
/danted.conf

http://github.com/brinkman83/bashrc
  1# $Id: sockd.conf,v 1.43 2005/12/26 16:35:26 michaels Exp $
  2#
  3# A sample danted.conf
  4#
  5#
  6# The config file is divided into three parts:
  7#    1) serversettings
  8#    2) rules
  9#    3) routes
 10#
 11# The recommended order is:
 12#   Serversettings:
 13#               logoutput
 14#               internal
 15#               external
 16#               method
 17#               clientmethod
 18#               users
 19#               compatibility
 20#               extension
 21#               connecttimeout
 22#               iotimeout
 23#		srchost
 24#
 25#  Rules:
 26#	client block/pass
 27#		from to
 28#		libwrap
 29#		log
 30#
 31#     block/pass
 32#		from to
 33#		method
 34#		command
 35#		libwrap
 36#		log
 37#		protocol
 38#		proxyprotocol
 39#
 40#  Routes: 
 41
 42# the server will log via syslog, to stdout and to /var/log/lotsoflogs
 43#logoutput: syslog stdout /var/log/lotsoflogs
 44logoutput: stderr
 45
 46# The server will bind to the address 10.1.1.1, port 1080 and will only
 47# accept connections going to that address.
 48#internal: 10.1.1.1 port = 1080
 49# Alternatively, the interface name can be used instead of the address.
 50#internal: eth0 port = 1080
 51
 52# all outgoing connections from the server will use the IP address
 53# 192.168.1.1
 54#external: 192.168.1.1
 55
 56# list of acceptable methods, in order of preference.
 57# A method not set here will never be selected.
 58#
 59# If the method field is not set in a rule, the global
 60# method is filled in for that rule.
 61#
 62
 63# methods for socks-rules.
 64#method: username none #rfc931
 65
 66# methods for client-rules.
 67#clientmethod: none
 68
 69#or if you want to allow rfc931 (ident) too
 70#method: username rfc931 none
 71
 72#or for PAM authentication
 73#method: pam
 74
 75#
 76# An important section, pay attention.
 77#
 78
 79# when doing something that can require privilege, it will use the
 80# userid:
 81user.privileged: proxy
 82
 83# when running as usual, it will use the unprivileged userid of:
 84user.notprivileged: nobody
 85
 86# If you compiled with libwrap support, what userid should it use
 87# when executing your libwrap commands?  "libwrap".
 88user.libwrap: nobody
 89
 90
 91#
 92# some options to help clients with compatibility:
 93#
 94
 95# when a client connection comes in the socksserver will try to use
 96# the same port as the client is using, when the socksserver
 97# goes out on the clients behalf (external: IP address).
 98# If this option is set, Dante will try to do it for reserved ports as well.
 99# This will usually require user.privileged to be set to "root".
100#compatibility: sameport
101
102# If you are using the bind extension and have trouble running servers
103# via the server, you might try setting this.  The consequences of it
104# are unknown.
105#compatibility: reuseaddr
106
107#
108# The Dante server supports some extensions to the socks protocol.
109# These require that the socks client implements the same extension and
110# can be enabled using the "extension" keyword.
111#
112# enable the bind extension.
113#extension: bind
114
115
116#
117#
118# misc options.
119#
120
121# how many seconds can pass from when a client connects until it has
122# sent us its request?  Adjust according to your network performance
123# and methods supported.
124#connecttimeout: 30   # on a lan, this should be enough if method is "none".
125
126# how many seconds can the client and its peer idle without sending
127# any data before we dump it?  Unless you disable tcp keep-alive for
128# some reason, it's probably best to set this to 0, which is
129# "forever".
130#iotimeout: 0 # or perhaps 86400, for a day.
131
132# do you want to accept connections from addresses without
133# dns info?  what about addresses having a mismatch in dnsinfo?
134#srchost: nounknown nomismatch
135
136#
137# The actual rules.  There are two kinds and they work at different levels.
138#
139# The rules prefixed with "client" are checked first and say who is allowed
140# and who is not allowed to speak/connect to the server.  I.e. the
141# ip range containing possibly valid clients.
