home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
OS/2 Shareware BBS: 35 Internet
/
35-Internet.zip
/
sockd.zip
/
install.doc
< prev
next >
Wrap
Text File
|
1998-02-21
|
38KB
|
1,017 lines
TCP/IP SockD server for OS/2
____________________________
SOCKD DESCRIPTION
_________________
The multi-threaded socks server for OS/2 enables to build a
firewall gateway on an OS/2 (Warp) system. The objective is
just to interconnect small TCP/IP PC Lan with the public
network (through a "Service Provider").
Like in all "standard" sockd server, the protection is
build in a configuration file (sockd.cfg in the ETC direc-
tory).
Access is controlled with two statements "deny" or "per-
mit". Origin address and subnet mask and destination ad-
dress and mask can be checked for a destination port
number...
For applications using socks version 4 protocol the support
is only for TCP application due to the protocol stack.
The current version has support for three LAN adapters
(LAN0, LAN1 and LAN2), and two SLIP or PPP adapters (sl0,
sl1, ppp0 and ppp1). One of the "serial" adapters can be
configured in "auto-dial" to give access to the Internet
through a "network" provider.
The current version supports SOCKS Version 4 and 5. In
SOCKS version 5, only NO AUTHENTICATION REQUIRED and
USERNAME/PASSWORD authentication methods are supported. The
GSSAPI support is NOT implemented.
In V5 only support for IP V4 addresses is provided not V6.
DNS names are evidendly supported.
To be used, a correct support of the TCP/IP names must be
implemented in
the way the "client" stations can convert external names in
IP addresses.
This restriction can be modified with SOCKS Version 5 where
DNS names have
to be resolved only on the SOCKD station.
To provide the correct "names" support in Socks V4, we use
the DNS kit of TCP/IP V2.0
on the same workstation as "sockD". In this way this
"nameD" server can provide
caching mechanism to the external (and internal) name serv-
ers.
We used also the DDNS kit of Warp Server in a similar con-
figuration.
In Socks V5, only a resolv file pointing to a "public" name
server and an "hosts" file to traduce "internal" names are
required. The usage of a real "caching" name server is NOT
mandatory. The customization of the "SockD" server is eas-
ier.
The support of UDP associated of V5 is a little bit modified
to add support for a "remote" ping command when the destina-
tion port is "1". In this case sockd opens a "raw" socket
with protocol "icmp" to ping the external host and communi-
cates with the standard UDP Associated protocol to the "cli-
ent" host.
AUTO-DIAL FACILITY.
___________________
You need to customize first the access to your network pro-
vider.
SockD was only tested with IBM Global Network. When the ac-
cess is working with the "dialer.exe", you have to customize
two "cmd" files one to get the access and the second one to
close it.
This facility is only supported on one adapter sl0, sl1,
ppp0 or ppp1. It was only tested on sl0.
To check if the connection is OK, sockd uses the "flags" of
the adapter status. When the sl0 adapter is
"<UP,POINTTOPOINT>", the flags are "811" or
"<UP,POINTTOPOINT,RUNNING>" ("851")...
Sockd reads normally a sockd.cfg and sockd.rte files in the
ETC directory. These files are the socks configuration. In
auto-dial mode, sockd tries to build an "automatic" config.
It should be OK for the first tests. If you want to look at
this default config, you have just to read the sockd.log
file (in the sockd directory) after stopping sockd.
By sample I used this sockdial.cmd whith a correct
userid/password and account to start the connection.
/************************************************/
/* */
/* sockdial.cmd : to start the slip connection */
/* */
/************************************************/
'start dialer account userid password -d'
And this sockclos.cmd to stop the connection after the "de-
lay" without session is expired.
/***********************************************/
/* */
/* sockclos.cmd : to stop the slip connection */
/* */
/***********************************************/
'dialer -c'
These two cmd MUST be put in a subdirectory in the PATH
statement (I used \TCPIP\BIN).
Evidendly you have to enable the "auto-dial" function
through the "dial-up" option of the "config" menu (and setup
your command names and the "delay" time). Then you have to
stop/start sockd.
An other method consists in starting directly sockd with a
parameter:
start sockd -dsl0
where: sl0 is the auto-dial adapter
In this case you have to keep the default for other parame-
ters: "sockdial.cmd", "sockclos.cmd" and 5 minutes of de-
lay.
The delay time should be shorter than the "delay" set in the
"dialer" configuration to keep the control of the connection
in "sockd".
SOCKD.CFG
_________
The configuration files are saved in the ETC directory.
deny 0.0.0.0 0.0.0.0 9.0.0.0 255.0.0.0 gt 0
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 ge 1024
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 21
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 20
permit *=PhilG,Test 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 23
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 70
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 80
A list of userids can be used in addition of IP addresses
on the "permit" statement. They are case sensitive. The
value sent from the OS/2 Warp station comes from the USER
variable set in the "config.sys" in SOCKS V4.
On the time being no checking of "password" is performed
(through identd).
In SOCKS V5, the userid used in userid/password
authentication is checked with the userid list in the permit
statement if *= field is set.
Good practice specifies a first statement to denies all ex-
ternal accesses to your "private" network (all ports) with:
"deny 0.0.0.0 0.0.0.0 nnn.nnn.nnn.nnn mmm.mmm.mmm.mmm gt 0"
where nnn is your network number and mmm the mask.
then you can permit all stations from your network to ac-
cess all TCP applications through the socks gateway with:
"permit nnn.nnn.nnn.nnn mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 gt
0"
"proxy" statements can be added if you require to intercon-
nect sockd servers. The syntax is like :
"proxy IP_addr port_nb subnet_nb subnet_mask auth comp
encr name [site_certificate] "
Where :
IP_addr is the IP address of next proxy server
port_nb is the port number (1080 by default) of this proxy
server
subnet_nb is the destination subnet number we can access
through this proxyu
subnet_mask the destination subnet mask
auth Y_or_N use local_node_name/node_name as
userid/password authentication
comp Y_or_N compress data frames on this proxy connection
encr Y_or_N encrypt data frames on this proxy connection
name remote node name (used as password in userid/pswd
authentication)
site_certificate a pgp public key ring where we can get
the key for node name
SOCKD.PRO
_________
SOCKD uses also a profile file (sockd.pro) in the ETC di-
rectory to save the number of sessions set, server port nb,
the window position, the level of logging used ("Full", "all
Sessions", "only errors and sessions refused (Minimum)" or
"No logging") and the font used on main window.
In the second line of this file, we have the "auto dial"
parameters:
is this facility enabled (Y or N), the dial command, the
hangup command,
and the "short hold mode" delay.
In addition a "TCP" time-out and a "UDP" time-out (in sec-
onds) are
also set. These permit to "tune" the delay sockd is waiting
for the next
transaction before considering the session is lost.
If these parameters are too short sockd is cutting the ses-
sion during a
normal "wait" time. If they are too long, some "client"
threads can be
blocked and are not available for "new" sessions.
The defaults are respectively 20 minutes for TCP and 50
seconds for UDP
applications. TCP is really using a "session". In UDP there
is no real
session. The communication is never really closed. The UDP
time-out is used
to standardly close this communication. SockD was tested
with Real-Audio
UDP application and archie as UDP associate applications.
The default of
50 seconds was enough to use both applications with a
dial-up connection.
The default of 20 minutes for TCP applications was set big-
ger than the
standard FTP time-out (15 minutes). It is NOT enough for
"permanent"
telnet sessions.
A third line contains info on log archiving : yes or no, de-
lay in hours or days, delay value, maximum number of files
to archive. The fifth parm in this line permits to support
only socks V5 userid/password authentication if a userid is
set on a permit statement. In Socks V4 there is no password
checking. Normally sockd is giving the same process to V4
as V5. Enabling this option obliges to use a password in ad-
dition to the userid.
A fourth line can be added with the local node name. If this
parameter exists it can be used for a sort of
userid/password checking on proxy connections. The name is
case sensitive with a maximal length of 128 characters. No
space, new line or carriage return can be used in it. A
second parameter can be set as a PGP certificate file name.
When encryption should be supported we 'll find the private
key in it corresponding to the local node name as userid.
This file is created automatically by sockd.exe but you can
complete it through the "profile" menu option.
SOCKD.RTE
_________
Another configuration file (sockd.rte) is required for
SOCKS_BIND in the ETC directory describing the gateway
adapters and IP addresses. Most of the applications (Web
Explorer, Rtelnet, ...) use only SOCKS_CONNECT. That's the
reason why I put "sockd.rte" as optional.... But if you
want to use Rftp you need the SOCKS_BIND support and then
sockd.rte.
It is a list of the local adapter addresses and the neworks
you can reach through these... These definitions are used in
sequence for testing an address. Thus it seems better to
put the more restrictive definitions first (describing pri-
vate network access) and the "public network" adapter
finally (giving access to world).
By sample :
9.36.69.41 9.36.69.32 255.255.255.224
9.132.89.238 0.0.0.0 0.0.0.0
If you plan to use the auto-dial facility avoid to set rout-
ing for the dial-up adapter. If no route file is found,
sockd builds one with your LAN adapters giving access to
their local subnets and put a last dynamic entry for the
switched adapter giving access to world (0.0.0.0).
You can want to have other subnets accessible through fixed
(LAN) adapters. For that you must define a sockd.rte with a
line per subnet and setting in first parameter the local IP
address giving access to it. Sockd 'll add dynamically a
last entry for the switched adapter giving access to 0.0.0.0
By sample :
9.36.71.9 9.36.71.0 255.255.255.0
9.132.89.238 9.0.0.0 255.0.0.0
9.132.89.238 198.74.69.0 255.255.255.0
SOCKD.USR
_________
This file is in the ETC directory for Socks version 5
userid/password authentication. On the time being, no en-
cryption technic is used on this confidential dataset. A
userid as a password can theoretically use 256 characters. I
think in our test implementation it is limited to 255 (due
to the end of string character).
By sample :
userid01 password01
userid02 password02
UTILISATION:
____________
Start sockd without any parameter or with some of these
options:
⌐ "-c" option: The number of concurrent clients is 32 by
default. It can be changed at startup with the -c pa-
rameter or by modifying the sockd.pro profile file with
the menu option. By sample :"sockd -c64" to support 64
simultaneous clients. Note there is NO space between -c
and the value. This number should be between 8 and 255.
Each client uses one thread (in addition to the base
sockd thread).
⌐ "-l" option: to suppress logging (sockd.log file in the
current directory)
⌐ "-i" option: to start iconized .
⌐ "-d" option: to setup an auto-dial adapter, by sample
"-dsl0".
⌐ "-p" option: by default sockd uses the port 1080. You
can change it starting "sockd -p2080" by sample.
If you want to use more than one option, specify different
parameters: "start sockd -c48 -p2080 -i".
The frame forwarding MUST be disabled (with the "ipgate
off" command or through MPTS customization) to protect the
access to your "internal" network.
The "socks" support is required to run (and use) applica-
tions through gateway. (see SOCKS FORUM) or a Web Browser
with "socks" support (like Web Explorer for
OS/2).
SOCKD MENU
__________
⌐ "Config": create, modify or simply check your configura-
tion
₧ "edit": to create or modify "line by line" the
sockd.cfg in ETC directory
₧ "proxy": to define proxy servers and the subnets
they are giving access.
₧ "view": to review the configuration in memory and
eventualy change it
with the standard MLE (Multiple Line Entry
field) keyboard manipulation.
(select text with mouse button 1 or Shift key
and move the cursor,
then cut, copy and paste text with
Ctrl+Delete, Shift+Delete and Shift+Insert)
₧ "profile": to change the maximum number of concur-
rent sessions,
the server port number or the logging level.
₧ "route": to configure the sockd.rte file in ETC di-
rectory.
₧ "save conf": to save the sockd.cfg from memory to
ETC directory
₧ "userid": for Socks V5 Userid/Password
authentication method
₧ "dial-up": to customize auto-dial facility
₧ "font": to select the font used in the main window.
⌐ "reset": If you want to activate a change, a new profile
or config
₧ "server": to stop/restart the server
₧ "log file": to clean the log file when reports are
too long.
⌐ "Report":
₧ "accepted": to check all sessions through this
server
₧ "denied": to check all demands rejected by the
server.
₧ "connect": to read the dial-up connection time in
auto-dial mode.
⌐ "Help": to read this help file.
⌐ "Exit": to save the "profile" file and exit.
DNS SUPPORT
___________
HOW TO SETUP A NAME SERVER
__________________________
To solve the V4 "name" problem, I put the DNS kit (at CSD
UN60004 level) on the PS/VP. This name server should be cus-
tomized with caching to the external name server(s) and to
internal domain name server. On the "client" station the
resolv2 file points to the socks gateway address as the name
server (the DNS running on the sockd station can be the only
name server on this small subnet).
Here after the configuration files used during our tests,
where:
⌐ Where test.benelux.ibm.com (9.36.71.0) is the 'private'
domain
⌐ ztmaixn1.benelux.ibm.com (9.132.56.2) is the external
name server for the
ibm.com domain and ns01.ny.us.ibm.net (165.87.194.244)
is the external
DNS server.
⌐ The socks gateway is using 9.132.89.238 on the
"ibm.com" adapter and
9.36.71.9 on the "secure" side (philg.benelux.ibm.com).
⌐ Tests were performed from testuser.test.benelux.ibm.com
(9.36.71.10).
⌐ All "external" sessions were performed through the sl0
adapter and a connection to IBM Global Network as "Ser-
vice" provider.
In fact, on a small LAN with just a few PCs connected a
"hosts" file must be enough to succeed with DNS conversion
in Socks V5.
hosts file in ETC directory
9.132.89.238 bedb238.benelux.ibm.com
9.36.71.9 bedb238.philg.benelux.ibm.com
9.36.71.10 testuser.philg.benelux.ibm.com
165.87.194.244 ns01.ny.us.ibm.net
128.123.35.151 hobbes.nmsu.edu
206.101.97.101 www.lycos.com
205.216.146.70 www.yahoo.com
In Socks V4, you can perform the first sockd tests just with
a similar hosts file. But quickly, you should be blocked and
due to the protocol you need to start a "named" server on
your sockd gateway. You need then a "resolv2" file on your
LAN attached PC pointing to your named server.
In any case keep also an "hosts" file on your sockd PC, be-
cause the code uses a "gethostbyaddr()" macro to get the
"hostname" of the workstation. Sometimes the named server
doesn't answer and you have to start sockd before named. You
need then the "hosts" file to get a name.
DNS KIT OF TCP/IP V2
____________________
named.bt
________
;
; NAMED.BT file for name server configuration.
;
; type domain source file or host
;
domain philg.benelux.ibm.com
cache . d&colon.\\tcpip\\etc\\namedb\\named.ca
primary philg.benelux.ibm.com d&colon.\\tcpip\\etc\\namedb\\named.dom
primary 71.36.9.in-addr.arpa d&colon.\\tcpip\\etc\\namedb\\named.rev
;
;
domain benelux.ibm.com
primary ztmaixn1.benelux.ibm.com 9.132.56.2
primary 9.in-addr.arpa 9.132.56.2
;
domain ibm.net
primary ns01.ny.us.ibm.net 165.87.194.244
primary .in-addr.arpa 165.87.194.244
;
named.ca
________
;
; define parent(root) domain nameserver (Note trailing dot)
;
philg.benelux.ibm.com. 99999999 IN NS bedb238.benelux.ibm.com.
71.36.9.in-addr.arpa. 99999999 IN NS bedb238.benelux.ibm.com.
benelux.ibm.com. 99999999 IN NS ztmaixn1.benelux.ibm.com.
ibm.com. 99999999 IN NS ztmaixn1.benelux.ibm.com.
9. 99999999 IN NS ztmaixn1.benelux.ibm.com.
9.in-addr.arpa. 99999999 IN NS ztmaixn1.benelux.ibm.com.
in-addr.arpa. 99999999 IN NS ns01.ny.us.net.com.
;
; address of domain nameservers
;
bedb238.philg.benelux.ibm.com. 99999999 IN A 9.36.71.9
bedb238.benelux.ibm.com. 99999999 IN A 9.132.89.238
ztmaixn1.benelux.ibm.com. 99999999 IN A 9.132.56.2
beda002.benelux.ibm.com. 99999999 IN A 9.132.88.2
ns01.ny.us.net.com. 99999999 IN A 165.87.194.244
;
Where ns01.ny.us.net.com is the name server of the Internet
provider...
named.dom
_________
;
;********************************
;* Start of Authority Records *
;********************************
;
@ IN SOA bedb238.philg.benelux.ibm.com. (
93052601 ; Serial number for this data (yymmdd##)
86400 ; Refresh value for secondary name servers
300 ; Retry value for secondary name servers
864000 ; Expire value for secondary name servers
3600 ) ; Minimum TTL value
;
@ IN NS bedb238.philg.benelux.ibm.com.
ibm.com. IN NS bedb238.philg.benelux.ibm.com.
ibm.com. IN NS ztmaixn1.benelux.ibm.com.
com. IN NS bedb238.philg.benelux.ibm.com.
com. IN NS ns01.ny.us.ibm.net
edu. IN NS ns01.ny.us.ibm.net
be. IN NS ns01.ny.us.ibm.net
;
;********************************
;* Domain Address Information *
;********************************
;
bedb238 86400 IN A 9.36.71.9
IN HINFO IBM-PS/2 OS/2 3.0
;
testuser 86400 IN A 9.36.71.10
IN HINFO IBM-PS/2 OS/2 3.0
;
bedb238.benelux.ibm.com. 86400 IN A 9.132.89.238
bedb237.benelux.ibm.com. 86400 IN A 9.132.89.237
ns01.ny.us.ibm.net 86400 IN A 165.87.194.244
ztmaixn1.benelux.ibm.com 86400 IN A 9.132.56.2
w3.almaden.ibm.com. 86400 IN A 129.33.24.62
w3.pe.au.ibm.com. 86400 IN A 9.8.32.2
w3.austin.ibm.com. 86400 IN A 9.3.246.8
w3.bocaraton.ibm.com. 86400 IN A 9.83.4.179
w3.portsmouth.uk.ibm.com. 86400 IN A 9.180.145.185
w3.hursley.ibm.com. 86400 IN A 9.20.2.34
w3.issc.ibm.com. 86400 IN A 9.242.89.217
isscw3.raleigh.ibm.com. 86400 IN A 9.67.1.114
w3nhd.raleigh.ibm.com. 86400 IN A 9.67.195.102
netstd.raleigh.ibm.com. 86400 IN A 9.67.1.114
w3.raleigh.ibm.com. 86400 IN A 9.67.4.22
www.tcp.raleigh.ibm.com. 86400 IN A 9.67.106.6
www.lycos.com. 86400 IN A 206.101.97.101
www.yahoo.com. 86400 IN A 205.216.146.70
The translation of www.lycos.com, www.yahoo.com, ... Are
there to have a method to start a dial-up connection without
the external DNS server. These name translations are re-
quired for Socks V4 auto-dial process...
You must setup there the addresses of the WWW servers set in
the quicklist of the end-users connected on the local LAN
while Web explorer is not supporting V5.
named.rev
_________
;
;********************************
;* Start of Authority Records *
;********************************
;
71.36.9.in-addr.arpa. IN SOA bedb238.philg.benelux.ibm.com. (
93052601 ; Serial number for this data (yymmdd##)
86400 ; Refresh value for secondary name servers
300 ; Retry value for secondary name servers
864000 ; Expire value for secondary name servers
3600 ) ; Minimum TTL value
71.36.9.in-addr.arpa. IN NS bedb238.philg.benelux.ibm.com.
;
9 IN PTR bedb238.philg.benelux.ibm.com.
10 IN PTR testuser.philg.benelux.ibm.com.
237.89.132.9.in-addr.arpa. IN PTR bedb237.benelux.ibm.com.
238.89.132.9.in-addr.arpa. IN PTR bedb238.benelux.ibm.com.
101.97.101.206.in-addr.arpa. IN PTR www.lycos.com.
70.146.216.205.in-addr.arpa. IN PTR www.yahoo.com.
The translation of bedb238.benelux.ibm.com is required to
start sockd when the name server is running, because
9.132.89.238 is the IP address of the "lan0" adapter.
SockD uses a "gethostbyaddr()" macro to get the host-name of
the system where it is running. If the name server can not
give it, sockd is blocked during start-up...
DDNS KIT OF WARP SERVER
_______________________
In the \MPTN\ETC\NAMEDB directory we used the following
config files.
named.bt
________
;
; NAMED.BT file for name server configuration.
;
; type domain source file or host
;
domain philg.benelux.ibm.com
primary philg.benelux.ibm.com c&colon.\\mptn\\etc\\namedb\\named.dom presecured nokeytosec
primary 71.36.9.in-addr.arpa c&colon.\\mptn\\etc\\namedb\\named.rev presecured nokeytosec
;
;
cache . c&colon.\\mptn\\etc\\namedb\\named.ca presecured nokeytosec
;
named.dom
_________
;
;********************************
;* Start of Authority Records *
;********************************
;
@ IN SOA bedb238.philg.benelux.ibm.com. (
96090101 ; Serial number for this data (yymmdd##)
86400 ; Refresh value for secondary name servers
300 ; Retry value for secondary name servers
864000 ; Expire value for secondary name servers
3600 ) ; Minimum TTL value
;
@ IN NS bedb238.philg.benelux.ibm.com.
;
;********************************
;* Domain Address Information *
;********************************
;
bedb238 86400 IN A 9.36.71.9
IN HINFO IBM-PS/2 OS/2 3.0
;
testuser 86400 IN A 9.36.71.10
IN HINFO IBM-PS/2 OS/2 3.0
;
ns01.ny.us.ibm.net 86400 IN A 165.87.194.244
www.lycos.com. 86400 IN A 206.101.97.101
www.yahoo.com. 86400 IN A 205.216.146.70
named.rev
_________
;
;********************************
;* Start of Authority Records *
;********************************
;
71.36.9.in-addr.arpa. IN SOA bedb238.philg.benelux.ibm.com. (
93052601 ; Serial number for this data (yymmdd##)
86400 ; Refresh value for secondary name servers
300 ; Retry value for secondary name servers
864000 ; Expire value for secondary name servers
3600 ) ; Minimum TTL value
71.36.9.in-addr.arpa. IN NS bedb238.philg.benelux.ibm.com.
;
9.71.36.9.in-addr.arpa. IN PTR bedb238.philg.benelux.ibm.com.
10.71.36.9.in-addr.arpa. IN PTR testuser.philg.benelux.ibm.com.
101.97.101.206.in-addr.arpa. IN PTR www.lycos.com.
70.146.216.205.in-addr.arpa. IN PTR www.yahoo.com.
named.ca
________
;
; define parent(root) domain nameserver (Note trailing dot)
;
in-addr.arpa. 99999999 IN NS ns01.ny.us.net.com.
;
; address of domain nameservers
;
ns01.ny.us.net.com. 99999999 IN A 165.87.194.244
;
RESOLV2 ON SOCKD SERVER
_______________________
domain philg.benelux.ibm.com
nameserver 9.36.71.9
RESOLV ON SOCKD SERVER
______________________
domain philg.benelux.ibm.com
nameserver 9.36.71.9
RESOLV2 ON END-USER WORKSTATION
_______________________________
domain philg.benelux.ibm.com
nameserver 9.36.71.9
TEST CONFIGURATION
__________________
----
---- ---
---- ----
---- Internet --
---- -
------ IBM IGN --
---*-------
*
*
******* testuser
* * Modem ----------
* * Dial-up *Thinkpad*
* ----*-----
* * * *
* * ------*------ Ethernet *9.36.71.10
* T-R *** PS/VP *---------------------*---
* * * bebd238 *9.36.71.9
* * -------------
9.132.89.238
ibm.com philg.benelux.ibm.com
9.0.0.0 9.36.71.0
With a correct setup, it is possible to use Internal servers
(ibm.com) without dialing from "testuser". If an external
server is used (by sample www.yahoo.com) the auto-dial is
automaticcally used.
The choice is done through "sockd.rte" configuration. By de-
fault sockd gives only access to the "local" subnet on the
LAN adapter (9.132.88.0).
PROXY SUPPORT
______________
A "proxy" socks suppot is implemented. To use it you need
to know the IP address of the next sockd for OS/2 server and
the subnets you can access through this remote node.
From a LAN connected to Internet in "auto-dial" mode it is
possible to access servers located on an other LAN attached
to Internet through a sockd using a fixed IP address (mainly
with a leased line).
You must "permit" the access on both sockd servers. Only
the dial-up sockd has to define the "leased line attached"
sockd with a "proxy" statement.
To setup proxy connections you must configure the connection
on the remote site (the site where the user's sessions are
started pointing to "central" servers). This site can
use an auto-dial sockd. You must define a "fixed" IP
address for the "central" site, but on the "central" sockd
no definition is required (except the permit statements) to
accept remote proxies.
In this way the Internet can be used to transport data be-
tween distributed offices. You need a different subnet in
each location (it can be a "reusable" nework address) and
then you have to build the "routing" with proxy statements.
If you want a light authentication to validate the con-
nection, you can setup a local node name in each sockd pro-
file, then you must give the correct name in the proxy setup
on the remote site. The connection between proxies uses
socks V5 protocols and then we can use the node names as
userid/password for authentication.
The use of PGP certificates is required to support encryption.
An "authentication" frame is sent before a socks command and connection
initialization. This packet is set with local and remote node names
(found as userids in PGP certificates) and a 128 bits key. If the
signature is accepted all TCP data packets are encrypted. A 128 bits
key is calculated and changed for each socket connection... Encryption
is required for all sessions if you enable this support in the profile.
Only TCP sessions are encrypted. The UDP Associate sessions are NOT encrypted
or compressed.
In the current version of SockD the node names are limited to 128 characters.
The node names can contain spaces or any special characters. They are case
sensitive. No hexa 0 value can be used. It can be a small sentence.
For encryption support sockd uses the PGP userids exactly as written in the
PGP certificates. That's why I set a button to read these userids from
the PGP certificate given by its file name in the proxy or profile setup window.
To succeed with proxy encryption you must specify the corresponding PGP
certificate in the proxy statement of the remote sockd and in the profile
of the local sockd, thus the private certificate on one site and the public
on the other site. You must distribute the "public" certificates to the
remote sites...
A first step consists in generating the pair of private and public
certificates with PGP and to rename secring.pgp and pubring.pgp to (by sample)
thinkpad.sec and thinkpad.pub or gateway.sec and gateway.pub.
After you can copy these files in the sockd directory locally(.sec) and
remotely (.pub).
Only "Connect" and "Bind" sessions are encrypted.
The UDP Associate sessions are NOT encrypted or compressed.
An option exists to define the proxy support only for encrypted sessions
requiring always the encrypted authentication ("encrypted sessions only").
This method permits a more secure socks server.
To test the proxy support I used my travelling thinkpad and
defined as proxy a fixed desktop PC giving access to Inter-
net through a dial-up connection. Both PCs were connected to
our intranet LAN. I defined locally in the socks config
file the address 127.0.0.1 (the loopback adapter) as the
socks gateway. When sockd was started on the thinkpad it re-
routed all sessions to the proxy giving access to 0.0.0.0...
The configuration files used :
sockd.pro
_________
32 1080 380 270 400 300 win F Tms Rmn
N sl0 sockdial.cmd sockclos.cmd 300 1200 50
N D 1 7 N
My_travelling_Thinkpad pubring.pgp
sockd.cfg
sockd.cfg
sockd.cfg
sockd.cfg
_________
deny 0.0.0.0 0.0.0.0 9.0.0.0 255.0.0.0 gt 0
deny 0.0.0.0 0.0.0.0 127.0.0.0 255.0.0.0 gt 0
permit 9.132.0.0 255.255.0.0 0.0.0.0 0.0.0.0 gt 0
permit 127.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 gt 0
proxy 9.132.89.237 1080 0.0.0.0 0.0.0.0 Y Y N Gateway_to_the_Internet pubring.pgp
sockd.rte
_________
9.132.89.142 0.0.0.0 0.0.0.0
127.0.0.1 127.0.0.0 255.0.0.0
socks.cfg
_________
direct 9.0.0.0 255.0.0.0
sockd @=127.0.0.1 0.0.0.0 0.0.0.0
All comments, remarks or critics are welcome on this subject
(and others).
ARCHIVING SOCKD LOG FILES AND REPORTING
_______________________________________
Sockd can now archive its log files. The setup is done
through the "profile" option of the main window menu. Four
parameters are saved in the third line of the sockd.pro file
in the ETC directory. The first parameter indicates if Yes
or No the option is selected. The second parameter is "H"
for hours or "D" for days. The third gives the delay used to
close the sockd.log file and rename it to "sockdlog.XXX"
where XXX is a three digits number. The fourth indicates the
maximum number of archived files (+ the current sockd.log).
The default is to keep seven files and to archive every 24
hours. With this setup you can build a weekly report using
the sample REXX reporting program "sockdrep.cmd" (just type
"sockdrep" without parm in the directory sockd is run-
ning)...
How to manage sockd from batch command files
____________________________________________
An os/2 command called "sockdmsg" permits to reset the socks server configuration
from the sockd.cfg file in the ETC directory or from the sockd.pro profile..
It is a method to get support for variable config depending by sample of the
time of the day.
The sockdmsg module supports three types of requests:
- "sockdmsg -c [sockd.cfg]" to change the socks server configuration.
It uses sockd.cfg from the ETC directory if no file name is given as second
parameter. If a name is present, sockd looks for this file in the ETC directory
except if the file name includes some real path information (a backslash or
a colon).
- "sockdmsg -p [sockd.pro]" to restart sockd from a profile file.
- "sockdmsg -l" to reset the sockd.log logging file.
This command works only when sockd is running because it uses the \QUEUES\SOCKD
system queue to communicate with the sockd process. A parameter is MANDATORY.
IF PROBLEMS
___________
⌐ The DNS kit nameD server can block if the system is
fully "socksified". Don't hesitate to rename the
"socks.cfg" file in the ETC directory when you are run-
ning sockD.
⌐ If your configuration is limited to one LAN adapter and
one dial adapter, it is better to test sockd without
configuring it... Use the view menu option to see the
config. After tests, check sockd.log ...
⌐ If you have really a problem to setup a name server on
the gateway station, define a "hosts" file. For that,
when you are testing your "sockdial.cmd" after the con-
nection and authentication are successfully completed,
use :
host www.yahoo.com
in an OS/2 Window. You are able to get the IP addresses
of your favorite servers. If you install a "completed"
hosts file in the ETC directory of the end-user PC you
can test sockd with WebEx (socks V4) without setting a
name server. With a name server and its caching mech-
anism, you have access to any server, with the hosts
file access is limited...
⌐ To support socks V5 DNS, the dial-up connection is
started automatically if the name can NOT be locally
traduced... A better solution is perhaps to define a
list of the "internal" domain names, and to start the
connection only if the request is for another domain
name. On the time being, sockd start the dial-up con-
nection for V5, before checking if the connection is
"permitted" except if the DNS name can be locally
traduced. With the current implementation: - in socks
V4 the first session (to start the dial-up connection)
MUST be
to a "locally" defined DNS name (then sockd check if
the client has access
to this address before starting the connection). - in
V5 DNS support, the first session can be to any DNS
name, but if this
name can NOT be locally translatted, there is a delay
(nearly 1 min. in my tests)
then the dial-up connection is started and the DNS
name translation request
is sent to the "external" name server.
The "permission" can be checked only after sockd re-
ceived the destination
IP address.
⌐ In this version , only the flags "811"
(<UP,POINTTOPOINT>) or "851" (<..,RUNNING>) are consid-
ered as "good" status (connection established) on the
dial-up adapter. If the "auto-dial" facility doesn't
work for you, please check these flags with:
"ifconfig ppp0" (by sample)
Send a note to me and I'll add the required support...
⌐ With current V4 applications like WebEx, the first ses-
sion must be done to a DNS name converted locally (named
or hosts file). After the dial-up connection is estab-
lished, names can be translatted by the Internet pro-
vider name server, and cached in the local nameD.
⌐ Using WebEx through sockd, some ".gif" files are not
correctly received I am investigating why and how to im-
prove it.
Any suggestion or question to Philippe Gillain (GILLAIN at
BRUVMIS1 or Philippe_Gillain@be.ibm.com)...
