authorAlin Năstac <mrness@gentoo.org>2005-06-04 12:30:59 +0000
committerAlin Năstac <mrness@gentoo.org>2005-06-04 12:30:59 +0000
commit04f3a169857c8c18219cd9ffdd0ca67a9b84bb70 (patch)
treed81a0bcbeecbfb69f187c0c07bf857c51b4b5949 /net-proxy
parentMinor tweaks (diff)
add /etc/socks/sock?.conf; add sockd user; improve init script
Package-Manager: portage-2.0.51.19
Diffstat (limited to 'net-proxy')
-rw-r--r--net-proxy/dante/ChangeLog11
-rw-r--r--net-proxy/dante/Manifest16
-rw-r--r--net-proxy/dante/dante-1.1.15-r2.ebuild87
-rw-r--r--net-proxy/dante/files/dante-sockd-init33
-rw-r--r--net-proxy/dante/files/digest-dante-1.1.15-r21
-rw-r--r--net-proxy/dante/files/sockd.conf243
-rw-r--r--net-proxy/dante/files/sockd.conf-with-libwrap.patch41
-rw-r--r--net-proxy/dante/files/sockd.conf-with-pam.patch12
-rw-r--r--net-proxy/dante/files/socks.conf127
9 files changed, 555 insertions, 16 deletions
diff --git a/net-proxy/dante/ChangeLog b/net-proxy/dante/ChangeLog
index 6e53adc1810a..764e13f6253b 100644
--- a/net-proxy/dante/ChangeLog
+++ b/net-proxy/dante/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for net-proxy/dante
# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-proxy/dante/ChangeLog,v 1.3 2005/05/16 16:58:47 mrness Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-proxy/dante/ChangeLog,v 1.4 2005/06/04 12:30:59 mrness Exp $
+
+*dante-1.1.15-r2 (04 Jun 2005)
+
+ 04 Jun 2005; Alin Nastac <mrness@gentoo.org> files/dante-sockd-init,
+ +files/sockd.conf, +files/sockd.conf-with-libwrap.patch,
+ +files/sockd.conf-with-pam.patch, +files/socks.conf,
+ +dante-1.1.15-r2.ebuild:
+ Added default configuration files in /etc/socks. Create sockd user, used in
+ user.* parameters of the sockd daemon. Improve init script.
16 May 2005; Alin Nastac <mrness@gentoo.org> dante-1.1.15-r1.ebuild:
Remove unused inheritance of gcc eclass (#92745).
diff --git a/net-proxy/dante/Manifest b/net-proxy/dante/Manifest
index 9062030a2881..b2b30ebc959e 100644
--- a/net-proxy/dante/Manifest
+++ b/net-proxy/dante/Manifest
@@ -1,20 +1,26 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+MD5 e49aa34e96ca6caded6a17f6c9b157a9 dante-1.1.15-r2.ebuild 2460
MD5 a6a5bd8eb855005685f1e525babf1094 dante-1.1.15-r1.ebuild 2266
-MD5 335176ca1f54f38465d44cdf5003e9de ChangeLog 7424
+MD5 c56c2d5e1064afec9081d976445620f3 ChangeLog 7809
MD5 19688263fcbda666eeb085869012f86a metadata.xml 246
MD5 e1b94493b162bbdb56acba97cec7349a files/dante-1.1.15_pre1-socksify.patch 811
+MD5 7573426ad7edc9ea4dd95f020205fda4 files/sockd.conf-with-pam.patch 295
MD5 5e74662c76571e30e6a190a2d4d1193a files/dante-1.1.15-optionalpam.patch 10896
MD5 0a5831b02f1ee3c0b9810c4354839906 files/digest-dante-1.1.15-r1 64
+MD5 0a5831b02f1ee3c0b9810c4354839906 files/digest-dante-1.1.15-r2 64
+MD5 aa0bc92f8670b91aaf92f1e89b7e06c7 files/sockd.conf 7031
+MD5 cf06ad88e50a36ba1326579ab64366b8 files/socks.conf 4185
+MD5 05b76026b104b3a12fcd5d42aecc3041 files/sockd.conf-with-libwrap.patch 870
MD5 72d9add89e45e3cb921c99d79bdf31a7 files/dante-1.1.15-bindresvport.patch 485
MD5 30064015b5702cf8059a1639167e8a3f files/dante-1.1.15-getipnodebyname.patch 789
MD5 eb2041b3f61750335f8702515cb20b7c files/dante-sockd-conf 463
-MD5 4b441393f14c9a13b7f4cb22242f659c files/dante-sockd-init 1319
+MD5 1ff7ae828153ebdd013aa82e5c247b7f files/dante-sockd-init 1722
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
-iD8DBQFCiNFgjiC39V7gKu0RAmAGAKCQj1e5veSZ65HWCn5V7bFCNqcLDQCgvOLg
-70lVQAi27ojkYK0wGUd4Ndc=
-=E2rr
+iD8DBQFCoZ8bjiC39V7gKu0RAn0rAKCXS6NacPrR3uWE/9aZi6CXCssgeACgqpRP
+eaUj+5Takiqa+9MlILhOsTE=
+=BJEP
-----END PGP SIGNATURE-----
diff --git a/net-proxy/dante/dante-1.1.15-r2.ebuild b/net-proxy/dante/dante-1.1.15-r2.ebuild
new file mode 100644
index 000000000000..57fa30ca9a96
--- /dev/null
+++ b/net-proxy/dante/dante-1.1.15-r2.ebuild
@@ -0,0 +1,87 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-proxy/dante/dante-1.1.15-r2.ebuild,v 1.1 2005/06/04 12:30:59 mrness Exp $
+
+inherit fixheadtails eutils
+
+DESCRIPTION="A free socks4,5 and msproxy implementation"
+HOMEPAGE="http://www.inet.no/dante/"
+SRC_URI="ftp://ftp.inet.no/pub/socks/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="tcpd debug selinux pam"
+
+RDEPEND="virtual/libc
+ pam? ( sys-libs/pam )
+ tcpd? ( sys-apps/tcp-wrappers )
+ selinux? ( sec-policy/selinux-dante )"
+DEPEND="${RDEPEND}
+ >=sys-apps/sed-4
+ >=sys-devel/automake-1.9"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ epatch ${FILESDIR}/${P}_pre1-socksify.patch
+ epatch ${FILESDIR}/${P}-bindresvport.patch
+ epatch ${FILESDIR}/${P}-optionalpam.patch
+ epatch ${FILESDIR}/${P}-getipnodebyname.patch
+
+ ht_fix_file configure configure.ac
+ sed -i \
+ -e 's:/etc/socks\.conf:/etc/socks/socks.conf:' \
+ -e 's:/etc/sockd\.conf:/etc/socks/sockd.conf:' \
+ doc/{faq.ps,faq.tex,sockd.8,sockd.conf.5,socks.conf.5}
+}
+
+src_compile() {
+ libtoolize --copy --force
+ econf \
+ `use_enable debug` \
+ `use_enable tcpd libwrap` \
+ `use_with pam` \
+ --with-socks-conf=/etc/socks/socks.conf \
+ --with-sockd-conf=/etc/socks/sockd.conf \
+ || die "bad ./configure"
+ # the comments in the source say this is only useful for 2.0 kernels ...
+ # well it may fix 2.0 but it breaks with 2.6 :)
+ [ "${KV:0:3}" == "2.6" ] && sed -i 's:if HAVE_LINUX_ECCENTRICITIES:if 0:' include/common.h
+ emake || die "compile problem"
+}
+
+src_install() {
+ make DESTDIR=${D} install || die
+
+ # bor: comment libdl.so out it seems to work just fine without it
+ sed -i -e 's:libdl\.so::' ${D}/usr/bin/socksify || die 'sed failed'
+
+ # default configuration files
+ insinto /etc/socks
+ doins ${FILESDIR}/sock?.conf
+ cd ${D}/etc/socks && {
+ use pam && epatch ${FILESDIR}/sockd.conf-with-pam.patch
+ use tcpd && epatch ${FILESDIR}/sockd.conf-with-libwrap.patch
+ }
+ cd ${S}
+
+ # our init script
+ exeinto /etc/init.d
+ newexe ${FILESDIR}/dante-sockd-init dante-sockd
+ insinto /etc/conf.d
+ newins ${FILESDIR}/dante-sockd-conf dante-sockd
+
+ # install documentation
+ dodoc BUGS CREDITS NEWS README SUPPORT TODO VERSION
+ docinto txt
+ cd doc
+ dodoc README* *.txt SOCKS4.*
+ docinto example
+ cd ../example
+ dodoc *.conf
+}
+
+pkg_postinst() {
+ enewuser sockd -1 /bin/false /etc/socks daemon
+}
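Review bot: `src_install` opens with plain `make DESTDIR=${D} install || die` while `src_compile` already uses `emake`, and `${D}`, `${FILESDIR}` and `${S}` are passed unquoted throughout the function; prefer `emake DESTDIR="${D}" install || die "install failed"` and quote the path variables so a build root containing spaces does not split the arguments. The `cd ${D}/etc/socks && { … }` group never checks that the `cd` succeeded before the following `cd ${S}`, so a failed directory change silently skips both conditional patches; `cd "${D}"/etc/socks || die "cannot enter /etc/socks"` would make that loud. The sockd user is created in `pkg_postinst`, after the files are installed; since the shipped `sockd.conf` only names that user in `user.privileged`/`user.notprivileged` and nothing installed appears to be owned by it, this works, though `pkg_setup` is the more usual place and would also cover a later revision that installs files owned by `sockd`.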
diff --git a/net-proxy/dante/files/dante-sockd-init b/net-proxy/dante/files/dante-sockd-init
index b2f641142046..dd5285fdcf7c 100644
--- a/net-proxy/dante/files/dante-sockd-init
+++ b/net-proxy/dante/files/dante-sockd-init
@@ -1,12 +1,13 @@
#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-proxy/dante/files/dante-sockd-init,v 1.1 2005/04/22 20:47:27 mrness Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-proxy/dante/files/dante-sockd-init,v 1.2 2005/06/04 12:30:59 mrness Exp $
SOCKD_OPT="-D"
[ "${SOCKD_FORKDEPTH}" -gt 1 ] && SOCKD_OPT="${SOCKD_OPT} -N ${SOCKD_FORKDEPTH}"
[ "${SOCKD_DEBUG}" -eq 1 ] && SOCKD_OPT="${SOCKD_OPT} -d"
[ "${SOCKD_DISABLE_KEEPALIVE}" -eq 1 ] && SOCKD_OPT="${SOCKD_OPT} -n"
+PIDFILE=/var/run/sockd.pid
depend() {
need net
@@ -17,29 +18,41 @@ checkconfig() {
if [ ! -f /etc/socks/sockd.conf ] ; then
eerror "You need to setup /etc/socks/sockd.conf first"
eerror "Examples are in /usr/share/doc/dante[version]/example"
- eerror "for info: info sockd.conf"
+ eerror "for more info, see: man sockd.conf"
return 1
fi
- /usr/sbin/sockd -V
- ret=$?
- if [ $ret -ne 0 ]; then
+
+ /usr/sbin/sockd -V &> /tmp/dante-sockd.checkconf
+ if [ $? -ne 0 ]; then
+ cat /tmp/dante-sockd.checkconf
eerror "Something is wrong with your configuration file"
+ eerror "for more info, see: man sockd.conf"
return 1
fi
+ rm /tmp/dante-sockd.checkconf
+
+ #Create pidfile with owner set to daemon's uid
+ DAEMON_UID=`sed -e '/^[ \t]*user[.]notprivileged[ \t]*:/{s/.*:[ \t]*//;q};d' /etc/socks/sockd.conf`
+ if [ -n "$DAEMON_UID" ]; then
+ touch $PIDFILE && chown $DAEMON_UID $PIDFILE
+ fi
+
+ return 0
}
start() {
checkconfig || return 1
ebegin "Starting dante sockd"
- start-stop-daemon --start --quiet --pidfile /var/run/sockd.pid \
- --make-pidfile --exec /usr/sbin/sockd -- ${SOCKD_OPT}
+ start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --make-pidfile --exec /usr/sbin/sockd -- ${SOCKD_OPT} &> /dev/null
eend $? "Failed to start sockd"
}
stop() {
ebegin "Stopping dante sockd"
- start-stop-daemon --stop --quiet --pidfile /var/run/sockd.pid
- eend $? "Failed to stop sockd"
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE
+ eend $? "Failed to stop sockd" || return 1
+
# clean stale pidfile
- [ -f /var/run/sockd.pid ] && rm -f /var/run/sockd.pid
+ [ -f "$PIDFILE" ] && rm -f $PIDFILE
}
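Review bot: `checkconfig` writes root's `sockd -V` output to the fixed, predictable path `/tmp/dante-sockd.checkconf` in a world-writable directory, which is the classic temporary-file race (a pre-existing file or symlink at that name is followed with root privileges), and the file is only removed on the success path, so a rejected config leaves it behind. The temp file is unnecessary: capture the output instead, `if ! checkout=$(/usr/sbin/sockd -V 2>&1); then` followed by `echo "${checkout}"` in place of the `cat`, and drop the `rm /tmp/dante-sockd.checkconf` line. The new `touch $PIDFILE && chown $DAEMON_UID $PIDFILE` block hands the pidfile to the unprivileged daemon uid, yet `start-stop-daemon --make-pidfile` writes it as root; if sockd itself does not need to write the pidfile (worth confirming against the daemon), the chown can go, because a pidfile writable by the service uid lets a compromised service choose which pid the root-run `stop` signals. `$PIDFILE` and `$DAEMON_UID` should also be quoted, as `"$PIDFILE"` already is on the `-f` test in `stop`.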
diff --git a/net-proxy/dante/files/digest-dante-1.1.15-r2 b/net-proxy/dante/files/digest-dante-1.1.15-r2
new file mode 100644
index 000000000000..88330bda9942
--- /dev/null
+++ b/net-proxy/dante/files/digest-dante-1.1.15-r2
@@ -0,0 +1 @@
+MD5 c737faf4ba6282777070d8c0580c3832 dante-1.1.15.tar.gz 839660
diff --git a/net-proxy/dante/files/sockd.conf b/net-proxy/dante/files/sockd.conf
new file mode 100644
index 000000000000..70b18747ba34
--- /dev/null
+++ b/net-proxy/dante/files/sockd.conf
@@ -0,0 +1,243 @@
+# The configfile is divided into two parts; first serversettings,
+# then the rules.
+#
+# The recommended order is:
+# Serversettings:
+# logoutput
+# internal
+# external
+# method
+# clientmethod
+# users
+# compatibility
+# extension
+# connecttimeout
+# iotimeout
+# srchost
+#
+# Rules:
+# client block/pass
+# from to
+# log
+#
+# block/pass
+# from to
+# method
+# command
+# log
+# protocol
+# proxyprotocol
+
+# the server will log both via syslog, to stdout and to /var/log/lotsoflogs
+#logoutput: syslog stdout /var/log/lotsoflogs
+logoutput: syslog
+
+# The server will bind to the address 10.1.1.1, port 1080 and will only
+# accept connections going to that address.
+#internal: 10.1.1.1 port = 1080
+# Alternatively, the interface name can be used instead of the address.
+#internal: eth0 port = 1080
+
+# all outgoing connections from the server will use the IP address
+# 195.168.1.1
+#external: 192.168.1.1
+
+# list over acceptable methods, order of preference.
+# A method not set here will never be selected.
+#
+# If the method field is not set in a rule, the global
+# method is filled in for that rule.
+#
+
+# methods for socks-rules.
+#method: username none #rfc931
+
+# methods for client-rules.
+#clientmethod: none
+
+#or if you want to allow rfc931 (ident) too
+#method: username rfc931 none
+
+#
+# An important section, pay attention.
+#
+
+# when doing something that can require privilege,
+# it will use the userid "sockd".
+user.privileged: sockd
+
+# when running as usual,
+# it will use the unprivileged userid of "sockd".
+user.notprivileged: sockd
+
+#
+# some options to help clients with compatibility:
+#
+
+# when a client connection comes in the socksserver will try to use
+# the same port as the client is using, when the socksserver
+# goes out on the clients behalf (external: IP address).
+# If this option is set, Dante will try to do it for reserved ports aswell.
+# This will usually require user.privileged to be set to "root".
+#compatibility: sameport
+
+# If you are using the bind extension and have trouble running servers
+# via the server, you might try setting this. The consequences of it
+# are unknown.
+#compatibility: reuseaddr
+
+#
+# The Dante server supports some extensions to the socks protocol.
+# These require that the socks client implements the same extension and
+# can be enabled using the "extension" keyword.
+#
+# enable the bind extension.
+#extension: bind
+
+
+#
+#
+# misc options.
+#
+
+# how many seconds can pass from when a client connects til it has
+# sent us it's request? Adjust according to your network performance
+# and methods supported.
+#connecttimeout: 30 # on a lan, this should be enough if method is "none".
+
+# how many seconds can the client and it's peer idle without sending
+# any data before we dump it? Unless you disable tcp keep-alive for
+# some reason, it's probably best to set this to 0, which is
+# "forever".
+#iotimeout: 0 # or perhaps 86400, for a day.
+
+# do you want to accept connections from addresses without
+# dns info? what about addresses having a mismatch in dnsinfo?
+#srchost: nounknown nomismatch
+
+#
+# The actual rules. There are two kinds and they work at different levels.
+#
+# The rules prefixed with "client" are checked first and say who is allowed
+# and who is not allowed to speak/connect to the server. I.e the
+# ip range containing possibly valid clients.
+# It is especially important that these only use IP addresses, not hostnames,
+# for security reasons.
+#
+# The rules that do not have a "client" prefix are checked later, when the
+# client has sent its request and are used to evaluate the actual
+# request.
+#
+# The "to:" in the "client" context gives the address the connection
+# is accepted on, i.e the address the socksserver is listening on, or
+# just "0.0.0.0/0" for any address the server is listening on.
+#
+# The "to:" in the non-"client" context gives the destination of the clients
+# socksrequest.
+#
+# "from:" is the source address in both contexts.
+#
+
+
+# the "client" rules. All our clients come from the net 10.0.0.0/8.
+#
+
+# Allow our clients, also provides an example of the port range command.
+#client pass {
+# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
+# method: rfc931 # match all idented users that also are in passwordfile
+#}
+
+# This is identical to above, but allows clients without a rfc931 (ident)
+# too. In practise this means the socksserver will try to get a rfc931
+# reply first (the above rule), if that fails, it tries this rule.
+#client pass {
+# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
+#}
+
+
+# drop everyone else as soon as we can and log the connect, they are not
+# on our net and have no business connecting to us. This is the default
+# but if you give the rule yourself, you can specify details.
+#client block {
+# from: 0.0.0.0/0 to: 0.0.0.0/0
+# log: connect error
+#}
+
+
+# the rules controlling what clients are allowed what requests
+#
+
+# you probably don't want people connecting to loopback addresses,
+# who knows what could happen then.
+#block {
+# from: 0.0.0.0/0 to: 127.0.0.0/8
+# log: connect error
+#}
+
+# the people at the 172.16.0.0/12 are bad, no one should talk to them.
+# log the connect request.
+#block {
+# from: 0.0.0.0/0 to: 172.16.0.0/12
+# log: connect error
+#}
+
+# unless you need it, you could block any bind requests.
+#block {
+# from: 0.0.0.0/0 to: 0.0.0.0/0
+# command: bind
+# log: connect error
+#}
+
+# or you might want to allow it, for instance "active" ftp uses it.
+# Note that a "bindreply" command must also be allowed, it
+# should usually by from "0.0.0.0/0", i.e if a client of yours
+# has permission to bind, it will also have permission to accept
+# the reply from anywhere.
+#pass {
+# from: 10.0.0.0/8 to: 0.0.0.0/0
+# command: bind
+# log: connect error
+#}
+
+# some connections expect some sort of "reply", this might be
+# the reply to a bind request or it may be the reply to a
+# udppacket, since udp is packetbased.
+# Note that nothing is done to verify that it's a "genuine" reply,
+# that is in general not possible anyway. The below will allow
+# all "replies" in to your clients at the 10.0.0.0/8 net.
+#pass {
+# from: 0.0.0.0/0 to: 10.0.0.0/8
+# command: bindreply udpreply
+# log: connect error
+#}
+
+
+# pass any http connects to the example.com domain if they
+# authenticate with username.
+# This matches "example.com" itself and everything ending in ".example.com".
+#pass {
+# from: 10.0.0.0/8 to: .example.com port = http
+# log: connect error
+# method: username
+#}
+
+# block any other http connects to the example.com domain.
+#block {
+# from: 0.0.0.0/0 to: .example.com port = http
+# log: connect error
+#}
+
+# everyone from our internal network, 10.0.0.0/8 is allowed to use
+# tcp and udp for everything else.
+#pass {
+# from: 10.0.0.0/8 to: 0.0.0.0/0
+# protocol: tcp udp
+#}
+
+# last line, block everyone else. This is the default but if you provide
+# one yourself you can specify your own logging/actions
+#block {
+# from: 0.0.0.0/0 to: 0.0.0.0/0
+# log: connect error
+#}
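Review bot: The comment above the `external` example says the outgoing address is `195.168.1.1` while the directive reads `192.168.1.1`; the comment should match the directive. `user.privileged: sockd` and `user.notprivileged: sockd` make the shipped default run entirely as the unprivileged user created by the ebuild, which is the right least-privilege default, but the inherited comment (`when doing something that can require privilege, it will use the userid "sockd"`) does not say that this deliberately forgoes root-only operations such as the reserved-port behaviour of `compatibility: sameport` noted further down; a line like `# set this to root only if you need privileged operations (see compatibility: sameport)` would make the trade-off explicit. Every `internal:` line is commented out, so presumably the daemon refuses to start until an administrator picks a listen address — if so, a comment stating that this file must be edited before first start would save a trip to the init script's error message.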
diff --git a/net-proxy/dante/files/sockd.conf-with-libwrap.patch b/net-proxy/dante/files/sockd.conf-with-libwrap.patch
new file mode 100644
index 000000000000..97d2a33f71bb
--- /dev/null
+++ b/net-proxy/dante/files/sockd.conf-with-libwrap.patch
@@ -0,0 +1,41 @@
+--- sockd.conf.orig 2005-06-04 13:57:39.770322448 +0300
++++ sockd.conf 2005-06-04 13:47:47.000000000 +0300
+@@ -18,12 +18,14 @@
+ # Rules:
+ # client block/pass
+ # from to
++# libwrap
+ # log
+ #
+ # block/pass
+ # from to
+ # method
+ # command
++# libwrap
+ # log
+ # protocol
+ # proxyprotocol
+@@ -73,6 +75,10 @@
+ # it will use the unprivileged userid of "sockd".
+ user.notprivileged: sockd
+
++# when running libwrap commands,
++# it will use the userid "sockd".
++user.libwrap: sockd
++
+ #
+ # some options to help clients with compatibility:
+ #
+@@ -179,9 +185,11 @@
+ #}
+
+ # the people at the 172.16.0.0/12 are bad, no one should talk to them.
+-# log the connect request.
++# log the connect request and also provide an example on how to
++# interact with libwrap.
+ #block {
+ # from: 0.0.0.0/0 to: 172.16.0.0/12
++# libwrap: spawn finger @%a
+ # log: connect error
+ #}
+
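Review bot: The `---` timestamp of this patch (`13:57:39.770322448`) matches the `+++` timestamp of `sockd.conf-with-pam.patch`, so the hunk offsets (`-73,6` and `-179,9`) describe the PAM-patched file; with USE=tcpd but not pam the second and third hunks apply only through patch's line-offset tolerance, which works today but is fragile — regenerate it against the pristine `sockd.conf` or note the ordering dependency in the ebuild. The added example `libwrap: spawn finger @%a` runs an external command on the proxy host, as the `user.libwrap` uid, once per connection matched by that block rule with the peer address substituted, i.e. in response to unauthenticated traffic; a comment such as `# spawn runs a command per matched connection -- illustrative only, keep it out of production rules` would help readers who copy the block.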
diff --git a/net-proxy/dante/files/sockd.conf-with-pam.patch b/net-proxy/dante/files/sockd.conf-with-pam.patch
new file mode 100644
index 000000000000..d6735a1cf30e
--- /dev/null
+++ b/net-proxy/dante/files/sockd.conf-with-pam.patch
@@ -0,0 +1,12 @@
+--- sockd.conf.orig 2005-06-04 14:01:40.492727080 +0300
++++ sockd.conf 2005-06-04 13:57:39.770322448 +0300
+@@ -58,6 +58,9 @@
+ #or if you want to allow rfc931 (ident) too
+ #method: username rfc931 none
+
++#or for PAM authentification
++#method: pam
++
+ #
+ # An important section, pay attention.
+ #
diff --git a/net-proxy/dante/files/socks.conf b/net-proxy/dante/files/socks.conf
new file mode 100644
index 000000000000..4a7d1520a7b5
--- /dev/null
+++ b/net-proxy/dante/files/socks.conf
@@ -0,0 +1,127 @@
+# The configfile is divided into two parts; first misc. settings,
+# then the routes. Objects in '[]' are optional.
+#
+#
+# recommended order is:
+# [debug]
+# [logoutput]
+# [resolveprotocol]
+#
+# routes:
+# from to via
+# [command]
+# [extension]
+# [protocol]
+# [proxyprotocol]
+
+
+#debug: 1 # uncomment to enable debugging
+
+#logoutput: stdout # users usually don't want to be bothered with that.
+
+# What protocol should be used for resolving hostnames? It's important
+# to set this right.
+#resolveprotocol: udp # default
+#resolveprotocol: tcp # set this if your socksserver only supports socksv4.
+#resolveprotocol: fake # set this if your clients can't access nameserver,
+ # neither directly nor proxied.
+
+
+
+#
+# the routes
+#
+
+# specifying routes for accepting remote connections (via bind()) is
+# difficult since we can't know what the "to:" address is
+# until we actually get the connection Since we support letting
+# the client accept connections both via the proxyserver and
+# "directly" at the same time, we have two options though:
+# a) specify a route for bind (only) first going via the proxyserver.
+# This will also handle "direct" connections.
+# b) specify a route for bind (only) first going "direct".
+# This means clients will only be able to accept "direct"
+# connections.
+
+# we want to accept remote connections via the proxyserver.
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 1080
+# command: bind
+#}
+
+# we do not want to accept remote connections via the proxyserver.
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: direct
+# command: bind
+#}
+
+
+# if you don't route all local connections via direct, you should
+# at least route nameserver connections via direct connections if you
+# can. That can make for much better performance, depending on
+# your setup. Make sure the nameserver line is the first.
+#
+# Assuming your nameserver runs on address 10.1.1.1, you can do it like this:
+#route {
+# from: 0.0.0.0/0 to: 10.1.1.1/32 port = domain via: direct
+#}
+
+
+# have a route making all connections to loopback addresses be direct.
+#route {
+# from: 0.0.0.0/0 to: 127.0.0.0/8 via: direct
+# command: connect udpassociate # everything but bind, bind confuses us.
+#}
+
+# Our net is the 10.0.0.0/8 net, let clients going to local address go
+# direct, not via server.
+#route {
+# from: 0.0.0.0/0 to: 10.0.0.0/8 via: direct
+#}
+
+# for poor souls trapped behind a msproxy server.
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 1745
+# protocol: tcp # server supports tcp
+# proxyprotocol: msproxy_v2 # server runs msproxy_v2
+#}
+
+# clients going anywhere else go via server listening at
+# IP address 10.1.1.1, port 1080. Note that unless you have
+# specified a direct connection for DNS, or the socksserver is resolvable
+# without network traffic, you can't give a hostname for the socksserver,
+# you must give a IP address. (the reasons for that are logical enough,
+# you would create a loop otherwise.)
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 1080
+# protocol: tcp udp # server supports tcp and udp.
+# proxyprotocol: socks_v4 socks_v5 # server supports socks v4 and v5.
+# method: none #username # we are willing to authenticate via
+# # method "none", not "username".
+#}
+
+# this is identical to the above, but it matches hostnames instead.
+# This is if you have clients that are unable to resolve hostnames.
+# It can be important that hostname routes come after address routes.
+#route {
+# from: 0.0.0.0/0 to: . via: 10.1.1.1 port = 1080
+# protocol: tcp udp # server supports tcp and udp.
+# proxyprotocol: socks_v4 socks_v5 # server supports socks v4 and v5.
+# method: none #username # we are willing to authenticate via
+# # method "none", not "username".
+#}
+
+# identical to above two routes, but using a httpproxy instead.
+#
+
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 3128
+# command: connect # only thing a httproxy supports.
+# proxyprotocol: http_v1.0
+#}
+
+#route {
+# from: 0.0.0.0/0 to: . via: 10.1.1.1 port = 3128
+# command: connect # only thing a httproxy supports.
+# proxyprotocol: http_v1.0
+#}