Man Linux: Main Page and Category List


       sockd - Internet firewall secure socket server (proxy server)


       sockd [ -ver | -i | -I ]


       sockd   is  an  internet  secure  socket server, often referred to as a
       proxy server. It was designed  primarily  to  provide  hosts  within  a
       firewall access to resources outside of the firewall.

       Normally,  hosts  inside  a  firewall  has  no  IP-accessibility to the
       network outside of  the  firewall.  This  reduces  the  risk  of  being
       intruded  by  unauthorized  people  from  the  Internet. Unfortunately,
       without IP-accessibility users on the inside hosts can  no  longer  use
       many  of the important tools such as telnet, ftp, xgopher, Mosaic, etc.
       to access the tremendous resources available in the Internet.

       With sockd installed on a server host, users on the other inside  hosts
       can  gain  back  the  lost  functionalities  by  using clients programs
       designed to work with sockd proxy server,  e.g,  rtelnet  in  place  of
       telnet,  rftp  in  place of ftp, rfinger in place of finger, etc. Since
       these client programs  work  like  their  normal  counterparts  without
       requiring  direct  IP-connectivity  to the Internet, convenience to the
       users is accomplished without breaching the security. The  server  host
       that  runs sockd does have to be open to the Internet, and it therefore
       requires special attention to make sure that it is secure.

       A configuration file /etc/sockd.fc  (or  /etc/sockd.conf)  is  used  to
       control  access  to  sockd and its services. Permission and denial of a
       service request can be decided based on  various  combinations  of  the
       requesting host, the destination host, the type of service (destination
       port number), as well as the requesting user.  (See  sockd.conf(5)  and

       If  the  server host is multi-homed, i.e., having more than one network
       interface and with its IP_FORWARDING turned off, and the server support
       RBIND operation, then it must run a multi-homed version of sockd, which
       requires another control file /etc/  (or  /etc/sockd.route)  to
       decide  which  interface to use for connection to any given destination
       host. See sockd.route(5) and A multi-homed  sockd  can  be
       run  on  a single-homed host as well if necessary; you just have to set
       up /etc/sockd.route to direct all traffic through the  host’s  one  and
       only network interface.

       sockd  uses  syslog  with  facility  daemon and level notice to log its
       activities and errors. Typical lines look like

        Apr 11 08:51:29 eon sockd[636]: connected -- Connect from don(don) to (telnet)
        Apr 11 09:24:59 eon sockd[636]: terminated -- Connect from don(don) to (telnet)
        Apr 11 09:24:59 eon sockd[636]: 1048 bytes from, 285143 bytes from
        Jun 22 18:24:54 eon sockd[884]: refused -- Connect from sam(unknown) to (ftp)

       In these lines, the first user-id is the one  reported  by  the  client
       program, the second one (within the parentheses) is what is reported by
       identd on the client host.  These log  lines  usually  appear  in  file
       /var/adm/messages   though   that   can   be   changed   by   modifying
       /etc/syslog.conf. (See syslogd(8) and syslog.conf(5).)

       If you allow access to infosystems such as Gopher or WWW, you should be
       aware  that  they  by nature would tend to get connections to hosts all
       over the world and would use not only Gopher and WWW ports but possibly
       also  ports  for  finger,  telnet,  ftp,  nntp,  etc.  as  well as non-
       privileged ports ( > 1023).

       For  a  stand-alone  sockd,  /etc/sockd.fc  (or  /etc/sockd.conf)   and
       /etc/  (or  /etc/sockd.route),  if  required, are only read and
       parsed once at the beginning of program execution. If  you  change  the
       contents  of either file and want to make the running sockd use the new
       contents, you must send a SIGHUP signal to the running  sockd  process.
       Sending  a  running  stand-alone  sockd  a  SIGUSR1 signal causes it to
       record  on  the  systems’s  log  file   the   effective   contents   of
       configuration and route files that it is currently using.  You can find
       the process id of the stand-alone sockd in /etc/

       Rather than using plain-text  configuration  file  /etc/sockd.conf  and
       route  file  /etc/sockd.route,  sockd  now  looks for the corresponding
       frozen files /etc/sockd.fc  and  /etc/  first.  The  plain-text
       files  are  used  only if the corresponding frozen files are not found.
       Use commands make_sockdfc and make_sockdfr to produce the frosen files.
       Use  commands  dump_sockdfc and dump_sockdfr to examine the contents of
       frozen files. (See make_sockdfc(8),  make_sockdfr(8),  dump_sockdfc(8),
       and  dump_sockdfr(8).)  Using  frozen configuration and route files can
       save a lot of overhead at start-up of sockd.


       The options are mutually exclusive and thus may only be used one  at  a

       -ver   With  this  option,  sockd  prints  its  own version number, the
              version number of the SOCKS protocol, whether it is  SOCKSified,
              whether  it  is  a standalone daemon or must be run under inetd,
              whether it support RBIND, and whether a route file is  required.

       -I     Use  identd  (RFC  1413) to verify the requester’s user-id. Deny
              access if connection to client’s identd fails or if  the  result
              does  not  match  the  user-id  reported  by the client program.
              Client hosts without a properly installed identd daemon will not
              be  served.  User verification is done before and in addition to
              the normal  access  control.  This  can  be  overridden  in  the
              sockd.conf file on a line by line basis.

       -i     Similar  to  -I  but  more  lenient.  Access  is  denied only if
              client’s identd reports a user-id that’s different from what the
              client  program claims. This can be overridden in the sockd.conf
              file on a line by line basis.

       Log entries similar to the following are produced upon failure of user-
       id verification:

        Apr 15 14:42:51 eon sockd[729]: cannot connect to identd on
        Apr 15 14:42:51 eon sockd[729]: refused -- Connect from bob(unknown) to (ftp)
        Jul 15 12:23:06 eon sockd[832]: *Alert*: real user is sam, not jim
        Jul 15 12:23:06 eon sockd[832]: refused -- Connect from jim(sam) to (WWW)


       /etc/sockd.fc,    /etc/sockd.conf,   /etc/,   /etc/sockd.route,
       /etc/inetd.conf, /etc/services, /var/adm/messages, /etc/syslog.conf


       socks_clients(1),   sockd.conf(5),    sockd.route(5),    socks.conf(5),
       make_sockdfc(8), make_sockdfr(8), dump_sockdfc(8), dump_sockdfr(8)


       David Koblas,
       Ying-Da Lee,
       David Mischel,

                                 June 6, 1996