프록시서버(Socks4/5 Dante)를 설치하고 실행하니... 이런 오류

FreeBSD 5.0에서
dante-1.1.13 A circuit-level firewall/proxy
를 설치했지요...

용도는 방화벽 내부에서 기필코 메신저를 좀 써보고자해서
말예요...

디버깅 모드로 실행하고 접속을 해보면서...
어디에서 문제가 발생하는지 쫓아가봤지만...
잘 모르겠네요...

Nov 4 02:28:21 sockd[35840]: pass(1): tcp/connect ]: 192.168.0.21.4004 -> 207.46.104.20.1863: Permission denied

주루룩 내려가다보면... 위의 내용처럼... 퍼미션 거부가 발생하는데...
환경파일에 이 부분도 추가를 했는데... 방법이 틀렸는지...
잘 안되네요...
-----------------------
root# sockd -d
Nov 4 02:28:15 sockd[35838]: socks_seteuid(): old: 0, new: 65534
Nov 4 02:28:15 sockd[35838]: socks_reseteuid(): current: 65534, new: 0
Nov 4 02:28:15 sockd[35838]: socks_seteuid(): old: 0, new: 65534
Nov 4 02:28:15 sockd[35838]: socks_reseteuid(): current: 65534, new: 0
Nov 4 02:28:15 sockd[35838]: socks_seteuid(): old: 0, new: 0
Nov 4 02:28:15 sockd[35838]: socks_reseteuid(): current: 0, new: 0
Nov 4 02:28:15 sockd[35838]: socks_seteuid(): old: 0, new: 0
Nov 4 02:28:15 sockd[35838]: socks_reseteuid(): current: 0, new: 0
Nov 4 02:28:15 sockd[35838]: socks_seteuid(): old: 0, new: 0
Nov 4 02:28:15 sockd[35838]: socks_reseteuid(): current: 0, new: 0
Nov 4 02:28:15 sockd[35838]: internal addresses (3):
Nov 4 02:28:15 sockd[35838]: 127.0.0.1.1080
Nov 4 02:28:15 sockd[35838]: 192.168.0.1.1080
Nov 4 02:28:15 sockd[35838]: 61.73.5.224.1080
Nov 4 02:28:15 sockd[35838]: external addresses (1):
Nov 4 02:28:15 sockd[35838]: address: lo0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: external address rotation: none
Nov 4 02:28:15 sockd[35838]: compatibility options:
Nov 4 02:28:15 sockd[35838]: extensions enabled:
Nov 4 02:28:15 sockd[35838]: logoutput goes to: "stderr",
Nov 4 02:28:15 sockd[35838]: cmdline options:
"configfile": "/usr/local/etc/sockd.conf",
"daemon": "0",
"debug": "1",
"keepalive": "1",
"linebuffer": "1",
"servercount": "1",
Nov 4 02:28:15 sockd[35838]: resolveprotocol: udp
Nov 4 02:28:15 sockd[35838]: srchost:
"nomismatch": "0",
"nounknown": "0",
Nov 4 02:28:15 sockd[35838]: negotiate timeout: 120s
Nov 4 02:28:15 sockd[35838]: i/o timeout: 86400s
Nov 4 02:28:15 sockd[35838]: euid: 0
Nov 4 02:28:15 sockd[35838]: userid:
"privileged": "root",
"unprivileged": "nobody",
"libwrap": "nobody",
Nov 4 02:28:15 sockd[35838]: child.maxidlenumber: 0
Nov 4 02:28:15 sockd[35838]: method(s): username, none
Nov 4 02:28:15 sockd[35838]: clientmethod(s): none
Nov 4 02:28:15 sockd[35838]: client-rules (6):
Nov 4 02:28:15 sockd[35838]: client-rule #1, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 203.245.0.0/8, tcp: 1, udp : 1, op: range, end: 65535
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: method(s): none,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: client-rule #2, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 192.168.0.0/8, tcp: 1, udp : 1, op: range, end: 65535
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: method(s): none,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: client-rule #3, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 127.0.0.0/8, tcp: 1, udp : 1, op: range, end: 65535
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: method(s): none,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: client-rule #4, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 211.0.0.0/8, tcp: 1, udp : 1, op: range, end: 65535
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: method(s): none,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: client-rule #5, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 61.0.0.0/8, tcp: 1, udp : 1, op: range, end: 65535
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: method(s): none,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: client-rule #6, line #0
Nov 4 02:28:15 sockd[35838]: verdict: block
Nov 4 02:28:15 sockd[35838]: src: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: method(s): none,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: socks-rules (6):
Nov 4 02:28:15 sockd[35838]: socks-rule #1, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 192.168.0.0/8, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect from: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect to: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: command(s): bind, bindreply, connect, udpassociate, udpreply,
