The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

xfwp (1)
  • >> xfwp (1) ( Solaris man: Команды и прикладные программы пользовательского уровня )
  • 
    NAME
         xfwp - X firewall proxy
    
    SYNOPSIS
         xfwp [option ...]
    
    COMMAND LINE OPTIONS
         The command line options that can be specified are:
    
         -cdt num_secs
                 Used to override the default  time-to-close  (604800
                 seconds)  for  xfwp client data connections on which
                 there is  no  activity  (connections  over  which  X
                 protocol is already being relayed by xfwp)
    
         -clt num_secs
                 Used to override the  default  time-to-close  (86400
                 seconds) for xfwp client listen ports (ports on xfwp
                 to which X clients  first  connect  when  trying  to
                 reach an X server)
    
         -pdt num_secs
                 Used to override  the  default  time-to-close  (3600
                 seconds)  for  Proxy  Manager  connections  on which
                 there is no activity
    
         -config file_name
                 Used to specify the configuration the  name  of  the
                 configuration file
    
         -pmport port_number
                 Used to override the default port address (4444) for
                 proxy manager connections
    
         -verify Used to display the configuration file rule that was
                 actually matched for each service request
    
         -logfile file_name
                 Used to specify the  name  of  a  file  where  audit
                 information  should  be  logged.   The  format  of a
                 logged entry is: time of day; event code; source  IP
                 address;  destination  IP address; and configuration
                 rule  number.   The  event  codes  are:  "0"  for  a
                 successful connection; "1" if a connection is denied
                 because of  a  configuration  rule;  and  "2"  if  a
                 connection  is  denied  because  of an authorization
                 failure.   If  the  event  code  is   "1",   and   a
                 configuration  file  is used, the configuration rule
                 number is the line number of the configuration  file
                 where   the   match   was   made  (see  the  section
                 CONFIGURATION FILE for more  information).   If  the
                 event  code  is not "1", or if no configuration file
                 is used, the configuration rule number is "-1".
    
         -loglevel {0,1}
                 Used to specify the  amount  of  audit  detail  that
                 should  be  logged.   If  "0",  all  connections are
                 logged.  If "1", only unsuccessful  connections  are
                 logged.
    
         -max_pm_conns num_connections
                 Used to specify the maximum number of Proxy  Manager
                 connections.  The default is 10.
    
         -max_pm_conns num_connections
                 Used to specify  the  maximum  number  of  X  server
                 connections.  The default is 100.
    
    DESCRIPTION
         The X firewall proxy (xfwp) is an application layer  gateway
         proxy  that may be run on a network firewall host to forward
         X traffic across the firewall.  Used in conjunction with the
         X server Security extension and authorization checking, xfwp
         constitutes a safe, simple, and reliable mechanism  both  to
         hide  the addresses of X servers located on the Intranet and
         to enforce a server connection policy.  Xfwp cannot  protect
         against  mischief originating on the Intranet; however, when
         properly configured  it  can  guarantee  that  only  trusted
         clients  originating  on  authorized external Internet hosts
         will be allowed inbound access to local X servers.
    
         To use xfwp there must be an X proxy manager running in  the
         local  environment  which has been configured at start-up to
         know the location of the xfwp. [NOTE:   There  may  be  more
         than  one  xfwp  running  in  a local environment; see notes
         below on load balancing for further discussion.]  Using  the
         xfindproxy  utility  (which  relays its requests through the
         proxy manager) a user asks xfwp to allocate a client  listen
         port   for  a  particular  X  server,  which  is  internally
         associated with all  future  connection  requests  for  that
         server.   This client listen port address is returned by the
         proxy manager through xfindproxy.   The  xfwp  hostname  and
         port  number  is  then  passed  out-of-band (i.e., via a Web
         browser) to some remote X client,  which  will  subsequently
         connect to xfwp instead of to the target X server.
    
