Trusted Information Systems, Inc.
October 20, 1993
Trusted Information Systems, Inc. (TIS) is pleased to provide the TIS Firewall Toolkit, a software kit for building and maintaining internetwork Firewalls. It is distributed in source code form, with all modules written in the C programming language and runs on many BSD UNIX derived platforms. The Toolkit is being made available for use as specified in the license agreement (LICENSE).
TIS maintains the electronic-mail users' group <fwall-users@tis.com> for discussion of the toolkit. To join, send electronic mail to <fwall-users-request@tis.com>.
TIS Firewall Toolkit technical questions, license issues, bug reports, etc. should be addressed to <fwall-support@tis.com>.
Information about other TIS network security products or commercial
licensing requests should be sent to
Please read the docment "DISCLAIMER" which describes TIS' support
policy with respect to use of this software by other parties.
Global compilation options and flags are configured
in a master Makefile called "Makefile.config" You should
examine and edit this Makefile to reflect your system,
before attempting to build the toolkit. Not all versions
of make may support this syntax (most notably, the BSD
derived versions which use ".include" instead) -- if your
system is in the latter category, you have the choice of
either obtaining GNU make or modifying the Makefiles.
There is a program called "fixmake" which will rebuild
the Makefiles for you. Simply edit Makefile.config and
when you're happy with it, run "fixmake" and it will
manually perform the equivalent of the "include"
directive. Repeatedly running "fixmake" is OK.
If your system does not have X11 libraries with
X11 include files installed on it, you will not be able
to build X-gw. X-gw relies on the athena widget set
(Xaw and Xmu) which must also be present on the system.
To set the paths for X libraries, see Makefile.config.
If you do not wish to build the X-gw, simply comment out
the entry for x-gw in the
If you plan to build/use the authentication server,
you may wish to examine and edit "auth.h" to set the types
of authentication you wish to support, and where the databases
will reside. If you wish to use the authentication server with
DES encryption for protecting transactions, you will need to
obtain the DES communication library, which is packaged separately
from the rest of the toolkit, and which is only available to US
citizens. The Digital Pathways SecureNet Key software also
requires a compatible DES library. See the README in the "auth"
directory for details.
Toolkit Roadmap:
----------------
Makefile - toplevel Makefile
README - this file
auth - authentication server and libraries (optional)
config - sample configuration/permissions tables
doc - documentation
firewall.h - compile-time configuration
ftp-gw - sources for FTP proxy server
http-gw - http/gopher proxy
lib - sources for library routines
netacl - sources for TCP/IP access control "wrapper"
plug-gw - sources for plug-board proxy server
rlogin-gw - sources for rlogin proxy server
smap - sources for sendmail wrapper client
smapd - sources for sendmail wrapper daemon
tn-gw - sources for TELNET proxy server
tools - miscellaneous/unsupported tools
x-gw - X11 proxy
As packaged, the Makefiles included in this kit
will attempt to build the firewall components and miscellaneous
tools. Before compiling, edit firewall.h to tailor to the
local operating system and environment. On some platforms
(such as those with dynamically linked executables) you
may wish to edit some of the individual Makefiles to tailor
the compilation options such as compiler/linker flags and
installation directories. The firewall toolkit is written
in K&R C. If you are using a compiler that assumes ANSI C
you may need to add a global compiler flag to cause it to
accept K&R syntax.
DIRS= smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw
Once firewall.h has been configured, typing "make"
should build the basic firewall components. "make install"
will install the components in a default location. A second
directory of tools contains support software and modified
client software. Many of the programs in the "tools" directory
are from the BSD Net2 sources, and may be more or less difficult
to get running, depending on the operating system platform.
Rather than attempting to shadow the BSD distribution, they
are provided "as is" with a README file in each tool's
directory describing what platforms it is known to work on.
entry in the top-level Makefile.
Many of the components can be configured to perform
a chroot(2) and run in a restricted environment. Generally,
they should be linked against a resolver library [if you care
about name resolution] that can be configured to work under
chroot. Wherever possible, all required information is read
before performing a chroot, so password files, etc, need not
be provided.
Legend:
"tested" -- TIS has independently verified correct operation
of toolkit components
"builds" -- TIS has either ported and compiled, but not verified
correct operation, or has second-hand reports from
third parties that the software builds and works
SunOS4.1.X - tested
Solaris - builds with BSD library -- note that possible error
with SIGPOLL getting sent to tn-gw appears to
result from bug(?) in socket emulation library
HP/UX A.09.01 - builds (not tested)
CMU MACH - builds (not tested)
ULTRIX - builds (not tested)
undefine USE_UDPSYSLOG in firewall.h
BSDI - tested
DEC OSF/1 Axp - builds (not tested)
smapd requires change struct direct -> struct dirent
tools (client ftp, telnet) fail to build
BSD/386 - tested by other party
IBM/AIX - tested by other party
ftp-gw, tn-gw, rlogin-gw require including
#include