-
Notifications
You must be signed in to change notification settings - Fork 1
/
plug.1
161 lines (161 loc) · 4.9 KB
/
plug.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
.TH PLUG 1 FIREWALL
.SH NAME
plug -- Plug proxy daemon.
.SH SYNOPSIS
.B /usr/local/sbin/plug
.B -V
<br>
.B /usr/local/sbin/plug
.I [-f]
.I [-l]
.I [-P pidfile]
.I [-S sessionfile]
.I [-k]
.I [-d[d]]
.I [-n]
.I [-i sourceaddr]
.I [-p proxyaddr]
.I [-h https-proxy[:port]]
.I [-t timeout]
.I [-a accept_rule]
.I [-o]
.I [-r retry]
.I [-V]
.B sourceport
.BI destaddr [:destport]
.I [destaddr[:destport]]...
.SH DESCRIPTION
.B Plugdaemon
acts as a "dumb proxy", forwarding a TCP/IP stream from a port on one host
to a possibly different port on a separate host. It runs as a daemon to
reduce latency in setting up a connection, and optionally logs every
connection via
.I syslog.
.SH OPTIONS
.TP
-f
Forces a given client address to continue to connect to the same host on
subsequent attempts, for proxying HTTP connections so that subsequent hits
will be on the same mirror.
.TP
-k
Turns on SO_KEEPALIVE on the plug. You want to use this on frequent short
term connections like HTTP requests where response time is more important
than reliability on flakey links, and leave it off on long-term connections
that may go a long time without transferring data.
.TP
-l
turns on connection logging.
.TP
-P pidfile
Maintains a file that contains the process ID of the master plug daemon,
followed by the process IDs of all the active children. This can be used
for cleanup or monitoring. The file is deleted when the parent process
exits.
.TP
-S sessionfile
Write session info to this file at the end of each connection:
.IP
[yyyy-mm-dd HH:MM:SS] plug[PID] FROM PEER TO IN OUT DURATION
.IP
Where "yyyy-mm-dd HH:MM:SS" is the time the connection closed, PID
is the process-id of the connection, PEER is the address of the client
that connected, FROM and TO are the listener port (and address, if
specified) and target address and port, IN and OUT are the bytes read
and written, and DURATION is the connection duration in microseconds.
.P
If the session file is "-", it writes the session to standard output
(implies -n).
.TP
-d
turns on debugging output (implies -n).
Additional -d options add more output.
.TP
-n Stops
.B plug
from running as a daemon or logging errors to syslog. Errors in this mode
are displayed on standard error.
.TP
-i interface
Bind the plug to the named interface, for use on multi-homed hosts.
.TP
-p interface
Bind the source port of the proxied connection to the named interface,
for use on multi-homed hosts.
.TP
-h host:port
Connect via an HTTPS proxy on host:port. Note that when using -h
.I and
-p, the -p option specifies the interface to bind to for the connection
to the HTTPS proxy, since there is no way to control what the HTTPS proxy
might do.
.TP
-a accept_rule
Accept connections that match the rule. Currently, the rule is an ip
address and an optional subnet, e.g.
.I -a 192.168.2.0/24
to accept connections from the Class-C subnet 192.168.2. All 4 octets of
the address must be provided. If no rules are specified connections are
allowed from any address.
.TP
-t timeout
Timeout for forced connections, after no attempts in this period
it will connect to a new (pseudo-)randomly selected server. The
default is 1 hour.
.TP
-o
Direct all connections to the first valid server instead of load-balancing.
.TP
-r retry
Timeout for downed servers; if specified, then a dead server is retried
after this many seconds.
If not specified, then a dead server stays out of the pool until all have
failed or plugdaemon is restarted, then all are retried again.
.TP
-V
Prints version and exits.
.SH EXAMPLES
On a firewall at 192.168.0.14, to proxy an NNTP connection through to a
host at 10.0.3.15:
.P
plug -i 192.168.0.14 119 10.0.3.15
.P
On an client, to forward an SSH connection through an HTTP proxy at
192.168.0.101 port 8008
.P
plug -i 127.0.0.1 2022 -h 192.168.0.101:8008 customer.example.com:22
.P
To forward an AIM connection through the same proxy:
.P
plug -h 192.168.0.101:8008 9898 toc.oscar.aol.com:9898
.P
(then tell your AIM client to connect to localhost port 9898)
.SH BUGS
.B Plugdaemon
only accepts numeric IP addresses and services.
.P
The syntax is rather clumsy, but I'm deferring cleanup until version 3.0. The
main thing I'd like to do is get rid of the -i option and allow any of the
following forms for the source:
.IR port ,
.IR :port ,
.IR *:port ,
.IR address:port ,
or
.I source/interface
(to specify the outgoing interface).
As well as regularise the various flags other people have added that I've
kept to keep from breaking their scripts.
.SH "SECURITY FEATURES"
.B Plugdaemon
only accepts numeric IP addresses and services.
.P
I don't call gethostbyname anywhere to keep someone from managing to fake it
out by spoofing the firewall, but I think that there's places this would be
a minor risk, so 3.0 will probably add that as a compile-time option.
.SH LICENSE
.B Plugdaemon
is released under a "Berkeley" style license. See the file LICENSE for details.
(tip me if you like this program, e-gold account 172426)
.SH AUTHOR
Peter da Silva <[email protected]>