home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Software Vault: The Gold Collection
/
Software Vault - The Gold Collection (American Databankers) (1993).ISO
/
cdr28
/
mwftpd.zip
/
MANUAL.TXT
< prev
next >
Wrap
Text File
|
1993-03-06
|
64KB
|
1,423 lines
FTPD
An FTP Daemon NLM for Novell Netware 386 3.11
Administrators Guide
Copyright (C) 1992 MurkWorks
All Rights Reserved
August 9, 1992
MurkWorks
P.O. Box 631
Potsdam, NY 13676 USA
info@murkworks.com
FTPD V1.31 Administrators Guide
Copyright 1992 MurkWorks
All Rights Reserved
This software is not shareware, freeware nor public domain. It has
been provided to you in a limited timed demo format. You may use this
software without obligation until the demonstration period expires.
When the demonstration period has expired, the software will no longer
function. If you wish to continue to use the software you must
register it with MurkWorks and pay a per server license fee. See the
accompanying order form for pricing and ordering information. Dis-
assembly or patching of the software to provide execution beyond the
end of the demonstration period is expressly forbidden.
Demo Version -- No Warranty
MurkWorks makes no warranty of fitness or suitability for a particular
purpose. Although we have made every effort to ensure the reliable and
satisfactory operation of this software, we do not warrant it in any
way. You the user assume all responsibility in its use and operation.
MurkWorks shall not be held liable for any loss of any kind.
Licensed Version -- Limited Warranty
If you have registered your copy of the software and paid a license
fee to MurkWorks, this software is covered by a limited warranty for
the first sixty (60) days from the date of receipt of the license fee.
Should the software fail or prove unsatisfactory during that time
period MurkWorks sole remedy to you will be the reimbursement of your
license fee. In no event will MurkWorks be held liable to you for any
damages, including lost profits, lost savings or other incidental or
consequential damages arising out of the use of this software or the
inability to use this software.
Trademarks
Novell and Netware are registered trademarks, and Netware NLM, and
Netware Loadable Module are trademarks of Novell, Inc. Other computer
and software names are registered trademarks of their respective
manufacturers.
This product was developed using Network C for NLMs , Novell 's
toolkit for developing server-based applications for the Netware 3.x
operating system.
Additional Information
For additional information, write to us via postal mail:
MurkWorks
P.O. Box 631
Potsdam, NY 13676 USA
Or send electronic mail to
info@MurkWorks.com
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . 1
Features . . . . . . . . . . . . . . . . . . . . . . . . 1
System Requirements . . . . . . . . . . . . . . . . . . 2
Installation . . . . . . . . . . . . . . . . . . . . . . . . 2
Quick Start . . . . . . . . . . . . . . . . . . . . . . 2
Standard Installation . . . . . . . . . . . . . . . . . 3
Configuration File . . . . . . . . . . . . . . . . . . . . . 3
Class Definitions . . . . . . . . . . . . . . . . . . . 3
Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
Access Settings . . . . . . . . . . . . . . . . . . . . 4
log . . . . . . . . . . . . . . . . . . . . . . . . 5
logfile . . . . . . . . . . . . . . . . . . . . . . 5
connect . . . . . . . . . . . . . . . . . . . . . . 5
idle . . . . . . . . . . . . . . . . . . . . . . . 5
timerange . . . . . . . . . . . . . . . . . . . . . 6
Deny . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Allow . . . . . . . . . . . . . . . . . . . . . . . . . 7
Deny/Allow Ordering . . . . . . . . . . . . . . . . . . 7
MaxConnections . . . . . . . . . . . . . . . . . . . . . 8
ScreenDelay . . . . . . . . . . . . . . . . . . . . . . 8
LogFile . . . . . . . . . . . . . . . . . . . . . . . . 8
Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Command Line Options . . . . . . . . . . . . . . . . . . 10
Console Commands . . . . . . . . . . . . . . . . . . . . 10
Monitor Display . . . . . . . . . . . . . . . . . . . . 11
Home Directories . . . . . . . . . . . . . . . . . . . . 13
User Commands . . . . . . . . . . . . . . . . . . . . . 13
Anonymous Accounts . . . . . . . . . . . . . . . . . . . 14
Proxy Connections . . . . . . . . . . . . . . . . . . . 15
Security Considerations . . . . . . . . . . . . . . . . 15
Performance . . . . . . . . . . . . . . . . . . . . . . . . . 18
How We Test . . . . . . . . . . . . . . . . . . . . . . 18
Memory Requirements . . . . . . . . . . . . . . . . . . 18
Processor Utilization . . . . . . . . . . . . . . . . . 19
How to Get Support . . . . . . . . . . . . . . . . . . . . . 21
Appendix A
Sample Configuration File . . . . . . . . 22
Appendix B
Supported FTP Commands . . . . . . . . 24
1
Introduction
Welcome to MurkWorks FTP Daemon NLM for Netware 386.