Nov 4 02:28:15 sockd[35838]: extension(s):
Nov 4 02:28:15 sockd[35838]: protocol(s): tcp, udp,
Nov 4 02:28:15 sockd[35838]: method(s): username, none,
Nov 4 02:28:15 sockd[35838]: proxyprotocol(s): socks v4, socks v5,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: socks-rule #2, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 127.0.0.0/8, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect from: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect to: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: command(s): bind, bindreply, connect, udpassociate, udpreply,
Nov 4 02:28:15 sockd[35838]: extension(s):
Nov 4 02:28:15 sockd[35838]: protocol(s): tcp, udp,
Nov 4 02:28:15 sockd[35838]: method(s): username, none,
Nov 4 02:28:15 sockd[35838]: proxyprotocol(s): socks v4, socks v5,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: socks-rule #3, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 211.0.0.0/8, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect from: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect to: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: command(s): bind, bindreply, connect, udpassociate, udpreply,
Nov 4 02:28:15 sockd[35838]: extension(s):
Nov 4 02:28:15 sockd[35838]: protocol(s): tcp, udp,
Nov 4 02:28:15 sockd[35838]: method(s): username, none,
Nov 4 02:28:15 sockd[35838]: proxyprotocol(s): socks v4, socks v5,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: socks-rule #4, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 61.0.0.0/8, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect from: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect to: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: command(s): bind, bindreply, connect, udpassociate, udpreply,
Nov 4 02:28:15 sockd[35838]: extension(s):
Nov 4 02:28:15 sockd[35838]: protocol(s): tcp, udp,
Nov 4 02:28:15 sockd[35838]: method(s): username, none,
Nov 4 02:28:15 sockd[35838]: proxyprotocol(s): socks v4, socks v5,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: socks-rule #5, line #0
Nov 4 02:28:15 sockd[35838]: verdict: pass
Nov 4 02:28:15 sockd[35838]: src: address: 207.0.0.0/8, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: dst: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect from: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect to: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: command(s): bind, bindreply, connect, udpassociate, udpreply,
Nov 4 02:28:15 sockd[35838]: extension(s):
Nov 4 02:28:15 sockd[35838]: protocol(s): tcp, udp,
Nov 4 02:28:15 sockd[35838]: method(s): username, none,
Nov 4 02:28:15 sockd[35838]: proxyprotocol(s): socks v4, socks v5,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: socks-rule #6, line #0
Nov 4 02:28:15 sockd[35838]: verdict: block
Nov 4 02:28:15 sockd[35838]: src: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: dst: address: 127.0.0.0/8, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect from: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: redirect to: address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0
Nov 4 02:28:15 sockd[35838]: command(s): bind, bindreply, connect, udpassociate, udpreply,
Nov 4 02:28:15 sockd[35838]: extension(s):
Nov 4 02:28:15 sockd[35838]: protocol(s): tcp, udp,
Nov 4 02:28:15 sockd[35838]: method(s): username, none,
Nov 4 02:28:15 sockd[35838]: proxyprotocol(s): socks v4, socks v5,
Nov 4 02:28:15 sockd[35838]: log: connect, disconnect, error, iooperation,
Nov 4 02:28:15 sockd[35838]: socks_seteuid(): old: 0, new: 65534
Nov 4 02:28:15 sockd[35838]: socks_seteuid(): old: 65534, new: 0
Nov 4 02:28:15 sockd[35838]: socks_seteuid(): old: 0, new: 65534
Nov 4 02:28:15 sockd[35839]: created new negotiatorchild
Nov 4 02:28:15 sockd[35839]: selectn(), timeout = NULL
Nov 4 02:28:15 sockd[35840]: created new requestchild
Nov 4 02:28:15 sockd[35841]: created new requestchild
Nov 4 02:28:15 sockd[35842]: created new requestchild
Nov 4 02:28:15 sockd[35843]: created new requestchild
Nov 4 02:28:15 sockd[35838]: dante/server v1.1.13 running
Nov 4 02:28:15 sockd[35844]: created new iochild
Nov 4 02:28:15 sockd[35844]: selectn(), timeout = NULL

