NNTP server behind firewall

by Dobrica Pavlinusic, Faculty of Organization and Informatics, Varazdin.

This paper presents the solution used at the Faculty of Organization and Informatics in Varazdin for placing an NNTP server behind the firewall while still being able to post and fetch news from the normal upstream host on the Internet. The solution was motivated by the limitations of our equipment, and it is a good example of mdd usage.

This paper was written with mdd version 0.3 in mind; the examples have since been changed for version 0.4 (or later). From version 0.4 on you can also use host names instead of IP addresses.

1. Problem

During our trial of an internal NNTP server we noticed that having a local news server is a much better solution than contacting the remote upstream server directly. The main reason is our connection to the rest of the Internet, a rather slow modem at only 31.2 Kb per second. The local server made Usenet reading fast and fun. However, when installing the news server I wrongly anticipated that 80 Mb of disk space would be sufficient for the news and proxy needs of our network. That was not the case, so a solution had to be found.

The following picture shows our initial configuration of the news service:

Network configuration with news server on firewall

2. Finding solutions

Luck struck when another Unix machine arrived with a nearly 500 Mb hard drive, of which about 400 Mb was unused: perfect for a news spool. However, the newly installed machine was located behind the firewall. Serving our existing clients (which are also behind the firewall) is not a problem, but contacting the upstream news server on the Internet is, because of the firewall.

Limited by the configuration of the firewall and of the new Unix machine (both PC-compatible 386s with 8 and 4 Mb of RAM respectively, running Linux 1.2.13), the following solutions presented themselves:

  1. Install a new Linux 2.0.x kernel and use an IP alias to make the new news server appear to be on the Internet, relaying from the aliased address on the Internet side to the new news server behind the firewall
  2. Install a new Linux kernel and use IP tunneling to perform a similar task
  3. Install a redirection from the current IP address of the news server to the new news server

3. Pro and cons analysis

The solutions found were then evaluated with a pro and cons analysis as follows:

Solution                 | +                                            | -
-------------------------+----------------------------------------------+------------------------------------------------
IP alias                 | Solves our problem; fairly easy to do.       | Needs a new Linux 2.0.x kernel, which requires
                         |                                              | updating some parts of our Slackware boxes.
IP tunneling             | Solves the problem and puts the whole host   | Needs a new kernel and software updates, plus
                         | on the Internet (this may be useful in the   | additional work on protecting what is, in
                         | future).                                     | fact, another firewall (or should I call it a
                         |                                              | security hole?).
redirection of old news  | No need for a complicated kernel and         | How to redirect the news fetch back to the
host                     | software update. No need to change DNS       | upstream news host on the Internet?
                         | records.                                     |

4. Present configuration

I decided to redirect the old host, and ended up with the following situation:

New configuration of news server behind firewall

It would, of course, have been possible to reconfigure all clients to contact the new NTTP server directly, but almost 100% of our NNTP requests come from a server which is on the "wrong" side of the firewall anyway.

The problem was the following: the firewall should act as the news server for our clients, but when contacted by our NNTP server it should forward all data to the upstream NNTP server. This was a perfect job for mdd. I configured mdd to dispatch on the client address: when it recognized our NNTP server it relayed everything to the upstream news server, and otherwise it relayed everything to the new NNTP server.

Our firewall is now configured as follows:

nntp stream tcp nowait news /usr/sbin/tcpd /usr/local/sbin/in.mdd-nntp in.mdd-nntp -f /usr/local/etc/mdd-nntp.conf

This is the entry in inetd.conf which calls mdd to process requests from news clients or from our news server. The name in.mdd-nntp was chosen so that tcpd (the TCP wrapper) can be used for additional protection.


*: -w 10 news.carnet.hr nntp
*:*:/usr/local/sbin/nc -w 10 unisysgw.prof.foi.hr nntp

The first line is a tunnel to news.carnet.hr, the upstream news host on the Internet, using netcat; it is taken when the connection originates from our local news host (matched by its IP address, since mdd still had no host name resolving :-(). The second line handles all other hosts (probably clients wanting to read news), which are redirected to our local news server.

We used leafnode as the news server, but its configuration is not the subject of this paper.

5. References

Dobrica Pavlinusic is a Unix administrator and addict who worked at the Faculty of Organization and Informatics in Varazdin on the administration of Unix hosts and network management until January 2000. He can be reached by e-mail at dpavlin@rot13.org.