This product provides an efficient and useful FTP
daemon NLM for your Netware 386 server.
FTP (File Transfer Protocol) is described in RFC959. It
provides a mechanism for internet hosts to transfer
files in text or binary mode between cooperating
systems. FTPD V1.31 supports the most common commands
listed in RFC959. For a complete list of supported
commands see appendix B.
This manual assumes that you have a basic understanding
of the TCP/IP protocol and a thorough understanding of
the NW386 environment. If you do not currently have the
TCPIP.NLM module loaded on your Netware server, now
would be a good time to review the TCP/IP Transport
Supervisor's Guide provided with the NW386 3.11 manual
set.
Features
FTPD.NLM supports the following features:
Multiple simultaneous service connections
Real-time monitor display
Transaction logging
Access control by remote IP address, target
server and user
Supports NW2.15 servers through `proxy' ftp
service
Anonymous connections
Idle and connect timeouts, restricted access
times, etc
2
System Requirements
NLMS
The FTPD NLM uses both CLIB.NLM and the TCPIP.NLM. When
loading the TCPIP.NLM, CLIB will be automatically
loaded. Follow the procedures outlined in the TCP/IP
Transport Supervisor's Guide when installing and
configuring the TCPIP nlm. You will need to provide at
least one IP address for your Netware server.
MEMORY
A typical Netware 386 server with 4 megabytes of RAM is
quite sufficient to operate the FTPD NLM. A detailed
analysis of the memory required per connection is
described in the Performance section of this manual.
Installation
Quick Start
If you're impatient and don't want to read through this
manual, follow the instructions in this section to get
the NLM up and running as quickly as possible. Without
a configuration file, the FTPD NLM will not provide any
access control beyond standard Novell password
checking. This may be sufficient for your needs. You
can always follow the full installation instructions
later if you so desire.
This program is distributed with the file:
ftpd.nlm - The FTPD NLM
If you have licensed your copy of the FTPD NLM, you
will have also received the file:
ftpd.key - Security key file
To install the FTPD NLM on your Netware 386 server, log
into the server as supervisor and copy the ftpd.nlm
file to sys:system. If you have licensed your copy, you
should also copy the file ftpd.key to sys:system.
If you're in a hurry, load the FTPD NLM by issuing the
follow command on the NW386 console:
load ftpd
otherwise, create a configuration file as described in
the Configuration File section before loading the NLM
3
with the load command.
Standard Installation
If you wish to make use of the additional security
features of the FTPD NLM, you will have to create a
configuration file. The next section of this manual
describes how to create a configuration file.
After creating the configuration file, follow the
instructions described in the Quick Start section shown
above.
Configuration File
The file ftpd.cfg is provided in the distribution as an
example only. Do not copy this file into the sys:system
directory. Instead, you should print this file on a
printer and use it as a reference when creating your
own ftpd.cfg file. This sample file is also listed in
the appendix of this manual.
The configuration file uses a simple ASCII format with
one command per line. Lines which begin with the pound
symbol (#) are comment lines and are ignored.