Nov 4 02:28:20 sockd[35838]: selectn(), tv_sec = 0, tv_usec = 0
Nov 4 02:28:20 sockd[35838]: got accept(): 192.168.0.21.4004
Nov 4 02:28:20 sockd[35839]: accessmatch(): method: none, 192.168.0.21.4004 -> 61.73.5.224.1080
Nov 4 02:28:20 sockd[35839]: addressmatch(): address: 203.245.0.0/8, tcp: 1, udp : 1, op: range, end: 65535, 192.168.0.21.4004, tcp, 0
Nov 4 02:28:20 sockd[35839]: accessmatch(): method: none, 192.168.0.21.4004 -> 61.73.5.224.1080
Nov 4 02:28:20 sockd[35839]: addressmatch(): address: 192.168.0.0/8, tcp: 1, udp : 1, op: range, end: 65535, 192.168.0.21.4004, tcp, 0
Nov 4 02:28:20 sockd[35839]: addressmatch(): address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0, 61.73.5.224.1080, tcp, 0
Nov 4 02:28:20 sockd[35839]: pass(2): tcp/accept [: 192.168.0.21.4004 -> 61.73.5.224.1080
Nov 4 02:28:20 sockd[35839]: selectn(), tv_sec = 120, tv_usec = 0
Nov 4 02:28:21 sockd[35839]: recv_username(): got socks v4 username:
Nov 4 02:28:21 sockd[35839]: selectn(), timeout = NULL
Nov 4 02:28:21 sockd[35839]: sending request to mother
Nov 4 02:28:21 sockd[35839]: selectn(), timeout = NULL
Nov 4 02:28:21 sockd[35838]: selectn(), tv_sec = 0, tv_usec = 0
Nov 4 02:28:21 sockd[35840]: received request: (V4) VN: 4 CD: 1 address: 207.46.104.20.1863
Nov 4 02:28:21 sockd[35840]: accessmatch(): method: none, 192.168.0.21.4004 -> 61.73.5.224.1080
Nov 4 02:28:21 sockd[35840]: addressmatch(): address: 192.168.0.0/8, tcp: 0, udp : 0, op: none, end: 0, 192.168.0.21.4004, tcp, 0
Nov 4 02:28:21 sockd[35840]: addressmatch(): address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0, 207.46.104.20.1863, tcp, 0
Nov 4 02:28:21 sockd[35840]: pass(1): tcp/connect [: 192.168.0.21.4004 -> 207.46.104.20.1863
Nov 4 02:28:21 sockd[35840]: pass(1): tcp/connect ]: 192.168.0.21.4004 -> 207.46.104.20.1863: Permission denied
Nov 4 02:28:21 sockd[35840]: send_response(): sending response: (V4) VN: 0 CD: 91 address: 207.46.104.20.1863
Nov 4 02:28:22 sockd[35845]: created new requestchild
Nov 4 02:28:23 sockd[35838]: selectn(), tv_sec = 0, tv_usec = 0
Nov 4 02:28:23 sockd[35838]: got accept(): 192.168.0.21.4005
Nov 4 02:28:23 sockd[35839]: accessmatch(): method: none, 192.168.0.21.4005 -> 61.73.5.224.1080
Nov 4 02:28:23 sockd[35839]: addressmatch(): address: 203.245.0.0/8, tcp: 1, udp : 1, op: range, end: 65535, 192.168.0.21.4005, tcp, 0
Nov 4 02:28:23 sockd[35839]: accessmatch(): method: none, 192.168.0.21.4005 -> 61.73.5.224.1080
Nov 4 02:28:23 sockd[35839]: addressmatch(): address: 192.168.0.0/8, tcp: 1, udp : 1, op: range, end: 65535, 192.168.0.21.4005, tcp, 0
Nov 4 02:28:23 sockd[35839]: addressmatch(): address: 0.0.0.0/0, tcp: 0, udp : 0, op: none, end: 0, 61.73.5.224.1080, tcp, 0
Nov 4 02:28:23 sockd[35839]: pass(2): tcp/accept [: 192.168.0.21.4005 -> 61.73.5.224.1080
Nov 4 02:28:23 sockd[35839]: selectn(), tv_sec = 120, tv_usec = 0
Nov 4 02:28:23 sockd[35839]: unknown version 80 in request
Nov 4 02:28:23 sockd[35839]: pass(2): tcp/accept ]: 192.168.0.21.4005 -> 61.73.5.224.1080: socks protocol error
Nov 4 02:28:23 sockd[35839]: selectn(), timeout = NULL

