Little formatting fixes.

[fwd] / fw.1

diff --git a/fw.1 b/fw.1
index 878ad3a15279b031287166f49aeeb0780f013dd4..d1f42cd5b18db373d21a95669b4913b2be493aab 100644 (file)
--- a/fw.1
+++ b/fw.1
@@ -1,6 +1,6 @@
 .\" -*-nroff-*-
 .\"
 .\" -*-nroff-*-
 .\"

-.\" $Id: fw.1,v 1.10 2001/02/03 20:30:03 mdw Exp $
+.\" $Id: fw.1,v 1.18 2003/11/29 23:03:19 mdw Exp $

 .\"
 .\" Manual page for fw
 .\"
 .\"
 .\" Manual page for fw
 .\"


@@ -28,6 +28,30 @@
 .\" ---- Revision history ---------------------------------------------------
 .\" 
 .\" $Log: fw.1,v $
 .\" ---- Revision history ---------------------------------------------------
 .\" 
 .\" $Log: fw.1,v $

+.\" Revision 1.18  2003/11/29 23:03:19  mdw
+.\" Little formatting fixes.
+.\"
+.\" Revision 1.17  2003/11/29 20:36:07  mdw
+.\" Privileged outgoing connections.
+.\"
+.\" Revision 1.16  2003/11/25 14:46:50  mdw
+.\" Update docco for new options.
+.\"
+.\" Revision 1.15  2003/01/24 20:13:04  mdw
+.\" Fix bogus examples.  Explain quoting rules for `exec' endpoints.
+.\"
+.\" Revision 1.14  2002/02/23 00:05:12  mdw
+.\" Fix spacing around full stops (at last!).
+.\"
+.\" Revision 1.13  2002/02/22 23:45:01  mdw
+.\" Add option to change the listen(2) parameter.
+.\"
+.\" Revision 1.12  2001/02/23 09:11:29  mdw
+.\" Update manual style.
+.\"
+.\" Revision 1.11  2001/02/05 19:47:11  mdw
+.\" Minor fixings to wording.
+.\"

 .\" Revision 1.10  2001/02/03 20:30:03  mdw
 .\" Support re-reading config files on SIGHUP.
 .\"
 .\" Revision 1.10  2001/02/03 20:30:03  mdw
 .\" Support re-reading config files on SIGHUP.
 .\"


@@ -122,7 +146,7 @@
 .
 .\"--------------------------------------------------------------------------
 .
 .
 .\"--------------------------------------------------------------------------
 .

-.TH fw 1 "1 July 1999" fw
+.TH fw 1 "1 July 1999" "Straylight/Edgeware" "fw port forwarder"

 .
 .\"--------------------------------------------------------------------------
 .SH NAME
 .
 .\"--------------------------------------------------------------------------
 .SH NAME


@@ -404,8 +428,8 @@ on the
 A global option, outside of a
 .I fw-stmt
 has no context unless it is explicitly qualified, and affects global
 A global option, outside of a
 .I fw-stmt
 has no context unless it is explicitly qualified, and affects global

-behaviour.  Local options, applied to a source or target in a
-.I fw-stmt
+behaviour.  A local option, applied to a source or target in a
+.IR fw-stmt ,

 has the context of the type of source or target to which it is applied,
 and affects only that source or target.
 .PP
 has the context of the type of source or target to which it is applied,
 and affects only that source or target.
 .PP


@@ -427,7 +451,7 @@ The syntax for qualifying options is like this:
 .br
        |
 .I prefix
 .br
        |
 .I prefix

-.B .
+.B .\&

 .I q-option
 .br
        |
 .I q-option
 .br
        |


@@ -448,7 +472,7 @@ exec.rlimit {
   cpu = 60;
 }
 .VE
   cpu = 60;
 }
 .VE

-is equivalent to
+means the same as

 .VS
 exec.rlimit.core = 0;
 exec.rlimit.cpu = 0;
 .VS
 exec.rlimit.core = 0;
 exec.rlimit.cpu = 0;


@@ -577,7 +601,7 @@ sources and targets is like this:
 .I file
 ::=
 .B file
 .I file
 ::=
 .B file

-.RB  [ . ]
+.RB  [ .\& ]

 .I fspec
 .RB [ ,
 .IR fspec ]
 .I fspec
 .RB [ ,
 .IR fspec ]


@@ -734,7 +758,7 @@ exec
 .I exec
 ::=
 .BR exec
 .I exec
 ::=
 .BR exec

-.RB [ . ]
+.RB [ .\& ]

 .I cmd-spec
 .br
 .I cmd-spec
 .I cmd-spec
 .br
 .I cmd-spec


@@ -773,6 +797,15 @@ otherwise the file named by the first argument
 .RI ( argv0 )
 is used.
 .PP
 .RI ( argv0 )
 is used.
 .PP