Use a suitable text editor to create a file called
ftpd.cfg in the sys:system directory. This file will
control how the FTPD NLM operates. Read this section
carefully to get the most out of your software.
If you create a new ftpd.cfg file or alter an existing
one, you will have to either reload the FTPD NLM or
issue the ftpd reconfig command before the changes will
take effect.
Class Definitions
When a remote client connects to the FTPD NLM for
service, its internet address (IP Address) or internet
name can be used to place it in an access class. This
allows connections to be grouped based on whether they
are `local' or `remote'. For example, a university may
wish to have one access class defined for on campus
clients, and a second one defined for off campus users.
Classes can have a list of valid servers and users, as
well as default settings for transaction logging, time
limits and so forth.
4
A new class is defined with the class command, as
follows
class classname
where classname is the name of the class. This name may
be anything meaningful to the supervisor. There is one
special class whose name is default. This class is used
whenever an incoming connection does not match any
other listed class.
Addresses
Following the class command is a list of access control
commands and the class definition command: address. The
address command controls which remote connections are
grouped into the specified class. The address command
takes one argument, an IP Address or IP Name:
address 129.134.*.*
address *.murkworks.com
The address command must follow a class command, and
may appear more than once in a given class. The asterix
(*) indicates a wild-card pattern, which means any
value may occupy its space. The address command is not
allowed in the default class.
When a client connects to the FTPD NLM, the class list
is searched for a match. The first class found which
has an address pattern that matches the client's IP
address or name is used for access control.
Novell Netware 386 keeps its IP Name to IP Address
mapping information in the file sys:etc/hosts This
file may not contain all internet names and addresses.
Therefore it is important to specify an IP address in
addition to the IP name. If the client's IP name is not
listed in the hosts file, the FTPD NLM will use the
client's IP address to match against.
Access Settings
Each class may have default access control settings.
The settings command determines how clients may access
the Netware server. The settings command has its own
sub-commands, which generally appear as follows:
settings [sub-commands]
5
Where [sub-commands] may be one or more of the
following:
Command Argument
log count
logfile log_file_name
connect connect_time_in_minutes
idle idle_timeout_in_minutes
timerange allowed_access_timerange
readonly
All sub-commands and their arguments should appear on
the same line as the settings command, however settings
can be continued on the next line by inserting a plus
symbol (+) at the end of each continued line. The plus
symbol may not appear between sub-commands and their
arguments. See the sample configuration file for an
example of setting continuations.
The log count setting indicates that client
transactions for this class should be logged to the
logfile. The number of transactions to be logged is not
to exceed count entries. When this setting is in
effect, transactions such as login, logout, read,
write, delete, rmdir and mkdir are recorded in the log
file sys:system\ftpd.log. If you only want a record of
login and logout times, use a log count of zero (0).
Example: log 0
The logfile setting specifies the name of the file in
which log entries should be stored for this class. This
setting over-rides the system-wide setting logfile (see
below) if specified. The file name must be a fully
specified name which includes the volume name.
Example: logfile vol1:usr/anon/logfile.log
The connect connect_time_limit command specifies the
maximum connect time for any client in this class.
After the time limit expires, the client will receive
an error message and be automatically disconnected by
the server at the completion of any pending command.
The time limit is specified in minutes. The limited
demo version of the NLM enforces a maximum connect time
of five minutes.
The idle idle_timeout_limit specifies the maximum idle
time allowed for any client in this class. If the
client does not issue a command within the idle time
limit, the client will receive an error message and be
6
automatically disconnected. This command is useful in
eliminating `dead' connections due to failed internet
connectivity. However, too short of an idle timeout may
cause unintended service disruption to the client. The
time limit is specified in minutes.
The timerange allowed_access_timerange controls when
clients within this class may access the Novell Netware
server. The format of allowed_access_timerange is:
timerange startday-endday/starthour-endhour
For example:
timerange mon-fri/8-17
In the above example, clients are allowed access monday
through friday from 8am to 5pm.
The timerange command may be specified multiple times
if desired.
The readonly command specifies that all clients within
this class have readonly access to the Novell Netware
server. Even if a particular user has trustee rights
which grant him write access, this setting disables all
commands which may alter data on the server.
Deny
The deny command lists those servers and/or users who
should be denied access within this class. The format
of the command is:
deny [server/]user
Where server/ is an optional server name. If the server
is not specified, it applies to the server on which the
FTPD NLM is operating. Both server and user may be the
wildcard (*), meaning all servers or all users
respectively.
For example, suppose you had defined a class for all
local clients. That class would have no restrictions of
any kind. You may then wish to add access restrictions
for the default class which would apply to any non-
local client. If you don't want to allow any non-local
clients to have access to any of your Novell Servers,
you could issue the following two commands in the
configuration file:
class default
deny */*
7
Allow
The allow command lists those servers and/or users
which should be allowed access within this class. This
command over-rides any previous deny command. The
format of the command is:
allow [server/]user optional
settings
Where server/ is an optional server name. If the server
is not specified, it applies to the server on which the
FTPD NLM is operating. Both server and user may be the
wildcard (*), meaning all servers or all users
respectively.
The optional settings argument is a list of
settings sub-commands which should be applied to this
server/user. If any optional settings sub-commands are
listed, then all settings for the class are ignored for
this user. Therefore any settings which apply to the
class, which should also apply to the server/user must
be repeated on this line.
For example, suppose a particular class had a setting
timerange of mon-fri/8-17 If you wanted to grant
readonly access for a particular user but maintain the
timerange, the class definition would look something
like the following:
class example
settings timerange mon-fri/8-17
allow FS1/guest readonly, timerange
mon-fri/8-17
If the timerange command were not repeated on the allow
line, then the user FS1/guest would not have any
timerange limit because any setting sub-command on the
allow command line overrides all setting sub-commands
for the class.
Deny/Allow Ordering
The order of the deny and allow commands within the
class is important. All class definitions begin with an
implied allow */*. Access checking follows the list of
deny/allow commands in the order in which they are
encountered within the configuration file. Deny
commands mask out access, where allow commands add in
access. The first deny command which explicitely
matches the target userid terminates the search.
Wildcard deny's do not terminate the search, instead
8
subsequent wildcard allows or explicit allows may over-
ride the previously encountered deny command.
When the last deny/allow command is encountered in the
class, the logical result determines whether or not
access is allowed and which settings are applied.
For example, if you wanted to grant all users access to
a particular server with readonly access, but you
wanted the supervisor to have full access, the
following would be a possible configuration file entry.
allow */* readonly
allow */supervisor
If the order of the above commands were reversed, the
supervisor would have readonly access because the */*
mask also applies to the supervisor.
MaxConnections
This command specifies the maximum number of
simultaneous client connections. For the limited timed
demo version of this program, the maximum number of
connections is silently forced to two (2) or less. In
the licensed version, the maximum number of connections
is thirty-two (32).
If this command is not specified, the default number of
connections is (2) in the limited timed demo version,
and (5) in the licensed version.
Example:
maxconnections 3
ScreenDelay
This command specifies the number of seconds between
monitor screen updates. If this command is not
specified, the default is (2) seconds between screen
refreshes. The minimum allowable value is (1). Too low
a value may increase server utilization if there are
many active connections. A value between (2) and (5) is
recommended.
Example:
screendelay 5
LogFile
9
This command specifies the name of the system-wide log
file. The system-wide logfile is where transactions
will be logged for those users or classes for which no
logfile command has been specified. The logfile name
must be the full-path name of the log file. If this
command is not specified, the default is
sys:system\ftpd.log
Example:
logfile sys:system\access.log
10
Operation
Command Line Options
The FTPD NLM recognizes several command line arguments
which can be provided during the load phase.
/config config_file Specifies the path to an
alternate configuration
file, instead of the
default
sys:system\ftpd.cfg
/keyfile key_file Specifies the path to an
alternate key file instead of
the default
sys:system\ftpd.key
/delay delay_time Specifies the
monitor screen
update delay in
seconds. Overrides
any value specified
in the configuration
file.