================== 아래는 환경파일입니다.

# $Id: sockd.conf,v 1.41 2001/12/12 13:56:41 karls Exp $
#
# A sample sockd.conf
#
#
# The configfile is divided into two parts; first serversettings,
# then the rules.
#
# The recommended order is:
# Serversettings:
# logoutput
# internal
# external
# method
# clientmethod
# users
# compatibility
# extension
# connecttimeout
# iotimeout
# srchost
#
# Rules:
# client block/pass
# from to
# libwrap
# log
#
# block/pass
# from to
# method
# command
# libwrap
# log
# protocol
# proxyprotocol

# the server will log both via syslog, to stdout and to /var/log/lotsoflogs
#logoutput: syslog stdout /var/log/lotsoflogs
logoutput: stderr

# The server will bind to the address 10.1.1.1, port 1080 and will only
# accept connections going to that address.
#internal: 10.1.1.1 port = 1080
internal: 127.0.0.1 port = 1080
internal: 192.168.0.1 port = 1080
# Alternatively, the interface name can be used instead of the address.
internal: tun0 port = 1080

# all outgoing connections from the server will use the IP address
# 195.168.1.1
#external: tun0
external: lo0

# list over acceptable methods, order of preference.
# A method not set here will never be selected.
#
# If the method field is not set in a rule, the global
# method is filled in for that rule.
#

# methods for socks-rules.
#method: username none #rfc931
method: username none #rfc931

# methods for client-rules.
#clientmethod: none
clientmethod: none

#or if you want to allow rfc931 (ident) too
#method: username rfc931 none

#or for PAM authentification
#method: pam

#
# An important section, pay attention.
#

# when doing something that can require privilege, it will use the
# userid "sockd".
#user.privileged: sockd

# when running as usual, it will use the unprivileged userid of "sockd".
#user.notprivileged: sockd
user.notprivileged: nobody

# If you compiled with libwrap support, what userid should it use
# when executing your libwrap commands? "libwrap".
#user.libwrap: libwrap
user.libwrap: nobody

#
# some options to help clients with compatibility:
#

# when a client connection comes in the socksserver will try to use
# the same port as the client is using, when the socksserver
# goes out on the clients behalf (external: IP address).
# If this option is set, Dante will try to do it for reserved ports aswell.
# This will usually require user.privileged to be set to "root".
#compatibility: sameport

# If you are using the bind extension and have trouble running servers
# via the server, you might try setting this. The consequences of it
# are unknown.
#compatibility: reuseaddr

#
# The Dante server supports some extensions to the socks protocol.
# These require that the socks client implements the same extension and
# can be enabled using the "extension" keyword.
#
# enable the bind extension.
#extension: bind

#
# misc options.
#

# how many seconds can pass from when a client connects til it has
# sent us it's request? Adjust according to your network performance
# and methods supported.
#connecttimeout: 30 # on a lan, this should be enough if method is "none".