         When an X client connection request appears on one of xfwp's
         listen  ports, xfwp connects to the X server associated with
         this listen port and performs authorization  checks  against
         the  server  as  well as against its own configurable access
         control list for requesting clients.  If these checks  fail,
         or  if  the requested server does not support the X Security
         Extension, the client connection is refused.  Otherwise, the
         connection  is  accepted and all ensuing data between client
         and server is relayed by xfwp until  the  client  terminates
         the  connection or, in the case of an inactive client, until
         a configured timeout period is exceeded.  Xfwp  is  designed
         to  block  while  waiting  for  activity on its connections,
         thereby minimizing demand for system cycles.
    
         If xfwp is run without a  configuration  file  and  thus  no
         sitepolicy  is  defined,  if xfwp is using an X server where
         xhost + has been run to turn  off  host-based  authorization
         checks,  when a client tries to connect to this X server via
         xfwp, the X server will deny the connection.  If  xfwp  does
         not  define  a  sitepolicy, host-based authorization must be
         turned on for clients to connect to  an  X  server  via  the
         xfwp.
    
    INTEROPERATION WITH IP PACKET-FILTERING ROUTERS
         The whole purpose of the xfwp is to provide reliable control
         over  access  to  Intranet  X servers by clients originating
         outside the firewall.  At  the  present  time,  such  access
         control  is  typically  achieved  by firewall configurations
         incorporating IP packet-filtering routers.  Frequently,  the
         rules  for such filters deny access to X server ports (range
         6000 - 6xxx) for all Intranet host machines.
    
         In order for xfwp to do its job, restrictions on access  for
         ports  6001 - 6xxx must be removed from the rule-base of the
         IP packet-filtering router.  [NOTE:  xfwp only assigns ports
         in the range beginning with 6001; access to port 6000 on all
         Intranet hosts may continue to be denied.]   This  does  not
         mean the Intranet firewall will be opened for indiscriminate
         entry  by  X  clients.   Instead,  xfwp  supports  a   fully
         configurable  rule-based  access  control system, similar to
         that of the IP packet-filter router itself. Xfwp  in  effect
         adds  another  level  of  packet-filtering  control which is
         fully configurable and applies specifically  to  X  traffic.
         See  section entitled CONFIGURATION FILE, below, for further
         details.
    
    INSTALLATION, SETUP AND TROUBLESHOOTING
         Xfwp is  typically  run  as  a  background  process  on  the
         Intranet firewall host.  It can be launched using any of the
         command-line options described above.  As noted above,  xfwp
         works  only  in  conjunction  with  proxy  manager  and  the
         xfindproxy utility.  It can also be configured to support  a
         user-defined  X  server site security policy, in which the X
         server is required to indicate to xfwp  whether  or  not  it
         supports  the  particular  policy.  Consult the X server man
         pages for further information  on  these  components.   Xfwp
         diagnostics  can  be turned on by compiling with the -DDEBUG
         switch. Connection status  can  be  recorded  by  using  the
         -logfile and -loglevel command line options.
    
    PERFORMANCE, LOAD BALANCING AND RESOURCE MANAGEMENT
         Xfwp manages four different  kinds  of  connections:   proxy
         manager  (PM)  data,  X  client listen, X client data, and X
         server.  The sysadmin employing xfwp must understand how the
         resources  for  each of these connection types are allocated
         and reclaimed by xfwp in order to optimize the  availability
         of xfwp service.
    
         Each connection-type has  a  default  number  of  allocation
         slots and a default timeout.  The number of allocation slots
         for PM connections and X server connections is  configurable
         via  command  line  options.   Connection  timeouts are also
         configurable via  command  line  options.   Each  connection
         timeout represents the period the connection will be allowed
         to remain open in  the  absence  of  any  activity  on  that
         connection.  Whenever there is activity on a connection, the
         time-to-close   is   automatically   reset.    The   default
         distribution  of  total  process connection slots across the
         four connection types, as well  as  the  choice  of  default
         timeouts  for  the connection types, is governed by a number
         of assumptions embedded in the xfwp use model.
    
