|
Index of /ru/projects/firepass
|
Name Last modified Size Description
![[DIR]](/icons/back.gif)
Parent Directory 04-Sep-2007 18:52 -
![[ ]](/icons/unknown.gif)
CHANGELOG 08-Oct-2003 15:35 1k
![[ ]](/icons/compressed.gif)
firepass-1.0.1a.tar.gz 16-May-2003 12:44 21k
firepass-1.0.2a.tar.gz 31-May-2003 12:46 21k
firepass-1.1.0a.tar.gz 24-Jun-2003 12:58 23k
firepass-1.1.1a.tar.gz 03-Jul-2003 10:39 25k
firepass-1.1.2a.tar.gz 26-Sep-2003 11:19 24k
![[ ]](/icons/hand.right.gif)
fr_README 26-Sep-2003 11:15 10k
FIREPASS VERSION 1.1.2a
=======================
================================================================================
GRAY-WORLD.NET / FIREPASS
=========================
The FIREPASS program is part of the Gray-World.net projects.
Our Team presents at the http://gray-world.net website the projects and
publications, we are working on, which are related to the NACS (Network
Access Control System) bypassing research field as well as to the computer and
network security area.
================================================================================
ABOUT
=====
FIREPASS is a tunneling tool that can encapsulate TCP or UDP based
protocols within legal HTTP POST requests, therefore bypassing firewall
restrictions. For now, the client and server is written in Perl, the server
script running as a CGI program.
To run FIREPASS you'll need the following:
* A box located inside your local network, with Perl and the ability to
send HTTP messages to the external network (Internet), either directly or
indirectly through a HTTP proxy
* A HTTPd server located on the external network (with Perl also) where you
can place / run CGI scripts and establish outgoing connections (Most
commercial hosting providers and some public ones allow this)
FIREPASS' key feature is that you can chain several installations of the
server and they never need to bind to a port; therefore, it is
undetectable by most Administrators. There is only an unusual HTTP dialog
between the client and server ; aswell, the HTTP messages are send fairly
often. But this is configurable in the FIREPASS client with a special delay
option between HTTP requests, and can be used for any non-time-critical
protocols.
This FIREPASS version is alpha, so there still may be some bugs... including
SECURITY bugs! Please read the section "HOW IT WORKS" carefully to understand
all the possible risks you may be exposed to. I do not provide any guarantees
that this program works properly.
HOW IT WORKS
============
TCP/UDP clients TCP/UDP services
\\\ ^^^
(5)\\\(1) (3)|||
\\\ |||
|----------| (2) |----------| (2) |----------|
| HOST "A" | --- HTTP POST --> | Host "B" | --- HTTP POST --> | Host "C" |
| | <---------------- |HTTP proxy| <---------------- | httpd |
|----------| (4) |----------| (4) |----------|
FIREPASS client (optional) FIREPASS server
fpclient.pl /cgi-bin/fpserver.cgi
(1) The TCP/UDP client connects to Host "A", where the FIREPASS client is
running and listening on a TCP/UDP port as a daemon;
(2) The FIREPASS client accepts the connection, reads the data, builds a
connection to Host "C" directly or via a HTTP proxy and then sends the
data to our HTTPd (to the default port 80/TCP) as an HTTP post request
to the FIREPASS server script; If this is the first request for the
current session, then the FIREPASS client attaches additional HTTP header
lines that contain our redirect rule.
(3) The FIREPASS server reads the data from STDIN, as specified by the CGI
protocol. Then, if this is the first HTTP message for the current session
it forks a Connection Manager, otherwise it transfers the data to our
existing Connection Manager through a file sitting in a local directory
on Host "C" . The Connection manager reads this file's data and builds a
TCP/UDP connection to the target service and sends data. If there is data
to be read from the target service, it reads it and transfers it to the
FIREPASS server CGI script through another local file on Host "C".
(4) On each run, the FIREPASS server CGI script checks a local file for
incoming data and if present - sends it to the FIREPASS client as a HTTP
response message.
(5) The FIREPASS client receives data from the target service inside of a HTTP
message, extracts it and then sends it to its client.
