Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

redir(1) [debian man page]

REDIR(1)						      General Commands Manual							  REDIR(1)

redir - redirect tcp connections SYNOPSIS
redir [--laddr=incoming.ip.address] [--caddr=host] [--debug] [--syslog] [--name=str] [--timeout=n] [--bind_addr=my.other.ip.address] [--ftp=type] [--transproxy] [--connect=host:port] --lport=port --cport=port [--bufsize=n] [--max_bandwidth=n] [--random_wait=n] [--wait_in_out=n] redir --inetd [--caddr=host] [--debug] [--syslog] [--name=str] [--timeout=n] [--ftp=type] [--transproxy] [--connect=host:port] --cport=port [--bufsize=n] [--max_bandwidth=n] [--random_wait=n] [--wait_in_out=n] DESCRIPTION
Redir redirects tcp connections coming in to a local port to a specified address/port combination. It may be run either from inetd or as a standalone daemon. Depending on how redir was compiled, not all options may be available. OPTIONS
--lport Specifies port to listen for connections on (when not running from inetd) --laddr IP address to bind to when listening for connections (when not running from inetd) --cport Specifies port to connect to. --caddr Specifies remote host to connect to. (localhost if omitted) --inetd Run as a process started from inetd, with the connection passed as stdin and stdout on startup. --debug Write debug output to stderr or syslog. --name Specify program name to be used for TCP wrapper checks and syslog logging. --timeout Timeout and close the connection after n seconds of inactivity. --syslog Log information to syslog. --bind_addr Forces redir to pick a specific address/interface to bind to when it listens for incoming connections. --ftp When using redir for an FTP server, this will cause redir to also redirect ftp connections. Type should be specified as either "port", "pasv", or "both", to specify what type of FTP connection to handle. Note that --transproxy often makes one or the other (generally port) undesirable. --transproxy On a linux system with transparent proxying enabled, causes redir to make connections appear as if they had come from their true origin. (see /usr/share/doc/redir/transproxy.txt) --connect Redirects connections through an HTTP proxy which supports the CONNECT command. Specify the address and port of the proxy using --caddr and --cport. --connect requires the hostname and port which the HTTP proxy will be asked to connect to. --bufsize n Set the bufsize (defaut 4096) in bytes. Can be used combined with --max_bandwidth or --random_wait to simulate a slow con- nection. --max_bandwidth n Reduce the bandwidth to be no more than n bits/sec. The algorithme is basic, the goal is to simulate a slow connection, so there is no pic acceptance. --random_wait n Wait between 0 and 2 x n milliseconds before each "packet". A "packet" is a bloc of data read in one time by redir. A "packet" size is always less than the bufsize (see also --bufsize). --wait_in_out n Apply --max_bandwidth and --random_wait for input if n=1, output if n=2 and both if n=3. SEE ALSO
inetd(1) local REDIR(1)

Check Out this Related Man Page

FTP-PROXY(8)						    BSD System Manager's Manual 					      FTP-PROXY(8)

