Next: EtherGuard Up: Optional Authorization Fields Previous: Time Dependent Authorization

Service Limits

As installed, the Eagle blocks the passage of all network services into and out of your network, with the exception of SMTP (electronic mail). You can enable other network services to pass under the control of the authorization file. Because customers want to be able to use the common ftp and telnet services, the Eagle provides the ability to permit the passage of these services and to control who can use them, both inside and outside of your Eagle-secured network. All services, except SMTP, are denied to hosts not listed in your authorization file. You may want to provide additional services to some hosts and limit services to others. For example, you might only allow outside hosts to upload files via ftp to a single host on your internal network while allowing all inside nodes to download files from outside hosts. Similarly, you could deny a service altogether, such as telnet, except to designated hosts.

Service limit rules are enclosed in parentheses ( ) and may specify one or more of the limits in the table below.

For example, to restrict users from faraway.outbound.com to file transfers only, use this service limit:

faraway.outbound.com allow mymachine (notelnet)

Users may specify an alternative port number or symbolic service name (from /etc/services) on the destination machine. Authorization rules may contain restrictions on this facility. Examples follow:

mymachine allow faraway.outbound.com (telnet.all)

This example allows users on mymachine to use telnet to specify all alternative port numbers on faraway.outbound.com. Other options include telnet.none (deny use of alternative ports), telnet.finger (limit use of alternative ports to the finger service, usually port number 79), and telnet.nofinger (allow use of all alternative ports except the finger service). In addition, you can specify any port number/service in an authorization rule, such as telnet.3001.

By default, all users in the Eagle-protected network are authorized to access all ports on remote hosts, while all remote hosts are limited to the standard telnet service.

You can specify an alternative port in the telnet dialogue, as follows:

Hostname: faraway.outbound.com portnumber
Hostname: faraway.outbound.com service name

Such telnet connections will use the telnet protocol for communication with the remote host if the service on the specified portnumber is a telnet-based service. Otherwise, the Eagle will merely pass characters between the two hosts. To force the connection to use the telnet protocol, use the following syntax (note the leading -):

Hostname: faraway.outbound.com -portnumber
Hostname: faraway.outbound.com -service name

By default, telnet and ftp users may have to identify themselves and enter a password to get into or out of a protected network. Use the auth service limit to specify a particular user authentication method. Use noauth to allow access to a machine without requiring user authentication. The syntax for specifying auth and noauth service limits is:

auth = [ method ]
noauth

where method is gwpasswd for Gateway User Authentication, or ace for Secure ID, or both separated by a comma. If you list more than one method, each is tried until one succeeds. Refer to Chapter for additional information on user authentication methods.

The user and group service limits refer to user authentication. These limits specify one or more users or groups that must identify themselves with a symbolic name and enter a password to get into or out of the protected network. Refer to Chapter for details. The syntax for specifying user and group service limits is:

user = [ userlist ]
group = [ grouplist ]

where userlist is a list of one or more users (separated by commas) in the Gateway User Database, /usr/adm/sg/gwpasswd, and grouplist is a list of one or more groups (separated by commas) in the Gateway Groups Database, /usr/adm/sg/gwgroup. To negate the service limit, place an exclamation point at the start of the user list specification. If you wanted to permit telnet access only to users sandi and steve, for example, you would enter:

user = [ sandi,steve ]

To allow all users except sandi and steve to use telnet, enter:

user = ![ sandi,steve ]

The user list has precedence over the group list. For example if steve is in group systems, the following still allows steve to have access:

my.univ.edu allow myhost (user=[steve], group=![systems])
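To make the precedence rule concrete, here is an added example (not part of the Eagle documentation or product) that parses the subset of authorization-rule syntax shown above and decides whether a named user passes the user and group limits. The function names are hypothetical, and one reading of "precedence" is assumed: the user list decides for any user it names, and the group list is consulted only for users it does not name.

```python
import re

# Added example: parser/evaluator for the Eagle rule subset on this page.
# Function names and the user-over-group precedence semantics are assumptions.
RULE_RE = re.compile(r"^(\S+)\s+allow\s+(\S+)\s*(?:\((.*)\))?\s*$")
LIST_RE = re.compile(r"^(user|group|auth)\s*=\s*(!?)\s*\[\s*(.*?)\s*\]$")

def split_limits(text):
    """Split on commas at bracket depth 0 only, so 'user=[ a,b ], group=![c]' stays two items."""
    parts, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur.strip()); cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts

def parse_rule(line):
    """Parse 'source allow destination (limit, ...)' into a dict."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an allow rule: {line!r}")
    src, dst, raw = m.groups()
    limits = {}
    for item in split_limits(raw or ""):
        lm = LIST_RE.match(item)
        if lm:  # user=[...], group=![...], auth=[...] -> (negated?, names)
            key, neg, body = lm.groups()
            names = [n.strip() for n in body.split(",") if n.strip()]
            limits[key] = (neg == "!", names)
        else:   # bare keywords such as notelnet, noauth, telnet.all, telnet.3001
            limits[item] = True
    return {"source": src, "destination": dst, "limits": limits}

def user_permitted(rule, user, groups):
    """Assumed semantics: user list decides for users it names; group list for the rest."""
    limits = rule["limits"]
    if "user" in limits:
        neg, names = limits["user"]
        if user in names:
            return not neg
        if "group" not in limits:
            return neg          # positive list denies unnamed users; negated list admits them
    if "group" in limits:
        neg, names = limits["group"]
        return (not groups.isdisjoint(names)) != neg
    return True                 # no user/group limit: any authenticated user passes
```

With the rule above, steve is admitted even though he is in group systems, while another member of systems is refused by the negated group list.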



tkevans@delmarva.com