"Simon J. Gerraty" <sjg @
>Now (one day) I just have to modify SOCKS such that if the client can
>resolve a name it knows it can connect directly, otherwise it
>goes to sockd on the proxy host. This would allow a single client to
>work inside and out, without unnecessary load on the proxy...
It's been done. There is a split DNS patch for cstc4.2beta as
well as a stand-alone Rgethostbyname.c on ftp.nec.com in
/pub/security/socks.cstc. I wrote my own version in about 15
minutes before I heard about those.
The logic is very simple -- first use standard gethostbyname
to resolve hosts using a local policy (NIS, DNS, hosts, what
have you) and upon failure use the code already present in
Rconnect.c to check the Internet aware name server.
SOCKS can be told to use 'direct' rather than 'sockd' connections
using IP addresses & masks in socks.conf.
p.s. this subject has more to do with SOCKS than firewalls in
general, and should probably move to the socks mailing list.