diff -c -r ./ftp-gw/ftp-gw.c ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c *** ./ftp-gw/ftp-gw.c Thu Feb 5 19:05:43 1998 --- ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c Thu May 21 17:36:09 1998 *************** *** 44,49 **** --- 44,51 ---- extern char *optarg; + char *getdsthost(); + #include "firewall.h" *************** *** 88,93 **** --- 90,97 ---- static int cmdcnt = 0; static int timeout = PROXY_TIMEOUT; + static int do_transparent = 0; + static int cmd_user(); static int cmd_authorize(); *************** *** 101,106 **** --- 105,111 ---- static int cmd_passthru(); static void saveline(); static void flushsaved(); + static int connectdest(); #define OP_CONN 001 /* only valid if connected */ #define OP_WCON 002 /* writethrough if connected */ *************** *** 173,178 **** --- 178,184 ---- char xuf[1024]; char huf[512]; char *passuser = (char *)0; /* passed user as av */ + char *psychic, *hotline; #ifndef LOG_DAEMON openlog("ftp-gw",LOG_PID); *************** *** 317,322 **** --- 323,332 ---- } else timeout = PROXY_TIMEOUT; + psychic = getdsthost(0, NULL); + if (psychic) + do_transparent++; + /* display a welcome file or message */ if(passuser == (char *)0) { if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { *************** *** 324,329 **** --- 334,345 ---- syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); exit(1); } + if (do_transparent) { + if (sayfile2(0, cf->argv[0], 220)) { + syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]); + exit(1); + } + } else if(sayfile(0,cf->argv[0],220)) { syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]); exit(1); *************** *** 336,341 **** --- 352,360 ---- if(say(0,"220-Proxy first requires authentication")) exit(1); + if (do_transparent) + sprintf(xuf, "220-%s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR); + else sprintf(xuf, "220 %s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR); if(say(0,xuf)) exit(1); *************** *** 357,362 **** --- 376,384 ---- exit(1); } + if (do_transparent) + connectdest(psychic, 21); + /* main loop */ while(1) { FD_ZERO(&rdy); *************** *** 653,658 **** --- 675,696 ---- return(sayn(0,noad,sizeof(noad)-1)); } + if (do_transparent) { + if((rfd == (-1)) && (x = connectdest(dest,port))) + return x; + + sprintf(buf,"USER %s",user); + + if (say(rfd, buf)) + return(1); + + x = getresp(rfd, buf, sizeof(buf), 1); + if (sendsaved(0, x)) + return(1); + + return(say(0, buf)); + } + if(*dest == '\0') dest = "localhost"; *************** *** 694,705 **** char ebuf[512]; strcpy(ebuf,buf); ! sprintf(buf,"521 %s: %s",dest,ebuf); rfd = -1; return(say(0,buf)); } ! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); ! saveline(buf); /* we are now connected and need to try the autologin thing */ x = getresp(rfd,buf,sizeof(buf),1); --- 732,748 ---- char ebuf[512]; strcpy(ebuf,buf); ! if (do_transparent) ! sprintf(buf, "521 %s,%d: %s", dest, ntohs(port), ebuf); ! else ! sprintf(buf,"521 %s: %s",dest,ebuf); rfd = -1; return(say(0,buf)); } ! if (!do_transparent) { ! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); ! saveline(buf); ! } /* we are now connected and need to try the autologin thing */ x = getresp(rfd,buf,sizeof(buf),1); *************** *** 1889,1891 **** --- 1932,2050 ---- dup(nread); } #endif + + static int connectdest(dest, port) + char *dest; + short port; + { + char buf[1024], mbuf[512]; + int msg_int, x; + + if(*dest == '\0') + dest = "localhost"; + + if(validests != (char **)0) { + char **xp; + int x; + + for(xp = validests; *xp != (char *)0; xp++) { + if(**xp == '!' && hostmatch(*xp + 1,dest)) { + return(baddest(0,dest)); + } else { + if(hostmatch(*xp,dest)) + break; + } + } + if(*xp == (char *)0) + return(baddest(0,dest)); + } + + /* Extended