From 3eaa9a376c756b0b8f836c4a78c3cf4012d6ffd7 Mon Sep 17 00:00:00 2001
From: Jacob Appelbaum
Date: Fri, 24 Sep 2010 12:52:07 -0700
Subject: Changes to tor-fw-helper, some based on Nick's review

* MINIUPNPC rather than the generic UPNP
* Nick suggested a better abstraction model for tor-fw-helper
* Fix autoconf to build with either natpmp or miniupnpc
* Add AM_PROG_CC_C_O to fix automake complaint
* update spec to address nickm's concern
* refactor nat-pmp to match upnp state
* we prefer tor_snprintf to snprintf
* link properly for tor_snprintf
* rename test_commandline_options to log_commandline_options
* cast this uint as an int
* detect possible FD_SETSIZE errors
* make note about future enhancements for natpmp
* add upnp enhancement note
* ChangeLog entry
* doxygen and check-spaces cleanup
* create tor-fw-helper.1.txt
---
 doc/spec/tor-fw-helper-spec.txt | 17 +++++++++--
 doc/tor-fw-helper.1.txt | 68 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 doc/tor-fw-helper.1.txt

(limited to 'doc')

diff --git a/doc/spec/tor-fw-helper-spec.txt b/doc/spec/tor-fw-helper-spec.txt index 684f50fb1a..0068b26556 100644 --- a/doc/spec/tor-fw-helper-spec.txt +++ b/doc/spec/tor-fw-helper-spec.txt 
@@ -33,12 +33,25 @@ tor-fw-helper: FAILURE All informational messages are printed to standard output; all error messages - are printed to standard error. + are printed to standard error. Messages other than SUCCESS and FAILURE + may be printed by any compliant tor-fw-helper. + +2.2 Output format stability + + The above SUCCESS and FAILURE messages are the only stable output formats + provided by this specification. tor-fw-helper-spec compliant implementations + must return SUCCESS or FAILURE as defined above. 3. Security Concerns It is probably best to hand configure port forwarding and in the process, we - suggest disabling NAT-PMP and/or UPnP. + suggest disabling NAT-PMP and/or UPnP. This is of course absolutely confusing + to users and so we support automatic, non-authenticated NAT port mapping + protocols with compliant tor-fw-helper applications. + + NAT should not be considered a security boundary. NAT-PMP and UPnP are hacks + to deal with the shortcomings of user education about TCP/IP, IPv4 shortages, + and of course, NAT devices that suffer from horrible user interface design. [0] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol [1] http://en.wikipedia.org/wiki/Universal_Plug_and_Play diff --git a/doc/tor-fw-helper.1.txt b/doc/tor-fw-helper.1.txt new file mode 100644 index 0000000000..87607afb8a --- /dev/null +++ b/doc/tor-fw-helper.1.txt 
@@ -0,0 +1,68 @@ +// Copyright (c) The Tor Project, Inc. +// See LICENSE for licensing information +// This is an asciidoc file used to generate the manpage/html reference. +// Learn asciidoc on http://www.methods.co.nz/asciidoc/userguide.html +tor-fw-helper(1) +============== +Jacob Appelbaum + +NAME +---- +tor-fw-helper - Manage upstream firewall/NAT devices + +SYNOPSIS +-------- +**tor-fw-helper** [-h|--help] [-T|--test] [-v|--verbose] [-g|--fetch-public-ip] +-i|--internal-or-port __TCP port__ [-e|--external-or-port _TCP port_] +[-d|--internal-dir-port _TCP port_] [-p|--external-dir-port _TCP port_] + +DESCRIPTION +----------- +**tor-fw-helper** currently supports Apple's NAT-PMP protocol and the UPnP +standard for TCP port mapping. It is written as the reference implementation of +tor-fw-helper-spec.txt and conforms to that loose plugin API. If your network +supports either NAT-PMP or UPnP, tor-fw-helper will attempt to automatically +map the required TCP ports for Tor's Or and Dir ports. + + +OPTIONS +------- +**-h** or **--help**:: + Display help text and exit. + +**-v**:: + Display verbose output. + +**-T** or **--test**:: + Display test information and print the test information in + tor-fw-helper.log + +**-g** or **--fetch-public-ip**:: + Fetch the the public ip address for each supported NAT helper method. + +**-i** or **--internal-or-port** __port__:: + Inform **tor-fw-helper** of your internal OR port. This is the only + required argument. + +**-e** or **--external-or-port** __port__:: + Inform **tor-fw-helper** of your external OR port. + +**-d** or **--internal-dir-port** __port__:: + Inform **tor-fw-helper** of your internal Dir port. + +**-p** or **--external-dir-port** __port__:: + Inform **tor-fw-helper** of your external Dir port. + +BUGS +---- +This probably doesn't run on Windows. That's not a big issue, since we don't +really want to deal with Windows before October 2010 anyway. 
+ +SEE ALSO +-------- +**tor**(1) + + +See also the "tor-fw-helper-spec.txt" file, distributed with Tor. + +AUTHORS +------- + Jacob Appelbaum , Steven J. Murdoch -- cgit v1.2.3-54-g00ecf
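Review bot: in the doc/spec/tor-fw-helper-spec.txt hunk, the new section 2.2 says implementations "must return SUCCESS or FAILURE", while the paragraph directly above it only talks about messages being printed to standard output or standard error, so a reader cannot tell whether "return" means the printed "tor-fw-helper: FAILURE" style line or the process exit status. Suggest wording it as "must print" (or defining the exit status separately) and stating which stream carries the status line, since FAILURE could be read as an error message that belongs on standard error. Because the hunk also allows "Messages other than SUCCESS and FAILURE" from any compliant helper, 2.2 should say explicitly that a caller must ignore lines it does not recognise and act only on the two stable messages; otherwise a parser that treats unexpected output as failure, or as success, is still arguably compliant.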
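Review bot: in the new doc/tor-fw-helper.1.txt, the DESCRIPTION says the tool "will attempt to automatically map the required TCP ports" but never mentions that NAT-PMP and UPnP are non-authenticated, which the spec hunk in this same patch calls out under Security Concerns along with the advice to configure forwarding by hand. Suggest a short sentence in DESCRIPTION, or a NOTES section, that repeats that caveat and points to tor-fw-helper-spec.txt section 3, since operators read the manpage rather than the spec. Smaller points in the same file: the OPTIONS entry for **-v** omits the **--verbose** long form that SYNOPSIS advertises; SYNOPSIS marks the -i argument as `__TCP port__` but the other three as `_TCP port_`; the **-g** text reads "Fetch the the public ip address"; the **-T** entry names tor-fw-helper.log without saying which directory it is written to; and "Tor's Or and Dir ports" should read "OR" to match the option descriptions below it.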