forked from hiro-dSn/stone
-
Notifications
You must be signed in to change notification settings - Fork 0
xoox/stone
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Simple Repeater stone version 2.3e Copyright(c)1995-2008 by Hiroaki Sengoku [email protected] Stone is a TCP/IP repeater in the application layer. It repeats TCP and UDP from inside to outside of a firewall, or from outside to inside. Stone has following features: 1. Stone supports Win32. Formerly, UNIX machines are used as firewalls, but recently WindowsNT machines are used, too. You can easily run stone on WindowsNT and Windows95. Of course, available on Linux, FreeBSD, BSD/OS, SunOS, Solaris, HP-UX and so on. 2. Simple. Stone's source code is only 10000 lines long (written in C language), so you can minimize the risk of security holes. 3. Stone supports SSL. Using OpenSSL (http://www.openssl.org/), stone can encrypt/decrypt. Client verifications, and server verifications are also supported. Stone can send a substring of the subject of the certificate to the destination. 4. Stone is a http proxy. Stone can also be a tiny http proxy. 5. POP -> APOP conversion. With stone and a mailer that does not support APOP, you can access to an APOP server. 6. Stone supports IPv6. Stone can convert IP and IPv6 each other. With stone, you can use IP-only software on IPv6 network. HOWTO USE stone [-C <file>] [-P <command>] [-Q <options>] [-N] [-d] [-p] [-n] [-u <max>] [-f <n>] [-l] [-L <file>] [-a <file>] [-i <file>] [-X <n>] [-T <n>] [-A <n>] [-r] [-x <port>[,<port>][-<port>]... <xhost>... --] [-s <send> <expect>... --] [-b [<var>=<val>]... <n> <master>:<port> <backup>:<port>] [-B <host>:<port> <host1>:<port1>... --] [-I <host>] [-o <n>] [-g <n>] [-t <dir>] [-D] [-c <dir>] [-q <SSL>] [-z <SSL>] [-M install <name>] [-M remove <name>] <st> [-- <st>]... If the ``-C <file>'' flag is used, the program read these options and ``<st>''s from the configuration file ``<file>''. If the ``-P <command>'' flag is used, the program executes pre-processor to read the configuration file. ``-Q <options>'' can be used to pass options to the pre-processor. If the ``-N'' flag is used, stone will terminate after parsing options without opening the ports. If the ``-d'' flag is used, then increase the debug level. If the ``-p'' flag is used, data repeated by stone are dumped. If the ``-n'' is used, IP addresses and service port numbers are shown instead of host names and service names. If the ``-u <max>[:div_d:div_s] | [max]<:div_d:div_s>'' flag (Both ``<max>'', ``<div_d>'' and ``<div_s>'' are integers) is used, the program memorize ``<max>'' UDP sources simultaneously. The default value is 100. ``div_d'' and ``div_s'' are the maximum number of diverse sockets per UDP source. The suffix ``_d'' is for destination, ``_s'' for source diversity respectively. The default diverse value is 1. **About UDP diversity:** The UDP diversity is similar to MIMO diversity in wireless communication. It's purpose is to allow UDP packets tranversing some powerful DPI firewalls hopefully. UDP repeater will randomly choose outbound socket (up to ``div_s'' choices per source) for each packet. The destination port is randomly chose from a range of [port, port + div_d - 1]. There should be some NAT tricks on remote host to converge all packets to the real receiver and vice versa. *DO AVOID ABUSE* If the ``-f <n>'' flag (``<n>'' is integer) is used, the program spawn ``<n>'' child processes. The default behavior is not to spawn any child processes. If the ``-l'' flag is used, the program sends error messages to the syslog instead of stderr. If the ``-L <file>'' (``<file>'' is a file name) flag is used, the program writes error messages to the file. If the ``-a <file>'' flag is used, the program writes accounting to the file. If the ``-i <file>'' flag is used, the program writes its process ID to the file. The ``-X <n>'' flag alters the buffer size of the repeater. The default value is 1000 bytes. If the ``-T <n>'' is used, the timeout of TCP sessions can be specified to ``<n>'' sec. Default: 600. The ``-A'' flag specifies the maximum length the queue of pending connections may grow to. Default: 50. The ``-r'' flag is used, SO_REUSEADDR is set on the socket of <st> . Using the ``-x <port>[,<port>][-<port>]... <xhost>... --'' flag, the http proxy (described later) can only connect to <xhost>:<port>. If more than one ``-x ... --'' flags are designated, the posterior one whose <port> list matches the connecting port. If the ``-x --'' is used, prior ``-x'' flags are ignored. The ``-b <n> <master>:<port> <backup>:<port>'' flag designates the backup destination for <master>:<port>. The program checks every <n> seconds whether <master>:<port> is connectable, using the health check script defined by ``-s'' flag described below. If not, the backup is used instead. Alternative <host> can be checked, using ``host=<host>'' and alternative <port>, using ``port=<port>''. The ``-s <send> <expect>... --'' flag defines the health check script. Sending <send>, then checks whether the response match the regular expression <expect>. The ``-B <host>:<port> <host1>:<port1>... --'' is