openbsd-ports/net/tircproxy/patches/patch-ab


--- tircproxy.8 Sun Jun 20 13:42:42 1999
+++ /home/g/irc/tircproxy.8 Sun Jun 20 12:38:24 1999
@@ -0,0 +1,204 @@
+.\" tircproxy manual page.
+.\" baker hamilton <garath@ntplx.net>
+.\"
+.\" thanks to Bjarni R. Einarsson for writing such excellent documentation
+.\" to accompany his proxy.
+.Dd June 19, 1999
+.Os
+.Dt TIRCPROXY 8
+.Sh NAME
+.Nm tircproxy
+.Nd transparent IRC proxy
+.Sh SYNOPSIS
+.Nm
+.Op Fl CDHKLMNOQRSUahp
+.Op Fl b Ar ipaddr
+.Op Fl d Ar level
+.Op Fl i Ar ipaddr
+.Op Fl o Ar ipaddr
+.Op Fl q Ar file
+.Op Fl r Ar user
+.Op Fl s Ar port
+.Op Fl t Ar seconds
+.Sh DESCRIPTION
+.Nm
+is a transparent IRC proxy, allowing DCC sessions to take place from behind a
+firewall or NAT gateway. It can run from either
+.Xr inetd 8 ,
+or by itself.
+.Nm
+works in the traditional sense, as specified by RFC 1919, where
+the destination appears to be directly reachable to the client system, which
+is in fact communicating only with the proxy server. This is where the illusion
+of transparency comes in, and the client programs can operate as normal. The
+proxy server then spawns a client, connects to the intended destination, and
+transfers data between the two ends seamlessly.
+.Pp
+.Xr ipf 8
+should be configured to redirect packets destined for the IRC server to the
+proxy.
+.Nm
+does not add these rules dynamically, so they should be inserted into
+.Pa /etc/ipnat.rules .
+These rules should typically resemble:
+.Pp
+.Bd -unfilled -offset indent
+rdr xl0 10.0.0.0/8 port 6667 -> 127.0.0.1 port 7666 tcp
+.Ed
+.Pp
+This would redirect all IRC connection attempts from the internal network
+10.x.x.x to the proxy running on the localhost, port 7666, assuming your
+ethernet interface is xl0.
+.Pp
+.Nm
+will change it's runtime UID and GID based on the client that is connecting to
+it. This permits identd to authenticate the user with some accuracy. For every machine that you expect to connect through the proxy, create a file in
+.Pa /var/run
+with the name
+.Dq user-x.x.x.x ,
+where
+.Dq x.x.x.x
+is the IP address of that machine. Then, in that file, enter the name of the
+user that will be connecting to IRC from the specified address. That user must
+already have an account (shell, home directory, and password are not required) on the proxy. For example, if bob likes to IRC from 10.1.2.3, you would create
+.Dq /var/run/user-10.1.2.3
+on the proxy. Then simply
+.Dq echo bob >/var/run/user-10.1.2.3 ,
+and you're set.
+.Pp
+If the file
+.Pa /etc/motd.irc
+exists, its contents will be dumped, unformatted, to the user's socket when
+they connect to IRC. It is up to the proxy's administrator to format this
+file correctly, like so:
+.Pp
+.Bd -unfilled -offset indent -compact
+:admin@isp.net 999 * :You are connected to IRC via this network's
+:admin@isp.net 998 * :transparent proxy server.
+:admin@isp.net 997 * :Have a nice day.
+.Ed
+.Pp
+.Nm
+will also broadcast a message to each client's socket when the server catches
+a HUP signal.
+.Pa /tmp/ircbroadcast
+will be dumped, and will not interfere with DCC connections.
+.Pp
+The options are as follows:
+.Bl -tag -width indent
+.It Fl C
+Do not allow DCC CHAT sessions to take place.
+.It Fl D
+Do not log clients' nicknames in syslog.
+.It Fl H
+Ignore
+.Pa /etc/hosts.allow
+and
+.Pa /etc/hosts.deny .
+.It Fl K
+Disable the kludge that allows DCC to work with mIRC. Some versions of mIRC
+retrieve their IP addresses from the IRC server, rather than from the system
+itself. The address returned is that of the proxy server, which breaks DCC
+transfers. The kludge circumvents this problem by ignoring addresses specified
+within the packets themselves, and substituting the address that it assumes is
+that of the client.
+.It Fl L
+Log to stderr instead of syslog.
+.It Fl M
+Disable DCC SEND mangling/censorship in incoming and outgoing requests.
+Normally, certain files offered will be either blocked, or have their names mangled, in the interest of security. These include:
+.Pp
+.Bd -unfilled -offset indent -compact
+script.ini
+dmsetup.exe
+dmsetup2.exe
+winhelper.exe
+mschv32.exe
+mirc.ini
+.Ed
+.Pp
+mirc.ini is changed to mirc.in-, while the rest are simply blocked. A list of
+troublesome files is kept at www.irchelp.org/irchelp/security/. Beware when
+using this with older versions of mIRC, however, as DCC RESUME may fail if the
+proxy mangles the filename.
+.It Fl N
+Do not act as an IRC proxy.
+.It Fl O
+Do not interact with oident. When using oident,
+.Nm
+can be run as non-root in Linux. Unfortunately, when using IPFilter it must
+open
+.Pa /dev/ipnat ,
+which can only be done by root.
+.It Fl R
+Run with more relaxed behaviour. Allow users to irc in the event that no
+appropriate entry can be found in their respective ident file.
+.It Fl S
+Do not allow DCC SEND transmissions to take place. This affects DCC TSEND,
+DCC RESEND, and DCC TRESEND as well.
+.It Fl U
+Do not allow unknown DCC requests.
+.It Fl b Ar ipaddr
+Bind to the specified IP address when running in server mode.
+.It Fl d Ar level
+Set the debug level:
+.Pp
+.Bd -unfilled -offset indent -compact
+0: No debugging information.
+8: Maximum verbosity.
+9: Don't fork(); run in the foreground.
+.Ed
+.Pp
+.It Fl i Ar ipaddr
+The internal IP address of the proxy. When using NAT, this typically falls under
+one of the address blocks reserved by the IANA (see RFC 1597).
+.It Fl o Ar ipaddr
+The external IP address of the proxy. This is the address used to connect to
+the IRC server.
+.It Fl q Ar file
+Ask the user a simple question from the named file. This is meant to keep bots from connecting though the proxy. See
+.Pa quizzes.txt
+for more information.
+.It Fl r Ar user
+Run as the specified user in server mode.
+.It Fl s Ar port
+Run as a server bound to the specified port.
+.It Fl t Ar seconds
+Force a
+.Xr sleep 1
+between multiple connections initiated under the number seconds specified.
+.Sh EXAMPLES
+The following are examples of starting tircproxy from inetd and in server mode
+(standalone), respectively:
+.Pp
+.Bd -unfilled -offset indent -compact
+tircproxy stream tcp nowait root /usr/sbin/tircproxy tircproxy
+ -OK -o 204.213.180.106 -i 192.168.1.1
+.Ed
+.Pp
+and
+.Pp
+.Bd -unfilled -offset indent -compact
+tircproxy -OK -s 7666 -o 204.213.180.106 -i 192.168.1.1
+.Ed
+.Pp
+.Sh FILES
+.Bl -tag -width /tmp/ircbroadcast -compact
+.It Pa /dev/ipnat
+Device that performs packet redirection.
+.It Pa /etc/motd.irc
+File dumped to clients' sockets when connecting to IRC.
+.It Pa /tmp/ircbroadcast
+File dumped to clients' sockets when server receives SIGHUP.
+.It Pa quizzes.txt
+Quiz file.
+.Sh SEE ALSO
+.Xr inetd 8
+.Pp
+http://www.mmedia.is/~bre/tircproxy
+.Sh BUGS
+Redirect rules are not added dynamically, which may pose a problem for some
+firewalled environments.
+.Pp
+Authentication can only take place at a 1:1 (one user for each machine) ratio.
+This can result in users being incorrectly authenticated when connecting to IRC.
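
Review bot: The SIGHUP broadcast paragraph and the matching FILES entry document /tmp/ircbroadcast as the source of text written to every client's socket, but /tmp is a world-writable directory and the page says nothing about who must own the file or whether ownership is checked. Either state the expected owner and mode in that paragraph, or keep the broadcast file in a root-owned directory as is already done for /etc/motd.irc. Separately, the SYNOPSIS line ".Op Fl CDHKLMNOQRSUahp" lists -Q, -a, -h and -p, none of which has an ".It Fl" entry in the option list, so each needs a description or should be dropped from the synopsis. Both ".Bl" lists (the options list and the FILES list) are never closed; add ".El" before ".Sh EXAMPLES" and before ".Sh SEE ALSO". In the UID/GID paragraph, "change it's runtime UID" should read "its", and the -i entry cites RFC 1597, which has been obsoleted by RFC 1918.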