================================ dante:source=1.1.19-1 cvc rdiff dante -1 /weasel.rpath.org@wgl:3-devel/1.1.19-1 ================================ 1.1.19-1 Filip Brcic (brcha@xxxxxxx) Fri Jan 15 14:11:15 2010 dante 1.1.19 socks.conf: new --- /dev/null +++ socks.conf @@ -0,0 +127 @@ +# The configfile is divided into two parts; first misc. settings, +# then the routes. Objects in '[]' are optional. +# +# +# recommended order is: +# [debug] +# [logoutput] +# [resolveprotocol] +# +# routes: +# from to via +# [command] +# [extension] +# [protocol] +# [proxyprotocol] + + +#debug: 1 # uncomment to enable debugging + +#logoutput: stdout # users usually don't want to be bothered with that. + +# What protocol should be used for resolving hostnames? It's important +# to set this right. +#resolveprotocol: udp # default +#resolveprotocol: tcp # set this if your socksserver only supports socksv4. +#resolveprotocol: fake # set this if your clients can't access nameserver, + # neither directly nor proxied. + + + +# +# the routes +# + +# specifying routes for accepting remote connections (via bind()) is +# difficult since we can't know what the "to:" address is +# until we actually get the connection Since we support letting +# the client accept connections both via the proxyserver and +# "directly" at the same time, we have two options though: +# a) specify a route for bind (only) first going via the proxyserver. +# This will also handle "direct" connections. +# b) specify a route for bind (only) first going "direct". +# This means clients will only be able to accept "direct" +# connections. + +# we want to accept remote connections via the proxyserver. +#route { +# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 1080 +# command: bind +#} + +# we do not want to accept remote connections via the proxyserver. +#route { +# from: 0.0.0.0/0 to: 0.0.0.0/0 via: direct +# command: bind +#} + + +# if you don't route all local connections via direct, you should +# at least route nameserver connections via direct connections if you +# can. That can make for much better performance, depending on +# your setup. Make sure the nameserver line is the first. +# +# Assuming your nameserver runs on address 10.1.1.1, you can do it like this: +#route { +# from: 0.0.0.0/0 to: 10.1.1.1/32 port = domain via: direct +#} + + +# have a route making all connections to loopback addresses be direct. +#route { +# from: 0.0.0.0/0 to: 127.0.0.0/8 via: direct +# command: connect udpassociate # everything but bind, bind confuses us. +#} + +# Our net is the 10.0.0.0/8 net, let clients going to local address go +# direct, not via server. +#route { +# from: 0.0.0.0/0 to: 10.0.0.0/8 via: direct +#} + +# for poor souls trapped behind a msproxy server. +#route { +# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 1745 +# protocol: tcp # server supports tcp +# proxyprotocol: msproxy_v2 # server runs msproxy_v2 +#} + +# clients going anywhere else go via server listening at +# IP address 10.1.1.1, port 1080. Note that unless you have +# specified a direct connection for DNS, or the socksserver is resolvable +# without network traffic, you can't give a hostname for the socksserver, +# you must give a IP address. (the reasons for that are logical enough, +# you would create a loop otherwise.) +#route { +# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 1080 +# protocol: tcp udp # server supports tcp and udp. +# proxyprotocol: socks_v4 socks_v5 # server supports socks v4 and v5. +# method: none #username # we are willing to authenticate via +# # method "none", not "username". +#} + +# this is identical to the above, but it matches hostnames instead. +# This is if you have clients that are unable to resolve hostnames. +# It can be important that hostname routes come after address routes. +#route { +# from: 0.0.0.0/0 to: . via: 10.1.1.1 port = 1080 +# protocol: tcp udp # server supports tcp and udp. +# proxyprotocol: socks_v4 socks_v5 # server supports socks v4 and v5. +# method: none #username # we are willing to authenticate via +# # method "none", not "username". +#} + +# identical to above two routes, but using a httpproxy instead. +# + +#route { +# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 3128 +# command: connect # only thing a httproxy supports. +# proxyprotocol: http_v1.0 +#} + +#route { +# from: 0.0.0.0/0 to: . via: 10.1.1.1 port = 3128 +# command: connect # only thing a httproxy supports. +# proxyprotocol: http_v1.0 +#} dante-sockd-conf: new --- /dev/null +++ dante-sockd-conf @@ -0,0 +14 @@ +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-proxy/dante/files/dante-sockd-conf,v 1.1 2005/04/22 20:47:27 mrness Exp $ + +# Number of processes to fork off +# 1 is plenty for most users +# increment SLOWLY for bigger demand +SOCKD_FORKDEPTH=1 + +# set this to 1 to enable debug +SOCKD_DEBUG=0 + +# disable TCP keepalive for better resource usage +SOCKD_DISABLE_KEEPALIVE=1 dante-1.1.19.tar.gz: new dante.recipe: new --- /dev/null +++ dante.recipe @@ -0,0 +70 @@ +# +# Copyright (c) 2010 Filip Brcic <brcha@xxxxxxxxxxxx> +# Distributed under the terms of the GNU General Public License v3 +# + +class Dante(AutoPackageRecipe): + name = 'dante' + version = '1.1.19' + + buildRequires = [ + 'autoconf:runtime', 'automake:runtime', 'flex:runtime', + 'libtool:runtime', 'pam:devel', 'tcp_wrappers:devel', + ] + + shortDesc = 'A free socks4,5 and msproxy implementation' + longDesc = """ +Dante is a circuit-level firewall/proxy that can be used to provide +convenient and secure network connectivity to a wide range of hosts +while requiring only the server Dante runs on to have external network +connectivity. Once installed, Dante can in most cases be made +transparent to the clients while offering detailed access control and +logging facilities to the server administrator. +""" + url = 'http://www.inet.no/dante/' + licenses = [ 'BSD' ] + categories = [ 'Network/Proxy' ] + + def unpack(r): + r.addArchive(('ftp://ftp.inet.no/pub/socks/', + 'ftp://ftp.inet.no/pub/socks/old/')) + + r.addPatch('dante-1.1.19-socksify.patch') + r.addPatch('dante-1.1.19-libpam.patch') + + r.Replace(('/etc/socks\.conf', '%(sysconfdir)s/socks/socks.conf'), + ('/etc/sockd\.conf', '%(sysconfdir)s/socks/sockd.conf'), + 'doc/{faq.ps,faq.tex,sockd.8,sockd.conf.5,socks.conf.5}') + + r.Autoreconf() + + def configure(r): + r.Configure( + ' --enable-libwrap' + ' --with-pam' + ' --with-socks-conf=%(sysconfdir)s/socks/socks.conf' + ' --with-sockd-conf=%(sysconfdir)s/socks/sockd.conf' + ) + + # the comments in the source say this is only useful for 2.0 kernels ... + # well it may fix 2.0 but it breaks with 2.6 :) + r.Replace('if HAVE_LINUX_ECCENTRICITIES', 'if 0', + 'include/common.h') + + def policy(r): + r.Replace('libdl\.so', '', '%(bindir)s/socksify') + + r.addSource('socks.conf', + dest='%(sysconfdir)s/socks/') + r.addSource('sockd.conf', + dest='%(sysconfdir)s/socks/') + + r.addSource('dante-sockd-init', + dest='%(initdir)s/dante-sockd', + mode=0755) + r.addSource('dante-sockd-conf', + dest='%(sysconfdir)s/conf.d/dante-sockd') + + r.Doc('BUGS', 'CREDITS', 'NEWS', 'README', 'SUPPORT', 'TODO') + r.Doc('doc/{README*,*.txt,SOCKS4.*}', dir='txt') + r.Doc('example/*.conf', dir='example') dante-1.1.19-libpam.patch: new --- /dev/null +++ dante-1.1.19-libpam.patch @@ -0,0 +76 @@ +diff -Nru dante-1.1.19.orig/acinclude.m4 dante-1.1.19/acinclude.m4 +--- dante-1.1.19.orig/acinclude.m4 2005-12-18 21:57:57.000000000 +0100 ++++ dante-1.1.19/acinclude.m4 2008-06-25 22:24:16.000000000 +0200 +@@ -260,4 +260,4 @@ + + tproto($@)]) + +-# -- acinclude end -- +\ No newline at end of file ++# -- acinclude end -- +diff -Nru dante-1.1.19.orig/configure.ac dante-1.1.19/configure.ac +--- dante-1.1.19.orig/configure.ac 2006-01-15 16:33:37.000000000 +0100 ++++ dante-1.1.19/configure.ac 2008-06-25 22:25:09.000000000 +0200 +@@ -21,7 +21,7 @@ + #NOTE: save CFLAGS; wish to compile without -O2 when debugging + oCFLAGS=$CFLAGS + unset CFLAGS +-AC_AIX #evidently also modifies CFLAGS ++#AC_AIX #evidently also modifies CFLAGS + AC_PROG_LIBTOOL + autoconf_compflags=$CFLAGS + CFLAGS=$oCFLAGS +@@ -30,18 +30,6 @@ + + AM_CONDITIONAL(PRERELEASE, test x$prerelease != x) + +-#known keywords for --enable/disable-foo(=yes/no)? +-LTINTERNAL="dlopen|dlopen_self|dlopen_self_static|fast_install|libtool_lock|win32_dll|shared_with_static_runtimes|shared_with_static_runtimes_CXX|shared_with_static_runtimes_F77" +-KNOWN_KEYWORDS="$LTINTERNAL|shared|static|debug|warnings|diagnostic|profiling|linting|libwrap|preload|serverdl|clientdl|internal|pidfile" +-for keyword in `set | egrep '^enable_' | sed -e 's/^enable_\(.*\)=.*/\1/'`; +-do +- echo $keyword | egrep "^(${KNOWN_KEYWORDS})$" > /dev/null +- if test $? -ne 0; then +- AC_MSG_WARN([unknown option '$keyword', ignoring ...]) +- sleep 10; +- fi +-done +- + #Solaris 2.5.1 is broken in many places + case $host in + *-*-solaris2.5.1) +@@ -1288,15 +1288,18 @@ + [ --without-pam disable pam support @<:@default=detect@:>@], + [PAM=$withval]) + ++LIBPAM= + if test "${PAM}" != no; then + #look for PAM header and lib + AC_CHECK_HEADERS(security/pam_appl.h, [have_pam_header=t]) +- AC_SEARCH_LIBS(pam_start, pam, [have_libpam=t]) ++ AC_CHECK_LIB(pam, pam_start, [have_libpam=t]) + + if test x"${have_pam_header}" != x -a x"${have_libpam}" != x; then + AC_DEFINE(HAVE_PAM, 1, [PAM support]) ++ LIBPAM=-lpam + fi + fi ++AC_SUBST(LIBPAM) + + #expected select behaviour? + unset nb_select_err +diff -Nru dante-1.1.19.orig/sockd/Makefile.am dante-1.1.19/sockd/Makefile.am +--- dante-1.1.19.orig/sockd/Makefile.am 2005-11-06 18:37:14.000000000 +0100 ++++ dante-1.1.19/sockd/Makefile.am 2008-06-25 22:24:16.000000000 +0200 +@@ -35,9 +35,9 @@ + + #XXXhack + if STATIC_SOCKD +-sockd_LDADD = ../libscompat/sockatmark.o ${LIBWRAP} ++sockd_LDADD = ../libscompat/sockatmark.o ${LIBWRAP} ${LIBPAM} + else +-sockd_LDADD = ../libscompat/libscompat.la ${LIBWRAP} ++sockd_LDADD = ../libscompat/libscompat.la ${LIBWRAP} ${LIBPAM} + endif + + INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/libscompat dante-1.1.19-socksify.patch: new --- /dev/null +++ dante-1.1.19-socksify.patch @@ -0,0 +16 @@ +--- dante-1.1.15-pre1/bin/socksify.in.agriffis 2004-11-04 16:07:04.000000000 -0500 ++++ dante-1.1.15-pre1/bin/socksify.in 2004-11-04 16:07:08.977460049 -0500 +@@ -60,7 +60,11 @@ + @PRELOAD_VARIABLE@="${LIBRARY}${SOCKSIFY_PRELOAD_LIBS:+${PRELOAD_SEPERATOR}}${SOCKSIFY_PRELOAD_LIBS}${PRELOAD_POSTFIX:+${PRELOAD_SEPERATOR}}${PRELOAD_POSTFIX}" + export @PRELOAD_VARIABLE@ + +-LD_LIBRARY_PATH="${LD_LIBRARY_PATH}${LD_LIBRARY_PATH:+:}${LIBDIR}" +-export LD_LIBRARY_PATH ++# There is no reason to set LD_LIBRARY_PATH, at least on Linux, where ++# LD_PRELOAD can contain a full path to the library. Setting the ++# following breaks socksify on Linux/Alpha at least with ++# binutils-2.14.90.0.7-r3 (08 Dec 2003 agriffis) ++#LD_LIBRARY_PATH="${LD_LIBRARY_PATH}${LD_LIBRARY_PATH:+:}${LIBDIR}" ++#export LD_LIBRARY_PATH + + exec "$@" sockd.conf: new --- /dev/null +++ sockd.conf @@ -0,0 +254 @@ +# The configfile is divided into two parts; first serversettings, +# then the rules. +# +# The recommended order is: +# Serversettings: +# logoutput +# internal +# external +# method +# clientmethod +# users +# compatibility +# extension +# connecttimeout +# iotimeout +# srchost +# +# Rules: +# client block/pass +# from to +# libwrap +# log +# +# block/pass +# from to +# method +# command +# libwrap +# log +# protocol +# proxyprotocol + +# the server will log both via syslog, to stdout and to /var/log/lotsoflogs +#logoutput: syslog stdout /var/log/lotsoflogs +logoutput: syslog + +# The server will bind to the address 10.1.1.1, port 1080 and will only +# accept connections going to that address. +#internal: 10.1.1.1 port = 1080 +# Alternatively, the interface name can be used instead of the address. +#internal: eth0 port = 1080 + +# all outgoing connections from the server will use the IP address +# 195.168.1.1 +#external: 192.168.1.1 + +# list over acceptable methods, order of preference. +# A method