permissions processing goes in here for destination */ + if(extendperm) { + msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0); + if(msg_int == 1) { + sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest); + syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser); + say(0,mbuf); + return(1); + } else { + if(msg_int == -1) { + sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest); + say(0,mbuf); + return(1); + } + } + } + + syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest); + + if((rfd = conn_server(dest,port,0,buf)) < 0) { + char ebuf[512]; + + strcpy(ebuf,buf); + if (do_transparent) + sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf); + else + sprintf(buf,"521 %s: %s",dest,ebuf); + rfd = -1; + return(say(0,buf)); + } + if (!do_transparent) { + sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); + saveline(buf); + } + + /* we are now connected and need to try the autologin thing */ + x = getresp(rfd,buf,sizeof(buf),1); + if(x / 100 != COMPLETE) { + sendsaved(0,-1); + return(say(0,buf)); + } + saveline(buf); + + sendsaved(0,-1); + return 0; + } + + /* quick hack */ + sayfile2(fd,fn,code) + int fd; + char *fn; + int code; + { + FILE *f; + char buf[BUFSIZ]; + char yuf[BUFSIZ]; + char *c; + int x; + int saidsomething = 0; + + if((f = fopen(fn,"r")) == (FILE *)0) + return(1); + while(fgets(buf,sizeof(buf),f) != (char *)0) { + if((c = index(buf,'\n')) != (char *)0) + *c = '\0'; + x = fgetc(f); + if(feof(f)) + sprintf(yuf,"%3.3d-%s",code,buf); + else { + sprintf(yuf,"%3.3d-%s",code,buf); + ungetc(x,f); + } + if(say(fd,yuf)) { + fclose(f); + return(1); + } + saidsomething++; + } + fclose(f); + if (!saidsomething) { + syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code); + sprintf(yuf, "%3.3d The file to display is empty",code); + if(say(fd,yuf)) { + fclose(f); + return(1); + } + } + return(0); + } diff -c -r ./http-gw/http-gw.c ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c *** ./http-gw/http-gw.c Fri Feb 6 18:32:25 1998 --- ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c Thu May 21 17:00:47 1998 *************** *** 27,32 **** --- 27,35 ---- static char http_buffer[8192]; static char reason[8192]; static int checkBrowserType = 1; + static int do_transparent = 0; + + char * getdsthost(); static void do_logging() { char *proto = "GOPHER"; *************** *** 473,478 **** --- 476,490 ---- /*(NOT A SPECIAL FORM)*/ if((rem_type & TYPE_LOCAL)== 0){ + char * psychic = getdsthost(sockfd, &def_port); + if (psychic) { + if (strlen(psychic) <= MAXHOSTNAMELEN) { + do_transparent ++; + strncpy(def_httpd, psychic, strlen(psychic)); + strncpy(def_server, psychic, strlen(psychic)); + } + } + /* See if it can be forwarded */ if( can_forward(buf)){ *************** *** 1564,1570 **** parse_vec[0], parse_vec[1], ourname, ourport); ! }else{ sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u", parse_vec[0], parse_vec[2], parse_vec[3], chk_type_ch, --- 1576,1589 ---- parse_vec[0], parse_vec[1], ourname, ourport); ! } ! else ! if (do_transparent) { ! sprintf(new_reply, "%s\t%s\t%s\t%s", ! parse_vec[0], parse_vec[1], ! parse_vec[2],parse_vec[3]); ! } ! else { sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u", parse_vec[0], parse_vec[2], parse_vec[3], chk_type_ch, diff -c -r ./lib/hnam.c ../../fwtk-2.1-violated/fwtk/lib/hnam.c *** ./lib/hnam.c Tue Dec 10 13:08:48 1996 --- ../../fwtk-2.1-violated/fwtk/lib/hnam.c Thu May 21 17:10:00 1998 *************** *** 23,28 **** --- 23,33 ---- #include "firewall.h" + #ifdef __FreeBSD__ /* or OpenBSD, NetBSD, BSDI, etc. Fix this for your system. */ + #include + #include "ip_nat.h" + #endif /* __FreeBSD__ */ + char * maphostname(name) *************** *** 49,52 **** --- 54,132 ---- } bcopy(hp->h_addr,&sin.sin_addr,hp->h_length); return(inet_ntoa(sin.sin_addr)); + } + + char *getdsthost(fd, ptr) + int fd; + int *ptr; + { + struct sockaddr_in sin; + struct hostent * hp; + int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0; + char buf[255], hostbuf[255]; + #ifdef __FreeBSD__ + struct sockaddr_in rsin; + struct natlookup natlookup; + #endif + + #ifdef linux + if (!