"Perry E. Metzger" <perry@imsi.com> writes:
I'd say run socks or something similar; its a generalized port proxying facility for firewalls, but it should work fine for this.
I was reading about socks last night, and it does seem to be very close to what is needed for this. In fact, if you sat down to write a TCP connection redirector protocol for anonymous connections, socks is pretty close to what you would come up with. Socks V5 even has some encryption specified for it, although it has the deficiency that the "forwarding" connection address is sent in the clear. The basis idea of socks is very simple. A socks server runs on port 1080 on a gateway machine. If you want to make a connection through the server, connect to it on port 1080, then send a 1-byte version number, 4, a 1-byte request code, 1, the 2-byte port number you want to connect to, the 4-byte IP address you want to connect to, and then a null-terminated string which is supposed to be your user name (to help the server decide whether to allow the connection). It returns an 8-byte response message: 1 byte of version number, 4, 1 byte of result, where 0x5a means success, 2 bytes of outgoing port number and 4 bytes of server IP address. From then on, assuming success, it just forwards messages and you can talk directly to the remote machine. This lends itself nicely to chaining; simply make a socks request to the first machine, requesting it to connect to another socks machine; then send another socks request which will be interpreted by the 2nd machine, etc. You could build up chains of any size in this way, even responding dynamically to failed or refused connections. In fact, as with the CERN httpd proxy server, where existing implementations might actually be useful already for laundering web connections, it is possible that some socks implementations could be used as well. If the socks server did not check that requests came from the local site (as the httpd proxy server sometimes does not), then you could set your client to make socks connections to such a server and get anonymous web connections already. This also would mean that it might be politically easier to run a socks server than to run an anarchistic http redirector. Socks is pretty well understood by security-conscious network people so might appear to be less of a threat. Plus, if it does turn out that existing socks servers are useful for this purpose then this is something we could start using right away. Does anybody know of any sites running socks servers? I would like to experiment with whether they would accept connections and requests from remote sites. Thanks - Hal P.S. I found information about socks by searching the Internet Drafts archive at ISI. This California server is a mirror of the main one in Virginia, but is http based so is faster. Use URL http://info.internet.isi.edu/in-drafts, select "Locate internet drafts by file name", and then do a keyword search for socks. There are 3 of them, V4, V5, and one about using pem for encryption.