* James Hozier <guitars...@yahoo.com> [2011-01-28 16:56]:
> I'm looking for a program that I can use to use SOCKS proxies for various 
> programs, such as different IRC clients (ircII, irssi, etc.) and SSH as well 
> (or other programs that don't have native SOCKS proxy support built-in).
> 
> For SSH I Googled a lot of articles on how to run SSH as a proxy server, but 
> not how to SSH using a proxy.
> 
> Since tsocks is very obsolete and dsocks is very limited in its support with 
> programs, is dante the only viable option I currently have? (Since dsocks and 
> dante conflict with trying to pkg_add I can only have one.)

i hacked up transproxy for that at one point for a customer with a
weird setup.

i have no idea whether this still works, and it isn't all my own work;
i used some bits i found somewhere, but don't remember where. looong
time ago, at least 2 years.

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/transproxy/Makefile,v
retrieving revision 1.21
diff -u -p -r1.21 Makefile
--- Makefile    19 Oct 2010 08:02:57 -0000      1.21
+++ Makefile    28 Jan 2011 16:37:18 -0000
@@ -2,7 +2,7 @@
 
 COMMENT=       transparent www proxy driver for pf
 
-DISTNAME=      transproxy-1.4
+DISTNAME=      transproxy-1.6
 CATEGORIES=    www net
 
 MASTER_SITES=   ${MASTER_SITE_SOURCEFORGE:=transproxy/}
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/transproxy/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo    5 Apr 2007 17:26:26 -0000       1.3
+++ distinfo    28 Jan 2011 16:37:18 -0000
@@ -1,5 +1,5 @@
-MD5 (transproxy-1.4.tgz) = kpXJPP9FHDLfJa6KmMvRrw==
-RMD160 (transproxy-1.4.tgz) = WUs8xReiYbZpvFw0pDlURZUWxps=
-SHA1 (transproxy-1.4.tgz) = ghdk5nBsoVQA8WsracGTF4OFDV8=
-SHA256 (transproxy-1.4.tgz) = /L3AJeK3ZfB/S2DacOMtpTamTg4aL2mUTQJz0JqlgDs=
-SIZE (transproxy-1.4.tgz) = 22569
+MD5 (transproxy-1.6.tgz) = AswRYKnbnEmkBJH4kAgwRA==
+RMD160 (transproxy-1.6.tgz) = yk4w7sIrnQ67hBWyE6A6cx8eBa4=
+SHA1 (transproxy-1.6.tgz) = JlIjKzUQgF5zI2Eihn7vlLBI1HY=
+SHA256 (transproxy-1.6.tgz) = e8TOWrAWSNysolVV601MOmeu1ru0LhQyqqTpsgt12rM=
+SIZE (transproxy-1.6.tgz) = 23592
Index: patches/patch-Makefile
===================================================================
RCS file: /cvs/ports/www/transproxy/patches/patch-Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 patch-Makefile
--- patches/patch-Makefile      6 Dec 2001 07:28:11 -0000       1.2
+++ patches/patch-Makefile      28 Jan 2011 16:37:18 -0000
@@ -1,6 +1,6 @@
---- Makefile.orig      Thu Aug 17 23:35:46 2000
-+++ Makefile   Fri Nov 30 13:24:09 2001
-@@ -46,6 +46,9 @@ OPTIONS += -DLOG_TO_FILE_LINEBUFF
+--- Makefile.orig      Wed Mar 31 14:19:34 2004
++++ Makefile   Fri Oct 24 13:54:04 2008
+@@ -47,8 +47,11 @@ OPTIONS += -DLOG_TO_FILE_LINEBUFF
  # BSD IPFILTER mechanism for fetching intended destination address.
  #OPTIONS += -DIPFILTER
  
@@ -8,12 +8,15 @@
 +OPTIONS += -DOPENBSD_PF
 +
  # linux-2.4 iptables mechanism for fetching intended destination address.
- #OPTIONS += -DIPTABLES
+-OPTIONS += -DIPTABLES
++#OPTIONS += -DIPTABLES
  
-@@ -53,8 +56,8 @@ OPTIONS += -DLOG_TO_FILE_LINEBUFF
- #OPTIONS += -DDO_DOUBLE_FORK
+ # Double fork to make init(8) handle zombie processes. Some Unix variants
+ # simply don't let you ignore the death of child processes easily.
+@@ -56,8 +59,8 @@ OPTIONS += -DIPTABLES
  
- # Define these to enable tcp_wrappers. You can use the built-in ACLs instead 
though.
+ # Define these to enable tcp_wrappers. You can use the built-in ACLs
+ # instead though.
 -#OPTIONS += -DTCP_WRAPPERS
 -#LIBS    += -lwrap
 +OPTIONS += -DTCP_WRAPPERS
Index: patches/patch-tproxy.c
===================================================================
RCS file: /cvs/ports/www/transproxy/patches/patch-tproxy.c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-tproxy.c
--- patches/patch-tproxy.c      6 Dec 2001 07:28:11 -0000       1.2
+++ patches/patch-tproxy.c      28 Jan 2011 16:37:18 -0000
@@ -1,7 +1,7 @@
---- tproxy.c.orig      Sun Feb  4 05:13:48 2001
-+++ tproxy.c   Fri Nov 30 13:39:20 2001
-@@ -49,6 +49,15 @@
- # include <netinet/ip_nat.h>
+--- tproxy.c.orig      Tue May 24 15:26:46 2005
++++ tproxy.c   Fri Oct 24 13:52:46 2008
+@@ -53,6 +53,15 @@
+ # include <linux/netfilter_ipv4.h>
  #endif
  
 +#ifdef OPENBSD_PF
@@ -13,10 +13,18 @@
 +# include <net/pfvar.h>
 +#endif /* OPENBSD_PF */
 +
- #ifdef IPTABLES
- # include <linux/netfilter_ipv4.h>
+ #ifdef TCP_WRAPPERS
+ # include <tcpd.h>
  #endif
-@@ -188,6 +197,13 @@ static FILE                               *log_file = 
NULL;
+@@ -175,6 +184,7 @@ static char                                *prog;
+ static int                            daemonize = 1;
+ static int                            fully_transparent = 0;
+ static int                            proxy_only = 0;
++static int                            socks_header = 0;
+ static char                           *force_url = NULL;
+ static int                            force_url_length;
+ #ifdef LOG_TO_FILE
+@@ -190,6 +200,13 @@ static int                                ignore_alarm;
  static int                            natdev = -1;
  #endif
  
@@ -30,13 +38,41 @@
  #ifdef TCP_WRAPPERS
  /*
   * The syslog levels for tcp_wrapper checking.
-@@ -370,6 +386,17 @@ int main(int argc, char **argv)
+@@ -234,18 +251,26 @@ int main(int argc, char **argv)
+       /*
+        * Parse the command line arguments.
+        */
+-      while ((arg = getopt(argc, argv, "dtps:r:b:f:l:a:")) != EOF)
++      while ((arg = getopt(argc, argv, "Sdtps:r:b:f:l:a:")) != EOF)
+       {
+               switch (arg)
+               {
++              case 'S':
++                      proxy_only = 1;
++                      socks_header = 1;
++                      fully_transparent = 0;
++                      break;
++
+               case 't':
+                       fully_transparent = 1;
+                       proxy_only = 0;
++                      socks_header = 0;
+                       break;
+ 
+               case 'p':
+                       proxy_only = 1;
+                       fully_transparent = 0;
++                      socks_header = 0;
+                       break;
+ 
+               case 's':
+@@ -372,6 +397,17 @@ int main(int argc, char **argv)
        }
  #endif
  
 +#ifdef OPENBSD_PF
 +      /*
-+       * Open /dev/pf before giving up our uid/gif.
++       * Open /dev/pf before giving up our uid/gid.
 +       */
 +      if ((pfdev = open("/dev/pf", O_RDWR)) < 0)
 +      {
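Review bot: The `/dev/pf` descriptor in the OPENBSD_PF block is opened with `O_RDWR` while still privileged and, per its comment, kept across the uid/gid drop, so the unprivileged proxy process keeps a write-capable handle to the packet filter. The line is carried over unchanged from the previous revision of the patch, but this update is a good moment to narrow it. The only use of `pfdev` visible in this patch is the NAT lookup in trans_proxy, which as far as I know pf allows on a read-only descriptor, so `open("/dev/pf", O_RDONLY)` should be enough; confirm that on the target release. The error branch of the open continues outside this hunk.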
@@ -48,7 +84,7 @@
  #ifdef LOG_TO_FILE
        /*
         * Open the log file for the first time.
-@@ -1002,6 +1029,9 @@ static void trans_proxy(int sock, struct
+@@ -1025,6 +1061,9 @@ static void trans_proxy(int sock, struct sockaddr_in *
  #ifdef IPFILTER
        natlookup_t                     natlook;
  #endif
@@ -58,11 +94,10 @@
  
        /*
         * Initialise the connection structure.
-@@ -1078,6 +1108,34 @@ static void trans_proxy(int sock, struct
-       conn.dest_addr.sin_addr = natlook.nl_realip;
+@@ -1099,6 +1138,34 @@ static void trans_proxy(int sock, struct sockaddr_in *
        conn.dest_addr.sin_port = natlook.nl_realport;
  #endif
-+
+ 
 +#ifdef OPENBSD_PF
 +      /*
 +       * Build up the PF natlookup structure.
@@ -90,6 +125,95 @@
 +      conn.dest_addr.sin_addr.s_addr = natlook.rdaddr.addr32[0];
 +      conn.dest_addr.sin_port = natlook.rdport;
 +#endif /* OPENBSD_PF */
- 
++
  #endif/*!IPTABLES*/
  
+       /*
+@@ -1148,6 +1215,60 @@ static void trans_proxy(int sock, struct sockaddr_in *
+               return;
+       }
+ 
++      if (socks_header) 
++      {
++              char socks4_header[64];
++              const char *socks_user = "nobody";
++              int socks4_len;
++              int socks_err = 0;
++
++              socks4_header[0] = 4; /* Socks version */
++              socks4_header[1] = 1; /* CONNECT=1 BIND=2 */
++              memcpy(socks4_header + 2, &conn.dest_addr.sin_port, 2);
++              memcpy(socks4_header + 4, &conn.dest_addr.sin_addr.s_addr, 4);
++              strlcpy(socks4_header + 8, socks_user, sizeof(socks4_header) - 
8);
++              socks4_len = 8 + strlen(socks_user) + 1;
++
++              if (write(conn.proxy_fd, socks4_header, socks4_len) != 
socks4_len)
++                      socks_err = 1;
++
++              if (socks_err == 0 && read(conn.proxy_fd, socks4_header, 8) != 
8)
++                      socks_err = 2;
++
++              if (socks_err == 0 && socks4_header[0] != 0)
++                      socks_err = 3;
++
++              if (socks_err == 0 && socks4_header[1] < 90)
++                      socks_err = 4;
++
++              if (socks_err == 0 && socks4_header[1] > 90)
++                      socks_err = socks4_header[1];
++
++              /* Check return value */
++              if (socks_err != 0) {
++                      switch(socks_err) {
++                      default:
++                              syslog(LOG_ERR, "Socks proxy \"%s\" returned 
error response.", server_hostname);
++                              break;
++                      case 1:
++                              syslog(LOG_ERR, "Write failure connecting to 
socks proxy \"%s\"", server_hostname);
++                              break;
++                      case 2:
++                              syslog(LOG_ERR, "Read failure connecting to 
socks proxy \"%s\"", server_hostname);
++                              break;
++                      case 91:
++                              syslog(LOG_ERR, "Socks proxy \"%s\" rejected 
connection", server_hostname);
++                              break;
++                      case 92: case 93:
++                              syslog(LOG_ERR, "Socks proxy \"%s\" requires 
ident match", server_hostname);
++                              break;
++                      }
++                      close(conn.proxy_fd);
++                      return;
++              }
++              conn.parse_state = PS_TRANSPARENT;
++      }
++
+       /*
+        * This loop acts a bit like the guy in the middle of a "bucket 
brigade".
+        * When the client passes some data, it gets handed off to the server,
+@@ -1835,7 +1956,7 @@ static int process_client_request(connection_t *conn, 
+                                               (strchr(conn->host_header, ':') 
== NULL))
+ #endif
+                                       {
+-                                              sprintf(request_port, ":%u", 
ntohs(conn->dest_addr.sin_port));
++                                              snprintf(request_port, 
sizeof(request_port), ":%u", ntohs(conn->dest_addr.sin_port));
+                                               
memcpy(&request_buffer[send_size], request_port, strlen(request_port));
+                                               send_size += 
strlen(request_port);
+                                               conn->url_end_offset += 
strlen(request_port);
+@@ -2047,7 +2168,7 @@ static void write_pid(char *prog)
+       char    filename[1024];
+       FILE    *fp;
+ 
+-      sprintf(filename, "%s%s.pid", _PATH_VARRUN, prog);
++      snprintf(filename, sizeof(filename), "%s%s.pid", _PATH_VARRUN, prog);
+       if ((fp = fopen(filename, "w")) != NULL)
+       {
+               fprintf(fp, "%lu\n", (unsigned long)getpid());
+@@ -2074,7 +2195,7 @@ static void term_signal(int sig)
+ {
+       char    filename[1024];
+ 
+-      sprintf(filename, "%s%s.pid", _PATH_VARRUN, prog);
++      snprintf(filename, sizeof(filename), "%s%s.pid", _PATH_VARRUN, prog);
+       unlink(filename);
+ 
+ #ifdef LOG_TO_SYSLOG
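Review bot: The SOCKS4 reply in the new `if (socks_header)` block is fetched with a single `read(conn.proxy_fd, socks4_header, 8) != 8`, so a reply that arrives in more than one TCP segment is logged as a read failure and the connection is dropped; the read should loop until 8 bytes are in or read() returns 0 or -1. No timeout is visible around this exchange, so a proxy that accepts the connection and never answers would hold the handler in read() unless an alarm set outside the hunk covers it. The buffer is plain `char`, so the reply-code comparisons against 90 depend on char signedness; declaring it `unsigned char socks4_header[64]` (with a cast at the strlcpy call) removes that dependency. The error path closes only `conn.proxy_fd`, and whether the client `sock` is released elsewhere cannot be seen here because trans_proxy starts and ends outside the hunk.

```c
		/* … unchanged: build and write the SOCKS4 request … */

		if (socks_err == 0) {
			size_t got = 0;
			ssize_t n;

			/* A stream read may return fewer than 8 bytes; keep reading. */
			while (got < 8) {
				n = read(conn.proxy_fd, socks4_header + got, 8 - got);
				if (n <= 0) {
					socks_err = 2;
					break;
				}
				got += (size_t)n;
			}
		}

		/* … unchanged: reply-code checks and syslog switch … */
```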
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/www/transproxy/pkg/PLIST,v
retrieving revision 1.3
diff -u -p -r1.3 PLIST
--- pkg/PLIST   15 Sep 2004 18:49:53 -0000      1.3
+++ pkg/PLIST   28 Jan 2011 16:37:18 -0000
@@ -1,5 +1,5 @@
 @comment $OpenBSD: PLIST,v 1.3 2004/09/15 18:49:53 espie Exp $
 @man man/man8/tproxy.8
-sbin/tproxy
+@bin sbin/tproxy
 sbin/tproxyrun
 sbin/tproxywatch
--- /dev/null   Fri Jan 28 17:39:30 2011
+++ patches/patch-tproxy_8      Fri Oct 24 13:56:39 2008
@@ -0,0 +1,23 @@
+$OpenBSD$
+--- tproxy.8.orig      Fri Oct 24 13:54:13 2008
++++ tproxy.8   Fri Oct 24 13:56:21 2008
+@@ -46,6 +46,9 @@ tproxy \- transparently re-direct HTTP requests to a H
+ .B \-p
+ ]
+ [
++.B \-S
++]
++[
+ .B \-f \fIforced-url
+ ]
+ [
+@@ -96,6 +99,9 @@ Operate in proxy only mode. Normally if the connection
+ will try and connect transparently to the intended destination. However
+ for some sites this will never work and it is better to simply fail
+ the connection.
++.TP
++.B \-S
++Use the socks4 protocol to connect to the destination host.
+ .TP
+ .B \-f \fIurl
+ Force all accesses to be sent to the specified URL.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
