add tircproxy port; garath@ntplx.net

-
Transparent IRC proxy. Supports DCC CHAT, SEND, RESEND, and TSEND.
brad 1999-06-21 00:33:58 +00:00
parent 6fe015bbeb
commit a5843cd140
8 changed files with 523 additions and 0 deletions

13
net/tircproxy/Makefile Normal file

@ -0,0 +1,13 @@
# $OpenBSD: Makefile,v 1.1.1.1 1999/06/21 00:33:58 brad Exp $
DISTNAME= tircproxy-0.4.3
CATEGORIES= net
MASTER_SITES= http://www.mmedia.is/~bre/tircproxy/
MAINTAINER= garath@ntplx.net
WRKSRC= ${WRKDIR}/tircproxy-0.4
GNU_CONFIGURE= yes
.include <bsd.port.mk>

3
net/tircproxy/files/md5 Normal file

@ -0,0 +1,3 @@
SHA1 (tircproxy-0.4.3.tar.gz) = ad21e879fc8fa91f792f708fd63b5043a0566ef3
RMD160 (tircproxy-0.4.3.tar.gz) = af2985203b459da53beff88a49b5e000d3f4613a
MD5 (tircproxy-0.4.3.tar.gz) = 94f508ed95cefc3e3d841c9c52b59e58


@ -0,0 +1,278 @@
--- tircproxy.c.orig Wed Dec 30 20:23:13 1998
+++ tircproxy.c Sun Jun 20 20:15:26 1999
@@ -107,7 +107,7 @@
# include <net/if.h>
# include <netinet/in_systm.h>
# include <netinet/tcp.h>
-# include <netinet/ip_compat.h>
+# include <netinet/ip_fil_compat.h>
# include <netinet/ip_fil.h>
# include <netinet/ip_proxy.h>
# include <netinet/ip_nat.h>
@@ -164,7 +164,7 @@
/* Macros & definitions.
*/
#define FD_MAX(a,b) ((a) > (b) ? (a) : (b))
-#define MIN 60
+#define MINUTE 60
#define DEBUG_FEATURES 1
#define DEBUG_BASIC 2
@@ -227,8 +227,8 @@
/* These make useful global variables..
*/
-char user_nick[LENGTH_NICKNAME * 2], user_name[512], alarm_in[64];
-char user_ident_file[64];
+char user_nick[LENGTH_NICKNAME * 2], user_name[MAXLOGNAME], alarm_in[64];
+char user_ident_file[PATH_MAX];
char server_tag[50];
ipaddr_t clients_ip = INADDR_NONE;
char clients_ip_s[64];
@@ -256,7 +256,7 @@
char **from_cli_last = NULL;
char *to_cli_first = NULL;
char **to_cli_last = NULL;
-char quizfile[64], quiz[512];
+char quizfile[PATH_MAX], quiz[512];
int use_unix_passwd = QUIZ_OFF;
int use_quiz_mode = QUIZ_OFF;
#endif
@@ -353,7 +353,7 @@
case 'q':
#ifdef QUIZ_MODE
use_quiz_mode = QUIZ_ON;
- sprintf(quizfile, "%.63s", optarg);
+ snprintf(quizfile, sizeof(quizfile), "%.63s", optarg);
#else
usage(argv[0],"Feature QUIZ_MODE not active.");
#endif
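Review bot: The `%.63s` precision on the new `snprintf` line still cuts the quiz-file path at 63 bytes, so enlarging `quizfile` to `PATH_MAX` in the earlier hunk has no effect and a longer `-q` argument is silently shortened to a different path. Since the size argument now bounds the write, the precision can go: `snprintf(quizfile, sizeof(quizfile), "%s", optarg);`, with the return value compared against `sizeof(quizfile)` so an over-long path is rejected through `usage()` instead of being truncated. The enclosing option switch starts and ends outside the hunk.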
@@ -482,9 +482,9 @@
** loops, while allowing proxy-to-proxy operation.
*/
{
- char hostname[128];
- gethostname(hostname, 127);
- sprintf(server_tag,"X-tircproxy[%d/%.10s]\n",
+ char hostname[MAXHOSTNAMELEN];
+ gethostname(hostname, sizeof(hostname));
+ snprintf(server_tag, sizeof(server_tag), "X-tircproxy[%d/%.10s]\n",
getpid(), hostname );
}
@@ -1027,13 +1027,9 @@
/* Give this thing 10 minutes to get started (paranoia).
*/
signal(SIGALRM, alarm_signal);
- alarm(10*MIN);
+ alarm(10*MINUTE);
strcpy(alarm_in, "trans_proxy");
- /* Check who the client is, and drop root privs if we have them.
- */
- change_uid(from_addr);
-
#ifdef TCP_WRAPPERS
if (use_tcp_wrappers)
{
@@ -1132,6 +1128,10 @@
to_addr.sin_addr.s_addr = server_ip;
}
+ /* Check who the client is, and drop root privs if we have them.
+ */
+ change_uid(from_addr);
+
signal(SIGHUP, hup_signal);
debug_msg(0, LOG_DEBUG,
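Review bot: Everything between the old `change_uid(from_addr)` call site (removed in the -1027 hunk) and this one now runs before privileges are dropped, including the `TCP_WRAPPERS` block visible in that hunk and about a hundred lines that this patch does not show. If the reason is that the NAT lookup has to open `/dev/ipnat` as root, as the man page added in this commit suggests, the comment should say so, e.g. `/* Must follow the NAT lookup, which needs root for /dev/ipnat; keep client-driven parsing below this call. */`. Whether `change_uid` aborts the connection when the uid switch fails is not visible here and is worth confirming, since a silent failure would leave the session running as root. The enclosing function starts and ends outside the hunk.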
@@ -1171,7 +1171,7 @@
/* Allow 3 minutes for things to get properly started.
*/
signal(SIGALRM, alarm_signal);
- alarm(3*MIN);
+ alarm(3*MINUTE);
strcpy(alarm_in, "copy_loop: starting");
/* Lookup an ASCII representation of the host's IP address.
@@ -1268,7 +1268,7 @@
/* Allow 30 minutes for the loop to complete.
*/
signal(SIGALRM, alarm_signal);
- alarm(30*MIN);
+ alarm(30*MINUTE);
strcpy(alarm_in, "copy_loop: waiting");
#ifdef DEBUG
debug_msg(DEBUG_TRIVIA, LOG_DEBUG,"copy_loop: waiting");
@@ -1573,7 +1573,7 @@
{
if (!allow_dcc_chat)
#ifdef DISALLOW_DCC_CHAT
- sprintf(replace,
+ snprintf(replace, sizeof(replace),
DISALLOW_DCC_CHAT,
type, arg_1);
#else
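Review bot: `sizeof(replace)` is the buffer size only if `replace` is declared as an array in this scope; the declaration is outside the hunk, and if it is a `char *` (for example a function parameter) the bound becomes the pointer size and the rewritten DCC line is cut to a few bytes. The same question applies to `line` and `out` in the hunks at -1730 and -1782, `retvalue` at -2007 and `fakeid` at -2172, none of whose declarations are visible in this patch. Where the target turns out to be a pointer, pass the real capacity explicitly instead of `sizeof`. Checking the `snprintf` return value in these places would also let a truncated reply be dropped rather than forwarded.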
@@ -1587,7 +1587,7 @@
{
if (!allow_dcc_send)
#ifdef DISALLOW_DCC_SEND
- sprintf(replace,
+ snprintf(replace, sizeof(replace),
DISALLOW_DCC_SEND,
type, arg_1);
#else
@@ -1595,7 +1595,7 @@
#endif
else if (!dcc_mangle_filename(arg_1))
#ifdef MANGLE_DCC_SEND
- sprintf(replace,
+ snprintf(replace, sizeof(replace),
MANGLE_DCC_SEND,
type, arg_1);
#else
@@ -1604,7 +1604,7 @@
}
else if (!strcasecmp(type, "RESUME"))
{
- sprintf(replace,
+ snprintf(replace, sizeof(replace),
"%cDCC %s %s %d %d%s%c",
CTRL_A,
type, arg_1,
@@ -1613,7 +1613,7 @@
}
else if (!strcasecmp(type, "ACCEPT"))
{
- sprintf(replace,
+ snprintf(replace, sizeof(replace),
"%cDCC %s %s %d %d%s%c",
CTRL_A,
type, arg_1,
@@ -1624,7 +1624,7 @@
*/
else if (!allow_dcc_unknown)
#ifdef DISALLOW_DCC_SEND
- sprintf(replace,
+ snprintf(replace, sizeof(replace),
DISALLOW_DCC_FUNK,
type, arg_1);
#else
@@ -1636,7 +1636,7 @@
/* No replacement has been set, so
** proxy this connection. :-)
*/
- sprintf(replace,
+ snprintf(replace, sizeof(replace),
"%c%s %s %s %s%s%c",
CTRL_A, ctcp_type,
type, arg_1,
@@ -1730,7 +1730,7 @@
else if (!strncasecmp(line, "USER", 4))
{
int cip = ANON_USERID;
- sprintf(line, "USER t%x anon anon :%s\n", cip, ANON_IRCNAME);
+ snprintf(line, sizeof(line), "USER t%x anon anon :%s\n", cip, ANON_IRCNAME);
}
}
else if (!strncasecmp(line, "NOTICE", 6)) /* Fix mIRC junk */
@@ -1782,9 +1782,9 @@
*/
case 1: quiz_delay_line(line, QUIZ_S);
fuid = getpid() * visible_ip_o;
- sprintf(user_nick, "}%x", fuid);
- sprintf(line, "NICK :%s\n", user_nick);
- sprintf(out, ":%.32s %.256s", r, line);
+ snprintf(user_nick, sizeof(user_nick), "}%x", fuid);
+ snprintf(line, sizeof(line), "NICK :%s\n", user_nick);
+ snprintf(out, sizeof(out), ":%.32s %.256s", r, line);
quiz_delay_line(out, QUIZ_C);
quiz_greet();
@@ -2007,7 +2007,7 @@
sprintf(retvalue,"%lu %u",
(unsigned long int) ntohl(vip), ntohs(to_addr.sin_port));
#else
- sprintf(retvalue,"%u %u",
+ snprintf(retvalue, sizeof(retvalue), "%u %u",
(unsigned int) ntohl(vip), ntohs(to_addr.sin_port));
#endif
return(retvalue);
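Review bot: The `sprintf(retvalue,"%lu %u", ...)` call in the other preprocessor branch, visible as context at the top of this hunk, is left unbounded while only the `#else` branch is converted. Converting it the same way keeps both builds consistent: `snprintf(retvalue, sizeof(retvalue), "%lu %u",`. The condition selecting the branch and the declaration of `retvalue` are outside the hunk.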
@@ -2016,7 +2016,7 @@
/* Give people five minutes to accept the call..
*/
signal(SIGALRM, alarm_signal);
- alarm(5*MIN);
+ alarm(5*MINUTE);
strcpy(alarm_in,"proxy_dcc: accept");
/* No silly broadcasts shall mess up our DCC stuff!
@@ -2075,17 +2075,17 @@
#ifdef IP_TO_UID_PREFIX
int fd;
int tries;
- char ipfile[512];
+ char ipfile[PATH_MAX];
char *cp;
struct passwd *pw;
#ifdef CDIR
if (use_cdir)
- sprintf(ipfile, "%s%s-%s", CDIR, CDIR_MAP,
+ snprintf(ipfile, sizeof(ipfile), "%s%s-%s", CDIR, CDIR_MAP,
inet_ntoa(addr->sin_addr));
else
#endif
- sprintf(ipfile, "%s%s", IP_TO_UID_PREFIX,
+ snprintf(ipfile, sizeof(ipfile), "%s%s", IP_TO_UID_PREFIX,
inet_ntoa(addr->sin_addr));
/* Repeat until whe lose the ident race.. :-)
@@ -2154,7 +2154,7 @@
*/
if ((!*user_name) && (!use_anonymity)) return;
- sprintf(user_ident_file, "%s%s:%d-%s:%d", CDIR, CDIR_IDENT,
+ snprintf(user_ident_file, sizeof(user_ident_file), "%s%s:%d-%s:%d", CDIR, CDIR_IDENT,
ntohs(us->sin_port),
inet_ntoa(them->sin_addr),
ntohs(them->sin_port));
@@ -2172,7 +2172,7 @@
{
int cip = ANON_USERID;
- sprintf(fakeid, "t%x", cip);
+ snprintf(fakeid, sizeof(fakeid), "t%x", cip);
debug_msg(0, LOG_INFO, "Anonymized connection as %s", fakeid);
u = fakeid;
@@ -2451,7 +2451,7 @@
{
char out[512];
- sprintf(out,":%.32s!irc@proxy PRIVMSG %.32s :%.256s\n",
+ snprintf(out, sizeof(out), ":%.32s!irc@proxy PRIVMSG %.32s :%.256s\n",
QUIZ_NICK, user_nick, message);
quiz_delay_line(out, QUIZ_C);
@@ -2461,8 +2461,8 @@
*/
static void quiz_greet(void)
{
- FILE *fd;
- int i, r;
+ FILE *fd;
+ int i, r, d;
char question[512], buff[512], *p;
if (use_unix_passwd)
@@ -2475,7 +2475,8 @@
srand(time((time_t) NULL));
- if ((fd = fopen(quizfile,"r")) == NULL)
+ d = open(quizfile, O_RDONLY|O_CREAT|O_EXCL, 0400);
+ if ((fd = fdopen(d,"r")) == NULL)
{
debug_msg(0, LOG_DEBUG,
"Error (%.128s) reading quiz-file: %.128s",


@ -0,0 +1,207 @@
--- tircproxy.8 Sun Jun 20 13:42:42 1999
+++ /home/g/irc/tircproxy.8 Sun Jun 20 12:38:24 1999
@@ -0,0 +1,204 @@
+.\" tircproxy manual page.
+.\" baker hamilton <garath@ntplx.net>
+.\"
+.\" thanks to Bjarni R. Einarsson for writing such excellent documentation
+.\" to accompany his proxy.
+.Dd June 19, 1999
+.Os
+.Dt TIRCPROXY 8
+.Sh NAME
+.Nm tircproxy
+.Nd transparent IRC proxy
+.Sh SYNOPSIS
+.Nm
+.Op Fl CDHKLMNOQRSUahp
+.Op Fl b Ar ipaddr
+.Op Fl d Ar level
+.Op Fl i Ar ipaddr
+.Op Fl o Ar ipaddr
+.Op Fl q Ar file
+.Op Fl r Ar user
+.Op Fl s Ar port
+.Op Fl t Ar seconds
+.Sh DESCRIPTION
+.Nm
+is a transparent IRC proxy, allowing DCC sessions to take place from behind a
+firewall or NAT gateway. It can run from either
+.Xr inetd 8 ,
+or by itself.
+.Nm
+works in the traditional sense, as specified by RFC 1919, where
+the destination appears to be directly reachable to the client system, which
+is in fact communicating only with the proxy server. This is where the illusion
+of transparency comes in, and the client programs can operate as normal. The
+proxy server then spawns a client, connects to the intended destination, and
+transfers data between the two ends seamlessly.
+.Pp
+.Xr ipf 8
+should be configured to redirect packets destined for the IRC server to the
+proxy.
+.Nm
+does not add these rules dynamically, so they should be inserted into
+.Pa /etc/ipnat.rules .
+These rules should typically resemble:
+.Pp
+.Bd -unfilled -offset indent
+rdr xl0 10.0.0.0/8 port 6667 -> 127.0.0.1 port 7666 tcp
+.Ed
+.Pp
+This would redirect all IRC connection attempts from the internal network
+10.x.x.x to the proxy running on the localhost, port 7666, assuming your
+ethernet interface is xl0.
+.Pp
+.Nm
+will change it's runtime UID and GID based on the client that is connecting to
+it. This permits identd to authenticate the user with some accuracy. For every machine that you expect to connect through the proxy, create a file in
+.Pa /var/run
+with the name
+.Dq user-x.x.x.x ,
+where
+.Dq x.x.x.x
+is the IP address of that machine. Then, in that file, enter the name of the
+user that will be connecting to IRC from the specified address. That user must
+already have an account (shell, home directory, and password are not required) on the proxy. For example, if bob likes to IRC from 10.1.2.3, you would create
+.Dq /var/run/user-10.1.2.3
+on the proxy. Then simply
+.Dq echo bob >/var/run/user-10.1.2.3 ,
+and you're set.
+.Pp
+If the file
+.Pa /etc/motd.irc
+exists, its contents will be dumped, unformatted, to the user's socket when
+they connect to IRC. It is up to the proxy's administrator to format this
+file correctly, like so:
+.Pp
+.Bd -unfilled -offset indent -compact
+:admin@isp.net 999 * :You are connected to IRC via this network's
+:admin@isp.net 998 * :transparent proxy server.
+:admin@isp.net 997 * :Have a nice day.
+.Ed
+.Pp
+.Nm
+will also broadcast a message to each client's socket when the server catches
+a HUP signal.
+.Pa /tmp/ircbroadcast
+will be dumped, and will not interfere with DCC connections.
+.Pp
+The options are as follows:
+.Bl -tag -width indent
+.It Fl C
+Do not allow DCC CHAT sessions to take place.
+.It Fl D
+Do not log clients' nicknames in syslog.
+.It Fl H
+Ignore
+.Pa /etc/hosts.allow
+and
+.Pa /etc/hosts.deny .
+.It Fl K
+Disable the kludge that allows DCC to work with mIRC. Some versions of mIRC
+retrieve their IP addresses from the IRC server, rather than from the system
+itself. The address returned is that of the proxy server, which breaks DCC
+transfers. The kludge circumvents this problem by ignoring addresses specified
+within the packets themselves, and substituting the address that it assumes is
+that of the client.
+.It Fl L
+Log to stderr instead of syslog.
+.It Fl M
+Disable DCC SEND mangling/censorship in incoming and outgoing requests.
+Normally, certain files offered will be either blocked, or have their names mangled, in the interest of security. These include:
+.Pp
+.Bd -unfilled -offset indent -compact
+script.ini
+dmsetup.exe
+dmsetup2.exe
+winhelper.exe
+mschv32.exe
+mirc.ini
+.Ed
+.Pp
+mirc.ini is changed to mirc.in-, while the rest are simply blocked. A list of
+troublesome files is kept at www.irchelp.org/irchelp/security/. Beware when
+using this with older versions of mIRC, however, as DCC RESUME may fail if the
+proxy mangles the filename.
+.It Fl N
+Do not act as an IRC proxy.
+.It Fl O
+Do not interact with oident. When using oident,
+.Nm
+can be run as non-root in Linux. Unfortunately, when using IPFilter it must
+open
+.Pa /dev/ipnat ,
+which can only be done by root.
+.It Fl R
+Run with more relaxed behaviour. Allow users to irc in the event that no
+appropriate entry can be found in their respective ident file.
+.It Fl S
+Do not allow DCC SEND transmissions to take place. This affects DCC TSEND,
+DCC RESEND, and DCC TRESEND as well.
+.It Fl U
+Do not allow unknown DCC requests.
+.It Fl b Ar ipaddr
+Bind to the specified IP address when running in server mode.
+.It Fl d Ar level
+Set the debug level:
+.Pp
+.Bd -unfilled -offset indent -compact
+0: No debugging information.
+8: Maximum verbosity.
+9: Don't fork(); run in the foreground.
+.Ed
+.Pp
+.It Fl i Ar ipaddr
+The internal IP address of the proxy. When using NAT, this typically falls under
+one of the address blocks reserved by the IANA (see RFC 1597).
+.It Fl o Ar ipaddr
+The external IP address of the proxy. This is the address used to connect to
+the IRC server.
+.It Fl q Ar file
+Ask the user a simple question from the named file. This is meant to keep bots from connecting though the proxy. See
+.Pa quizzes.txt
+for more information.
+.It Fl r Ar user
+Run as the specified user in server mode.
+.It Fl s Ar port
+Run as a server bound to the specified port.
+.It Fl t Ar seconds
+Force a
+.Xr sleep 1
+between multiple connections initiated under the number seconds specified.
+.Sh EXAMPLES
+The following are examples of starting tircproxy from inetd and in server mode
+(standalone), respectively:
+.Pp
+.Bd -unfilled -offset indent -compact
+tircproxy stream tcp nowait root /usr/sbin/tircproxy tircproxy
+ -OK -o 204.213.180.106 -i 192.168.1.1
+.Ed
+.Pp
+and
+.Pp
+.Bd -unfilled -offset indent -compact
+tircproxy -OK -s 7666 -o 204.213.180.106 -i 192.168.1.1
+.Ed
+.Pp
+.Sh FILES
+.Bl -tag -width /tmp/ircbroadcast -compact
+.It Pa /dev/ipnat
+Device that performs packet redirection.
+.It Pa /etc/motd.irc
+File dumped to clients' sockets when connecting to IRC.
+.It Pa /tmp/ircbroadcast
+File dumped to clients' sockets when server receives SIGHUP.
+.It Pa quizzes.txt
+Quiz file.
+.Sh SEE ALSO
+.Xr inetd 8
+.Pp
+http://www.mmedia.is/~bre/tircproxy
+.Sh BUGS
+Redirect rules are not added dynamically, which may pose a problem for some
+firewalled environments.
+.Pp
+Authentication can only take place at a 1:1 (one user for each machine) ratio.
+This can result in users being incorrectly authenticated when connecting to IRC.


@ -0,0 +1,18 @@
--- Makefile.in.orig Thu Dec 17 21:21:55 1998
+++ Makefile.in Sun Jun 20 20:15:27 1999
@@ -11,6 +11,7 @@
exec_prefix=@exec_prefix@
TARGETNAME=@sbindir@/tircproxy
STRIP=@STRIP@
+mandir=@mandir@
ALL_CFLAGS=-Wall -I. -I@srcdir@ $(CFLAGS)
@@ -27,6 +28,7 @@
install: tircproxy
$(INSTALL) -o bin -g bin -m 555 tircproxy $(TARGETNAME)
+ $(INSTALL) -c -m 0644 tircproxy.8 @mandir@/man8
install-strip: install
$(STRIP) $(TARGETNAME)
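Review bot: The new install line writes to `@mandir@/man8` directly even though the first hunk adds `mandir=@mandir@`, so the variable is defined but never used and a `make mandir=...` override has no effect. Use the variable in the rule: `$(INSTALL) -c -m 0644 tircproxy.8 $(mandir)/man8`. The line also omits the `-o bin -g bin` that the binary's install line uses, so the page is installed with the invoking user's ownership; state the owner explicitly if that is not intended.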


@ -0,0 +1 @@
transparent irc proxy

1
net/tircproxy/pkg/DESCR Normal file

@ -0,0 +1 @@
Transparent IRC proxy. Supports DCC CHAT, SEND, RESEND, and TSEND.

2
net/tircproxy/pkg/PLIST Normal file

@ -0,0 +1,2 @@
man/man8/tircproxy.8
sbin/tircproxy