NAME
       socks.conf - SOCKS clients configuration file

SYNOPSIS
       /etc/socks.conf

DESCRIPTION
       All  SOCKS  client  programs  use  this  file to determine
       whether to use direct or proxy connection to a given  des-
       tination  host,  and  to exert access control based on the
       destination host, the requested service  (port  number  on
       the  destination  host),  and the effective user-id of the
       requesting local user.

       Each line in the file may be up to 1024  characters  long.
       Lines  starting  with  a # are comments. Non-comment lines
       must be of one of the three forms:

       deny [*=userlist]   dst_addr  dst_mask  [op dst_port]  [: shell_cmd]
       direct    [*=userlist]   dst_addr  dst_mask  [op dst_port]  [: shell_cmd]
       sockd     [@=serverlist] [*=userlist]  dst_addr  dst_mask  [op dst_port]  [: shell_md]

       A deny line tells the  SOCKS  clients  when  to  reject  a
       request.   A  direct lines tells when to use a direct con-
       nection. A sockd line indicates when to use a  proxy  con-
       nection  and,  optionally,  which  SOCKS  proxy  server or
       servers it should try.

       Spaces and tabs separate the fields.  Fields  enclosed  in
       sqaure brackets are optional.

       The  userlist field, when present, consists of one or more
       user-ids or filenames, with comma as separator. No  spaces
       or  tabs  are  allowed in the list. The user-ids should be
       ids of users on the local host, not those on the  destina-
       tion host or the SOCKS server host.  The filenames must be
       full pathnames with the leading /.  Inside  the  specified
       files,  user-ids  may  be  listed one or several per line,
       with any combination of blanks, tabs, and commas as  sepa-
       rators.  The  appearance  of  # marks the remainder of the
       line as comment. Each line in the files may be up to  1023
       characters  long.  If the *=userlist field is omitted, the
       line applies to all user-ids.

       The dst_addr dst_mask pair together specify  the  destina-
       tion  IP address or the range of destination IP addresses.
       They are both  given  in  the  usual  dotted  form,  e.g.,
       129.1.2.3. Bits in dst_mask that are set to 0 indicate the
       bit positions which should be masked off  (i.e.,  ignored)
       during  comparison  of dst_addr and the actual destination
       IP address.  So  specifying  255.255.255.255  in  dst_mask
       demands  an  exact match with dst_addr, whereas 0.0.0.0 in
       dst_mask causes an address match no matter what is  speci-
       fied  for  dst_addr.  (NOTE: This is the same way netmasks
       are interpreted, but is the direct  opposite  of  how  the
       address masks are used in cisco router's access-lists.)

       The  op  field must be eq, neq, lt, gt, le, or ge, for the
       condition of equal, not equal, less  than,  greater  than,
       less  than  or  equal,  and greater than or equal, respec-
       tively.  The dst_port field can be either a  port  number,
       e.g.,  23,  or the equivalent service name as specified in
       file /etc/services, e.g., telnet for port  number  23.  If
       this pair is omitted, the line applies to all services.

       The  serverlist,  which  may only be used in a sockd line,
       consists of one or more SOCKS  proxy  servers,  which  the
       client  program should try to use (in the indicated order)
       for establishing a proxy connection.  Only commas  can  be
       used  as  separator,  no spaces or tabs are allowed in the
       list. Domain names of the servers may be used in the list,
       though   it   is  probably  more  prudent  to  specify  IP
       addresses.  If this field is omitted, the  client  program
       will  use  the default SOCKS proxy server, which is deter-
       mined by  the  environment  variable  SOCKS_SERVER  if  it
       exists, or the name compiled into the SOCKS client program
       otherwise.

       Consider

       sockd  @=1.2.3.4  *=boss,root 11.12.13.14 255.255.255.255 eq telnet

       To match the condition indicated in this line,  a  request
       must  come  from a local user whose effective id is either
       boss  or  root,  the  detination  IP   address   must   be
       11.12.13.14  exactly,  and  the  service requested must be
       telnet. In  that  case,  connection  to  host  11.12.13.14
       should be done via a SOCKS proxy server on host 1.2.3.4.

       Every  time  a  SOCKS client has to make a network connec-
       tion, it checks  the  pending  request  against  the  file
       /etc/socks.conf,  one line at a time. Once it finds a line
       with conditions that  are  matched  by  the  request,  the
       action  specified  on  that  line  is taken. The remaining
       lines of file /etc/socks.conf are skipped. So the order of
       the  lines  in the file is extremely important; switch two
       lines and you may have entirely different results.  If  no
       matching line is found throughout the file, the request is
       denied.

       The shell_cmd field specifies a  command  string  that  is
       executed  when  the conditions on that line are satisfied.
       The following substitutions occur  before  the  string  is
       presented to the Borne shell for execution:

        %A -- replaced by the client host's domainname if known, by its IP address otherwise
        %a -- replaced by the client host's IP address
        %c -- replaced by "connect" or "bind"
        %p -- replaced by the process id of the client program
        %S -- replaced by the service name (e.g., ftp) if known, by the destination port number otherwise
        %s -- replaced by the destination port number
        %U -- replaced by the user-id at login
        %u -- replaced by the effective user-id
        %Z -- replaced by the destination host's domainname if known, by its IP address otherwise
        %z -- replaced by the destination host's IP address
        %% -- replaced by a single %

       Several shell commands can be strung together in the usual
       way with `|', `;', etc.

       Although there is an implied 'deny all' at the end of  the
       control  file, you may supply one explicitly so as to take
       some specific action when requests are so rejected, e.g.,

        deny 0.0.0.0 0.0.0.0 : /usr/ucb/mail -s 'SOCKS: rejected %S from %u to %Z' root

       Unlike  the  previous  version,  connection   to   address
       127.0.0.1 (localhost) is always done directly, so there is
       no need to specify that in /etc/socks.conf.

ENVIRONMENT
       SOCKS_SERVER, if defined, specifies the name or IP address
       of  the  SOCKS  proxy  server  host to use, overriding the
       default server compiled into the programs.

