/etc/socks.conf

SOCKS clients configuration file

Name:

/etc/socks.conf

Description:

All SOCKS client programs use this file to:

• determine whether to use direct or proxy connection to a given destination host
• exert access control based on the destination host, the requested service (port number on the destination host), and the effective userid of the requesting local user.

Each line in the file may be up to 1024 characters long. Lines starting with a number sign (#) are comments. Lines that aren't comments must be of one of the three forms:

deny [*=userlist] dst_addr dst_mask [op dst_port] [: shell_cmd]

direct [*=userlist] dst_addr dst_mask [op dst_port] [: shell_cmd]

sockd [@=serverlist] [*=userlist] dst_addr dst_mask [op dst_port] [: shell_cmd]

A deny line tells the SOCKS clients when to reject a request.

A direct line tells when to use a direct connection.

A sockd line tells when to use a proxy connection and, optionally, which SOCKS proxy server or servers to try.

Spaces and tabs separate the fields. Fields enclosed in square brackets are optional. The fields are:

userlist

One or more userids or filenames, separated by commas. No spaces or tabs are allowed in the list. The userids should be of users on the local host, not those on the destination host or the SOCKS server host.

The filenames must be full pathnames with the leading /. Inside the specified files, userids may be listed one or several per line, with any combination of blanks, tabs, and commas as separators.

A # at the beginning of a line marks the remainder of the line as a comment. Each line in these files may be up to 1023 characters long. If the *= userlist field is omitted, the line applies to all userids.

dst_addr dst_mask

These fields together specify the destination IP address or the range of destination IP addresses. Both are given in the usual dotted form (e.g. 129.1.2.3).

Bits in dst_mask that are set to 0 indicate the bit positions to be masked off (i.e. ignored) during comparison of dst_addr and the actual destination IP address.

For example, specifying 255.255.255.255 in dst_mask demands an exact match with dst_addr, whereas 0.0.0.0 is an address match no matter what is specified for dst_addr. (Note that this is the same way netmasks are interpreted, but is the direct opposite of how the address masks are used in Cisco router access lists.)

op

One of the following:

eq

Equal.

neq

Not equal.

lt

Less than.

gt

Greater than.

le

Less than or equal.

ge

Greater than or equal.

dst_port

Either a port number (e.g. 23) or the equivalent service name as specified in the /etc/services file (e.g. telnet for port number 23). If this pair is omitted, the line applies to all services.

serverlist

Used only in a sockd line. It consists of one or more SOCKS proxy servers that the client program should try to use (in the indicated order) for establishing a proxy connection.

You can use only commas as separator — no spaces or tabs are allowed in the list. Although domain names of the servers may be used in the list, it's probably more prudent to specify IP addresses.

If the serverlist field is omitted, the client program uses the default SOCKS proxy server, which is determined by the environment variable SOCKS_SERVER or by the name compiled into the SOCKS client program.

Consider this sockd line:

sockd @=1.2.3.4 *=boss,root 11.12.13.14 255.255.255.255 eq telnet

To match the condition indicated in this line, a request must come from a local user whose effective id is either boss or root, the destination IP address must be 11.12.13.14 exactly, and the service requested must be telnet. In that case, connection to host 11.12.13.14 should be done via a SOCKS proxy server on host 1.2.3.4.

Every time a SOCKS client has to make a network connection, it checks the pending request against the /etc/socks.conf file, one line at a time. Once the client finds a line with conditions that are matched by the request, the action specified on that line is taken. The remaining lines of /etc/socks.conf are skipped. If no matching line is found throughout the file, the request is denied.

---

The order of the lines in the file is extremely important — switch two lines and you may have entirely different results!

---

shell_cmd

A command string that's executed when the conditions on that line are satisfied. The following substitutions occur before the string is presented to the Borne shell for execution:

These characters:	Are replaced by:
%A	The client host's domain name if known; by its IP address otherwise
%a	The client host's IP address
%c	“connect” or “bind”
%p	The client program's process ID
%S	The service name (e.g. ftp) if known; by the destination port number otherwise
%s	The destination port number
%U	The userid at login
%u	The effective userid
%Z	The destination host's domain name if known; by its IP address otherwise
%z	The destination host's IP address
%%	A single %

You can string several shell commands together in the usual way with |, ;, etc.

Although there's an implied “deny all” at the end of the control file, you may supply one explicitly to take some specific action when requests are so rejected. For example:

deny 0.0.0.0 0.0.0.0 : /usr/bin/mail -s `SOCKS: rejected %S from %u to %Z' root

Unlike the previous version, connection to address 127.0.0.1 (localhost) is always done directly, so there's no need to specify that in /etc/socks.conf.

Environment variables:

SOCKS_SERVER

If defined, this environment variable specifies the name or IP address of the SOCKS proxy server host to use, overriding the default server compiled into the programs.

See also:

rftp, rtelnet