/max count Specifies the maximum
number of connections.
Overrides any value
specified in the
configuration file.
/display Enables the monitor display.
By default the monitor display
is not shown. Using this
switch causes the display to
appear when the NLM is loaded.
Example:
load ftpd /display /delay 5 /max 3
This command line loads the FTPD NLM, enables the
monitor display with an update frequency of 5 seconds
and a maximum of 3 connections.
Console Commands
The FTPD NLM provides an additional set of console
commands which can be entered at the NW386 console
prompt. All of the following commands are prefixed with
11
the keyword ftpd, which indicates that the command is
for the FTPD NLM.
ftpd disable This console command
disables new incoming
connections. Current
connections are not
effected.
ftpd enable This console command
enables the FTPD,
allowing additional
incoming connections.
ftpd serialnum This console command displays
serial number and application
information required to
register your copy of the FTPD
NLM.
ftpd displayon This console command enables
the monitor display.
ftpd displayoff This console command
disables the monitor
display.
ftpd delay delay_time This console command
sets the monitor
display delay time
to delay_time
seconds.
ftpd reconfig config_file This console command
causes the NLM to
reload the
configuration file.
If an optional
configuration file
name is provided
after the command,
then that file is
used instead of the
default
sys:system\ftpd.cfg
This command is only allowed
when there are no active
connections.
Monitor Display
12
The FTPD NLM provides a near real-time display of
current connections. To make use of the display you
must enable it either by using the /display command
line option or the ftpd displayon console command.
The monitor display shows the first eleven (11)
connections. Each connection occupies two lines of the
display. The format of the display is as follows:
client_host_name | last_command | username
files | bytes | Kb/sec | connect | idle_time | last arg
client_host_name Displays the client host
name, if known, otherwise
it displays the client IP
address.
last_command Displays the last FTP command
issued by the client.
username Displays the SERVER/USERNAME
under which the client has
logged in. If the username
corresponds to a no-password
anonymous account, the symbol
*A* also appears in this
field.
files Displays the count of
files transferred by the
client during this
session.
bytes Displays the total byte
count transferred by the
client during this
session.
KB/sec Displays the average KB/Sec
for all files transferred by
the client.
connect Displays the total client
connect time in HH:MM:SS
format.
idle_time Displays the current client
idle time in HH:MM:SS format.
13
last_arg Displays the argument for the
last FTP protocol command
issued by the client.
Home Directories
When a client logs in to a Netware server, the FTPD NLM
examines the bindery information for that userid. The
NLM looks for a bindery property of the name HOME_DIR.
If this bindery property is found, it executes an
automatic chdir to value of that property. This
provides a means to specify a `home directory' for each
user. There are several freeware utilities which
provide the tools required to set this value, including
David Harris' SETHOME package available from most
Novell oriented FTP sites and BBSs.
If the HOME_DIR property is not found, the FTPD NLM
scans the Trustee Paths for that userid. If any Trustee
Path has a trailing directory component which matches
the userid (or nearly matches) then that Trustee Path
is chosen as a home directory.
For example, given the account anonymous with the
following Trustee Paths:
sys:mail/0023023
sys:usr/anony
The FTPD NLM would select the Trustee Path
sys:usr/anony as the home directory for the anonymous
userid.
User Commands
The FTPD NLM provides the usual FTP command services.
This version offers one additional site specific
command:
site tp
This site specific command causes the NLM to list the
trustee paths available to the user. A typical unix
client can issue this command by using the FTP client
quote command:
quote site tp
Additionally, the user can return to their
HOME_DIRECTORY by issuing the command:
14
cwd ~
The FTPD NLM recognizes the token (~) as meaning the
home directory chosen for this user during the login
sequence. An error message is returned if no suitable
home directory could be found.
Anonymous Accounts
The FTPD NLM fully supports so-called `anonymous'
client connections. A typical anonymous client accesses
the server with the username of `anonymous', at which
point the server prompts the user for an email address
or other identifier instead of requesting a password.
