| |
danted.conf(5) - phpMan
DANTED.CONF(5) File Formats Manual DANTED.CONF(5)
NAME
danted.conf - Dante server configuration file syntax
DESCRIPTION
The configuration file for the Dante server controls both access controls and logging. It
is divided into three parts; server settings, rules, and routes. A line can be commented
using the standard comment character #.
SERVER SETTINGS
The server settings control the generic behaviour of the server. Each keyword is sepa‐
rated from it's value by a ':' character.
compatibility
With the sameport keyword, the server attempts to use the same port on the server
and the client. This functionality is the default, but when this option is given
it will also be done with privileged ports. The reuseaddr keyword might solve
problems when the bind extension is used but the effects of enabling reuseaddr is
currently unknown, do not enable it unless you understand the effects.
connecttimeout
The number of seconds a client has to send the request after a connect. Set it to
0 for forever.
external
The address to be used for outgoing connections. The address given may be either a
IP address or a interfacename. Can be given multiple times for different
addresses.
external.rotation
If more than one external address is given, this governs which address is selected.
Valid values are none (the default) and route. The latter might require you to set
user.privileged to root.
Note that route might create problems for ftp-clients using active ftp if the Dante
bind extension is enabled for the ftp-client.
internal
The internal addresses. Connections will only be accepted on these addresses. The
address given may be either a IP address or a interfacename.
iotimeout
The number of seconds an established connection can be idle. Set it to 0 for for‐
ever.
logoutput
This value controls where the server sends logoutput. It can be either sys‐
log[/facility], stdout, stderr, a filename, or a combination.
method A list of acceptable authentication methods for socks-rules, in order of prefer‐
ence. Supported values are username, none, rfc931 and pam. This list is used as
the default for all coming rules until changed. Then the changed list is used as
the default for the next rules.
If a method is not set in this list it will never be selected.
See the section on methods for a explanation of the different methods.
clientmethod
A list of acceptable authentication methods for client-rules, in order of prefer‐
ence. These are the authenticationmethods that can provide authentications based
on just the client's TCP connection. Supported values are none, rfc931 and pam.
This list is used as the default for all coming rules until changed. Then the
changed list is used as the default for the next rules. The default value is none.
If a method is not set in this list it will never be selected.
srchost
With the nomismatch keyword, the server will not accept connects from addresses
having a mismatch between DNS address and hostname. Default is to accept them.
With the nounknown keyword, the server will not accept connects from addresses
without a DNS record. Default is to accept them.
user.privileged
Username which will be used for doing privileged operations.
user.notprivileged
User which the server runs as most of the time.
user.libwrap
User used to execute libwrap commands.
MODULES
The following modules are supported by Dante. Modules are purchased separately from
Inferno Nettverk A/S. See the Dante homepage for more information.
bandwidth
The bandwidth module gives you control over how much bandwidth the Dante server
uses on behalf of different clients.
redirect
The redirect module gives you control over what addresses the server will use on
behalf of the client and allows you to both redirect client requests to a different
addresses aswell as control the range of addresses and ports to be used on behalf
of the client.
session
The session module gives you control over the number of sessions that can be cre‐
ated by different socks users.
METHODS
The Dante server supports the following methods. Some installations of Dante may support
only a subset of these.
none The method requires no form of authentication.
username
The method requires the client to provide a username and password. This must match
the username and password given in the system passwordfile.
rfc931 The method requires the client host to provide a rfc931 ("ident") reply for the
connecting client. The name given in the reply must be present in the password
database.
pam The method requires the available clientdata to match against the pam database.
ADDRESSES
Each address field can consist of a IP address (and where meaningful, a netmask, separated
from the IP address by a '/' sign.), a hostname, or a domainname (designated so by the
leading '.'). Each address can be followed by a optional port specifier.
RULES
There are two sets of rules and they work at different levels. Rules prefixed with client
are checked first and are used to see if the client is allowed to connect to the Dante
server. We will call them "client-rules". It is especially important that these do not
use hostnames but only IP addresses, both for security and performance reasons. These
rules work at the TCP/IP level.
The other rules, which we will call "socks-rules" are a level higher and are checked after
the client connection has been accepted by the client-rules. The socks-rules are used to
evaluate the socks request that the client sends. They thus work at the socks protocol
level.
