Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
stone(1)		    General Commands Manual		      stone(1)

NAME
       stone - Simple Repeater

SYNOPSIS
       stone [-C file] [-P command] [-Q	options] [-N] [-d] [-p]	[-n]
	     [-u max] [-f n] [-l] [-L file] [-a	file] [-i file]
	     [-X n] [-T	n] [-A <n>] [-r]
	     [-x port[,port][-port]... xhost...	--]
	     [-s send expect...	--]
	     [-b [var=val]... n	master:port backup:port]
	     [-B host:port host1:port1... --]
	     [-I host]
	     [-o n] [-g	n] [-t dir] [-D] [-c dir]
	     [-q SSL] [-z SSL]
	     [-M install name] [-M remove name]
	     st	[-- st]...

DESCRIPTION
       Stone is	a TCP &	UDP repeater in	the application	layer.	It repeats TCP
       and  UDP	 from  inside to outside of a firewall,	or from	outside	to in-
       side.

       Stone has following features:

       1. Stone	supports Win32.
	      Formerly,	UNIX machines are used as firewalls, but recently Win-
	      dowsNT machines are used,	too.  You can easily run stone on Win-
	      dowsNT and Windows95.  Of	course,	available on  Linux,  FreeBSD,
	      BSD/OS, SunOS, Solaris, HP-UX and	so on.

       2. Simple.
	      Stone's  source code is only 10000 lines long (written in	C lan-
	      guage), so you can minimize the risk of security holes.

       3. Stone	supports SSL.
	      Using OpenSSL (http://www.openssl.org/), stone  can  encrypt/de-
	      crypt.   Client verifications, and server	verifications are also
	      supported.  Stone	can send a substring of	 the  subject  of  the
	      certificate to the destination.

       4. Stone	is a http proxy.
	      Stone can	also be	a tiny http proxy.

       5. POP -> APOP conversion.
	      With  stone and a	mailer that does not support APOP, you can ac-
	      cess to an APOP server.

       6. Stone	supports IPv6.
	      Stone can	convert	IP and IPv6 each other.	 With stone,  you  can
	      use IP-only software on IPv6 network.

OPTIONS
       If  the	-C  file  flag is used,	the program read these options and sts
       from the	configuration file file.  If the -P command flag is used,  the
       program	executes  specified  pre-processor  to	read the configuration
       file.  -Q options can be	used to	pass options to	the pre-processor.  If
       the -N flag is used, stone will terminate  after	 parsing  options  and
       configuration file without opening the ports.

       If  the -d flag is used,	then increase the debug	level.	If the -p flag
       is used,	data repeated by stone are dumped.  If the -n is used, IP  ad-
       dresses	and  service  port numbers are shown instead of	host names and
       service names.

       If the -u max flag (max is integer) is used, the	program	 memorize  max
       UDP sources simultaneously.  The	default	value is 100. If the -f	n flag
       (n  is  integer)	 is used, the program spawn n child processes. The de-
       fault behavior is not to	spawn any child	processes.

       If the -l flag is used, the program sends error messages	to the	syslog
       instead	of stderr.  If the -L file (file is a file name) flag is used,
       the program writes error	messages to the	file.  If the -a file flag  is
       used,  the  program writes accounting to	the file.  If the -i file flag
       is used,	the program writes its process ID to the file.

       The -X n	flag alters the	buffer size  of	 the  repeater.	  The  default
       value  is  1000 bytes. If the -T	n is used, the timeout of TCP sessions
       can be specified	to n sec.  Default: 600	(10 min).  The -A flag	speci-
       fies  the  maximum length the queue of pending connections may grow to.
       Default:	50.  The -r flag is used, SO_REUSEADDR is set on the socket of
       st.

       Using the -x port[,port][-port]... xhost... --  flag,  the  http	 proxy
       (described  later) can only connect to xhost:port.  If more than	one -x
       ... -- flags are	designated, the	posterior one whose port list  matches
       the connecting port.  If	the -x -- is used, prior -x flags are ignored.

       The -b n	master:port backup:port	flag designates	the backup destination
       for  master:port.   The	program	 checks	 every	n seconds whether mas-
       ter:port	is connectable,	using the health check script  defined	by  -s
       flag described below.  If not, the backup is used instead.  Alternative
       host  can  be  checked,	using  host=host  and  alternative port, using
       port=port.

       The -s send expect... --	flag defines the health	check script.  Sending
       send, then checks whether the response match the	regular	expression ex-
       pect.

       The -B host:port	host1:port1... -- is for the  destination  group.   If
       the  destination	 of st is host:port, the program chooses a destination
       randomly	from the group.	 The destination host:port that	is  designated
       by -b flag and turned out unhealthy, is excluded	from the group.

       The  -I host designates the interface used as the source	address	of the
       connection to the desctination.

       If the -o n or -g n flag	is used, the program set its uid or gid	 to  n
       respectively.   If  the	-t  dir	flag (dir is a directory) is used, the
       program change its root to the directory.  If  the  -D  flag  is	 used,
       stone  runs  as	a daemon. The -c dir flag designates the directory for
       core dump.

