From 32aff2b27ccc3b3e51fb6f0bd77fe0073827c527 Mon Sep 17 00:00:00 2001
From: Jakub Sławiński
Date: Tue, 7 Jun 2005 12:06:18 +0200
Subject: v0.7

- Added: http proxy tunnels between afserver and afclient
- Fixed: sigint interception with threads enabled (in http proxy mode)
- Fixed: FATAL ERROR in afclient in some situations after close of afserver when http proxy mode is enabled
- Added: afclients can connect directly to afserver with enabled proxy mode
- Fixed: timeout routine in http proxy tunnels
- Added: 'rshow' command in ra mode displays 'tunneltype'
- Fixed: printing IP of clients when http proxy mode is enabled
- Added: 'tunneltype' per client in ra mode after 'cshow' command
- Fixed: closing connection when http proxy mode is enabled
- Fixed: threads initialization
- Fixed: afserver closing after sigint
- Fixed: afclient threads initialization
- Added: 'version' option to display program version number
- Modified: establishing afclient<->afserver connection
- Added: 'keep-alive' option
- Fixed: using 'proxyport' without 'proxyname'
- Added: auto-reconnect feature to afclient
- Added: 'ar-tries' and 'ar-delay' options
- Modified: http proxy logging
- Fixed: closing connection with afclient after receiving id
- Fixed: thread closing due to wrong initialization sequence
- Fixed: small bug in initialization process
- Heavily Modified: logging routines
- Added: audit option
- Modified: default dateformat is now ISO 8601
- Modified: printing usage
- Fixed: bug in threads' initialization in afclient
- Added: 'timeout' and 'dateformat' options in ra mode
- Modified: empty dateformat disables printing '[] '
- Added: 'audit' and 'dnslookups' options in ra mode
- Fixed: afserver freeze bug
- Added: 'kuser' and 'kclient' options in ra mode
- Fixed: bug in starting afclient in ra mode
- Added: audit log printed also after kicking the client
---
 doc/afclient.1 | 81 +++++++++++++++++++++-----
 doc/afserver.1 | 85 +++++++++++++++++++++++----
 doc/afserver.conf.5 | 25 ++++----
 doc/afserver_example.conf | 12 ++--
 doc/en/README | 143
++++++++++++++++++++++++++++++++++++---------- 5 files changed, 270 insertions(+), 76 deletions(-) (limited to 'doc') diff --git a/doc/afclient.1 b/doc/afclient.1 index 5cdd770..7fd5a1c 100644 --- a/doc/afclient.1 +++ b/doc/afclient.1 @@ -1,4 +1,4 @@ -.TH afclient 1 "apf 0.6" Jeremian +.TH afclient 1 "apf 0.7" Jeremian .SH NAME afclient \- active port forwarder client .SH SYNOPSIS @@ -41,6 +41,9 @@ is running (required) .B -p, --portnum PORT the port we are forwarding connection to (required) +.B -V, --version + display version number + .B -h, --help prints help screen @@ -60,6 +63,15 @@ is running (required) .B -D, --dateformat FORMAT format of the date printed in logs (see 'man strftime' for details) (default: %d.%m.%Y %H:%M:%S) +.B -K, --keep-alive N + send keepalive packets every N seconds (default: not send keepalive packets) + +.B -A, --ar-tries N + try N times to reconnect to afserver after its premature quit (default: unlimited) + +.B -T, --ar-delay N + wait N seconds between reconnect tries (default: 5) + .I Modes .B -u, --udpmode @@ -69,21 +81,12 @@ is running (required) reverse udp forwarding. Udp packets will be forwarded from hostname:portnum (-p) to the server name:portnum (-m) .B -r, --remoteadmin - remote administration mode. (using '-p PORT' will force afclient to use port rather then stdin-stdout) + remote administration mode. (using '-p PORT' will force afclient to use port rather than stdin-stdout) .I Logging -.B -O, --heavylog - logging everything to a logfile - -.B -o, --lightlog - logging some data to a logfile - -.B -S, --heavysocklog - logging everything to a localport - -.B -s, --lightsocklog - logging some data to a localport +.B -o, --log LOGCMD + log choosen information to file/socket .B -v, --verbose to be verbose - program won't enter the daemon mode (use several times for greater effect) 
@@ -104,6 +107,14 @@ is running (required) .B -L, --Load load a module for service's packets filtering +.I HTTP PROXY + +.B -P, --proxyname + the name of the machine with proxy server + +.B -X, --proxyport + the port used by proxy server (default: 8080) + .SH "REMOTE ADMINISTRATION" Remote administration mode is enabled by @@ -141,6 +152,50 @@ command), .B afclient exits. +.SH "LOGCMD FORMAT" + +.B LOGCMD +has the following synopsis: +.B target,description,msgdesc + +Where +.B target +is +.B file +or +.B sock + +.B description +is +.B filename +or +.B host,port + +and +.B msgdesc +is the subset of: + +.B LOG_T_ALL, +.B LOG_T_USER, +.B LOG_T_CLIENT, +.B LOG_T_INIT, +.B LOG_T_MANAGE, +.B LOG_T_MAIN, +.B LOG_I_ALL, +.B LOG_I_CRIT, +.B LOG_I_DEBUG, +.B LOG_I_DDEBUG, +.B LOG_I_INFO, +.B LOG_I_NOTICE, +.B LOG_I_WARNING, +.B LOG_I_ERR + +written without spaces. + + Example: + + file,logfile,LOG_T_USER,LOG_T_CLIENT,LOG_I_INFO,LOG_I_NOTICE + .SH MODULES .B Afclient diff --git a/doc/afserver.1 b/doc/afserver.1 index 0a39c2c..cf17b49 100644 --- a/doc/afserver.1 +++ b/doc/afserver.1 @@ -1,4 +1,4 @@ -.TH afserver 1 "apf 0.6" Jeremian +.TH afserver 1 "apf 0.7" Jeremian .SH NAME afserver \- active port forwarder server .SH SYNOPSIS @@ -89,6 +89,9 @@ connects to it (default: 50126) .B -b, --baseport listenports are temporary and differ for each client +.B -a, --audit + additional information about connections are logged + .B --nossl ssl is not used to transfer data (but it's still used to establish a connection) (default: ssl is used) 
@@ -100,17 +103,8 @@ connects to it (default: 50126) .I Logging -.B -O, --heavylog - logging everything to a logfile - -.B -o, --lightlog - logging some data to a logfile - -.B -S, --heavysocklog - logging everything to a localport - -.B -s, --lightsocklog - logging some data to a localport +.B -o, --log LOGCMD + log choosen information to file/socket .B -v, --verbose to be verbose - program won't enter the daemon mode (use several times for greater effect) @@ -123,6 +117,11 @@ connects to it (default: 50126) .B -6, --ipv6 use ipv6 only +.I HTTP PROXY + +.B -P, --enableproxy + enable http proxy mode + .SH "REMOTE ADMINISTRATION" Currently available commands are: @@ -148,6 +147,68 @@ Currently available commands are: .B quit quit connection +.B timeout N X + set timeout value in X realm + +.B audit {0|1} X + set audit mode in X realm + +.B dnslookups {0|1} X + set dnslookups mode in X realm + +.B dateformat S + set dateformat + +.B kuser S + kick user named S + +.B kclient N + kick client with number N + +.SH "LOGCMD FORMAT" + +.B LOGCMD +has the following synopsis: +.B target,description,msgdesc + +Where +.B target +is +.B file +or +.B sock + +.B description +is +.B filename +or +.B host,port + +and +.B msgdesc +is the subset of: + +.B LOG_T_ALL, +.B LOG_T_USER, +.B LOG_T_CLIENT, +.B LOG_T_INIT, +.B LOG_T_MANAGE, +.B LOG_T_MAIN, +.B LOG_I_ALL, +.B LOG_I_CRIT, +.B LOG_I_DEBUG, +.B LOG_I_DDEBUG, +.B LOG_I_INFO, +.B LOG_I_NOTICE, +.B LOG_I_WARNING, +.B LOG_I_ERR + +written without spaces. + + Example: + + file,filename,LOG_T_ALL,LOG_I_CRIT,LOG_I_ERR,LOG_I_WARNING + .SH "SEE ALSO" .BR afclient (1), diff --git a/doc/afserver.conf.5 b/doc/afserver.conf.5 index b15bf2d..18d1b2a 100644 --- a/doc/afserver.conf.5 +++ b/doc/afserver.conf.5 @@ -1,4 +1,4 @@ -.TH afserver.conf 5 "apf 0.6" Jeremian +.TH afserver.conf 5 "apf 0.7" Jeremian .SH NAME afserver.conf \- Configuration File for afserver .SH INTRODUCTION 
@@ -22,9 +22,9 @@ uses configuration file, which name is supplied by the option. The .B afserver.conf file is composed of two sections which have to be in fixed order. In first section global values like certificates, keys and logging options are set. The second section starts with first -.B newrealm +.B realm command and includes options describing specific realms. There may be several -.B newrealm +.B realm commands. .SH "GLOBAL OPTIONS" @@ -35,17 +35,8 @@ commands. .B key FILE the name of the file with RSA key (default: server.rsa) -.B lightlog FILE - logging some data to a logfile - -.B heavylog FILE - logging everything to a logfile - -.B heavysocklog PORT - logging everything to a localport - -.B lightsocklog PORT - logging some data to a localport +.B log LOGCMD + log choosen information to file/socket .B dateformat FORMAT format of the date printed in logs (see 'man strftime' for details) (default: %d.%m.%Y %H:%M:%S). Format string is trimmed. In order to include white characters into format string, use dots to mark beginning and end of the text. If the dot is first or last character, it's removed. Only one character from the beginning and one from the end can be removed. @@ -98,6 +89,9 @@ commands. .B baseport listenports are temporary and differ for each client + +.B audit + additional information about connections are logged .B dnslookups try to obtain dns names of the computers rather than their numeric IP @@ -108,6 +102,9 @@ commands. .B ipv6 use ipv6 only +.B enableproxy + enable http proxy mode + .SH "SEE ALSO" .BR afclient (1), diff --git a/doc/afserver_example.conf b/doc/afserver_example.conf index 2046b03..f7c0be8 100644 --- a/doc/afserver_example.conf +++ b/doc/afserver_example.conf 
@@ -12,17 +12,13 @@ key server.rsa # type name of file -lightlog logfile -#heavylog logfile +log file,logfile,LOG_T_ALL,LOG_I_CRIT,LOG_I_ERR,LOG_I_WARNING # we we could also want to use sockets instead of files -# type port (on localhost) +#log sock,localhost,LOG_T_ALL,LOG_I_ALL -#lightsocklog 12345 -#heavysocklog 12345 - -#dateformat %d.%m.%Y %H:%M:%S +#dateformat %Y-%m-%d %H:%M:%S # And it's time to create forwarding targets (named realms here) @@ -46,9 +42,11 @@ manage 50126 #portnumber on which server is listening for afclient #nossl #don't use ssl for data transfer #nozlib #don't use zlib #baseport #listenports are temporary and differ for each client +#audit #additional information about connections are logged #dnslookups #try to obtain dns names of the computers #ipv4 #use ipv4 only #ipv6 #use ipv6 only +#enableproxy #enable http proxy mode # and now the second realm diff --git a/doc/en/README b/doc/en/README index 0e49c3e..d676098 100644 --- a/doc/en/README +++ b/doc/en/README @@ -1,4 +1,4 @@ -AF - Active Port Forwarder 0.6 - README +AF - Active Port Forwarder 0.7 - README Copyright (C) 2003,2004,2005 jeremian - ================================================================= @@ -30,11 +30,13 @@ INTRO 2.1 afserver 2.2 afclient 3. REMOTE ADMINISTRATION -4. MODULES -5. EXAMPLES - 5.1 tcp mode - 5.2 reverse udp mode -6. BUGS/PROBLEMS +4. HTTP PROXY TUNNELS +5. LOGGING +6. MODULES +7. EXAMPLES + 7.1 tcp mode + 7.2 reverse udp mode +8. BUGS/PROBLEMS NOTES @@ -110,6 +112,7 @@ Multiple clients allow to create more sophisticated tunneling scheme. to it (default: 50127) -m, --manageport - manage port number - second part of the active port forwarder connects to it (default: 50126) + -V, --version - display version number -h, --help - prints this help Authorization: 
@@ -137,27 +140,24 @@ Multiple clients allow to create more sophisticated tunneling scheme. -R, --raclients - the number of allowed clients in remote administration mode to use this server (default: 1) -U, --usrpcli - the number of allowed users per client (default: $users) - -M, --climode - strategy used for connecting users with clients - (default: 1) + -M, --climode - strategy used to connect users with clients (default: 1) Available strategies: 1. fill first client before go to next - -p, --proto - type of server (tcp|udp) - for which protocol it will - be operating (default: tcp) + -p, --proto - type of server (tcp|udp) - what protocol it will be + operating for (default: tcp) -b, --baseport - listenports are temporary and differ for each client - --nossl - ssl is not used for transferring data (but it's still - used to establish a connection) (default: ssl is used) - --nozlib - zlib is not used for compressing data (default: - zlib is used) + -a, --audit - additional information about connections are logged + --nossl - ssl is not used to transfer data (but it's still used + to establish a connection) (default: ssl is used) + --nozlib - zlib is not used to compress data (default: zlib is + used) --dnslookups - try to obtain dns names of the computers rather than their numeric IP Logging: - -O, --heavylog - logging everything to a logfile - -o, --lightlog - logging some data to a logfile - -S, --heavysocklog - logging everything to a localport - -s, --lightsocklog - logging some data to a localport + -o, --log - log choosen information to file/socket -v, --verbose - to be verbose - program won't enter the daemon mode (use several times for greater effect) @@ -166,6 +166,11 @@ Multiple clients allow to create more sophisticated tunneling scheme. -4, --ipv4 - use ipv4 only -6, --ipv6 - use ipv6 only + HTTP PROXY: + + -P, --enableproxy - enable http proxy mode + + 2.2 afclient ------------ 
@@ -179,11 +184,12 @@ Multiple clients allow to create more sophisticated tunneling scheme. destination of the packets (default: the name returned by hostname function) -p, --portnum - the port we are forwarding connection to (required) + -V, --version - display version number -h, --help - prints this help Authorization: - -i, --id - send the id string to afserver + -i, --id - sends the id string to afserver --pass - set the password used for client identification (default: no password) @@ -192,23 +198,25 @@ Multiple clients allow to create more sophisticated tunneling scheme. -k, --keyfile - the name of the file with RSA key (default: client.rsa) -D, --dateformat - format of the date printed in logs (see 'man strftime' for details) (default: %d.%m.%Y %H:%M:%S) + -K, --keep-alive N - send keepalive packets every N seconds + (default: not send keepalive packets) + -A, --ar-tries N - try N times to reconnect to afserver after + its premature quit (default: unlimited) + -T, --ar-delay N - wait N seconds between reconnect tries (default: 5) Modes: -u, --udpmode - udp mode - client will use udp protocol to - communicate with the hostname + communicate with the hostname:portnum (-p) -U, --reverseudp - reverse udp forwarding. Udp packets will be forwarded from hostname:portnum (-p) to the server name:portnum (-m) -r, --remoteadmin - remote administration mode. (using '-p #port' will - force afclient to use port rather then stdin-stdout) + force afclient to use port rather than stdin-stdout) Logging: - -O, --heavylog - logging everything to a logfile - -o, --lightlog - logging some data to a logfile - -S, --heavysocklog - logging everything to a localport - -s, --lightsocklog - logging some data to a localport + -o, --log - log choosen information to file/socket -v, --verbose - to be verbose - program won't enter the daemon mode (use several times for greater effect) 
@@ -222,6 +230,12 @@ Multiple clients allow to create more sophisticated tunneling scheme. -l, --load - load a module for user's packets filtering -L, --Load - load a module for service's packets filtering + HTTP PROXY: + + -P, --proxyname - the name of the machine with proxy server + -X, --proxyport - the port used by proxy server (default: 8080) + + ================================================================================ ======================== @@ -257,6 +271,25 @@ Currently available commands are: quit quit connection + timeout N X + set timeout value in X realm + + audit {0|1} X + set audit mode in X realm + + dnslookups {0|1} X + set dnslookups mode in X realm + + dateformat S + set dateformat + + kuser S + kick user named S + + kclient N + kick client with number N + + Afclient with '-p, --portnum PORT' option listens for connection from user at NAME:PORT. NAME is set by '-d, --hostname' option or hostname() function, when the option is missing. 
@@ -265,8 +298,58 @@ When user quits (close the connection or send 'quit' command), afclient exits. ================================================================================ +===================== +4. HTTP PROXY TUNNELS +===================== + +Afclient can communicate with afserver via HTTP proxy. In order to use this +feature, afserver must be started with '-P, --enableproxy' option. Afclient must +specify the proxy host ('-P, --proxyname' option) and port ('-X, --proxyport' +option). + +Afclient with HTTP proxy mode enabled can still accept connections from +afclients, which don't use HTTP proxy mode. + +================================================================================ + +========== +5. LOGGING +========== + +Logging can be enabled by '-o, --log' option. The argument to this option must +be in the form: + target,description,msgdesc + +Where + target is file or sock + description is filename or host,port + msgdesc is the subset of: + LOG_T_ALL, + LOG_T_USER, + LOG_T_CLIENT, + LOG_T_INIT, + LOG_T_MANAGE, + LOG_T_MAIN, + LOG_I_ALL, + LOG_I_CRIT, + LOG_I_DEBUG, + LOG_I_DDEBUG, + LOG_I_INFO, + LOG_I_NOTICE, + LOG_I_WARNING, + LOG_I_ERR + + written without spaces. + + + Example: + + file,filename,LOG_T_MANAGE,LOG_I_ALL + +================================================================================ + ========== -4. MODULES +6. MODULES ========== Afclient can use external modules for user's packets filtering ('-l, --load') @@ -343,10 +426,10 @@ Modules have to be compiled with '-fPIC -shared' options. ================================================================================ =========== -5. EXAMPLES +7. EXAMPLES =========== - 5.1 tcp mode + 7.1 tcp mode ------------ local network |FireWall| Internet 
@@ -395,7 +478,7 @@ on our computer and we are behind a masquerade or a firewall: 6) We can now enter with a web-browser to: :50127 and we will enter to our computer in the fact. - 5.2 reverse udp mode + 7.2 reverse udp mode -------------------- local network |FireWall| Internet @@ -434,7 +517,7 @@ server on our computer (udp port 27960 on our machine): ================================================================================ ================ -6. BUGS/PROBLEMS +8. BUGS/PROBLEMS ================ There are no known/open bugs at the moment. -- cgit v1.1
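Review bot: the commit message says the default dateformat is now ISO 8601 and afserver_example.conf @@ -12,17 +12,13 changes its example to `%Y-%m-%d %H:%M:%S`, but the unchanged context line `(default: %d.%m.%Y %H:%M:%S)` directly above the new `--keep-alive` entry in afclient.1 @@ -60,6 +63,15 still documents the old default, as do the context lines in afserver.conf.5 @@ -35 and README @@ -192; they should change in the same patch. In the new entries, `(default: not send keepalive packets)` reads better as `(default: keepalive packets are not sent)`, and `--ar-tries` should say how the user asks for unlimited tries explicitly (0, or by omitting the option), since unlimited is the documented default.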
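Review bot: `log choosen information to file/socket` in afclient.1 @@ -69,21 +81,12 misspells 'chosen'; the same line was pasted into afserver.1 @@ -100, afserver.conf.5 @@ -35 and README @@ -137 and @@ -192, so all five copies need the fix. Since this hunk removes four separate logging flags in favour of one `--log LOGCMD`, a short pointer such as `(see LOGCMD FORMAT below)` on that line would help users who upgrade and find `--lightlog` gone.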
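Review bot: the LOGCMD FORMAT section added in afclient.1 @@ -141,6 +152,50 (and repeated verbatim in afserver.1 @@ -148 and README section 5) never says how the two groups of values combine: whether a message is written when its type matches any listed LOG_T_* and its importance any listed LOG_I_*, whether at least one value from each group is mandatory, and what happens when only LOG_T_* values are given. Please state the rule, change 'is the subset of' to 'is a subset of', and add a `sock` example next to the `file` one, because that target takes two description fields (`host,port`) and the comma-separated form then has a different field count. As the three copies are identical, keeping one and cross-referencing it from the others would stop them drifting apart.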
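Review bot: `-a, --audit` in afserver.1 @@ -89,6 +89,9 (and the README and afserver.conf.5 copies) says only that 'additional information about connections are logged' ('is logged'); the page should say what that information is (the commit message mentions client IPs, the tunneltype and an audit record written when a client is kicked) and under which LOG_T_*/LOG_I_* class it is emitted, so an operator can route it with `--log` and knows what ends up in the file or socket.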
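Review bot: in the new remote-administration commands (afserver.1 @@ -148,6 +147,68, mirrored in README @@ -257), `timeout N X` gives no unit for N, and `dateformat S` takes no realm argument while every other new command does, so say it is global and whether the dot-trimming rule from afserver.conf(5) applies to S (a format with spaces is the common case). For `kuser S` and `kclient N`, document what the kicked side observes and whether the kick is persistent: this same release gives afclient auto-reconnect with `--ar-tries` defaulting to unlimited, so an operator issuing `kclient` will see the client back after `--ar-delay` seconds unless the server refuses it.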
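Review bot: afserver.conf.5 @@ -22,9 +22,9 renames the section keyword from `newrealm` to `realm`, but neither the commit message nor the README NOTES mention it. If this is a configuration-syntax change, existing afserver.conf files stop parsing (or parse differently) on upgrade and it belongs in the change list with a migration line; if the man page was simply wrong before, the commit message should say so. The example config hunk (afserver_example.conf @@ -46) does not show the keyword, so the patch itself does not settle which it is.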
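Review bot: in afserver_example.conf @@ -12,17 +12,13 the commented socket example `#log sock,localhost,LOG_T_ALL,LOG_I_ALL` lacks the port that the LOGCMD synopsis requires for `sock` (`host,port`); as written it either fails to parse or is read with `LOG_T_ALL` as the port. A form such as `#log sock,localhost,12345,LOG_T_ALL,LOG_I_ALL` matches the `#lightsocklog 12345` line it replaces. The adjacent context line `# we we could also want to use sockets` has a doubled word worth fixing while here.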
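Review bot: README @@ -179,11 +184,12 changes `-i, --id - send the id string to afserver` to `sends`, which breaks the imperative form every other option line in the list uses ('set the password', 'display version number'); keep `send`.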
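Review bot: in README @@ -265,8 +298,58 the new section 4 says 'Afclient with HTTP proxy mode enabled can still accept connections from afclients, which don't use HTTP proxy mode'; afclient does not accept afclients, and the commit message ('afclients can connect directly to afserver with enabled proxy mode') shows this should read 'Afserver with HTTP proxy mode enabled'. The section should also state whether SSL and the id/password authorization are unchanged when the afclient<->afserver stream runs through the proxy, since `-P`/`-X` are the only visible difference. In section 5, the `sock` target replaces the old localhost-only `--lightsocklog`/`--heavysocklog` with an arbitrary `host,port`, so the text should name the transport (TCP or UDP) and say whether the stream is protected; if it is plain text, say so, because with `audit` enabled the log carries client addresses and user names and an operator choosing a remote host needs to know that before sending it off the machine.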