Both set of rules start with a pass/deny keyword (the client-rules have "client" prefixed
to the pass/deny keyword) which determines if connections matching the rule are to pass or
be blocked. Both set of rules also specify a from/to address pair which gives the
addresses the rule will match.
In both contexts, from means the clients address.
In the client-rule context, to means the address the request is accepted on, i.e. the
address the Dante server listens on.
In the socks-rule context, to means the client's destination address, as formulated in the
client's proxy request.
In addition to the addresses there is a set of optional keywords which can be given.
There are two forms of keywords, conditions and actions. For each rule, all conditions
are checked and if they match the request, the actions are executed.
The list of condition keywords is: from, to, command, method, protocol, proxyprotocol,
user.
The list of actions keywords is: bandwidth, libwrap, log and redirect.
The format and content of the rules is identical, but client-rules may contain only a sub‐
set of the socks-rules. More concrete, they may not contain any keywords related to the
socks protocol.
The contents of a client-rule is:
from The rule applies to requests coming from the address given as value.
to The rule applies to requests going to the address given as value.
port Parameter to from, to and via. Accepts the keywords eq/=, neq/!=, ge/>=, le/<=,
gt/>, lt/< followed by a number. A portrange can also be given as "port <start #>
- <end #>", which will match all port numbers within the range <start #> and <end
#>.
libwrap
The server will pass the line to libwrap for execution.
log Used to control logging. Accepted keywords are connect, disconnect, data, error
and iooperation.
user The server will only accept connections from users matching one of the names given
as value. If no user value is given, everyone in the passwordfile will be matched.
The rule must also allow usernamebased methods.
method Require that the connection be "authenticated" using one of the given methods.
pam.servicename
Which servicename to use when involving pam. Default is "sockd".
The contents of a socks-rule is:
from The rule applies to requests coming from the address given as value.
to The rule applies to requests going to or using the address given as value. Note
that the meaning of this address is affected by command.
port Parameter to from, to and via. Accepts the keywords eq/=, neq/!=, ge/>=, le/<=,
gt/>, lt/< followed by a number. A portrange can also be given as "port <start #>
- <end #>", which will match all port numbers within the range <start #> and <end
#>.
bandwidth
The clients matching this rule will all share this amount of bandwidth.
command
The rule applies to the given commands. Valid commands are bind, bindreply, con‐
nect, udpassociate and udpreply. Can be used instead of, or to complement, proto‐
col.
libwrap
The server will pass the line to libwrap for execution.
log Used to control logging. Accepted keywords are connect, disconnect, data and ioop‐
eration.
method Require that the connection be established using one of the given methods. method
always refers to the source part of the rule. Valid values are the same as in the
global method line.
pam.servicename
What servicename to use when involving pam. Default is "sockd".
protocol
The rule applies to the given protocols. Valid values are tcp and udp. It is rec‐
ommended that the command form is used since it provides more accuracy in defining
rules.
proxyprotocol
The rule applies to requests using the given proxyprotocol. Valid proxyprotocols
are socks_v4 and socks_v5.
redirect
The source and/or destination can be redirected using the redirect statement. The
syntax of the statement is as follows:
redirect from: ADDRESS
redirect to: ADDRESS
The semantics of from and to vary according to command and should be intuitive
enough.
user The server will accept connections from users matching one of the names given as
value. If no user value is given, everyone in the passwordfile will be matched.
The rule must in this case also allow usernamebased methods.
ROUTES
The routes are specified with a route keyword. Inside a pair of parens ({}) a set of key‐
words control the behavior of the route. See dante.conf(5) for a description. This is
used to perform so-called "server-chaining", where one socks-server connects to another
socks-server futher upstream.
EXAMPLES
See the example directory in the distribution.
FILES
/etc/danted.conf Dante server configuration file.
/etc/passwd file used when checking username/passwords.
AUTHORS
For Inferno Nettverk A/S, Norway:
Michael Shuldman <michaels AT inet.no>: Design and implementation.
Karl-Andre' Skevik <karls AT inet.no>: Autoconf and porting.
SEE ALSO
danted(8), dante.conf(5), hosts_access(5)
Information about new releases and other related issues can be found on the Dante WWW home
page at http://www.inet.no/dante.
May 11, 2001 DANTED.CONF(5)
|
