The free TIS FWTK, from Trusted Information Systems, includes a number of proxy servers of various types. The TIS FWTK also provides a number of other tools for authentication and other purposes, which are discussed where appropriate in other chapters of this book. Appendix B provides information on how to get the TIS FWTK.
Whereas SOCKS attempts to provide a single, general proxy, the TIS FWTK provides individual proxies for the most common Internet services (as shown in Figure 7.4). The idea is that by using small separate programs with a common configuration file, it can provide intelligent proxies that are provably safe, while still allowing central control. The result is an extremely flexible toolkit and a rather large configuration file.
The TIS FWTK provides FTP proxying either with modified client programs or modified user procedures (ftp-gw). If you wish to use the same machine to support proxied FTP and straight FTP (for example, allowing people on the Internet to pick up files from the same machine that does outbound proxying for your users), the toolkit will support that but you will have to use modified user procedures.
Using modified user procedures is the most common configuration for the TIS FWTK. The support for modified client programs is somewhat half-hearted (for example, no modified clients or libraries are provided). Because it's a dedicated FTP proxy, it provides logging, denial, and extra user authentication of particular FTP commands.
The TIS FWTK Telnet (telnet-gw) and rlogin (rlogin-gw) proxies support modified user procedures only. Users connect via Telnet or rlogin to the proxy host, and instead of getting a "login" prompt for the proxy host, they are presented with a prompt from the proxy program, allowing them to specify what host to connect to (and whether to make an X connection if the x-gw software is installed, as we describe in "Other TIS FWTK Proxies" below).
The TIS FWTK provides a purely generic proxy, plug-gw, which requires no modifications to clients, but supports a limited range of protocols and uses. It examines the address it received a connection from and the port the connection came in on, and it creates a connection to another host on an appropriate port. You can't specify which host it should connect to while making that connection; it's determined by the incoming host. This makes plug-gw inappropriate for services that are employed by users, who rarely want to connect to the same host every time. It provides logging but no other security enhancements, and therefore needs to be used with caution even in situations where it's appropriate (e.g., for NNTP connections).
TIS FWTK proxies HTTP and Gopher via the http-gw program. This program supports either modified clients or modified procedures. Most HTTP clients support proxying; you just need to tell them where the proxy server is. To use http-gw with an HTTP client that's not proxy-aware, you add http://firewall/ in front of the URL. Using it with a Gopher client that is not proxy-aware is slightly more complex, since all the host and port information has to be moved into the path specification.
x-gw is an X gateway. It provides some minimal security by requiring confirmation from the user before allowing a remote X client to connect. The X gateway is started up by connecting to the Telnet or rlogin proxy and typing "x", which puts up a control window.