.B .noip
in the calling user's home directory, as determined by the
.B HOME
-environment, or, failing that, looking up the
-.I real
-(not effective) user id in the password database. However, if the
-environment variable
+environment, or, failing that, looking up the effective user id in the
+password database. However, if the environment variable
.B NOIP_CONFIG
is set, then the file it names is read instead (assuming it exists; if
it doesn't, no configuration is read).
.B NOIP_SOCKETDIR
can also be used to control which directory is used for sockets.
.TP
+.BI "autoports " min "\-" max
+Select which ports are used for implicit binding. Allocating ports can
+be a bit slow, since checking whether a Unix domain socket is in use is
+difficult. A wide range makes things easier, because
+.B noip
+starts by trying ports at random from the given range. The environment
+variable
+.B NOIP_AUTOPORTS
+can also be used to control which ports are assigned automatically.
+.TP
.BI "realbind " acl-entry
Add an entry to the
.B realbind
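Review bot: the replaced text deliberately said "real (not effective) user id", so the switch to the effective uid needs a one-line justification here or in the commit message: the two only differ in setuid/setgid or privilege-dropping programs, and the BUGS text later in this page says setuid programs are unsupported anyway, so a reader will wonder why the lookup changed. For the new "autoports" entry, state the default range used when neither the directive nor NOIP_AUTOPORTS is set, and what happens when every port in the range is in use; "can be a bit slow" would also read better with the reason spelled out (each candidate port has to be probed because a Unix domain socket's availability cannot be checked cheaply).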
are also put at the end (before the
.B _AFTER
rules), though this may change later.
+.TP
+.BI "impbind " bind-rule
+Add an entry to the implicit-bind rule list. When a program attempts to
+.BR connect (2)
+a socket without binding its local address first,
+.B noip
+consults this list to decide on the correct local address to assign.
+Each entry in the list has the form
+.RS
+.IP
+.I address-range
+.IR address | \c
+.B same
+.PP
+The rules are tried in order: if the remote address matches (in the same
+way as in an ACL entry) the address range on the left side of the rule,
+then the socket is bound to the address from the right side; if the
+address on the right is
+.B same
+then the remote address is used.
+.PP
+Three environment variables
+are consulted too:
+.BR NOIP_IMPBIND_BEFORE ,
+.BR NOIP_IMPBIND ,
+and
+.BR NOIP_IMPBIND_AFTER .
+The
+.B _BEFORE
+rules are inserted at the front of the list; the
+.B _AFTER
+rules are appended on the end. Currently, the rules in
+.B NOIP_IMPBIND
+are also put at the end (before the
+.B _AFTER
+rules), though this may change later.
+.RE
.PP
(Aside: An attempt to connect to a remote host may not be a hopeless failure,
even if a real IP socket is denied:
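Review bot: the "impbind" entry never says what happens when no rule matches the remote address, so document the fallback (whatever local address the program ends up with, or a failed connect). The meaning of ".B same" ("the remote address is used") is ambiguous for a local-address choice; say explicitly that the socket is bound to the remote address itself. Finally, the sentence "Currently, the rules in NOIP_IMPBIND are also put at the end (before the _AFTER rules), though this may change later" is copied verbatim from the "realbind" entry above; a shared paragraph on how the _BEFORE, plain and _AFTER environment variables are merged, referenced from each directive, would avoid the two drifting apart.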
is a comma-separated list of entries of the form:
.IP
.BR + | \-
-.IR address \c
-.RB [ \- \c
-.IR address | \c
-.BR / \c
-.IR mask ]| \c
-.BR local | any
+.I address-range
.RB [ : \c
-.IR port [ \c
-.BI \- \c
-.IR port ]]
+.IR port-range ]
.PP
(The spaces in the above are optional.)
.PP
-The leading sign says whether
-matching addresses should be
+The leading sign says whether matching addresses should be
.I accepted
.RB (` + ')
or
.I denied
.RB (` \- ').
.PP
-The IP-address portion may be any of the following
+The
+.I address-range
+portion may be any of the following.
.TP
.B any
Matches all addresses.
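Review bot: the new synopsis is ".I address-range [:port-range]" with the spaces optional, but the accepted shapes of a port range are only given in prose further down ("a single port or a range port-port"), and the bracket requirement for IPv6 addresses is introduced only under the "address" item; a worked entry such as "+[::1]:53" or "+1.2.3.4-1.2.3.7:1024-65535" right after "(The spaces in the above are optional.)" would make the grammar concrete. Also, with the comma-separated list and the colon both significant, note whether whitespace around the comma is tolerated as well.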
Matches the address of one of the machine's network interfaces.
.TP
.I address
-Matches just the given address
+Matches just the given IPv4 or IPv6 address. An
+.I address
+may be enclosed in square brackets; IPv6 addresses must be so enclosed,
+because colons are significant in the rest of the ACL syntax.
.TP
.IB address \- address
Matches any address which falls in the given range. Addresses are
compared lexicographically, with octets to the left given precedence
over octets to the right.
.TP
-.IB address / mask
-Matches an address in the given network. The
-.I mask
-may be a netmask in dotted-quad form, or a one-bit-count.
+.IB address / prefix-length
+Matches an address in the given network.
.PP
-The port portion may be omitted (which means `match any port'), or may
-be a single
+The
+.I port-range
+may be omitted (which means `match any port'), or may be a single
.I port
or a range
.IB port \- port
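Review bot: the "address / mask" item drops the sentence "may be a netmask in dotted-quad form, or a one-bit-count" in favour of "prefix-length" only. If the parser still accepts dotted-quad netmasks this silently under-documents a supported form; if it no longer does, existing configuration files using "1.2.3.0/255.255.255.0" will stop parsing and that is a compatibility change worth calling out explicitly. For the new IPv6 text, say where the square brackets go in the range and prefix forms ("[addr]-[addr]" and "[addr]/prefix-length", or brackets around the whole expression), since the "address-range" synopsis above does not show them; and check that "compared lexicographically, with octets to the left given precedence" still describes IPv6 comparison correctly.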
For example, it may be useful to allow access at least to a DNS server.
This can be accomplished by adding a line
.VS
-realconnect +1.2.3.4:52
+realconnect +1.2.3.4:53
.VE
to the configuration file, where 1.2.3.4 is the IP address of one of
your DNS server.
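Review bot: the port correction from 52 to 53 is right (DNS is port 53), and since this is the page's only concrete example it was worth fixing. While touching this paragraph, "the IP address of one of your DNS server" should read "servers", and it would help to say that the entry must appear before any denying rule, given that the rules are tried in order as described above.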
is implemented as an
.B LD_PRELOAD
hack. It won't work on setuid programs. Also, perhaps more
-importantly, it can't do anything a
+importantly, it can't do anything to prevent a
.I malicious
-program use of networking: a program could theoretically issue sockets
+program's use of networking: a program could theoretically issue sockets
system calls directly instead of using the C library calls that
.B noip
intercepts. It is intended only as a tool for enhancing the security of
.PP
This manual is surprisingly long and complicated for such a simple hack.
.SH AUTHOR
-Mark Wooding, <mdw@nsict.org>
+Mark Wooding, <mdw@distorted.org.uk>