208 lines
6.8 KiB
Plaintext
208 lines
6.8 KiB
Plaintext
|
--- tircproxy.8 Sun Jun 20 13:42:42 1999
|
||
|
+++ /home/g/irc/tircproxy.8 Sun Jun 20 12:38:24 1999
|
||
|
@@ -0,0 +1,204 @@
|
||
|
+.\" tircproxy manual page.
|
||
|
+.\" baker hamilton <garath@ntplx.net>
|
||
|
+.\"
|
||
|
+.\" thanks to Bjarni R. Einarsson for writing such excellent documentation
|
||
|
+.\" to accompany his proxy.
|
||
|
+.Dd June 19, 1999
|
||
|
+.Os
|
||
|
+.Dt TIRCPROXY 8
|
||
|
+.Sh NAME
|
||
|
+.Nm tircproxy
|
||
|
+.Nd transparent IRC proxy
|
||
|
+.Sh SYNOPSIS
|
||
|
+.Nm
|
||
|
+.Op Fl CDHKLMNOQRSUahp
|
||
|
+.Op Fl b Ar ipaddr
|
||
|
+.Op Fl d Ar level
|
||
|
+.Op Fl i Ar ipaddr
|
||
|
+.Op Fl o Ar ipaddr
|
||
|
+.Op Fl q Ar file
|
||
|
+.Op Fl r Ar user
|
||
|
+.Op Fl s Ar port
|
||
|
+.Op Fl t Ar seconds
|
||
|
+.Sh DESCRIPTION
|
||
|
+.Nm
|
||
|
+is a transparent IRC proxy, allowing DCC sessions to take place from behind a
|
||
|
+firewall or NAT gateway. It can run from either
|
||
|
+.Xr inetd 8 ,
|
||
|
+or by itself.
|
||
|
+.Nm
|
||
|
+works in the traditional sense, as specified by RFC 1919, where
|
||
|
+the destination appears to be directly reachable to the client system, which
|
||
|
+is in fact communicating only with the proxy server. This is where the illusion
|
||
|
+of transparency comes in, and the client programs can operate as normal. The
|
||
|
+proxy server then spawns a client, connects to the intended destination, and
|
||
|
+transfers data between the two ends seamlessly.
|
||
|
+.Pp
|
||
|
+.Xr ipf 8
|
||
|
+should be configured to redirect packets destined for the IRC server to the
|
||
|
+proxy.
|
||
|
+.Nm
|
||
|
+does not add these rules dynamically, so they should be inserted into
|
||
|
+.Pa /etc/ipnat.rules .
|
||
|
+These rules should typically resemble:
|
||
|
+.Pp
|
||
|
+.Bd -unfilled -offset indent
|
||
|
+rdr xl0 10.0.0.0/8 port 6667 -> 127.0.0.1 port 7666 tcp
|
||
|
+.Ed
|
||
|
+.Pp
|
||
|
+This would redirect all IRC connection attempts from the internal network
|
||
|
+10.x.x.x to the proxy running on the localhost, port 7666, assuming your
|
||
|
+ethernet interface is xl0.
|
||
|
+.Pp
|
||
|
+.Nm
|
||
|
+will change it's runtime UID and GID based on the client that is connecting to
|
||
|
+it. This permits identd to authenticate the user with some accuracy. For every machine that you expect to connect through the proxy, create a file in
|
||
|
+.Pa /var/run
|
||
|
+with the name
|
||
|
+.Dq user-x.x.x.x ,
|
||
|
+where
|
||
|
+.Dq x.x.x.x
|
||
|
+is the IP address of that machine. Then, in that file, enter the name of the
|
||
|
+user that will be connecting to IRC from the specified address. That user must
|
||
|
+already have an account (shell, home directory, and password are not required) on the proxy. For example, if bob likes to IRC from 10.1.2.3, you would create
|
||
|
+.Dq /var/run/user-10.1.2.3
|
||
|
+on the proxy. Then simply
|
||
|
+.Dq echo bob >/var/run/user-10.1.2.3 ,
|
||
|
+and you're set.
|
||
|
+.Pp
|
||
|
+If the file
|
||
|
+.Pa /etc/motd.irc
|
||
|
+exists, its contents will be dumped, unformatted, to the user's socket when
|
||
|
+they connect to IRC. It is up to the proxy's administrator to format this
|
||
|
+file correctly, like so:
|
||
|
+.Pp
|
||
|
+.Bd -unfilled -offset indent -compact
|
||
|
+:admin@isp.net 999 * :You are connected to IRC via this network's
|
||
|
+:admin@isp.net 998 * :transparent proxy server.
|
||
|
+:admin@isp.net 997 * :Have a nice day.
|
||
|
+.Ed
|
||
|
+.Pp
|
||
|
+.Nm
|
||
|
+will also broadcast a message to each client's socket when the server catches
|
||
|
+a HUP signal.
|
||
|
+.Pa /tmp/ircbroadcast
|
||
|
+will be dumped, and will not interfere with DCC connections.
|
||
|
+.Pp
|
||
|
+The options are as follows:
|
||
|
+.Bl -tag -width indent
|
||
|
+.It Fl C
|
||
|
+Do not allow DCC CHAT sessions to take place.
|
||
|
+.It Fl D
|
||
|
+Do not log clients' nicknames in syslog.
|
||
|
+.It Fl H
|
||
|
+Ignore
|
||
|
+.Pa /etc/hosts.allow
|
||
|
+and
|
||
|
+.Pa /etc/hosts.deny .