(err = getsockname(0, &sin, &sl))) { + if(ptr) + * ptr = ntohs(sin.sin_port); + + sprintf(buf, "%s", inet_ntoa(sin.sin_addr)); + gethostname(hostbuf, 254); + hp = gethostbyname(hostbuf); + while (hp->h_addr_list[i]) { + bzero(&sin, &sl); + memcpy(&sin.sin_addr, hp->h_addr_list[i++], + sizeof(hp->h_addr_list[i++])); + + if (!strcmp(buf, inet_ntoa(sin.sin_addr))) + local_h++; + } + + if(local_h) + return(NULL); + else + return(buf); + } + #endif + + #ifdef __FreeBSD__ + /* The basis for this block of code is Darren Reed's + * patches to the TIS ftwk's ftp-gw. + */ + bzero((char*)&sin, sizeof(sin)); + bzero((char*)&rsin, sizeof(rsin)); + + if (getsockname(fd, (struct sockaddr*)&sin, &sl) < 0) + return NULL; + + sl = sizeof(rsin); + + if(getpeername(fd, (struct sockaddr*)&rsin, &sl) < 0) + return NULL; + + natlookup.nl_inport=sin.sin_port; + natlookup.nl_outport=rsin.sin_port; + natlookup.nl_inip=sin.sin_addr; + natlookup.nl_outip=rsin.sin_addr; + + if ((natfd = open("/dev/ipl",O_RDONLY)) < 0) + return NULL; + + if (ioctl(natfd, SIOCGNATL,&natlookup) == (-1)) + return NULL; + + close(natfd); + + if (ptr) + *ptr = ntohs(natlookup.nl_inport); + + sprintf(buf, "%s", inet_ntoa(natlookup.nl_inip)); + #endif + + /* No transparent proxy support */ + return(NULL); } diff -c -r ./plug-gw/plug-gw.c ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c *** ./plug-gw/plug-gw.c Thu Feb 5 19:07:35 1998 --- ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c Thu May 21 17:29:01 1998 *************** *** 43,48 **** --- 43,50 ---- static char **validdests = (char **)0; static int net_write(); + static int do_transparent = 0; + main(ac,av) int ac; char *av[]; *************** *** 198,206 **** --- 200,220 ---- char *ptr; int state = 0; int ssl_plug = 0; + char * getdsthost(); + int pport = 0; struct timeval timo; + /* Transparent plug-gw is probably a bad idea, but then, plug-gw is a bad + * idea .. + */ + dhost = getdsthost(0, &pport); + if (dhost) { + do_transparent++; + portid = pport; + } + + if(c->flags & PERM_DENY) { if (p == -1) syslog(LLEV,"deny host=%.512s/%.20s port=any",rhost,raddr); *************** *** 220,226 **** syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln); exit (1); } ! dhost = av[x]; continue; } --- 234,241 ---- syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln); exit (1); } ! if (!dhost) ! dhost = av[x]; continue; } diff -c -r ./rlogin-gw/rlogin-gw.c ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c *** ./rlogin-gw/rlogin-gw.c Thu Feb 5 19:08:38 1998 --- ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c Thu May 21 17:20:25 1998 *************** *** 103,108 **** --- 103,111 ---- static int trusted = 0; static int doX = 0; static char *prompt; + static int do_transparent = 0; + + char * getdsthost(); main(ac,av) int ac; *************** *** 123,128 **** --- 126,132 ---- static char *tokav[56]; int tokac; struct timeval timo; + char * psychic; #ifndef LOG_NDELAY openlog("rlogin-gw",LOG_PID); *************** *** 188,194 **** xforwarder = cf->argv[0]; } ! if((cf = cfg_get("directory",confp)) != (Cfg *)0) { if(cf->argc != 1) { --- 192,203 ---- xforwarder = cf->argv[0]; } ! psychic = getdsthost(0, NULL); ! if (psychic) { ! do_transparent++; ! strncpy(dest, psychic, 511); ! dest[511] = '\0'; ! } if((cf = cfg_get("directory",confp)) != (Cfg *)0) { if(cf->argc != 1) { *************** *** 266,271 **** --- 275,281 ---- if((p = index(rusername,'@')) != (char *)0) { char *namp; + dest[0] = '\0'; *p++ = '\0'; if(*p == '\0') p = "localhost"; *************** *** 297,302 **** --- 307,326 ---- if(dest[0] != '\0') { /* Setup connection directly to remote machine */ + if ((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { + if (cf->argc != 1) { + syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); + exit(1); + } + + if (sayfile(0, cf->argv[0])) { + syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]); + exit(1); + } + } + + /* Hey fwtk developer people -- this connect_dest thing is *nasty!* */ + sprintf(buf,"connect %.1000s",dest); tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf)); if (cmd_connect(tokac, tokav, buf) != 2) *************** *** 535,548 **** char ebuf[512]; syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp); ! if(strlen(namp) > 20) ! namp[20] = '\0'; ! if(rusername[0] != '\0') ! sprintf(ebuf,"Trying %s@%s...",rusername,namp); ! else ! sprintf(ebuf,"Trying %s...",namp); ! if(say(0,ebuf)) ! return(1); } else syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]); if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) { --- 559,574 ---- char ebuf[512]; syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp); ! if (!do_transparent) { ! if(strlen(namp) > 20) ! namp[20] = '\0'; ! if(rusername[0] != '\0') ! sprintf(ebuf,"Trying %s@%s...",rusername,namp); ! else ! sprintf(ebuf,"Trying %s...",namp); ! if(say(0,ebuf)) ! return(1); ! } } else syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]); if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) { diff -c -r ./tn-gw/tn-gw.c ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c *** ./tn-gw/tn-gw.c Thu Feb 5 19:11:36 1998 --- ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c Thu May 21 17:25:06 1998 *************** *** 91,96 **** --- 91,100 ---- static int cmd_xforward(); static int cmd_timeout(); + char * getdsthost(); + + static int do_transparent = 0; + static int tn3270 = 1; /* don't do tn3270 stuff */ static int doX; *************** *** 144,149 **** --- 148,155 ---- char tokbuf[BSIZ]; char *tokav[56]; int tokac; + int port; + char * psychic; #ifndef LOG_DAEMON openlog("tn-gw",LOG_PID); *************** *** 325,330 **** --- 331,362 ---- } } + psychic = getdsthost(0, &port); + if (psychic) { + if ((strlen(psychic) + 10) < 510) { + do_transparent++; + if (port) + sprintf(dest, "%s:%d", psychic, port); + else + sprintf(dest, "%s", psychic); + + if (!welcomedone) + if ((cf = cfg_get("welcome-msg", confp)) != (Cfg *)0) { + if (cf->argc != 1) { + syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); + exit(1); + } + + if (sayfile(0, cf->argv[0])) { + syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]); + exit(1); + } + + welcomedone = 1; + } + } + } + while (argc > 1) { argc--; argv++; *************** *** 947,955 **** char ebuf[512]; syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp); ! sprintf(ebuf,"Trying %.100s port %d...",namp,port); ! if(say(0,ebuf)) ! return(1); } else syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); --- 979,989 ---- char ebuf[512]; syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp); ! if (!do_transparent) { ! sprintf(ebuf,"Trying %.100s port %d...",namp,port); ! if(say(0,ebuf)) ! return(1); ! } } else syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); *************** *** 991,998 **** syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); strncpy(dest,av[1], 511); ! sprintf(buf, "Connected to %.512s.", dest); ! say(0, buf); return(2); } --- 1025,1034 ---- syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); strncpy(dest,av[1], 511); ! if (!do_transparent) { ! sprintf(buf, "Connected to %.512s.", dest); ! say(0, buf); ! } return(2); }