bionic (8) sockd.8.gz

Provided by: socks4-server_4.3.beta2-20_amd64 bug

NAME

       sockd - Internet firewall secure socket server (proxy server)

SYNOPSIS

       sockd [ -ver | -i | -I ]

DESCRIPTION

       sockd   is  an  internet  secure  socket  server,  often  referred  to as a proxy server. It was designed
       primarily to provide hosts within a firewall access to resources outside of the firewall.

       Normally, hosts inside a firewall has no IP-accessibility to the network outside of  the  firewall.  This
       reduces  the  risk of being intruded by unauthorized people from the Internet. Unfortunately, without IP-
       accessibility users on the inside hosts can no longer use many of the important  tools  such  as  telnet,
       ftp, xgopher, Mosaic, etc. to access the tremendous resources available in the Internet.

       With  sockd  installed  on  a  server  host,  users  on  the  other  inside  hosts can gain back the lost
       functionalities by using clients programs designed to work with sockd proxy server, e.g, rtelnet in place
       of  telnet,  rftp in place of ftp, rfinger in place of finger, etc. Since these client programs work like
       their normal counterparts without requiring direct IP-connectivity to the Internet,  convenience  to  the
       users  is  accomplished  without  breaching the security. The server host that runs sockd does have to be
       open to the Internet, and it therefore requires special attention to make sure that it is secure.

       A configuration file /etc/sockd.fc (or /etc/sockd.conf) is used  to  control  access  to  sockd  and  its
       services.  Permission and denial of a service request can be decided based on various combinations of the
       requesting host, the destination host, the type of service (destination port  number),  as  well  as  the
       requesting user. (See sockd.conf(5) and sockd.fc(5).)

       If  the  server  host  is  multi-homed,  i.e.,  having  more  than  one  network  interface  and with its
       IP_FORWARDING turned off, and the server support RBIND operation, then it must run a multi-homed  version
       of  sockd,  which  requires  another  control  file  /etc/sockd.fr  (or /etc/sockd.route) to decide which
       interface to use for connection to any given destination host.  See  sockd.route(5)  and  sockd.fr(5).  A
       multi-homed  sockd  can  be  run  on  a  single-homed  host as well if necessary; you just have to set up
       /etc/sockd.route to direct all traffic through the host's one and only network interface.

       sockd uses syslog with facility daemon and level notice to log its activities and errors.  Typical  lines
       look like

        Apr 11 08:51:29 eon sockd[636]: connected -- Connect from don(don)@abc.edu to wxy.com (telnet)
        Apr 11 09:24:59 eon sockd[636]: terminated -- Connect from don(don)@abc.edu to wxy.com (telnet)
        Apr 11 09:24:59 eon sockd[636]: 1048 bytes from abc.edu, 285143 bytes from wxy.com
        Jun 22 18:24:54 eon sockd[884]: refused -- Connect from sam(unknown)@big.com to small.com (ftp)

       In  these  lines, the first user-id is the one reported by the client program, the second one (within the
       parentheses) is what is reported by identd on the client host.  These log lines usually  appear  in  file
       /var/adm/messages  though  that  can  be  changed  by  modifying  /etc/syslog.conf.  (See  syslogd(8) and
       syslog.conf(5).)

       If you allow access to infosystems such as Gopher or WWW, you should be aware that they by  nature  would
       tend  to  get  connections  to  hosts  all over the world and would use not only Gopher and WWW ports but
       possibly also ports for finger, telnet, ftp, nntp, etc. as well as non-privileged ports ( > 1023).

       For a stand-alone sockd, /etc/sockd.fc (or /etc/sockd.conf) and /etc/sockd.fr (or  /etc/sockd.route),  if
       required, are only read and parsed once at the beginning of program execution. If you change the contents
       of either file and want to make the running sockd use the new contents, you must send a SIGHUP signal  to
       the  running  sockd  process. Sending a running stand-alone sockd a SIGUSR1 signal causes it to record on
       the systems's log file the effective contents of configuration and  route  files  that  it  is  currently
       using.  You can find the process id of the stand-alone sockd in /etc/sockd.pid.

       Rather  than  using  plain-text configuration file /etc/sockd.conf and route file /etc/sockd.route, sockd
       now looks for the corresponding frozen files /etc/sockd.fc and /etc/sockd.fr first. The plain-text  files
       are used only if the corresponding frozen files are not found. Use commands make_sockdfc and make_sockdfr
       to produce the frosen files. Use commands dump_sockdfc and dump_sockdfr to examine the contents of frozen
       files.  (See  make_sockdfc(8),  make_sockdfr(8),  dump_sockdfc(8),  and  dump_sockdfr(8).)  Using  frozen
       configuration and route files can save a lot of overhead at start-up of sockd.

OPTIONS

       The options are mutually exclusive and thus may only be used one at a time.

       -ver   With this option, sockd prints its own version number, the version number of the  SOCKS  protocol,
              whether it is SOCKSified, whether it is a standalone daemon or must be run under inetd, whether it
              support RBIND, and whether a route file is required.

       -I     Use identd (RFC 1413) to verify the requester's user-id. Deny access  if  connection  to  client's
              identd  fails  or  if the result does not match the user-id reported by the client program. Client
              hosts without a properly installed identd daemon will not be served.  User  verification  is  done
              before and in addition to the normal access control. This can be overridden in the sockd.conf file
              on a line by line basis.

       -i     Similar to -I but more lenient. Access is denied only if client's identd reports a user-id  that's
              different  from what the client program claims. This can be overridden in the sockd.conf file on a
              line by line basis.

       Log entries similar to the following are produced upon failure of user-id verification:

        Apr 15 14:42:51 eon sockd[729]: cannot connect to identd on big.edu
        Apr 15 14:42:51 eon sockd[729]: refused -- Connect from bob(unknown)@big.edu to xyz.com (ftp)
        Jul 15 12:23:06 eon sockd[832]: *Alert*: real user is sam, not jim
        Jul 15 12:23:06 eon sockd[832]: refused -- Connect from jim(sam)@abc.org to bad.place.com (WWW)

FILES

       /etc/sockd.fc,  /etc/sockd.conf,   /etc/sockd.fr,   /etc/sockd.route,   /etc/inetd.conf,   /etc/services,
       /var/adm/messages, /etc/syslog.conf

SEE ALSO

       socks_clients(1),   sockd.conf(5),   sockd.route(5),   socks.conf(5),  make_sockdfc(8),  make_sockdfr(8),
       dump_sockdfc(8), dump_sockdfr(8)

AUTHOR

       David Koblas, koblas@sgi.com
       Ying-Da Lee, ylee@syl.dl.nec.com
       David Mischel, dm@kansas.gene.com

                                                  June 6, 1996                                          SOCKD(8)