# # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: set # # set option name: # # SS5_DNSORDER -> order dns answer # SS5_VERBOSE -> enable verbose output to be written into logfile # SS5_DEBUG -> enable debug output to be written into logfile # SS5_CONSOLE -> enable web console # SS5_ATIMEOUT -> for future uses # SS5_STIMEOUT -> set session idle timeout (default 1800 seconds, # 0 for infinite) # SS5_LDAP_TIMEOUT -> set ldap query timeout # SS5_LDAP_BASE -> set BASE method for profiling (see PROFILING section) # It is default option! # SS5_LDAP_FILTER -> set FILTER method for profiling (see PROFILING # section) # SS5_SRV -> enable ss5srv admin tool # SS5_PAM_AUTH -> set PAM authentication # SS5_RADIUS_AUTH -> set RADIUS authentication # SS5_RADIUS_INTERIM_INT -> set interval beetwen interim update packet # SS5_RADIUS_INTERIM_TIMEOUT -> set interim response timeout # SS5_AUTHCACHEAGE -> set age in seconds for authentication cache # SS5_AUTHOCACHEAGE -> set age in seconds for authorization cache # SS5_STICKYAGE -> set age for affinity # SS5_STICKYSESSION -> enable affinity session # SS5_SUPAKEY -> set SUPA secret key (default SS5_SERVER_S_KEY) # SS5_ICACHESERVER -> set internet address of ICP server # SS5_GSS_PRINC -> set GSS service principal # SS5_PROCESSLIFE -> set number of requests process must servs before # closing # SS5_NETBIOS_DOMAIN -> enable netbios domain mapping with directory store, # during autorization process # SS5_SYSLOG_FACILITY -> set syslog facility # SS5_SYSLOG_LEVEL -> set syslog level # # /////////////////////////////////////////////////////////////////////////////////// # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: auth # # auth source host, source port, authentication type # # Some examples: # # Authentication from 10.253.8.0 network # auth 10.253.8.0/22 - u # # Fake authentication from 10.253.0.0 network. In this case, ss5 request # authentication but doesn't check for password. Use fake authentication # for logging or profiling purpose. # auth 10.253.0.0/16 - n # # Fake authentication: ss5 doesn't check for correct password but fetchs # username for profiling. # auth 0.0.0.0/0 - n # # TAG: external_auth_program # # external_auth_program program name and path # # Some examples: # # Use shell file to autheticate user via ldap query # external_auth_program /usr/local/bin/ldap.sh # # TAG: RADIUS authentication could be used setting SS5_RADIUS_AUTH option and # configuring the following attributes: # # radius_ip (radius address) # radius_bck_ip (radius secondary address) # radius_auth_port (radius authentication port, DFAULT = 1812) # radius_acct_port (radius authorization port, DFAULT = 1813) # radius_secret (secret password betw # # # # /////////////////////////////////////////////////////////////////////////////////// # SHost SPort Authentication # #auth 0.0.0.0/0 - - # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: bandwidth # # bandwidth group, max number of connections, bandwidth, session timeout # # Some examples: # # Limit connections to 2 for group Admin # bandwidth Admin 2 - - # # Limit bandwidth to 100k for group Users # bandwidth Users - 102400 - # # note: if you enable bandwith profiling per user, SS5 use this value instead of # value specified into permit directive. # # /////////////////////////////////////////////////////////////////////////////////// # Group MaxCons Bandwidth Session timeout # bandwidth grp1 5 - - # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: proxy/noproxy # # proxy/noproxy dst host/network, dst port, socks proxy address, port address, ver # # Some examples: # # Proxy request for 172.0.0.0 network to socks server 10.253.9.240 on port 1081: # # if authentication is request, downstream socks server have to check it; # if resolution is request, downstream socks server does it before proxying # the request toward the upstream socks server. # proxy 172.0.0.0/16 - 10.253.9.240 1081 # # SS5 makes direct connection to 10.253.0.0 network (in this case, port value is not # verified) without using upstream proxy server # noproxy 0.0.0.0/0 - 10.253.0.0/16 1080 - # # /////////////////////////////////////////////////////////////////////////////////// # DHost/Net DPort DProxyip DProxyPort SocksVer # # proxy 0.0.0.0/0 - 1.1.1.1 - - # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: dump # # dump host/network, port, s/d (s=source d=destination), dump mode (r=rx, t=tx, b=rx+tx) # # Some examples: # # Dump traffic for 172.30.1.0 network on port 1521: # # if authentication is request, downstream socks server have to check it; # if resolution is request, downstream socks server does it before proxying # the request toward the upstream socks server. # dump 172.30.1.0/24 1521 d b # # /////////////////////////////////////////////////////////////////////////////////// # DHost/Net DPort Dir Dump mode (r=rx,t=tx,b=rx+tx) # # dump 0.0.0.0/0 - d t # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: permit/deny # permit/deny src auth flag, host/network, src port, dst host/network, dst port, # fixup, group, bandwidth (from 256 bytes per second to 2147483647), expdate # # Some examples: # # FTP Control + Passive Mode # permit - 0.0.0.0/0 - 172.0.0.0/8 21 - - - - # # FTP DATA Active Mode # permit - 0.0.0.0/0 - 172.0.0.0/8 21 - - - - # permit - 172.0.0.0/8 - 0.0.0.0/0 - - - - - # # Query DNS # permit - 0.0.0.0/0 - 172.30.0.1/32 53 - - - - # # Http + fixup # permit - 0.0.0.0/0 - www.example.com 80 http - - - # # Http + fixup + profile + bandwidth (bytes x second) # permit - 0.0.0.0/0 - www.example.com 80 http admin 10240 - # # Sftp + profile + bandwidth (bytes x second) # permit - 0.0.0.0/0 - sftp.example.com 22 - developer 102400 - # # Http + fixup # permit - 0.0.0.0/0 - web.example.com 80 - - - - # # Http + fixup + user autentication required with expiration date to 31/12/2006 # permit u 0.0.0.0/0 - web.example.com 80 - - - 31-12-2006 # # Deny all connection to web.example.com # deny - 0.0.0.0/0 - web.example.com - - - - - # # # ///////////////////////////////////////////////////////////////////////////////////////////////// # Auth SHost SPort DHost DPort Fixup Group Band ExpDate # #permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - - # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # 1) File profiling: # # ss5 look for a file name specified in permit line in the /etc/ss5 directory. # This file must contain user members. File profiling is the default option. # # 2) Ldap profiling: # # ldap_profile_ip (directory internet address) # ldap_profile_port (directory port) # ldap_profile_base (ss5 replaces % with "group specified in permit line" # if SS5LDAP_BASE if specified, otherwise if # SS5LDAP_FILTER is specified, it uses base and search # for group as attribute in user entry; see examples) # ldap_profile_filter (ss5 uses filter for search operation) # ldap_profile_dn (directory manager or another user authorized to # query the directory) # ldap_profile_pass ("dn" password) # ldap_netbios_domain (If SS5_NETBIOS_DOMAIN option is set, ss5 map netbios # domain user in authentication request with his configured # directory sever. Otherwise no match is done and # directory are contacted in order of configuration) # # 3) Mysql profiling: # # mysql_profile_ip (mysql server internet address) # mysql_profile_db (mysql db ) # mysql_profile_user (mysql username ) # mysql_profile_pass (mysql password ) # mysql_profile_sqlstring (sql base string for query. DEFAULT 'SELECT uname FROM grp WHERE gname like' ) # # Some examples: # # Directory configuration for ldap profiling with SS5_LDAP_BASE option: # in this case, ss5 look for attribute uid="username" with base ou="group", # dc=example,dc=com where group is specified in permit line as # "permit - - - - - group - - # # Note: in this case, attribute value is not userd # # ldap_profile_ip 10.10.10.1 # ldap_profile_port 389 # ldap_profile_base ou=%,dc=example,dc=com # ldap_profile_filter uid # ldap_profile_attribute gid # ldap_profile_dn cn=root,dc=example,dc=com # ldap_profile_pass secret # ldap_netbios_domain dir # # Directory configuration for ldap profiling with SS5_LDAP_FILTER option: # in this case, ss5 look for attributes uid="username" & "gid=group" with # base dc=example,dc=com where group is specified in permit line as # "permit - - - - - group - - # # Note: you can also use a base like "ou=%,dc=example,dc=com", where % # will be replace with "group". # # ldap_profile_ip 10.10.10.1 # ldap_profile_port 389 # ldap_profile_base ou=Users,dc=example,dc=com # ldap_profile_filter uid # ldap_profile_attribute gecos # ldap_profile_dn cn=root,dc=example,dc=com # ldap_profile_pass secret # ldap_domain_domain dir # # Sample OpenLdap log: # conn=304 op=0 BIND dn="cn=root,dc=example,dc=com" mech=simple ssf=0 # conn=304 op=0 RESULT tag=97 err=0 text= # conn=304 op=1 SRCH base="ou=Users,dc=example,dc=com" scope=1 filter="(&(uid=usr1)(gecos=Users))" # conn=304 op=1 SRCH attr=gecos # # where ldap entry is: # dn: uid=usr1,ou=Users,dc=example,dc=com # uid: usr1 # cn: usr1 # objectClass: account # objectClass: posixAccount # objectClass: top # userPassword:: dXNyMQ== # loginShell: /bin/bash # homeDirectory: /home/usr1 # uidNumber: 1 # gidNumber: 1 # gecos: Users # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: virtual # # virtual virtual identification (vid), real ip server # # Some examples: # # Two vip balancing on three real server each one # virtual 1 172.30.1.1 # virtual 1 172.30.1.2 # virtual 1 172.30.1.3 # # virtual 2 172.30.1.6 # virtual 2 172.30.1.7 # virtual 2 172.30.1.8 # # Note: Server balancing only works with -t option, (threaded mode) and ONLY # with "connect" operation. # # /////////////////////////////////////////////////////////////////////////////////// # Vid Real ip # #vitual - -