.TH CVS-GW 8 "August 2007" "OpenFWTK"
.SH NAME
cvs-gw \- CVS pserver proxy
.SH SYNOPSIS
.B cvs-gw
.RB "[-daemon ] "
.RB "[-fastdaemon ] [-as ]"
.sp
.SH DESCRIPTION
.IX "cvs-gw" "" "\(em CVS pserver proxy"
The Firewall Toolkit CVS proxy is an application-level proxy that provides
configurable access control, authentication and logging mechanisms.
The CVS proxy, which runs on the firewall, passes CVS requests through the
firewall (at the application level), using rules you supply.
You can configure the proxy to allow connections based on:
.IP "\(bu" 4m
source IP address
.IP "\(bu" 4m
source host name
.IP "\(bu" 4m
destination IP address
.IP "\(bu" 4m
destination host name
.IP "\(bu" 4m
pserver command (say, checkout or commit)
.PP
All packets, and therefore all application requests, go to the firewall.
On the firewall, the CVS proxy software relays information from one side of
the firewall to the other.
The proxy prevents the applications on outside networks from talking directly
with the applications on your inside network, and vice versa.
No IP packets pass from one side of the firewall to the other.
All data are passed at the application level.
.PP
To use the proxy in non-transparent mode, the \`username\' part of the
.I PSERVER
specification should be replaced with
.IR username$host[$port] ,
where
.I $
is the separator character; the default separator is \`@\' and it may be
changed with the
.I -separator
option.
.PP
The CVS proxy
.RB "(" cvs-gw ")"
generally runs as a daemon (invoked from a system startup script, e.g.
.IR "/etc/rc.local" )
and listens for requests on the specified port (tcp/2401, as indicated in
.IR "/etc/services" ,
is a reasonable default).
Whenever the system receives a CVS request on this port, the CVS proxy checks
its configuration information (in the
.IR "netperm-table" )
and determines whether the initiating host has permission to use CVS.
If the host does not have permission, the proxy logs the connection attempt
and displays an error message.
.PP
The proxy may also be invoked from a TCP/IP "superserver" (inetd or xinetd).
The
.I -daemon
parameter should be omitted in this case.
.PP
If the host has permission, the proxy authenticates the user (if required),
logs the transaction and passes the request to the destination host.
.SH OPTIONS
.SS Command Line Options
The CVS proxy recognizes the following command line options (whether started
from the command line or from within
.IR /etc/rc.local ):
.TP
.BI "-daemon " port
Indicates that the CVS proxy runs as a daemon, and the port (name or number)
on which the CVS proxy listens.
When the
.I -daemon
option is used, the configuration is re-read from
.I netperm-table
for every new connection the proxy accepts.
.IP
.I port
specifies either a numeric id or a symbolic name from the
.I /etc/services
file.
.TP
.BI "-fastdaemon " port
Indicates that the CVS proxy runs as a daemon, and the port (name or number)
on which the CVS proxy listens.
When the
.I -fastdaemon
option is used, the configuration is read from
.I netperm-table
once, when the daemon starts, and re-read only when
.I SIGHUP
is received.
.TP
.BI "-as " tag
Changes the default application tag looked up in
.I netperm-table
from "cvs-gw" to the given string.
.SS Configuration Options
The CVS proxy reads its configuration rules from
.IR "/usr/local/etc/netperm-table" .
It reads all rules using the
.B cvs-gw
and
.B *
(wildcard) keywords.
The CVS proxy reads the
.I netperm-table
from top to bottom.
If there are multiple rules in the table that could apply to a particular
attribute, the CVS proxy uses the first one that it finds.
See
.BR "netperm-table" (5)
for a more complete explanation of
.I netperm-table
syntax and precedence.
.PP
The CVS proxy recognizes the following attributes:
.TP
.BI "user-limit " number
Specifies the maximum permitted username length.
.TP
.BI "pass-limit " number
Specifies the maximum permitted password length.
.TP
.B hosts host-pattern [host-pattern2...] [options]
Host rules specify hosts and their access permissions.
Typically, a hosts rule will be in the form of:
.na
.sp 1
cvs-gw: deny-hosts unknown
.sp
cvs-gw: hosts 192.33.112.* 192.94.214.* -mode rw
.ad
.sp 1
There may be several host patterns following the "hosts" keyword, ending with
the first optional parameter beginning with '-'.
Optional parameters permit the selective enabling or disabling of logging
information, etc.
Sub-options are:
.IP
.B \-transparent
specifies that the proxy runs in transparent mode; see the OS-specific details
on how to set up transparent redirection.
The destination host is not extracted from the username part but taken from
the connection properties instead.
This makes the proxy "transparent", so no special client setup is required.
.IP
.B \-plug-to server-address
specifies that the proxy is "hardwired" to the given server.
.IP
.B \-port server-port
overrides the default pserver port for
.BR \-plug-to .
.IP
.B \-log-request operation
.br
.B \-log-request { operation1 operation2 ... }
.br
specifies that a log entry to the system log should be made whenever the
listed operations are performed through the proxy.
(See the
.B pserver
protocol description for a list of known CVS requests.)
.IP
.B \-log-response operation
.br
.B \-log-response { operation1 operation2 ... }
.br
specifies that a log entry to the system log should be made whenever the
listed responses are received through the proxy.
(See the
.B pserver
protocol description for a list of known CVS responses.)
.IP
.B \-dest pattern
.br
.B \-dest { pattern1 pattern2 ... }
.br
specifies a list of valid destinations.
If no list is specified, all destinations are considered valid.
The -dest list is processed in the order in which it appears on the options
line.
-dest entries preceded by a '!' character are treated as negation entries.
Therefore the rule:
.sp
.nf
.na
-dest !*.mit.edu -dest *
.fi
.ad
.sp
will permit connections to hosts that are not in the domain "mit.edu".
.IP
.B \-deny-request operation
.br
.B \-deny-request { operation1 operation2 ... }
.br
specifies a list of CVS operations to deny.
By default, all operations are permitted, unless
.I \`ro\'
mode is specified.
.IP
.B \-deny-response operation
.br
.B \-deny-response { operation1 operation2 ... }
.br
specifies a list of CVS responses to deny, as
.B \-deny-request
does for requests.
.IP
.B \-mode ro
.br
.B \-mode rw
This option overrides some of the flags set by the
.I \`\-deny-request\'
and
.I \`\-deny-response\'
options.
.I \`ro\'
disallows the user to commit;
.I \`rw\'
(the default) gives full access to the repository.
.IP
.B \-user username
.br
.B \-user { username1 username2 ... }
specifies a list of users allowed to authenticate to the remote server.
By default, all users are permitted.
.IP
.B \-extnd
specifies that the proxy should request per-operation permissions from
authsrv.
.IP
.B \-separator separator-char
specifies the separator character used to distinguish the user and host name
parts in non-transparent mode (instead of the default \`@\').
.IP
.B \-client-dscp dscp-tag-name
.br
.B \-client-dscp dscp-hex-value
specifies the diffserv codepoint (QoS/ToS mark) for the client-to-proxy
command stream.
.IP
.B \-server-dscp dscp-tag-name
.br
.B \-server-dscp dscp-hex-value
specifies the diffserv codepoint (QoS/ToS mark) for the proxy-to-server
command stream.
.TP
.BI "directory " directory
Specifies the directory that the CVS proxy makes its root directory before
providing service.
.TP
.BI "groupid " group
Specifies the name of the group the CVS proxy uses when running.
.RS
.TP
.I group
specifies either a name or a numeric id from the
.I /etc/group
file.
.RE
.TP
.BI "timeout " seconds
Specifies the number of seconds the CVS proxy is idle (with no network
activity) before disconnecting.
.TP
.BI "userid " user
Specifies the user ID the proxy uses when running.
.RS
.TP
.I user
specifies either a name or a numeric id from the
.I /etc/passwd
file.
This option is equivalent to the
.B -user
command in previous versions.
.RE
.SH EXAMPLES
Given the proxy is configured like:
.sp
.nf
.na
.RS
# permit workstations at LAN to access outside cvs servers
cvs-gw: permit-hosts 10.0.0.* -separator $ -mode rw
.RE
.ad
.fi
.sp
a sample pserver session via the proxy may look like:
.sp
.nf
.na
.RS
.RB "paranoid ~$ " "cvs -d ':pserver:johndoe$cvs.illuminati.int@firewall:/project/openfwtk' login"
Logging in to :pserver:johndoe$cvs.illuminati.int@firewall:/project/openfwtk
CVS password:
paranoid ~$
.RE
.ad
.fi
.SH FILES
.IP /etc/rc.local
Command script that controls automatic reboot, and includes startup
information for the CVS proxy.
.IP /usr/local/etc/netperm-table
The network permissions file contains configuration information for the
Firewall Toolkit, including the CVS proxy.
.SH BUGS
The proxy supports version 1.11.1p1 of the protocol specification and does
not work with the
.I \`kserver\'
and
.I \`server\'
connection methods.
At this time it supports only
.IR \`pserver\' .
No compression methods (the
.I \`\-z\'
option) are supported.
.sp
Please note that the
.I pserver
authentication protocol trivially encodes the passwords.
This is only to prevent inadvertent compromise; it provides no protection
against even a relatively unsophisticated attacker.
.sp
Report bugs to arkenoi@gmail.com or the fwtk-users@buoy.com mailing list.
Include a complete example, explaining what you expected to happen and what
actually happened.
Be sure to indicate the type of system (operating system, hardware, etc.) you
are using, as well as the version of the CVS proxy.
.SH AUTHOR
Alexander Kosheverov.
.SH SEE ALSO
.BR netperm-table "(5), " rc "(8), " authsrv "(8), " netacl (8)
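The following Python script is an added illustration and is not part of this manual page or of OpenFWTK. It models the rule semantics the page describes for the hosts attribute (the first matching hosts rule wins, -dest lists with '!' negation, -user lists, -deny-request, -mode ro) together with the username$host[$port] addressing used in non-transparent mode, against a constructed netperm-table fragment. The sample rules, the client addresses and logins, and the literal operation name "commit" are assumptions made for the demo; how the real proxy names requests and resolves host names is defined by its own pserver handling, not by this script.

```python
import fnmatch
import shlex

DEFAULT_PSERVER_PORT = 2401  # tcp/2401, the default named in /etc/services
DEFAULT_SEPARATOR = "@"      # default user/host separator; -separator overrides it

# Constructed netperm-table fragment (assumption, not from the manual page).
SAMPLE_NETPERM_TABLE = """\
# LAN workstations: non-transparent, read-only, may not reach *.example.org
cvs-gw: user-limit 32
cvs-gw: hosts 10.0.0.* -separator $ -mode ro -dest !*.example.org -dest *
# build hosts: read-write, but only for the listed users
cvs-gw: hosts 192.0.2.* -mode rw -user { alice bob }
"""

def parse_options(tokens):
    """Turn '-mode ro -dest !a -dest * -user { x y }' tokens into
    {'mode': ['ro'], 'dest': ['!a', '*'], 'user': ['x', 'y']} (repeats accumulate)."""
    opts, i = {}, 0
    while i < len(tokens):
        if not tokens[i].startswith("-"):
            raise ValueError(f"unexpected token {tokens[i]!r} in option list")
        values = opts.setdefault(tokens[i].lstrip("-"), [])
        i += 1
        if i < len(tokens) and tokens[i] == "{":  # brace-enclosed list
            i += 1
            while i < len(tokens) and tokens[i] != "}":
                values.append(tokens[i])
                i += 1
            i += 1  # skip the closing brace
        elif i < len(tokens) and not tokens[i].startswith("-"):
            values.append(tokens[i])  # single value; bare flags keep []
            i += 1
    return opts

def parse_rules(text, app_tag="cvs-gw"):
    """Collect hosts/permit-hosts/deny-hosts rules for our tag (or '*') in file
    order, because cvs-gw uses the first rule that matches."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        tag, _, rest = line.partition(":")
        words = shlex.split(rest) if tag.strip() in (app_tag, "*") else []
        if not words or words[0] not in ("hosts", "permit-hosts", "deny-hosts"):
            continue  # blank/comment lines and user-limit, timeout, userid, ...
        first_opt = next((k for k, w in enumerate(words) if w.startswith("-")), len(words))
        rules.append({"keyword": words[0], "patterns": words[1:first_opt],
                      "options": parse_options(words[first_opt:])})
    return rules

def split_client_username(login, separator=DEFAULT_SEPARATOR):
    """Non-transparent mode: 'user<sep>host[<sep>port]' -> (user, host, port)."""
    parts = login.split(separator)
    if len(parts) not in (2, 3):
        raise ValueError(f"expected user{separator}host[{separator}port], got {login!r}")
    return parts[0], parts[1], int(parts[2]) if len(parts) == 3 else DEFAULT_PSERVER_PORT

def dest_allowed(dest_list, host):
    """Walk -dest entries in order: the first matching entry decides, '!' means
    deny; no list at all means every destination is valid."""
    if not dest_list:
        return True
    for entry in dest_list:
        negate = entry.startswith("!")
        if fnmatch.fnmatchcase(host, entry[1:] if negate else entry):
            return not negate
    return False

def evaluate(rules, client_ip, login, operation):
    """Decide one pserver request -> (allowed, reason); only the first hosts
    rule whose pattern matches the client address is consulted."""
    for rule in rules:
        if not any(fnmatch.fnmatchcase(client_ip, p) for p in rule["patterns"]):
            continue
        if rule["keyword"] == "deny-hosts":
            return False, "client address matched a deny-hosts rule"
        opts = rule["options"]
        try:
            user, dest, _port = split_client_username(
                login, opts.get("separator", [DEFAULT_SEPARATOR])[0])
        except ValueError as exc:
            return False, str(exc)
        if opts.get("user") and user not in opts["user"]:
            return False, f"user {user!r} not in -user list"
        if not dest_allowed(opts.get("dest", []), dest):
            return False, f"destination {dest!r} rejected by -dest list"
        if operation in opts.get("deny-request", []):
            return False, f"operation {operation!r} listed in -deny-request"
        if opts.get("mode", ["rw"])[0] == "ro" and operation == "commit":
            return False, "-mode ro forbids commit"  # 'commit' name is an assumption
        return True, f"permitted by {rule['keyword']} rule for {rule['patterns']}"
    return False, "no hosts rule matches the client address"

if __name__ == "__main__":
    table = parse_rules(SAMPLE_NETPERM_TABLE)
    for ip, login, op in [("10.0.0.5", "johndoe$cvs.illuminati.int", "commit"),
                          ("10.0.0.5", "johndoe$cvs.example.org", "checkout"),
                          ("192.0.2.9", "carol@cvs.illuminati.int", "commit")]:
        print(ip, login, op, "->", evaluate(table, ip, login, op))
```

The point worth checking with a table like this is ordering: because only the first matching hosts rule is consulted, a broad rule placed above a narrower one silently masks it, and a -dest list that names a negation entry after a wildcard never denies anything.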