X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/fwd/blobdiff_plain/1c2054c7558f523dec9d7c1f243a2ceddd81c781..69c8e834124b3fb1b96c5c3a7935645be0f2224f:/fw.1 diff --git a/fw.1 b/fw.1 index 251aa5a..d1f42cd 100644 --- a/fw.1 +++ b/fw.1 @@ -1,6 +1,6 @@ .\" -*-nroff-*- .\" -.\" $Id: fw.1,v 1.16 2003/11/25 14:46:50 mdw Exp $ +.\" $Id: fw.1,v 1.18 2003/11/29 23:03:19 mdw Exp $ .\" .\" Manual page for fw .\" @@ -28,6 +28,12 @@ .\" ---- Revision history --------------------------------------------------- .\" .\" $Log: fw.1,v $ +.\" Revision 1.18 2003/11/29 23:03:19 mdw +.\" Little formatting fixes. +.\" +.\" Revision 1.17 2003/11/29 20:36:07 mdw +.\" Privileged outgoing connections. +.\" .\" Revision 1.16 2003/11/25 14:46:50 mdw .\" Update docco for new options. .\" 
@@ -1129,6 +1135,36 @@ which means to use whichever address the kernel thinks is most convenient. This option is useful if the destination is doing host-based access control and your server is multi-homed. .OE +.OS "Socket options" +.B socket.inet.dest.priv-port +.RB [=] +.BR yes | no +.OD +Make a privileged connection (i.e., from a low-numbered port) to the +target. This only works if +.B fw +was started with root privileges. However, it still works if +.B fw +has +.I dropped +privileges after initialization (the +.B \-s +option). Before dropping privileges, +.B fw +forks off a separate process which continues to run with root +privileges, and on demand passes sockets bound to privileged ports and +connected to the appropriate peer back to the main program. The +privileged child only passes back sockets connected to peer addresses +named in the configuration; even if the +.B fw +process is compromised, it can't make privileged connections to other +addresses. Note that because of this privilege separation, it's also +not possible to reconfigure +.B fw +to make privileged connections to different peer addresses later by +changing configuration files and sending the daemon a +.BR SIGHUP . +.OE .PP The access control rules are examined in the order: local entries first, then global ones, each in the order given in the configuration file. @@ -1191,6 +1227,7 @@ To emulate .VS from file stdin, null to file null, stdout .VE +.sp -1 \" undo final space . .\"-------------------------------------------------------------------------- .SH "SIGNAL HANDLING" @@ -1233,7 +1270,6 @@ to reload its configuration. Any existing connections are allowed to run their course. If no such configuration files are available, .B fw just logs a message about the signal and continues. -.PP . .\"-------------------------------------------------------------------------- .SH "GRAMMAR SUMMARY" 
@@ -1555,6 +1591,10 @@ exec .RB [ = ] .BR any | \c .I addr +.br +.B socket.inet.dest.priv-port +.RB [=] +.BR yes | no .PP .BR socket.unix.fattr. * .
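Review bot: in the @@ -1129 hunk, the new socket.inet.dest.priv-port text leaves the failure behaviour undocumented. "This only works if fw was started with root privileges" does not say whether a connection requested with priv-port=yes from an unprivileged fw fails outright or silently falls back to an unprivileged source port, and the closing sentence ("it's also not possible to reconfigure fw to make privileged connections to different peer addresses later ... SIGHUP") does not say whether such a request is rejected when the configuration is reloaded or only when the connection is attempted. Suggest one sentence for each case, e.g. after "was started with root privileges." add "Otherwise the connection attempt fails and an error is logged." if that is the actual behaviour. The description of the privileged child is otherwise the right thing to document: stating that it only hands back sockets connected to peer addresses named in the configuration tells the reader exactly what a compromised main process can and cannot do.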
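Review bot: in the @@ -1191 hunk, the added ".sp -1 \" undo final space" depends on the .VS/.VE macro pair always leaving exactly one line of trailing space; if that changes, the negative spacing will overlap text. Suggest undoing the space inside the .VE macro definition (or adding a ".VE" variant without trailing space) rather than at this one call site, or at least extending the comment to name the dependency on .VE.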
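Review bot: in the @@ -1555 hunk, the added ".RB [=]" does not match ".RB [ = ]" on the context line immediately above it. With .RB the arguments alternate roman and bold, so "[ = ]" renders the equals sign in bold while "[=]" renders the whole bracketed group in roman; the same ".RB [=]" form is used in the @@ -1129 hunk. Suggest ".RB [ = ]" in both places so the new option is typeset like the existing entries in the grammar summary.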