|
||
|
+.It Fl K
|
||
|
+Disable the kludge that allows DCC to work with mIRC. Some versions of mIRC
|
||
|
+retrieve their IP addresses from the IRC server, rather than from the system
|
||
|
+itself. The address returned is that of the proxy server, which breaks DCC
|
||
|
+transfers. The kludge circumvents this problem by ignoring addresses specified
|
||
|
+within the packets themselves, and substituting the address that it assumes is
|
||
|
+that of the client.
|
||
|
+.It Fl L
|
||
|
+Log to stderr instead of syslog.
|
||
|
+.It Fl M
|
||
|
+Disable DCC SEND mangling/censorship in incoming and outgoing requests.
|
||
|
+Normally, certain files offered will be either blocked, or have their names mangled, in the interest of security. These include:
|
||
|
+.Pp
|
||
|
+.Bd -unfilled -offset indent -compact
|
||
|
+script.ini
|
||
|
+dmsetup.exe
|
||
|
+dmsetup2.exe
|
||
|
+winhelper.exe
|
||
|
+mschv32.exe
|
||
|
+mirc.ini
|
||
|
+.Ed
|
||
|
+.Pp
|
||
|
+mirc.ini is changed to mirc.in-, while the rest are simply blocked. A list of
|
||
|
+troublesome files is kept at www.irchelp.org/irchelp/security/. Beware when
|
||
|
+using this with older versions of mIRC, however, as DCC RESUME may fail if the
|
||
|
+proxy mangles the filename.
|
||
|
+.It Fl N
|
||
|
+Do not act as an IRC proxy.
|
||
|
+.It Fl O
|
||
|
+Do not interact with oident. When using oident,
|
||
|
+.Nm
|
||
|
+can be run as non-root in Linux. Unfortunately, when using IPFilter it must
|
||
|
+open
|
||
|
+.Pa /dev/ipnat ,
|
||
|
+which can only be done by root.
|
||
|
+.It Fl R
|
||
|
+Run with more relaxed behaviour. Allow users to irc in the event that no
|
||
|
+appropriate entry can be found in their respective ident file.
|
||
|
+.It Fl S
|
||
|
+Do not allow DCC SEND transmissions to take place. This affects DCC TSEND,
|
||
|
+DCC RESEND, and DCC TRESEND as well.
|
||
|
+.It Fl U
|
||
|
+Do not allow unknown DCC requests.
|
||
|
+.It Fl b Ar ipaddr
|
||
|
+Bind to the specified IP address when running in server mode.
|
||
|
+.It Fl d Ar level
|
||
|
+Set the debug level:
|
||
|
+.Pp
|
||
|
+.Bd -unfilled -offset indent -compact
|
||
|
+0: No debugging information.
|
||
|
+8: Maximum verbosity.
|
||
|
+9: Don't fork(); run in the foreground.
|
||
|
+.Ed
|
||
|
+.Pp
|
||
|
+.It Fl i Ar ipaddr
|
||
|
+The internal IP address of the proxy. When using NAT, this typically falls under
|
||
|
+one of the address blocks reserved by the IANA (see RFC 1597).
|
||
|
+.It Fl o Ar ipaddr
|
||
|
+The external IP address of the proxy. This is the address used to connect to
|
||
|
+the IRC server.
|
||
|
+.It Fl q Ar file
|
||
|
+Ask the user a simple question from the named file. This is meant to keep bots from connecting though the proxy. See
|
||
|
+.Pa quizzes.txt
|
||
|
+for more information.
|
||
|
+.It Fl r Ar user
|
||
|
+Run as the specified user in server mode.
|
||
|
+.It Fl s Ar port
|
||
|
+Run as a server bound to the specified port.
|
||
|
+.It Fl t Ar seconds
|
||
|
+Force a
|
||
|
+.Xr sleep 1
|
||
|
+between multiple connections initiated under the number seconds specified.
|
||
|
+.Sh EXAMPLES
|
||
|
+The following are examples of starting tircproxy from inetd and in server mode
|
||
|
+(standalone), respectively:
|
||
|
+.Pp
|
||
|
+.Bd -unfilled -offset indent -compact
|
||
|
+tircproxy stream tcp nowait root /usr/sbin/tircproxy tircproxy
|
||
|
+ -OK -o 204.213.180.106 -i 192.168.1.1
|
||
|
+.Ed
|
||
|
+.Pp
|
||
|
+and
|
||
|
+.Pp
|
||
|
+.Bd -unfilled -offset indent -compact
|
||
|
+tircproxy -OK -s 7666 -o 204.213.180.106 -i 192.168.1.1
|
||
|
+.Ed
|
||
|
+.Pp
|
||
|
+.Sh FILES
|
||
|
+.Bl -tag -width /tmp/ircbroadcast -compact
|
||
|
+.It Pa /dev/ipnat
|
||
|
+Device that performs packet redirection.
|
||
|
+.It Pa /etc/motd.irc
|
||
|
+File dumped to clients' sockets when connecting to IRC.
|
||
|
+.It Pa /tmp/ircbroadcast
|
||
|
+File dumped to clients' sockets when server receives SIGHUP.
|
||
|
+.It Pa quizzes.txt
|
||
|
+Quiz file.
|
||
|
+.Sh SEE ALSO
|
||
|
+.Xr inetd 8
|
||
|
+.Pp
|
||
|
+http://www.mmedia.is/~bre/tircproxy
|
||
|
+.Sh BUGS
|
||
|
+Redirect rules are not added dynamically, which may pose a problem for some
|
||
|
+firewalled environments.
|
||
|
+.Pp
|
||
|
+Authentication can only take place at a 1:1 (one user for each machine) ratio.
|
||
|
+This can result in users being incorrectly authenticated when connecting to IRC.
|