README: comment about UDP via OpenSSH & README.html

README

@@ -55,7 +55,8 @@ Login/password authentication is supported for SOCKS5/HTTPS connections.
 SOCKS4 supports only username, password is ignored. for HTTPS, currently
 only Basic and Digest scheme is supported.
 
-Redirect UDP packets via SOCKS5 proxy server.
+Redirect UDP packets via SOCKS5 proxy server. NB: UDP still goes via UDP, so
+you can't relay UDP via OpenSSH.
 
 Sends "truncated reply" as an answer to UDP DNS queries.
 
@@ -82,13 +83,13 @@ Compilation is as easy as running `make', there is no `./configure' magic.
 
 GNU Make works, other implementations of make were not tested.
 
-[5] http://www.monkey.org/~provos/libevent/
+[5] http://libevent.org/ || http://www.monkey.org/~provos/libevent/
 
 
 Running
 =======
 
-Program has only two command-line options:
+Program has following command-line options:
  -c   sets proper path to config file ("./redsocks.conf" is default one)
  -t   tests config file syntax
  -p   set a file to write the getpid() into
@@ -132,6 +133,10 @@ http://darkk.net.ru/redsocks/
 
 Mailing list: [email protected]
 
+Mailing list also has archives[1].
+
+[1] http://librelist.com/browser/redsocks/
+
 
