SunScreen EFS Release 3.0 Reference Manual

telnet Proxy Operation

When the telnet proxy starts, it reads its policy files and listens on the standard telnet port (23) for connections. When a connection is made, the telnet proxy starts a new thread to handle the connection, and the main thread returns to listening.

The child thread generates a proxy login banner and waits to read the user name and password. The format for user names consists of a login ID and a destination host separated by an @ symbol; for example, lionel@manduck.bafb.af.mil. The telnet proxy validates the user name and password. If an invalid user name or password is sent, the telnet proxy sends an error to the user and closes the connection. If the user name and password are valid, then the source and destination addresses are checked against the Screen's policy rules. If a match is found, the flags associated with that policy rule are checked. If the connection is permitted, the telnet proxy opens a connection to the actual destination server and relays data between the source host and the destination host.

The hostname (backend server) given in the user prompt, after the @ character, is translated to its IP address(es) using the hostname-to-address translation mechanism that is configured for, and runs in the context of, the telnet proxy. The resulting addresses provide the values to use as matching criteria for the destination addresses in the proxy rules.

The standard proxy rule matching (described in the section "Policy Rule Matching") is employed. If a match is found, a connection is established to the telnet server of the user-requested destination. If the translation of the user-specified backend server yields multiple addresses, each is tried in the order produced by the name translation mechanism (for example, DNS). Once a connection to the backend server is established, all data is relayed (uninspected) by the thread in both directions until either end terminates.
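The decision sequence described above (parse login@host, validate credentials, translate the host name, match source and destination against the rules, then try the resulting addresses in order) is modelled in the following added example. It is illustrative code written for this section, not SunScreen's own implementation: the credential store, the host table, the rule format, the "relay" flag name and the reachability set are all constructed assumptions, and the relay step is simulated rather than opening a socket.

```python
"""Toy model of the telnet-proxy decision flow (added example, not SunScreen code).
Credentials, host table, rules, flag names and reachability are constructed."""
import hmac
import ipaddress

# Constructed credential store: login ID -> password (assumption: plain table).
CREDENTIALS = {"lionel": "s3cret"}

# Constructed hostname-to-address table standing in for the proxy's configured
# name translation (for example DNS). Order matters: addresses are tried in
# the order the translation yields them.
HOST_TABLE = {"manduck.bafb.af.mil": ["10.1.2.3", "10.1.2.4"]}

# Constructed policy rules: (source network, destination network, action, flags).
# The "relay" flag is an assumed name for a per-rule flag the proxy would check.
RULES = [
    ("192.168.1.0/24", "10.1.2.0/24", "allow", {"relay": True}),
    ("0.0.0.0/0", "0.0.0.0/0", "deny", {}),
]

# Constructed: backend addresses that would accept a TCP connection on port 23.
REACHABLE = {"10.1.2.4"}


def parse_login(user_field):
    """Split 'login@host' into (login_id, host); reject malformed input."""
    login_id, sep, host = user_field.partition("@")
    if not sep or not login_id or not host:
        raise ValueError("user name must be login@destination-host")
    return login_id, host


def check_credentials(login_id, password):
    """Constant-time comparison against the constructed credential store."""
    expected = CREDENTIALS.get(login_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def resolve(host):
    """Return destination addresses in the order the translation yields them."""
    return list(HOST_TABLE.get(host, []))


def match_rule(src, dst):
    """First-match rule lookup on (source, destination); default is deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for src_net, dst_net, action, flags in RULES:
        if src_ip in ipaddress.ip_network(src_net) and dst_ip in ipaddress.ip_network(dst_net):
            return action, flags
    return "deny", {}


def decide(src_addr, user_field, password):
    """Walk the proxy's steps for one connection and report the outcome."""
    try:
        login_id, host = parse_login(user_field)
    except ValueError as err:
        return {"status": "error", "reason": str(err)}
    if not check_credentials(login_id, password):
        # The proxy reports an error and closes the connection.
        return {"status": "error", "reason": "invalid user name/password"}
    addrs = resolve(host)
    if not addrs:
        return {"status": "error", "reason": "unknown destination host"}
    tried = []
    for dst in addrs:
        action, flags = match_rule(src_addr, dst)
        if action != "allow" or not flags.get("relay"):
            # Rule denies this (source, destination) pair.
            return {"status": "denied", "reason": "policy rule", "destination": dst}
        tried.append(dst)
        if dst in REACHABLE:
            # From here the real proxy relays bytes uninspected in both directions.
            return {"status": "relay", "login": login_id, "destination": dst, "tried": tried}
    return {"status": "error", "reason": "no backend address reachable", "tried": tried}


if __name__ == "__main__":
    print(decide("192.168.1.10", "lionel@manduck.bafb.af.mil", "s3cret"))
    print(decide("172.16.0.9", "lionel@manduck.bafb.af.mil", "s3cret"))
```

The run from 192.168.1.10 falls through the first (unreachable) address to the second, showing why the order of translated addresses matters; the run from 172.16.0.9 hits the deny rule before any connection attempt. Because the relay itself is uninspected, the rule match and the credential check are the only control points this proxy offers, which is where logging and monitoring belong.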