This allows users to access the server without having
to know a special password. The FTPD NLM will record
the user supplied address/password to the log file if
logging is enabled for the anonymous account.
The FTPD NLM considers any account which has no
password to be an anonymous account. Therefore the
actual account name `anonymous' has no special
signifigance to the FTPD NLM.
The following steps are recommended when setting up an
anonymous account:
A. Use syscon to create a user account named
`anonymous'
B. Remove the user from all groups (including
EVERYONE)
C. Create a station restriction for the account
which will inhibit any workstation from
logging into the account.
D. Make the password for the account be empty,
and do not require a password for the
account.
E. Make the account a trustee for a secure
directory with [R F] rights only.
F. Remote the account's access rights to it's
sys:mail directory.
G. Use the SETHOME freeware utility to set the
home directory for this account to match the
secure directory.
When a remote user logs into the server by specifying a
userid of `anonymous', they will be prompted for an
email address because the FTPD NLM will realize that
the account has no password. After the user provides
an email address the default current directory will be
set to the secure directory.
15
Proxy Connections
The FTPD NLM provides `proxy' FTP service to older,
non-Netware 386 servers.
Security Considerations
The FTPD NLM does not inherently make your Novell
server less secure. It does, however, add another
avenue of attack into your server. Prudent use of the
FTPD.CFG file will ensure that remote users do not
violate the integrity of your system.
The FTPD NLM attempts to resist password cracking
schemes by disconnecting any connection which enters an
incorrect password three times in a row. ie:, after the
third incorrectly entered password the user is
disconnected and a warning message is written to the
server console. Also, on the second and third login
attempts (after the first incorrect password) the FTPD
NLM delays the login process by three and six seconds
respectively in an effort to slow down any password
cracking program.
If fifteen incorrect passwords are entered without an
intervening correct login (on any server, for any
account), then the FTPD NLM also broadcasts a warning
message to all users attached to the file server. This
serves to alert the supervisor or another responsible
party that the file server is under attack from a
password cracking program.
Finally, accounts whose password has expired are denied
access to the server (whereas the Netware shell would
normally allow access and prompt for a new password).
Following are some suggestions to improve security on
your server.
A. The NLM environment does not recognize
station restrictions on the local server. If
you have accounts that have station
restrictions, and you do not wish those
accounts to be able to access the server via
FTP, you must explicitely deny those accounts
access because the NLM can not recognize
station restrictions on the local server.
Station restrictions are recognized on remote
servers. If a remote server specifies a
station restriction for an account which
should have FTP access, you must add the
16
network address of the local server to the
station restriction list of the remote
server. You can obtain the station address of
the local server by executing the slist
command from the DOS prompt and noting the
address for the local server.
B. Intruder detection lockout may disable an
account if excessive invalid passwords are
entered. The FTPD NLM attempts to access an
account twice for each login, the first time
with no password (to see if the account is an
`anonymous' account) and the second time to
actually log in the user (if a password was
required). On remote servers there is no
other way to determine if a password is
required for an account.
Therefore, for each attempted login where an
invalid password is specified the NLM
actually attempts two logins to the specified
account. If the intruder lockout detection
count value is set too low, accounts may get
locked prematurely.
Additionally, malicous users may
intentionally issue invalid passwords in an
attempt to lock an account. This problem is
not specific to the FTPD NLM, as any user on
a workstation may do the same thing.
To avoid locking the supervisor's account or
other important accounts, you should
explicitely deny access to those accounts in
the ftpd.cfg file. Accounts which are
`denied' are immediately rejected without a
login attempt.
C. Be sure that users granted access via FTP
have the appropriate rights to directories on
the server. This is especially important with
`anonymous' accounts which might accidentally
be left in the EVERYONE group. Judicious use
of the readonly attribute will ensure that
data is not lost if password secrecy is
compromised.
