DANTED.CONF(5)                 File Formats Manual                 DANTED.CONF(5)

NAME
danted.conf - Dante server configuration file syntax

DESCRIPTION
The configuration file for the Dante server controls both access controls and logging. It is divided into three parts: server settings, rules, and routes. A line can be commented using the standard comment character #.

SERVER SETTINGS
The server settings control the generic behaviour of the server. Each keyword is separated from its value by a ':' character.
- compatibility
- With the sameport keyword, the server attempts to use the same port on the server and the client. This functionality is the default, but when this option is given it will also be done with privileged ports. The reuseaddr keyword might solve problems when the bind extension is used, but the effects of enabling reuseaddr are currently unknown; do not enable it unless you understand the effects.
- connecttimeout
- The number of seconds a client has to send the request after a connect. Set it to 0 for forever.
- external
- The address to be used for outgoing connections. The address given may be either an IP address or an interface name. Can be given multiple times for different addresses.
- external.rotation
- If more than one external address is given, this governs which address is selected. Valid values are none (the default) and route. The latter might require you to set user.privileged to root.
- internal
- The internal addresses. Connections will only be accepted on these addresses. The address given may be either an IP address or an interface name.
- iotimeout
- The number of seconds an established connection can be idle. Set it to 0 for forever.
- logoutput
- This value controls where the server sends logoutput. It can be either syslog[/facility], stdout, stderr, a filename, or a combination.
- method
- A list of acceptable authentication methods for socks-rules, in order of preference. Supported values are username, none, rfc931 and pam. This list is used as the default for all coming rules until changed. Then the changed list is used as the default for the next rules.
- clientmethod
- A list of acceptable authentication methods for client-rules, in order of preference. These are the authentication methods that can provide authentication based on just the client's TCP connection. Supported values are none, rfc931 and pam. This list is used as the default for all coming rules until changed. Then the changed list is used as the default for the next rules. The default value is none.
- srchost
- With the nomismatch keyword, the server will not accept connects from addresses having a mismatch between DNS address and hostname. Default is to accept them. With the nounknown keyword, the server will not accept connects from addresses without a DNS record. Default is to accept them.
- user.privileged
- Username which will be used for doing privileged operations.
- user.notprivileged
- User which the server runs as most of the time.
- user.libwrap
- User used to execute libwrap commands.
MODULES
The following modules are supported by Dante. Modules are purchased separately from Inferno Nettverk A/S. See the Dante homepage for more information.
- bandwidth
- The bandwidth module gives you control over how much
bandwidth the Dante server uses on behalf of different clients.
- redirect
- The redirect module gives you control over what addresses the server will use on behalf of the client. It allows you both to redirect client requests to different addresses and to control the range of addresses and ports to be used on behalf of the client.
- session
- The session module gives you control over the number of sessions that can be created by different socks users.
METHODS
The Dante server supports the following methods. Some installations of Dante may support only a subset of these.
- none
- The method requires no form of authentication.
- username
- The method requires the client to provide a username and password. These must match the username and password given in the system password file.
- rfc931
- The method requires the client host to provide an rfc931 ("ident") reply for the connecting client. The name given in the reply must be present in the password database.
- pam
- The method requires the available client data to match against the pam database.
ADDRESSES
Each address field can consist of an IP address (and, where meaningful, a netmask, separated from the IP address by a '/' sign), a hostname, or a domain name (designated as such by a leading '.'). Each address can be followed by an optional port specifier.

RULES
There are two sets of rules and they work at different levels. Rules prefixed with client are checked first and are used to see if the client is allowed to connect to the Dante server. We will call them "client-rules". It is especially important that these do not use hostnames but only IP addresses, both for security and performance reasons. These rules work at the TCP/IP level.
- The contents of a client-rule are:
- from
- The rule applies to requests coming from the address given as value.
- to
- The rule applies to requests going to the address given as value.
- port
- Parameter to from, to and via. Accepts the keywords eq/=, neq/!=, ge/>=, le/<=, gt/>, lt/< followed by a number. A port range can also be given as "port <start #> - <end #>", which will match all port numbers within the range <start #> to <end #>.
- libwrap
- The server will pass the line to libwrap for execution.
- log
- Used to control logging. Accepted keywords are connect, disconnect, data, error and iooperation.
- user
- The server will only accept connections from users matching one of the names given as value. If no user value is given, everyone in the password file will be matched. The rule must also allow username-based methods.
- method
- Require that the connection be "authenticated" using one of the given methods.
- pam.servicename
- Which service name to use when invoking pam. Default is "sockd".
- The contents of a socks-rule are:
- from
- The rule applies to requests coming from the address given as value.
- to
- The rule applies to requests going to or using the address given as value. Note that the meaning of this address is affected by command.
- port
- Parameter to from, to and via. Accepts the keywords eq/=, neq/!=, ge/>=, le/<=, gt/>, lt/< followed by a number. A port range can also be given as "port <start #> - <end #>", which will match all port numbers within the range <start #> to <end #>.
- bandwidth
- The clients matching this rule will all share this amount of bandwidth.
- command
- The rule applies to the given commands. Valid commands are bind, bindreply, connect, udpassociate and udpreply. Can be used instead of, or to complement, protocol.
- libwrap
- The server will pass the line to libwrap for execution.
- log
- Used to control logging. Accepted keywords are connect, disconnect, data and iooperation.
- method
- Require that the connection be established using one of the given methods. method always refers to the source part of the rule. Valid values are the same as in the global method line.
- pam.servicename
- Which service name to use when invoking pam. Default is "sockd".
- protocol
- The rule applies to the given protocols. Valid values are tcp and udp. It is recommended that the command form is used since it provides more accuracy in defining rules.
- proxyprotocol
- The rule applies to requests using the given proxyprotocol. Valid proxyprotocols are socks_v4 and socks_v5.
- redirect
- The source and/or destination can be redirected using the redirect statement. The syntax of the statement is as follows:
  - redirect from: ADDRESS
  - redirect to: ADDRESS
- user
- The server will accept connections from users matching one of the names given as value. If no user value is given, everyone in the password file will be matched. The rule must in this case also allow username-based methods.
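A complete configuration that ties the server settings, client-rules and socks-rules described above together, as an added example (not taken from the distribution's example directory); the interface names eth0/eth1, the networks 10.0.0.0/8 and 10.1.2.3, and the user names are assumed values chosen for illustration:

```conf
# Added example danted.conf; not from the Dante distribution. The interface
# names, networks and user names are assumed values chosen for illustration.

# --- server settings (keyword: value) ---
logoutput: syslog/daemon
internal: eth0 port = 1080        # accept clients only on the inside interface
external: eth1                    # source address for outgoing connections
clientmethod: none                # client-rules decide on the TCP connection alone
method: username none             # socks-rules: prefer username, allow none
user.privileged: root             # used only for privileged operations
user.notprivileged: nobody        # identity the server runs as most of the time
user.libwrap: nobody
connecttimeout: 30                # seconds a client has to send its request
iotimeout: 600                    # idle seconds before a session is dropped
srchost: nounknown                # refuse clients without a DNS record

# --- client-rules: TCP/IP level, IP addresses only, checked first ---
client pass {
        from: 10.0.0.0/8 to: 0.0.0.0/0
        log: connect disconnect error
}
client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

# --- socks-rules: checked after a client-rule has passed the connection ---
# Named, password-authenticated users may connect to HTTPS anywhere.
pass {
        from: 10.0.0.0/8 to: 0.0.0.0/0 port = 443
        command: connect
        method: username
        user: alice bob
        log: connect disconnect
}
# Anyone on the inside may reach the intranet web server without a password.
pass {
        from: 10.0.0.0/8 to: 10.1.2.3/32 port = 80
        command: connect
        method: none
        log: connect disconnect
}
# Everything else (other ports, bind, udpassociate) is blocked and logged.
block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect
}
```

Because method in a socks-rule may only name methods from the global method line, the first pass rule rejects a client that offers no username even though the client-rule let its TCP connection in.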
ROUTES¶
The routes are specified with a route keyword. Inside a pair of braces ({}) a set of keywords control the behavior of the route. See dante.conf(5) for a description. This is used to perform so-called "server-chaining", where one socks-server connects to another socks-server further upstream.

EXAMPLES
See the example directory in the distribution.

FILES
/etc/danted.conf    Dante server configuration file.
/etc/passwd         File used when checking usernames/passwords.
AUTHORS
For Inferno Nettverk A/S, Norway:
Michael Shuldman <michaels@inet.no>: Design and implementation.
Karl-Andre' Skevik <karls@inet.no>: Autoconf and porting.

SEE ALSO
danted(8), dante.conf(5), hosts_access(5)

Information about new releases and other related issues can be found on the Dante WWW home page at http://www.inet.no/dante.

May 11, 2001