       The -M install name and the -M remove name flags	are  for  NT  service.
       name  is	 the  service  name.  Start the	service	using the command: net
       start name.  To install stone service as	the name repeater,  for	 exam-
       ple:

	      C:\>stone	-M install repeater -C C:\stone.cfg
	      C:\>net start repeater

       The  -q SSL and the -z SSL flags	are for	SSL encryption.	 The -q	SSL is
       for the client mode, that is, when stone	 connects  to  the  other  SSL
       server  as  a  SSL client.  The -z SSL if for the server	mode, that is,
       when other SSL clients connect to the stone.

       SSL is one of the following.

       default	      reset SSL	options	to the default.	  Using	 multiple  st,
		      different	SSL options can	be designated for each st.
       verbose	      verbose mode.
       verify	      require SSL certificate to the peer.
       verify,once    request  a  client  certificate  on  the initial TLS/SSL
		      handshake. (-z only)
       verify,ifany   The certificate returned (if any)	is checked. (-z	only)
       verify,none    never request SSL	certificate to the peer.
       crl_check      lookup CRLs.
       crl_check_all  lookup CRLs for whole chain.
       uniq	      if the serial number of peer's SSL certificate  is  dif-
		      ferent from the previous session,	deny it.
       ren=regex      The  certificate	of the peer must satisfy the regex.  n
		      is the depth.  re0 means the subject of the certificate,
		      and re1 means the	issure.	 The maximum of	n is 9.	 if  n
		      is  negative,  re-1 means	the root CA and	re-2 means its
		      child CA.
       depth=n	      The maximum of the certificate  chain.   If  the	peer's
		      certificate exceeds n, the verification fails.  The max-
		      imum of n	is 9.
       tls1	      Just use TLSv1 protocol.
       ssl3	      Just use SSLv3 protocol.
       ssl2	      Just use SSLv2 protocol.
       no_tls1	      Turn off TLSv1 protocol.
       no_ssl3	      Turn off SSLv3 protocol.
       no_ssl2	      Turn off SSLv2 protocol.
       sni	      Server Name Indication (SNI).
       servername=str The name of the server indicated by SNI.
       bugs	      Switch on	all SSL	implementation bug workarounds.
       serverpref     Use server's cipher preferences (only SSLv2).
       sid_ctx=str    Set session ID context.
       passfile=file  The filename of the file containing password of the key.
       passfilepat=file
		      The pattern of the filename.
       key=file	      The filename of the secret key of	the certificate.
       keypat=file    The pattern of the filename.
       cert=file      The filename of the certificate.
       certpat=file   The pattern of the filename.
       certkey=file   The filename of the certificate with the secret key.
       certkeypat=file
		      The pattern of the filename.
       CAfile=file    The filename of the certificate of the CA.
       CApath=dir     The directory of the certificate files.
       pfx=file	      The filename of the PKCS#12 bag.
       pfxpat=file    The pattern of the filename.
       store=prop     [Windows]	 Use the secret	key in the Cert	Store.	desig-
		      nate by "SUBJ:<substr>" or "THUMB:<hex>".
       storeCA	      [Windows]	Use CA certificates in the Cert	Store.
       cipher=list    The list of ciphers.
       lbn=m	      change the destination according to the  certificate  of
		      the peer.	 The number calculated from the	matched	string
		      to  the nth ( ...	) in the ``regex'' of SSL options (mod
		      m) is used to select the destination from	 the  destina-
		      tion group defined by -B flag.

       st  is  one of the following.  Multiple st can be designated, separated
       by --.

       (1)    host:port	sport [xhost...]
       (2)    host:port	shost:sport [xhost...]
       (3)    proxy sport [xhost...]
       (4)    host:port/http sport request [xhost...]
       (5)    host:port/proxy sport header [xhost...]
       (6)    health sport [xhost...]

       The program repeats the connection on port sport	to the	other  machine
       host  port port.	 If the	machine, on which the program runs, has	two or
       more interfaces,	type (2) can be	used to	repeat the connection  on  the
       specified  interface shost.  You	can also specify path name that	begins
       with ``/'' or ``./'', instead of	host:port so that the program  handles
       a unix domain socket.

       Type  (3)  is  a	http proxy.  Specify the machine, on which the program
       runs, and port sport in the http	proxy settings of  your	 WWW  browser.
       Extentions can be added to the ``proxy''	like xhost/ext.	 ext is:

       v4only limit the	destination within IP addresses.

       v6only limit the	destination within IPv6	addresses.

       Type (4)	relays stream over http	request.  request is the request spec-
       ified  in  HTTP 1.0.  In	the request,  is the escape character, and the
       following substitution occurs.

	       \n      newline	(0x0A)
	       \r      return	(0x0D)
	       \t      tab	(0x09)
	       \\	itself (0x5C)
	       \a      the IP address of the client connecting to the stone.
	       \A      IP address of the client:port number
	       \d      the destination IP address
	       \D      dst IP address:port number (for transparent proxy)
	       \u      uid (number) of the client
	       \U      user name of the	client
	       \g      gid (number) of the client
	       \G      group name of the client
		       \u \U \g	\G are valid in	the case of unix domain	socket
	       \0      the serial number of peer's SSL certificate.
	       \1 - \9 the matched string in the ``regex'' of SSL options.
	       \?1then\:else\/
		       if 1 (2 - 9 in a	similar	way) is	not null, then,	other-
		       wise else.

