PLUG(1)PLUG(1)NAMEplug-- Plug proxy daemon.
SYNOPSIS
/usr/local/sbin/plug -V <br> /usr/local/sbin/plug [-f] [-l] [-P pid‐
file] [-S sessionfile] [-k] [-d[d]] [-n] [-i sourceaddr] [-p proxyaddr]
[-h https-proxy[:port]] [-t timeout] [-a accept_rule] [-o] [-r retry]
[-V] sourceport destaddr[:destport] [destaddr[:destport]]...
DESCRIPTION
Plugdaemon acts as a "dumb proxy", forwarding a TCP/IP stream from a
port on one host to a possibly different port on a separate host. It
runs as a daemon to reduce latency in setting up a connection, and
optionally logs every connection via syslog.
OPTIONS-f Forces a given client address to continue to connect to the same
host on subsequent attempts, for proxying HTTP connections so
that subsequent hits will be on the same mirror.
-k Turns on SO_KEEPALIVE on the plug. You want to use this on fre‐
quent short term connections like HTTP requests where response
time is more important than reliability on flakey links, and
leave it off on long-term connections that may go a long time
without transferring data.
-l turns on connection logging.
-P pidfile
Maintains a file that contains the process ID of the master plug
daemon, followed by the process IDs of all the active children.
This can be used for cleanup or monitoring. The file is deleted
when the parent process exits.
-S sessionfile
Write session info to this file at the end of each connection:
[yyyy-mm-dd HH:MM:SS] plug[PID] FROM PEER TO IN OUT DURATION
Where "yyyy-mm-dd HH:MM:SS" is the time the connection closed,
PID is the process-id of the connection, PEER is the address of
the client that connected, FROM and TO are the listener port
(and address, if specified) and target address and port, IN and
OUT are the bytes read and written, and DURATION is the connec‐
tion duration in microseconds.
If the session file is "-", it writes the session to standard output
(implies -n).
-d turns on debugging output (implies -n). Additional -d options
add more output.
-n Stops
plug from running as a daemon or logging errors to syslog.
Errors in this mode are displayed on standard error.
-i interface
Bind the plug to the named interface, for use on multi-homed
hosts.
-p interface
Bind the source port of the proxied connection to the named
interface, for use on multi-homed hosts.
-h host:port
Connect via an HTTPS proxy on host:port. Note that when using -h
and -p, the -p option specifies the interface to bind to for the
connection to the HTTPS proxy, since there is no way to control
what the HTTPS proxy might do.
-a accept_rule
Accept connections that match the rule. Currently, the rule is
an ip address and an optional subnet, e.g. -a 192.168.2.0/24 to
accept connections from the Class-C subnet 192.168.2. All 4
octets of the address must be provided. If no rules are speci‐
fied connections are allowed from any address.
-t timeout
Timeout for forced connections, after no attempts in this period
it will connect to a new (pseudo-)randomly selected server. The
default is 1 hour.
-o Direct all connections to the first valid server instead of
load-balancing.
-r retry
Timeout for downed servers; if specified, then a dead server is
retried after this many seconds. If not specified, then a dead
server stays out of the pool until all have failed or plugdaemon
is restarted, then all are retried again.
-V Prints version and exits.
EXAMPLES
On a firewall at 192.168.0.14, to proxy an NNTP connection through to a
host at 10.0.3.15:
plug-i 192.168.0.14 119 10.0.3.15
On an client, to forward an SSH connection through an HTTP proxy at
192.168.0.101 port 8008
plug-i 127.0.0.1 2022 -h 192.168.0.101:8008 customer.example.com:22
To forward an AIM connection through the same proxy:
plug-h 192.168.0.101:8008 9898 toc.oscar.aol.com:9898
(then tell your AIM client to connect to localhost port 9898)
BUGS
Plugdaemon only accepts numeric IP addresses and services.
The syntax is rather clumsy, but I'm deferring cleanup until version
3.0. The main thing I'd like to do is get rid of the -i option and
allow any of the following forms for the source: port, :port, *:port,
address:port, or source/interface (to specify the outgoing interface).
As well as regularise the various flags other people have added that
I've kept to keep from breaking their scripts.
SECURITY FEATURES
Plugdaemon only accepts numeric IP addresses and services.
I don't call gethostbyname anywhere to keep someone from managing to
fake it out by spoofing the firewall, but I think that there's places
this would be a minor risk, so 3.0 will probably add that as a compile-
time option.
LICENSE
Plugdaemon is released under a "Berkeley" style license. See the file
LICENSE for details. (tip me if you like this program, e-gold account
172426)
AUTHOR
Peter da Silva <peter@taronga.com>
FIREWALL PLUG(1)
