
Re: danted problem



I thought a firewall might be contributing to my problem...
but I stopped it and, retrying, I found it was not the guilty one!
I also tried the sample all-permitting conf file... but... nothing!

mmmhh...
is it possible that nobody (I once saw a similar question in Google Groups..
but I don't understand German!!) knows the answer???!?!


bye


G.

----- Original Message ----- 
From: "Gianluca P." <gia.web@tiscali.it>
To: "debian-firewall" <debian-firewall@lists.debian.org>
Sent: Monday, July 14, 2003 10:28 AM
Subject: danted problem


> hi there!
> I've a little(?!) problem with the socks server Dante...
> It seems to work right.. no conf errors.. port binding ok & listening ...
> but as soon as I start a connection it shuts me off immediately.. firewall
> closed connection....
> Can someone help me?? The OS version is woody 3r1 and the sockd version is
> 1.1.12pre1
> Further info is at the bottom...
>
> thanks
>
> Gianluca
>
>
>
>
> ----- here the conf file -----
>
> # $Id: sockd.conf,v 1.41 2001/12/12 13:56:41 karls Exp $
> #
> # A sample sockd.conf
> #
> #
> # The configfile is divided into two parts; first serversettings,
> # then the rules.
> #
> # The recommended order is:
> #   Serversettings:
> #               logoutput
> #               internal
> #               external
> #               method
> #               clientmethod
> #               users
> #               compatibility
> #               extension
> #               connecttimeout
> #               iotimeout
> #  srchost
> #
> #  Rules:
> # client block/pass
> #  from to
> #  libwrap
> #  log
> #
> #     block/pass
> #  from to
> #  method
> #  command
> #  libwrap
> #  log
> #  protocol
> #  proxyprotocol
>
> # the server will log both via syslog, to stdout and to /var/log/lotsoflogs
> #logoutput: syslog stdout /var/log/lotsoflogs
> #logoutput: stderr
> #logoutput: stdout
> logoutput: /var/log/danted
>
> # The server will bind to the address 10.1.1.1, port 1080 and will only
> # accept connections going to that address.
> #internal: 10.1.1.1 port = 1080
> # Alternatively, the interface name can be used instead of the address.
> internal: eth1 port = 8880
>
> # all outgoing connections from the server will use the IP address
> # 195.168.1.1
> external: ppp0
> #external: 217.133.174.35
>
> # list over acceptable methods, order of preference.
> # A method not set here will never be selected.
> #
> # If the method field is not set in a rule, the global
> # method is filled in for that rule.
> #
>
> # methods for socks-rules.
> #method: username none #rfc931
> method: none
>
> # methods for client-rules.
> clientmethod: none
>
> #or if you want to allow rfc931 (ident) too
> #method: username rfc931 none
>
> #or for PAM authentication
> #method: pam
>
> #
> # An important section, pay attention.
> #
>
> # when doing something that can require privilege, it will use the
> # userid:
> user.privileged: proxy
> #user.privileged: root
>
> # when running as usual, it will use the unprivileged userid of:
> user.notprivileged: proxy
> #user.notprivileged: root
>
> # If you compiled with libwrap support, what userid should it use
> # when executing your libwrap commands?  "libwrap".
> #user.libwrap: libwrap
> user.libwrap: proxy
> #user.libwrap: root
>
>
> #
> # some options to help clients with compatibility:
> #
>
> # when a client connection comes in the socksserver will try to use
> # the same port as the client is using, when the socksserver
> # goes out on the clients behalf (external: IP address).
> # If this option is set, Dante will try to do it for reserved ports as well.
> # This will usually require user.privileged to be set to "root".
> #compatibility: sameport
>
> # If you are using the bind extension and have trouble running servers
> # via the server, you might try setting this.  The consequences of it
> # are unknown.
> #compatibility: reuseaddr
>
> #
> # The Dante server supports some extensions to the socks protocol.
> # These require that the socks client implements the same extension and
> # can be enabled using the "extension" keyword.
> #
> # enable the bind extension.
> #extension: bind
>
>
> #
> #
> # misc options.
> #
>
> # how many seconds can pass from when a client connects until it has
> # sent us its request?  Adjust according to your network performance
> # and methods supported.
> #connecttimeout: 30   # on a lan, this should be enough if method is "none".
>
> # how many seconds can the client and its peer idle without sending
> # any data before we dump it?  Unless you disable tcp keep-alive for
> # some reason, it's probably best to set this to 0, which is
> # "forever".
> #iotimeout: 0 # or perhaps 86400, for a day.
>
> # do you want to accept connections from addresses without
> # dns info?  what about addresses having a mismatch in dnsinfo?
> #srchost: nounknown nomismatch
>
> #
> # The actual rules.  There are two kinds and they work at different levels.
> #
> # The rules prefixed with "client" are checked first and say who is allowed
> # and who is not allowed to speak/connect to the server.  I.e. the
> # ip range containing possibly valid clients.
> # It is especially important that these only use IP addresses, not hostnames,
> # for security reasons.
> #
> # The rules that do not have a "client" prefix are checked later, when the
> # client has sent its request and are used to evaluate the actual
> # request.
> #
> # The "to:" in the "client" context gives the address the connection
> # is accepted on, i.e. the address the socksserver is listening on, or
> # just "0.0.0.0/0" for any address the server is listening on.
> #
> # The "to:" in the non-"client" context gives the destination of the clients'
> # socksrequest.
> #
> # "from:" is the source address in both contexts.
> #
>
>
> # the "client" rules.  All our clients come from the net 10.0.0.0/8.
> #
>
> # Allow our clients, also provides an example of the port range command.
> #client pass {
> # from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
> # method: rfc931 # match all idented users that also are in passwordfile
> #}
>
> # This is identical to above, but allows clients without a rfc931 (ident)
> # too.  In practice this means the socksserver will try to get a rfc931
> # reply first (the above rule), if that fails, it tries this rule.
> client pass {
> # from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
>  from: 192.168.0.0/8 port 1-65535 to: 0.0.0.0/0
> # from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0
>  log: connect error
> }
>
>
> # drop everyone else as soon as we can and log the connect, they are not
> # on our net and have no business connecting to us.  This is the default
> # but if you give the rule yourself, you can specify details.
> #client block {
> # from: 0.0.0.0/0 to: 0.0.0.0/0
> # log: connect error
> #}
>
>
> # the rules controlling what clients are allowed what requests
> #
>
> # you probably don't want people connecting to loopback addresses,
> # who knows what could happen then.
> #block {
> # from: 0.0.0.0/0 to: 127.0.0.0/8
> # log: connect error
> #}
>
> # the people at the 172.16.0.0/12 are bad, no one should talk to them.
> # log the connect request and also provide an example on how to
> # interact with libwrap.
> #block {
> # from: 0.0.0.0/0 to: 172.16.0.0/12
> # libwrap: spawn finger @%a
> # log: connect error
> #}
>
> # unless you need it, you could block any bind requests.
> #block {
> # from: 0.0.0.0/0 to: 0.0.0.0/0
> # command: bind
> # log: connect error
> #}
>
> # or you might want to allow it, for instance "active" ftp uses it.
> # Note that a "bindreply" command must also be allowed, it
> # should usually be from "0.0.0.0/0", i.e. if a client of yours
> # has permission to bind, it will also have permission to accept
> # the reply from anywhere.
> #pass {
> # from: 10.0.0.0/8 to: 0.0.0.0/0
> # command: bind
> # log: connect error
> #}
>
> # some connections expect some sort of "reply", this might be
> # the reply to a bind request or it may be the reply to a
> # udppacket, since udp is packetbased.
> # Note that nothing is done to verify that it's a "genuine" reply,
> # that is in general not possible anyway.  The below will allow
> # all "replies" in to your clients at the 10.0.0.0/8 net.
> #pass {
> # from: 0.0.0.0/0 to: 10.0.0.0/8
> # command: bindreply udpreply
> # log: connect error
> #}
>
>
> # pass any http connects to the example.com domain if they
> # authenticate with username.
> # This matches "example.com" itself and everything ending in ".example.com".
> #pass {
> # from: 10.0.0.0/8 to: .example.com port = http
> # log: connect error
> # method: username
> #}
>
> # block any other http connects to the example.com domain.
> #block {
> # from: 0.0.0.0/0 to: .example.com port = http
> # log: connect error
> #}
>
> # everyone from our internal network, 10.0.0.0/8 is allowed to use
> # tcp and udp for everything else.
> #pass {
> # from: 10.0.0.0/8 to: 0.0.0.0/0
> # from: 192.168.0.0/8 to: 0.0.0.0/0
> # protocol: tcp udp
> #}
>
> # last line, block everyone else.  This is the default but if you provide
> # one  yourself you can specify your own logging/actions
> #block {
> # from: 0.0.0.0/0 to: 0.0.0.0/0
> # log: connect error
> #}
>
>
>
>
>
>
>
> ----- & here the log in debug mode (ie: ./danted -d -D) -----
> Jul 11 17:15:25 danted[3418]: socks_seteuid(): old: 0, new: 13
> Jul 11 17:15:25 danted[3418]: socks_reseteuid(): current: 13, new: 0
> Jul 11 17:15:25 danted[3418]: socks_seteuid(): old: 0, new: 13
> Jul 11 17:15:25 danted[3418]: socks_reseteuid(): current: 13, new: 0
> Jul 11 17:15:25 danted[3418]: socks_seteuid(): old: 0, new: 13
> Jul 11 17:15:25 danted[3418]: socks_reseteuid(): current: 13, new: 0
> Jul 11 17:15:25 danted[3418]: socks_seteuid(): old: 0, new: 13
> Jul 11 17:15:25 danted[3418]: socks_reseteuid(): current: 13, new: 0
> Jul 11 17:15:25 danted[3418]: internal addresses (1):
> Jul 11 17:15:25 danted[3418]:  192.168.0.1.8880
> Jul 11 17:15:25 danted[3418]: external addresses (1):
> Jul 11 17:15:25 danted[3418]:  address: ppp0, tcp: 0, udp : 0, op: none, end: 0
> Jul 11 17:15:25 danted[3418]: external address rotation: none
> Jul 11 17:15:25 danted[3418]: compatibility options:
> Jul 11 17:15:25 danted[3418]: extensions enabled:
> Jul 11 17:15:25 danted[3418]: logoutput goes to: "/var/log/danted",
> Jul 11 17:15:25 danted[3418]: cmdline options:
> "configfile": "/etc/danted.conf",
> "daemon": "1",
> "debug": "1",
> "keepalive": "1",
> "linebuffer": "1",
> "servercount": "1",
> Jul 11 17:15:25 danted[3418]: resolveprotocol: udp
> Jul 11 17:15:25 danted[3418]: srchost:
> "nomismatch": "0",
> "nounknown": "0",
> Jul 11 17:15:25 danted[3418]: negotiate timeout: 120s
> Jul 11 17:15:25 danted[3418]: i/o timeout: 86400s
> Jul 11 17:15:25 danted[3418]: euid: 0
> Jul 11 17:15:25 danted[3418]: userid:
> "privileged": "proxy",
> "unprivileged": "proxy",
> "libwrap": "proxy",
> Jul 11 17:15:25 danted[3418]: method(s): none
> Jul 11 17:15:25 danted[3418]: clientmethod(s): none
> Jul 11 17:15:25 danted[3418]: client-rules (1):
> Jul 11 17:15:25 danted[3418]: client-rule #1, line #0
> Jul 11 17:15:25 danted[3418]: verdict: pass
> Jul 11 17:15:25 danted[3418]: src: address: 192.168.0.0/8, tcp: 1, udp : 1, op: range, end: 65535
> Jul 11 17:15:25 danted[3418]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
> Jul 11 17:15:25 danted[3418]: method(s): none,
> Jul 11 17:15:25 danted[3418]: log: connect, disconnect, error, iooperation,
> Jul 11 17:15:25 danted[3418]: socks-rules (0):
> Jul 11 17:15:25 danted[3418]: socks_seteuid(): old: 0, new: 13
> Jul 11 17:15:25 danted[3418]: socks_seteuid(): old: 13, new: 13
> Jul 11 17:15:25 danted[3418]: open(/var/run/danted.pid): Permission denied (errno = 13)
> Jul 11 17:15:25 danted[3418]: socks_seteuid(): old: 13, new: 13
> Jul 11 17:15:25 danted[3419]: created new negotiatorchild
> Jul 11 17:15:44 danted[3419]: accessmatch(): method: none, 192.168.0.2.1174 -> 192.168.0.1.8880
> Jul 11 17:15:44 danted[3419]: addressmatch(): address: 192.168.0.0/8, tcp: 1, udp : 1, op: range, end: 65535, 192.168.0.2.1174, tcp, 0
> Jul 11 17:15:44 danted[3419]: addressmatch(): address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0, 192.168.0.1.8880, tcp, 0
> Jul 11 17:15:44 danted[3419]: pass(1): tcp/accept [: 192.168.0.2.1174 -> 192.168.0.1.8880
> Jul 11 17:15:45 danted[3419]: unknown version 13 in request
> Jul 11 17:15:45 danted[3419]: pass(1): tcp/accept ]: 192.168.0.2.1174 -> 192.168.0.1.8880: socks protocol error
> Jul 11 17:16:32 danted[3419]: accessmatch(): method: none, 192.168.0.2.1204 -> 192.168.0.1.8880
> Jul 11 17:16:32 danted[3419]: addressmatch(): address: 192.168.0.0/8, tcp: 1, udp : 1, op: range, end: 65535, 192.168.0.2.1204, tcp, 0
> Jul 11 17:16:32 danted[3419]: addressmatch(): address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0, 192.168.0.1.8880, tcp, 0
> Jul 11 17:16:32 danted[3419]: pass(1): tcp/accept [: 192.168.0.2.1204 -> 192.168.0.1.8880
> Jul 11 17:16:32 danted[3419]: recv_methods(): sending authentication reply: VER: 5 METHOD: 0
> Jul 11 17:16:32 danted[3419]: sending request to mother
> Jul 11 17:16:32 danted[3419]: accessmatch(): method: none, 192.168.0.2.1205 -> 192.168.0.1.8880
> Jul 11 17:16:32 danted[3419]: addressmatch(): address: 192.168.0.0/8, tcp: 1, udp : 1, op: range, end: 65535, 192.168.0.2.1205, tcp, 0
> Jul 11 17:16:32 danted[3419]: addressmatch(): address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0, 192.168.0.1.8880, tcp, 0
> Jul 11 17:16:32 danted[3419]: pass(1)
>
>
>
>
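Two facts in the quoted material point at the same thing: the posted sockd.conf has an active "client pass" block but every socks-level "pass {" block is commented out, and the startup log confirms it with "client-rules (1)" followed by "socks-rules (0)". The sample config's own comment says that blocking everyone is Dante's default when no socks rule matches, so a TCP connection is accepted and then every request is refused. The following script is an added example (not code from the thread or from the Dante project) that parses a sockd.conf just far enough to count uncommented rule blocks, cross-checks those counts against the "client-rules (N)" / "socks-rules (N)" lines of the debug log, and reports the empty-socks-rules condition. SAMPLE_CONF and SAMPLE_LOG are constructed from the lines posted above; FIXED_CONF is a constructed corrected variant, and its use of 192.168.0.0/16 instead of the posted /8 is this example's choice (a /8 prefix on 192.168.0.0 covers all of 192.0.0.0/8).

```python
"""Check a Dante sockd.conf for the 'no socks-rules' misconfiguration.

Added example; not code from the thread or from the Dante project.  It reads
the two artifacts the original poster supplied (a sockd.conf and the
`danted -d -D` startup log) only far enough to count the rules Dante will
actually load, then explains a zero socks-rule count.
"""
import re

# Constructed from the posted sockd.conf: the client pass block is active,
# the socks-level pass block is commented out (weak setting).
SAMPLE_CONF = """\
logoutput: /var/log/danted
internal: eth1 port = 8880
external: ppp0
method: none
clientmethod: none

client pass {
# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
 from: 192.168.0.0/8 port 1-65535 to: 0.0.0.0/0
 log: connect error
}

#pass {
# from: 10.0.0.0/8 to: 0.0.0.0/0
# protocol: tcp udp
#}
"""

# Constructed corrected variant: one socks-level pass rule for the LAN.
# The /16 prefix is this example's choice, not the poster's /8.
FIXED_CONF = SAMPLE_CONF.replace(
    "#pass {\n# from: 10.0.0.0/8 to: 0.0.0.0/0\n# protocol: tcp udp\n#}",
    "pass {\n from: 192.168.0.0/16 to: 0.0.0.0/0\n protocol: tcp udp\n log: connect error\n}",
)

# Constructed from the posted debug log (startup summary lines only).
SAMPLE_LOG = """\
Jul 11 17:15:25 danted[3418]: client-rules (1):
Jul 11 17:15:25 danted[3418]: client-rule #1, line #0
Jul 11 17:15:25 danted[3418]: verdict: pass
Jul 11 17:15:25 danted[3418]: socks-rules (0):
"""

# A rule block opens with an optional "client" keyword, pass|block, then "{".
RULE_START = re.compile(r"^\s*(client\s+)?(pass|block)\s*\{")
# Dante's startup summary prints "client-rules (N):" and "socks-rules (N):".
LOG_COUNT = re.compile(r"(client-rules|socks-rules)\s+\((\d+)\)")


def active_rules(conf_text):
    """Count uncommented client-level and socks-level rule blocks.

    Returns {"client": n, "socks": m}.  A line whose first non-blank
    character is '#' is a comment and never opens a rule, which is exactly
    how the poster's "#pass {" blocks disappear from the loaded policy.
    """
    counts = {"client": 0, "socks": 0}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = RULE_START.match(line)
        if m:
            counts["client" if m.group(1) else "socks"] += 1
    return counts


def rule_counts_from_log(log_text):
    """Extract the rule counts danted reported at startup, keyed like active_rules()."""
    counts = {}
    for m in LOG_COUNT.finditer(log_text):
        counts[m.group(1).split("-")[0]] = int(m.group(2))
    return counts


def diagnose(conf_text, log_text):
    """Return a list of findings (strings); an empty list means nothing obvious."""
    findings = []
    conf = active_rules(conf_text)
    log = rule_counts_from_log(log_text)
    # The running daemon should have loaded what the file on disk defines;
    # a mismatch usually means it read a different configfile.
    for kind in ("client", "socks"):
        if kind in log and log[kind] != conf[kind]:
            findings.append(
                f"{kind}-rules: config defines {conf[kind]} but danted loaded "
                f"{log[kind]}; check which configfile the daemon reads")
    if conf["socks"] == 0:
        findings.append(
            "no socks-level pass/block rules are active: the client rule "
            "accepts the TCP connection, then every request falls through "
            "to Dante's implicit final block")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print("FINDING:", finding)
    print("after fix:", active_rules(FIXED_CONF))
```

Run against the posted artifacts the script reports the single finding about missing socks rules; run against FIXED_CONF with the old log it instead reports the count mismatch, which is the check to rerun after restarting danted with the corrected file.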