not set here will never be selected. +# +# If the method field is not set in a rule, the global +# method is filled in for that rule. +# + +# methods for socks-rules. +#method: username none #rfc931 + +# methods for client-rules. +#clientmethod: none + +#or if you want to allow rfc931 (ident) too +#method: username rfc931 none + +#or for PAM authentification +#method: pam + +# +# An important section, pay attention. +# + +# when doing something that can require privilege, +# it will use the userid "sockd". +user.privileged: sockd + +# when running as usual, +# it will use the unprivileged userid of "sockd". +user.notprivileged: sockd + +# when running libwrap commands, +# it will use the userid "sockd". +user.libwrap: sockd + +# +# some options to help clients with compatibility: +# + +# when a client connection comes in the socksserver will try to use +# the same port as the client is using, when the socksserver +# goes out on the clients behalf (external: IP address). +# If this option is set, Dante will try to do it for reserved ports aswell. +# This will usually require user.privileged to be set to "root". +#compatibility: sameport + +# If you are using the bind extension and have trouble running servers +# via the server, you might try setting this. The consequences of it +# are unknown. +#compatibility: reuseaddr + +# +# The Dante server supports some extensions to the socks protocol. +# These require that the socks client implements the same extension and +# can be enabled using the "extension" keyword. +# +# enable the bind extension. +#extension: bind + + +# +# +# misc options. +# + +# how many seconds can pass from when a client connects til it has +# sent us it's request? Adjust according to your network performance +# and methods supported. +#connecttimeout: 30 # on a lan, this should be enough if method is "none". + +# how many seconds can the client and it's peer idle without sending +# any data before we dump it? Unless you disable tcp keep-alive for +# some reason, it's probably best to set this to 0, which is +# "forever". +#iotimeout: 0 # or perhaps 86400, for a day. + +# do you want to accept connections from addresses without +# dns info? what about addresses having a mismatch in dnsinfo? +#srchost: nounknown nomismatch + +# +# The actual rules. There are two kinds and they work at different levels. +# +# The rules prefixed with "client" are checked first and say who is allowed +# and who is not allowed to speak/connect to the server. I.e the +# ip range containing possibly valid clients. +# It is especially important that these only use IP addresses, not hostnames, +# for security reasons. +# +# The rules that do not have a "client" prefix are checked later, when the +# client has sent its request and are used to evaluate the actual +# request. +# +# The "to:" in the "client" context gives the address the connection +# is accepted on, i.e the address the socksserver is listening on, or +# just "0.0.0.0/0" for any address the server is listening on. +# +# The "to:" in the non-"client" context gives the destination of the clients +# socksrequest. +# +# "from:" is the source address in both contexts. +# + + +# the "client" rules. All our clients come from the net 10.0.0.0/8. +# + +# Allow our clients, also provides an example of the port range command. +#client pass { +# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0 +# method: rfc931 # match all idented users that also are in passwordfile +#} + +# This is identical to above, but allows clients without a rfc931 (ident) +# too. In practise this means the socksserver will try to get a rfc931 +# reply first (the above rule), if that fails, it tries this rule. +#client pass { +# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0 +#} + + +# drop everyone else as soon as we can and log the connect, they are not +# on our net and have no business connecting to us. This is the default +# but if you give the rule yourself, you can specify details. +#client block { +# from: 