+Note that the shell command or program name string must, if present,
+have any delimiter characters (including
+.RB ` / '
+and 
+.RB ` . ')
+quoted; this is not required in the
+.RB ` [ '-enclosed
+argument list.
+.PP

 The standard input and output of the program are forwarded to the other
 end of the connection.  The standard error stream is caught by
 .B fw
 The standard input and output of the program are forwarded to the other
 end of the connection.  The standard error stream is caught by
 .B fw


@@ -940,7 +973,7 @@ The syntax for socket sources and targets is:
 .br
 .I socket-source
 ::=
 .br
 .I socket-source
 ::=

-.RB [ socket [ . ]]
+.RB [ socket [ .\& ]]

 .RB [[ : ] \c
 .IR addr-type \c
 .RB [ : ]]
 .RB [[ : ] \c
 .IR addr-type \c
 .RB [ : ]]


@@ -948,7 +981,7 @@ The syntax for socket sources and targets is:
 .br
 .I socket-target
 ::=
 .br
 .I socket-target
 ::=

-.RB [ socket [ . ]]
+.RB [ socket [ .\& ]]

 .RB [[ : ] \c
 .IR addr-type \c
 .RB [ : ]]
 .RB [[ : ] \c
 .IR addr-type \c
 .RB [ : ]]


@@ -985,6 +1018,16 @@ the
 option is not recommended.
 .OE
 .OS "Socket options"
 option is not recommended.
 .OE
 .OS "Socket options"

+.B socket.listen
+.RB [ = ]
+.I number
+.OD
+Sets the maximum of the kernel incoming connection queue for this socket
+source.  This is the number given to the
+.BR listen (2)
+system call.  The default is 5.
+.OE
+.OS "Socket options"

 .B socket.logging
 .RB [ = ]
 .BR yes | no
 .B socket.logging
 .RB [ = ]
 .BR yes | no


@@ -1027,7 +1070,7 @@ source and target addresses have the following syntax:
 .br
 .I addr-elt
 ::=
 .br
 .I addr-elt
 ::=

-.B .
+.B .\&

 |
 .I word
 .GE
 |
 .I word
 .GE


@@ -1043,11 +1086,23 @@ The
 .B inet
 source address accepts the following options:
 .OS "Socket options"
 .B inet
 source address accepts the following options:
 .OS "Socket options"

-.BR socket.inet. [ allow | deny ]
-.RB [ from ]
-.I address
+.B socket.inet.source.addr
+.RB [ = ]
+.RR any | \c
+.I addr
+.OD
+Specify the IP address on which to listen for incoming connections.  The
+default is
+.BR any ,
+which means to listen on all addresses, though it may be useful to
+specify this explicitly, if the global setting is different.
+.OE
+.OS "Socket options"
+.BR socket.inet.source. [ allow | deny ]
+.RB [ host ]
+.I addr

 .RB [ /
 .RB [ /

-.IR address ]
+.IR addr ]

 .OD
 Adds an entry to the source's access control list.  If only one
 .I address
 .OD
 Adds an entry to the source's access control list.  If only one
 .I address


@@ -1060,6 +1115,56 @@ and
 mean the same), and the entry applies to any address which, when masked
 by the netmask, is equal to the masked network address.
 .OE
 mean the same), and the entry applies to any address which, when masked
 by the netmask, is equal to the masked network address.
 .OE

+.OS "Socket options"
+.BR socket.inet.source. [ allow | deny ]
+.B priv-port
+.OD
+Accept or reject connections from low-numbered `privileged' ports, in
+the range 0--1023.
+.OE
+.OS "Socket options"
+.B socket.inet.dest.addr
+.RB [ = ]
+.RR any | \c
+.I addr
+.OD
+Specify the IP address to bind the local socket to when making an
+outbound connection.  The default is
+.BR any ,
+which means to use whichever address the kernel thinks is most
+convenient.  This option is useful if the destination is doing
+host-based access control and your server is multi-homed.
+.OE
+.OS "Socket options"
+.B socket.inet.dest.priv-port
+.RB [=]
+.BR yes | no
+.OD
+Make a privileged connection (i.e., from a low-numbered port) to the
+target.  This only works if
+.B fw
+was started with root privileges.  However, it still works if
+.B fw
+has
+.I dropped
+privileges after initialization (the
+.B \-s
+option).  Before dropping privileges, 
+.B fw
+forks off a separate process which continues to run with root
+privileges, and on demand passes sockets bound to privileged ports and
+connected to the appropriate peer back to the main program.  The
+privileged child only passes back sockets connected to peer addresses
+named in the configuration; even if the
+.B fw
+process is compromised, it can't make privileged connections to other
+addresses.  Note that because of this privilege separation, it's also
+not possible to reconfigure
+.B fw
+to make privileged connections to different peer addresses later by
+changing configuration files and sending the daemon a
+.BR SIGHUP .
+.OE

 .PP
 The access control rules are examined in the order: local entries first,
 then global ones, each in the order given in the configuration file.
 .PP
 The access control rules are examined in the order: local entries first,
 then global ones, each in the order given in the configuration file.


