Cream of the Crop 26

home *** CD-ROM | disk | FTP | other *** search

/ Cream of the Crop 26 / Cream of the Crop 26.iso / os2 / sockd.zip / install.doc < prev next >

Wrap

Text File | 1997-05-18 | 33KB | 865 lines

Installation instructions and documentation (from sockd help) _____________________________________________________________ The multi-threaded socks server for OS/2 enables to build a firewall gateway on an OS/2 (Warp) system. The objective is just to interconnect small TCP/IP PC Lan with the public network (through a "Service Provider"). Like in all "standard" sockd server, the protection is build in a configuration file (sockd.cfg in the ETC direc- tory). Access is controlled with two statements "deny" or "per- mit". Origin address and subnet mask and destination ad- dress and mask can be checked for a destination port number... For applications using socks version 4 protocol the support is only for TCP application due to the protocol stack. The current version has support for three LAN adapters (LAN0, LAN1 and LAN2), and two SLIP or PPP adapters (sl0, sl1, ppp0 and ppp1). One of the "serial" adapters can be configured in "auto-dial" to give access to the Internet through a "network" provider. The current version supports SOCKS Version 4 and 5. In SOCKS version 5, only NO AUTHENTICATION REQUIRED and USERNAME/PASSWORD authentication methods are supported. The GSSAPI support is NOT implemented. In V5 only support for IP V4 addresses is provided not V6. DNS names are evidendly supported. To be used, a correct support of the TCP/IP names must be implemented in the way the "client" stations can convert external names in IP addresses. This restriction can be modified with SOCKS Version 5 where DNS names have to be resolved only on the SOCKD station. To provide the correct "names" support in Socks V4, we use the DNS kit of TCP/IP V2.0 on the same workstation as "sockD". In this way this "nameD" server can provide caching mechanism to the external (and internal) name serv- ers. We used also the DDNS kit of Warp Server in a similar con- figuration. In Socks V5, only a resolv file pointing to a "public" name server and an "hosts" file to traduce "internal" names are required. The usage of a real "caching" name server is NOT mandatory. The customization of the "SockD" server is eas- ier. The support of UDP associated of V5 is a little bit modified to add support for a "remote" ping command when the destina- tion port is "1". In this case sockd opens a "raw" socket with protocol "icmp" to ping the external host and communi- cates with the standard UDP Associated protocol to the "cli- ent" host. AUTO-DIAL FACILITY. ___________________ You need to customize first the access to your network pro- vider. SockD was only tested with IBM Global Network. When the ac- cess is working with the "dialer.exe", you have to customize two "cmd" files one to get the access and the second one to close it. This facility is only supported on one adapter sl0, sl1, ppp0 or ppp1. It was only tested on sl0. To check if the connection is OK, sockd uses the "flags" of the adapter status. When the sl0 adapter is "<UP,POINTTOPOINT>", the flags are "811" or "<UP,POINTTOPOINT,RUNNING>" ("851")... Sockd reads normally a sockd.cfg and sockd.rte files in the ETC directory. These files are the socks configuration. In auto-dial mode, sockd tries to build an "automatic" config. It should be OK for the first tests. If you want to look at this default config, you have just to read the sockd.log file (in the sockd directory) after stopping sockd. By sample I used this sockdial.cmd whith a correct userid/password and account to start the connection. /************************************************/ /* */ /* sockdial.cmd : to start the slip connection */ /* */ /************************************************/ 'start dialer account userid password -d' And this sockclos.cmd to stop the connection after the "de- lay" without session is expired. /***********************************************/ /* */ /* sockclos.cmd : to stop the slip connection */ /* */ /***********************************************/ 'dialer -c' These two cmd MUST be put in a subdirectory in the PATH statement (I used \TCPIP\BIN). Evidendly you have to enable the "auto-dial" function through the "dial-up" option of the "config" menu (and setup your command names and the "delay" time). Then you have to stop/start sockd. An other method consists in starting directly sockd with a parameter: start sockd -dsl0 where: sl0 is the auto-dial adapter In this case you have to keep the default for other parame- ters: "sockdial.cmd", "sockclos.cmd" and 5 minutes of de- lay. The delay time should be shorter than the "delay" set in the "dialer" configuration to keep the control of the connection in "sockd". SOCKD.CFG _________ The configuration files are saved in the ETC directory. deny 0.0.0.0 0.0.0.0 9.0.0.0 255.0.0.0 gt 0 permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 ge 1024 permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 21 permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 20 permit *=PhilG,Test 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 23 permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 70 permit 9.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 eq 80 A list of userids can be used in addition of IP addresses on the "permit" statement. They are case sensitive. The value sent from the OS/2 Warp station comes from the USER variable set in the "config.sys" in SOCKS V4. On the time being no checking of "password" is performed (through identd). In SOCKS V5, the userid used in userid/password authentication is checked with the userid list in the permit statement if *= field is set. Good practice specifies a first statement to denies all ex- ternal accesses to your "private" network (all ports) with: "deny 0.0.0.0 0.0.0.0 nnn.nnn.nnn.nnn mmm.mmm.mmm.mmm gt 0" where nnn is your network number and mmm the mask. then you can permit all stations from your network to ac- cess all TCP applications through the socks gateway with: "permit nnn.nnn.nnn.nnn mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 gt 0" "proxy" statements can be added if you require to intercon- nect sockd servers. The syntax is like : "proxy IP_addr port_nb subnet_nb subnet_mask [site_certificate] " Where : IP_addr is the IP address of next proxy server port_nb is the port number (1080 by default) of this proxy server subnet_nb is the destination subnet we can access through this proxy subnet_mask the destination subnet mask site_certificate the file to use for authentication and encryption (not yet supported) SOCKD.PRO _________ SOCKD uses also a profile file (sockd.pro) in the ETC di- rectory to save the number of sessions set, server port nb, the window position, the level of logging used ("Full", "all Sessions", "only errors and sessions refused (Minimum)" or "No logging") and the font used on main window. In the second line of this file, we have the "auto dial" parameters: is this facility enabled (Y or N), the dial command, the hangup command, and the "short hold mode" delay. In addition a "TCP" time-out and a "UDP" time-out (in sec- onds) are also set. These permit to "tune" the delay sockd is waiting for the next transaction before considering the session is lost. If these parameters are too short sockd is cutting the ses- sion during a normal "wait" time. If they are too long, some "client" threads can be blocked and are not available for "new" sessions. The defaults are respectively 20 minutes for TCP and 50 seconds for UDP applications. TCP is really using a "session". In UDP there is no real session. The communication is never really closed. The UDP time-out is used to