0.0.0.0/0 to: 0.0.0.0/0 +# log: connect error +#} + + +# the rules controlling what clients are allowed what requests +# + +# you probably don't want people connecting to loopback addresses, +# who knows what could happen then. +#block { +# from: 0.0.0.0/0 to: 127.0.0.0/8 +# log: connect error +#} + +# the people at the 172.16.0.0/12 are bad, no one should talk to them. +# log the connect request and also provide an example on how to +# interact with libwrap. +#block { +# from: 0.0.0.0/0 to: 172.16.0.0/12 +# libwrap: spawn finger @%a +# log: connect error +#} + +# unless you need it, you could block any bind requests. +#block { +# from: 0.0.0.0/0 to: 0.0.0.0/0 +# command: bind +# log: connect error +#} + +# or you might want to allow it, for instance "active" ftp uses it. +# Note that a "bindreply" command must also be allowed, it +# should usually by from "0.0.0.0/0", i.e if a client of yours +# has permission to bind, it will also have permission to accept +# the reply from anywhere. +#pass { +# from: 10.0.0.0/8 to: 0.0.0.0/0 +# command: bind +# log: connect error +#} + +# some connections expect some sort of "reply", this might be +# the reply to a bind request or it may be the reply to a +# udppacket, since udp is packetbased. +# Note that nothing is done to verify that it's a "genuine" reply, +# that is in general not possible anyway. The below will allow +# all "replies" in to your clients at the 10.0.0.0/8 net. +#pass { +# from: 0.0.0.0/0 to: 10.0.0.0/8 +# command: bindreply udpreply +# log: connect error +#} + + +# pass any http connects to the example.com domain if they +# authenticate with username. +# This matches "example.com" itself and everything ending in ".example.com". +#pass { +# from: 10.0.0.0/8 to: .example.com port = http +# log: connect error +# method: username +#} + +# block any other http connects to the example.com domain. +#block { +# from: 0.0.0.0/0 to: .example.com port = http +# log: connect error +#} + +# everyone from our internal network, 10.0.0.0/8 is allowed to use +# tcp and udp for everything else. +#pass { +# from: 10.0.0.0/8 to: 0.0.0.0/0 +# protocol: tcp udp +#} + +# last line, block everyone else. This is the default but if you provide +# one yourself you can specify your own logging/actions +#block { +# from: 0.0.0.0/0 to: 0.0.0.0/0 +# log: connect error +#} dante-sockd-init: new --- /dev/null +++ dante-sockd-init @@ -0,0 +55 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-proxy/dante/files/dante-sockd-init,v 1.6 2009/03/05 19:31:13 mrness Exp $ + +SOCKD_OPT="-D" +[ "${SOCKD_FORKDEPTH:-1}" -gt 1 ] && SOCKD_OPT="${SOCKD_OPT} -N ${SOCKD_FORKDEPTH}" +[ "${SOCKD_DEBUG:-0}" -eq 1 ] && SOCKD_OPT="${SOCKD_OPT} -d" +[ "${SOCKD_DISABLE_KEEPALIVE:-0}" -eq 1 ] && SOCKD_OPT="${SOCKD_OPT} -n" +PIDFILE=/var/run/sockd.pid + +depend() { + need net +} + +checkconfig() { + # first check that it exists + if [ ! -f /etc/socks/sockd.conf ] ; then + eerror "You need to setup /etc/socks/sockd.conf first" + eerror "Examples are in /usr/share/doc/dante[version]/example" + eerror "for more info, see: man sockd.conf" + return 1 + fi + + /usr/sbin/sockd -V >/tmp/dante-sockd.checkconf 2>&1 + if [ $? -ne 0 ]; then + cat /tmp/dante-sockd.checkconf + eerror "Something is wrong with your configuration file" + eerror "for more info, see: man sockd.conf" + return 1 + fi + rm /tmp/dante-sockd.checkconf + + #Create pidfile with owner set to daemon's uid + DAEMON_UID=`sed -e '/^[ \t]*user[.]notprivileged[ \t]*:/{s/.*:[ \t]*//;q};d' /etc/socks/sockd.conf` + if [ -n "$DAEMON_UID" ]; then + touch $PIDFILE && chown $DAEMON_UID $PIDFILE + fi + + return 0 +} + +start() { + checkconfig || return 1 + ebegin "Starting dante sockd" + start-stop-daemon --start --quiet --pidfile $PIDFILE \ + --make-pidfile --exec /usr/sbin/sockd -- ${SOCKD_OPT} >/dev/null 2>&1 + eend $? "Failed to start sockd" +} + +stop() { + ebegin "Stopping dante sockd" + start-stop-daemon --stop --quiet --pidfile $PIDFILE + eend $? "Failed to stop sockd" +} Committed by: brcha