# how many seconds can the client and it's peer idle without sending
# any data before we dump it? Unless you disable tcp keep-alive for
# some reason, it's probably best to set this to 0, which is
# "forever".
#iotimeout: 0 # or perhaps 86400, for a day.

# do you want to accept connections from addresses without
# dns info? what about addresses having a mismatch in dnsinfo?
#srchost: nounknown nomismatch

#
# The actual rules. There are two kinds and they work at different levels.
#
# The rules prefixed with "client" are checked first and say who is allowed
# and who is not allowed to speak/connect to the server. I.e the
# ip range containing possibly valid clients.
# It is especially important that these only use IP addresses, not hostnames,
# for security reasons.
#
# The rules that do not have a "client" prefix are checked later, when the
# client has sent its request and are used to evaluate the actual
# request.
#
# The "to:" in the "client" context gives the address the connection
# is accepted on, i.e the address the socksserver is listening on, or
# just "0.0.0.0/0" for any address the server is listening on.
#
# The "to:" in the non-"client" context gives the destination of the clients
# socksrequest.
#
# "from:" is the source address in both contexts.
#

# the "client" rules. All our clients come from the net 10.0.0.0/8.
#

# Allow our clients, also provides an example of the port range command.
#client pass {
# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
# method: rfc931 # match all idented users that also are in passwordfile
#}

# This is identical to above, but allows clients without a rfc931 (ident)
# too. In practise this means the socksserver will try to get a rfc931
# reply first (the above rule), if that fails, it tries this rule.
client pass {
from: 203.245.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client pass {
from: 192.168.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client pass {
from: 211.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client pass {
from: 61.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}
# drop everyone else as soon as we can and log the connect, they are not
# on our net and have no business connecting to us. This is the default
# but if you give the rule yourself, you can specify details.
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}

# the rules controlling what clients are allowed what requests
#

# you probably don't want people connecting to loopback addresses,
# who knows what could happen then.

# the people at the 172.16.0.0/12 are bad, no one should talk to them.
# log the connect request and also provide an example on how to
# interact with libwrap.
#block {
# from: 0.0.0.0/0 to: 172.16.0.0/12
# libwrap: spawn finger @%a
# log: connect error
#}

# unless you need it, you could block any bind requests.
#block {
# from: 0.0.0.0/0 to: 0.0.0.0/0
# command: bind
# log: connect error
#}

# or you might want to allow it, for instance "active" ftp uses it.
# Note that a "bindreply" command must also be allowed, it
# should usually by from "0.0.0.0/0", i.e if a client of yours
# has permission to bind, it will also have permission to accept
# the reply from anywhere.
#pass {
# from: 211.245.0.0/8 to: 211.245.0.0/0
# command: bind
# log: connect error
#}

# some connections expect some sort of "reply", this might be
# the reply to a bind request or it may be the reply to a
# udppacket, since udp is packetbased.
# Note that nothing is done to verify that it's a "genuine" reply,
# that is in general not possible anyway. The below will allow
# all "replies" in to your clients at the 10.0.0.0/8 net.
#pass {
# from: 0.0.0.0/0 to: 10.0.0.0/8
# command: bindreply udpreply
# log: connect error
#}

# pass any http connects to the example.com domain if they
# authenticate with username.
# This matches "example.com" itself and everything ending in ".example.com".
#pass {
# from: 10.0.0.0/8 to: .example.com port = http
# log: connect error
# method: username
#}

# block any other http connects to the example.com domain.
#block {
# from: 0.0.0.0/0 to: .example.com port = http
# log: connect error
#}

# everyone from our internal network, 10.0.0.0/8 is allowed to use
# tcp and udp for everything else.
pass {
from: 192.168.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}

pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}

pass {
from: 211.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}

pass {
from: 61.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}

pass {
from: 207.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}

block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}
# last line, block everyone else. This is the default but if you provide
# one yourself you can specify your own logging/actions
#block {
# from: 0.0.0.0/0 to: 0.0.0.0/0
# log: connect error
#}