DragonFly On-Line Manual Pages
srelay(8) DragonFly System Manager's Manual srelay(8)
NAME
srelay - socks protocol server.
SYNOPSIS
srelay [options]
DESCRIPTION
The srelay is a socks version 5 server that also supports version 4.
The srelay has the following features.
- socks version 5 connect/bind operation for TCP relaying.
- socks version 4 connect/bind operation, including FQDN extensions.
- relaying through a chain of multiple socks servers, both version 4
and 5.
- support username/password authentication.
- connection control with tcp_wrappers(libwrap).
- support IPv6 as well as IPv4 (hopefully).
- You can build IPv4 <-> IPv6 gateway with the srelay.
- nicely cope(relay) with NEC's SOCKSv5 reference implementation
servers.
- Free to use/distribute.
OPTIONS
The options are as follows:
-c file configuration file.
-i i/f Interface, or listening port. See Listening Port.
-m num Maximum number of child processes for the non-threading
daemon, or number of threads for the threading daemon.
-o minutes
Idle transfer timeout in minutes. 0(zero) means no
timeout(default.)
-p file PID file; stores main process or main thread process ID.
-u file srelay password file used in intermediate SOCKS5 server.
-a [n|p] authentication method.
n No Authentication.
p Username/Password authentication.
Authentication methods are evaluated in the order they are given.
If this option is not present, the 'No Authentication' method is
used.
-f Run foreground. (not tested well :-p)
-r Try to resolve client IP to name when logging.
-s Logging to syslog, even if running foreground.
-t Disable threading. (valid in thread-enabled configuration)
-b Avoid BIND port restriction.
-g Use the same interface for outbound as inbound.
-v Show version info.
-h -? Show help.
Listening Port
The server listening ports are specified in the following format.
-i 192.168.1.5
Single IP spec. If no port number is specified, defaults to
1080/tcp. Server socket will be 192.168.1.5 port 1080.
-i 192.168.1.5:9999
Single IP with port. Server socket will be 192.168.1.5 port
9999.
-i my.socks.host:5432
Hostname is also accepted.
-i :1234
No host IP or hostname is specified. Server socket will be
INADDR_ANY port 1234.
-i '[2003:268:1234:4321:250:8bff:fea8:1234]:1234'
IPv6 address must be surrounded by '[' and ']'. In most of the
cases, you have to escape '[' and ']' characters against your
shell.
The -i option can appear multiple times if you'd like to have a lot
of holes.
If no -i option is specified, the default is INADDR_ANY/INADDR6_ANY
port 1080.
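The -i forms listed above can be checked mechanically when reviewing how an srelay instance is started. The following is an added example, not code from srelay: the function names are hypothetical, it assumes -i is given either as "-i value" or "-ivalue", and it flags listeners bound to every interface so they can be matched against hosts.allow/hosts.deny rules.

```python
DEFAULT_PORT = 1080  # documented default when no port is given

def parse_listen(spec):
    """Split one -i argument into (host, port); host None means all interfaces."""
    if spec.startswith("["):                      # '[v6addr]' or '[v6addr]:port'
        host, closed, tail = spec[1:].partition("]")
        if not closed or (tail and not tail.startswith(":")):
            raise ValueError(f"malformed IPv6 listener: {spec!r}")
        port = tail[1:]
    elif ":" in spec:                             # 'host:port' or ':port'
        host, _, port = spec.rpartition(":")
    else:                                         # bare host name or IP
        host, port = spec, ""
    return (host or None, int(port) if port else DEFAULT_PORT)

def listeners(argv):
    """Collect every -i listener from an srelay argument vector."""
    found, args = [], iter(argv)
    for arg in args:
        if arg == "-i":
            found.append(parse_listen(next(args)))
        elif arg.startswith("-i"):
            found.append(parse_listen(arg[2:]))
    # With no -i at all, srelay binds INADDR_ANY/INADDR6_ANY port 1080.
    return found or [(None, DEFAULT_PORT)]

def wildcard_listeners(argv):
    """Listeners reachable on every interface of the host."""
    return [l for l in listeners(argv) if l[0] in (None, "0.0.0.0", "::")]

# Constructed sample command line, for illustration only.
SAMPLE_ARGV = ["-c", "/usr/local/etc/srelay.conf", "-i", "192.168.1.5", "-i", ":1234"]
EXPOSED = wildcard_listeners(SAMPLE_ARGV)
```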
Authentication method
The socks version 5 authentication is the mechanism for authenticating
the user of the server. The srelay only supports 'No Authentication' and
'Username/Password Authentication'. For Username/Password
authentication, the srelay uses the server host's account information,
for instance the UNIX host's password database. This is discouraged
if you are in a network full of sniffers :) Why? Er, the plain text
password is sent by the client every time it connects to the server.
I recommend not using the -ap option.
When the srelay is working as an intermediate in a chain of socks
servers, it is sometimes required to use socks authentication to connect
to the next-hop socks server. In this case, you can specify the username
and password for the next-hop socks server in the srelay.passwd file.
This is done whether or not you specify the -a option.
srelay.conf
Configuration file format.
# this line is comment.
# destination port range next [next-p x-next x-next-p]
# subnet length
123.123.131.0/24 any 10.10.10.1
# subnet mask in dotted format; higher port is 65535
223.224.2.128/255.255.255.128 512- 10.11.22.1 11080
# lower port is 1
223.224.2.128/25 -511 10.11.22.2
# IPv6 destinations go through Gateway
:: - 100.200.1.1
# IPv4 destinations go through another Gateway
0.0.0.0 - 100.200.1.2
# (IPv6 to IPv4 destinations)
0.0.0.0 - 3002::1:4321:250:8bff:ffa8:1234
# no next-hop means connect direct.
1.2.3.4 -
#---
If next-p (next-hop socks port) is omitted, it defaults to 1080, as
you can guess. A next-hop socks port can be written like 8080/H or
8080/S, where H and S mean HTTP and SOCKS, respectively. This also
defaults to SOCKS.
The HTTP relaying method is experimental, and supports a minimal subset
of HTTP proxying.
Your network environment may look like this.
[Client]-->(socks)[srelay]-->(http)[FireWall]
-->(socks)[Socks_Island]-->[Dest]
The srelay.conf setting can then include the third host, [FireWall], like this.
# dest dest-port proxy proxy-p proxy2 proxy2-p
Dest any Socks-Island 1080 FireWall 8080/H
The listing order of proxy and proxy2 is farthest first order.
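The srelay.conf line format described above, turned into a small parser that can be used to review which destinations go direct and which pass through an HTTP hop. This is an added example, not srelay's own parser: the function names are hypothetical, a single port number without a dash is an assumed form not shown on this page, and each chain is returned in the order the hops are dialled (the reverse of the farthest-first listing).

```python
import ipaddress
import re

PORT_TOKEN = re.compile(r"^(\d+)(?:/([HS]))?$", re.IGNORECASE)

def parse_port_range(tok):
    """'any' and '-' cover all ports; '512-' and '-511' are open-ended."""
    if tok in ("any", "-"):
        return (1, 65535)
    lo, dash, hi = tok.partition("-")
    if not dash:                    # single port: assumed form, not on the page
        return (int(lo), int(lo))
    return (int(lo) if lo else 1, int(hi) if hi else 65535)

def parse_dest(tok):
    """Return an ip_network where possible, otherwise the hostname unchanged."""
    try:
        net = ipaddress.ip_network(tok, strict=False)
    except ValueError:
        return tok
    # A bare 0.0.0.0 or :: stands for every IPv4 / IPv6 destination.
    if "/" not in tok and net.network_address.is_unspecified:
        return net.supernet(new_prefix=0)
    return net

def parse_route(line):
    """Parse one srelay.conf line; None for blank and comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if len(fields) < 2:
        raise ValueError(f"missing port range: {line!r}")
    hops, rest = [], fields[2:]
    while rest:
        host, port, proto = rest.pop(0), 1080, "socks"   # documented defaults
        m = PORT_TOKEN.match(rest[0]) if rest else None
        if m:
            rest.pop(0)
            port = int(m.group(1))
            proto = "http" if (m.group(2) or "S").upper() == "H" else "socks"
        hops.append((host, port, proto))
    # Hops are listed farthest first, so reverse them into dialling order.
    return {"dest": parse_dest(fields[0]), "ports": parse_port_range(fields[1]),
            "chain": hops[::-1]}

# Two lines taken from the examples on this page.
SAMPLE = ["Dest any Socks-Island 1080 FireWall 8080/H", "1.2.3.4 -"]
ROUTES = [parse_route(line) for line in SAMPLE]
```

An empty chain marks a destination that srelay connects to directly, and any hop with protocol "http" uses the experimental HTTP relaying method.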
srelay.passwd
Username/Password information for connecting next-hop socks server.
# this line is comment.
# next-hop server username password
123.234.0.1 hogehoga xyz$12#
10.11.22.1 opopop tutut555
FILES
/usr/local/etc/srelay.conf
default configuration file.
/usr/local/etc/srelay.passwd
username/password information used when connecting to the
next-hop socks v5 server.
/var/run/srelay.pid
default PID file.
/etc/hosts.allow /etc/hosts.deny
(if supported at compile time) tcp_wrappers configuration. The
TAG name is 'srelay'.
SIGNALS
The following signals are meaningful:
SIGHUP reload srelay.conf.
SIGTERM
Exit.
SEE ALSO
hosts_access(5),
RFC 1928 SOCKS Protocol Version 5,
RFC 1929 Username/Password Authentication for SOCKS V5,
http://www.socks.nec.com/socksproto.html
AUTHOR
Tomo.M <tomoyuki@pobox.com>
27 Mar 2003 srelay(8)