142# It is especially important that these only use IP addresses, not hostnames,
143# for security reasons (hostname matching depends on DNS data the server does not control).
144#
145# The rules that do not have a "client" prefix are checked later, when the
146# client has sent its request and are used to evaluate the actual
147# request.
148#
149# The "to:" in the "client" context gives the address the connection
150# is accepted on, i.e. the address the socksserver is listening on, or
151# just "0.0.0.0/0" for any address the server is listening on.
152#
153# The "to:" in the non-"client" context gives the destination of the clients
154# socksrequest.
155#
156# "from:" is the source address in both contexts.
157#
158
159
160# the "client" rules.  All our clients come from the net 10.0.0.0/8.
161#
162
163# Allow our clients, also provides an example of the port range command.
164#client pass {
165#	from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
166#	method: rfc931 # match all idented users that also are in passwordfile
167#}
168
169# This is identical to above, but allows clients without a rfc931 (ident)
170# too.  In practice this means the socksserver will try to get a rfc931
171# reply first (the above rule), if that fails, it tries this rule.
172#client pass {
173#	from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
174#}
175
176
177# drop everyone else as soon as we can and log the connect, they are not
178# on our net and have no business connecting to us.  This is the default
179# but if you give the rule yourself, you can specify details.
180#client block {
181#	from: 0.0.0.0/0 to: 0.0.0.0/0
182#	log: connect error
183#}
184
185
186# the rules controlling what clients are allowed what requests
187#
188
189# you probably don't want people connecting to loopback addresses, since
190# that reaches services bound only to the proxy host itself.
191#block {
192#	from: 0.0.0.0/0 to: 127.0.0.0/8
193#	log: connect error
194#}
195
196# the people at the 172.16.0.0/12 are bad, no one should talk to them.
197# log the connect request and also provide an example on how to
198# interact with libwrap.
199#block {
200#	from: 0.0.0.0/0 to: 172.16.0.0/12
201#	libwrap: spawn finger @%a
202#	log: connect error
203#}
204
205# unless you need it, you could block any bind requests.
206#block {
207#	from: 0.0.0.0/0 to: 0.0.0.0/0
208#	command: bind
209#	log: connect error
210#}
211
212# or you might want to allow it, for instance "active" ftp uses it.
213# Note that a "bindreply" command must also be allowed, it
214# should usually be from "0.0.0.0/0", i.e. if a client of yours
215# has permission to bind, it will also have permission to accept
216# the reply from anywhere.
217#pass {
218#	from: 10.0.0.0/8 to: 0.0.0.0/0
219#	command: bind
220#	log: connect error
221#}
222
223# some connections expect some sort of "reply", this might be
224# the reply to a bind request or it may be the reply to a
225# UDP packet, since UDP is packet-based.
226# Note that nothing is done to verify that it's a "genuine" reply,
227# that is in general not possible anyway.  The below will allow
228# all "replies" in to your clients at the 10.0.0.0/8 net.
229#pass {
230#	from: 0.0.0.0/0 to: 10.0.0.0/8
231#	command: bindreply udpreply
232#	log: connect error
233#}
234
235
236# pass any http connects to the example.com domain if they
237# authenticate with username.
238# This matches "example.com" itself and everything ending in ".example.com".
239#pass {
240#	from: 10.0.0.0/8 to: .example.com port = http
241#	log: connect error
242#	method: username
243#}
244
245
246
247
248# block any other http connects to the example.com domain.
249#block {
250#	from: 0.0.0.0/0 to: .example.com port = http
251#	log: connect error
252#}
253
254# everyone from our internal network, 10.0.0.0/8 is allowed to use
255# tcp and udp for everything else.
256#pass {
257#	from: 10.0.0.0/8 to: 0.0.0.0/0
258#	protocol: tcp udp
259#}
260
261# last line, block everyone else.  This is the default but if you provide
262# one yourself you can specify your own logging/actions.
263#block {
264#	from: 0.0.0.0/0 to: 0.0.0.0/0
265#	log: connect error
266#}
267
268# route all http connects via an upstream socks server, aka "server-chaining".
269#route {
270# from: 10.0.0.0/8 to: 0.0.0.0/0 port = http via: socks.example.net port = socks
271#}