X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/preload-hacks/blobdiff_plain/f6049fdd4722ff4a4a0cfc6498653ce101a7e646..ba98b375ff7fd7c5c848d650d50848c4ef4c1d65:/noip.1 diff --git a/noip.1 b/noip.1 index d11ce7d..a79a872 100644 --- a/noip.1 +++ b/noip.1 @@ -79,10 +79,8 @@ reads configuration from .B .noip in the calling user's home directory, as determined by the .B HOME -environment, or, failing that, looking up the -.I real -(not effective) user id in the password database. However, if the -environment variable +environment, or, failing that, looking up the effective user id in the +password database. However, if the environment variable .B NOIP_CONFIG is set, then the file it names is read instead (assuming it exists; if it doesn't, no configuration is read). @@ -177,6 +175,43 @@ rules are appended on the end. Currently, the rules in are also put at the end (before the .B _AFTER rules), though this may change later. +.TP +.BI "impbind " bind-rule +Add an entry to the implicit-bind rule list. When a program attempts to +.BR connect (2) +a socket without binding its local address first, +.B noip +consults this list to decide on the correct local address to assign. +Each entry in the list has the form +.RS +.IP +.I address-range +.IR address | \c +.B same +.PP +The rules are tried in order: if the remote address matches (in the same +way as in an ACL entry) the address range on the left side of the rule, +then the socket is bound to the address from the right side; if the +address on the right is +.B same +then the remote address is used. +.PP +Three environment variables +are consulted too: +.BR NOIP_IMPBIND_BEFORE , +.BR NOIP_IMPBIND , +and +.BR NOIP_IMPBIND_AFTER . +The +.B _BEFORE +rules are inserted at the front of the list; the +.B _AFTER +rules are appended on the end. Currently, the rules in +.B NOIP_IMPBIND +are also put at the end (before the +.B _AFTER +rules), though this may change later. +.RE .PP (Aside: An attempt to connect to a remote host may not be a hopeless failure, even if a real IP socket is denied: @@ -191,28 +226,22 @@ An is a comma-separated list of entries of the form: .IP .BR + | \- -.IR address \c -.RB [ \- \c -.IR address | \c -.BR / \c -.IR mask ]| \c -.BR local | any +.I address-range .RB [ : \c -.IR port [ \c -.BI \- \c -.IR port ]] +.IR port-range ] .PP (The spaces in the above are optional.) .PP -The leading sign says whether -matching addresses should be +The leading sign says whether matching addresses should be .I accepted .RB (` + ') or .I denied .RB (` \- '). .PP -The IP-address portion may be any of the following +The +.I address-range +portion may be any of the following. .TP .B any Matches all addresses. @@ -221,20 +250,22 @@ Matches all addresses. Matches the address of one of the machine's network interfaces. .TP .I address -Matches just the given address +Matches just the given IPv4 or IPv6 address. An +.I address +may be enclosed in square brackets; IPv6 addresses must be so enclosed, +because colons are significant in the rest of the ACL syntax. .TP .IB address \- address Matches any address which falls in the given range. Addresses are compared lexicographically, with octets to the left given precedence over octets to the right. .TP -.IB address / mask -Matches an address in the given network. The -.I mask -may be a netmask in dotted-quad form, or a one-bit-count. +.IB address / prefix-length +Matches an address in the given network. .PP -The port portion may be omitted (which means `match any port'), or may -be a single +The +.I port-range +may be omitted (which means `match any port'), or may be a single .I port or a range .IB port \- port @@ -251,7 +282,7 @@ is empty, the default is to deny all addresses. For example, it may be useful to allow access at least to a DNS server. This can be accomplished by adding a line .VS -realconnect +1.2.3.4:52 +realconnect +1.2.3.4:53 .VE to the configuration file, where 1.2.3.4 is the IP address of one of your DNS server. @@ -282,9 +313,9 @@ port to himself or a small group. is implemented as an .B LD_PRELOAD hack. It won't work on setuid programs. Also, perhaps more -importantly, it can't do anything a +importantly, it can't do anything to prevent a .I malicious -program use of networking: a program could theoretically issue sockets +program's use of networking: a program could theoretically issue sockets system calls directly instead of using the C library calls that .B noip intercepts. It is intended only as a tool for enhancing the security of @@ -319,4 +350,4 @@ child processes will be unaffected. .PP This manual is surprisingly long and complicated for such a simple hack. .SH AUTHOR -Mark Wooding, +Mark Wooding,