1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
|
.\" From: /3a/socks/man/RCS/socks.conf.4,v 2.11 1995/05/05 18:05:26 lamont Exp
.Dd May 5, 1995
.Os FreeBSD
.Dt M3SOCKS.CONF 5
.Sh NAME
.Nm m3socks.conf
.Nd configuration file for Modula-3 socks clients
.Sh DESCRIPTION
The Modula-3 SOCKS library reads its configuration information from
.Pa /usr/local/etc/m3socks.conf
when
.Fn bind
or
.Fn connect
is called.
If the file does not exist, then the environment variable
.Ev SOCKS_CONF
is expected to give the name of the configuration file.
.Pp
Each non-blank, non-comment line in the file contains a direction on how
to process requests that match certain criteria.
Comments are denoted by a
.Ql #
at any point in the line prior to the
.Ic : Ns Ar shellcmd ,
if present.
Non-comment lines take the form:
.Pp
.Bl -item -compact
.It
.Ic bind default Ns \*(Ba Ns Ic wild
.It
.Ic domain Ar domain
.It
.Ic nameserver Ar nameserver
.It
.Ic findserver Ar findserver
.It
.Ic sockd
.Op Ic @= Ns Ar server
.Op Ic *= Ns Ar users
.Ar destspec
.Op Ar op Ar dport Op Ar dport2
.Op Ic : Ns Ar shellcmd
.It
.Ic direct
.Op Ic *= Ns Ar users
.Ar destspec
.Op Ar op Ar dport Op Ar dport2
.Op Ic : Ns Ar shellcmd
.It
.Ic deny
.Op Ic *= Ns Ar users
.Ar destspec
.Op Ar op Ar dport Op Ar dport2
.Op Ic : Ns Ar shellcmd
.El
.Pp
Fields are constructed as follows:
.Bl -tag -width Fl
.It Ar domain
The
.Dq local
domain: the default name resolver is assumed to have
information for all hosts in
.Ar domain .
The user can override this field using the
.Ev SOCKS_LOCAL_DOMAIN
environment variable.
To indicate that the default server is able to resolve all addresses,
use the command:
.Ql domain \&. .
.It Ar nameserver
A comma separated list of name servers that are able to resolve addresses
outside of
.Ar domain .
The user can override this field using the
.Ev SOCKS_NS
environment variable.
.It Ar findserver
One of
.Ic Yes
or
.Ic \&No .
The default is
.Ic Yes .
If set, the client will attempt to find the
.Dq best
SOCKS server, based
on the results of looking up
.Ar destnet Ns Ic .socks-addr
(note that this is not an FQDN).
.Ar destnet
consists of the first one, two, or three octets of the destination network,
depending on whether the destination network is class A, B, or C. The octets
are used in reverse order, just like
.Ic IN-ADDR.ARPA .
For example, if the destination address is 129.105.69.100, then a search for
TXT records for '105.129.socks-addr' would be made. If any TXT records are
found, the record is prepended
to the list of servers from the config file. There is no environment
variable to override this.
.Pp
If clear
.Pq Ic findserver Ic \&No ,
then the lookup is not performed.
.It Ar server
A comma separated list of SOCKS servers that can
be used as proxy for this destination. No spaces or tabs are allowed
inside the list. Names beginning with a
.Ql $
are expanded from the users
environment. Each server in the list is tried until a successful
connection is established. When a server has multiple addresses, it
is assumed to be a group of hosts: the address list is randomized and
each address is tried before proceeding to the next name in the list.
The user can override this field using the
.Ev SOCKS_SERVER
environment variable.
.It Ar users
Specifies the users on the requesting host (not the destination host
or server host) to whom this line should apply. This is a comma
separated list of names and/or filenames, with no spaces or tabs.
Filenames must be fully qualified with a leading
.Ql / .
Inside the file, user names may be listed one or several
per line, with spaces, tabs, and commas being valid separators.
The appearance of
.Ql #
marks the remainder of the line as a comment. Each line in a file
is limited to 1023 characters. If
.Ar users
is omitted, the line applies to all users.
.It Ar destspec
The destination specification, which is either
.Ar daddr dmask
or
.Ic *. Ns Ar some.domain ,
which indicates that the line applies to all IP addresses
whose reverse lookup, using
.Fn gethostbyaddr ,
produces a name ending in
.Ql Cm . Ns Ar some.domain .
.It Ar daddr
The destination address to which this line applies. This is
usually specified in dotted form (e.g., 15.28.96.137).
If a hostname is used, then the first address returned by
.Fn gethostbyname
is used.
.It Ar dmask
Mask for
.Ar daddr ,
in dotted form. Bits in
.Ar dmask
which are 0 are ignored in
.Ar daddr .
Specifying 255.255.255.255 requires an exact match, while 0.0.0.0 matches
regardless of the value of
.Ar daddr .
This is the same way netmasks are specified, and is the opposite
of the interpretation used in older versions of SOCKS.
.It Ar op dport Op Ar dport2
A constraint on the destination TCP port.
If
.Ar op
is
.Ic eq ,
.Ic neq ,
.Ic \< ,
.Ic gt ,
.Ic le ,
or
.Ic ge ,
the destination port must have the corresponding relation to
.Ar dport .
If
.Ar op
is
.Ic btw ,
the destination port must be between
.Ar dport
and
.Ar dport2 ,
inclusive.
.It Ic : Ns Ar shellcmd
When the line is matched,
.Ar shellcmd
is passed to
.Pa /bin/sh ,
with stdin, stdout, and stderr redirected to
.Pa /dev/null .
The following substitutions occur before the string
is presented to the shell:
.Bl -tag -width \&%Xxx
.It Cm \&%A
replaced by the client host's domainname if known,
by its IP address otherwise.
.It Cm \&%a
replaced by the client host's IP address.
.It Cm \&%c
replaced by
.Ql connect
or
.Ql bind .
.It Cm \&%p
replaced by the process id of the client program.
.It Cm \&%S
replaced by the service name (e.g., ftp) if known,
by the destination port number otherwise.
.It Cm \&%s
replaced by the destination port number.
.It Cm \&%U
replaced by the user-id at login.
.It Cm \&%u
replaced by the effective user-id.
.It Cm \&%Z
replaced by the destination host's domainname if known,
by its IP address otherwise.
.It Cm \&%z
replaced by the destination host's IP address.
.It Cm \&%%
replaced by a single
.Ql \&% .
.El
.El
.Sh EXAMPLES
All connections to net 15 are local:
.Dl Ic direct 15.0.0.0 255.0.0.0
.Pp
Deny all requests destined for hosts on network 23:
.Dl Ic deny 23.0.0.0 255.0.0.0
.Pp
Use the server my-server for hosts on network 36:
.Dl Ic sockd @=my-server 36.0.0.0 255.0.0.0
.Pp
A typical complete configuration file:
.Bd -literal -offset indent
# The default name server is used for addresses inside
# the FreeBSD.org domain.
domain FreeBSD.org
# ns.FreeBSD.org is used as the name server for addresses
# outside FreeBSD.org.
nameserver ns.FreeBSD.org
# Don't find socks servers automatically.
findserver No
# All local connections are direct.
direct *.FreeBSD.org
# All other connections use the SOCKS server
# on socks.FreeBSD.org.
sockd @=socks.FreeBSD.org 0.0.0.0 0.0.0.0
.Ed
.Sh SEE ALSO
.Xr m3socks 1
.Sh AUTHORS
SOCKS was developed by David Koblas and Ying-Da Lee.
The HP enhancements were done by LaMont Jones.
|
