--- tircproxy.8 Sun Jun 20 13:42:42 1999 +++ /home/g/irc/tircproxy.8 Sun Jun 20 12:38:24 1999 @@ -0,0 +1,204 @@ +.\" tircproxy manual page. +.\" baker hamilton +.\" +.\" thanks to Bjarni R. Einarsson for writing such excellent documentation +.\" to accompany his proxy. +.Dd June 19, 1999 +.Os +.Dt TIRCPROXY 8 +.Sh NAME +.Nm tircproxy +.Nd transparent IRC proxy +.Sh SYNOPSIS +.Nm +.Op Fl CDHKLMNOQRSUahp +.Op Fl b Ar ipaddr +.Op Fl d Ar level +.Op Fl i Ar ipaddr +.Op Fl o Ar ipaddr +.Op Fl q Ar file +.Op Fl r Ar user +.Op Fl s Ar port +.Op Fl t Ar seconds +.Sh DESCRIPTION +.Nm +is a transparent IRC proxy, allowing DCC sessions to take place from behind a +firewall or NAT gateway. It can run from either +.Xr inetd 8 , +or by itself. +.Nm +works in the traditional sense, as specified by RFC 1919, where +the destination appears to be directly reachable to the client system, which +is in fact communicating only with the proxy server. This is where the illusion +of transparency comes in, and the client programs can operate as normal. The +proxy server then spawns a client, connects to the intended destination, and +transfers data between the two ends seamlessly. +.Pp +.Xr ipf 8 +should be configured to redirect packets destined for the IRC server to the +proxy. +.Nm +does not add these rules dynamically, so they should be inserted into +.Pa /etc/ipnat.rules . +These rules should typically resemble: +.Pp +.Bd -unfilled -offset indent +rdr xl0 10.0.0.0/8 port 6667 -> 127.0.0.1 port 7666 tcp +.Ed +.Pp +This would redirect all IRC connection attempts from the internal network +10.x.x.x to the proxy running on the localhost, port 7666, assuming your +ethernet interface is xl0. +.Pp +.Nm +will change it's runtime UID and GID based on the client that is connecting to +it. This permits identd to authenticate the user with some accuracy. For every machine that you expect to connect through the proxy, create a file in +.Pa /var/run +with the name +.Dq user-x.x.x.x , +where +.Dq x.x.x.x +is the IP address of that machine. Then, in that file, enter the name of the +user that will be connecting to IRC from the specified address. That user must +already have an account (shell, home directory, and password are not required) on the proxy. For example, if bob likes to IRC from 10.1.2.3, you would create +.Dq /var/run/user-10.1.2.3 +on the proxy. Then simply +.Dq echo bob >/var/run/user-10.1.2.3 , +and you're set. +.Pp +If the file +.Pa /etc/motd.irc +exists, its contents will be dumped, unformatted, to the user's socket when +they connect to IRC. It is up to the proxy's administrator to format this +file correctly, like so: +.Pp +.Bd -unfilled -offset indent -compact +:admin@isp.net 999 * :You are connected to IRC via this network's +:admin@isp.net 998 * :transparent proxy server. +:admin@isp.net 997 * :Have a nice day. +.Ed +.Pp +.Nm +will also broadcast a message to each client's socket when the server catches +a HUP signal. +.Pa /tmp/ircbroadcast +will be dumped, and will not interfere with DCC connections. +.Pp +The options are as follows: +.Bl -tag -width indent +.It Fl C +Do not allow DCC CHAT sessions to take place. +.It Fl D +Do not log clients' nicknames in syslog. +.It Fl H +Ignore +.Pa /etc/hosts.allow +and +.Pa /etc/hosts.deny . +.It Fl K +Disable the kludge that allows DCC to work with mIRC. Some versions of mIRC +retrieve their IP addresses from the IRC server, rather than from the system +itself. The address returned is that of the proxy server, which breaks DCC +transfers. The kludge circumvents this problem by ignoring addresses specified +within the packets themselves, and substituting the address that it assumes is +that of the client. +.It Fl L +Log to stderr instead of syslog. +.It Fl M +Disable DCC SEND mangling/censorship in incoming and outgoing requests. +Normally, certain files offered will be either blocked, or have their names mangled, in the interest of security. These include: +.Pp +.Bd -unfilled -offset indent -compact +script.ini +dmsetup.exe +dmsetup2.exe +winhelper.exe +mschv32.exe +mirc.ini +.Ed +.Pp +mirc.ini is changed to mirc.in-, while the rest are simply blocked. A list of +troublesome files is kept at www.irchelp.org/irchelp/security/. Beware when +using this with older versions of mIRC, however, as DCC RESUME may fail if the +proxy mangles the filename. +.It Fl N +Do not act as an IRC proxy. +.It Fl O +Do not interact with oident. When using oident, +.Nm +can be run as non-root in Linux. Unfortunately, when using IPFilter it must +open +.Pa /dev/ipnat , +which can only be done by root. +.It Fl R +Run with more relaxed behaviour. Allow users to irc in the event that no +appropriate entry can be found in their respective ident file. +.It Fl S +Do not allow DCC SEND transmissions to take place. This affects DCC TSEND, +DCC RESEND, and DCC TRESEND as well. +.It Fl U +Do not allow unknown DCC requests. +.It Fl b Ar ipaddr +Bind to the specified IP address when running in server mode. +.It Fl d Ar level +Set the debug level: +.Pp +.Bd -unfilled -offset indent -compact +0: No debugging information. +8: Maximum verbosity. +9: Don't fork(); run in the foreground. +.Ed +.Pp +.It Fl i Ar ipaddr +The internal IP address of the proxy. When using NAT, this typically falls under +one of the address blocks reserved by the IANA (see RFC 1597). +.It Fl o Ar ipaddr +The external IP address of the proxy. This is the address used to connect to +the IRC server. +.It Fl q Ar file +Ask the user a simple question from the named file. This is meant to keep bots from connecting though the proxy. See +.Pa quizzes.txt +for more information. +.It Fl r Ar user +Run as the specified user in server mode. +.It Fl s Ar port +Run as a server bound to the specified port. +.It Fl t Ar seconds +Force a +.Xr sleep 1 +between multiple connections initiated under the number seconds specified. +.Sh EXAMPLES +The following are examples of starting tircproxy from inetd and in server mode +(standalone), respectively: +.Pp +.Bd -unfilled -offset indent -compact +tircproxy stream tcp nowait root /usr/sbin/tircproxy tircproxy + -OK -o 204.213.180.106 -i 192.168.1.1 +.Ed +.Pp +and +.Pp +.Bd -unfilled -offset indent -compact +tircproxy -OK -s 7666 -o 204.213.180.106 -i 192.168.1.1 +.Ed +.Pp +.Sh FILES +.Bl -tag -width /tmp/ircbroadcast -compact +.It Pa /dev/ipnat +Device that performs packet redirection. +.It Pa /etc/motd.irc +File dumped to clients' sockets when connecting to IRC. +.It Pa /tmp/ircbroadcast +File dumped to clients' sockets when server receives SIGHUP. +.It Pa quizzes.txt +Quiz file. +.Sh SEE ALSO +.Xr inetd 8 +.Pp +http://www.mmedia.is/~bre/tircproxy +.Sh BUGS +Redirect rules are not added dynamically, which may pose a problem for some +firewalled environments. +.Pp +Authentication can only take place at a 1:1 (one user for each machine) ratio. +This can result in users being incorrectly authenticated when connecting to IRC.