bzfrelay(y)

NAME
       bzfrelay - BZFlag game server firewall relay

SYNOPSIS
       bzfrelay [-a address mask] [-d] [-f] [-h] [-p port] [-r address mask]
                [-s [address][:port]] address[:port]

DESCRIPTION
       Bzfrelay relays communication between bzflag and bzfs. Its primary
       purpose is to provide a tunnel to bzfs through a firewall. Because
       security is a prime concern on a firewall, users are encouraged to
       read the source code and run it with restricted permissions. Also,
       bzfrelay rejects connections from any clients not explicitly allowed,
       and the default is to reject all connections; you must use the
       options to allow some connections for bzfrelay to be useful. In the
       interests of security (and because there's no need for it) bzfrelay
       provides no means to escape to a shell, start executables, access the
       filesystem, report system resources, etc.

   Options
       -a address mask
              Allow addresses matching address and mask. An address src
              matches iff (src & mask) == (address & mask). This option may
              appear any number of times.

       -d     Increase debugging level. This option may be specified
              multiple times to increase logging.

       -f     Run in the foreground and log to stderr. Default is to detach
              from the terminal and log to syslog.

       -h     Print help information and exit. The help information includes
              the default connect and reconnect ports.

       -p port
              Listen for reconnections on port instead of the default. The
              BZFlag protocol is broken in that it requires clients to
              connect to the server, get a port to reconnect to, disconnect,
              and reconnect on the new port (there's no reason for this
              except backward compatibility). This option overrides the
              default reconnect port number. Packet filters on the firewall
              must be configured to allow TCP packets to and from this port;
              clients will be initiating the connection. Use -h to get the
              default reconnection port number.

       -r address mask
              Reject addresses matching address and mask. An address src
              matches iff (src & mask) == (address & mask). This option may
              appear any number of times.

       -s [address][:port]
              Listen for connections on port at address. The default is to
              use the standard bzfs port and to listen on all interfaces.
              Either address or port can be omitted, but not both; the
              default is used for the omitted argument. Packet filters on
              the firewall must be configured to allow TCP packets to and
              from this port and address; clients will be initiating the
              connection. Use -h to get the default connection port number.

       address[:port]
              Relay packets to the bzfs server on port port at address. If
              port is not specified then the standard bzfs port is used.
              Packet filters on the firewall must be configured to allow
              packets to and from this address and port, but note that
              bzfrelay will be initiating these TCP connections. This
              argument is required.

   Notes
       Addresses are matched against -a and -r options in the order they
       appear on the command line. An address is accepted as soon as it
       matches an -a set and rejected as soon as it matches an -r set, so
       you must list more specific sets before more general sets. An address
       not matching any set is rejected.

   Examples
       To allow clients from any host in the 192.0.2 net only, use:

              -a 192.0.2.0 255.255.255.0

       To allow clients from any host except those in the 192.0.2 subnet,
       use:

              -r 192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0

       To also allow host 192.0.2.1, use:

              -a 192.0.2.1 255.255.255.255 -r 192.0.2.0 255.255.255.0
              -a 0.0.0.0 0.0.0.0

       To allow clients from any host, use:

              -a 0.0.0.0 0.0.0.0

       This is not recommended.

BUGS
       Bzfrelay uses IP addresses for authentication and is therefore
       vulnerable to address spoofing attacks.

SEE ALSO
       bzfs(s)
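
The first-match evaluation described under Notes, run against the rule sets from Examples, as an added sketch in Python (not bzfrelay's own code). The function names parse_rules, decide and shadowed, the MISORDERED rule set and the test addresses are assumptions made for illustration; shadowed goes one step beyond the page and reports rules that can never fire because an earlier rule already covers them.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def parse_rules(argv):
    """Collect -a/-r rules in command-line order as (allow, address, mask)."""
    rules, i = [], 0
    while i < len(argv):
        if argv[i] in ("-a", "-r"):
            if i + 2 >= len(argv):
                raise ValueError(argv[i] + " needs an address and a mask")
            rules.append((argv[i] == "-a", to_int(argv[i + 1]), to_int(argv[i + 2])))
            i += 3
        else:
            i += 1  # other options are not part of the access list
    return rules

def decide(rules, src):
    """First matching rule wins; an address matching no rule is rejected."""
    s = to_int(src)
    for allow, address, mask in rules:
        if (s & mask) == (address & mask):
            return allow
    return False

def shadowed(rules):
    """Indexes of rules that can never fire: an earlier rule matches every
    address they match (its mask bits are a subset and the fixed bits agree)."""
    dead = []
    for j, (_, aj, mj) in enumerate(rules):
        for _, ai, mi in rules[:j]:
            if (mi & mj) == mi and (aj & mi) == (ai & mi):
                dead.append(j)
                break
    return dead

# Rule sets from the Examples section, plus one constructed misordering.
ONLY_NET = parse_rules("-a 192.0.2.0 255.255.255.0".split())
ALL_BUT_NET = parse_rules("-r 192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0".split())
HOST_EXCEPTION = parse_rules(("-a 192.0.2.1 255.255.255.255 "
                              "-r 192.0.2.0 255.255.255.0 -a 0.0.0.0 0.0.0.0").split())
MISORDERED = parse_rules("-a 0.0.0.0 0.0.0.0 -r 192.0.2.0 255.255.255.0".split())

if __name__ == "__main__":
    for src in ("192.0.2.1", "192.0.2.7", "198.51.100.1"):  # constructed test addresses
        print(src, decide(HOST_EXCEPTION, src), decide(MISORDERED, src))
    print("rules that never fire in MISORDERED:", shadowed(MISORDERED))
```

In MISORDERED the general -a precedes the -r, so the reject rule is dead and every address in 192.0.2.0/24 is accepted; running a check like shadowed over a planned command line catches that ordering error before the relay is started.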