Re: X Mosaic 2.0 and Closed to Open subnet gateway

Dave_Raggett (dsr@hplb.hpl.hp.com)
Tue, 30 Nov 93 11:43:02 GMT


The opensubnet relay patch for X Mosaic 2.0 and source code for the
gateway itself can be found at:

ftp://15.254.100.100/pub/subnet.tar.Z

with contents:

-rw-r--r-- 1 dsr rubicon 18653 Nov 29 12:29 HTTCP.c
-rw-r--r-- 1 dsr rubicon 2662 Nov 29 14:25 README
-rw-r--r-- 1 dsr rubicon 16430 Nov 30 11:04 relay.c

The relay program is designed to be invoked by inetd on a trusted host
with direct access to systems outside the firewall. We use inetd.sec
to act as a first line of defence, prohibiting outsiders from accessing
the relay. The program itself provides a second line of defence with
a match on the client's IP address via a simple mask. It also supports
a user name/password check which is useful when traveling else where
in the company. This feature is not supported by the patch to Mosaica and
*must* be omitted at compile time if your site doesn't support inetd.sec

The relay was designed for minimal maintenance in conjunction with our
admin folks. You will need to edit a few equates at the start of the file
before compiling relay.c. Its simplicity and operation under inetd were
requirements for audit purposes.

Note that I haven't yet provided a patch to HTFTP.c to use PASV. This is
needed to allow Mosaic to access external FTP servers as currently servers
try (and fail) to connect to the client to transfer data. The PASV command
(see RFC 859 - October 1985) allows the client to connect to the server
for data transfers, which will then work with the relay as provided.

The tcp/ip relay is simpler than the socks package and avoids the need
for a separate configuration file. The time out interval is the same
for both programs - 5 minutes of inactivity will cause the connection with
client and remote host to be closed and the process terminated. No logging
is performed since the pattern of useage for WWW would quickly swamp the
syslog files. The relay program goes beyond socks in supporting user name
+ password access for users with accounts on the trusted system. I hope
to persuade NCSA (with your help) to support this feature in due course.

Regards,

Dave Raggett