yes, indeed, sometimes static compilation is good for the soul,
and then install the dynamic libraries and run-time linker in each
chroot()ed environment.

Finally, last but certainly not least, turn off IP forwarding, ICMP
redirects, source routing, multicasting, NFS, and anything else which
seems unneeded.  IP forwarding in particular must stay off: with it
on, packets can cross the firewall without ever touching the proxies.
Make the setting part of the kernel or boot configuration so that it
survives a reboot, and verify it after every upgrade.

*********************************************************************
*                            Management                             *
*********************************************************************

Once you have everything set up, tested, and working, you now need to
add users and restrict their actions.  This is done through the
Freestone ACL, which is minimally documented in bs.acl.conf(5).  On
the firewall, this file should be located in

    /usr/local/BS/proxy/etc/bs.acl.conf

You should avail yourself of the checkconfig, testauth, and testconfig
programs to verify that the rules do what you want.

You should be able to access the firewall through the console and, if
you have it configured, through the SUPDUP port.  We strongly suggest
that if you are using SUPDUP, you use an encrypting telnet along with
one-time passwords.