    
         The default number of PM connections is 10 and  the  default
         duration  for  PM  connections is 3,600 seconds (1 hour) for
         each connection after time of last  activity.  At  start-up,
         xfwp  listens for PM connection requests on any non-reserved
         port (default of 4444 if not specified on the xfwp  command-
         line).  The PM normally connects to xfwp only when a call is
         made to the PM with xfindproxy. Thereafter, the  PM  remains
         connected to xfwp, even after the messaging between them has
         been completed, for the default connection duration  period.
         In  some  cases this may result in depletion of available PM
         connection slots.  If the sysadmin expects connections to  a
         single xfwp from many PM's, xfwp should be started using the
         -pdt command line option, with a  timeout  value  reflecting
         the  desired  duration  that  inactive  connections  will be
         permitted to remain open.
    
         Xfwp client listeners are set up by a call to xfindproxy and
         continue  to  listen  for X client connection requests for a
         default duration of 86,400 seconds (24 hours) from the point
         of  last  activity.   After this time they are automatically
         closed and their fd's recovered for future  allocation.   In
         addressing  the  question  of how to choose some alternative
         timeout value  which  will  guarantee  the  availability  of
         client    listen   ports,   sysadmins   should   take   into
         consideration the expected delay between the time  when  the
         listener  was allocated (using xfindproxy) and the time when
         a client actually attempts to connect to xfwp, as  well  the
         likelihood  that  client listeners will be re-used after the
         initial client data connection is closed.
         Each client connection is allocated a  default  lifetime  of
         604,800  seconds  (7 * 24 hours) from the point when it last
         saw activity.  After this time it  is  automatically  closed
         and  its  fd's  recovered  for  future  allocation.  Because
         server connections are  not  actually  established  until  a
         connection  request from a remote X client arrives at one of
         the xfwp's client listen  ports,  the  client  data  timeout
         applies  both to client-xfwp connections as well as to xfwp-
         server connections.  If  the  system  administrator  expects
         many  client data connections through xfwp, an overriding of
         the default timeout should be considered.
    
    CONFIGURATION FILE
         The xfwp configuration file resides on the xfwp host machine
         and  is  used  to determine whether X client data connection
         requests will be permitted or denied.  The path to the  file
         is  specified at start-up time.  If no configuration file is
         specified, all X  client  data  connection  requests  routed
         through  xfwp  will  be  by default permitted, assuming that
         other X server authorization checks are  successful.   If  a
         configuration  file  is  supplied  but  none  of its entries
         matches the connection request then  the  connection  is  by
         default denied.
    
         If a line in the configuration  file  begins  with  the  '#'
         character  or  a new-line character, the line is ignored and
         the evaluator will skip the line.
    
         The configuration file  supports  two  entirely  independent
         authorization  checks:   one  which  is  performed  by  xfwp
         itself, and a second which is the result of xfwp's  querying
         the   target   X  server.   For  the  first  of  these,  the
         configuration file employs a syntax and semantic similar  to
         that  of  IP  packet-filtering routers.  It contains zero or
         more source-destination rules of the following form:
    
         {permit  |  deny}  <src>  <src  mask>  [<dest>  <dest  mask>
         [<operator> <service>]]
    
    
         permit/deny the keywords  ``permit''  or  ``deny''  indicate
                     whether  the rule will enable or disable access,
                     respectively
    
         src         the IP address against the host  who  originated
                     the   connection   request   will   be  matched,
                     expressed in IP format (x.x.x.x)
    
         src mask    a subnet mask, also in IP  format,  for  further
                     qualifying  the  source  mask.   Bits set in the
                     mask indicate bits of the incoming address to be
                     ignored when comparing to the specified src
    
         dest        the IP address against which the destination  of
                     the  incoming  connection request (i.e. the host
                     IP of the X server to which the incoming  client
                     is attempting to connect) will be matched
    
         dest mask   a subnet mask, also in IP  format,  for  further
                     qualifying  the  destination  mask.  Bits set in
                     the  mask  indicate  bits  of  the   destination
                     address  to  be  ignored  when  comparing to the
                     specified dest
    
         operator    always ``eq'' (if the service field is not NULL)
    
         service     one of the  following  three  strings:   ``pm'',
                     ``fp'',   or   ``cd'',  corresponding  to  proxy
                     manager,    xfindproxy,    or    client    data,
                     respectively
    
