bzfrelay(6)

NAME
       bzfrelay - BZFlag game server firewall relay

SYNOPSIS
       bzfrelay [-a address mask] [-d] [-f] [-h] [-p port] [-r address mask]
                [-s [address][:port]] address[:port]
DESCRIPTION
       Bzfrelay relays communication between bzflag and bzfs.  Its primary
       purpose is to provide a tunnel to bzfs through a firewall.

       Because security is a prime concern on a firewall, users are
       encouraged to read the source code and run it with restricted
       permissions.  Also, bzfrelay rejects connections from any clients not
       explicitly allowed, and the default is to reject all connections; you
       must use the options to allow some connections for bzfrelay to be
       useful.

       In the interests of security (and because there's no need for it)
       bzfrelay provides no means to escape to a shell, start executables,
       access the filesystem, report system resources, etc.
Options
       -a address mask
              Allow addresses matching address and mask.  An address src
              matches iff (src & mask) == (address & mask).  This option may
              appear any number of times.

       -d     Increase debugging level.  This option may be specified
              multiple times to increase logging.

       -f     Run in the foreground and log to stderr.  Default is to detach
              from the terminal and log to syslog.

       -h     Print help information and exit.  The help information
              includes the default connect and reconnect ports.

       -p port
              Listen for reconnections on port instead of the default.  The
              BZFlag protocol is broken in that it requires clients to
              connect to the server, get a port to reconnect to, disconnect,
              and reconnect on the new port (there's no reason for this
              except backward compatibility).  This option overrides the
              default reconnect port number.  Packet filters on the firewall
              must be configured to allow TCP packets to and from this port;
              clients will be initiating the connection.  Use -h to get the
              default reconnection port number.

       -r address mask
              Reject addresses matching address and mask.  An address src
              matches iff (src & mask) == (address & mask).  This option may
              appear any number of times.

       -s [address][:port]
              Listen for connections on port at address.  The default is to
              use the standard bzfs port and to listen on all interfaces.
              Either address or port can be omitted, but not both; the
              default is used for the omitted argument.  Packet filters on
              the firewall must be configured to allow TCP packets to and
              from this port and address; clients will be initiating the
              connection.  Use -h to get the default connection port number.

       address[:port]
              Relay packets to the bzfs server on port port at address.  If
              port is not specified then the standard bzfs port is used.
              Packet filters on the firewall must be configured to allow
              packets to and from this address and port, but note that
              bzfrelay will be initiating these TCP connections.  This
              argument is required.
Notes
       Addresses are matched against -a and -r options in the order they
       appear on the command line.  An address is accepted as soon as it
       matches an -a set and rejected as soon as it matches an -r set, so
       you must list more specific sets before more general sets.  An
       address not matching any set is rejected.
Examples
       To allow clients from any host in the 192.0.2 net only use:
       "-a 192.0.2.0 255.255.255.0".

       To allow clients from any host except those in the 192.0.2 subnet
       use: "-r 192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0".  To also allow
       host 192.0.2.1 use: "-a 192.0.2.1 255.255.255.255 -r 192.0.2.0
       255.255.255.0 -a 0.0.0.0 0.0.0.0".

       To allow clients from any host use: "-a 0.0.0.0 0.0.0.0".  This is
       not recommended.
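The first-match rule from Notes and the command lines from Examples, worked through in C as an added example that is not bzfrelay's own code. The decide() helper, its single-string "-a addr mask -r addr mask" rule syntax and the sample client addresses are assumptions for illustration; the matching test (src & mask) == (address & mask), the in-order evaluation and the reject-by-default fallback are exactly as the manual states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not bzfrelay's source: evaluates an ordered -a/-r list. */

typedef enum { RULE_ALLOW, RULE_REJECT } rule_kind;

typedef struct {
    rule_kind kind;
    uint32_t address;   /* host byte order */
    uint32_t mask;      /* host byte order */
} rule;

/* Parse dotted-quad "a.b.c.d" into a host-order 32-bit value. Returns 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* The manual's test: src matches a set iff (src & mask) == (address & mask). */
static int rule_matches(const rule *r, uint32_t src) {
    return (src & r->mask) == (r->address & r->mask);
}

/* First matching set decides; an address matching no set is rejected. Returns 1 accept, 0 reject. */
static int check_client(const rule *rules, size_t n, uint32_t src) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], src))
            return rules[i].kind == RULE_ALLOW ? 1 : 0;
    return 0;
}

/* Hypothetical helper: parse a space-separated "-a addr mask -r addr mask ..." string
 * (the same order as on the bzfrelay command line) and decide for one client address.
 * Returns 1 accept, 0 reject, -1 on a malformed spec or address. */
int decide(const char *spec, const char *src_str) {
    char buf[512];
    rule rules[32];
    size_t n = 0;
    uint32_t src;

    if (!parse_ipv4(src_str, &src)) return -1;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);

    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        rule r;
        if (strcmp(tok, "-a") == 0) r.kind = RULE_ALLOW;
        else if (strcmp(tok, "-r") == 0) r.kind = RULE_REJECT;
        else return -1;                        /* only -a/-r sets are modelled here */
        char *addr = strtok(NULL, " ");
        char *mask = strtok(NULL, " ");
        if (!addr || !mask || n >= sizeof rules / sizeof rules[0]) return -1;
        if (!parse_ipv4(addr, &r.address) || !parse_ipv4(mask, &r.mask)) return -1;
        rules[n++] = r;
    }
    return check_client(rules, n, src);
}

int main(void) {
    /* Constructed sample client addresses run against the manual's example lists. */
    const char *subnet_only  = "-a 192.0.2.0 255.255.255.0";
    const char *all_but_net  = "-r 192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0";
    const char *plus_one     = "-a 192.0.2.1 255.255.255.255 -r 192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0";
    const char *wrong_order  = "-r 192.0.2.0 255.255.255.0 -a 192.0.2.1 255.255.255.255";

    printf("subnet only, 192.0.2.7    -> %d\n", decide(subnet_only, "192.0.2.7"));
    printf("subnet only, 198.51.100.7 -> %d\n", decide(subnet_only, "198.51.100.7"));
    printf("all but net, 192.0.2.7    -> %d\n", decide(all_but_net, "192.0.2.7"));
    printf("plus host,   192.0.2.1    -> %d\n", decide(plus_one, "192.0.2.1"));
    printf("wrong order, 192.0.2.1    -> %d\n", decide(wrong_order, "192.0.2.1"));
    printf("empty list,  192.0.2.1    -> %d\n", decide("", "192.0.2.1"));
    return 0;
}
```

The wrong_order list shows why the manual tells you to put specific sets first: with the /24 reject listed before the single-host allow, 192.0.2.1 hits the reject set first and the later -a never gets a chance. The empty list shows the default behaviour, every client rejected.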
BUGS
       Bzfrelay uses IP addresses for authentication and is therefore
       vulnerable to address spoofing attacks.

SEE ALSO
       bzfs(6)