D. Be careful if your server is reachable from
the Internet or other wide-area networks. If
you have, until recently, counted on the non-
routed aspect of IPX for security, be aware
that once connected to the Internet your
17
server becomes reachable from places you've
probably never heard of. The best course of
action when first enabling FTP is to deny all
users, then expressly allow only those
accounts which require FTP access. Of those
accounts requiring access, grant
readonly access to those accounts which do
not need to write to the file server.
E. You should maintain a logfile of all
transactions, or at the very least log all
login/logout activity. Examine this logfile
on a periodic basis and note accesses from
address which seem inappropriate.
F. If you want to totally inhibit all `non-
local' ftp connections, create a class for
`local' addresses. In the `local' class,
configure the deny/allow settings as
described previously. Then create a default
class which deny's all users on all servers.
Example:
class default
deny */*
class local
addresses *.mydomain.com
addresses 129.136.*.*
deny */*
allow bill
allow tom
settings log 10
18
Performance
This section of the manual describes the memory
requirements and expected performance of the FTPD NLM.
It describes how we tested and developed the NLM. You
do not have to read this section to make use of the
FTPD NLM.
How We Test
The FTPD NLM was tested `in-house' on two NW386 file
servers, one a 386/33 with 4 megabytes of ram, the
other a 486/33 with 8 megabytes of ram. In all cases
the client was a 486/33 running Dell Computer
Corporation's OEM version of USL SYSVR4 Unix .
A series of test `scripts' were used (the
expect package for Unix implemented the scripts) which
exercised all functions within the NLM, the expected
return codes and the file transfer operations.
These scripts were executed multiple times, simulating
simultaneous clients. The scripts also repeatedly used
the mget and mput operation in an effort to place the
maximum load on the Netware server.
All scripts were executed with the FTPD NLM running
with and without protect.nlm1 Additionally, a select
group of beta testers have tested this NLM in several
different environments.
Memory Requirements
This version has the following memory requirements
(values are approximate). This information was gleaned
from monitor.nlm under the Resource Utilization
section.
Base Memory NLM size 13 K bytes
Base Socket 9.5 K bytes
Each Client 13 K bytes additional
Monitor Screen 8 K bytes additional
Each Transaction 32 bytes plus filename size
Using the above information, the maximum amount of
memory used by the NLM can be determined.
1Protect.nlm is provided with the Netware C for NLMS kit.
This NLM detects memory accesses outside the area set aside for
the NLM.
19
For example, suppose a maximum of two connections was
allowed. If every client connection was to be logged
with a maximum of 100 transactions each, and if the
average filename size was 40 bytes, then the memory
usage would be as follows:
22.5 K Base Memory
26 K Two client connections
(32 + 40) * 200 Maximum log entries stored in
memory
-------------
64 K bytes Total memory used
The transaction entries are stored in memory until the
client logs out, at which time the client thread gains
back its supervisor privileges, allowing it to write to
the log file in sys:system.
Processor Utilization
Processor utilization information was obtained by
loading monitor.nlm with the -p command line option
load monitor -p
The test process used a 5 megabyte PostScript file for
transfer. The file was read multiple times, noting the
maximum utilization figure ever shown on the monitor
display, along with the maximum percentage utilization
per process. The Netware server was a 486/33 with 8
megabytes of Ram and an ESDI disk running through an
Ultrastor 12F controller.
The test file was transferred in both directions using
binary and ascii mode. As expected, ascii transfer had
a higher utilization due to the extra processing
involved.
The test was executed on a private ethernet connection,
the server used a Racal-Interlan NI6510 lan card, the
client (SYSVR4 Unix on 486/33) used a Western Digital
(SMC) WD8003EBT lan card.
Utilization is proportional to throughput. The FTPD NLM
contains no throttling component, therefore it will use
maximum server resources during transfers in an effort
to supply the client as quickly as possible.
Idle connections cause zero server utilization.
However, if the monitor display is enabled and the
screen update delay is low (less than 3 seconds) and
20
there are several connections, then the utilization
from that component will be approximately 2 - 5
depending on screen update delay.
