.B .noip
in the calling user's home directory, as determined by the
.B HOME
-environment, or, failing that, looking up the
-.I real
-(not effective) user id in the password database.
+environment, or, failing that, looking up the effective user id in the
+password database. However, if the environment variable
+.B NOIP_CONFIG
+is set, then the file it names is read instead (assuming it exists; if
+it doesn't, no configuration is read).
.PP
The configuration file has a simple line-based format. A line is
ignored if it consists only of whitespace, or if its first whitespace
.BI "socketdir " directory
Store the Unix-domain sockets in
.IR directory
-rather than the default.
+rather than the default. The environment variable
+.B NOIP_SOCKETDIR
+can also be used to control which directory is used for sockets.
+.TP
+.BI "autoports " min "\-" max
+Select which ports are used for implicit binding. Allocating ports can
+be a bit slow, since checking whether a Unix domain socket is in use is
+difficult. A wide range makes things easier, because
+.B noip
+starts by trying ports at random from the given range. The environment
+variable
+.B NOIP_AUTOPORTS
+can also be used to control which ports are assigned automatically.
.TP
.BI "realbind " acl-entry
Add an entry to the
.B realbind
ACL is consulted. If the address is matched, then the program is
allowed to bind a real Internet socket to that address; otherwise, the
-socket is bound to a Unix-domain socket.
+socket is bound to a Unix-domain socket. Three environment variables
+are consulted too:
+.BR NOIP_REALBIND_BEFORE ,
+.BR NOIP_REALBIND ,
+and
+.BR NOIP_REALBIND_AFTER .
+The
+.B _BEFORE
+rules are inserted at the front of the list; the
+.B _AFTER
+rules are appended on the end. Currently, the rules in
+.B NOIP_REALBIND
+are also put at the end (before the
+.B _AFTER
+rules), though this may change later.
.TP
-.BI "realbind " acl-entry
+.BI "realconnect " acl-entry
Add an entry to the
.B realconnect
access control list (ACL). When a program attempts to
.B realconnect
ACL is consulted. If the destination address is matched, then the
program is allowed to contact the real Internet socket; otherwise, the
-attempt is made to contact a Unix-domain socket.
+attempt is made to contact a Unix-domain socket. Three environment variables
+are consulted too:
+.BR NOIP_REALCONNET_BEFORE ,
+.BR NOIP_REALCONNECT ,
+and
+.BR NOIP_REALCONNECT_AFTER .
+The
+.B _BEFORE
+rules are inserted at the front of the list; the
+.B _AFTER
+rules are appended on the end. Currently, the rules in
+.B NOIP_REALCONNECT
+are also put at the end (before the
+.B _AFTER
+rules), though this may change later.
.PP
(Aside: An attempt to connect to a remote host may not be a hopeless failure,
even if a real IP socket is denied:
.PP
An
.I acl-entry
-has this format:
+is a comma-separated list of entries of the form:
.IP
.BR + | \-
.IR address \c
For example, it may be useful to allow access at least to a DNS server.
This can be accomplished by adding a line
.VS
-realconnect +1.2.3.4:52
+realconnect +1.2.3.4:53
.VE
to the configuration file, where 1.2.3.4 is the IP address of one of
your DNS server.
is implemented as an
.B LD_PRELOAD
hack. It won't work on setuid programs. Also, perhaps more
-importantly, it can't do anything a
+importantly, it can't do anything to prevent a
.I malicious
-program use of networking: a program could theoretically issue sockets
+program's use of networking: a program could theoretically issue sockets
system calls directly instead of using the C library calls that
.B noip
intercepts. It is intended only as a tool for enhancing the security of
.PP
This manual is surprisingly long and complicated for such a simple hack.
.SH AUTHOR
-Mark Wooding, <mdw@nsict.org>
+Mark Wooding, <mdw@distorted.org.uk>