                         TIS Firewall Toolkit

		  Trusted Information Systems, Inc.
		          February 26, 1998


WHAT IS THE TIS FIREWALL TOOLKIT?
---------------------------------
Trusted Information Systems, Inc. (TIS) is pleased to provide the TIS
Firewall Toolkit, a software kit for building and maintaining
internetwork Firewalls.  It is distributed in source code form, with
all modules written in the C programming language, and it runs on many
BSD UNIX derived platforms. The Toolkit is being made available for
use as specified in the license agreement (LICENSE).


USERS' GROUP
------------
TIS maintains the electronic-mail users' group <fwtk-users@tis.com>
for discussion of the toolkit.  To join, send electronic mail to
<majordomo@tis.com>.

TIS Firewall Toolkit technical questions, license issues, bug reports,
etc. should be addressed to <fwtk-support@tis.com>.

The frequently asked questions (FAQ) document for FWTK is maintained
by Keith Young and is available at the following URL:
	http://www.erols.com/avenger/
Further information on FWTK is also available from the TIS web site
at
	http://www.tis.com/docs/products/fwtk/
Information about other TIS network security products or commercial
licensing requests should be sent to <netsec@tis.com> or by telephone to
(301) 527-9500.

DISCLAIMER
----------
Please read the document "DISCLAIMER" which describes TIS' support
policy with respect to use of this software by other parties.

WHAT IS HERE?
-------------
README			- This file
fwtk-doc-only.tar.Z	- Toolkit documentation
fwtk-2.1.tar.Z		- Toolkit sources and Makefiles (no documentation)

Toolkit Roadmap:
----------------
Makefile		- toplevel Makefile
README			- this file
auth			- authentication server and libraries (optional)
config			- sample configuration/permissions tables
doc			- documentation
firewall.h		- compile-time configuration
ftp-gw			- sources for FTP proxy server
http-gw			- http/gopher proxy
lib			- sources for library routines
netacl			- sources for TCP/IP access control "wrapper"
plug-gw			- sources for plug-board proxy server
rlogin-gw		- sources for rlogin proxy server
smap			- sources for sendmail wrapper client
smapd			- sources for sendmail wrapper daemon
tn-gw			- sources for TELNET proxy server
tools			- miscellaneous/unsupported tools
x-gw			- X11 proxy



Building this software:
-----------------------

	As packaged, the Makefiles included in this kit will attempt to build
the firewall components and miscellaneous tools. We have supplied example
configuration files (Makefile.config) for platforms that have known
requirements - look for a Makefile.config.<name> that corresponds to your
operating system. If you find one, save the original Makefile.config and
move the OS-specific version into Makefile.config. 

	You may need to edit firewall.h to tailor to the local operating
system and environment.

	On some platforms (such as those with dynamically linked executables)
you may wish to edit some of the individual Makefiles to tailor the compilation
options such as compiler/linker flags and installation directories. The
firewall toolkit is written in K&R C. If you are using a compiler that
assumes ANSI C you may need to add a global compiler flag to cause it
to accept K&R syntax.

	Global compilation options and flags are configured
in a master Makefile called "Makefile.config", which the
other Makefiles read through an "include" directive. You
should examine and edit this Makefile to reflect your system
before attempting to build the toolkit. Not all versions
of make support the "include" syntax (most notably, the BSD
derived versions, which use ".include" instead) -- if your
system is in the latter category, you have the choice of
either obtaining GNU make or modifying the Makefiles.
There is a program called "fixmake" which will rebuild
the Makefiles for you. Simply edit Makefile.config and
when you're happy with it, run "fixmake" and it will
update the "include" directives to the BSD format.
Repeatedly running "fixmake" is OK.

	If your system does not have X11 libraries with
X11 include files installed on it, you will not be able
to build X-gw. X-gw relies on the athena widget set
(Xaw and Xmu) which must also be present on the system.
To set the paths for X libraries, see Makefile.config.
If you do not wish to build the X-gw, simply comment out
the entry for x-gw in the line
	DIRS=	smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw
in the top-level Makefile.


	Once firewall.h has been configured, typing "make"
should build the basic firewall components. "make install"
will install the components in a default location. A second
directory of tools contains support software and modified
client software. Many of the programs in the "tools" directory
are from the BSD Net2 sources, and may be more or less difficult
to get running, depending on the operating system platform.
Rather than attempting to shadow the BSD distribution, they
are provided "as is" with a README file in each tool's
directory describing what platforms it is known to work on.

	If you plan to build/use the authentication server,
you may wish to examine and edit "auth.h" to set the types
of authentication you wish to support, and where the databases
will reside. If you wish to use the authentication server with
DES encryption for protecting transactions, you will need to
obtain a DES encryption library, which is not supplied
with the rest of the toolkit, and which must be obtained
separately. The Digital Pathways SecureNet Key software also
requires a compatible DES library. See the README in the "auth"
directory for details.

General Building Notes:
-----------------------

	Many of the components can be configured to perform
a chroot(2) and run in a restricted environment. Generally,
they should be linked against a resolver library [if you care
about name resolution] that can be configured to work under
chroot. Wherever possible, all required information is read
before performing a chroot, so password files, etc, need not
be provided.
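
	The ordering described above (read what is needed, then chroot,
then give up root), as an added example in ANSI C. It is not code from
the toolkit; the names jail_ctx, jail_preload and jail_enter, the user
"nobody" and the paths are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1   /* expose chroot(2) and setgroups(2) on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical names, not toolkit API: what the daemon needs from outside the jail. */
struct jail_ctx {
    uid_t uid;   /* unprivileged ids, looked up while /etc/passwd is still visible */
    gid_t gid;
    FILE *conf;  /* permissions table, opened before the root directory changes */
};

/* Step 1: resolve the user and open the config BEFORE chroot(2). */
int jail_preload(struct jail_ctx *ctx, const char *user, const char *conf_path)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    ctx->uid = pw->pw_uid;
    ctx->gid = pw->pw_gid;
    ctx->conf = fopen(conf_path, "r");
    return ctx->conf ? 0 : -1;
}

/* Step 2: confine the process, then drop root for good. */
int jail_enter(const struct jail_ctx *ctx, const char *dir)
{
    if (geteuid() != 0) {              /* chroot(2) is root-only */
        errno = EPERM;
        return -1;
    }
    if (chroot(dir) != 0 || chdir("/") != 0)   /* chdir so cwd is inside the jail */
        return -1;
    /* Groups, then gid, then uid: once the uid is dropped the others cannot change. */
    if (setgroups(1, &ctx->gid) != 0 || setgid(ctx->gid) != 0 || setuid(ctx->uid) != 0)
        return -1;
    return (ctx->uid != 0 && setuid(0) == 0) ? -1 : 0;   /* regaining root must fail */
}

int main(void)
{
    struct jail_ctx ctx;   /* "nobody" and both paths are placeholders */
    if (jail_preload(&ctx, "nobody", "/etc/hosts") || jail_enter(&ctx, "/var/empty"))
        return 1;
    printf("confined as uid %d; config handle still usable\n", (int)getuid());
    return 0;
}
```

	Because the passwd lookup and the fopen happen first, the jail
directory can stay empty of password files and configuration tables.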


Support:
--------
Legend:
	"tested" -- TIS has independently verified correct operation
			of toolkit components
	"builds" -- TIS has either ported and compiled, but not verified
			correct operation, or has second-hand reports from
			third parties that the software builds and works

SunOS4.1.X	- tested
Solaris		- builds (not tested)
HP/UX A.10.01	- builds (not tested)
CMU MACH	- builds (not tested)
ULTRIX		- builds (not tested)
			undefine USE_UDPSYSLOG in firewall.h
BSDI		- tested
BSD/386		- tested by other party
IBM/AIX		- tested by other party 
			ftp-gw, tn-gw, rlogin-gw require adding
			#include <sys/select.h>
SCO XENIX	- tested
			requires adding -lsocket to lots of Makefiles and
			changing SIGOOB handling to SIGUSR1

LINUX		- builds (not tested)

	Systems that do not have a bcopy/bzero library routine will
need to have one provided for them.


	User support, bugs, comments, mail, etc, should be directed to
fwtk-support@tis.com and fwtk-users@tis.com.

