Server not running, called by the wrapper

Next: Server running on a Up: Sample configurations Previous: Redirecting firewall Contents

Server not running, called by the wrapper

This will be probably the most frequently used scheme. Here, the server processes (which are usually run from inetd) will not run at all. ProtoWrap will be installed in each individual server machine, and configured to wrap each individual server port. ProtoWrap can be run either in standalone or in inetd mode, and the server program will be called via a pipe, not via an IP connection. This way, the programs concurrently running at the server can be kept at a minimum, and network access to the protected services will be completely cut off.

$\resizebox* {0.6\textwidth}{!}{\includegraphics{include/server-not-running.eps}}$

For this scheme, we have:

$\begin{labeling}{00.00.0000} \item [Advantages]~ \end{labeling}$

Lower overall memory requirements
Server programs are completely isolated from outsiders
Does not require any usually awkward firewalling rules to be set
Is not vulnerable to the local network, the same defense level is applied both to local and remote users

$\begin{labeling}{00.00.0000} \item [Disadvantages]~ \end{labeling}$

Higher initialization overhead for each incoming connection
If many connections arrive simultaneously, memory usage can grow very fast
Must modify the configuration for each server manually
Will not work with servers that require interaction with a socket (IP connection), not with a file handle (STDIN)
Wrappers' executables and configuration are stored in each of the servers; this makes upgrading or adding rules a task requiring more effort than having them all in a single place

Server's /etc/rc.local includes:

/usr/local/bin/smtpwrap &

Server's /usr/local/bin/smtpwrap:


#!/usr/bin/perl 

use ProtoWrap::SMTP;
use strict;

my ($wrap);

$wrap = ProtoWrap::SMTP->new('standalone' => 1,
                             'listenPort' => 10025,
                             'destType' => 'ip',
                             'destAddr' => '127.0.0.1',
                             'logLevel' => 3,
                             'maxMsgSize' => 3000000,
                             'relayDomainList' => ['mydomain.com'],
                             'maxRcpt' => 10,
                             'setUidTo' => 32767
                             );
die 'Can\'t start SMTP wrapper' if (not defined $wrap);
$wrap->startServer() or warn 'Can\'t start wrapper for '.$wrap->getProp();

Next: Server running on a Up: Sample configurations Previous: Redirecting firewall Contents

Gunnar Wolf
2001-03-12