ftp-proxy -- Internet File Transfer Protocol proxy server SYNOPSIS
ftp-proxy -i [-AnrVw] [-a address] [-D debuglevel] [-g group] [-M maxport] [-m minport] [-R address[:port]] [-S address] [-t timeout] [-u user] ftp-proxy -p [-AnrVw] [-a address] [-D debuglevel] [-g group] [-M maxport] [-m minport] [-R address[:port]] [-S address] [-t timeout] [-u user] DESCRIPTION
ftp-proxy is a proxy for the Internet File Transfer Protocol. The proxy uses pf(4) and expects to have the FTP control connection as described in services(5) redirected to it via a pf(4) rdr command. An example of how to do that is further down in this document. The options are as follows: -A Permit only anonymous FTP connections. The proxy will allow connections to log in to other sites as the user "ftp" or "anonymous" only. Any attempt to log in as another user will be blocked by the proxy. -a address Specify the local IP address to use in bind(2) as the source for connections made by ftp-proxy when connecting to destination FTP servers. This may be necessary if the interface address of your default route is not reachable from the destinations ftp-proxy is attempting connections to, or this address is different from the one connections are being NATed to. In the usual case this means that address should be a publicly visible IP address assigned to one of the interfaces on the machine running ftp-proxy and should be the same address to which you are translating traffic if you are using the -n option. -D debuglevel Specify a debug level, where the proxy emits verbose debug output into syslogd(8) at level LOG_DEBUG. Meaningful values of debu- glevel are 0-3, where 0 is no debug output and 3 is lots of debug output, the default being 0. -g group Specify the named group to drop group privileges to, after doing pf(4) lookups which require root. By default, ftp-proxy uses the default group of the user it drops privilege to. -i Set ftp-proxy for use with IP-Filter. -M maxport Specify the upper end of the port range the proxy will use for the data connections it establishes. The default is IPPORT_HILASTAUTO defined in <netinet/in.h> as 65535. -m minport Specify the lower end of the port range the proxy will use for all data connections it establishes. The default is IPPORT_HIFIRSTAUTO defined in <netinet/in.h> as 49152. -n Activate network address translation (NAT) mode. In this mode, the proxy will not attempt to proxy passive mode (PASV or EPSV) data connections. In order for this to work, the machine running the proxy will need to be forwarding packets and doing network address translation to allow the outbound passive connections from the client to reach the server. See pf.conf(5) for more details on NAT. The proxy only ignores passive mode data connections when using this flag; it will still proxy PORT and EPRT mode data connections. Without this flag, ftp-proxy does not require any IP forwarding or NAT beyond the rdr necessary to capture the FTP control connec- tion. -p Set ftp-proxy for use with pf. -R address:[port] Reverse proxy mode for FTP servers running behind a NAT gateway. In this mode, no redirection is needed. The proxy is run from inetd(8) on the port that external clients connect to (usually 21). Control connections and passive data connections are forwarded to the server. -r Use reverse host (reverse DNS) lookups for logging and libwrap use. By default, the proxy does not look up hostnames for libwrap or logging purposes. -S address Source address to use for data connections made by the proxy. Useful when there are multiple addresses (aliases) available to the proxy. Clients may expect data connections to have the same source address as the control connections, and reject or drop other con- nections. -t timeout Specifies a timeout, in seconds. The proxy will exit and close open connections if it sees no data for the duration of the timeout. The default is 0, which means the proxy will not time out. -u user Specify the named user to drop privilege to, after doing pf(4) lookups which require root privilege. By default, ftp-proxy drops privilege to the user proxy. Running as root means that the source of data connections the proxy makes for PORT and EPRT will be the RFC mandated port 20. When running as a non-root user, the source of the data connections from ftp-proxy will be chosen randomly from the range minport to maxport as described above. -V Be verbose. With this option the proxy logs the control commands sent by clients and the replies sent by the servers to syslogd(8). -w Use the tcp wrapper access control library hosts_access(3), allowing connections to be allowed or denied based on the tcp wrapper's hosts.allow(5) and hosts.deny(5) files. The proxy does libwrap operations after determining the destination of the captured control connection, so that tcp wrapper rules may be written based on the destination as well as the source of FTP connections. ftp-proxy is run from inetd(8) and requires that FTP connections are redirected to it using a rdr rule. A typical way to do this would be to use either an ipnat rule such as int_if = "xl0"; rdr $int_if 0/0 port 21 -> port 8021 tcp or a pf.conf(5) rule such as int_if = "xl0" rdr pass on $int_if proto tcp from any to any port 21 -> port 8021 inetd(8) must then be configured to run ftp-proxy on the port from above using stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -[ip] in inetd.conf(5). ftp-proxy accepts the redirected control connections and forwards them to the server. The proxy replaces the address and port number that the client sends through the control connection to the server with its own address and proxy port, where it listens for the data connection. When the server opens the data connection back to this port, the proxy forwards it to the client. If you're using IP-Filter, the ipf.conf(5) rules need to let pass connections to these proxy ports (see options -u, -m, and -M above) in on the external interface. The following exam- ple allows only ports 49152 to 65535 to pass in statefully: block in on $ext_if proto tcp all pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state If you're using pf, then the pf.conf(5) rules need to let pass connections to these proxy ports (see options -u, -m, and -M above) in on the external interface. The following example allows only ports 49152 to 65535 to pass in statefully: block in on $ext_if proto tcp all pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state Alternatively, pf.conf(5) rules can make use of the fact that by default, ftp-proxy runs as user "proxy" to allow the backchannel connec- tions, as in the following example: block in on $ext_if proto tcp all pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state These examples do not cover the connections from the proxy to the foreign FTP server. If one does not pass outgoing connections by default additional rules are needed. NOTES PF anchor is required for this daemon to correctly function. SEE ALSO
ftp(1), pf(4), hosts.allow(5), hosts.deny(5), inetd.conf(5), ipf.conf(5), ipnat.conf(5), pf.conf(5), inetd(8), ipf(8), ipnat(8), pfctl(8), syslogd(8) BUGS
Extended Passive mode (EPSV) is not supported by the proxy and will not work unless the proxy is run in network address translation mode. When not in network address translation mode, the proxy returns an error to the client, hopefully forcing the client to revert to passive mode (PASV) which is supported. EPSV will work in network address translation mode, assuming a configuration setup which allows the EPSV connections through to their destinations. IPv6 is not yet supported. BSD
March 16, 2011 BSD
Man Page

Featured Tech Videos