Usenet news continues to be one of the most widely used Internet applications. Many sites rely on Usenet news for information on the latest technology. Although the Network News Transfer Protocol (NNTP) is simple compared to other network protocols, you must still configure it carefully to protect internal newsgroups that may contain sensitive proprietary information.
The plug proxy included with the Gauntlet Firewall allows administrators to tunnel NNTP-based news feeds through their firewall. The NNTP connections come from known sites (as opposed to the multitude of sites that may connect via SMTP to deliver mail). NNTP is also a very straightforward protocol. For these reasons, it can be proxied using the generic plug proxy.
The following sections discuss the concepts behind the News proxy, explain how it works, and describe how to configure the proxy for NNTP-based news.
The Gauntlet plug proxy is a TCP gateway that provides configurable access control and logging mechanisms. The plug proxy, which runs on the firewall, passes NNTP or other application requests through the firewall, using rules you supply. It essentially tunnels information from a port on the firewall to a specific port on another system.
You can configure the News proxy to allow connections based on:
source IP address
source hostname
source port
destination IP address
destination hostname
destination port
Using these options, you can configure the firewall to allow your service provider's host on the outside to connect to the firewall and pass news via NNTP to your news system on the inside network. You can also configure the firewall to allow a set of news clients on your internal system to connect to news servers on hosts outside your firewall.
The News proxy logs all successful and unsuccessful connection attempts and the amount of data transferred.
These access controls give you finer control over the connections to and from your news system than you would have without a firewall, and the logging is more extensive.
The firewall runs the News proxy as a daemon listening for requests on the standard NNTP port (TCP port 119). When the News proxy receives a request, the proxy checks its configuration information and determines whether the initiating host has permission to initiate this type of request. If the host has permission, the proxy passes the connection to the specified port on the specified system. The News proxy remains active until either side terminates the connection.
The default configuration for the Gauntlet Firewall allows requests to and from one internal news server and one external news server. The firewall itself cannot run an NNTP news server, or any other service that you are passing through the plug proxy, because the plug proxy is using the standard port for these services.
Hosts on both the inside and outside think the firewall is servicing requests. The external news server thinks it is feeding news to the firewall, and the internal news server thinks that it is receiving news from the firewall. The firewall is simply acting as the tunnel, via the plug proxy.
Another common configuration allows requests from internal news clients to multiple external news servers. Again, the firewall is simply acting as a tunnel.
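The following is an added example, not code from the Gauntlet documentation or the product: a small Python model of the plug proxy described above. It listens like the firewall daemon, matches the initiating host against a rule table keyed on source network (and optionally source port), denies anything not expressly permitted, tunnels a permitted connection to the configured destination host and port, and logs the outcome and the bytes transferred in each direction. The rule format (PlugRule), the function names, and the loopback stand-in for the internal news server in demo() are assumptions constructed for this example; the 127.0.0.0/8, 10.0.0.0/8 and 192.0.2.0/24 addresses are placeholders, not addresses from the page.

```python
import logging
import socket
import threading
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

log = logging.getLogger("plug-gw")

@dataclass(frozen=True)
class PlugRule:  # hypothetical rule format: who may initiate, and where the connection is plugged to
    source: str              # network the initiating host must belong to
    plug_to: str             # destination host
    port: int = 119          # destination port; 119 is the standard NNTP port
    source_port: int = None  # optionally require a specific client source port

def match_rule(rules, src_ip, src_port):
    """First rule permitting this initiator, or None: not expressly permitted means denied."""
    for rule in rules:
        if ip_address(src_ip) in ip_network(rule.source) and rule.source_port in (None, src_port):
            return rule
    return None

def _pump(src, dst, counts, idx):
    """Copy src -> dst until EOF, count the bytes, then pass the EOF on to dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
            counts[idx] += len(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, rules):
    """Permission check, then tunnel (two one-way pumps) or drop; log the outcome either way."""
    src_ip, src_port = client.getpeername()[:2]
    rule = match_rule(rules, src_ip, src_port)
    if rule is None:
        log.warning("deny %s:%d: no rule permits this host", src_ip, src_port)
        return client.close()
    try:
        upstream = socket.create_connection((rule.plug_to, rule.port))
    except OSError as exc:
        log.error("permit %s:%d but %s:%d unreachable: %s", src_ip, src_port, rule.plug_to, rule.port, exc)
        return client.close()
    counts = [0, 0]  # bytes initiator->destination, destination->initiator
    back = threading.Thread(target=_pump, args=(upstream, client, counts, 1), daemon=True)
    back.start()
    _pump(client, upstream, counts, 0)
    back.join()
    upstream.close()
    client.close()
    log.info("permit %s:%d -> %s:%d closed, in=%d out=%d", src_ip, src_port, rule.plug_to, rule.port, *counts)

def start_proxy(rules, host="127.0.0.1", port=0):
    """Listen like the firewall daemon, one handler thread per accepted connection; returns the bound address."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind((host, port))  # port 0 lets the OS pick a free port for the demo
    lsock.listen(16)
    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(client, rules), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()

def demo():
    """Loopback run against a constructed stand-in for the internal news server: one proxy permits, one denies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    news_port = srv.getsockname()[1]
    def fake_news_server():  # constructed: NNTP-style greeting, then wait for the client's EOF
        conn, _ = srv.accept()
        conn.sendall(b"200 news.internal.example NNTP server ready\r\n")
        while conn.recv(4096): pass
        conn.close()
    threading.Thread(target=fake_news_server, daemon=True).start()
    permit = [PlugRule(source="127.0.0.0/8", plug_to="127.0.0.1", port=news_port)]
    deny = [PlugRule(source="10.0.0.0/8", plug_to="127.0.0.1", port=news_port)]  # loopback not listed
    seen = {}
    for name, rules in (("permitted", permit), ("denied", deny)):
        with socket.create_connection(start_proxy(rules), timeout=5) as c:
            banner = c.recv(4096)  # b"" means the proxy closed without tunnelling
            seen[name] = banner.decode()
            if banner:
                c.sendall(b"QUIT\r\n")
    return seen

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s: %(message)s")
    print(demo())
```

Run the file directly to see one connection tunnelled and logged with its byte counts and the other refused with a logged denial. The news-feed configuration corresponds to a rule whose source is the feed provider's host and whose plug_to is the internal news server; the news-reader configuration corresponds to rules whose source is the internal client network and whose plug_to is each permitted external server. Because the real daemon binds TCP port 119 on the firewall itself, nothing else on the firewall can serve that port, which is why the firewall cannot host a news server.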
Configuring the Gauntlet Firewall for news services involves planning, configuring the firewall, configuring the proxy to enforce company security policy, and enabling the proxy.
Do not use the firewall as a news server.
Restrict or disallow automatic group creation and deletion.
Allow external NNTP connections from known servers only.
To configure News Feed settings:
From within the Gauntlet Firewall Manager, select Environment.
Click the News tab.
The News window displays.
Provide information about your internal news server.
Internal News Server: IP address or host name of your internal NNTP news server.
Click Add.
The News Feed Server Identification Screen displays.
Provide information about your external news feeds.
External News Feed: IP address or host name of the system that provides your external NNTP news feed.
Click OK.
To configure News Reader settings:
From within the Gauntlet Firewall Manager, click Services.
Click the News tab.
The News window displays.
Indicate whether news readers can connect to any external news server or only to specific servers.
If you wish to limit the external news servers, click Add.
The External News Server window displays.
Provide information about allowed external news servers.
News Server: IP address or host name of an external NNTP news server.
Click OK.
Enabling the News reader proxy service also enables the News feed proxy service. If you want to use only one of these services, do not configure settings for the other service. Because the firewall follows the rule “That which is not expressly permitted is denied,” you are not leaving the firewall vulnerable to attack if you only configure one type of News service.
To enable the News proxy service:
On either of the News configuration tabs, click Enabled.
Add the News proxy configuration to the service groups that you want to use the News proxy.
Before exiting the Gauntlet Firewall Manager, Save and Apply your changes.
The firewall enables the News proxy.
If you are using the News feed configuration of the proxy, inform your external news feed provider (often your Internet service provider) that all NNTP news should be sent to the firewall (instead of the internal news server). Be sure to provide them with the outside IP address of your firewall.
If you are using the News feed configuration of the proxy, configure your internal news server software to transfer and receive articles from the firewall, rather than your external news server. Specify the inside IP address for the firewall.
The firewall and the plug proxy for NNTP traffic are transparent to the user. If you are using the News feed configuration, users should continue to point their news readers (rn, trn) or other news-aware tools (Netscape Navigator, Microsoft Internet Explorer) towards your internal news server.
If you are using the News Reader configuration, users should continue to point their news readers or other news-aware tools towards the appropriate news server on the outside of the firewall.