 TODO
 ====

README.html

@@ -0,0 +1,175 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<link rel="stylesheet" type="text/css" href="../site.css" />
+<title>redsocks - transparent socks redirector</title>
+</head>
+<body>
+<!-- Intro -->
+<h1>redsocks - transparent socks redirector</h1>
+<div class="navi">
+	<a href="../">darkk's homepage</a>
+	<a href="http://github.com/darkk/redsocks/tree/master">download source code</a>
+</div>
+
+<hr/>
+
+<p>This tool allows you to redirect any TCP connection to SOCKS or HTTPS
+proxy using your firewall, so redirection is system-wide.</p>
+
+<p>Why is that useful? I can suggest following reasons:</p>
+<ul>
+	<li>you use <a href="http://www.torproject.org">tor</a> and don't want any TCP connection to leak</li>
+	<li>you use DVB ISP and this ISP provides internet connectivity with some
+  special daemon that may be also called "Internet accelerator" and this
+	accelerator acts as proxy. <a href="http://www.globax.biz">Globax</a> is example of such an accelerator</li>
+</ul>
+
+<p>Linux/iptables, OpenBSD/pf and FreeBSD/ipfw are supported.
+Linux/iptables is well-tested, other implementations may have bugs,
+your bugreports are welcome.</p>
+
+<p><a href="http://transocks.sourceforge.net/">Transocks</a> is alike project but it has noticable performance penality.</p>
+
+<p><a href="http://oss.tiggerswelt.net/transocks_ev/">Transsocks_ev</a> is alike project too, but it has no HTTPS-proxy support
+and does not support authentication.</p>
+
+<p>Another related issue is DNS over TCP. Redsocks includes `dnstc' that is fake
+and really dumb DNS server that returns "truncated answer" to every query via
+UDP. RFC-compliant resolver should repeat same query via TCP in this case - so
+the request can be redirected using usual redsocks facilities.</p>
+
+<p>Known compliant resolvers are:</p>
+<ul>
+	<li>bind9 (server)</li>
+	<li>dig, nslookup (tools based on bind9 code)</li>
+</ul>
+<p>Known non-compliant resolvers are:</p>
+<ul>
+	<li>eglibc resolver fails without any attempt to send request via TCP</li>
+	<li>powerdns-recursor can't properly startup without UDP connectivity as it
+   can't load root hints</li>
+</ul>
+
+<p>On the other hand, DNS via TCP using bind9 may be painfully slow. If your bind9
+setup is really slow, you have at least two options: <a href="http://www.phys.uu.nl/~rombouts/pdnsd.html">pdnsd</a> caching server
+can run in TCP-only mode, <a href="http://www.mulliner.org/collin/ttdnsd.php">ttdnsd</a> (<a href="https://gitweb.torproject.org/ioerror/ttdnsd.git">git repo</a>) has no cache but can be useful for same
+purpose.</p>
+
+<h2>Features</h2>
+
+<p>Redirect any TCP connection to SOCKS4, SOCKS5 or HTTPS (HTTP/CONNECT)
+proxy server.</p>
+
+<p>Login/password authentication is supported for SOCKS5/HTTPS connections.
+SOCKS4 supports only username, password is ignored. for HTTPS, currently
+only Basic and Digest scheme is supported.</p>
+
+<p>Redirect UDP packets via SOCKS5 proxy server. NB: UDP still goes via UDP, so
+you can't relay UDP via OpenSSH.</p>
+
+<p>Sends "truncated reply" as an answer to UDP DNS queries.</p>
+
+<p>Redirect any HTTP connection to proxy that does not support transparent
+proxying (e.g. old SQUID had broken `acl myport' for such connections).</p>
+
+
+<h2>License</h2>
+
+<p>All source code is licensed under Apache 2.0 license.</p>
+<p>You can get a copy at <a href="http://www.apache.org/licenses/LICENSE-2.0.html">http://www.apache.org/licenses/LICENSE-2.0.html</a></p>
+
+
+<h2>Compilation</h2>
+
+<p><a href="http://libevent.org/">libevent</a> is required.</p>
+
+<p>gcc is only supported compiler right now, other compilers can be used
+but may require some code changes.</p>
+
+<p>Compilation is as easy as running `make', there is no `./configure' magic.</p>
+
+<p>GNU Make works, other implementations of make were not tested.</p>
+
+
+<h2>Running</h2>
+
+<p>Program has following command-line options:<br/>
+-c   sets proper path to config file ("./redsocks.conf" is default one)<br/>
+-t   tests config file syntax<br/>
+-p   set a file to write the getpid() into</p>
+
+<p>Following signals are understood:<br/>
+SIGUSR1 dumps list of connected clients to log<br/>
+SIGTERM and SIGINT terminates daemon, all active connections are closed</p>
+
+<p>You can see configuration file example in redsocks.conf.example</p>
+
+
+<h2>iptables example</h2>
+
+<p>You have to build iptables with connection tracking and REDIRECT target.</p>
+
+<pre># Create new chain
+<code>iptables -t nat -N REDSOCKS</code>
+
+# Ignore LANs and some other reserved addresses.
+<code>iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
+iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
+iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
+iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
+iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
+iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
+iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
+iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN</code>
+
+# Anything else should be redirected to port 12345
+<code>iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345</code>
+
+# Any tcp connection made by `darkk' should be redirected.
+<code>iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner darkk -j REDSOCKS</code></pre>
+
+
+<h2>Homepage</h2>
+
+<p>Homepage: <a href="http://darkk.net.ru/redsocks/">http://darkk.net.ru/redsocks/</a></p>
+
+<p>Mailing list: <a href="mailto:[email protected]">[email protected]</a></p>
+
+<p>Mailing list also has <a href="http://librelist.com/browser/redsocks/">archives</a>.</p>
+
+
+<h2>TODO</h2>
+
+<ul>
+	<li>Test OpenBSD (pf) and FreeBSD (ipfw) and write setup examples for those
+	firewall types.</li>
+</ul>
+
+
+<h2>Author</h2>
+This program was written by Leonid Evdokimov.
+
+
+<!-- Outro -->
+<a name="address"></a>
+<pre>
+ (~~~~~~~~~~\   __
+ | jabber:  )  /  \
+ | mailto: (  /|oo \
+  \_________\(_|  /_)
+              _ @/_ \
+             |     | \   \\
+      leon   | (*) |  \   ))  darkk.net.ru
+             |__U__| /  \//
+              _//|| _\   /
+             (_/(_|(____/
+                         <a href="http://jigsaw.w3.org/css-validator/check/referer">Valid CSS!</a>
+                         <a href="http://validator.w3.org/check?uri=referer">Valid XHTML 1.0 Transitional</a>
+</pre>
+<!-- /Outro -->
+<!-- vim:set tabstop=2 softtabstop=2 shiftwidth=2: -->
+</body>
+</html>