UDP packet relayer -- Tom Fitzgerald <fitz@wang.com>

This package consists of 2 components.  udprelay is a daemon process which
runs on a bastion system and forwards UDP packets in and out of a
firewalled network, as directed by a configuration file.  Rsendto.c
provides routines Rsendto and Rrecvfrom, which allow tunnelling through the
bastion to arbitrary outside hosts.  (Rsendto and Rrecvfrom are used like
socks's Rconnect and company, of course).  Rsendto/Rrecvfrom communicate
with udprelay using UDP packets encapsulated in a wrapper that includes the
address of the remote host/port to transfter traffic to.

Un-encapsulated traffic (from programs which were not built with Rsendto)
can be forwarded in and out, but only between specific pairs of inside/
outside systems, with some flexibility added by using distinct local ports
on the bastion host.

  udprelay [ -f configfile ] [ & ]

udprelay should be started at boot time, since it wants to listen on many
ports simultaneously.  It is not inetd-compatible.  It does not background
itself, so it should be started with '&' unless you're debugging or
something.

If the config file refers to any reserved ports (< 1024), udprelay should
be started as root.  If it is, it will setuid itself to a powerless user-id
specified in the Makefile as soon as it has finished processing the
configuration file.

The configfile (default: /etc/udprelay.conf) contains a list of hosts and
ports which packets should be relayed between, and descriptions of
encapsulated ports.

Associations between hosts are described with:

  "relay" host1 remoteport1 localport1 host2 remoteport2 localport2 ["oneway"]

UDP packets from host1:remoteport1 arriving on the local localport1 are to
be forwarded to host2:remoteport2 from local localport2, and vice versa.
If "oneway" is specified, return traffic will NOT be forwarded.

host1 may be wildcarded; *.dom.ain for domain, or * for any host at all.
It may also be an IP address optionally with following ["mask" <addrmask>]
to allow all traffic from that masked IP address.

remoteport1 may be "*" for any remote port. localport2 may be "any",
meaning udprelay can use any available local port.  If host1 and/or
remoteport1 are wildcarded, and localport2 is "any", then udprelay will use
a separate localport2 for each outgoing "session", and will pass
back-traffic that arrives on the appropriate localport2 to the appropriate
host1 (unless oneway is set).  These instances of wildcarded ports are
deleted after 30 minutes with no traffic.

Examples are:

	# Relay traffic back and forth between two NTP servers
	relay clock1.local.domain   ntp ntp clock.outer.domain ntp ntp

	# Send queries from any local ntp query client in the local domain
	# to the ntp server outside, and return responses.
	relay *.local.domain	    ntp ntp clock.outer.domain ntp any

	# Send queries from any outside ntp client to our local ntp server,
	# and return responses.  (This must come after example 2 or example 2
	# will never be utilized).
	relay *			    *   123 clock.local.domain 123 any

	# Forward archie queries from a specific local host to rutgers.
	# Many archie queries can be going on simultaneously from different
	# ports on the local host, using different local ports on the bastion.
	relay host.local.com * 1525 archie.rutgers.edu 1525 any
	relay host.local.com * 191 archie.rutgers.edu 191 any

Encapsulated ports only specify where traffic can come from; each packet
received on an encaps port has a wrapper which specifies where it should be
forwarded to.  They are specified with:

   "encapsulate" hostname localport

Like "relay" lines in the config file, return traffic is passed back (if
the client asks for it) for 30 minutes.  Programs which utilize
encapsulated ports should be built with Rsendto.o.  Clients which want to
take advantage of encapsulated ports will need to be able to get DNS info
from the full Internet, because name-to-address resolution happens on the
client, and only an IP address is passed to udprelay.

Example:

   encapsulate   *.local.domain   1093


NOTES:

Hosts may be specified by name or IP address; host1 fields may be
wildcarded as *.dom.ain or as masked IP addr: "123.45.67.0 mask
255.255.255.0".  1-bits in mask specify bits which must match in sender's
IP address.

Ports may be specified numerically, or as a UDP service listed in
/etc/services.

Multiple "relay" lines may share the same local port.  The destination used
for any packet is the one on the first config line which gives a matching
source host1/remoteport1.  Multiple "encapsulate" lines may also share the
same port; traffic is accepted if any of the (possibly wildcarded) source-
host specifications match the sender.  "relay" lines and "encapsulate"
lines may NOT share the same local port.

No packets will be forwarded from host2 to host1 until at least one has
gone from host1 to host2.  If you want traffic to be initiated from either
side, you'll need 2 "relay" lines.