standardly close this communication. SockD was tested with Real-Audio UDP application and archie as UDP associate applications. The default of 50 seconds was enough to use both applications with a dial-up connection. The default of 20 minutes for TCP applications was set big- ger than the standard FTP time-out (15 minutes). It is NOT enough for "permanent" telnet sessions. A third line contains info on log archiving : yes or no, de- lay in hours or days, delay value, maximum number of files to archive. The fifth parm in this line permits to support only socks V5 userid/password authentication if a userid is set on a permit statement. In Socks V4 there is no password checking. Normally sockd is giving the same process to V4 as V5. Enabling this option obliges to use a password in ad- dition to the userid. This file is created automatically by sockd.exe SOCKD.RTE _________ Another configuration file (sockd.rte) is required for SOCKS_BIND in the ETC directory describing the gateway adapters and IP addresses. Most of the applications (Web Explorer, Rtelnet, ...) use only SOCKS_CONNECT. That's the reason why I put "sockd.rte" as optional.... But if you want to use Rftp you need the SOCKS_BIND support and then sockd.rte. It is a list of the local adapter addresses and the neworks you can reach through these... These definitions are used in sequence for testing an address. Thus it seems better to put the more restrictive definitions first (describing pri- vate network access) and the "public network" adapter finally (giving access to world). By sample : 9.36.69.41 9.36.69.32 255.255.255.224 9.132.89.238 0.0.0.0 0.0.0.0 If you plan to use the auto-dial facility avoid to set rout- ing for the dial-up adapter. If no route file is found, sockd builds one with your LAN adapters giving access to their local subnets and put a last dynamic entry for the switched adapter giving access to world (0.0.0.0). You can want to have other subnets accessible through fixed (LAN) adapters. For that you must define a sockd.rte with a line per subnet and setting in first parameter the local IP address giving access to it. Sockd 'll add dynamically a last entry for the switched adapter giving access to 0.0.0.0 By sample : 9.36.71.9 9.36.71.0 255.255.255.0 9.132.89.238 9.0.0.0 255.0.0.0 9.132.89.238 198.74.69.0 255.255.255.0 SOCKD.USR _________ This file is in the ETC directory for Socks version 5 userid/password authentication. On the time being, no en- cryption technic is used on this confidential dataset. A userid as a password can theoretically use 256 characters. I think in our test implementation it is limited to 255 (due to the end of string character). By sample : userid01 password01 userid02 password02 UTILISATION: ____________ Start sockd without any parameter or with some of these options: ⌐ "-c" option: The number of concurrent clients is 32 by default. It can be changed at startup with the -c pa- rameter or by modifying the sockd.pro profile file with the menu option. By sample :"sockd -c64" to support 64 simultaneous clients. Note there is NO space between -c and the value. This number should be between 8 and 255. Each client uses one thread (in addition to the base sockd thread). ⌐ "-l" option: to suppress logging (sockd.log file in the current directory) ⌐ "-i" option: to start iconized . ⌐ "-d" option: to setup an auto-dial adapter, by sample "-dsl0". ⌐ "-p" option: by default sockd uses the port 1080. You can change it starting "sockd -p2080" by sample. If you want to use more than one option, specify different parameters: "start sockd -c48 -p2080 -i". The frame forwarding MUST be disabled (with the "ipgate off" command or through MPTS customization) to protect the access to your "internal" network. The "socks" support is required to run (and use) applica- tions through gateway. (see SOCKS FORUM) or a Web Browser with "socks" support (like Web Explorer for OS/2). SOCKD MENU __________ ⌐ "Config": create, modify or simply check your configura- tion ₧ "edit": to create or modify "line by line" the sockd.cfg in ETC directory ₧ "proxy": to define proxy servers and the subnets they are giving access. ₧ "view": to review the configuration in memory and eventualy change it with the standard MLE (Multiple Line Entry field) keyboard manipulation. (select text with mouse button 1 or Shift key and move the cursor, then cut, copy and paste text with Ctrl+Delete, Shift+Delete and Shift+Insert) ₧ "profile": to change the maximum number of concur- rent sessions, the server port number or the logging level. ₧ "route": to configure the sockd.rte file in ETC di- rectory. ₧ "save conf": to save the sockd.cfg from memory to ETC directory ₧ "userid": for Socks V5 Userid/Password authentication method ₧ "dial-up": to customize auto-dial facility ₧ "font": to select the font used in the main window. ⌐ "reset": If you want to activate a change, a new profile or config ₧ "server": to stop/restart the server ₧ "log file": to clean the log file when reports are too long. ⌐ "Report": ₧ "accepted": to check all sessions through this server ₧ "denied": to check all demands rejected by the server. ₧ "connect": to read the dial-up connection time in auto-dial mode. ⌐ "Help": to read this help file. ⌐ "Exit": to save the "profile" file and exit. DNS SUPPORT ___________ HOW TO SETUP A NAME SERVER __________________________ To solve the V4 "name" problem, I put the DNS kit (at CSD UN60004 level) on the PS/VP. This name server should be cus- tomized with caching to the external name server(s) and to internal domain name server. On the "client" station the resolv2 file points to the socks gateway address as the name server (the DNS running on the sockd station can be the only name server on this small subnet). Here after the configuration files used during our tests, where: ⌐ Where test.benelux.ibm.com (9.36.71.0) is the 'private' domain ⌐ ztmaixn1.benelux.ibm.com (9.132.56.2) is the external name server for the ibm.com domain and ns01.ny.us.ibm.net (165.87.194.244) is the external DNS server. ⌐ The socks gateway is using 9.132.89.238 on the "ibm.com" adapter and 9.36.71.9 on the "secure" side (philg.benelux.ibm.com). ⌐ Tests were performed from testuser.test.benelux.ibm.com (9.36.71.10). ⌐ All "external" sessions were performed through the sl0 adapter and a connection to IBM Global Network as "Ser- vice" provider. In fact, on a small LAN with just a few PCs connected a "hosts" file must be enough to succeed with DNS conversion in Socks V5. hosts file in ETC directory 9.132.89.238 bedb238.benelux.ibm.com 9.36.71.9 bedb238.philg.benelux.ibm.com 9.36.71.10 testuser.philg.benelux.ibm.com 165.87.194.244 ns01.ny.us.ibm.net 128.123.35.151 hobbes.nmsu.edu 206.101.97.101 www.lycos.com 205.216.146.70 www.yahoo.com In Socks V4, you can perform the first sockd tests just with a similar hosts file. But quickly, you should be blocked and due to the protocol you need to start a "named" server on your sockd gateway. You need then a "resolv2" file on your LAN attached PC pointing to your named server. In any case keep also an "hosts" file on your sockd PC, be- cause the code uses a "gethostbyaddr()" macro to get the "hostname" of the workstation. Sometimes the named server doesn't answer and you have to start sockd before named. You need then the "hosts" file to get a name. DNS KIT OF TCP/IP V2 ____________________ named.bt ________ ; ; NAMED.BT file for name server configuration. ; ; type domain source file or host ; domain philg.benelux.ibm.com cache . d&colon.\\tcpip\\etc\\namedb\\named.ca primary philg.benelux.ibm.com d&colon.\\tcpip\\etc\\namedb\\named.dom primary 71.36.9.in-addr.arpa d&colon.