Abstract:
This paper was written with version 0.3 in mind. However, the examples have since been
updated for version 0.4 (or later). Also, from version 0.4 on you can
use host names as well.
This paper presents the solution used at the Faculty of Organization
and Informatics in Varazdin for placing an NNTP server behind the firewall
while still being able to post and fetch news from a normal upstream host located
on the Internet. This solution was motivated by the limitations of our equipment,
and is a good example of mdd usage.
During our test usage of the internal NNTP server we noticed that having a local news server is a much better solution than contacting the remote upstream server. The main reason is our connection to the rest of the Internet, which is a rather slow modem at only 31.2 Kb per second. Having a local server made Usenet reading fast and fun. However, when installing the news server I wrongly anticipated that 80Mb of disk space would be sufficient for the news and proxy needs of our network. That wasn't the case, so a solution had to be found.
The following picture shows our initial configuration of the news service:
Luck struck us when another Unix machine was connected, with a nearly 500Mb hard drive that had about 400Mb of unused space. Perfect for a news spool. However, the newly installed machine was located behind the firewall. Contacting our old clients (which are also behind the firewall) isn't a problem, but contacting the upstream news server located on the Internet is a problem because of the firewall.
Limited by the configuration of the firewall and the new Unix machine (both PC-compatible 386s with 8 and 4 Mb of RAM respectively, running Linux 1.2.13), the following solutions presented themselves:
The solutions found were then evaluated using a pros and cons analysis as follows:
Solution | + | - |
---|---|---|
IP alias | Solves our problem; it is fairly easy to do. | Needs a new installation of Linux kernel 2.0.x, which requires updating some portions of our Slackware-installed boxes. |
IP tunneling | Solves the problem and puts the whole host on the Internet (this may be useful in the future). | Needs a new kernel and software update, plus additional work on protection; in fact, another firewall (or should I call it a security hole?). |
Redirection of old news host | No need for a complicated kernel and software update. No need to change DNS records. | How to redirect news fetches back to the upstream news host on the Internet? |
I decided to redirect the old host, and got the following situation:
It was, of course, possible to reconfigure all clients to contact the new NNTP server directly, but almost 100% of our NNTP requests come from the server which is on the "wrong" side of the firewall anyway.
The problem was the following: the firewall should act as the news server for our clients, but when contacted by our NNTP server, it should forward all data to the upstream NNTP server. This was a perfect job for mdd. I configured mdd to react to the client address: when it recognized our NNTP server it relayed everything to the upstream news server, and otherwise it relayed all data to the new NNTP server.
Our firewall is now configured as follows:
/etc/inetd.conf
nntp stream tcp nowait news /usr/sbin/tcpd /usr/local/sbin/in.mdd-nntp in.mdd-nntp -f /usr/local/etc/mdd-nntp.conf
This is the entry in inetd.conf which calls mdd to process requests from news clients or from our news server. The name in.mdd-nntp was chosen to allow us to use tcpd (tcp wrapper) for additional protection.
/usr/local/etc/mdd-nntp.conf
*:192.168.3.250:/usr/local/sbin/nc -w 10 news.carnet.hr nntp
*:*:/usr/local/sbin/nc -w 10 unisysgw.prof.foi.hr nntp
The first line is a tunnel to the news.carnet.hr upstream news host (which is on the Internet) using netcat, used if the connection originates from our local news host (which has IP address 192.168.3.250; mdd still doesn't have hostname resolving :-( ). The second line handles all other hosts (probably clients wanting to read news), which are redirected to our local news server.
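To make the selection logic concrete, here is an added example (my own code, not part of mdd or this article) that reads a configuration file in the same two-field-plus-command form as mdd-nntp.conf above, picks the first rule whose patterns match the connection, and, when run from inetd, execs that command with the client socket still attached to stdin/stdout. The field semantics are assumptions: I take the first field as a pattern for the address the client connected to and the second as a pattern for the client's own address, with `*` matching anything, first match winning, and no match meaning the connection is refused rather than relayed anywhere. The embedded configuration is a constructed copy of the two lines shown above.

```python
"""Address-based relay selector in the spirit of mdd-nntp.conf (added example).

Assumptions not stated in the article:
  - each non-empty line has the form  LOCAL:CLIENT:COMMAND, where LOCAL is a
    pattern for the address the connection arrived on, CLIENT a pattern for
    the peer address, and '*' matches anything;
  - the first matching line wins;
  - a connection matching no line is dropped (fail closed).
"""
import os
import shlex
import socket
import sys
from dataclasses import dataclass

# Constructed copy of the two-line mdd-nntp.conf shown in the article.
SAMPLE_CONF = """\
*:192.168.3.250:/usr/local/sbin/nc -w 10 news.carnet.hr nntp
*:*:/usr/local/sbin/nc -w 10 unisysgw.prof.foi.hr nntp
"""


@dataclass(frozen=True)
class Rule:
    local: str      # pattern for the address the client connected to
    client: str     # pattern for the peer (client) address
    command: list   # argv to exec; the socket is inherited as stdin/stdout


def parse_conf(text):
    """Parse LOCAL:CLIENT:COMMAND lines; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # split at most twice: the command may contain ':'
        if len(parts) != 3 or not parts[2].strip():
            raise ValueError(f"line {lineno}: expected LOCAL:CLIENT:COMMAND")
        # shlex keeps the command as an argv list, so it is never handed to a shell
        rules.append(Rule(parts[0], parts[1], shlex.split(parts[2])))
    return rules


def _match(pattern, addr):
    return pattern == "*" or pattern == addr


def select_rule(rules, local_addr, client_addr):
    """Return the first rule matching (local, client), or None (fail closed)."""
    for rule in rules:
        if _match(rule.local, local_addr) and _match(rule.client, client_addr):
            return rule
    return None


def upstream_for(conf_text, local_addr, client_addr):
    """Convenience wrapper: argv of the relay command for this connection, or None."""
    rule = select_rule(parse_conf(conf_text), local_addr, client_addr)
    return None if rule is None else rule.command


def main(conf_path):
    """Run under inetd: fd 0 is the accepted socket, as in the inetd.conf entry."""
    sock = socket.fromfd(0, socket.AF_INET, socket.SOCK_STREAM)
    client_addr = sock.getpeername()[0]
    local_addr = sock.getsockname()[0]
    with open(conf_path) as fh:
        rule = select_rule(parse_conf(fh.read()), local_addr, client_addr)
    if rule is None:
        # No rule matched: refuse the connection rather than pick a relay target.
        sys.exit(1)
    # exec without a shell; stdin/stdout still point at the client socket
    os.execvp(rule.command[0], rule.command)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/mdd-nntp.conf")
```

Two points matter for the security of such a setup. Rule order is significant: if the `*:*` line came first, the local news host would never be relayed upstream, so keep the most specific client patterns at the top. And the decision rests on the peer's IP address only, exactly as in the mdd configuration above, which is why the article pairs it with tcpd: the wrapper can refuse connections from outside the internal network before any relay command is chosen.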
We used leafnode as the news server, but the configuration of leafnode is not the subject of this paper.
Dobrica Pavlinusic is a Unix administrator and addict who worked at the Faculty of Organization and Informatics in Varazdin on administration of Unix hosts and network management until January 2000. He can be reached by e-mail at: dpavlin@rot13.org.