intro:
	I really need to write some proper docs, don't I :-)
	louis@steelbytes.com

support:
	http://forum.steelbytes.com


********** [ Main options ] **********
Enabled: enables/disables this port mapping

port in and bind address: is what PortTunnel will listen on.

port out and address out: is where accepted connections will have their data
tunneled to.

add to total stats: adds this entry's active connections, kb/s in and kb/s out
to the totals shown in the title bar.
********** [ end Main options ] **********


********** [ IP Security options ] **********
main text window: enter the IPs you want to accept/block.

search for ip: lets you ask which line will decide the result of a connection
request from a chosen IP.

redirect bad IPs: allows you to redirect 'blocked' ips to a different ip/port.
if this is ticked and has 0 for the port or a blank address, the IP will be
blocked. if this is ticked and has a non-zero port and a non-blank address, the
IP will be redirected.
if this is unticked and you are using win2k/xp then the IP will be blocked, and
the port placed in stealth mode (the client doesn't receive any reply to the
attempted connection); they will just time out as though there was no server
PC at the address/port at all.
if this is unticked and you are not using win2k/xp, the IP will be blocked.

advanced stuff ........
to use an external file for the ips, do something like the following
1. in the IP Security tab, enter
    i,c:\valid_ips.txt
2. create c:\valid_ips.txt, and use the same syntax inside it eg.
    y,127.0.0.1
    y,12.34.56.78
    n,*
    // etc
and then every time you modify c:\valid_ips.txt, porttunnel will notice and
reload it (it checks the date/time stamp every 30 seconds). so have your perl
script (or whatever method you choose) generate/update c:\valid_ips.txt whenever
you want. you can even 'nest' these files, ie have one c:\valid_ips.txt include
another file with the 'i' syntax. you can also have multiple includes, etc.
here's an example I just typed up, to show you the flexibility ....
----- [start example] -----
    ----- [in ftp port mapping IP security tab] -----
    i,c:\ftp_valid_ips.txt
    ----- [end] -----
    ----- [in irc port mapping IP security tab] -----
    i,c:\irc_valid_ips.txt
    ----- [end] -----
    ----- [in file c:\ftp_valid_ips.txt] -----
    i,c:\global_ban_list.txt
    y,34.56.78.99 // a friend I let use ftp
    i,c:\global_ok_list.txt
    n,*
    ----- [end] -----
    ----- [in file c:\irc_valid_ips.txt] -----
    i,c:\global_ban_list.txt
    y,12.45.12.45 // a friend I let use irc
    i,c:\global_ok_list.txt
    n,*
    ----- [end] -----
    ----- [in file c:\global_ok_list.txt] -----
    y,66.66.66.66 // a friend I let use every thing
    ----- [end] -----
    ----- [in file c:\global_ban_list.txt] -----
    n,33.44.66.77 // a lamer I hate
    ----- [end] -----
----- [end example] -----
try studying the default stuff in the IP Security tab, that has simple examples
showing the syntax.
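here's an added example (not part of PortTunnel, and not the author's code) of
how such a list is evaluated: it flattens the include files in order, takes the
first matching line, and answers the same question as the 'search for ip'
button. the file contents are the ones from the example above, embedded as
constructed strings so it runs offline. the octet-wise wildcard, the include
depth limit and the 'no match means blocked' default are assumptions made here,
not documented PortTunnel behaviour.

```python
"""Evaluate a PortTunnel-style IP Security list (added example, not PortTunnel's code).

Syntax as shown in the docs:
    y,<ip>      accept
    n,<ip>      block
    i,<file>    include another list file (may nest)
    // comment  (also allowed after a rule)
    *           wildcard; assumed here to match any octet, so "n,*" blocks all
The first matching line decides.  A list with no matching line is treated as
blocked (assumption: the docs' examples always end with "n,*").
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-ins for the files in the docs' example, so the block runs
# offline.  load_list() can equally read real files (see usage note).
SAMPLE_FILES: Dict[str, str] = {
    r"c:\ftp_valid_ips.txt": (
        "i,c:\\global_ban_list.txt\n"
        "y,34.56.78.99 // a friend I let use ftp\n"
        "i,c:\\global_ok_list.txt\n"
        "n,*\n"
    ),
    r"c:\global_ok_list.txt": "y,66.66.66.66 // a friend I let use every thing\n",
    r"c:\global_ban_list.txt": "n,33.44.66.77 // a lamer I hate\n",
}

Rule = Tuple[str, str, str, int]   # (action, pattern, source file, line number)


def _strip_comment(line: str) -> str:
    return line.split("//", 1)[0].strip()


def expand(text: str, source: str, read: Callable[[str], str], depth: int = 0) -> List[Rule]:
    """Flatten a list and its includes (in order) into a single rule list."""
    if depth > 16:  # guard against an include loop (a.txt including a.txt)
        raise RecursionError("include nesting too deep at %s" % source)
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        kind, _, arg = line.partition(",")
        kind, arg = kind.strip().lower(), arg.strip()
        if kind == "i":
            rules.extend(expand(read(arg), arg, read, depth + 1))
        elif kind in ("y", "n"):
            rules.append((kind, arg, source, lineno))
        else:
            raise ValueError("%s:%d: unknown rule %r" % (source, lineno, raw))
    return rules


def matches(pattern: str, ip: str) -> bool:
    """Octet-wise match: '*' matches one octet, a bare '*' matches everything (assumption)."""
    if pattern == "*":
        return True
    pat, octs = pattern.split("."), ip.split(".")
    return len(pat) == len(octs) and all(p == "*" or p == o for p, o in zip(pat, octs))


def search_for_ip(rules: List[Rule], ip: str) -> Optional[Rule]:
    """Equivalent of the 'search for ip' button: the first line that matches decides."""
    for rule in rules:
        if matches(rule[1], ip):
            return rule
    return None


def is_allowed(rules: List[Rule], ip: str) -> bool:
    hit = search_for_ip(rules, ip)
    return hit is not None and hit[0] == "y"


def load_list(entry_text: str, read: Callable[[str], str] = lambda p: SAMPLE_FILES[p]) -> List[Rule]:
    """entry_text is what is typed in the IP Security tab, e.g. 'i,c:\\ftp_valid_ips.txt'."""
    return expand(entry_text, "<IP Security tab>", read)


if __name__ == "__main__":
    rules = load_list(r"i,c:\ftp_valid_ips.txt")
    for ip in ("34.56.78.99", "66.66.66.66", "33.44.66.77", "1.2.3.4"):
        print(ip, "allowed" if is_allowed(rules, ip) else "blocked", search_for_ip(rules, ip))
```

to evaluate real files instead of the embedded strings, pass
read=lambda p: open(p).read() to load_list(). note that the global ban list is
included before the per-service 'y' lines, which is what makes a banned IP lose
even if it is also listed as a friend lower down.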
********** [ end IP Security options ] **********


********** [ HTTP options ] **********
prefix http 1.1 connect: this is for tunneling out through a proxy.
eg. you are at work, and work only allows you to connect to the internet via a
proxy, but you want to use IRC.
	1.	create a port mapping on 127.0.0.1:6667 redirecting to the proxy
		address (eg proxy.company.local:8080).
	2.	tick prefix http connect, and enter the details of the irc
		server eg ircserver.ircnetwork.net:6667
	3.	point your IRC client to 127.0.0.1:6667.
note: this won't work in all cases, as sometimes the proxy is configured to
disallow connections with this method to some ports.

Add ProxyAuthenticate: use this in the above example if the proxy server
requires a user/password (only works with 'basic' style proxy authentication)
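here's an added example (not PortTunnel's own code) of what the prefix looks
like on the wire for the IRC setup above, with and without the basic
proxy authentication, and how to tell from the proxy's reply whether the tunnel
was established. the host names, user name and the two proxy replies are
constructed; the CONNECT and Proxy-Authorization formats are the standard
HTTP/1.1 ones.

```python
"""HTTP/1.1 CONNECT prefix with optional Basic proxy auth (added example, not PortTunnel's code).

Assumptions: the proxy accepts CONNECT, and 'Add ProxyAuthenticate' corresponds
to a Proxy-Authorization header using the Basic scheme, the only scheme the
docs say is supported.
"""
import base64
from typing import Optional, Tuple


def connect_prefix(target_host: str, target_port: int,
                   user: Optional[str] = None, password: Optional[str] = None) -> bytes:
    """Return the request line + headers sent before the raw IRC (or other) stream."""
    lines = [
        "CONNECT %s:%d HTTP/1.1" % (target_host, target_port),
        "Host: %s:%d" % (target_host, target_port),
    ]
    if user is not None:
        # Basic = base64("user:password"); it is only encoded, not encrypted
        token = base64.b64encode(("%s:%s" % (user, password or "")).encode("utf-8")).decode("ascii")
        lines.append("Proxy-Authorization: Basic " + token)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_reply(data: bytes) -> Tuple[int, bytes]:
    """Split the proxy's reply into (status code, bytes after the header block).

    Anything after the blank line already belongs to the tunneled stream and
    must be handed to the client rather than dropped.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy reply")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1]), rest


def tunnel_established(reply: bytes) -> bool:
    """Any 2xx means the proxy opened the tunnel; 407 means it wants credentials."""
    return 200 <= parse_connect_reply(reply)[0] < 300


if __name__ == "__main__":
    print(connect_prefix("ircserver.ircnetwork.net", 6667, "alice", "s3cret").decode())
    # constructed replies: one proxy that opens the tunnel, one that demands auth
    print(tunnel_established(b"HTTP/1.1 200 Connection established\r\n\r\n"))
    print(tunnel_established(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                             b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n"))
```

a 407 reply with a Proxy-Authenticate header naming a scheme other than Basic
(eg NTLM or Digest) is the case the docs mean by "only works with 'basic' style
proxy authentication".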

Fix Port Numbers: this will change the port number in the http url request
(including Header and Location). Why? If you are redirecting, say, from port
80 to 81, then without this the http server would receive a request with port
80 in the url, which may confuse it since it thinks it's on 81.  Note there is
currently a side effect of this switch: if the http server replies with a
redirect (eg http 301 or 302) that points to a different server, then the port
may be incorrectly changed by PortTunnel.
eg (assuming that porttunnel is listening on 81, and the http server is on 82)
     client sends
         GET http://test.server:81/folder HTTP/1.1
         Host: test.server
     portTunnel changes it to
         GET http://test.server:82/folder HTTP/1.1
         Host: test.server:82
     and IIS will send back a
         HTTP/1.0 302 Moved Temporarily
         Location: http://test.server:82/folder/
     and PortTunnel changes it to
         HTTP/1.0 302 Moved Temporarily
         Location: http://test.server:81/folder/
note: if a port to be added/changed in the url is 80, then it is omitted,
as port 80 is the default for http, and is therefore not required.

Add X-Client-Address to request header: adds a line to the request of the form
	X-Client-Address: aaa.bbb.ccc.ddd
this may be useful for some logging or scripting purposes.
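here's an added example (not PortTunnel's own code) of both of the above
rewrites applied to the header block of an HTTP message: the 81/82 request and
302 reply from the Fix Port Numbers example, plus the X-Client-Address line.
it deliberately reproduces the documented side effect (a redirect to a
different server on the server's port is rewritten too). the treatment of a
missing port as "the port this message arrived on" is an assumption based on
the note that ports are added as well as changed; IPv6 literals are not
handled.

```python
"""'Fix Port Numbers' and 'Add X-Client-Address' rewrites (added example, not PortTunnel's code).

Assumptions, as the docs describe:
  * client -> server: the port in the request-line URL and the Host header is
    changed from the listening port to the server's port;
  * server -> client: the port in Location headers is changed back;
  * port 80 is omitted rather than written out;
  * an authority with no explicit port is taken to mean the port the message
    arrived on, so a port may be added (assumption).
"""
import re
from typing import Optional

_URL_AUTH = re.compile(r"^(https?://)([^/\s]+)(.*)$", re.S)


def _fmt_authority(host: str, port: int) -> str:
    return host if port == 80 else "%s:%d" % (host, port)


def _swap_port(authority: str, old: int, new: int) -> str:
    """authority is 'host' or 'host:port' (IPv6 literals are not handled here)."""
    host, sep, port = authority.rpartition(":")
    if not sep:
        host, port = authority, str(old)   # no explicit port: assumed to be 'old'
    if not port.isdigit() or int(port) != old:
        return authority                   # some other port: leave it alone
    return _fmt_authority(host, new)


def _swap_in_url(url: str, old: int, new: int) -> str:
    m = _URL_AUTH.match(url)
    if not m:
        return url                         # relative URL or origin-form request
    return m.group(1) + _swap_port(m.group(2), old, new) + m.group(3)


def fix_request(msg: str, listen_port: int, server_port: int,
                client_address: Optional[str] = None) -> str:
    """client -> server: absolute-URI request line, Host header, optional X-Client-Address."""
    lines = msg.split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    lines[0] = " ".join((method, _swap_in_url(url, listen_port, server_port), version))
    for i, line in enumerate(lines[1:], 1):
        if line.lower().startswith("host:"):
            lines[i] = "Host: " + _swap_port(line[5:].strip(), listen_port, server_port)
    if client_address is not None:
        # 'Add X-Client-Address': inserted just before the blank line ending the headers
        lines.insert(lines.index(""), "X-Client-Address: " + client_address)
    return "\r\n".join(lines)


def fix_response(msg: str, listen_port: int, server_port: int) -> str:
    """server -> client: Location headers in redirects, translated back."""
    lines = msg.split("\r\n")
    for i, line in enumerate(lines):
        if line.lower().startswith("location:"):
            lines[i] = "Location: " + _swap_in_url(line[9:].strip(), server_port, listen_port)
    return "\r\n".join(lines)


if __name__ == "__main__":
    # the docs' own example: porttunnel on 81, http server on 82
    req = "GET http://test.server:81/folder HTTP/1.1\r\nHost: test.server\r\n\r\n"
    print(fix_request(req, 81, 82, client_address="10.0.0.5"))
    resp = "HTTP/1.0 302 Moved Temporarily\r\nLocation: http://test.server:82/folder/\r\n\r\n"
    print(fix_response(resp, 81, 82))
```

the same code run with listen port 8080 and server port 80 shows the
port-80 rule: "test.server:8080" becomes plain "test.server" rather than
"test.server:80".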
********** [ end HTTP options ] **********


********** [ FTP options ] **********
translate ftp port and pasv: if you are redirecting an ftp connection, tick this
(this is also known as 'FTP Bouncing'). PortTunnel will create port mappings for
each data connection as needed when this is ticked.

use alternate address in pasv replies: this is for when your ftp server is behind
a nat/router/etc.  tick this, and stick in the public ip of the nat/router.

Only for clients in a different subnet (Class C): the alternate address will
only be used if the client is connecting from an IP that is not in the same
class C subnet. (eg 192.168.0.1 and 192.168.0.10 are on the same class C
subnet, but 192.168.0.1 and 192.168.1.1 are not)

Use the following port range for pasv: this is if you wish to restrict the port
range used for PASV mode transfers.

eg1, your ftp server is on a home lan behind a hardware router/nat (eg a
cable/xdsl sharing device from the likes of netgear).
do the following.
	1.	install porttunnel on a pc on the lan. and configure a mapping
		with the following settings
		a.	listen on port 0.0.0.0:21
		b.	redirect to ftp-server-lan-ip:1021
		c.	tick translate port & pasv
		d.	tick use alternate pasv address, and enter the public
			address of the nat/router (can be a dns name - eg
			myaddress.dyndns.org)
		e.	tick use the following port range, and enter 5001-5020
	2.	configure ftp-server to listen on port 1021
	3.	configure router/nat to redirect port 21 and ports 5001-5020 to
		the lan-ip of the pc with porttunnel.
if you have problems connecting to this server from other PCs on the same LAN,
then tick the 'Only for clients in a different subnet' option.

eg2, your ftp server is on a home lan behind a windows router/nat (eg ICS in a
recent version of windows, or wingate, etc)
	1.	install porttunnel on the router pc. and configure a mapping
		with the following settings
		a.	listen on port 0.0.0.0:21
		b.	redirect to ftp-server-lan-ip:1021
		c.	tick translate port & pasv
	2.	configure ftp-server to listen on port 1021

note1: port 1021 has been used here as an example. any port that does not clash
       with anything else is ok.
note2: some nat/routing devices may mess with the data stream if you use port 21.
       therefore, if you have problems, try a different port like 1021.
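here's an added example (not PortTunnel's own code) of the PASV side of
"translate ftp port and pasv" for the eg1 layout: the server's 227 reply is
parsed, a listening port is taken from the 5001-5020 range, a per-data-connection
mapping back to the server is recorded, and the reply is rewritten with either
the router's public address or the LAN address, depending on the client's
class C subnet. the server reply, client addresses and public address are
constructed; the assumption that the subnet test is made against the address
the client connected to, and that a dns-name alternate address has already been
resolved, are mine. the PORT (active mode) direction is not shown.

```python
"""PASV reply translation with alternate address and port range (added example, not PortTunnel's code).

Assumes the eg1 layout: PortTunnel on a LAN PC, the ftp server elsewhere on the
LAN, the router's public IP as the alternate address (already resolved if it
was given as a dns name), and 5001-5020 as the PASV port range.
"""
import ipaddress
import re
from typing import Dict, Optional, Set, Tuple

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> ('h1.h2.h3.h4', p1*256+p2)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(ip: str, port: int) -> str:
    octets = str(ipaddress.IPv4Address(ip)).replace(".", ",")   # rejects unresolved names
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (octets, port // 256, port % 256)


def same_class_c(a: str, b: str) -> bool:
    """The docs' 'same subnet (Class C)' test: same first three octets, i.e. same /24."""
    return ipaddress.ip_address(a) in ipaddress.ip_network(b + "/24", strict=False)


class PasvTranslator:
    def __init__(self, alternate_address: Optional[str], port_range: Tuple[int, int],
                 only_different_subnet: bool = False):
        self.alternate = alternate_address
        self.low, self.high = port_range
        self.only_different_subnet = only_different_subnet
        self.in_use: Set[int] = set()
        # listen port on the PortTunnel PC -> (server ip, server data port): the
        # per-data-connection mapping the docs say is created "as needed"
        self.mappings: Dict[int, Tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        for p in range(self.low, self.high + 1):
            if p not in self.in_use:
                self.in_use.add(p)
                return p
        raise RuntimeError("PASV port range %d-%d exhausted" % (self.low, self.high))

    def translate(self, server_reply: str, client_ip: str, tunnel_ip: str) -> str:
        """Rewrite the server's 227 reply into the one the client should see.

        tunnel_ip is the address the client reached PortTunnel on; the subnet
        test is made against it (assumption).
        """
        server_ip, server_port = parse_pasv(server_reply)
        listen_port = self._allocate_port()
        self.mappings[listen_port] = (server_ip, server_port)
        use_alternate = self.alternate is not None and (
            not self.only_different_subnet or not same_class_c(client_ip, tunnel_ip))
        return format_pasv(self.alternate if use_alternate else tunnel_ip, listen_port)

    def release(self, listen_port: int) -> None:
        """Call when the data connection closes so the port can be reused."""
        self.in_use.discard(listen_port)
        self.mappings.pop(listen_port, None)


if __name__ == "__main__":
    t = PasvTranslator("198.51.100.9", (5001, 5020), only_different_subnet=True)
    reply = "227 Entering Passive Mode (192,168,0,20,4,1)\r\n"      # constructed
    print(t.translate(reply, "203.0.113.7", "192.168.0.10"))        # internet client
    print(t.translate(reply, "192.168.0.33", "192.168.0.10"))       # LAN client
    print(t.mappings)
```

the internet client is told 198,51,100,9,19,137 (port 5001 = 19*256 + 137),
which is why the router must forward 5001-5020 to the PortTunnel PC; the LAN
client is told the LAN address instead, which is the problem the 'Only for
clients in a different subnet' option exists to solve.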

Add IDNT: if the target ftp server accepts or requires IDNT, tick this. Note with
RaidenFTPD to use IDNT, you have to add the IP of the PC running PortTunnel to
the BOUNCERIP= line in the .ftpd file.

********** [ end FTP options ] **********


********** [ SMTP options (licensed only)] **********
relay filtering ....
********** [ end SMTP options ] **********


********** [ SSL options (licensed only)] **********
read all the legal stuff about openssl on www.openssl.org, and make sure you are
allowed to do this first .... :-)

[old] download http://www.modssl.org/contrib/openssl-0.9.6c-win32.zip
[old] and place libeay32.dll and ssleay32.dll in the same folder as
[old] porttunnel.exe. If the files are found the message 'OpenSSL not found'
[old] is replaced by the OpenSSL version found and its release date.

[new] openssl 0.9.7 dlls are now included in the standard msi of PortTunnel
[new] Note: the 0.9.6 dlls will not work with porttunnel anymore.

connection from client to porttunnel: the following values are for connections
between a client, e.g. a web browser, and porttunnel.

connection from porttunnel to server: the following values are for connections
between porttunnel and a server, e.g. a web server.

note: if the connection from the server is already encrypted and the client
should use the server's encryption and server certificates, you should choose the
encryption method none at this point, to keep the original encryption.

method: choose an encryption method out of none, ssl v2, ssl v3, ssl v2/3, tls
v1.

ciphers: choose some ciphers out of EXPORT:@STRENGTH and ALL:@STRENGTH or enter
others by yourself (further information at www.openssl.org).

certificate: enter the FULL PATH to your certificate file and choose the
corresponding format from the listbox. Please make sure the security (under
NTFS) is set right.

key: enter the FULL PATH to your key file and choose the corresponding format
from the listbox. Please make sure the security (under NTFS) is set right. If
the key is stored in the certificate file, you can leave this field blank.

password: if the private key has a password, enter it here. you can also remove
the password from the key file by entering "openssl rsa -in key.pem -out key.pem".
this process needs you to enter the password once.

how to make a "self signed" certificate:
	grab openssl.exe from the above zip or compile it from the source on
	www.openssl.org. place it, and the two dlls, in a folder along with
	openssl.cnf (grabbed from the source tar on openssl.org)

	openssl req -new -x509 -newkey rsa:1024 -nodes -days 9999 -config openssl.cnf -out steelbytes.pem -keyout steelbytes.pem
		Country Name (2 letter code) []: AU
		State or Province Name (full name) []: Victoria
		Locality Name (eg, city) []: Melbourne
		Organization Name (eg, company) []: www.SteelBytes.com
		Organizational Unit Name (eg, section) []:
		Common Name (eg, YOUR name) []: *.steelbytes.com
		Email Address []:

how to then test it:

	openssl s_server -accept 443 -cipher ALL:@STRENGTH -www -bugs -cert steelbytes.pem
	start https://www.steelbytes.com/

notes:
	* Internet Explorer seems to prefer SSL v2/3
	* I don't currently distribute compiled versions of the openssl dll
	  files for legal reasons (I've gotta look into if it's ok in Australia)
	* tested with, 0.9.6c dlls from modssl.org, and 0.9.6d (compiled with
	  VS.NET)
	* Refer to the following URL to learn how to get your MS IIS keys
	  working with openssl (replace ssleay through openssl there):
	  http://www.thawte.com/support/server/msiis4.html#iistossl
	* Refer to the following URL to learn more about the pem format in
	  conjunction with ssl certs bought from a CA:
	  http://www.thawte.com/support/server/apachessl.html#pemcert
********** [ end SSL options ] **********


********** [ logging and stats options ] **********
logging: this will log info about connections and disconnections and errors etc.
errors will log only errors (eg can't connect to target), warnings will log
errors+warnings (eg dropped connections), connections will log
errors+warnings+connections (eg connection from client has been successfully
redirected to target), full will log everything.

all data: useful for debugging problems - will dump all data to numbered files
in this folder (new number for each connection). note, this is the data received 
by porttunnel, but may not be what is transmitted by porttunnel. (eg if
porttunnel is translating ftp port/pasv, then this is a dump of the untranslated 
data)

write stats: exports connection stats (number of connects, blocks, KB throughput
etc) to a file.

date format:
	d     Day of month as digits with no leading zero for single-digit days.
	dd    Day of month as digits with leading zero for single-digit days.
	ddd   Day of week as a three-letter abbreviation.
	dddd  Day of week as its full name.
	M     Month as digits with no leading zero for single-digit months.
	MM    Month as digits with leading zero for single-digit months.
	MMM   Month as a three-letter abbreviation.
	MMMM  Month as its full name.
	y     Year as last two digits, but with no leading zero for years less
	      than 10.
	yy    Year as last two digits, but with leading zero for years less
	      than 10.
	yyyy  Year represented by full four digits.
	gg    Period/era string. This element is ignored if the date to be
	      formatted does not have an associated era or period string.
	For example, to get the following
		Wed, Aug 31 94
	use the following string
		ddd',' MMM dd yy

time format:
	h     Hours with no leading zero for single-digit hours; 12-hour clock 
	hh    Hours with leading zero for single-digit hours; 12-hour clock 
	H     Hours with no leading zero for single-digit hours; 24-hour clock 
	HH    Hours with leading zero for single-digit hours; 24-hour clock 
	m     Minutes with no leading zero for single-digit minutes 
	mm    Minutes with leading zero for single-digit minutes 
	s     Seconds with no leading zero for single-digit seconds 
	ss    Seconds with leading zero for single-digit seconds 
	t     One character time marker string, such as A or P 
	tt    Multicharacter time marker string, such as AM or PM 
	For example, to get the following
		11:29:40 PM
	use the following string
		hh':'mm':'ss tt
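here's an added example (not PortTunnel's own code) of a formatter for these
date and time pictures, so you can check what a string will produce before
putting it in the options. it reproduces the two examples above. english day
and month names, single-quoted literals, and 'gg' producing nothing (no era, as
the text says) are assumptions made here.

```python
"""Formatter for the date/time picture strings above (added example, not PortTunnel's code).

Assumptions: English day/month names; text inside single quotes is copied
literally; 'gg' gives an empty string because the date has no era string.
"""
import datetime as _dt
from typing import Iterator, Tuple

_DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
_MONTHS = ["January", "February", "March", "April", "May", "June", "July",
           "August", "September", "October", "November", "December"]


def _tokens(picture: str) -> Iterator[Tuple[str, str]]:
    """Yield ('lit', text) for literal text and ('run', 'dddd') for a run of one picture letter."""
    i = 0
    while i < len(picture):
        c = picture[i]
        if c == "'":
            j = picture.find("'", i + 1)
            if j < 0:
                raise ValueError("unterminated quote in %r" % picture)
            yield "lit", picture[i + 1:j]
            i = j + 1
        elif c.isalpha():
            j = i
            while j < len(picture) and picture[j] == c:
                j += 1
            yield "run", picture[i:j]
            i = j
        else:
            yield "lit", c       # separators such as ':' or ' ' outside quotes
            i += 1


def _date_field(run: str, d: _dt.date) -> str:
    c, n = run[0], len(run)
    if c == "d":
        name = _DAYS[d.weekday()]
        return {1: str(d.day), 2: "%02d" % d.day, 3: name[:3]}.get(n, name)
    if c == "M":
        name = _MONTHS[d.month - 1]
        return {1: str(d.month), 2: "%02d" % d.month, 3: name[:3]}.get(n, name)
    if c == "y":
        return {1: str(d.year % 100), 2: "%02d" % (d.year % 100)}.get(n, "%04d" % d.year)
    if c == "g":
        return ""                # era string: assumed absent, so the element is ignored
    raise ValueError("unknown date picture element %r" % run)


def _time_field(run: str, t: _dt.time) -> str:
    c, n = run[0], len(run)
    h12 = t.hour % 12 or 12
    am = t.hour < 12
    table = {                    # (one-letter form, two-letter form)
        "h": (str(h12), "%02d" % h12),
        "H": (str(t.hour), "%02d" % t.hour),
        "m": (str(t.minute), "%02d" % t.minute),
        "s": (str(t.second), "%02d" % t.second),
        "t": ("A" if am else "P", "AM" if am else "PM"),
    }
    if c not in table:
        raise ValueError("unknown time picture element %r" % run)
    return table[c][min(n, 2) - 1]


def format_date(picture: str, d: _dt.date) -> str:
    return "".join(text if kind == "lit" else _date_field(text, d) for kind, text in _tokens(picture))


def format_time(picture: str, t: _dt.time) -> str:
    return "".join(text if kind == "lit" else _time_field(text, t) for kind, text in _tokens(picture))


if __name__ == "__main__":
    print(format_date("ddd',' MMM dd yy", _dt.date(1994, 8, 31)))   # Wed, Aug 31 94
    print(format_time("hh':'mm':'ss tt", _dt.time(23, 29, 40)))    # 11:29:40 PM
```

note the quotes around the comma and colons: outside quotes any letter is a
picture element, so an unquoted separator that happens to be a letter would be
misread.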
********** [ end logging and stats options ] **********


********** [ Misc options ] **********
idle disconnect: allows you to set the number of seconds of inactivity after
which a connection is automatically disconnected, to the value entered at number
of seconds until disconnect.

limit bandwidth in: allows you to limit the bandwidth which is provided per
incoming connection to the value entered at bandwidth limit.

limit bandwidth out: same per outgoing connection

buf size: if you feel porttunnel is slowing down your throughput, try increasing
this value. (only likely to be necessary on very high volume connections)

limit simultaneous connections: allows you to define how many connections can be
using the mapping at once (connection attempts above this will be blocked).

Force OOB inline: fixes a few issues with some ftp clients (I've only seen it
needed with Bullet Proof FTP client)
********** [ end Misc options ] **********


********** [ TIPS / FAQ ] **********

1. if using IIS for either FTP or HTTP services, IIS will by default 
(on win2000 and winxp) bind to 0.0.0.0 regardless of what IP you specify.
this can be disabled by:
	cd c:\inetpub\adminscripts
	cscript adsutil.vbs set w3svc/disablesocketpooling true
	cscript adsutil.vbs set msftpsvc/disablesocketpooling true
see MS KB article Q238131 for more info or do a google

for win2003/iis6, read Microsoft Knowledge Base Article - 813368 
'IIS 6.0: Setting Metabase Property DisableSocketPooling Has No Effect'

2. I get "ServiceStart(NT) returned: Overlapped I/O operation in progress"
I have seen this error when you are trying to use it from a location that is
not available to the system at boot time, eg a network drive. (Don't ask me why
it returns such an error code, blame MS.)
If that is not the case, check the NT service list to see if PortTunnel is
listed (running or not). If it is, you can remove it from the list by pressing
stop (this will stop it if it is running, and remove it from the NT service
list). This can be a problem, because if you, say, use "net stop PortTunnel" to
stop PortTunnel, then copy in a new one at a different location, and delete the
old one, when you press start in PortTunnel, it sees the service in the nt list,
and just does a "net start PortTunnel" which fails, because the entry in the
service list points to the old location of porttunnel.exe, whereas if
porttunnel doesn't see it when you press start, it adds it and then does a
"net start PortTunnel".
NOTE: PortTunnel doesn't actually do a "net start/stop", it instead does the
equivalent through the win32 service api.  I just referred to it like that above,
so as to hopefully make it clear.

********** [ end TIPS / FAQ ] **********
