* James Hozier <guitars...@yahoo.com> [2011-01-28 16:56]: > I'm looking for a program that I can use to use SOCKS proxies for various > programs, such as different IRC clients (ircII, irssi, etc.) and SSH as well > (or other programs that don't have native SOCKS proxy support built-in). > > For SSH I Googled a lot of articles on how to run SSH as a proxy server, but > not how to SSH using a proxy. > > Since tsocks is very obsolete and dsocks is very limited in its support with > programs, is dante the only viable option I currently have? (Since dsocks and > dante conflict with trying to pkg_add I can only have one.)
i hacked up transproxy for that at one point for a customer with a weird setup. i have no idea wether this still works, and it isn't all work of mine, i used some bits i found somewhere, but don't remember where. looong time ago, at least 2 years.
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/transproxy/Makefile,v
retrieving revision 1.21
diff -u -p -r1.21 Makefile
--- Makefile 19 Oct 2010 08:02:57 -0000 1.21
+++ Makefile 28 Jan 2011 16:37:18 -0000
@@ -2,7 +2,7 @@
 COMMENT= transparent www proxy driver for pf
-DISTNAME= transproxy-1.4
+DISTNAME= transproxy-1.6
 CATEGORIES= www net
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=transproxy/}
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/transproxy/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo 5 Apr 2007 17:26:26 -0000 1.3
+++ distinfo 28 Jan 2011 16:37:18 -0000
@@ -1,5 +1,5 @@
-MD5 (transproxy-1.4.tgz) = kpXJPP9FHDLfJa6KmMvRrw==
-RMD160 (transproxy-1.4.tgz) = WUs8xReiYbZpvFw0pDlURZUWxps=
-SHA1 (transproxy-1.4.tgz) = ghdk5nBsoVQA8WsracGTF4OFDV8=
-SHA256 (transproxy-1.4.tgz) = /L3AJeK3ZfB/S2DacOMtpTamTg4aL2mUTQJz0JqlgDs=
-SIZE (transproxy-1.4.tgz) = 22569
+MD5 (transproxy-1.6.tgz) = AswRYKnbnEmkBJH4kAgwRA==
+RMD160 (transproxy-1.6.tgz) = yk4w7sIrnQ67hBWyE6A6cx8eBa4=
+SHA1 (transproxy-1.6.tgz) = JlIjKzUQgF5zI2Eihn7vlLBI1HY=
+SHA256 (transproxy-1.6.tgz) = e8TOWrAWSNysolVV601MOmeu1ru0LhQyqqTpsgt12rM=
+SIZE (transproxy-1.6.tgz) = 23592
Index: patches/patch-Makefile
===================================================================
RCS file: /cvs/ports/www/transproxy/patches/patch-Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 patch-Makefile
--- patches/patch-Makefile 6 Dec 2001 07:28:11 -0000 1.2
+++ patches/patch-Makefile 28 Jan 2011 16:37:18 -0000
@@ -1,6 +1,6 @@ ---- Makefile.orig Thu Aug 17 23:35:46 2000 -+++ Makefile Fri Nov 30 13:24:09 2001 -@@ -46,6 +46,9 @@ OPTIONS += -DLOG_TO_FILE_LINEBUFF +--- Makefile.orig Wed Mar 31 14:19:34 2004 ++++ Makefile Fri Oct 24 13:54:04 2008 +@@ -47,8 +47,11 @@ OPTIONS += -DLOG_TO_FILE_LINEBUFF # BSD IPFILTER mechanism for fetching intended destination address. #OPTIONS += -DIPFILTER @@ -8,12 +8,15 @@ +OPTIONS += -DOPENBSD_PF + # linux-2.4 iptables mechanism for fetching intended destination address. - #OPTIONS += -DIPTABLES +-OPTIONS += -DIPTABLES ++#OPTIONS += -DIPTABLES -@@ -53,8 +56,8 @@ OPTIONS += -DLOG_TO_FILE_LINEBUFF - #OPTIONS += -DDO_DOUBLE_FORK + # Double fork to make init(8) handle zombie processes. Some Unix variants + # simply don't let you ignore the death of child processes easily. +@@ -56,8 +59,8 @@ OPTIONS += -DIPTABLES - # Define these to enable tcp_wrappers. You can use the built-in ACLs instead though. + # Define these to enable tcp_wrappers. You can use the built-in ACLs + # instead though. -#OPTIONS += -DTCP_WRAPPERS -#LIBS += -lwrap +OPTIONS += -DTCP_WRAPPERS Index: patches/patch-tproxy.c =================================================================== RCS file: /cvs/ports/www/transproxy/patches/patch-tproxy.c,v retrieving revision 1.2 diff -u -p -r1.2 patch-tproxy.c --- patches/patch-tproxy.c 6 Dec 2001 07:28:11 -0000 1.2 +++ patches/patch-tproxy.c 28 Jan 2011 16:37:18 -0000 @@ -1,7 +1,7 @@ ---- tproxy.c.orig Sun Feb 4 05:13:48 2001 -+++ tproxy.c Fri Nov 30 13:39:20 2001 -@@ -49,6 +49,15 @@ - # include <netinet/ip_nat.h> +--- tproxy.c.orig Tue May 24 15:26:46 2005 ++++ tproxy.c Fri Oct 24 13:52:46 2008 +@@ -53,6 +53,15 @@ + # include <linux/netfilter_ipv4.h> #endif +#ifdef OPENBSD_PF 
@@ -13,10 +13,18 @@ +# include <net/pfvar.h> +#endif /* OPENBSD_PF */ + - #ifdef IPTABLES - # include <linux/netfilter_ipv4.h> + #ifdef TCP_WRAPPERS + # include <tcpd.h> #endif -@@ -188,6 +197,13 @@ static FILE *log_file = NULL; +@@ -175,6 +184,7 @@ static char *prog; + static int daemonize = 1; + static int fully_transparent = 0; + static int proxy_only = 0; ++static int socks_header = 0; + static char *force_url = NULL; + static int force_url_length; + #ifdef LOG_TO_FILE +@@ -190,6 +200,13 @@ static int ignore_alarm; static int natdev = -1; #endif @@ -30,13 +38,41 @@ #ifdef TCP_WRAPPERS /* * The syslog levels for tcp_wrapper checking. -@@ -370,6 +386,17 @@ int main(int argc, char **argv) +@@ -234,18 +251,26 @@ int main(int argc, char **argv) + /* + * Parse the command line arguments. + */ +- while ((arg = getopt(argc, argv, "dtps:r:b:f:l:a:")) != EOF) ++ while ((arg = getopt(argc, argv, "Sdtps:r:b:f:l:a:")) != EOF) + { + switch (arg) + { ++ case 'S': ++ proxy_only = 1; ++ socks_header = 1; ++ fully_transparent = 0; ++ break; ++ + case 't': + fully_transparent = 1; + proxy_only = 0; ++ socks_header = 0; + break; + + case 'p': + proxy_only = 1; + fully_transparent = 0; ++ socks_header = 0; + break; + + case 's': +@@ -372,6 +397,17 @@ int main(int argc, char **argv) } #endif +#ifdef OPENBSD_PF + /* -+ * Open /dev/pf before giving up our uid/gif. ++ * Open /dev/pf before giving up our uid/gid. + */ + if ((pfdev = open("/dev/pf", O_RDWR)) < 0) + { @@ -48,7 +84,7 @@ #ifdef LOG_TO_FILE /* * Open the log file for the first time. -@@ -1002,6 +1029,9 @@ static void trans_proxy(int sock, struct +@@ -1025,6 +1061,9 @@ static void trans_proxy(int sock, struct sockaddr_in * #ifdef IPFILTER natlookup_t natlook; #endif 
@@ -58,11 +94,10 @@ /* * Initialise the connection structure. -@@ -1078,6 +1108,34 @@ static void trans_proxy(int sock, struct - conn.dest_addr.sin_addr = natlook.nl_realip; +@@ -1099,6 +1138,34 @@ static void trans_proxy(int sock, struct sockaddr_in * conn.dest_addr.sin_port = natlook.nl_realport; #endif -+ + +#ifdef OPENBSD_PF + /* + * Build up the PF natlookup structure. 
@@ -90,6 +125,95 @@ + conn.dest_addr.sin_addr.s_addr = natlook.rdaddr.addr32[0]; + conn.dest_addr.sin_port = natlook.rdport; +#endif /* OPENBSD_PF */ - ++ #endif/*!IPTABLES*/ + /* +@@ -1148,6 +1215,60 @@ static void trans_proxy(int sock, struct sockaddr_in * + return; + } + ++ if (socks_header) ++ { ++ char socks4_header[64]; ++ const char *socks_user = "nobody"; ++ int socks4_len; ++ int socks_err = 0; ++ ++ socks4_header[0] = 4; /* Socks version */ ++ socks4_header[1] = 1; /* CONNECT=1 BIND=2 */ ++ memcpy(socks4_header + 2, &conn.dest_addr.sin_port, 2); ++ memcpy(socks4_header + 4, &conn.dest_addr.sin_addr.s_addr, 4); ++ strlcpy(socks4_header + 8, socks_user, sizeof(socks4_header) - 8); ++ socks4_len = 8 + strlen(socks_user) + 1; ++ ++ if (write(conn.proxy_fd, socks4_header, socks4_len) != socks4_len) ++ socks_err = 1; ++ ++ if (socks_err == 0 && read(conn.proxy_fd, socks4_header, 8) != 8) ++ socks_err = 2; ++ ++ if (socks_err == 0 && socks4_header[0] != 0) ++ socks_err = 3; ++ ++ if (socks_err == 0 && socks4_header[1] < 90) ++ socks_err = 4; ++ ++ if (socks_err == 0 && socks4_header[1] > 90) ++ socks_err = socks4_header[1]; ++ ++ /* Check return value */ ++ if (socks_err != 0) { ++ switch(socks_err) { ++ default: ++ syslog(LOG_ERR, "Socks proxy \"%s\" returned error response.", server_hostname); ++ break; ++ case 1: ++ syslog(LOG_ERR, "Write failure connecting to socks proxy \"%s\"", server_hostname); ++ break; ++ case 2: ++ syslog(LOG_ERR, "Read failure connecting to socks proxy \"%s\"", server_hostname); ++ break; ++ case 91: ++ syslog(LOG_ERR, "Socks proxy \"%s\" rejected connection", server_hostname); ++ break; ++ case 92: case 93: ++ syslog(LOG_ERR, "Socks proxy \"%s\" requires ident match", server_hostname); ++ break; ++ } ++ close(conn.proxy_fd); ++ return; ++ } ++ conn.parse_state = PS_TRANSPARENT; ++ } ++ + /* + * This loop acts a bit like the guy in the middle of a "bucket brigade". 
+ * When the client passes some data, it gets handed off to the server, +@@ -1835,7 +1956,7 @@ static int process_client_request(connection_t *conn, + (strchr(conn->host_header, ':') == NULL)) + #endif + { +- sprintf(request_port, ":%u", ntohs(conn->dest_addr.sin_port)); ++ snprintf(request_port, sizeof(request_port), ":%u", ntohs(conn->dest_addr.sin_port)); + memcpy(&request_buffer[send_size], request_port, strlen(request_port)); + send_size += strlen(request_port); + conn->url_end_offset += strlen(request_port); +@@ -2047,7 +2168,7 @@ static void write_pid(char *prog) + char filename[1024]; + FILE *fp; + +- sprintf(filename, "%s%s.pid", _PATH_VARRUN, prog); ++ snprintf(filename, sizeof(filename), "%s%s.pid", _PATH_VARRUN, prog); + if ((fp = fopen(filename, "w")) != NULL) + { + fprintf(fp, "%lu\n", (unsigned long)getpid()); +@@ -2074,7 +2195,7 @@ static void term_signal(int sig) + { + char filename[1024]; + +- sprintf(filename, "%s%s.pid", _PATH_VARRUN, prog); ++ snprintf(filename, sizeof(filename), "%s%s.pid", _PATH_VARRUN, prog); + unlink(filename); + + #ifdef LOG_TO_SYSLOG Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/www/transproxy/pkg/PLIST,v retrieving revision 1.3 diff -u -p -r1.3 PLIST --- pkg/PLIST 15 Sep 2004 18:49:53 -0000 1.3 +++ pkg/PLIST 28 Jan 2011 16:37:18 -0000 @@ -1,5 +1,5 @@ @comment $OpenBSD: PLIST,v 1.3 2004/09/15 18:49:53 espie Exp $ @man man/man8/tproxy.8 -sbin/tproxy +@bin sbin/tproxy sbin/tproxyrun sbin/tproxywatch --- /dev/null Fri Jan 28 17:39:30 2011 +++ patches/patch-tproxy_8 Fri Oct 24 13:56:39 2008 
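Review bot: The reply check `read(conn.proxy_fd, socks4_header, 8) != 8` in the new `if (socks_header)` block treats any short read as a failed handshake, but the proxy's 8-byte SOCKS4 reply can legitimately arrive in pieces on a stream socket (and read() can be cut short by a signal, which may matter here since the daemon appears to use alarm), so a granted CONNECT would be logged as "Read failure" and the connection dropped. The read should loop until 8 bytes are collected or read() returns 0 or -1, as below. The reply-code tests `socks4_header[1] < 90` and `> 90` are done on plain `char`, whose signedness is implementation-defined; comparing `(unsigned char)socks4_header[1]` keeps a reply byte of 0x80 or above from reading as negative and being misreported as error 4. The `write()` of the request makes the same single-call assumption, though a short write there is unlikely on a fresh socket and only produces a spurious failure. trans_proxy starts outside this hunk.
```c
    /* … unchanged: build the SOCKS4 CONNECT request and write() it … */

    /* The 8-byte reply may arrive in pieces; keep reading until it is complete. */
    if (socks_err == 0)
    {
        int got = 0;
        while (got < 8)
        {
            ssize_t n = read(conn.proxy_fd, socks4_header + got, 8 - got);
            if (n <= 0)
            {
                socks_err = 2;
                break;
            }
            got += n;
        }
    }

    /* … unchanged: reply-code checks and error logging … */
```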
@@ -0,0 +1,23 @@ +$OpenBSD$ +--- tproxy.8.orig Fri Oct 24 13:54:13 2008 ++++ tproxy.8 Fri Oct 24 13:56:21 2008 +@@ -46,6 +46,9 @@ tproxy \- transparently re-direct HTTP requests to a H + .B \-p + ] + [ ++.B \-S ++] ++[ + .B \-f \fIforced-url + ] + [ +@@ -96,6 +99,9 @@ Operate in proxy only mode. Normally if the connection + will try and connect transparently to the intended destination. However + for some sites this will never work and it is better to simply fail + the connection. ++.TP ++.B \-S ++Use the socks4 protocol to connect to the destination host. + .TP + .B \-f \fIurl + Force all accesses to be sent to the specified URL. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting