SOCKS clients configuration file
/etc/socks.conf
All SOCKS client programs use this file to:
Each line in the file may be up to 1024 characters long. Lines starting with a number sign (#) are comments. Lines that aren't comments must be of one of the three forms:
deny [*=userlist] dst_addr dst_mask [op dst_port] [: shell_cmd] direct [*=userlist] dst_addr dst_mask [op dst_port] [: shell_cmd] sockd [@=serverlist] [*=userlist] dst_addr dst_mask [op dst_port] [: shell_cmd]
A deny line tells the SOCKS clients when to reject a request.
A direct line tells when to use a direct connection.
A sockd line tells when to use a proxy connection and, optionally, which SOCKS proxy server or servers to try.
Spaces and tabs separate the fields. Fields enclosed in square brackets are optional. The fields are:
The filenames must be full pathnames with the leading /. Inside the specified files, userids may be listed one or several per line, with any combination of blanks, tabs, and commas as separators.
A # at the beginning of a line marks the remainder of the line as a comment. Each line in these files may be up to 1023 characters long. If the *= userlist field is omitted, the line applies to all userids.
Bits in dst_mask that are set to 0 indicate the bit positions to be masked off (i.e. ignored) during comparison of dst_addr and the actual destination IP address.
For example, specifying 255.255.255.255 in dst_mask demands an exact match with dst_addr, whereas 0.0.0.0 is an address match no matter what is specified for dst_addr. (Note that this is the same way netmasks are interpreted, but is the direct opposite of how the address masks are used in Cisco router access lists.)
You can use only commas as separator -- no spaces or tabs are allowed in the list. Although domain names of the servers may be used in the list, it's probably more prudent to specify IP addresses.
If the serverlist field is omitted, the client program uses the default SOCKS proxy server, which is determined by the environment variable SOCKS_SERVER or by the name compiled into the SOCKS client program.
Consider this sockd line:
sockd @=1.2.3.4 *=boss,root 11.12.13.14 255.255.255.255 eq telnet
To match the condition indicated in this line, a request must come from a local user whose effective id is either boss or root, the destination IP address must be 11.12.13.14 exactly, and the service requested must be telnet. In that case, connection to host 11.12.13.14 should be done via a SOCKS proxy server on host 1.2.3.4.
Every time a SOCKS client has to make a network connection, it checks the pending request against the /etc/socks.conf file, one line at a time. Once the client finds a line with conditions that are matched by the request, the action specified on that line is taken. The remaining lines of /etc/socks.conf are skipped. If no matching line is found throughout the file, the request is denied.
The order of the lines in the file is extremely important -- switch two lines and you may have entirely different results! |
These characters: | Are replaced by: |
---|---|
%A | The client host's domain name if known; by its IP address otherwise |
%a | The client host's IP address |
%c | "connect" or "bind" |
%p | The client program's process ID |
%S | The service name (e.g. ftp) if known; by the destination port number otherwise |
%s | The destination port number |
%U | The userid at login |
%u | The effective userid |
%Z | The destination host's domain name if known; by its IP address otherwise |
%z | The destination host's IP address |
%% | A single % |
You can string several shell commands together in the usual way with |, ;, etc.
Although there's an implied "deny all" at the end of the control file, you may supply one explicitly to take some specific action when requests are so rejected. For example:
deny 0.0.0.0 0.0.0.0 : /usr/bin/mail -s `SOCKS: rejected %S from %u to %Z' root
Unlike the previous version, connection to address 127.0.0.1 (localhost) is always done directly, so there's no need to specify that in /etc/socks.conf.