for the destination group. If the destination of <st> is <host>:<port>, the program chooses a destination randomly from the group. The destination <host>:<port> that is designated by ``-b'' flag and turned out unhealthy, is excluded from the group. The ``-I <host>'' designates the interface used as the source address of the connection to the desctination. If the ``-o <n>'' or ``-g <n>'' flag is used, the program set its uid or gid to ``<n>'' respectively. If the ``-t <dir>'' flag (``<dir>'' is a directory) is used, the program change its root to the directory. If the ``-D'' flag is used, stone runs as a daemon. The ``-c <dir>'' flag designates the directory for core dump. The ``-M install <name>'' and the ``-M remove <name>'' flags are for NT service. ``<name>'' is the service name. Start the service using the command: net start <name>. To install stone service as the name ``repeater'', for example: C:\>stone -M install repeater -C C:\stone.cfg C:\>net start repeater The ``-q <SSL>'' and the ``-z <SSL>'' flags are for SSL encryption. The ``-q <SSL>'' is for the client mode, that is, when stone connects to the other SSL server as a SSL client. The ``-z <SSL>'' if for the server mode, that is, when other SSL clients connect to the stone. ``<SSL>'' is one of the following. default reset SSL options to the default. Using multiple <st>, different SSL options can be designated for each <st>. verbose verbose mode. verify require SSL certificate to the peer. verify,once request a client certificate on the initial TLS/SSL handshake. (-z only) verify,ifany The certificate returned (if any) is checked. (-z only) verify,none never request SSL certificate to the peer. crl_check lookup CRLs. crl_check_all lookup CRLs for whole chain. uniq if the serial number of peer's SSL certificate is different from the previous session, deny it. re<n>=<regex> The certificate of the peer must satisfy the <regex>. <n> is the depth. re0 means the subject of the certificate, and re1 means the issure. The maximum of <n> is 9. if <n> is negative, re-1 means the root CA and re-2 means its child CA. depth=<n> The maximum of the certificate chain. If the peer's certificate exceeds <n>, the verification fails. The maximum of <n> is 9. tls1 Just use TLSv1 protocol. ssl3 Just use SSLv3 protocol. ssl2 Just use SSLv2 protocol. no_tls1 Turn off TLSv1 protocol. no_ssl3 Turn off SSLv3 protocol. no_ssl2 Turn off SSLv2 protocol. sni Server Name Indication (SNI). servername=<str> The name of the server indicated by SNI. bugs Switch on all SSL implementation bug workarounds. serverpref Use server's cipher preferences (only SSLv2). sid_ctx=<str> Set session ID context. passfile=<file> The filename of the file containing password of the key passfilepat=<file> The pattern of the filename key=<file> The filename of the secret key of the certificate. keypat=<file> The pattern of the filename cert=<file> The filename of the certificate. certpat=<file> The pattern of the filename certkey=<file> The filename of the certificate with the secret key. certkeypat=<file> The pattern of the filename CAfile=<file> The filename of the certificate of the CA. CApath=<dir> The directory of the certificate files. pfx=<file> The filename of the PKCS#12 bag. pfxpat=<file> The pattern of the filename store=<prop> [Windows] Use the secret key in the Cert Store. designate by "SUBJ:<substr>" or "THUMB:<hex>" storeCA [Windows] Use CA certificates in the Cert Store. cipher=<list> The list of ciphers. lb<n>=<m> change the destination according to the certificate of the peer. The number calculated from the matched string to the <n>th ( ... ) in the ``regex'' of SSL options (mod <m>) is used to select the destination from the destination group defined by ``-B'' flag. ``<st>'' is one of the following. Multiple ``<st>'' can be designated, separated by ``--''. (1) <host>:<port> <sport> [<xhost>...] (2) <host>:<port> <shost>:<sport> [<xhost>...] (3) proxy <sport> [<xhost>...] (4) <host>:<port>/http <sport> <request> [<xhost>...] (5) <host>:<port>/proxy <sport> <header> [<xhost>...] (6) health <sport> [<xhost>...] The program repeats the connection on port ``<sport>'' to the other machine ``<host>'' port ``<port>''. If the machine, on which the program runs, has two or more interfaces, type (2) can be used to repeat the connection on the specified interface ``<shost>''. You can also specify path name that begins with ``/'' or ``./'', instead of ``<host>:<port>'' so that the program handles a unix domain socket. Type (3) is a http proxy. Specify the machine, on which the program runs, and port ``<sport>'' in the http proxy settings of your WWW browser. Extentions can be added to the ``proxy'' like ``<xhost>/<ext>''. <ext> is: v4only limit the destination within IP addresses. v6only limit the destination within IPv6 addresses. Type (4) relays stream over http request. ``<request>'' is the request specified in HTTP 1.0. In the ``<request>'', ``\'' is the escape character, and the following substitution occurs. \n newline (0x0A) \r return (0x0D) \t tab (0x09) \\ \ itself (0x5C) \a the IP address of the client connecting to the stone. \A <IP address of the client>:<port number> \d the destination IP address \D <dst IP address>:<port number> (for transparent proxy) \u uid (number) of the client \U user name of the client \g gid (number) of the client \G group name of the client \u \U \g \G are valid in the case of unix domain socket \0 the serial number of peer's SSL certificate. \1 - \9 the matched string in the ``regex'' of SSL options. \?1<then>\:<else>\/ if \1 (\2 - \9 in a similar way) is not null, <then>, otherwise <else>. Type (5) repeats http request with ``<header>'' in the top of request headers. The above escapes can be also used. If ``/mproxy'' is designated instead of ``/proxy'', ``<header>'' is added to each request headers. Type (6) designates the port that other programs can check whether the stone runs `healthy' or not. Following commands are available to check the stone. HELO <any string> returns the status of the stone STAT # of threads, mutex conflicts FREE length of free lists CLOCK seconds passed CVS_ID CVS ID CONFIG content of the configuration file STONE configuration of each stones LIMIT <var> <n> check the value of <var> is less than <n> ``<var>'' is one of the following: PAIR the number of ``pair'' CONN the number of ``conn'' ESTABLISHED seconds passed since the last conn established READWRITE seconds passed since the last read/write ASYNC the number of threads The response of the stone is 2xx when normal, or 5xx when abnormal on the top of line. If the ``<xhost>'' are used, only machines or its IP addresses listed in ``<xhost>'' separated by space character can connect to the program and to be repeated. Extentions can be added to the ``<xhost>'' like ``<xhost>/<ex>,<ex>...''. <ex> is: <m> You can designate the length of prefix bits of the netmask, so that only machines on specified. In the case of class C network 192.168.1.0, for example, use ``192.168.1.0/24''. v4 <xhost> is resolved as the IP address. v6 <xhost> is resolved as the IPv6 address. p<m> the data repeated by the program are dumped, only if it was connected by the machines specified by <xhost>. <m> is the dump mode, equivalent to the number of ``-p'' options. Use ``!'' instead of ``<xhost>'', to deny machines by following ``<xhost>''. Extentions can be added to the ``<port>'' like ``<port>/<ext>,<ext>...''. <ext> is: udp repeats UDP instead of TCP. obf obfuscating UDP packets with variable size extra random bytes. *No encryption applied. It's the peers' choice. Or DTLS support should be added to stone.* ssl forwards with encryption. v6 connects to the destination using IPv6. base forwards with MIME base64 encoding. Extentions can be added to the ``<sport>'' like ``<sport>/<ext>,<ext>...''. <ext> is: udp repeats UDP instead of TCP. obf obfuscating UDP packets with variable size extra random bytes. *No encryption applied. It's the peers' choice. Or DTLS support should be added to stone.* apop converts POP to APOP. The conversion is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm. ssl forwards with decryption. v6 accepts connection using IPv6. If <shost> is omitted like (1), IP is also acceptable. v6only accepts connection using IPv6 only. Even if <shost> is omitted like (1), IP is not acceptable. base forwards with MIME base64 decoding. http relays stream over http. ident identifies the owner of the incoming connection on the peer using ident protocol (RFC1413). EXAMPLES outer: a machine in the outside of the firewall inner: a machine in the inside of the firewall fwall: the firewall on which the stone is executed stone outer:telnet 10023 Repeats the telnet protocol to ``outer''. Run ``telnet fwall 10023'' on ``inner''. stone outer:domain/udp domain/udp Repeats the DNS query to ``outer''. Run ``nslookup - fwall'' on ``inner''. stone outer:ntp/udp ntp/udp Repeats the NTP to ``outer''. Run ``ntpdate fwall'' on ``inner''. stone localhost:http 443/ssl Make WWW server that supports ``https''. Access ``https://fwall/'' using a WWW browser. stone localhost:telnet 10023/ssl Make telnet server that supports SSL. Run ``SSLtelnet -z ssl fwall 10023'' on ``inner''. stone proxy 8080 http proxy. stone outer:110/apop 110 connect to inner:pop using a mailer that does not support APOP. Where fwall is a http proxy (port 8080): stone fwall:8080/http 10023 'POST http://outer:8023 HTTP/1.0' stone localhost:telnet 8023/http Run stones on ``inner'' and ``outer'' respectively. Relays stream over http. stone fwall:8080/proxy 9080 'Proxy-Authorization: Basic c2VuZ29rdTpoaXJvYWtp' for browser that does not support proxy authorization. HOMEPAGE The official homepage of stone is: http://www.gcd.org/sengoku/stone/ COPYRIGHT All rights about this program ``stone'' are reserved by the original author, Hiroaki Sengoku. The program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (GPL). Furthermore you can link it with openssl. NO WARRANTY This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY. #2939 http://www.gcd.org/sengoku/ Hiroaki Sengoku <[email protected]>
About
Simple repeater "stone". Forked from gcd.org. TODO: Add DTLS support for UDP.
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published
Languages
- C 100.0%