@@ -1120,8 +1225,9 @@ from file stdin, stdout to unix:/tmp/fortunes
 To emulate
 .BR cat (1):
 .VS
 To emulate
 .BR cat (1):
 .VS

-from stdin, null to null, stdout
+from file stdin, null to file null, stdout

 .VE
 .VE

+.sp -1 \" undo final space

 .
 .\"--------------------------------------------------------------------------
 .SH "SIGNAL HANDLING"
 .
 .\"--------------------------------------------------------------------------
 .SH "SIGNAL HANDLING"


@@ -1164,7 +1270,6 @@ to reload its configuration.  Any existing connections are allowed to
 run their course.  If no such configuration files are available,
 .B fw
 just logs a message about the signal and continues.
 run their course.  If no such configuration files are available,
 .B fw
 just logs a message about the signal and continues.

-.PP

 .
 .\"--------------------------------------------------------------------------
 .SH "GRAMMAR SUMMARY"
 .
 .\"--------------------------------------------------------------------------
 .SH "GRAMMAR SUMMARY"


@@ -1218,7 +1323,7 @@ just logs a message about the signal and continues.
 .br
        |
 .I prefix
 .br
        |
 .I prefix

-.B .
+.B .\&

 .I q-option
 .br
        |
 .I q-option
 .br
        |


@@ -1243,7 +1348,7 @@ just logs a message about the signal and continues.
 .I file
 ::=
 .B file
 .I file
 ::=
 .B file

-.RB  [ . ]
+.RB  [ .\& ]

 .I fspec
 .RB [ ,
 .IR fspec ]
 .I fspec
 .RB [ ,
 .IR fspec ]


@@ -1304,7 +1409,7 @@ exec
 .I exec
 ::=
 .BR exec
 .I exec
 ::=
 .BR exec

-.RB [ . ]
+.RB [ .\& ]

 .I cmd-spec
 .br
 .I cmd-spec
 .I cmd-spec
 .br
 .I cmd-spec


@@ -1344,7 +1449,7 @@ exec
 .br
 .I socket-source
 ::=
 .br
 .I socket-source
 ::=

-.RB [ socket [ . ]]
+.RB [ socket [ .\& ]]

 .RB [[ : ] \c
 .IR addr-type \c
 .RB [ : ]]
 .RB [[ : ] \c
 .IR addr-type \c
 .RB [ : ]]


@@ -1352,7 +1457,7 @@ exec
 .br
 .I socket-target
 ::=
 .br
 .I socket-target
 ::=

-.RB [ socket [ . ]]
+.RB [ socket [ .\& ]]

 .RB [[ : ] \c
 .IR addr-type \c
 .RB [ : ]]
 .RB [[ : ] \c
 .IR addr-type \c
 .RB [ : ]]


@@ -1379,7 +1484,7 @@ exec
 .br
 .I addr-elt
 ::=
 .br
 .I addr-elt
 ::=

-.B .
+.B .\&

 |
 .I word
 .PP
 |
 .I word
 .PP


@@ -1460,15 +1565,36 @@ exec
 .IR number | \c
 .BR unlimited | one-shot
 .br
 .IR number | \c
 .BR unlimited | one-shot
 .br

+.B socket.listen
+.RB [ = ]
+.I number
+.br

 .B socket.logging
 .RB [ = ]
 .BR yes | no
 .PP
 .B socket.logging
 .RB [ = ]
 .BR yes | no
 .PP

-.BR socket.inet. [ allow | deny ]
-.RB [ from ]
-.I address
+.BR socket.inet.source. [ allow | deny ]
+.RB [ host ]
+.I addr

 .RB [ /
 .RB [ /

-.IR address ]
+.IR addr ]
+.br
+.BR socket.inet.source. [ allow | deny ]
+.B priv-port
+.br
+.B socket.inet.source.addr
+.RB [ = ]
+.BR any | \c
+.I addr
+.br
+.B socket.inet.dest.addr
+.RB [ = ]
+.BR any | \c
+.I addr
+.br
+.B socket.inet.dest.priv-port
+.RB [=]
+.BR yes | no

 .PP
 .BR socket.unix.fattr. *
 .
 .PP
 .BR socket.unix.fattr. *
 .


@@ -1487,6 +1613,8 @@ this program.  I take security very seriously, and I will fix security
 holes as a matter of priority when I find out about them.  I will be
 annoyed if I have to read about problems on Bugtraq because they weren't
 mailed to me first.
 holes as a matter of priority when I find out about them.  I will be
 annoyed if I have to read about problems on Bugtraq because they weren't
 mailed to me first.

+.PP
+The program is too complicated, and this manual page is too long.

 .
 .\"--------------------------------------------------------------------------
 .SH "AUTHOR"
 .
 .\"--------------------------------------------------------------------------
 .SH "AUTHOR"