         For  the   second   type   of   authorization   check,   the
         configuration  file  contains zero or more site policy rules
         of the following form:
    
         {require | disallow} sitepolicy <site_policy>
    
    
         require     specifies that the X server must  be  configured
                     with  at  least  one  of  the corresponding site
                     policies, else it must refuse the connection.
    
         disallow    specifies  that  the  X  server  must   not   be
                     configured  with  any  of the corresponding site
                     policies, else it must refuse the connection.
    
         sitepolicy  a required keyword
    
         <site_policy>
                     specifies the policy  string.   The  string  may
                     contain    any   combination   of   alphanumeric
                     characters subject only to interpretation by the
                     target X server
    
    RULES FOR EVALUATING THE XFWP CONFIGURATION
         For the first type of configurable  authorization  checking,
         access  can  be permitted or denied for each connection type
         based upon source and, optionally, destination and  service.
         Each  file  entry  must  at  a  minimum  specify the keyword
         ``permit'' or ``deny''  and  the  two  source  fields.   The
         destination  and  service  fields  can  be  used  to provide
         finer-grained access control if desired.
    
         The algorithm for rule-matching is as follows:
    
              while (more entries to check)
              {
                if ((<originator IP> AND (NOT <src mask>)) == src)
                  [if ((<dest X server IP> AND (NOT <dest mask>))  ==
            dest)]
                    [if (service fields present and matching)]
                      do either permit or deny  connection  depending
            on keyword
                else
                  continue
              }
              if (no rule matches)
                deny connection
    
         If a permit or deny rule does  not  specify  a  service  and
         operation,  then  the  rule  applies  to all services.  If a
         configuration file is specified and it contains at least one
         valid  deny  or  permit  rule,  then  a  host  that  is  not
         explicitly permitted will be denied a connection.
    
         Site policy configuration checking  constitutes  a  separate
         (and   X   server  only)  authorization  check  on  incoming
         connection requests.  Any  number  of  require  or  disallow
         rules  may  be  specified, but all rules must be of the same
         type;  that  is,  a  single  rule  file  cannot  have   both
         ``require''  and  ``disallow''  keywords.  The algorithm for
         this check is as follows:
    
              if (X server recognizes any of the site policy strings)
                if (keyword == require)
                  permit connection
                else
                  deny connection
              else
                if (keyword == require)
                  deny connection
                else
                  permit connection
    
         The site policy check is  performed  by  xfwp  only  if  the
         source-destination rules permit the connection.
    
    
         EXAMPLES
    
         # if and only if server supports one of these policies then authorize
         # connections, but still subject to applicable rule matches
         #
         require sitepolicy policy1
         require sitepolicy policy2
         #
         # deny pm connections originating on 8.7.6.5 [NOTE:  If pm service
         # is explicitly qualified, line must include destination fields as
         # shown.]
         #
         deny  8.7.6.5  0.0.0.0  0.0.0.0  255.255.255.255  eq  pm
         #
         # permit xfindproxy X server connects to anywhere [NOTE:  If
         # fp service is explicitly qualified, line must include source fields
         # as shown.]
         #
         permit  0.0.0.0  255.255.255.255   0.0.0.0  255.255.255.255  eq  fp
         #
         # permit all connection types originating from the 192.0.0.0
         # IP domain only
         #
         permit  192.0.0.0   0.255.255.255
    
    
         Care should  be  taken  that  source-destination  rules  are
         written  in  the  correct  order, as the first matching rule
         will be applied.  In addition to parser syntax  checking,  a
         special  command-line  switch (-verify) has been provided to
         assist the sysadmin in determining which rule  was  actually
         matched.
    
    BUGS
         Xfwp should check server site policy and security  extension
         before allocating a listen port.
    
    SEE ALSO
         xfindproxy  (1),  Proxy  Management  Protocol   spec   V1.0,
         proxymngr(1), Xserver(1)
    
    AUTHOR
         Reed Augliere, consulting to X Consortium, Inc.
    
    
    
    


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру