home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Cream of the Crop 26
/
Cream of the Crop 26.iso
/
os2
/
sockd.zip
/
install.doc
< prev
next >
Wrap
Text File
|
1997-05-18
|
33KB
|
865 lines
Installation instructions and documentation (from sockd help)
_____________________________________________________________
The multi-threaded socks server for OS/2 enables to build a
firewall gateway on an OS/2 (Warp) system. The objective is
just to interconnect small TCP/IP PC Lan with the public
network (through a "Service Provider").
Like in all "standard" sockd server, the protection is
build in a configuration file (sockd.cfg in the ETC direc-
tory).
Access is controlled with two statements "deny" or "per-
mit". Origin address and subnet mask and destination ad-
dress and mask can be checked for a destination port
number...
For applications using socks version 4 protocol the support
is only for TCP application due to the protocol stack.
The current version has support for three LAN adapters
(LAN0, LAN1 and LAN2), and two SLIP or PPP adapters (sl0,
sl1, ppp0 and ppp1). One of the "serial" adapters can be
configured in "auto-dial" to give access to the Internet
through a "network" provider.
The current version supports SOCKS Version 4 and 5. In
SOCKS version 5, only NO AUTHENTICATION REQUIRED and
USERNAME/PASSWORD authentication methods are supported. The
GSSAPI support is NOT implemented.
In V5 only support for IP V4 addresses is provided not V6.
DNS names are evidendly supported.
To be used, a correct support of the TCP/IP names must be
implemented in
the way the "client" stations can convert external names in
IP addresses.
This restriction can be modified with SOCKS Version 5 where
DNS names have
to be resolved only on the SOCKD station.
To provide the correct "names" support in Socks V4, we use
the DNS kit of TCP/IP V2.0
on the same workstation as "sockD". In this way this
"nameD" server can provide
caching mechanism to the external (and internal) name serv-
ers.
We used also the DDNS kit of Warp Server in a similar con-
figuration.
In Socks V5, only a resolv file pointing to a "public" name
server and an "hosts" file to traduce "internal" names are
required. The usage of a real "caching" name server is NOT
mandatory. The customization of the "SockD" server is eas-
ier.
The support of UDP associated of V5 is a little bit modified
to add support for a "remote" ping command when the destina-
tion port is "1". In this case sockd opens a "raw" socket
with protocol "icmp" to ping the external host and communi-
cates with the standard UDP Associated protocol to the "cli-
ent" host.
AUTO-DIAL FACILITY.
___________________
You need to customize first the access to your network pro-
vider.
SockD was only tested with IBM Global Network. When the ac-
cess is working with the "dialer.exe", you have to customize
two "cmd" files one to get the access and the second one to
close it.
This facility is only supported on one adapter sl0, sl1,
ppp0 or ppp1. It was only tested on sl0.
To check if the connection is OK, sockd uses the "flags" of
the adapter status. When the sl0 adapter is
"<UP,POINTTOPOINT>", the flags are "811" or
"<UP,POINTTOPOINT,RUNNING>" ("851")...
Sockd reads normally a sockd.cfg and sockd.rte files in the
ETC directory. These files are the socks configuration. In
auto-dial mode, sockd tries to build an "automatic" config.
It should be OK for the first tests. If you want to look at
this default config, you have just to read the sockd.log
file (in the sockd directory) after stopping sockd.
By sample I used this sockdial.cmd whith a correct
userid/password and account to start the connection.
/************************************************/
/* */
/* sockdial.cmd : to start the slip connection */
/* */
/************************************************/
'start dialer account userid password -d'
And this sockclos.cmd to stop the connection after the "de-
lay" without session is expired.
/***********************************************/
/* */
/* sockclos.cmd : to stop the slip connection */
/* */
/***********************************************/
'dialer -c'
These two cmd MUST be put in a subdirectory in the PATH
statement (I used \TCPIP\BIN).
Evidendly you have to enable the "auto-dial" function
through the "dial-up" option of the "config" menu (and setup
your command names and the "delay" time). Then you have to
stop/start sockd.
An other method consists in starting directly sockd with a
parameter:
start sockd -dsl0
where: sl0 is the auto-dial adapter
In this case you have to keep the default for other parame-
ters: "sockdial.cmd", "sockclos.cmd" and 5 minutes of de-
lay.
The delay time should be shorter than the "delay" set in the
"dialer" configuration to keep the control of the connection
in "sockd".
SOCKD.CFG
_________
The configuration files are saved in the ETC directory.
deny 0.0.0.0 0.0.0.0 9.0.0.0 255.0.0.0 gt 0
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 ge 1024
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 21
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 20
permit *=PhilG,Test 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 23
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 70
permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 80
A list of userids can be used in addition of IP addresses
on the "permit" statement. They are case sensitive. The
value sent from the OS/2 Warp station comes from the USER
variable set in the "config.sys" in SOCKS V4.
On the time being no checking of "password" is performed
(through identd).
In SOCKS V5, the userid used in userid/password
authentication is checked with the userid list in the permit
statement if *= field is set.
Good practice specifies a first statement to denies all ex-
ternal accesses to your "private" network (all ports) with:
"deny 0.0.0.0 0.0.0.0 nnn.nnn.nnn.nnn mmm.mmm.mmm.mmm gt 0"
where nnn is your network number and mmm the mask.
then you can permit all stations from your network to ac-
cess all TCP applications through the socks gateway with:
"permit nnn.nnn.nnn.nnn mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 gt
0"
"proxy" statements can be added if you require to intercon-
nect sockd servers. The syntax is like :
"proxy IP_addr port_nb subnet_nb subnet_mask
[site_certificate] "
Where :
IP_addr is the IP address of next proxy server
port_nb is the port number (1080 by default) of this proxy server
subnet_nb is the destination subnet we can access through this proxy
subnet_mask the destination subnet mask
site_certificate the file to use for authentication and encryption
(not yet supported)
SOCKD.PRO
_________
SOCKD uses also a profile file (sockd.pro) in the ETC di-
rectory to save the number of sessions set, server port nb,
the window position, the level of logging used ("Full", "all
Sessions", "only errors and sessions refused (Minimum)" or
"No logging") and the font used on main window.
In the second line of this file, we have the "auto dial"
parameters:
is this facility enabled (Y or N), the dial command, the
hangup command,
and the "short hold mode" delay.
In addition a "TCP" time-out and a "UDP" time-out (in sec-
onds) are
also set. These permit to "tune" the delay sockd is waiting
for the next
transaction before considering the session is lost.
If these parameters are too short sockd is cutting the ses-
sion during a
normal "wait" time. If they are too long, some "client"
threads can be
blocked and are not available for "new" sessions.
The defaults are respectively 20 minutes for TCP and 50
seconds for UDP
applications. TCP is really using a "session". In UDP there
is no real
session. The communication is never really closed. The UDP
time-out is used
to standardly close this communication. SockD was tested
with Real-Audio
UDP application and archie as UDP associate applications.
The default of
50 seconds was enough to use both applications with a
dial-up connection.
The default of 20 minutes for TCP applications was set big-
ger than the
standard FTP time-out (15 minutes). It is NOT enough for
"permanent"
telnet sessions.
A third line contains info on log archiving : yes or no, de-
lay in hours or days, delay value, maximum number of files
to archive. The fifth parm in this line permits to support
only socks V5 userid/password authentication if a userid is
set on a permit statement. In Socks V4 there is no password
checking. Normally sockd is giving the same process to V4
as V5. Enabling this option obliges to use a password in ad-
dition to the userid.
This file is created automatically by sockd.exe
SOCKD.RTE
_________
Another configuration file (sockd.rte) is required for
SOCKS_BIND in the ETC directory describing the gateway
adapters and IP addresses. Most of the applications (Web
Explorer, Rtelnet, ...) use only SOCKS_CONNECT. That's the
reason why I put "sockd.rte" as optional.... But if you
want to use Rftp you need the SOCKS_BIND support and then
sockd.rte.
It is a list of the local adapter addresses and the neworks
you can reach through these... These definitions are used in
sequence for testing an address. Thus it seems better to
put the more restrictive definitions first (describing pri-
vate network access) and the "public network" adapter
finally (giving access to world).
By sample :
9.36.69.41 9.36.69.32 255.255.255.224
9.132.89.238 0.0.0.0 0.0.0.0
If you plan to use the auto-dial facility avoid to set rout-
ing for the dial-up adapter. If no route file is found,
sockd builds one with your LAN adapters giving access to
their local subnets and put a last dynamic entry for the
switched adapter giving access to world (0.0.0.0).
You can want to have other subnets accessible through fixed
(LAN) adapters. For that you must define a sockd.rte with a
line per subnet and setting in first parameter the local IP
address giving access to it. Sockd 'll add dynamically a
last entry for the switched adapter giving access to 0.0.0.0
By sample :
9.36.71.9 9.36.71.0 255.255.255.0
9.132.89.238 9.0.0.0 255.0.0.0
9.132.89.238 198.74.69.0 255.255.255.0
SOCKD.USR
_________
This file is in the ETC directory for Socks version 5
userid/password authentication. On the time being, no en-
cryption technic is used on this confidential dataset. A
userid as a password can theoretically use 256 characters. I
think in our test implementation it is limited to 255 (due
to the end of string character).
By sample :
userid01 password01
userid02 password02
UTILISATION:
____________
Start sockd without any parameter or with some of these
options:
⌐ "-c" option: The number of concurrent clients is 32 by
default. It can be changed at startup with the -c pa-
rameter or by modifying the sockd.pro profile file with
the menu option. By sample :"sockd -c64" to support 64
simultaneous clients. Note there is NO space between -c
and the value. This number should be between 8 and 255.
Each client uses one thread (in addition to the base
sockd thread).
⌐ "-l" option: to suppress logging (sockd.log file in the
current directory)
⌐ "-i" option: to start iconized .
⌐ "-d" option: to setup an auto-dial adapter, by sample
"-dsl0".
⌐ "-p" option: by default sockd uses the port 1080. You
can change it starting "sockd -p2080" by sample.
If you want to use more than one option, specify different
parameters: "start sockd -c48 -p2080 -i".
The frame forwarding MUST be disabled (with the "ipgate
off" command or through MPTS customization) to protect the
access to your "internal" network.
The "socks" support is required to run (and use) applica-
tions through gateway. (see SOCKS FORUM) or a Web Browser
with "socks" support (like Web Explorer for
OS/2).
SOCKD MENU
__________
⌐ "Config": create, modify or simply check your configura-
tion
₧ "edit": to create or modify "line by line" the
sockd.cfg in ETC directory
₧ "proxy": to define proxy servers and the subnets
they are giving access.
₧ "view": to review the configuration in memory and
eventualy change it
with the standard MLE (Multiple Line Entry
field) keyboard manipulation.
(select text with mouse button 1 or Shift key
and move the cursor,
then cut, copy and paste text with
Ctrl+Delete, Shift+Delete and Shift+Insert)
₧ "profile": to change the maximum number of concur-
rent sessions,
the server port number or the logging level.
₧ "route": to configure the sockd.rte file in ETC di-
rectory.
₧ "save conf": to save the sockd.cfg from memory to
ETC directory
₧ "userid": for Socks V5 Userid/Password
authentication method
₧ "dial-up": to customize auto-dial facility
₧ "font": to select the font used in the main window.
⌐ "reset": If you want to activate a change, a new profile
or config
₧ "server": to stop/restart the server
₧ "log file": to clean the log file when reports are
too long.
⌐ "Report":
₧ "accepted": to check all sessions through this
server
₧ "denied": to check all demands rejected by the
server.
₧ "connect": to read the dial-up connection time in
auto-dial mode.
⌐ "Help": to read this help file.
⌐ "Exit": to save the "profile" file and exit.
DNS SUPPORT
___________
HOW TO SETUP A NAME SERVER
__________________________
To solve the V4 "name" problem, I put the DNS kit (at CSD
UN60004 level) on the PS/VP. This name server should be cus-
tomized with caching to the external name server(s) and to
internal domain name server. On the "client" station the
resolv2 file points to the socks gateway address as the name
server (the DNS running on the sockd station can be the only
name server on this small subnet).
Here after the configuration files used during our tests,
where:
⌐ Where test.benelux.ibm.com (9.36.71.0) is the 'private'
domain
⌐ ztmaixn1.benelux.ibm.com (9.132.56.2) is the external
name server for the
ibm.com domain and ns01.ny.us.ibm.net (165.87.194.244)
is the external
DNS server.
⌐ The socks gateway is using 9.132.89.238 on the
"ibm.com" adapter and
9.36.71.9 on the "secure" side (philg.benelux.ibm.com).
⌐ Tests were performed from testuser.test.benelux.ibm.com
(9.36.71.10).
⌐ All "external" sessions were performed through the sl0
adapter and a connection to IBM Global Network as "Ser-
vice" provider.
In fact, on a small LAN with just a few PCs connected a
"hosts" file must be enough to succeed with DNS conversion
in Socks V5.
hosts file in ETC directory
9.132.89.238 bedb238.benelux.ibm.com
9.36.71.9 bedb238.philg.benelux.ibm.com
9.36.71.10 testuser.philg.benelux.ibm.com
165.87.194.244 ns01.ny.us.ibm.net
128.123.35.151 hobbes.nmsu.edu
206.101.97.101 www.lycos.com
205.216.146.70 www.yahoo.com
In Socks V4, you can perform the first sockd tests just with
a similar hosts file. But quickly, you should be blocked and
due to the protocol you need to start a "named" server on
your sockd gateway. You need then a "resolv2" file on your
LAN attached PC pointing to your named server.
In any case keep also an "hosts" file on your sockd PC, be-
cause the code uses a "gethostbyaddr()" macro to get the
"hostname" of the workstation. Sometimes the named server
doesn't answer and you have to start sockd before named. You
need then the "hosts" file to get a name.
DNS KIT OF TCP/IP V2
____________________
named.bt
________
;
; NAMED.BT file for name server configuration.
;
; type domain source file or host
;
domain philg.benelux.ibm.com
cache . d&colon.\\tcpip\\etc\\namedb\\named.ca
primary philg.benelux.ibm.com d&colon.\\tcpip\\etc\\namedb\\named.dom
primary 71.36.9.in-addr.arpa d&colon.\\tcpip\\etc\\namedb\\named.rev
;
;
domain benelux.ibm.com
primary ztmaixn1.benelux.ibm.com 9.132.56.2
primary 9.in-addr.arpa 9.132.56.2
;
domain ibm.net
primary ns01.ny.us.ibm.net 165.87.194.244
primary .in-addr.arpa 165.87.194.244
;
named.ca
________
;
; define parent(root) domain nameserver (Note trailing dot)
;
philg.benelux.ibm.com. 99999999 IN NS bedb238.benelux.ibm.com.
71.36.9.in-addr.arpa. 99999999 IN NS bedb238.benelux.ibm.com.
benelux.ibm.com. 99999999 IN NS ztmaixn1.benelux.ibm.com.
ibm.com. 99999999 IN NS ztmaixn1.benelux.ibm.com.
9. 99999999 IN NS ztmaixn1.benelux.ibm.com.
9.in-addr.arpa. 99999999 IN NS ztmaixn1.benelux.ibm.com.
in-addr.arpa. 99999999 IN NS ns01.ny.us.net.com.
;
; address of domain nameservers
;
bedb238.philg.benelux.ibm.com. 99999999 IN A 9.36.71.9
bedb238.benelux.ibm.com. 99999999 IN A 9.132.89.238
ztmaixn1.benelux.ibm.com. 99999999 IN A 9.132.56.2
beda002.benelux.ibm.com. 99999999 IN A 9.132.88.2
ns01.ny.us.net.com. 99999999 IN A 165.87.194.244
;
Where ns01.ny.us.net.com is the name server of the Internet
provider...
named.dom
_________
;
;********************************
;* Start of Authority Records *
;********************************
;
@ IN SOA bedb238.philg.benelux.ibm.com. bedb238.philg.benelux.ibm.com. (
93052601 ; Serial number for this data (yymmdd##)
86400 ; Refresh value for secondary name servers
300 ; Retry value for secondary name servers
864000 ; Expire value for secondary name servers
3600 ) ; Minimum TTL value
;
@ IN NS bedb238.philg.benelux.ibm.com.
ibm.com. IN NS bedb238.philg.benelux.ibm.com.
ibm.com. IN NS ztmaixn1.benelux.ibm.com.
com. IN NS bedb238.philg.benelux.ibm.com.
com. IN NS ns01.ny.us.ibm.net
edu. IN NS ns01.ny.us.ibm.net
be. IN NS ns01.ny.us.ibm.net
;
;********************************
;* Domain Address Information *
;********************************
;
bedb238 86400 IN A 9.36.71.9
IN HINFO IBM-PS/2 OS/2 3.0
;
testuser 86400 IN A 9.36.71.10
IN HINFO IBM-PS/2 OS/2 3.0
;
bedb238.benelux.ibm.com. 86400 IN A 9.132.89.238
bedb237.benelux.ibm.com. 86400 IN A 9.132.89.237
ns01.ny.us.ibm.net 86400 IN A 165.87.194.244
ztmaixn1.benelux.ibm.com 86400 IN A 9.132.56.2
w3.almaden.ibm.com. 86400 IN A 129.33.24.62
w3.pe.au.ibm.com. 86400 IN A 9.8.32.2
w3.austin.ibm.com. 86400 IN A 9.3.246.8
w3.bocaraton.ibm.com. 86400 IN A 9.83.4.179
w3.portsmouth.uk.ibm.com. 86400 IN A 9.180.145.185
w3.hursley.ibm.com. 86400 IN A 9.20.2.34
w3.issc.ibm.com. 86400 IN A 9.242.89.217
isscw3.raleigh.ibm.com. 86400 IN A 9.67.1.114
w3nhd.raleigh.ibm.com. 86400 IN A 9.67.195.102
netstd.raleigh.ibm.com. 86400 IN A 9.67.1.114
w3.raleigh.ibm.com. 86400 IN A 9.67.4.22
www.tcp.raleigh.ibm.com. 86400 IN A 9.67.106.6
www.lycos.com. 86400 IN A 206.101.97.101
www.yahoo.com. 86400 IN A 205.216.146.70
The translation of www.lycos.com, www.yahoo.com, ... Are
there to have a method to start a dial-up connection without
the external DNS server. These name translations are re-
quired for Socks V4 auto-dial process...
You must setup there the addresses of the WWW servers set in
the quicklist of the end-users connected on the local LAN
while Web explorer is not supporting V5.
named.rev
_________
;
;********************************
;* Start of Authority Records *
;********************************
;
71.36.9.in-addr.arpa. IN SOA bedb238.philg.benelux.ibm.com. (
93052601 ; Serial number for this data (yymmdd##)
86400 ; Refresh value for secondary name servers
300 ; Retry value for secondary name servers
864000 ; Expire value for secondary name servers
3600 ) ; Minimum TTL value
71.36.9.in-addr.arpa. IN NS bedb238.philg.benelux.ibm.com.
;
9 IN PTR bedb238.philg.benelux.ibm.com.
10 IN PTR testuser.philg.benelux.ibm.com.
237.89.132.9.in-addr.arpa. IN PTR bedb237.benelux.ibm.com.
238.89.132.9.in-addr.arpa. IN PTR bedb238.benelux.ibm.com.
101.97.101.206.in-addr.arpa. IN PTR www.lycos.com.
70.146.216.205.in-addr.arpa. IN PTR www.yahoo.com.
The translation of bedb238.benelux.ibm.com is required to
start sockd when the name server is running, because
9.132.89.238 is the IP address of the "lan0" adapter.
SockD uses a "gethostbyaddr()" macro to get the host-name of
the system where it is running. If the name server can not
give it, sockd is blocked during start-up...
DDNS KIT OF WARP SERVER
_______________________
In the \MPTN\ETC\NAMEDB directory we used the following
config files.
named.bt
________
DNS support 18
;
; NAMED.BT file for name server configuration.
;
; type domain source file or host
;
domain philg.benelux.ibm.com
primary philg.benelux.ibm.com c&colon.\\mptn\\etc\\namedb\\named.dom presecured nokeytosec
primary 71.36.9.in-addr.arpa c&colon.\\mptn\\etc\\namedb\\named.rev presecured nokeytosec
;
;
cache . c&colon.\\mptn\\etc\\namedb\\named.ca presecured nokeytosec
;
named.dom
_________
;
;********************************
;* Start of Authority Records *
;********************************
;
@ IN SOA bedb238.philg.benelux.ibm.com. (
96090101 ; Serial number for this data (yymmdd##)
86400 ; Refresh value for secondary name servers
300 ; Retry value for secondary name servers
864000 ; Expire value for secondary name servers
3600 ) ; Minimum TTL value
;
@ IN NS bedb238.philg.benelux.ibm.com.
;
;********************************
;* Domain Address Information *
;********************************
;
bedb238 86400 IN A 9.36.71.9
IN HINFO IBM-PS/2 OS/2 3.0
;
testuser 86400 IN A 9.36.71.10
IN HINFO IBM-PS/2 OS/2 3.0
;
ns01.ny.us.ibm.net 86400 IN A 165.87.194.244
www.lycos.com. 86400 IN A 206.101.97.101
www.yahoo.com. 86400 IN A 205.216.146.70
named.rev
_________
;
;********************************
;* Start of Authority Records *
;********************************
;
71.36.9.in-addr.arpa. IN SOA bedb238.philg.benelux.ibm.com. (
93052601 ; Serial number for this data (yymmdd##)
86400 ; Refresh value for secondary name servers
300 ; Retry value for secondary name servers
864000 ; Expire value for secondary name servers
3600 ) ; Minimum TTL value
71.36.9.in-addr.arpa. IN NS bedb238.philg.benelux.ibm.com.
;
9.71.36.9.in-addr.arpa. IN PTR bedb238.philg.benelux.ibm.com.
10.71.36.9.in-addr.arpa. IN PTR testuser.philg.benelux.ibm.com.
101.97.101.206.in-addr.arpa. IN PTR www.lycos.com.
70.146.216.205.in-addr.arpa. IN PTR www.yahoo.com.
named.ca
________
;
; define parent(root) domain nameserver (Note trailing dot)
;
in-addr.arpa. 99999999 IN NS ns01.ny.us.net.com.
;
; address of domain nameservers
;
ns01.ny.us.net.com. 99999999 IN A 165.87.194.244
;
RESOLV2 ON SOCKD SERVER
_______________________
domain philg.benelux.ibm.com
nameserver 9.36.71.9
RESOLV ON SOCKD SERVER
______________________
domain philg.benelux.ibm.com
nameserver 9.36.71.9
RESOLV2 ON END-USER WORKSTATION
_______________________________
domain philg.benelux.ibm.com
nameserver 9.36.71.9
TEST CONFIGURATION
__________________
----
---- ---
---- ----
---- Internet --
---- -
------ IBM IGN --
---*-------
*
*
******* testuser
* * Modem ----------
* * Dial-up *Thinkpad*
* ----*-----
* * * *
* * ------*------ Ethernet *9.36.71.10
* T-R *** PS/VP *---------------------*---
* * * bebd238 *9.36.71.9
* * -------------
9.132.89.238
ibm.com philg.benelux.ibm.com
9.0.0.0 9.36.71.0
With a correct setup, it is possible to use Internal servers
(ibm.com) without dialing from "testuser". If an external
server is used (by sample www.yahoo.com) the auto-dial is
automaticcally used.
