Introduction
- References
  - IP Masquerading HOWTO
  - TrinityOS Ch 8, 10, 11.
  - Linux IP Masquerading Web Site
  - Linux IP Masquerade Resource
  - IP Chains HOWTO
- We need to get ipmasqadm. The rpm can be retrieved from Juanjo's website. We retrieve the actual rpm.
- I start up the firewall by calling a created file, /etc/rc.d/rc.firewall, from /etc/rc.d/rc.local. I know this is not strictly RedHat's Sys V way of doing things. Look in TrinityOS for an approach that creates a /etc/rc.d/init.d/firewall startup / shutdown script.
Restricting Permissions
- It is wise to only have root rwx permissions for files in /etc/rc.d:
  - chown -R root:root /etc/rc.d/*
  - chmod -R 700 /etc/rc.d/*
- Remember to do the same with rc.firewall once we have created it.
The Firewall Startup Scripts
- Modify the /etc/rc.d/rc.local start up script, so it looks like (use your own names):
- rc.local
- >>>>>>>>>>>>>>>>>>>>>>>/etc/rc.d/rc.local
#!/bin/sh

# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/rc.d/rc.firewall ]; then
    /etc/rc.d/rc.firewall
fi

if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)

    arch=$(uname -m)
    a="a"
    case "_$arch" in
        _a*) a="an";;
        _i*) a="an";;
    esac

    # This will overwrite /etc/issue at every boot. So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    # NOTE: we do not want users on the net with bad intent to know the OS and
    # version at the login prompt.
    echo "" > /etc/issue
    echo "Novatek Electronics Limited" >> /etc/issue
    echo "***************************" >> /etc/issue
    echo "" >> /etc/issue
    cp -f /etc/issue /etc/issue.net
    echo "$R" >> /etc/issue
    echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
    echo "" >> /etc/issue
    echo "\l@$(uname -n)" >> /etc/issue
    echo "telnet@$(uname -n)" >> /etc/issue.net
    echo "" >> /etc/issue
    echo "" >> /etc/issue.net
fi
<<<<<<<<<<<<<<<<<<<<<<<</etc/rc.d/rc.local
- Notes on rc.local
  - Do a file check on rc.firewall before calling it.
  - Heed the security advice not to let any telnet users know the package, release, and version that they are logging into. This further limits exploitation of package/release/version-specific holes.
- rc.firewall
>>>>>>>>>>>>>>>>>>>>>>/etc/rc.d/rc.firewall
#!/bin/sh
#
#/etc/rc.d/rc.firewall
#
#Created by Jonathan Marks, 5/21/99

# Do not need to do a depmod, as this is done in rc.sysinit
#/sbin/depmod -a

# Let's install the required ip_masq modules
#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_user
#/sbin/modprobe ip_masq_vdolive

# Flush old firewall rules - just in case
/sbin/ipchains -F

# Masquerading firewall timeouts: tcp conns 2hrs, tcp after fin pkt 10s, udp 120s
/sbin/ipchains -M -S 7200 10 120

# Set up ipchains for a masquerading firewall
/sbin/ipchains -P forward REJECT
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

# Input chain rules
# We do not have any!

# Port forwarding - first flush out any forwards - just in case
/usr/sbin/ipmasqadm portfw -f

# Add port forwarding for http, smtp and ftp to henry
# www.novatek.co.nz
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 80 -R 192.168.0.200 80
# www.cmex.org
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.98.164 80 -R 192.168.0.202 80
# ftp.novatek.co.nz
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 21 -R 192.168.0.201 21
# ftp.cmex.org
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.98.164 21 -R 192.168.0.203 21
# mail.novatek.co.nz
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 25 -R 192.168.0.204 25
# mail.cmex.org
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.98.164 25 -R 192.168.0.205 25
# cvs.cmex.org
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.98.164 2401 -R 192.168.0.206 2401

# ICQ tcp return port setup
# First to Hershel
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2000 -R 192.168.0.6 2000
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2001 -R 192.168.0.6 2001
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2002 -R 192.168.0.6 2002
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2003 -R 192.168.0.6 2003
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2004 -R 192.168.0.6 2004
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2005 -R 192.168.0.6 2005
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2006 -R 192.168.0.6 2006
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2007 -R 192.168.0.6 2007
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2008 -R 192.168.0.6 2008
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2009 -R 192.168.0.6 2009
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2010 -R 192.168.0.6 2010
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2011 -R 192.168.0.6 2011
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2012 -R 192.168.0.6 2012
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2013 -R 192.168.0.6 2013
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2014 -R 192.168.0.6 2014
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2015 -R 192.168.0.6 2015
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2016 -R 192.168.0.6 2016
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2017 -R 192.168.0.6 2017
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2018 -R 192.168.0.6 2018
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2019 -R 192.168.0.6 2019
# Secondly to Hercules
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2020 -R 192.168.0.1 2020
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2021 -R 192.168.0.1 2021
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2022 -R 192.168.0.1 2022
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2023 -R 192.168.0.1 2023
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2024 -R 192.168.0.1 2024
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2025 -R 192.168.0.1 2025
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2026 -R 192.168.0.1 2026
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2027 -R 192.168.0.1 2027
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2028 -R 192.168.0.1 2028
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2029 -R 192.168.0.1 2029
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2030 -R 192.168.0.1 2030
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2031 -R 192.168.0.1 2031
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2032 -R 192.168.0.1 2032
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2033 -R 192.168.0.1 2033
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2034 -R 192.168.0.1 2034
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2035 -R 192.168.0.1 2035
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2036 -R 192.168.0.1 2036
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2037 -R 192.168.0.1 2037
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2038 -R 192.168.0.1 2038
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2039 -R 192.168.0.1 2039
# Thirdly on Homer
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2040 -R 192.168.0.2 2040
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2041 -R 192.168.0.2 2041
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2042 -R 192.168.0.2 2042
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2043 -R 192.168.0.2 2043
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2044 -R 192.168.0.2 2044
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2045 -R 192.168.0.2 2045
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2046 -R 192.168.0.2 2046
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2047 -R 192.168.0.2 2047
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2048 -R 192.168.0.2 2048
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2049 -R 192.168.0.2 2049
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2050 -R 192.168.0.2 2050
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2051 -R 192.168.0.2 2051
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2052 -R 192.168.0.2 2052
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2053 -R 192.168.0.2 2053
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2054 -R 192.168.0.2 2054
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2055 -R 192.168.0.2 2055
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2056 -R 192.168.0.2 2056
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2057 -R 192.168.0.2 2057
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2058 -R 192.168.0.2 2058
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2059 -R 192.168.0.2 2059
<<<<<<<<<<<<<<<<<<<<<<<</etc/rc.d/rc.firewall
- Notes on rc.firewall
  - I know! I know! It is not as secure as it could be. However, between the firewall and tcp wrappers, the security is adequate for this situation. Look at the above references; they create more security than I.
  - Flush out ipchains and portfw. This is useful if this file is run manually after bootup (say during debugging / testing).
Now let's confirm that the settings are okay.
- lsmod
- ---------------------------
Module            Size  Used by
ip_masq_user      2764  0 (unused)
ip_masq_raudio    3128  0 (unused)
ip_masq_irc       1688  0
ip_masq_ftp       2552  0
- ------------------------------
Next we do an
- ipchains -L
- ---------------------------
Chain input (policy ACCEPT):
Chain forward (policy REJECT):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24        anywhere              n/a
Chain output (policy ACCEPT):
- ----------------------------------
And lastly we do a:
- ipmasqadm portfw -ln
- ---------------------------
prot localaddr      rediraddr      lport rport pcnt pref
TCP  24.113.94.87   192.168.0.2    2059  2059  10   10
TCP  24.113.94.87   192.168.0.2    2058  2058  10   10
TCP  24.113.94.87   192.168.0.2    2057  2057  10   10
TCP  24.113.94.87   192.168.0.2    2056  2056  10   10
TCP  24.113.94.87   192.168.0.2    2055  2055  10   10
TCP  24.113.94.87   192.168.0.2    2054  2054  10   10
TCP  24.113.94.87   192.168.0.2    2053  2053  10   10
TCP  24.113.94.87   192.168.0.2    2052  2052  10   10
TCP  24.113.94.87   192.168.0.2    2051  2051  10   10
TCP  24.113.94.87   192.168.0.2    2050  2050  10   10
TCP  24.113.94.87   192.168.0.2    2049  2049  10   10
TCP  24.113.94.87   192.168.0.2    2048  2048  10   10
TCP  24.113.94.87   192.168.0.2    2047  2047  10   10
TCP  24.113.94.87   192.168.0.2    2046  2046  10   10
TCP  24.113.94.87   192.168.0.2    2045  2045  10   10
TCP  24.113.94.87   192.168.0.2    2044  2044  10   10
TCP  24.113.94.87   192.168.0.2    2043  2043  10   10
TCP  24.113.94.87   192.168.0.2    2042  2042  10   10
TCP  24.113.94.87   192.168.0.2    2041  2041  10   10
TCP  24.113.94.87   192.168.0.2    2040  2040  10   10
TCP  24.113.94.87   192.168.0.1    2039  2039  10   10
TCP  24.113.94.87   192.168.0.1    2038  2038  10   10
TCP  24.113.94.87   192.168.0.1    2037  2037  10   10
TCP  24.113.94.87   192.168.0.1    2036  2036  10   10
TCP  24.113.94.87   192.168.0.1    2035  2035  10   10
TCP  24.113.94.87   192.168.0.1    2034  2034  10   10
TCP  24.113.94.87   192.168.0.1    2033  2033  10   10
TCP  24.113.94.87   192.168.0.1    2032  2032  10   10
TCP  24.113.94.87   192.168.0.1    2031  2031  10   10
TCP  24.113.94.87   192.168.0.1    2030  2030  10   10
TCP  24.113.94.87   192.168.0.1    2029  2029  10   10
TCP  24.113.94.87   192.168.0.1    2028  2028  10   10
TCP  24.113.94.87   192.168.0.1    2027  2027  10   10
TCP  24.113.94.87   192.168.0.1    2026  2026  10   10
TCP  24.113.94.87   192.168.0.1    2025  2025  10   10
TCP  24.113.94.87   192.168.0.1    2024  2024  10   10
TCP  24.113.94.87   192.168.0.1    2023  2023  10   10
TCP  24.113.94.87   192.168.0.1    2022  2022  10   10
TCP  24.113.94.87   192.168.0.1    2021  2021  10   10
TCP  24.113.94.87   192.168.0.1    2020  2020  10   10
TCP  24.113.94.87   192.168.0.6    2019  2019  10   10
TCP  24.113.94.87   192.168.0.6    2018  2018  10   10
TCP  24.113.94.87   192.168.0.6    2017  2017  10   10
TCP  24.113.94.87   192.168.0.6    2016  2016  10   10
TCP  24.113.94.87   192.168.0.6    2015  2015  10   10
TCP  24.113.94.87   192.168.0.6    2014  2014  10   10
TCP  24.113.94.87   192.168.0.6    2013  2013  10   10
TCP  24.113.94.87   192.168.0.6    2012  2012  10   10
TCP  24.113.94.87   192.168.0.6    2011  2011  10   10
TCP  24.113.94.87   192.168.0.6    2010  2010  10   10
TCP  24.113.94.87   192.168.0.6    2009  2009  10   10
TCP  24.113.94.87   192.168.0.6    2008  2008  10   10
TCP  24.113.94.87   192.168.0.6    2007  2007  10   10
TCP  24.113.94.87   192.168.0.6    2006  2006  10   10
TCP  24.113.94.87   192.168.0.6    2005  2005  10   10
TCP  24.113.94.87   192.168.0.6    2004  2004  10   10
TCP  24.113.94.87   192.168.0.6    2003  2003  10   10
TCP  24.113.94.87   192.168.0.6    2002  2002  10   10
TCP  24.113.94.87   192.168.0.6    2001  2001  10   10
TCP  24.113.94.87   192.168.0.6    2000  2000  10   10
TCP  24.113.98.164  192.168.0.206  2401  2401  8    10
TCP  24.113.98.164  192.168.0.205  25    25    8    10
TCP  24.113.98.164  192.168.0.203  21    21    9    10
TCP  24.113.94.87   192.168.0.201  21    21    7    10
TCP  24.113.94.87   192.168.0.204  25    25    7    10
TCP  24.113.98.164  192.168.0.202  80    80    7    10
TCP  24.113.94.87   192.168.0.200  80    80    2    10
- ----------------------------------
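Checking a listing of this length by eye is error-prone, so here is an added example (not part of the original page) that compares an `ipmasqadm portfw -ln` listing with the forwards rc.firewall is meant to create. The function names, the expected-list format and the sample listing are assumptions made for the example; only the server forwards are listed as expected.

```shell
#!/bin/sh
# Added example (not from the original page): audit the live portfw table.

# Intended forwards, one per line: "proto localaddr lport rediraddr rport".
# These are the server forwards from the rc.firewall on this page.
expected_forwards() {
cat <<'EOF'
tcp 24.113.94.87 80 192.168.0.200 80
tcp 24.113.98.164 80 192.168.0.202 80
tcp 24.113.94.87 21 192.168.0.201 21
tcp 24.113.98.164 21 192.168.0.203 21
tcp 24.113.94.87 25 192.168.0.204 25
tcp 24.113.98.164 25 192.168.0.205 25
tcp 24.113.98.164 2401 192.168.0.206 2401
EOF
}

# Constructed sample in the `ipmasqadm portfw -ln` layout shown above:
# the cvs forward is absent and a telnet forward has appeared.
sample_listing() {
cat <<'EOF'
prot localaddr      rediraddr      lport rport pcnt pref
TCP  24.113.98.164  192.168.0.205  25    25    8    10
TCP  24.113.98.164  192.168.0.203  21    21    9    10
TCP  24.113.94.87   192.168.0.201  21    21    7    10
TCP  24.113.94.87   192.168.0.204  25    25    7    10
TCP  24.113.98.164  192.168.0.202  80    80    7    10
TCP  24.113.94.87   192.168.0.200  80    80    2    10
TCP  24.113.94.87   192.168.0.200  23    23    10   10
EOF
}

# portfw_audit: reads a listing on stdin, prints one line per difference
# and returns 1 if the table does not match expected_forwards exactly.
portfw_audit() {
    diffs=$({ expected_forwards; echo '--LISTING--'; cat; } | awk '
        $1 == "--LISTING--" { live = 1; next }
        !live { if (NF == 5) want[toupper($1) " " $2 " " $3 " " $4 " " $5] = 1; next }
        $1 == "TCP" || $1 == "UDP" {
            key = $1 " " $2 " " $4 " " $3 " " $5   # proto local lport redir rport
            if (key in want) seen[key] = 1
            else print "UNEXPECTED " key
        }
        END { for (k in want) if (!(k in seen)) print "MISSING " k }
    ' | sort)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Demo on the constructed sample; on the gateway itself this would be
#   ipmasqadm portfw -ln | portfw_audit
sample_listing | portfw_audit || echo "port-forward table has drifted"
```

To cover the ICQ return ports as well, add their 60 lines to expected_forwards; otherwise they are reported as UNEXPECTED.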
Now, ping a host on the external network. Use its ip address if the internal name server is not set up yet.
TCP Wrappers
- References
  - hosts.allow man page
  - /usr/doc/tcp_wrappers*/README
- As Gateway is a firewall server, only the minimum of inet services must be started, and they must be restricted to the appropriate access only. We do this first by enabling only the permitted services in /etc/inetd.conf.
- inetd.conf
- >>>>>>>>>>>>>>>>>>>>>>>>/etc/inetd.conf
# inetd.conf    This file describes the services that will be available
#               through the INETD TCP/IP super server. To re-configure
#               the running INETD process, edit this file, then send the
#               INETD process a SIGHUP signal.
#
# Version:      @(#)/etc/inetd.conf 3.10 05/27/93
#
# Authors:      Original taken from BSD UNIX 4.3/TAHOE.
#               Fred N. van Kempen, <lwaltje@uwalt.nl.mugnet.org>
#
# Modified for Debian Linux by Ian A. Murdock <imurdock@shell.portal.com>
#
# Modified for RHS Linux by Marc Ewing <marc@redhat.com>
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo     stream  tcp   nowait      root        internal
#echo     dgram   udp   wait        root        internal
#discard  stream  tcp   nowait      root        internal
#discard  dgram   udp   wait        root        internal
daytime   stream  tcp   nowait      root        internal
daytime   dgram   udp   wait        root        internal
#chargen  stream  tcp   nowait      root        internal
#chargen  dgram   udp   wait        root        internal
time      stream  tcp   nowait      root        internal
time      dgram   udp   wait        root        internal
#
# These are standard services.
#
ftp       stream  tcp   nowait      root        /usr/sbin/tcpd in.ftpd -l -a
telnet    stream  tcp   nowait      root        /usr/sbin/tcpd in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell    stream  tcp   nowait      root        /usr/sbin/tcpd in.rshd
#login    stream  tcp   nowait      root        /usr/sbin/tcpd in.rlogind
#exec     stream  tcp   nowait      root        /usr/sbin/tcpd in.rexecd
#comsat   dgram   udp   wait        root        /usr/sbin/tcpd in.comsat
#talk     dgram   udp   wait        nobody.tty  /usr/sbin/tcpd in.talkd
#ntalk    dgram   udp   wait        nobody.tty  /usr/sbin/tcpd in.ntalkd
#dtalk    stream  tcp   wait        nobody.tty  /usr/sbin/tcpd in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2    stream  tcp   nowait      root        /usr/sbin/tcpd ipop2d
#pop-3    stream  tcp   nowait      root        /usr/sbin/tcpd ipop3d
#imap     stream  tcp   nowait      root        /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
#uucp     stream  tcp   nowait      uucp        /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp     dgram   udp   wait        root        /usr/sbin/tcpd in.tftpd
#bootps   dgram   udp   wait        root        /usr/sbin/tcpd bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#finger   stream  tcp   nowait      nobody      /usr/sbin/tcpd in.fingerd
#cfinger  stream  tcp   nowait      root        /usr/sbin/tcpd in.cfingerd
#systat   stream  tcp   nowait      guest       /usr/sbin/tcpd /bin/ps -auwwx
#netstat  stream  tcp   nowait      guest       /usr/sbin/tcpd /bin/netstat -f inet
#
# Authentication
#
# identd is run standalone now
#
#auth     stream  tcp   wait        root        /usr/sbin/in.identd in.identd -e -o
#
# End of inetd.conf
#swat     stream  tcp   nowait.400  root        /usr/sbin/swat swat
<<<<<<<<<<<<<<<<<<<<<<<<<</etc/inetd.conf
- Basically the only inet services enabled are time, daytime, telnet and ftp. The only reason time and daytime are enabled is that gateway also serves as a time server, and is an accurate time reference for other hosts (internal and external) to obtain their time.
- The hosts.allow and hosts.deny files for tcp wrappers follow a mostly closed approach where everything is denied initially, and only those permitted services are allowed.
- hosts.deny
- >>>>>>>>>>>>>>>>>>>>>>>>/etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

ALL: ALL
- <<<<<<<<<<<<<<<<<<<<<<<</etc/hosts.deny
- hosts.allow
- >>>>>>>>>>>>>>>>>>>>>>>/etc/hosts.allow
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Give complete access for all to the local host
ALL: 127.0.0.1, 24.113.94.87, 24.113.98.164, 192.168.0.254
# Define access rules for hosts on local network.
# hal-9000, hershel, hercules, and henry are trusted to access this host.
ALL: 192.168.0.1 192.168.0.3, 192.168.0.4, 192.168.0.6
# Telnet access for "trusted" external addresses
in.telnetd: 24.113.94.163       # Ron's address
in.telnetd: 163.241.175.102     # wormhole.amp.com
in.telnetd: 208.239.159.2       # backdoor.macom.com
- <<<<<<<<<<<<<<<<<<<<<<</etc/hosts.allow
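To see what the mostly closed policy in these two files grants, here is an added example (not part of the original page, and not the tcp_wrappers code) that applies the tcpd search order to the rules above. It assumes a simplified rule syntax, handling only literal addresses and the ALL wildcard; the function names and the address 203.0.113.9 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): the access decision tcpd
# makes from the two files above. Only literal addresses and the ALL
# wildcard are handled; hosts_access(5) also has netmasks, name
# patterns and EXCEPT.

# Constructed copies of the page's rules, without the trailing owner comments.
hosts_allow() {
cat <<'EOF'
ALL: 127.0.0.1, 24.113.94.87, 24.113.98.164, 192.168.0.254
ALL: 192.168.0.1 192.168.0.3, 192.168.0.4, 192.168.0.6
# Telnet access for "trusted" external addresses
in.telnetd: 24.113.94.163
in.telnetd: 163.241.175.102
in.telnetd: 208.239.159.2
EOF
}
hosts_deny() {
cat <<'EOF'
ALL: ALL
EOF
}

# rule_matches DAEMON CLIENT: rules on stdin, exit 0 if any rule matches.
rule_matches() {
    awk -v d="$1" -v c="$2" '
        /^#/ || NF == 0 { next }
        {
            split($0, field, ":")            # daemon_list : client_list
            nd = split(field[1], daemons, /[ \t,]+/)
            nc = split(field[2], clients, /[ \t,]+/)
            dm = 0; cm = 0
            for (i = 1; i <= nd; i++) if (daemons[i] == "ALL" || daemons[i] == d) dm = 1
            for (i = 1; i <= nc; i++) if (clients[i] == "ALL" || clients[i] == c) cm = 1
            if (dm && cm) { hit = 1; exit }
        }
        END { exit !hit }
    '
}

# access DAEMON CLIENT: hosts.allow is searched first and a match grants;
# then a hosts.deny match refuses; with no match in either, access is granted.
access() {
    if hosts_allow | rule_matches "$1" "$2"; then echo allow
    elif hosts_deny | rule_matches "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Demo: 203.0.113.9 is a constructed outside address.
for probe in "in.telnetd 24.113.94.163" "in.ftpd 24.113.94.163" \
             "in.ftpd 192.168.0.6" "in.telnetd 192.168.0.2" "in.telnetd 203.0.113.9"; do
    set -- $probe
    echo "$1 from $2: $(access "$1" "$2")"
done
```

Note the last branch of access: without the ALL: ALL line in hosts.deny, every client not named in hosts.allow would be granted access.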
- Note that telnet is further restricted by the limited number of users, and cryptic passwords. This is not bulletproof, and telnet is still susceptible to IP address spoofing. In the future this will become ssh.
- Ftp access can only occur from the internal network (port forwarding from the external network), and its setup is also very access restrictive, not allowing anonymous ftp. Using Wu-ftp as the ftp server, we remove its ability to guest or host anonymous ftp by editing the first line of /etc/ftpaccess.
- ftpaccess
- >>>>>>>>>>>>>>>>>>>>>/etc/ftpaccess
class all real *

email ftpmaster@novatek.co.nz

loginfails 3

banner /etc/msgs/ftpbanner
greeting brief

readme README* login
readme README* cwd=*

message /welcome.msg login
message .message cwd=*

limit all 20 Any /etc/msgs/ftptoomany

compress   yes  all
tar        yes  all
chmod      no   guest,anonymous
delete     no   guest,anonymous
overwrite  no   guest,anonymous
rename     no   guest,anonymous

upload /home/ftp * no
upload /home/ftp /incoming yes ftp ftp 0666

log commands real
log transfers anonymous,real inbound,outbound

passwd-check rfc822 enforce
- <<<<<<<<<<<<<<<<<<<<</etc/ftpaccess
Last modified: Tue Feb 8 22:00:00 PST 2000
Copyright © Jonathan Marks, 1999, 2000. All rights reserved.
http:/jon.novatek.co.nz/linux/config/gateway-fws.html.