This paper is written with version 0.3 in mind. However, examples are now
changed for version 0.4 (or later). Also, from version 0.4 you can
use host names also.
This paper presents solution used on Faculty of Organization and Informatics in Varazdin for placing NNTP server behind the firewall and still being able to post and fetch news from normal upstream host located on Internet. This solution is motivated by limitation of out equipment, and is great example of mdd usage.
This paper is written with version 0.3 in mind. However, examples are now changed for version 0.4 (or later). Also, from version 0.4 you can use host names also.
During out test usage of internal NNTP server we noticed that having local news server it is much better solution than to contacting to remote upstream server. Main reason for that is out connection with rest of Internet which is rather slow modem with only 31.2 Kb per second. Having local server made Usenet reading fast and fun. However, when installing news server I wrongly anticipated that 80Mb of disk space will be sufficient for news and proxy needs of our network. That wasn't the case, so solution had to be found.
Following picture shows our initial configuration of news service:
Luck struck us when another Unix machine get connected with nearly 500Mb hard drive which had about 400Mb of unused space. Perfect for news spool. However, newly installed machine was located behind firewall. Contacting of our old clients (which are also behind firewall) isn't problem, but contacting upstream news server located on Internet is the problem because of firewall.
Limited by configuration of firewall and new Unix machine (both PC compatible 386 with 8 and 4 Mb of RAM respectably and Linux 1.2.13) following solutions presented to us:
Solutions which where found are then evaluated using pro and cons analysis as follows:
|Solves our problem, it is fairly easy to do.
|Needs new installation of Linux kernel 2.0.x which required updating of some portions of our Slackware installed boxes.
|Solves problem and puts whole host to Internet (this may be useful in future).
|Needs new kernel and update of software, additional work on protecting, in fact, another firewall (or should I call it security hole?).
|redirection of old news host
|No need for complicated kernel and software update.
No need for changing DNS records.
|How to redirect news fetch back to upstream news host on Internet ?
I decided to redirect old host, and got following situation:
It was, of course, possible to reconfigure all clients to contact new NNTP server directly, but almost 100% of our NNTP requests comes from server which is on the "wrong" side of firewall anyway.
Problem was following: firewall should act as news server for our clients, but when contacted by NNTP server, it should forward all data to upstream NNTP server. This was perfect job for mdd. I configured mdd to react on client address and when it recognized NNTP server it relayed all to upstream news server and otherwise it just relayed all data to new NNTP server.
Our firewall is now configured as follows:
nntp stream tcp nowait news /usr/sbin/tcpd /usr/local/sbin/in.mdd-nntp in.mdd-nntp -f /usr/local/etc/mdd-nntp.conf
This is entry in inetd.conf which called mdd to process requests from news clients or our news server. Name in.mdd-nntp is chosen to allow us to use tcpd (tcp wrapper) for additional protection.
*:192.168.3.250:/usr/local/sbin/nc -w 10 news.carnet.hr nntp *:*:/usr/local/sbin/nc -w 10 unisysgw.prof.foi.hr nntp
First line is tunnel to news.carnet.hr upstream news host (which is on Internet) using netcat if the connection is originating from our local news host (which has IP address 192.168.3.250 - mdd still hasn't hostname resolving :-(), and second line handles all other hosts (probably clients wanting to read news) which are redirected to our local news server.
We used leafnode for news server, but configuration of leafnode is not subject of this paper.
Dobrica Pavlinusic is Unix administrator and addict who was working at Faculty of Organization and Informatics in Varazdin on administration of Unix hosts and network management until January 2000. He can be reached using e-mail to: email@example.com.