That's it! If there is no incoming/outgoing data, FIREPASS client / server
just sends empty HTTP request/response messages.
INSTALL
=======
Inside `` - shell commands.
SERVER HOST (httpd)
-------------------
* Place the FIREPASS server script 'fpserver/fpserver.cgi' and the
'fpserver/conf' directory under your target host's 'cgi-bin' directory,
check the path to Perl inside of fpserver.cgi. (default /bin/perl);
* Create 2 directories - 'inout' and 'log' (for example into /var/tmp)
`chmod 777 inout log` or
`chown <httpd_user>:<httpd_group> inout log && chmod 700 inout log`
fpserver.cgi should be able to read/write files inside these directories;
* Update FIREPASS server configuration files:
conf/fpserver.conf : Configuration file;
conf/fpserver.allow : Access list file.
* Run fpserver.cgi with 'configure' option and path to fpserver.conf file:
`./fpserver.cgi configure conf/fpserver.conf`
After configure, the fpcnf.cache file will be created in the same
directory as fpserver.cgi.
CLIENT HOST
-----------
* Check path to perl in the FIREPASS client script fpclient.pl;
* Update FIREPASS client configuration files:
conf/fpclient.conf : Configuration directives;
conf/fpclient.rules : Redirect rules;
conf/fpserver.allow : Access list file.
All pathes in the '.conf' files should be absolute or relative to the script's
location.
-NOTE-------------------------------------------------------------------------
Some HTTPds (Russian Apache for example) may modify data before it gets
passed to the CGI script, this is done to support the server's default
cyrillic encoding. Data flow will get corrupted because of this, and you'll
need to turn off this web server "feature".
For Russian Apache add next lines to httpd.conf file:
<Location /cgi-bin/fpserver.cgi>
CharsetDisable On
</Location>
..and restart HTTPd
----------------------------------------------------------------------------
USAGE
=====
Run FIREPASS client:
./fpclient.pl conf/fpclient.conf [SERVER]/cgi-bin/fpserver.cgi
PLATFORMS
=========
I've tested it with:
* SunOS 5.8 + Perl 5.005_03;
* Mandrake Linux (kernel version 2.4.19) + Perl 5.8.0;
* Windows 2000 / XP + ActivePerl 5.8.0.806;
If you could run FIREPASS on other platforms, let me know :)
EXAMPLES
========
I've successfully used FIREPASS to tunnel the following protocols:
* TELNET; not too fast ;)
* HTTP; Seems to work for me. I recommend you use HTTP/1.0 + a non
"Keep-Alive" connection from your favourite browser to prevent
unnecessary FIREPASS traffic.
* ICQ; Found some problems here... mainly during the application-level,
handshake procedure when ICQ tries to establish more than 12 TCP
connections at the same time. Some HTTP proxies (including one I play
with) may not allow such a great number of connections from one IP.
That's why the proxy will answer with a HTTP "Forbidden" message on the
next connection attempt. I have found a work-around: while keeping your
connection to the ICQ client alive, the FIREPASS client will attempt to
build a connection through the HTTP proxy, until it gets HTTP/200
response. Actually, ICQ sometimes works and sometimes not... because of
HTTP/404 "Not found" errors from login.icq.com server without any reason
(from my point of view). If anyone is familiar with the ICQ protocol then
please write me an email to discuss the problem.
LICENSE
=======
Firepass is distributed under the terms of the GNU General Public License v2.0
See the file COPYING for details.
AUTHOR
======
Alex Dyatlov <alex@gray-world.net>
Project homepage: http://gray-world.net
Firepass Message board is also available at http://gray-world.net/board/
Feature requests and bug reports are welcome!
THANKS
======
Simon Castro <scastro@entreelibre.com>
French README. FIREPASS testing. English spelling mistakes checking.
Hadi El-Khoury <helkhoury@entreelibre.com>
English spelling mistakes checking.
Brian Otto <b.otto@runbox.com>
He help me to run FIREPASS in the WIN environment and to fix spelling
mistakes in this file.