.TH CMD-GW 8 "August 2007" "OpenFWTK"
.SH NAME
cmd-gw \- network diagnostic utilities shell
.SH SYNOPSIS
.B cmd-gw
.RB "[ " \-daemon " port ] [ " \-fastdaemon " port ] [ " \-as " tag ]"
.sp
.SH DESCRIPTION
.IX "cmd-gw" "" "\(em network diagnostic utilities shell"
.I cmd-gw
enables users to execute programs such as
.I ping
and
.I traceroute
on the gateway host by using
.IR telnet .
A client program,
.IR cmd-tn ,
is also provided to simplify usage.
Usage policy may be configured based on:
.IP "\(bu" 4m
source IP address
.IP "\(bu" 4m
source host name
.IP "\(bu" 4m
command name
.PP
The CMD proxy
.RB ( cmd-gw )
generally runs as a daemon (invoked from a system startup script, e.g.
.IR /etc/rc.local )
and listens for requests on the specified port (tcp/32 is a reasonable default).
Whenever the system receives a connection request on this port,
.I cmd-gw
checks its configuration information (in the
.IR netperm-table )
and determines whether the initiating host has permission to use the shell.
If the host does not have permission,
.I cmd-gw
logs the connection attempt and displays an error message.
.PP
The proxy may also be invoked from a TCP/IP "superserver" (inetd or xinetd).
The
.I \-daemon
parameter should be omitted in this case.
.PP
If the host has permission, the proxy authenticates the user (if required)
and executes commands on the user's behalf.
.PP
.SH OPTIONS
.SS Command Line Options
The gateway shell recognizes the following command line options (whether
started from the command line or from within
.IR /etc/rc.local ):
.TP
.BI "\-daemon " port
Indicates that
.I cmd-gw
runs as a daemon, and the port (name or number) on which it listens.
When the
.I \-daemon
option is used, the configuration is re-read from the
.I netperm-table
for every new connection accepted by the proxy.
.IP
.I port
specifies either a numeric id or a symbolic name from the
.I /etc/services
file.
.TP
.BI "\-fastdaemon " port
Indicates that
.I cmd-gw
runs as a daemon, and the port (name or number) on which the proxy listens.
When the
.I \-fastdaemon
option is used, the configuration is read from the
.I netperm-table
once, when the daemon starts, and again whenever
.I SIGHUP
is received.
.TP
.BI "\-as " tag
Changes the default application tag looked up in the
.I netperm-table
from "cmd-gw" to the given string.
.SS Configuration Options
The proxy reads configuration rules from
.IR /usr/local/etc/netperm-table .
It reads all rules using the
.B cmd-gw
and
.B *
(wildcard) keywords.
The proxy reads the
.I netperm-table
from top to bottom.
If there are multiple rules in the table that could apply to a particular
attribute, the proxy uses the first one that it finds.
See
.BR netperm-table (5)
for a more complete explanation of
.I netperm-table
syntax and precedence.
.PP
The proxy recognizes the following attributes:
.TP
.BI "authserver " "host port"
Specifies the host running the authentication server (and the port on which
it runs) that the proxy uses for authenticating users.
.RS
.TP
.I host
Specifies an IP address or host name.
.TP
.I port
Specifies a service name or port number.
.RE
.TP
.B hosts host-pattern [host-pattern2...] [options]
Rules specify hosts and their access permissions.
Typically, hosts rules will be of the form:
.na
.sp 1
cmd-gw: deny-hosts unknown
.sp
cmd-gw: hosts 10.0.0.3 -commands *
.sp
cmd-gw: hosts 10.0.0.0/255.255.255.0 -commands { ping traceroute }
.ad
.sp 1
There may be several host patterns following the "hosts" keyword, ending with
the first optional parameter beginning with '-'.
Optional parameters permit the selective enabling of commands, authentication
requirements, etc.
Sub-options are:
.IP
.B \-authall
specifies that the proxy should request authentication before providing the
interactive shell.
.IP
.B \-cmd operation
.br
.B \-cmd { operation1 operation2 ... }
.br
specifies the operations allowed without authentication.
.IP
.B \-auth operation
.br
.B \-auth { operation1 operation2 ... }
.br
specifies the operations allowed once the user has authenticated.
.sp
At least one of
.I \-auth
or
.I \-cmd
is mandatory; otherwise no commands will be permitted.
Built-in shell commands are not subject to the restrictions above; they are
always available.
.IP
.B \-extnd
specifies that the proxy should request per-operation permissions from
.IR authsrv .
.TP
.BI "groupid " group
Specifies the name of the group the proxy shell uses when running.
.RS
.TP
.I group
Specifies either a name or a numeric id from the
.I /etc/group
file.
.RE
.TP
.BI "timeout " seconds
Specifies the number of seconds the shell may be idle (with no network
activity) before disconnecting.
.TP
.BI "userid " user
Specifies the user ID the proxy uses when running.
.RS
.TP
.I user
Specifies either a name or a numeric id from the
.I /etc/passwd
file.
This option is equivalent to the
.B \-user
command in previous versions.
.RE
.SS Shell Commands
.TP
.B help
Displays a list of valid proxy commands.
.TP
.B ?
Alias for
.IR help .
.TP
.B quit
Exits the shell.
.TP
.B exit
Alias for
.IR quit .
.TP
.B "auth []"
Authenticates the user.
.TP
.B "login []"
Alias for
.IR auth .
.TP
.B dig
Executes the
.I dig
command.
.TP
.B "finger []"
Executes the
.I finger
command.
.TP
.B ping
Executes the
.I ping
command.
.TP
.B traceroute
Executes the
.I traceroute
command.
.TP
.B "once [..]"
Executes one command and quits.
.SH EXAMPLES
Sample interactive session providing the
.I ping
command via the proxy.
.sp 1
.nf
.na
.RS
.RB "paranoid.alpha.int $ " "telnet firewall 32"
Trying 192.168.0.1...
Connected to firewall.alpha.int.
Escape character is '^]'.
Welcome to cmd-gw.
.RB "Command: " "ping www.google.com"
PING www.l.google.com (209.85.135.147) 56(84) bytes of data.
64 bytes from mu-in-f147.google.com (209.85.135.147): icmp_seq=1 ttl=244 time=67.4 ms
64 bytes from mu-in-f147.google.com (209.85.135.147): icmp_seq=2 ttl=244 time=67.6 ms
64 bytes from mu-in-f147.google.com (209.85.135.147): icmp_seq=3 ttl=244 time=68.9 ms
.B ^C
--- www.l.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 67.451/68.027/68.957/0.663 ms
Command:
.RE
.ad
.fi
.SH FILES
.IP /etc/rc.local
Command script that controls automatic reboot and includes startup
information for cmd-gw.
.IP /usr/local/etc/netperm-table
The network permissions file contains configuration information for the
Firewall Toolkit, including cmd-gw.
.SH BUGS
.I cmd-gw
is only as safe as your
.IR dig ", " finger ", " ping ", and " traceroute
clients are.
If these have some way of running a program named on the command line, or of
compromising the gateway host in other ways, you're in trouble.
Otherwise,
.I cmd-gw
should be safe.
At least, it is safer than telnetting into the gateway host to issue the
commands.
.sp
Note that the
.I finger
command will allow anyone who is allowed access to
.I cmd-gw
to find out who is working on the gateway host (of course, no one should be
working on the gateway host).
.sp
.I chroot
operation is not fully supported at the moment.
You may try to set it up, but you do so at your own risk.
.sp
The command list is fixed and defined at compile time.
Consider that a security feature, not a bug.
.sp
A fully featured
.I telnet
server is not implemented, nor is
.I pty
allocation.
So you cannot run curses-based programs or ones that require a password to be
entered in no-echo mode.
This feature is not planned for this gateway; we plan to create a more
functional (and, obviously, less secure ;-) restricted shell as a separate
program.
.sp
Report bugs to arkenoi@gmail.com or the fwtk-users@buoy.com mailing list.
Include a complete example, explaining what you expected to happen and what
actually happened.
Be sure to indicate the type of system (operating system, hardware, etc.) you
are using, as well as the version of cmd-gw.
.SH AUTHOR
Eberhard Mattes.
.SH SEE ALSO
.BR netperm-table (5),
.BR rc (8),
.BR authsrv (8),
.BR netacl (8)
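.PP
The first-match rule described under Configuration Options is easy to get
wrong.
The fragment below is an added illustration for this page, not a file shipped
with OpenFWTK.
The upper block lists the /24 rule before the host-specific one, so 10.0.0.3
never reaches the rule that grants it every command; the lower block orders
rules from most to least specific and adds the userid, groupid, timeout and
authserver attributes documented above.
The values nobody, nogroup, 300 and 127.0.0.1 7777 are placeholders, and the
sub-options use the \-cmd/\-auth spelling from the list above.

```text
# Misordered: 10.0.0.3 lies inside 10.0.0.0/24, so the network rule matches
# it first and the host rule below is never consulted. 10.0.0.3 gets ping only.
cmd-gw: deny-hosts unknown
cmd-gw: hosts 10.0.0.0/255.255.255.0 -cmd { ping }
cmd-gw: hosts 10.0.0.3 -cmd *

# Corrected: most specific host rule first; hosts matching no rule are refused.
# userid/groupid/timeout/authserver values are placeholders for this example.
cmd-gw: userid     nobody
cmd-gw: groupid    nogroup
cmd-gw: timeout    300
cmd-gw: authserver 127.0.0.1 7777
cmd-gw: deny-hosts unknown
cmd-gw: hosts 10.0.0.3 -cmd *
cmd-gw: hosts 10.0.0.0/255.255.255.0 -authall -cmd { ping } -auth { traceroute dig }
```

In the corrected block an unauthenticated user from the /24 can only run
.IR ping ;
.I traceroute
and
.I dig
become available after the
.I auth
shell command succeeds against the configured authserver.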
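.PP
The BUGS section rests the safety of
.I cmd-gw
on the diagnostic clients it wraps, which makes the way operands reach those
clients the point a reviewer should check.
The following C program is an added example written for this page; it is not
cmd-gw's own code and does not claim to mirror its internals.
It shows the dispatcher pattern such a gateway needs: a compile-time command
table with absolute paths, an operand filter that refuses anything beginning
with '-' so that a client's option parser (for instance the -f batch-file
switch of dig) never sees user input, a one-operand limit, and execv() instead
of a shell.
All gw_* names, the binary paths and the length limits are assumptions of the
example.

```c
/* Added example (not OpenFWTK code): a cmd-gw style dispatcher that maps a
 * fixed, compile-time command list onto an argv and refuses operands the
 * underlying client could parse as options. gw_* names, paths and limits are
 * assumptions of this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

enum { GW_MAX_ARGV = 3, GW_MAX_OPERAND = 253, GW_LINE = 512 };

enum gw_err {
    GW_OK = 0,
    GW_UNKNOWN_CMD = -1,   /* not in the compile-time table */
    GW_BAD_ARGC = -2,      /* wrong number of operands */
    GW_BAD_CHAR = -3,      /* character outside [A-Za-z0-9._-] (plus one '@' for finger) */
    GW_OPTION_LIKE = -4,   /* operand starts with '-': "ping -f", "dig -f file" */
    GW_TOO_LONG = -5
};

struct gw_cmd {
    const char *name;
    const char *path;      /* absolute path: never search PATH for a user-chosen name */
    int needs_operand;     /* 1: exactly one operand; 0: zero or one (finger) */
    int allow_at;          /* permit a single '@' (finger user@host) */
};

/* Fixed command table, the equivalent of cmd-gw's compile-time list (paths assumed). */
static const struct gw_cmd gw_table[] = {
    { "ping",       "/bin/ping",            1, 0 },
    { "traceroute", "/usr/sbin/traceroute", 1, 0 },
    { "dig",        "/usr/bin/dig",         1, 0 },
    { "finger",     "/usr/bin/finger",      0, 1 },
};

static const struct gw_cmd *gw_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof gw_table / sizeof gw_table[0]; i++)
        if (strcmp(gw_table[i].name, name) == 0)
            return &gw_table[i];
    return NULL;
}

/* Operand policy: a hostname, or user@host for finger. Rejecting a leading '-'
 * is the check that matters most: the clients' own option parsers must never
 * see user input in option position. Shell metacharacters are refused as well,
 * even though gw_run() never invokes a shell. */
static int gw_check_operand(const char *s, int allow_at)
{
    size_t n = strlen(s);
    int ats = 0;
    if (n == 0 || n > GW_MAX_OPERAND) return GW_TOO_LONG;
    if (s[0] == '-') return GW_OPTION_LIKE;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || c == '.' || c == '-' || c == '_') continue;
        if (c == '@' && allow_at && ats++ == 0) continue;
        return GW_BAD_CHAR;
    }
    return GW_OK;
}

/* In-place whitespace tokenizer (blank, tab, CR, LF); returns NULL at end. */
static char *gw_next_token(char **cursor)
{
    char *s = *cursor, *start;
    while (*s == ' ' || *s == '\t' || *s == '\r' || *s == '\n') s++;
    if (*s == '\0') { *cursor = s; return NULL; }
    start = s;
    while (*s && *s != ' ' && *s != '\t' && *s != '\r' && *s != '\n') s++;
    if (*s) *s++ = '\0';
    *cursor = s;
    return start;
}

/* Parse one shell line ("ping www.example.net") into *path and a NULL-terminated
 * argv whose strings live in buf (GW_LINE bytes). argv needs GW_MAX_ARGV slots. */
int gw_parse(const char *line, char *buf, const char **path, char *argv[])
{
    const struct gw_cmd *cmd;
    char *cursor = buf, *tok;
    int argc = 0;

    if (strlen(line) >= GW_LINE) return GW_TOO_LONG;
    strcpy(buf, line);
    tok = gw_next_token(&cursor);
    if (tok == NULL || (cmd = gw_lookup(tok)) == NULL) return GW_UNKNOWN_CMD;
    *path = cmd->path;
    argv[argc++] = tok;                                  /* argv[0]: table name */
    while ((tok = gw_next_token(&cursor)) != NULL) {
        int rc;
        if (argc >= GW_MAX_ARGV - 1) return GW_BAD_ARGC;  /* one operand at most */
        if ((rc = gw_check_operand(tok, cmd->allow_at)) != GW_OK) return rc;
        argv[argc++] = tok;
    }
    if (cmd->needs_operand && argc < 2) return GW_BAD_ARGC;
    argv[argc] = NULL;
    return GW_OK;
}

/* Verdict for one line, used by the demo below and by tests. */
int gw_verdict(const char *line)
{
    char buf[GW_LINE];
    const char *path;
    char *argv[GW_MAX_ARGV];
    return gw_parse(line, buf, &path, argv);
}

/* Run a parsed command with execv(): fixed path, validated argv, no shell.
 * Returns the child's exit status, or -1 if fork/exec/wait failed. */
int gw_run(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(path, argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input: lines a client might type at the "Command:" prompt. */
    const char *lines[] = { "ping www.example.net", "ping -f www.example.net",
                            "dig -f /etc/passwd", "traceroute host;id",
                            "finger", "finger root@host", "rm -rf /" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-26s -> %d\n", lines[i], gw_verdict(lines[i]));
    return 0;
}
```

Only gw_parse() decides what reaches the client; gw_run() is deliberately dumb
so that a reviewer auditing "is only as safe as your clients are" has one
function to read.
Extending the table is a recompile, which keeps the fixed-command property the
BUGS section calls a feature.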