% % %
Utilizat % Client Server Utilizat Utilizat
Operatio ion Utilizat Throughp Utilizat ion from ion from
n from ion from ut ion LAN Card DISK
FTPD TCP NLM Ints Ints
Binary 330
82 13% 4% 9% 51% Put KB/sec
Ascii 220
90 48% 3% 6% 30% Put KB/sec
Binary 400 50 30% 4% 12% --2
Get KB/sec
Ascii 190
63 58% 2% 5% -- Get KB/sec
2Get operations had negligible disk interrupts because the
file had been cached in memory.
21
How to Get Support
At this point in time MurkWorks is unable to provide
telephone support. We are keeping our product costs
down by reducing the manpower that would be required to
man a telephone. Hopefully this will change in the
future.
In the meantime, the best method for obtaining support
is by sending us electronic mail to our Internet
address:
support@murkworks.com
If you are on compuserve, you can send us mail using
the address:
internet:support@murkworks.com
If you are not a licensed user, we may not be able to
answer questions pertaining to installation problems or
configuration issues. If you have found what you
consider to be a problem with the FTPD NLM, please feel
free to write to us with detailed information about the
problem, your environment, and the commands issued
which caused the problem. Be sure to include the
current version number of the NLM when you write.
You can always write to us:
MurkWorks
P.O. Box 631
Potsdam, NY 13676-0631 USA
22
Appendix A
Sample Configuration File
# Sample FTPD.CFG file for FTPD.NLM
#
# lines beginning with # are comments.
maxconnections 5 # specify max # connections
# forced to 2 or less in DEMO mode
screendelay 2 # set delay in seconds between status
# screen updates
logfile sys:system\logfile.ftp
# specify alternate logfile
# The following lines are examples. Modify to
# suite your needs and delete any remaining lines
# that do not apply
#####################################################
# DEFAULT CLASS
#
# The following class conditions will be used if
# the incoming IP address (or name) doesn't match
# any other class
#####################################################
# The following class allows access to all users on
# all servers accept for bkc (on any server). Once
# connected, users may be idle up to 2 minutes, and
# connected for at most 10 minutes. They can only login
# mon-fri and they are only allowed readonly access
class default
deny */bkc
settings connect 10, idle 2 +
timerange mon-fri/0-23 +
readonly
23
#########################################################
# CLASS DOM.MURK.COM
#
# The following class is used if the client IP address
# is in subnet 20
# or any name ending in dom.murk.com
#########################################################
# Access to all servers is denied, accept for access to
# server GIMP, which allows all users. However users can
# only login mon-fri between 10PM and 5AM, or
# any time saturday and sunday
class dom_murk_com
address *.dom.murk.com
address 113.121.20.*
deny */*
allow gimp/*
settings timerange mon-fri/22-5 +
timerange sat-sun/0-23
##########################################################
# CLASS MURKWORKS
#
# This class is used if the client IP address is in class
# B network 113.121 or its IP name ends in murk.com
# NOTE: Class dom.murk.com has precidence over this class as
# appropriate since it is more specific
##########################################################
# This class allows access to any user on THIS SERVER ONLY
# All users except for bkc have readonly access and can only login
# on weekends between 10am and 9pm
# User bkc has access only on the weekends
# In either case, all read/write operations will be logged to
# the file vol1:usr\fred\logfile.ftp
class murkworks
address 113.121.*.*
address *.murk.com
deny */*
allow * readonly timerange sun-sat/10-21
allow bkc timerange sat-sun/0-23
settings log 25 +
logfile vol1:usr\fred\logfile.ftp
24
Appendix B
Supported FTP Commands
The following FTP commands are supported. Be aware that
these are protocol level commands and are not necessarily
the commands that a user would type at the command line of
their client.
USER PORT RETR ALLO PASS STOR CWD XCWD XPWD
LIST NLST HELP QUIT MODE TYPE STRU ACCT NOOP
RMD MKD DELE SITE
The site specific command supported in this version is:
SITE TP
This command returns a list of trustee paths.
