%@(#)$Id: redirect.tex,v 1.11 2001/12/12 13:17:28 karls Exp $
%/*
% * Copyright (c) 2001
% *      Inferno Nettverk A/S, Norway.  All rights reserved.
% *
% * Redistribution and use in source and binary forms, with or without
% * modification, are permitted provided that the following conditions
% * are met:
% * 1. The above copyright notice, this list of conditions and the following
% *    disclaimer must appear in all copies of the software, derivative works
% *    or modified versions, and any portions thereof, aswell as in all
% *    supporting documentation.
% * 2. All advertising materials mentioning features or use of this software
% *    must display the following acknowledgement:
% *      This product includes software developed by
% *      Inferno Nettverk A/S, Norway.
% * 3. The name of the author may not be used to endorse or promote products
% *    derived from this software without specific prior written permission.
% *
% * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
% * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
% * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
% * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
% * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
% * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
% * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
% * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
% * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
% * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
% *
% * Inferno Nettverk A/S requests users of this software to return to
% *
% *  Software Distribution Coordinator  or  sdc@inet.no
% *  Inferno Nettverk A/S
% *  Oslo Research Park
% *  Gaustadalléen 21
% *  NO-0349 Oslo
% *  Norway
% *
% * any improvements or extensions that they make and grant Inferno Nettverk A/S
% * the rights to redistribute these changes.
% *
% */

\documentclass[a4paper, final, twoside, english]{article}
\usepackage[latin1]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{babel}
\usepackage{html}

\title{\emph{Dante}, Module \emph{Redirect}}
\author{
  Inferno Nettverk A/S \\
  Oslo Research Park \\
  Gaustadalléen 21 \\
  NO-0349 Oslo \\
  Norway}
\date{$$$$Date: 2001/12/12 13:17:28 $$$$}

\makeindex

\begin{document}
\maketitle
\thispagestyle{empty}
\clearpage
\setcounter{page}{1}

\section{Description}
  The \emph{Redirect} module gives you control over both where clients'
  requests and replies will end up, and what addresses and port ranges the
  Dante server will use on behalf of the clients for outgoing connections.

  It can be used to redirect clients' connections from one address to
  another, which is useful when, for instance, you want clients to go via a
  local web proxy instead of directly to the web server.

  It can be used to restrict the port ranges used by the Dante server, which
  is useful when a firewall needs to know what port ranges the Dante server
  will use.

  A stranger but also possible use is to limit the number of sessions
  clients can establish.

\section{Syntax}
  The syntax of the \texttt{redirect} statement is as follows:

  \verb"redirect from: <address> to: <address>"

  Either \texttt{from} or \texttt{to} may be omitted, but at least one must
  be given.
  Each \texttt{address} is an address in the usual Dante format.

\section{Semantics}
  The \texttt{redirect} statement is part of a socks-rule.
  The meaning of \texttt{to} and \texttt{from} varies considerably depending
  on which socks \texttt{command} the \texttt{redirect} statement applies to.

  The following subsections detail the semantics of each \emph{redirect}
  application based on the \texttt{command} used (with the corresponding
  \texttt{protocol} in parentheses, for those preferring that).

  \subsection{\texttt{bind} (\texttt{protocol: tcp})}
    \texttt{from} is the address to bind on behalf of the client. \\
    \texttt{to} is ignored.
  \subsection{\texttt{bindreply} (\texttt{protocol: tcp})}
    \texttt{from} is the address to tell the client the bindreply
    (connection) is from. \\
    \texttt{to} is the address to send the bindreply (connection) to.

  \subsection{\texttt{connect} (\texttt{protocol: tcp})}
    \texttt{from} is the address to use on behalf of the client for making
    the connection. \\
    \texttt{to} is the address to connect the client to.

  \subsection{\texttt{udpassociate} (\texttt{protocol: udp})}
    \texttt{from} is the address to use on behalf of the client for sending
    udp packets. \\
    \texttt{to} is the address to send packets from the client to.

  \subsection{\texttt{udpreply} (\texttt{protocol: udp})}
    \texttt{from} is the address to tell the client the reply is from. \\
    \texttt{to} is the address to send the reply to.

\section{Examples}
  This section shows several examples of how one could use the
  \emph{redirect} module.

  \subsection{Redirecting web-requests to a web proxy}
    The rule below redirects clients from the \texttt{10.0.0.0/24} net who
    want to connect to the http port of any address to the address
    \texttt{squid.example.com}, port \texttt{3128}.

\begin{verbatim}
pass {
   from: 10.0.0.0/24 to: 0.0.0.0/0 port = http
   command: connect
   redirect to: squid.example.com port = 3128
}
\end{verbatim}

  \subsection{Limiting the portranges used by the \emph{Dante} server}
    The next rule says that the server should limit itself to using
    port ranges above \texttt{32768} on the interface \texttt{de1} when
    sending packets out on behalf of the clients on the
    \texttt{10.1.1.0/24} net.

\begin{verbatim}
pass {
   from: 10.0.0.0/24
   redirect from: de1 port > 32768
}
\end{verbatim}

  \subsection{Limiting concurrent user sessions}
    A more novel use of the \texttt{redirect} statement allows one, in a
    rather ad-hoc way, to limit the number of concurrent user sessions.
    The next rule says the server should limit itself to using the
    port range \texttt{2048 - 2051} on the interface \texttt{de1}, a range of
    four port numbers, for the client 10.0.0.1.

\begin{verbatim}
pass {
   from: 10.0.0.1/32
   redirect from: de1 port 2048 - 2051
}
\end{verbatim}

    When the client 10.1.1.1 reaches four concurrent sessions, it will not
    be able to create new ones until it closes one of the previously
    established sessions.

    For this to work correctly, however, no other client may accidentally
    end up using the same port range.
    One way to accomplish this is to use the interface name \texttt{de1}
    exclusively for this purpose; another is to make sure all other rules
    use a different port range by giving each its own \texttt{redirect}
    statement. The former is greatly preferred.

    As can probably be guessed, this usage of the \texttt{redirect}
    statement was not intended in the design; it was discovered by accident
    and is mentioned here since it could be useful.

\end{document}
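The condition stated under ``Limiting concurrent user sessions'' (no other rule may end up in the same port range on the same interface) can be checked before a rule set is deployed. The Python script below is an added example, not part of the Dante distribution; it parses only the rule forms shown in this document, and the 10.0.0.2 rule in its sample is constructed to show a collision.

```python
import re
from itertools import combinations

# Constructed sample: the rules from this document plus one hypothetical
# rule (10.0.0.2) that reuses part of the four-port session-limit range.
SAMPLE = """
pass { from: 10.0.0.0/24 redirect from: de1 port > 32768 }
pass { from: 10.0.0.1/32 redirect from: de1 port 2048 - 2051 }
pass { from: 10.0.0.2/32 redirect from: de1 port 2050 - 2060 }
pass { from: 10.0.0.0/24 to: 0.0.0.0/0 port = http command: connect
       redirect to: squid.example.com port = 3128 }
"""

RULE = re.compile(r"pass\s*\{(.*?)\}", re.S)
REDIR = re.compile(r"redirect\s+from:\s*(\S+)\s+port\s*(>\s*\d+|=\s*\d+|\d+\s*-\s*\d+)")

def port_range(spec):
    """Turn '> N', '= N' or 'A - B' into an inclusive (low, high) pair."""
    nums = [int(n) for n in re.findall(r"\d+", spec)]
    if spec.startswith(">"):
        return nums[0] + 1, 65535
    if spec.startswith("="):
        return nums[0], nums[0]
    return nums[0], nums[1]

def parse_rules(text):
    """Split rules into those with a 'redirect from ... port' limit and those without."""
    limited, unconstrained = [], []
    for body in RULE.findall(text):
        m = re.search(r"from:\s*(\S+)", body.split("redirect")[0])
        client = m.group(1) if m else "any"
        r = REDIR.search(body)
        if r:
            limited.append((client, r.group(1), *port_range(r.group(2))))
        else:
            unconstrained.append(client)  # no outgoing port range of its own
    return limited, unconstrained

def overlaps(limited):
    """Rule pairs whose outgoing port ranges intersect on the same interface."""
    return [(a[0], b[0], a[1], max(a[2], b[2]), min(a[3], b[3]))
            for a, b in combinations(limited, 2)
            if a[1] == b[1] and a[2] <= b[3] and b[2] <= a[3]]

if __name__ == "__main__":
    limited, unconstrained = parse_rules(SAMPLE)
    for c1, c2, iface, lo, hi in overlaps(limited):
        print(f"{c1} and {c2} share {iface} ports {lo}-{hi}")
    print("rules without their own 'redirect from' port range:", unconstrained)
```

Interfaces are compared by name as written, so two rules that refer to the same address in different ways are not matched.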