Bzfrelay relays communication between bzflag and bzfs. Its
primary purpose is to provide a tunnel to bzfs through a firewall.
Because security is a prime concern on a firewall, users are
encouraged to read the source code and run it with restricted
permissions. Also bzfrelay rejects connections from any clients not
explicitly allowed and the default is to reject all connections;
you must use the options to allow some connections for bzfrelay to
be useful.
In the interests of security (and because there's no need for it)
bzfrelay provides no means to escape to a shell, start executables,
access the filesystem, report system resources, etc.
Options
-a address mask
Allow addresses matching address and mask. An address
src matches iff (src & mask) == (address &
mask). This option may appear any number of times.
-d
Increase debugging level. This option may be specified multiple
times to increase logging.
-f
Run in the foreground and log to stderr. Default is to detach
from the terminal and log to syslog.
-h
Print help information and exit. The help information includes
the default connect and reconnect ports.
-p port
Listen for reconnections on port instead of the default.
The BZFlag protocol is broken in that it requires clients to
connect to the server, get a port to reconnect to, disconnect,
and reconnect on the new port (there's no reason for this
except backward compatibility). This option overrides the
default reconnect port number. Packet filters on the firewall
must be configured to allow TCP packets to and from this port;
clients will be initiating the connection. Use -h to get
the default reconnection port number.
-r address mask
Reject addresses matching address and mask. An address
src matches iff (src & mask) == (address &
mask). This option may appear any number of times.
-s [address][:port]
Listen for connections on port at address. The default
is to use the standard bzfs port and to listen on all interfaces.
Either address or port can be omitted, but not both;
the default is used for the omitted argument.
Packet filters on the firewall must be configured to allow TCP
packets to and from this port and address; clients will be
initiating the connection. Use -h to get the default
connection port number.
address[:port]
Relay packets to the bzfs server on port port at address.
If port is not specified then the standard bzfs port is used.
Packet filters on the firewall must be configured to allow packets
to and from this address and port, but note that bzfrelay will be
initiating these TCP connections. This argument is required.
Notes
Addresses are matched against -a and -r options in the
order they appear on the command line. An address is accepted as
soon as it matches an -a set and rejected as soon as it matches
an -r set, so you must list more specific sets before more
general sets. An address not matching any set is rejected.
Examples
To allow clients from any host in the 192.0.2 net only use: "-a
192.0.2.0 255.255.255.0".
To allow clients from any host except those in the 192.0.2 subnet
use: "-r 192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0". To also
allow host 192.0.2.1 use: "-a 192.0.2.1 255.255.255.255 -r
192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0".
To allow clients from any host use: "-a 0.0.0.0 0.0.0.0". This is
not recommended.
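The first-match rule from the Notes section and the three command lines from the Examples section, worked through in Python. This is an added illustration, not code from bzfrelay; parse_rules is a hypothetical argv walker written only for the example (it knows just enough about the other options to step over them), and the source addresses and the bzfs hostname are constructed sample values. It also evaluates the reversed ordering "-a 0.0.0.0 0.0.0.0 -r 192.0.2.0 255.255.255.0" to show why the more specific -r set must come first.

```python
import ipaddress
from typing import List, Tuple

# A rule is (action, address, mask); action is "allow" for -a and "reject"
# for -r, kept in the order the options appeared on the command line.
Rule = Tuple[str, str, str]


def parse_rules(argv: List[str]) -> List[Rule]:
    """Collect -a/-r rules from an argv-style list, preserving their order.

    Hypothetical helper for this example: -p and -s consume one value each,
    -d/-f/-h and the trailing bzfs address[:port] argument are skipped.
    """
    rules: List[Rule] = []
    i = 0
    while i < len(argv):
        if argv[i] in ("-a", "-r"):
            if i + 2 >= len(argv):
                raise ValueError(f"{argv[i]} needs an address and a mask")
            action = "allow" if argv[i] == "-a" else "reject"
            rules.append((action, argv[i + 1], argv[i + 2]))
            i += 3
        elif argv[i] in ("-p", "-s"):
            i += 2  # option plus its single value
        else:
            i += 1  # flag or the bzfs server argument
    return rules


def matches(src: str, address: str, mask: str) -> bool:
    """src matches a set iff (src & mask) == (address & mask)."""
    s = int(ipaddress.IPv4Address(src))
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return (s & m) == (a & m)


def decide(rules: List[Rule], src: str) -> str:
    """First matching -a/-r set wins; an address matching no set is rejected."""
    for action, address, mask in rules:
        if matches(src, address, mask):
            return action
    return "reject"


if __name__ == "__main__":
    # Constructed command lines built from the man page's examples;
    # bzfs.example.org is a placeholder for the real server.
    command_lines = {
        "subnet only": "-f -a 192.0.2.0 255.255.255.0 bzfs.example.org",
        "all but subnet": "-r 192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0 bzfs.example.org",
        "all but subnet, plus one host": "-a 192.0.2.1 255.255.255.255 "
        "-r 192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0 bzfs.example.org",
        "wrong order (general before specific)": "-a 0.0.0.0 0.0.0.0 "
        "-r 192.0.2.0 255.255.255.0 bzfs.example.org",
    }
    samples = ["192.0.2.1", "192.0.2.5", "198.51.100.7"]  # constructed sources
    for label, line in command_lines.items():
        rules = parse_rules(line.split())
        print(label + ":", {src: decide(rules, src) for src in samples})
```

In the reversed ordering the "-a 0.0.0.0 0.0.0.0" set matches every source first, so the "-r" set is never consulted and 192.0.2.5 is accepted; listing the specific reject set first is what makes the second example work.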
BUGS
Bzfrelay uses IP addresses for authentication and is therefore
vulnerable to address spoofing attacks.