# $Id: danted.conf 736 2010-02-16 09:45:35Z rolf $ # # A sample sockd.conf # # # The configfile is divided into two parts; first serversettings, # then the rules. # # The recommended order is: # Serversettings: # logoutput # internal # external # method # clientmethod # users # compatibility # extension # connecttimeout # iotimeout # srchost # # Rules: # client block/pass # from to # libwrap # log # # block/pass # from to # method # command # libwrap # log # protocol # proxyprotocol # the server will log both via syslog, to stdout and to /var/log/lotsoflogs #logoutput: syslog stdout /var/log/lotsoflogs #logoutput: stderr logoutput: /var/log/sockd/sockd # The server will bind to the address 10.1.1.1, port 1080 and will only # accept connections going to that address. #internal: 10.1.1.1 port = 1080 # Alternatively, the interface name can be used instead of the address. #internal: eth0 port = 1080 internal: 127.0.0.1 port = 1080 # all outgoing connections from the server will use the IP address # 195.168.1.1 #external: 192.168.1.1 external: 87.230.20.185 # list over acceptable methods, order of preference. # A method not set here will never be selected. # # If the method field is not set in a rule, the global # method is filled in for that rule. # # methods for socks-rules. #method: username none #rfc931 #method: none username pam method: none # methods for client-rules. clientmethod: none #or if you want to allow rfc931 (ident) too #method: username rfc931 none #or for PAM authentification #method: pam # # An important section, pay attention. # # when doing something that can require privilege, it will use the # userid: user.privileged: proxy # when running as usual, it will use the unprivileged userid of: user.notprivileged: nobody # If you compiled with libwrap support, what userid should it use # when executing your libwrap commands? "libwrap". user.libwrap: nobody # # some options to help clients with compatibility: # # when a client connection comes in the socksserver will try to use # the same port as the client is using, when the socksserver # goes out on the clients behalf (external: IP address). # If this option is set, Dante will try to do it for reserved ports aswell. # This will usually require user.privileged to be set to "root". #compatibility: sameport # If you are using the bind extension and have trouble running servers # via the server, you might try setting this. The consequences of it # are unknown. #compatibility: reuseaddr # # The Dante server supports some extensions to the socks protocol. # These require that the socks client implements the same extension and # can be enabled using the "extension" keyword. # # enable the bind extension. #extension: bind # # # misc options. # # how many seconds can pass from when a client connects til it has # sent us it's request? Adjust according to your network performance # and methods supported. #connecttimeout: 30 # on a lan, this should be enough if method is "none". # how many seconds can the client and it's peer idle without sending # any data before we dump it? Unless you disable tcp keep-alive for # some reason, it's probably best to set this to 0, which is # "forever". #iotimeout: 0 # or perhaps 86400, for a day. # do you want to accept connections from addresses without # dns info? what about addresses having a mismatch in dnsinfo? #srchost: nounknown nomismatch # # The actual rules. There are two kinds and they work at different levels. # # The rules prefixed with "client" are checked first and say who is allowed # and who is not allowed to speak/connect to the server. I.e the # ip range containing possibly valid clients. # It is especially important that these only use IP addresses, not hostnames, # for security reasons. # # The rules that do not have a "client" prefix are checked later, when the # client has sent its request and are used to evaluate the actual # request. # # The "to:" in the "client" context gives the address the connection # is accepted on, i.e the address the socksserver is listening on, or # just "0.0.0.0/0" for any address the server is listening on. # # The "to:" in the non-"client" context gives the destination of the clients # socksrequest. # # "from:" is the source address in both contexts. # # the "client" rules. All our clients come from the localhost 127.0.0.1. # client pass { from: 127.0.0.1/32 port 1-65535 to: 0.0.0.0/0 } # drop everyone else as soon as we can and log the connect, they are not # on our net and have no business connecting to us. This is the default # but if you give the rule yourself, you can specify details. client block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error } # the rules controlling what clients are allowed what requests # # you probably don't want people connecting to loopback addresses, # who knows what could happen then. block { from: 0.0.0.0/0 to: 127.0.0.0/8 log: connect error } # unless you need it, you could block any bind requests. block { from: 0.0.0.0/0 to: 0.0.0.0/0 command: bind log: connect error } block { from: 127.0.0.1/32 to: 0.0.0.0/0 command: bind log: connect error } # rules for blocking those sites specified by the block-list at: # http://anon.inf.tu-dresden.de/operators/help/adminscripts/squid-block.acl # further site-blocking-rules can be append below. block { from: 127.0.0.1/32 to: .amikit.amiga.sk log: connect error } block { from: 127.0.0.1/32 to: .organische-chemie.ch log: connect error } block { from: 127.0.0.1/32 to: .organic-chemistry.org log: connect error } block { from: 127.0.0.1/32 to: .hgh07.de log: connect error } block { from: 127.0.0.1/32 to: .diekatzenbande.de log: connect error } block { from: 127.0.0.1/32 to: .guestbook.onetwomax.de log: connect error } block { from: 127.0.0.1/32 to: .avdge.de log: connect error } block { from: 127.0.0.1/32 to: .avd-ge.de log: connect error } block { from: 127.0.0.1/32 to: .absinth-guide.de log: connect error } block { from: 127.0.0.1/32 to: .theflock.info log: connect error } block { from: 127.0.0.1/32 to: .lunarpages.com log: connect error } block { from: 127.0.0.1/32 to: .iphpbb.com log: connect error } block { from: 127.0.0.1/32 to: .bboard.de log: connect error } block { from: 127.0.0.1/32 to: .forenfuchs.de log: connect error } block { from: 127.0.0.1/32 to: .xa-board.com log: connect error } block { from: 127.0.0.1/32 to: .propeller-forum.de log: connect error } block { from: 127.0.0.1/32 to: .printymyposter.de log: connect error } block { from: 127.0.0.1/32 to: .gv-2.de log: connect error } block { from: 127.0.0.1/32 to: .galaxy-vision.de log: connect error } block { from: 127.0.0.1/32 to: .galaxy-vision.org log: connect error } block { from: 127.0.0.1/32 to: .galaxy-vision.net log: connect error } block { from: 127.0.0.1/32 to: .galaxy-vision.eu log: connect error } block { from: 127.0.0.1/32 to: .gm-data.de log: connect error } block { from: 127.0.0.1/32 to: .sn00pnet.de log: connect error } block { from: 127.0.0.1/32 to: .snoopnet.org log: connect error } block { from: 127.0.0.1/32 to: .adhype.de log: connect error } block { from: 127.0.0.1/32 to: .detlef-bosau.de log: connect error } block { from: 127.0.0.1/32 to: .certix.de log: connect error } block { from: 127.0.0.1/32 to: .certix.eu log: connect error } block { from: 127.0.0.1/32 to: .penscan.de log: connect error } block { from: 127.0.0.1/32 to: .penscan.eu log: connect error } block { from: 127.0.0.1/32 to: .haubner.com log: connect error } block { from: 127.0.0.1/32 to: .dus.net log: connect error } block { from: 127.0.0.1/32 to: .bitte-einmal-anders.de log: connect error } block { from: 127.0.0.1/32 to: .silbengebilde.de log: connect error } block { from: 127.0.0.1/32 to: .blaue-flecken-auf-der-seele.de log: connect error } block { from: 127.0.0.1/32 to: .suizidchat.mainchat.de log: connect error } block { from: 127.0.0.1/32 to: .biesterberg35.de log: connect error } block { from: 127.0.0.1/32 to: .webmail.iu.edu log: connect error } block { from: 127.0.0.1/32 to: .antswar.at log: connect error } block { from: 127.0.0.1/32 to: .antswar.de log: connect error } block { from: 127.0.0.1/32 to: .antswar.eu log: connect error } block { from: 127.0.0.1/32 to: .antswar.org log: connect error } block { from: 127.0.0.1/32 to: .antswar.net log: connect error } block { from: 127.0.0.1/32 to: .galgo-in-not.de log: connect error } block { from: 127.0.0.1/32 to: .radio-flashlight.net log: connect error } block { from: 127.0.0.1/32 to: .webanzeigen.frankenpost.de log: connect error } block { from: 127.0.0.1/32 to: .webanzeigen.freies-wort.de log: connect error } block { from: 127.0.0.1/32 to: .webanzeigen.stz-online.de log: connect error } block { from: 127.0.0.1/32 to: .webanzeigen.np-coburg.de log: connect error } #to avoid spam block typical smtp ports block { from: 127.0.0.1/32 to: 0.0.0.0/0 port = 25 log: connect error } #block { # from: 127.0.0.1/32 to: 0.0.0.0/0 port = 465 # log: connect error #} #block { # from: 127.0.0.1/32 to: 0.0.0.0/0 port = 587 # log: connect error #} #everyone from localhost 127.0.0.1/32 is allowed to use # tcp for everything else. pass { from: 127.0.0.1/32 to: 0.0.0.0/0 protocol: tcp } # last line, block everyone else. This is the default but if you provide # one yourself you can specify your own logging/actions block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }