Provided by: socks4-clients_4.3.beta2-18_amd64 bug

NAME

       socks.conf - SOCKS clients configuration file

SYNOPSIS

       /etc/socks.conf

DESCRIPTION

       All  SOCKS  client  programs  use  this  file  to determine whether to use direct or proxy
       connection to a given  destination  host,  and  to  exert  access  control  based  on  the
       destination  host,  the  requested  service (port number on the destination host), and the
       effective user-id of the requesting local user. If this file is absent, SOCKS clients will
       only try direct connections, making them behave like their regular counterparts.

       Each  line  in  the  file  may be up to 1024 characters long.  Lines starting with a # are
       comments. Non-comment lines must be of one of the three forms:

       deny [*=userlist]   dst_addr  dst_mask  [op dst_port]  [: shell_cmd]
       direct    [*=userlist]   dst_addr  dst_mask  [op dst_port]  [: shell_cmd]
       sockd     [@=serverlist] [*=userlist]  dst_addr  dst_mask  [op dst_port]  [: shell_cmd]

       A deny line tells the SOCKS clients when to reject a request.  A direct lines  tells  when
       to  use  a  direct  connection. A sockd line indicates when to use a proxy connection and,
       optionally, which SOCKS proxy server or servers it should try.

       Spaces and tabs separate the fields. Fields enclosed in square brackets are optional.

       The userlist field, when present, consists of one or  more  user-ids  or  filenames,  with
       comma  as separator. No spaces or tabs are allowed in the list. The user-ids should be ids
       of users on the local host, not those on the destination host or the  SOCKS  server  host.
       The filenames must be full pathnames with the leading /. Inside the specified files, user-
       ids may be listed one or several per line, with  any  combination  of  blanks,  tabs,  and
       commas as separators. The appearance of # marks the remainder of the line as comment. Each
       line in the files may be up to 1023 characters long.  If the *=userlist field is  omitted,
       the line applies to all user-ids.

       The  dst_addr  field  specifies either the IP address of a host, a network, or a subnet in
       the usual dotted form, e.g., 129.201.4.0, or a doamin name, e.g.,  internic.net.  dst_mask
       specifies  mask  for  the IP address used in dst_addr.  Bits in dst_mask that are set to 0
       indicate the bit positions to be ignored during comparison of IP addresses. So, specifying
       255.255.255.255  in  dst_mask  demands  an  exact  match with dst_addr, whereas 0.0.0.0 in
       dst_mask causes a matching with any  given  destination  address  regardless  of  what  is
       specified  for  dst_addr.  If a domain name is used for dst_addr, the contents of dst_mask
       are ignored, though it must still be supplied (simply use 0.0.0.0).  If  the  domain  name
       starts  with  a period, it specifies a zone and matches all domain names within that zone,
       otherwise it matches only the domain  name  itself.  For  example,  xyz.com  matches  only
       xyz.comP,   while   .xyz.com   macthes   not   only  xyz.com,  but  also  abc.xyz.com  and
       this.and.that.xyz.com, among others.  The special symbol ALL (which must  be  entirely  in
       uppercase) matches everything. Domain names are otherwise case-insentive.

       When  using  a  domain  name in dst_addr, you have be very careful in maintaining your DNS
       setup. See the last few paragraphs in sockd.conf(5).

       The op field must be eq, neq, lt, gt, le, or ge, for the condition of  equal,  not  equal,
       less than, greater than, less than or equal, and greater than or equal, respectively.  The
       dst_port field can be either a port number, e.g., 23, or the equivalent  service  name  as
       specified in file /etc/services, e.g., telnet for port number 23. If this pair is omitted,
       the line applies to all services.

       The serverlist, which may only be used in a sockd line, consists  of  one  or  more  SOCKS
       proxy  servers,  which  the  client program should try to use (in the indicated order) for
       establishing a proxy connection.  Only commas can be used as separator, no spaces or  tabs
       are allowed in the list. Domain names of the servers may be used in the list, though it is
       probably more prudent to specify IP addresses.  If  this  field  is  omitted,  the  client
       program  will  use  the default SOCKS proxy server, which is determined by the environment
       variable SOCKS_SERVER if it exists, or the name compiled into  the  SOCKS  client  program
       otherwise.

       Consider

       sockd  @=1.2.3.4  *=boss,root 11.12.13.14 255.255.255.255 eq telnet

       To match the condition indicated in this line, a request must come from a local user whose
       effective id is either boss or root,  the  destination  IP  address  must  be  11.12.13.14
       exactly,  and  the  service  requested  must  be  telnet. In that case, connection to host
       11.12.13.14 should be done via a SOCKS proxy server on host 1.2.3.4.

       Every time a SOCKS client has to make a network connection, it checks the pending  request
       against the file /etc/socks.conf, one line at a time. Once it finds a line with conditions
       that are matched by the request, the action specified on that line is taken. The remaining
       lines  of  file  /etc/socks.conf  are  skipped.  So  the order of the lines in the file is
       extremely important; switch two lines and you may have entirely different results.  If  no
       matching line is found throughout the file, the request is denied.

       The  shell_cmd  field  specifies  a command string that is executed when the conditions on
       that line are satisfied. The following substitutions occur before the string is  presented
       to the Borne shell for execution:

        %A -- replaced by the client host's domainname if known, by its IP address otherwise
        %a -- replaced by the client host's IP address
        %c -- replaced by "connect" or "bind"
        %p -- replaced by the process id of the client program
        %S -- replaced by the service name (e.g., ftp) if known, by the destination port number otherwise
        %s -- replaced by the destination port number
        %U -- replaced by the user-id at login
        %u -- replaced by the effective user-id
        %Z -- replaced by the destination host's domainname if known, by its IP address otherwise
        %z -- replaced by the destination host's IP address
        %% -- replaced by a single %

       Several shell commands can be strung together in the usual way with `|', `;', etc.

       Although there is an implied 'deny all' at the end of the control file, you may supply one
       explicitly so as to take some specific action when requests are so rejected, e.g.,

        deny 0.0.0.0 0.0.0.0 : /usr/ucb/mail -s 'SOCKS: rejected %S from %u to %Z' root

       Unlike the previous version, connection to address 127.0.0.1 or  0.0.0.0  is  always  done
       directly to localhost, so there is no need to specify either of them in /etc/socks.conf.

       You have the option of using the frozen file /etc/socks.fc instead of /etc/socks.conf. The
       frozen file is produced by make_socksfc and is essentially the memory image of the  parsed
       configuration  file.  using it can reduced the start-up delay of SOCKS client applications
       since  no  parsing  is  needed.  Because  SOCKS  client  applications  always   look   for
       /etc/socks.fc  first, be sure that you always run make_socksfc every time after you modify
       /etc/socks.conf.

ENVIRONMENT

       SOCKS_SERVER, if defined, specifies the name or IP address of the SOCKS proxy server  host
       to use, overriding the default server compiled into the programs.

SEE ALSO

       dump_socksfc(8), make_socksfc(8), sockd(8), sockd.conf(5), socks_clients(1), socks.fc(5)

                                           May 6, 1996                              SOCKS.CONF(5)