\\tcpip\\etc\\namedb\\named.rev ; ; domain benelux.ibm.com primary ztmaixn1.benelux.ibm.com 9.132.56.2 primary 9.in-addr.arpa 9.132.56.2 ; domain ibm.net primary ns01.ny.us.ibm.net 165.87.194.244 primary .in-addr.arpa 165.87.194.244 ; named.ca ________ ; ; define parent(root) domain nameserver (Note trailing dot) ; philg.benelux.ibm.com. 99999999 IN NS bedb238.benelux.ibm.com. 71.36.9.in-addr.arpa. 99999999 IN NS bedb238.benelux.ibm.com. benelux.ibm.com. 99999999 IN NS ztmaixn1.benelux.ibm.com. ibm.com. 99999999 IN NS ztmaixn1.benelux.ibm.com. 9. 99999999 IN NS ztmaixn1.benelux.ibm.com. 9.in-addr.arpa. 99999999 IN NS ztmaixn1.benelux.ibm.com. in-addr.arpa. 99999999 IN NS ns01.ny.us.net.com. ; ; address of domain nameservers ; bedb238.philg.benelux.ibm.com. 99999999 IN A 9.36.71.9 bedb238.benelux.ibm.com. 99999999 IN A 9.132.89.238 ztmaixn1.benelux.ibm.com. 99999999 IN A 9.132.56.2 beda002.benelux.ibm.com. 99999999 IN A 9.132.88.2 ns01.ny.us.net.com. 99999999 IN A 165.87.194.244 ; Where ns01.ny.us.net.com is the name server of the Internet provider... named.dom _________ ; ;******************************** ;* Start of Authority Records * ;******************************** ; @ IN SOA bedb238.philg.benelux.ibm.com. bedb238.philg.benelux.ibm.com. ( 93052601 ; Serial number for this data (yymmdd##) 86400 ; Refresh value for secondary name servers 300 ; Retry value for secondary name servers 864000 ; Expire value for secondary name servers 3600 ) ; Minimum TTL value ; @ IN NS bedb238.philg.benelux.ibm.com. ibm.com. IN NS bedb238.philg.benelux.ibm.com. ibm.com. IN NS ztmaixn1.benelux.ibm.com. com. IN NS bedb238.philg.benelux.ibm.com. com. IN NS ns01.ny.us.ibm.net edu. IN NS ns01.ny.us.ibm.net be. IN NS ns01.ny.us.ibm.net ; ;******************************** ;* Domain Address Information * ;******************************** ; bedb238 86400 IN A 9.36.71.9 IN HINFO IBM-PS/2 OS/2 3.0 ; testuser 86400 IN A 9.36.71.10 IN HINFO IBM-PS/2 OS/2 3.0 ; bedb238.benelux.ibm.com. 86400 IN A 9.132.89.238 bedb237.benelux.ibm.com. 86400 IN A 9.132.89.237 ns01.ny.us.ibm.net 86400 IN A 165.87.194.244 ztmaixn1.benelux.ibm.com 86400 IN A 9.132.56.2 w3.almaden.ibm.com. 86400 IN A 129.33.24.62 w3.pe.au.ibm.com. 86400 IN A 9.8.32.2 w3.austin.ibm.com. 86400 IN A 9.3.246.8 w3.bocaraton.ibm.com. 86400 IN A 9.83.4.179 w3.portsmouth.uk.ibm.com. 86400 IN A 9.180.145.185 w3.hursley.ibm.com. 86400 IN A 9.20.2.34 w3.issc.ibm.com. 86400 IN A 9.242.89.217 isscw3.raleigh.ibm.com. 86400 IN A 9.67.1.114 w3nhd.raleigh.ibm.com. 86400 IN A 9.67.195.102 netstd.raleigh.ibm.com. 86400 IN A 9.67.1.114 w3.raleigh.ibm.com. 86400 IN A 9.67.4.22 www.tcp.raleigh.ibm.com. 86400 IN A 9.67.106.6 www.lycos.com. 86400 IN A 206.101.97.101 www.yahoo.com. 86400 IN A 205.216.146.70 The translation of www.lycos.com, www.yahoo.com, ... Are there to have a method to start a dial-up connection without the external DNS server. These name translations are re- quired for Socks V4 auto-dial process... You must setup there the addresses of the WWW servers set in the quicklist of the end-users connected on the local LAN while Web explorer is not supporting V5. named.rev _________ ; ;******************************** ;* Start of Authority Records * ;******************************** ; 71.36.9.in-addr.arpa. IN SOA bedb238.philg.benelux.ibm.com. ( 93052601 ; Serial number for this data (yymmdd##) 86400 ; Refresh value for secondary name servers 300 ; Retry value for secondary name servers 864000 ; Expire value for secondary name servers 3600 ) ; Minimum TTL value 71.36.9.in-addr.arpa. IN NS bedb238.philg.benelux.ibm.com. ; 9 IN PTR bedb238.philg.benelux.ibm.com. 10 IN PTR testuser.philg.benelux.ibm.com. 237.89.132.9.in-addr.arpa. IN PTR bedb237.benelux.ibm.com. 238.89.132.9.in-addr.arpa. IN PTR bedb238.benelux.ibm.com. 101.97.101.206.in-addr.arpa. IN PTR www.lycos.com. 70.146.216.205.in-addr.arpa. IN PTR www.yahoo.com. The translation of bedb238.benelux.ibm.com is required to start sockd when the name server is running, because 9.132.89.238 is the IP address of the "lan0" adapter. SockD uses a "gethostbyaddr()" macro to get the host-name of the system where it is running. If the name server can not give it, sockd is blocked during start-up... DDNS KIT OF WARP SERVER _______________________ In the \MPTN\ETC\NAMEDB directory we used the following config files. named.bt ________ DNS support 18 ; ; NAMED.BT file for name server configuration. ; ; type domain source file or host ; domain philg.benelux.ibm.com primary philg.benelux.ibm.com c&colon.