The choice is done through "sockd.rte" configuration. By de-
fault sockd gives only access to the "local" subnet on the
LAN adapter (9.132.88.0).
PROXY SUPPORT
______________
A "proxy" socks server is implemented. To use it you need
to know the IP address of the next sockd for OS/2 server and
the subnets you can access through this remote sockd.
From a LAN connected to Internet in "auto-dial" mode it is
possible to access servers located on an other LAN attached
to Internet through a sockd using a fixed IP address (mainly
with a leased line).
You must "permit" the access on both sockd servers. Only
the dial-up sockd has to define the "leased line attached"
sockd with a "proxy" statement.
ARCHIVING SOCKD LOG FILES AND REPORTING
_______________________________________
Sockd can now archive its log files. The setup is done
through the "profile" option of the main window menu. Four
parameters are saved in the third line of the sockd.pro file
in the ETC directory. The first parameter indicates if Yes
or No the option is selected. The second parameter is "H"
for hours or "D" for days. The third gives the delay used to
close the sockd.log file and rename it to "sockdlog.XXX"
where XXX is a three digits number. The fourth indicates the
maximum number of archived files (+ the current sockd.log).
The default is to keep seven files and to archive every 24
hours. With this setup you can build a weekly report using
the sample REXX reporting program "sockdrep.cmd" (just type
"sockdrep" without parm in the directory sockd is run-
ning)...
IF PROBLEMS
___________
⌐ The DNS kit nameD server can block if the system is
fully "socksified". Don't hesitate to rename the
"socks.cfg" file in the ETC directory when you are run-
ning sockD.
⌐ If your configuration is limited to one LAN adapter and
one dial adapter, it is better to test sockd without
configuring it... Use the view menu option to see the
config. After tests, check sockd.log ...
⌐ If you have really a problem to setup a name server on
the gateway station, define a "hosts" file. For that,
when you are testing your "sockdial.cmd" after the con-
nection and authentication are successfully completed,
use :
host www.yahoo.com
in an OS/2 Window. You are able to get the IP addresses
of your favorite servers. If you install a "completed"
hosts file in the ETC directory of the end-user PC you
can test sockd with WebEx (socks V4) without setting a
name server. With a name server and its caching mech-
anism, you have access to any server, with the hosts
file access is limited...
⌐ To support socks V5 DNS, the dial-up connection is
started automatically if the name can NOT be locally
traduced... A better solution is perhaps to define a
list of the "internal" domain names, and to start the
connection only if the request is for another domain
name. On the time being, sockd start the dial-up con-
nection for V5, before checking if the connection is
"permitted" except if the DNS name can be locally
traduced. With the current implementation: - in socks
V4 the first session (to start the dial-up connection)
MUST be
to a "locally" defined DNS name (then sockd check if
the client has access
to this address before starting the connection). - in
V5 DNS support, the first session can be to any DNS
name, but if this
name can NOT be locally translatted, there a delay
(nearly 1 min. in my tests)
then the dial-up connection is started and the DNS
name translation request
is sent to the "external" name server.
The "permission" can be checked only after sockd re-
ceived the destination
IP address.
⌐ In this version , only the flags "811"
(<UP,POINTTOPOINT>) or "851" (<..,RUNNING>) are consid-
ered as "good" status (connection established) on the
dial-up adapter. If the "auto-dial" facility doesn't
work for you, please check these flags with:
"ifconfig ppp0" (by sample)
Send a note to me and I'll add the required support...
⌐ With current V4 applications like WebEx, the first ses-
sion must be done to a DNS name converted locally (named
or hosts file). After the dial-up connection is estab-
lished, names can be translatted by the Internet pro-
vider name server, and cached in the local nameD.
⌐ Using WebEx through sockd, some ".gif" files are not
correctly received I am investigating why and how to im-
prove it.
Any suggestion or question to Philippe Gillain (GILLAIN at
BRUVMIS1 or Philippe_Gillain@be.ibm.com)...