.\" tircproxy manual page.
.\" baker hamilton
.\" Bjarni R. Einarsson
.\"
.Dd May 4, 2000
.Os
.Dt TIRCPROXY 8
.Sh NAME
.Nm tircproxy
.Nd transparent IRC proxy
.Sh SYNOPSIS
.Nm
.Op Fl CDHIKLMNQRSUahp
.Op Fl b Ar ipaddr
.Op Fl d Ar level
.Op Fl i Ar ipaddr
.Op Fl o Ar ipaddr
.Op Fl q Ar file
.Op Fl r Ar user
.Op Fl s Ar port
.Op Fl t Ar seconds
.Op irc-server Op port
.Sh DESCRIPTION
This man page describes
.Nm
0.4.5.
.Pp
.Nm
is a transparent IRC proxy, allowing DCC sessions to take place from behind
a firewall or masquerading/NAT gateway.
It can run from either
.Xr inetd 8 ,
or by itself.
.Pp
.Nm
can operate in the traditional sense, as specified by RFC 1919, where the
destination appears to be directly reachable to the client system, which is
in fact communicating only with the proxy server.
This is where the illusion of transparency comes in, and the client programs
can operate as normal.
The proxy server then spawns a client, connects to the intended destination,
and transfers data between the two ends seamlessly.
.Pp
Alternately,
.Nm
can be used as a traditional application layer proxy, accepting explicit
connections from the clients and connecting them to a single IRC server as
specified by the administrator.
.Pp
.Em Note:
For a more exhaustive discussion of
.Nm
consult the program's home page:
http://bre.klaki.net/programs/tircproxy/.
.Pp
.Sh OPTIONS
The following command line flags and options are recognized by the proxy:
.Pp
.Bl -tag -width indent
.It Fl C
Do not allow DCC CHAT sessions to take place.
.It Fl D
Do not log clients' nicknames in syslog.
.It Fl H
Ignore
.Pa /etc/hosts.allow
and
.Pa /etc/hosts.deny .
.It Fl I
Do not interact with an ident daemon.
When using a compatible ident daemon,
.Nm
may not need root privileges to correctly identify users.
This flag tells the proxy not to attempt such communication with the ident
daemon, which on some systems involves creating multiple temporary files.
.Pp
.It Fl K
Disable the kludge that allows DCC to work with mIRC.
Some versions of mIRC retrieve their IP addresses from the IRC server, rather
than from the system itself.
The address returned is that of the proxy server, which breaks DCC transfers.
The kludge circumvents this problem by ignoring the addresses specified within
the DCC requests themselves, and substituting the address that the proxy
assumes is that of the client.
.Pp
.Em Note:
Leave the kludge enabled unless it breaks functionality, since it also
improves the proxy's security somewhat: the client cannot advertise an
arbitrary address in its DCC requests.
.It Fl L
Log to stderr instead of syslog.
.It Fl M
Disable DCC SEND mangling/censorship in incoming and outgoing requests.
Normally, certain files offered will be either blocked, or have their names
mangled, in the interest of security.
These include:
.Pp
.Bd -unfilled -offset indent -compact
script.ini
dmsetup.exe
dmsetup2.exe
winhelper.exe
mschv32.exe
mirc.ini
.Ed
.Pp
mirc.ini is changed to mirc.in-, while the rest are simply blocked.
Beware when mangling is enabled with older versions of mIRC, however, as DCC
RESUME may fail if the proxy mangles the filename.
.It Fl N
Do not act as an IRC proxy.
This allows the proxy's ident communication features and access controls to be
used for proxying other TCP/IP based protocols.
.It Fl R
Run with more relaxed behaviour.
Allow users to irc in the event that no appropriate entry can be found in their
respective ident file.
.It Fl S
Do not allow DCC SEND transmissions to take place.
This affects DCC TSEND, DCC RESEND, and DCC TRESEND as well.
.It Fl U
Do not allow unknown DCC requests.
.It Fl a
Run in anonymizing mode.
This makes the proxy attempt to hide as much information about its clients as
possible.
This includes generating user-IDs for the ident daemon.
Using this without strict access control (or a quiz file) is probably a bad
idea, since it would turn the proxy into an open, untraceable relay.
.It Fl b Ar ipaddr
Bind to the specified IP address when running in server mode.
This is the address where the proxy listens for incoming connections.
.It Fl d Ar level
Set the debug level:
.Pp
.Bd -unfilled -offset indent -compact
0: No debugging information.
1: Minimal debugging information.
8: Maximum verbosity.
9: Don't fork(); run in the foreground.  Redirects log to stderr.
.Ed
.Pp
.It Fl i Ar ipaddr
The internal IP address of the proxy.
When using NAT or IP masquerading, this typically falls under one of the
address blocks reserved by the IANA (see RFC 1597, since superseded by
RFC 1918).
.It Fl o Ar ipaddr
The external IP address of the proxy.
This is the address used to connect to the IRC server.
.It Fl p
Require the user to supply a valid username and password before being allowed
to use the proxy.
The username and password may be sent to the proxy either with a
.Dq PASS username%password
command (a variant on the standard way to send IRC passwords), or as a simple
message responding to the proxy's challenge.
.It Fl q Ar file
Ask the user a simple question from the named file.
This is meant to keep bots from connecting through the proxy, or to limit use
to people who know a secret password.
An example illustrating the quiz file's format is given below.
.It Fl r Ar user
Run as the specified user in server mode.
.It Fl s Ar port
Run as a server bound to the specified port.
.It Fl t Ar seconds
Force a
.Xr sleep 1
between multiple connections initiated within the specified number of
seconds.
.El
.Sh ACCESS CONTROLS
.Nm
makes use of Wietse Venema's TCP wrapper library (libwrap), if it is present
on your system.
This allows the administrator to configure access to the proxy using the files
.Pa /etc/hosts.allow
and
.Pa /etc/hosts.deny .
.Pp
See
.Xr hosts_access 5
for information about the syntax of these files.
.Nm
checks for the presence of the following daemon tags:
.Pp
.Bl -tag -width tircproxy_dcc_files -compact
.It Pa tircproxy
This is checked whenever a client attempts to connect to IRC through the proxy.
.It Pa tircproxy_dcc_files
This is checked against the filename of files offered for DCC SEND.
This allows the admin to update the DCC blacklist without restarting (or
recompiling) the proxy.
.It Pa tircproxy_dcc_in
This is checked against the client's IP address and username whenever a DCC
connection is requested.
.It Pa tircproxy_dcc_out
This is checked against the IP addresses of external users who request a DCC
connection to one of the proxy's clients.
.El
.Pp
The username used in these checks is not fetched by querying the client's
ident daemon, but is looked up in the same tables as are used by the ident
communication support.
.Pp
Another method for access control is to use a quiz file.
If activated, the quiz mechanism will suppress all output from the client to
the server until the client successfully answers a question selected at random
from the quiz file.
A simple quiz file might look like this:
.Pp
.Bd -unfilled -offset indent -compact
# This is a comment, ignored by the proxy
#
!This is a generic message, sent to all users no matter which
!question is selected.
This is a question?:yes:no:maybe
Are elephants big?:yes
Is IRC a waste of time?:yes:no:maybe:of course not!
.Ed
.Pp
.Sh IDENT COMMUNICATION
When started as root
.Nm
will attempt to change its runtime UID and GID based on the client that is
connecting to it.
This is one way to get identd to authenticate the user with some accuracy.
Other methods, which may allow the proxy to run without root privileges,
involve direct communication between
.Nm
and the local ident daemon.
The best way is to use
.Xr UDB 8
shared memory tables for configuration and communication.
This requires that you use a UDB-aware ident daemon.
.Pp
If
.Nm
doesn't support UDB on your platform, then you must use the old filesystem
based method to configure the IP-to-user mappings.
For every machine you expect to connect through the proxy, create a file
containing the user's username in
.Pa /var/run
with the name
.Dq user-x.x.x.x ,
where
.Dq x.x.x.x
is the IP address of that machine.
For example, if bob likes to IRC from 10.1.2.3, then the command
.Dq echo bob >/var/run/user-10.1.2.3 ,
should suffice.
.Pp
If you are using UDB, use the
.Xr udb_ipuser 8
utility to add users to the shared memory tables, like this:
.Dq udb_ipuser 10.1.2.3 bob
.Pp
Note that if you want the proxy to change UID and GID then the configured users
must all have accounts (shell, home directory, and password are not required)
on the proxy.
If no valid user is found, and the proxy is running as root, then the
connection will be dropped (the
.Fl R
flag avoids this).
.Pp
.Sh BROADCASTS
If the file
.Pa /etc/motd.irc
exists, its contents will be dumped, unformatted, to the user's socket when
they connect to IRC.
It is up to the proxy's administrator to format this file correctly, like so:
.Pp
.Bd -unfilled -offset indent -compact
:admin@isp.net 999 * :You are connected to IRC via this network's
:admin@isp.net 998 * :transparent proxy server.
:admin@isp.net 997 * :Have a nice day.
.Ed
.Pp
.Nm
will also broadcast a message to each client's socket when the server catches
a HUP signal.
.Pa /tmp/ircbroadcast
will be dumped, and will not interfere with DCC connections.
Since
.Pa /tmp
is normally writable by every local user, check who can create that file on
the proxy host before relying on this feature.
.Pp
.Sh DEDICATED MODE
In non-transparent mode (dedicated mode) the proxy will always connect its
clients to the same IRC server.
This is activated by specifying the server name, and optionally its port
number, last on the
.Nm
command line.
.Pp
Example:
.Bd -unfilled -offset indent -compact
tircproxy -s 6667 -IH irc.undernet.org 6667
.Ed
.Pp
To give access to multiple IRC servers, you can run many stand-alone instances
of the proxy (on different ports) or do the same thing using inetd.
If no server is specified on the command line,
.Nm
assumes it is operating in transparent mode.
.Pp
.Sh STARTING FROM INETD
.Nm
will automatically detect if it is being run from inetd; no additional command
line arguments are required.
Configure it just like you would configure any other TCP/IP service.
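The quiz mechanism described under ACCESS CONTROLS above, as an added example in Python that is not part of tircproxy or of this manual page: it parses the documented quiz file format (comment lines, generic `!` lines, and `question:answer:answer` lines), selects one question, and suppresses everything the client sends until a line matching an accepted answer arrives. Case-insensitive matching, trimming of whitespace, and accepting an answer sent as the text of a PRIVMSG are assumptions made here, not documented behaviour of the proxy; the sample quiz file is constructed from the example above.

```python
"""Quiz-file gate in the style of tircproxy's -q option.
Added example, not tircproxy's own code; matching rules are assumptions."""
import random
from typing import List, Optional, Tuple

# Constructed sample quiz file, in the format documented in the man page.
SAMPLE_QUIZ = """\
# This is a comment, ignored by the proxy
#
!This is a generic message, sent to all users no matter which
!question is selected.
This is a question?:yes:no:maybe
Are elephants big?:yes
Is IRC a waste of time?:yes:no:maybe:of course not!
"""

Question = Tuple[str, List[str]]


def parse_quiz(text: str) -> Tuple[List[str], List[Question]]:
    """Return (generic lines sent to every user, [(question, accepted answers)])."""
    banner: List[str] = []
    questions: List[Question] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                         # blank line or comment
        if line.startswith("!"):
            banner.append(line[1:])          # generic message line
            continue
        question, sep, answers = line.partition(":")
        accepted = [a.strip() for a in answers.split(":") if a.strip()]
        if not sep or not accepted:
            raise ValueError(f"quiz line has no answers: {line!r}")
        questions.append((question.strip(), accepted))
    if not questions:
        raise ValueError("quiz file contains no questions")
    return banner, questions


def _answer_text(line: str) -> str:
    """Accept the answer as a bare line or as the trailing text of a PRIVMSG
    (assumption: the page does not say how the answer must be sent)."""
    if line.upper().startswith("PRIVMSG ") and " :" in line:
        return line.split(" :", 1)[1]
    return line


class QuizGate:
    """Holds back client->server traffic until the selected question is answered."""

    def __init__(self, text: str, rng=None):
        self.banner, self.questions = parse_quiz(text)
        # rng only needs a choice() method; the random module is the default.
        self.question, self._accepted = (rng or random).choice(self.questions)
        self.passed = False

    def challenge(self) -> List[str]:
        """Lines the proxy sends to the client before any IRC traffic flows."""
        return self.banner + [self.question]

    def from_client(self, line: str) -> Optional[str]:
        """Return the line to forward to the server, or None to suppress it.
        The first line matching an accepted answer opens the gate and is
        itself consumed rather than forwarded (assumption)."""
        if self.passed:
            return line
        answer = _answer_text(line).strip().lower()
        if any(answer == a.lower() for a in self._accepted):
            self.passed = True
        return None


if __name__ == "__main__":
    gate = QuizGate(SAMPLE_QUIZ)
    for sent in gate.challenge():
        print("proxy ->", sent)
    # "yes" is an accepted answer to every question in the sample file.
    for attempt in ("NICK bob", "PRIVMSG #test :yes", "JOIN #test"):
        print(repr(attempt), "->", gate.from_client(attempt))
```

Note that the gate consumes the answer line instead of forwarding it, so a correct answer never reaches the IRC server; everything sent before the answer is silently dropped, which is the behaviour the man page describes for the quiz mechanism.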
.Pp
Transparent proxying does not work on Linux when the proxy is run from inetd.
.Pp
.Sh IPF TRANSPARENT PROXYING
For transparent operation
.Xr ipf 8
should be configured to redirect packets destined for remote IRC servers to
the proxy.
Unfortunately, when using IPFilter for transparency the proxy must open
.Pa /dev/ipnat ,
which can only be done by root, so for this to work you must run the proxy
with full root privileges.
.Nm
does not add redirection rules dynamically, so they should be inserted into
.Pa /etc/ipnat.rules .
These rules should typically resemble:
.Pp
.Bd -unfilled -offset indent
rdr xl0 10.0.0.0/8 port 6667 -> 127.0.0.1 port 7666 tcp
.Ed
.Pp
This would redirect all IRC connection attempts from the internal network
10.x.x.x to the proxy running on the localhost, port 7666, assuming your
ethernet interface is xl0.
.Pp
.Sh LINUX TRANSPARENT PROXYING
Under Linux 2.2 transparent proxying would be activated with commands
something like this:
.Pp
.Bd -unfilled -offset indent
tircproxy -s 7666 -i 10.1.2.3 ...
ipchains -A input -j REDIRECT 7666 -p tcp -s 10.0.0.0/8 -d 0.0.0.0/0 6667
.Ed
.Pp
Under Linux 2.0 you must use ipfwadm instead of ipchains:
.Bd -unfilled -offset indent
ipfwadm -I -i accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 6667 -r 7666
.Ed
.Pp
Either rule would redirect all IRC connection attempts from the internal
network 10.x.x.x to the proxy running on the localhost, port 7666.
.Pp
.Sh FILES
.Bl -tag -width /tmp/ircbroadcast -compact
.It Pa /etc/hosts.allow
Access control: allowed connections
.It Pa /etc/hosts.deny
Access control: denied connections
.It Pa /dev/ipnat
Device that performs IPF packet redirection.
.It Pa /etc/ipnat.rules
Configuration of IPF forwarding rules (if any).
.It Pa /etc/motd.irc
File dumped to clients' sockets when connecting to IRC.
.It Pa /tmp/ircbroadcast
File dumped to clients' sockets when server receives SIGHUP.
.It Pa quizzes.txt
Quiz file.
.El
.Sh SEE ALSO
.Xr inetd 8 ,
.Xr hosts_access 5 ,
.Xr oidentd 8 ,
.Xr identd 8
.Pp
/usr/doc/tircproxy-0.4.5/
.Pp
http://bre.klaki.net/programs/tircproxy/
.Pp
.Sh BUGS
Redirect rules are not added dynamically, which may pose a problem for some
firewalled environments.
.Pp
Authentication can only take place at a 1:1 (one user for each client machine)
ratio.
This can result in users being incorrectly authenticated when connecting to
IRC.
.Sh THANKS
Thanks to Baker Hamilton for writing the first version of this man page.
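The DCC handling controlled by the -C, -K, -M, -S and -U options described under OPTIONS, as an added example in Python that is not tircproxy's code: it inspects CTCP DCC requests carried in PRIVMSG lines, drops or renames the filenames listed under -M (script.ini and the other blocked names are dropped, mirc.ini becomes mirc.in-), refuses CHAT, SEND-family or unknown requests when the corresponding option disables them, and overwrites the address field with the address the proxy already associates with the sender, which is the -K kludge. Case-insensitive filename matching, comparing only the basename, treating malformed requests like unknown ones, and the sample traffic lines are assumptions of this example, not documented behaviour of the proxy.

```python
"""DCC request policy in the spirit of tircproxy's -C/-K/-M/-S/-U options.
Added example, not tircproxy's own code; matching details are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Filenames listed under -M in the man page (case-insensitive here: assumption).
BLOCKED = {"script.ini", "dmsetup.exe", "dmsetup2.exe", "winhelper.exe", "mschv32.exe"}
MANGLED = {"mirc.ini": "mirc.in-"}
SEND_TYPES = {"SEND", "TSEND", "RESEND", "TRESEND"}   # all covered by -S


def split_dcc(body: str) -> Optional[List[str]]:
    """Split 'DCC <type> <arg> <addr> ...'; a filename containing spaces is
    quoted with double quotes.  Returns None when the request is malformed."""
    parts = body.split(" ", 2)
    if len(parts) < 3:
        return None
    rest = parts[2]
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        return parts[:2] + [rest[1:end]] + rest[end + 1:].split()
    return parts[:2] + rest.split()


@dataclass
class DccPolicy:
    known_addr: str             # address the proxy believes belongs to the sender
    allow_chat: bool = True     # False corresponds to -C
    allow_send: bool = True     # False corresponds to -S
    allow_unknown: bool = True  # False corresponds to -U
    mangle: bool = True         # False corresponds to -M
    kludge: bool = True         # False corresponds to -K

    def filter_line(self, line: str) -> Optional[str]:
        """Return the IRC line to forward (possibly rewritten), or None to drop it."""
        head, sep, tail = line.partition(" :\x01")
        if not sep or not tail.endswith("\x01") or not tail[:-1].upper().startswith("DCC "):
            return line                               # not a CTCP DCC request
        tokens = split_dcc(tail[:-1])
        if tokens is None or len(tokens) < 4 or not tokens[3].isdigit():
            return line if self.allow_unknown else None   # malformed: treat as unknown
        kind, arg, addr, rest = tokens[1].upper(), tokens[2], tokens[3], tokens[4:]
        if kind == "CHAT":
            if not self.allow_chat:
                return None
        elif kind in SEND_TYPES:
            if not self.allow_send:
                return None
            name = arg.replace("\\", "/").rsplit("/", 1)[-1].lower()   # basename only
            if self.mangle:
                if name in BLOCKED:
                    return None
                if name in MANGLED:
                    arg = MANGLED[name]
        else:
            return line if self.allow_unknown else None   # unknown DCC type, untouched
        if self.kludge:
            # Ignore the address the client put in the request; use the one we know.
            addr = str(int(ipaddress.IPv4Address(self.known_addr)))
        quoted = f'"{arg}"' if " " in arg else arg
        rebuilt = " ".join(["DCC", tokens[1], quoted, addr] + rest)
        return f"{head} :\x01{rebuilt}\x01"


# Constructed sample traffic from a client the proxy knows as 10.1.2.3; the
# client advertises 192.168.1.1 (3232235777) in every request.
SAMPLE_LINES = [
    ":alice!a@10.1.2.3 PRIVMSG bob :\x01DCC SEND script.ini 3232235777 1234 512\x01",
    ":alice!a@10.1.2.3 PRIVMSG bob :\x01DCC SEND mirc.ini 3232235777 1234 4096\x01",
    ":alice!a@10.1.2.3 PRIVMSG bob :\x01DCC CHAT chat 3232235777 1235\x01",
    ':alice!a@10.1.2.3 PRIVMSG bob :\x01DCC SEND "my notes.txt" 3232235777 1236 99\x01',
    ":alice!a@10.1.2.3 PRIVMSG bob :hello there",
]


def apply_policy(policy: DccPolicy, lines: List[str]) -> List[Optional[str]]:
    """Run every line through the policy; None marks a dropped line."""
    return [policy.filter_line(l) for l in lines]


if __name__ == "__main__":
    for out in apply_policy(DccPolicy(known_addr="10.1.2.3"), SAMPLE_LINES):
        print("dropped" if out is None else out)
```

With the default settings the script.ini offer is dropped, mirc.ini is renamed to mirc.in-, and every surviving DCC request carries 167838211 (10.1.2.3 as a 32-bit decimal) instead of the address the client advertised; the plain PRIVMSG passes untouched.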