\\mptn\\etc\\namedb\\named.dom presecured nokeytosec primary 71.36.9.in-addr.arpa c&colon.\\mptn\\etc\\namedb\\named.rev presecured nokeytosec ; ; cache . c&colon.\\mptn\\etc\\namedb\\named.ca presecured nokeytosec ; named.dom _________ ; ;******************************** ;* Start of Authority Records * ;******************************** ; @ IN SOA bedb238.philg.benelux.ibm.com. ( 96090101 ; Serial number for this data (yymmdd##) 86400 ; Refresh value for secondary name servers 300 ; Retry value for secondary name servers 864000 ; Expire value for secondary name servers 3600 ) ; Minimum TTL value ; @ IN NS bedb238.philg.benelux.ibm.com. ; ;******************************** ;* Domain Address Information * ;******************************** ; bedb238 86400 IN A 9.36.71.9 IN HINFO IBM-PS/2 OS/2 3.0 ; testuser 86400 IN A 9.36.71.10 IN HINFO IBM-PS/2 OS/2 3.0 ; ns01.ny.us.ibm.net 86400 IN A 165.87.194.244 www.lycos.com. 86400 IN A 206.101.97.101 www.yahoo.com. 86400 IN A 205.216.146.70 named.rev _________ ; ;******************************** ;* Start of Authority Records * ;******************************** ; 71.36.9.in-addr.arpa. IN SOA bedb238.philg.benelux.ibm.com. ( 93052601 ; Serial number for this data (yymmdd##) 86400 ; Refresh value for secondary name servers 300 ; Retry value for secondary name servers 864000 ; Expire value for secondary name servers 3600 ) ; Minimum TTL value 71.36.9.in-addr.arpa. IN NS bedb238.philg.benelux.ibm.com. ; 9.71.36.9.in-addr.arpa. IN PTR bedb238.philg.benelux.ibm.com. 10.71.36.9.in-addr.arpa. IN PTR testuser.philg.benelux.ibm.com. 101.97.101.206.in-addr.arpa. IN PTR www.lycos.com. 70.146.216.205.in-addr.arpa. IN PTR www.yahoo.com. named.ca ________ ; ; define parent(root) domain nameserver (Note trailing dot) ; in-addr.arpa. 99999999 IN NS ns01.ny.us.net.com. ; ; address of domain nameservers ; ns01.ny.us.net.com. 99999999 IN A 165.87.194.244 ; RESOLV2 ON SOCKD SERVER _______________________ domain philg.benelux.ibm.com nameserver 9.36.71.9 RESOLV ON SOCKD SERVER ______________________ domain philg.benelux.ibm.com nameserver 9.36.71.9 RESOLV2 ON END-USER WORKSTATION _______________________________ domain philg.benelux.ibm.com nameserver 9.36.71.9 TEST CONFIGURATION __________________ ---- ---- --- ---- ---- ---- Internet -- ---- - ------ IBM IGN -- ---*------- * * ******* testuser * * Modem ---------- * * Dial-up *Thinkpad* * ----*----- * * * * * * ------*------ Ethernet *9.36.71.10 * T-R *** PS/VP *---------------------*--- * * * bebd238 *9.36.71.9 * * ------------- 9.132.89.238 ibm.com philg.benelux.ibm.com 9.0.0.0 9.36.71.0 With a correct setup, it is possible to use Internal servers (ibm.com) without dialing from "testuser". If an external server is used (by sample www.yahoo.com) the auto-dial is automaticcally used. The choice is done through "sockd.rte" configuration. By de- fault sockd gives only access to the "local" subnet on the LAN adapter (9.132.88.0). PROXY SUPPORT ______________ A "proxy" socks server is implemented. To use it you need to know the IP address of the next sockd for OS/2 server and the subnets you can access through this remote sockd. From a LAN connected to Internet in "auto-dial" mode it is possible to access servers located on an other LAN attached to Internet through a sockd using a fixed IP address (mainly with a leased line). You must "permit" the access on both sockd servers. Only the dial-up sockd has to define the "leased line attached" sockd with a "proxy" statement. ARCHIVING SOCKD LOG FILES AND REPORTING _______________________________________ Sockd can now archive its log files. The setup is done through the "profile" option of the main window menu. Four parameters are saved in the third line of the sockd.pro file in the ETC directory. The first parameter indicates if Yes or No the option is selected. The second parameter is "H" for hours or "D" for days. The third gives the delay used to close the sockd.log file and rename it to "sockdlog.XXX" where XXX is a three digits number. The fourth indicates the maximum number of archived files (+ the current sockd.log). The default is to keep seven files and to archive every 24 hours. With this setup you can build a weekly report using the sample REXX reporting program "sockdrep.cmd" (just type "sockdrep" without parm in the directory sockd is run- ning)... IF PROBLEMS ___________ ⌐ The DNS kit nameD server can block if the system is fully "socksified". Don't hesitate to rename the "socks.cfg" file in the ETC directory when you are run- ning sockD. ⌐ If your configuration is limited to one LAN adapter and one dial adapter, it is better to test sockd without configuring it... Use the view menu option to see the config. After tests, check sockd.log ... ⌐ If you have really a problem to setup a name server on the gateway station, define a "hosts" file. For that, when you are testing your "sockdial.cmd" after the con- nection and authentication are successfully completed, use : host www.yahoo.com in an OS/2 Window. You are able to get the IP addresses of your favorite servers. If you install a "completed" hosts file in the ETC directory of the end-user PC you can test sockd with WebEx (socks V4) without setting a name server. With a name server and its caching mech- anism, you have access to any server, with the hosts file access is limited... ⌐ To support socks V5 DNS, the dial-up connection is started automatically if the name can NOT be locally traduced... A better solution is perhaps to define a list of the "internal" domain names, and to start the connection only if the request is for another domain name. On the time being, sockd start the dial-up con- nection for V5, before checking if the connection is "permitted" except if the DNS name can be locally traduced. With the current implementation: - in socks V4 the first session (to start the dial-up connection) MUST be to a "locally" defined DNS name (then sockd check if the client has access to this address before starting the connection). - in V5 DNS support, the first session can be to any DNS name, but if this name can NOT be locally translatted, there a delay (nearly 1 min. in my tests) then the dial-up connection is started and the DNS name translation request is sent to the "external" name server. The "permission" can be checked only after sockd re- ceived the destination IP address. ⌐ In this version , only the flags "811" (<UP,POINTTOPOINT>) or "851" (<..,RUNNING>) are consid- ered as "good" status (connection established) on the dial-up adapter. If the "auto-dial" facility doesn't work for you, please check these flags with: "ifconfig ppp0" (by sample) Send a note to me and I'll add the required support... ⌐ With current V4 applications like WebEx, the first ses- sion must be done to a DNS name converted locally (named or hosts file). After the dial-up connection is estab- lished, names can be translatted by the Internet pro- vider name server, and cached in the local nameD. ⌐ Using WebEx through sockd, some ".gif" files are not correctly received I am investigating why and how to im- prove it. Any suggestion or question to Philippe Gillain (GILLAIN at BRUVMIS1 or Philippe_Gillain@be.ibm.com)...