       Type (5)	repeats	http request with header in the	top of	request	 head-
       ers.  The above escapes can be also used.  If /mproxy is	designated in-
       stead of	/proxy,	header is added	to each	request	headers.

       Type  (6) designates the	port that other	programs can check whether the
       stone runs `healthy' or not.  Following commands	are available to check
       the stone.

	       HELO any	string	       returns the status of the stone
	       STAT		       # of threads, mutex conflicts
	       FREE		       length of free lists
	       CLOCK		       seconds passed
	       CVS_ID		       CVS ID
	       CONFIG		       content of the configuration file
	       STONE		       configuration of	each stones
	       LIMIT var n	       check the value of var is less than n

       var is one of the following:

	       PAIR	       the number of ``pair''
	       CONN	       the number of ``conn''
	       ESTABLISHED     seconds passed since the	last conn established
	       READWRITE       seconds passed since the	last read/write
	       ASYNC	       the number of threads

       The response of the stone is 2xx	when normal, or	5xx when  abnormal  on
       the top of line.

       If  the	xhost  are  used,  only	machines or its	IP addresses listed in
       xhost separated by space	character can connect to the program and to be
       repeated.

       Extentions can be added to the xhost like xhost/ex,ex....  ex is:

       m      You can designate	the length of prefix bits of the  netmask,  so
	      that only	machines on specified.	In the case of class C network
	      192.168.1.0, for example,	use ``192.168.1.0/24''.

       v4     xhost is resolved	as the IP address.

       v6     xhost is resolved	as the IPv6 address.

       pm     the data repeated	by the program are dumped, only	if it was con-
	      nected  by the machines specified	by xhost.  m is	the dump mode,
	      equivalent to the	number of -p options.

       Use ``!'' instead of ``xhost'', to deny machines	by following xhost.

       Extentions can be added to the port like	port/ext,ext....  ext is:

       udp    repeats UDP instead of TCP.

       ssl    forwards with encryption.

       v6     connects to the destination using	IPv6.

       base   forwards with MIME base64	encoding.

       Extentions can be added to the sport like sport/ext,ext....  ext	is:

       udp    repeats UDP instead of TCP.

       apop   converts POP to APOP.  The conversion is derived	from  the  RSA
	      Data Security, Inc. MD5 Message-Digest Algorithm.

       ssl    forwards with decryption.

       v6     accepts connection using IPv6.  If shost is omitted like (1), IP
	      is also acceptable.

       v6only accepts  connection  using  IPv6 only.  Even if shost is omitted
	      like (1),	IP is not acceptable.

       base   forwards with MIME base64	decoding.

       http   relays stream over http.

       ident  identifies the owner of the incoming connection on the peer  us-
	      ing ident	protocol (RFC1413).

EXAMPLES
       outer: a	machine	in the outside of the firewall
       inner: a	machine	in the inside of the firewall
       fwall: the firewall on which the	stone is executed

       stone outer:telnet 10023
	      Repeats the telnet protocol to outer.
	      Run telnet fwall 10023 on	inner.

       stone outer:domain/udp domain/udp
	      Repeats the DNS query to outer.
	      Run nslookup - fwall on inner.

       stone outer:ntp/udp ntp/udp
	      Repeats the NTP to outer.
	      Run ntpdate fwall	on inner.

       stone localhost:http 443/ssl
	      Make WWW server that supports https.
	      Access https://fwall/ using a WWW	browser.

       stone localhost:telnet 10023/ssl
	      Make telnet server that supports SSL.
	      Run SSLtelnet -z ssl fwall 10023 on inner.

       stone proxy 8080
	      http proxy

       stone outer:110/apop 110
	      connect to inner:pop using a mailer that does not	support	APOP.

       Where fwall is a	http proxy (port 8080):

       stone fwall:8080/http 10023 'POST http://outer:8023 HTTP/1.0'
       stone localhost:telnet 8023/http
	      Run stones on inner and outer respectively.
	      Relays stream over http.

       stone fwall:8080/proxy 9080 'Proxy-Authorization: Basic c2VuZ29rdTpoaXJvYWtp'
	      for browser that does not	support	proxy authorization.

HOMEPAGE
       The official homepage of	stone is:
       http://www.gcd.org/sengoku/stone/

COPYRIGHT
       All  rights  about  this	program	stone are reserved by the original au-
       thor, Hiroaki Sengoku.  The program is free software;  you  can	redis-
       tribute	it  and/or modify it under the terms of	the GNU	General	Public
       License (GPL).  Furthermore you can link	it with	openssl.

NO WARRANTY
       This program is distributed in the hope that it	will  be  useful,  but
       WITHOUT ANY WARRANTY.

AUTHOR
       Hiroaki Sengoku
       sengoku@gcd.org
       http://www.gcd.org/sengoku/

				 version 2.3e			      stone(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=stone&sektion=1&manpath=FreeBSD+Ports+15.0>

home | help