                        TIS Firewall Toolkit

		  Trusted Information Systems, Inc.
	                 September 12, 1996


WHAT IS THE TIS FIREWALL TOOLKIT?

Trusted Information Systems, Inc. (TIS) is pleased to provide the TIS
Firewall Toolkit, a software kit for building and maintaining
internetwork Firewalls.  It is distributed in source code form, with
all modules written in the C programming language and runs on many
BSD UNIX derived platforms. The Toolkit is being made available for
use as specified in the license agreement (LICENSE).


USERS' GROUP

TIS maintains the electronic-mail users' group <fwtk-users@tis.com>
for discussion of the toolkit.  To join, send electronic mail to
<fwtk-users-request@tis.com>.

TIS Firewall Toolkit technical questions, license issues, bug reports,
etc. should be addressed to <fwtk-support@tis.com>. Anyone is encouraged
to subscribe to the fwtk-support mailing list to help assist other
Firewall Toolkit users.

Information about other TIS network security products or commercial
licensing requests should be sent to <netsec@tis.com> or by telephone to
(301) 854-6889.


DISCLAIMER

Please read the docment "DISCLAIMER" which describes TIS' support
policy with respect to use of this software by other parties.



Toolkit Roadmap:
----------------
Makefile	- toplevel Makefile
README		- this file
auth		- authentication server and libraries (optional)
config		- sample configuration/permissions tables
doc		- documentation
firewall.h	- compile-time configuration
ftp-gw		- sources for FTP proxy server
http-gw		- http/gopher proxy
lib		- sources for library routines
netacl		- sources for TCP/IP access control "wrapper"
plug-gw		- sources for plug-board proxy server
rlogin-gw	- sources for rlogin proxy server
smap		- sources for sendmail wrapper client
smapd		- sources for sendmail wrapper daemon
tn-gw		- sources for TELNET proxy server
tools		- miscellaneous/unsupported tools
x-gw		- X11 proxy



Building this software:
-----------------------

	As packaged, the Makefiles included in this kit
will attempt to build the firewall components and miscellaneous
tools. We have supplied example configuration files (Makefile.config)
for platforms that have known requirements - look for a Makefile.config.<name>
that corresponds to your operating system. For other systems, you may need
to edit firewall.h to tailor to the local operating system and environment.
On some platforms (such as those with dynamically linked executables) you
may wish to edit some of the individual Makefiles to tailor
the compilation options such as compiler/linker flags and
installation directories. The firewall toolkit is written
in K&R C. If you are using a compiler that assumes ANSI C
you may need to add a global compiler flag to cause it to
accept K&R syntax.

	Global compilation options and flags are configured
in a master Makefile called "Makefile.config"   You should
examine and edit this Makefile to reflect your system,
before attempting to build the toolkit. Not all versions
of make may support this syntax (most notably, the BSD
derived versions which use ".include" instead) -- if your
system is in the latter category, you have the choice of
either obtaining GNU make or modifying the Makefiles.
There is a program called "fixmake" which will rebuild
the Makefiles for you. Simply edit Makefile.config and
when you're happy with it, run "fixmake" and it will
manually perform the equivalent of the "include"
directive. Repeatedly running "fixmake" is OK.

	If your system does not have X11 libraries with
X11 include files installed on it, you will not be able
to build X-gw. X-gw relies on the athena widget set
(Xaw and Xmu) which must also be present on the system.
To set the paths for X libraries, see Makefile.config.
If you do not wish to build the X-gw, simply comment out
the entry for x-gw in the
DIRS=	smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw
	entry in the top-level Makefile.


	Once firewall.h has been configured, typing "make"
should build the basic firewall components. "make install"
will install the components in a default location. A second
directory of tools contains support software and modified
client software. Many of the programs in the "tools" directory
are from the BSD Net2 sources, and may be more or less difficult
to get running, depending on the operating system platform.
Rather than attempting to shadow the BSD distribution, they
are provided "as is" with a README file in each tool's
directory describing what platforms it is known to work on.

	If you plan to build/use the authentication server,
you may wish to examine and edit "auth.h" to set the types
of authentication you wish to support, and where the databases
will reside. If you wish to use the authentication server with
DES encryption for protecting transactions, you will need to
obtain the DES communication library, which is packaged separately
from the rest of the toolkit, and which is only available to US
citizens. The Digital Pathways SecureNet Key software also
requires a compatible DES library. See the README in the "auth"
directory for details.

General Building Notes:
-----------------------

	Many of the components can be configured to perform
a chroot(2) and run in a restricted environment. Generally,
they should be linked against a resolver library [if you care
about name resolution] that can be configured to work under
chroot. Wherever possible, all required information is read
before performing a chroot, so password files, etc, need not
be provided.


Support:
--------
Legend:
	"tested" -- TIS has independently verified correct operation
			of toolkit components
	"builds" -- TIS has either ported and compiled, but not verified
			correct operation, or has second-hand reports from
			third parties that the software builds and works

SunOS4.1.X	- tested
Solaris		- Builds (not tested)
HP/UX A.10.01	- builds (not tested)
CMU MACH	- builds (not tested)
ULTRIX		- builds (not tested)
			undefine USE_UDPSYSLOG in firewall.h
BSDI		- tested
BSD/386		- tested by other party
IBM/AIX		- tested by other party 
			ftp-gw, tn-gw, rlogin-gw require including
			#include <sys/select.h>
SCO XENIX	- tested
			requires -lsocket to lots of Makefiles and
			change of SIGOOB handling to SIGUSR1

LINUX		- Builds (not tested)

	Systems that do not have a bcopy/bzero library routine will
need to have one provided for them.


	User support, bugs, comments, mail, etc, should be directed to
fwtk-support@tis.com and fwtk-users.tis.com.

