Specifications

3 Firewall Administration System (FAS)
Internal FTP Proxy Configuration
In this module, the filter rules are also generated automatically. The internal
network of Example, Inc., is added for the allowed clients:
Access allowed for: 192.168.10.0/24
Generic TCP Proxy
rinetd is used as the generic proxy. This is software that accepts a connection
on one interface and forwards the incoming data via another interface to
a different machine. The forwarding is port-dependent: it is really the routing
of TCP connections at the application level.
rinetd can only route connections across one channel. It cannot be used as an
FTP proxy because an FTP connection uses two channels.
The generic proxy rinetd should be used if there is no dedicated Application
Level Gateway (such as ftp-proxy-suite or Squid). With rinetd, for example,
POP3 connections can be passed through the firewall in a simple and secure
manner.
rinetd also supports complete logging: all incoming connections are
recorded by syslogd.
Read more in the man page for rinetd (man rinetd).
Configuring the Generic Proxy
The ‘Forwarding’ dialog is shown in Figure 3.29 on the following page. Click
‘Add’ to make the settings for rinetd connections.
In the first dialog (Figure 3.30 on page 71), enter the following data:
Bind address is the IP address on which rinetd should accept a connection.
Bind port is the port number of the service to forward.
Connection address is the IP address of the host providing a service.
Connection port is the corresponding port number for the service.
Click the ‘RINETD ACLs’ tab to define the “allow” and “deny” rules. These
rules restrict the source addresses of incoming TCP connections. Specify
individual IP addresses or IP address ranges. Allowed characters in the allow
and deny attributes are the digits 0 to 9, period (‘.’), question mark (‘?’),
SuSE Linux Firewall on CD 2
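To see how the forwarding fields and the allow/deny rules above fit together, here is an added example (not from the manual or from rinetd itself) that parses a small, constructed rinetd.conf and decides whether a client address would be accepted for a forwarding rule. It implements the ‘?’ wildcard named on this page and also the ‘*’ wildcard documented in man rinetd; the addresses and the configuration text are made up.

```python
import re

# Constructed rinetd.conf: "bindaddress bindport connectaddress connectport"
# defines a forward; allow/deny lines before the first forward are global,
# later ones belong to the forward they follow.
SAMPLE_CONF = """
allow 192.168.10.*
deny 192.168.10.1
# POP3 arriving on the firewall goes to the internal mail host (fictitious)
192.168.10.254 110 10.0.0.5 110
deny 192.168.10.20?
"""

def matches(pattern: str, ip: str) -> bool:
    """Patterns are matched against the dotted-decimal text of the address:
    '?' is one character, '*' any run (the '*' wildcard comes from man rinetd,
    not from this page); digits and '.' are literal, nothing else is allowed."""
    if not re.fullmatch(r"[0-9.?*]+", pattern):
        raise ValueError(f"illegal character in ACL pattern {pattern!r}")
    regex = "".join({"?": ".", "*": ".*"}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(regex, ip) is not None

def parse_conf(text: str):
    """Return (global_allow, global_deny, forwards); each forward is a dict."""
    g_allow, g_deny, forwards = [], [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] in ("allow", "deny"):
            # attach to the last forward if one has been seen, else globally
            if forwards:
                forwards[-1][parts[0]].append(parts[1])
            else:
                (g_allow if parts[0] == "allow" else g_deny).append(parts[1])
        else:
            ba, bp, ca, cp = parts
            forwards.append({"bind": (ba, int(bp)), "connect": (ca, int(cp)),
                             "allow": [], "deny": []})
    return g_allow, g_deny, forwards

def _passes(ip: str, allows: list, denies: list) -> bool:
    # If any allow rules exist the client must match one; a deny match refuses.
    if allows and not any(matches(p, ip) for p in allows):
        return False
    return not any(matches(p, ip) for p in denies)

def client_allowed(ip: str, fwd: dict, g_allow: list, g_deny: list) -> bool:
    """The client must pass both the global rules and the forward's own rules."""
    return _passes(ip, g_allow, g_deny) and _passes(ip, fwd["allow"], fwd["deny"])
```

Call `parse_conf(SAMPLE_CONF)` and then `client_allowed(ip, forwards[0], g_allow, g_deny)`; note that a pattern such as `192.168.10.???` does not match the one-digit host `192.168.10.7`, since each ‘?’ stands for exactly one character.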