-<para>
- The Windows version of <application>Junkbuster</application> puts an icon in
- the system tray, which also allows you to change this option. If you
- right-click on that icon (or select the <quote>Options</quote> menu), one
- choice is <quote>Enable</quote>. Clicking on enable toggles
- <application>Junkbuster</application> on and off. This is useful if you want
- to temporarily disable <application>Junkbuster</application>, e.g., to access
- a site that requires cookies which you would otherwise have blocked. This can also
- be toggled via a web browser at the <application>Junkbuster</application>
- internal address of <ulink url="http://i.j.b">http://i.j.b</ulink> on
- any platform.
-</para>
-
-<para>
- <quote>toggle 1</quote> means <application>Junkbuster</application> runs
- normally, <quote>toggle 0</quote> means that
- <application>Junkbuster</application> becomes a non-anonymizing non-blocking
- proxy. Default: 1 (on).
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>toggle 1</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- For content filtering, i.e. the <quote>+filter</quote> and
- <quote>+deanimate-gif</quote> actions, it is necessary that
- <application>Junkbuster</application> buffers the entire document body.
- This can be potentially dangerous, since a server could just keep sending
- data indefinitely and wait for your RAM to exhaust. With nasty consequences.
-</para>
-
-<para>
- The <application>buffer-limit</application> option lets you set the maximum
- size in Kbytes that each buffer may use. When the documents buffer exceeds
- this size, it is flushed to the client unfiltered and no further attempt to
- filter the rest of it is made. Remember that there may multiple threads
- running, which might require increasing the <quote>buffer-limit</quote>
- Kbytes <emphasis>each</emphasis>, unless you have enabled
- <quote>single-threaded</quote> above.
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>buffer-limit 4069</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- To enable the web-based <filename>ijb.action</filename> file editor set
- <application>enable-edit-actions</application> to 1, or 0 to disable. Note
- that you must have compiled <application>JunkBuster</application> with
- support for this feature, otherwise this option has no effect. This
- internal page can be reached at <ulink
- url="http://i.j.b">http://i.j.b</ulink>.
- </para>
-
-<para>
- Security note: If this is enabled, anyone who can use the proxy
- can edit the actions file, and their changes will affect all users.
- For shared proxies, you probably want to disable this. Default: enabled.
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>enable-edit-actions 1</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- Allow <application>JunkBuster</application> to be toggled on and off
- remotely, using your web browser. Set <quote>enable-remote-toggle</quote>to
- 1 to enable, and 0 to disable. Note that you must have compiled
- <application>JunkBuster</application> with support for this feature,
- otherwise this option has no effect.
-</para>
-
-<para>
- Security note: If this is enabled, anyone who can use the proxy can toggle
- it on or off (see <ulink url="http://i.j.b">http://i.j.b</ulink>), and
- their changes will affect all users. For shared proxies, you probably want to
- disable this. Default: enabled.
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>enable-remote-toggle 1</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-</sect3>
-
-<!-- ~ End section ~ -->
-
-
-<!-- ~~~~~ New section ~~~~~ -->
-
-<sect3>
-<title>Access Control List (ACL)</title>
-<para>
- Access controls are included at the request of some ISPs and systems
- administrators, and are not usually needed by individual users. Please note
- the warnings in the FAQ that this proxy is not intended to be a substitute
- for a firewall or to encourage anyone to defer addressing basic security
- weaknesses.
-</para>
-
-<para>
- If no access settings are specified, the proxy talks to anyone that
- connects. If any access settings file are specified, then the proxy
- talks only to IP addresses permitted somewhere in this file and not
- denied later in this file.
-</para>
-
-<para>
- Summary -- if using an ACL:
-</para>
-
- <simplelist>
- <member>
- Client must have permission to receive service.
- </member>
- </simplelist>
- <simplelist>
- <member>
- LAST match in ACL wins.
- </member>
- </simplelist>
- <simplelist>
- <member>
- Default behavior is to deny service.
- </member>
- </simplelist>
-
-<para>
- The syntax for an entry in the Access Control List is:
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- ACTION SRC_ADDR[/SRC_MASKLEN] [ DST_ADDR[/DST_MASKLEN] ]
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- Where the individual fields are:
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>ACTION</emphasis> = <quote>permit-access</quote> or <quote>deny-access</quote>
-
- <emphasis>SRC_ADDR</emphasis> = client hostname or dotted IP address
- <emphasis>SRC_MASKLEN</emphasis> = number of bits in the subnet mask for the source
-
- <emphasis>DST_ADDR</emphasis> = server or forwarder hostname or dotted IP address
- <emphasis>DST_MASKLEN</emphasis> = number of bits in the subnet mask for the target
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-
-<para>
- The field separator (FS) is whitespace (space or tab).
-</para>
-
-<para>
- IMPORTANT NOTE: If the <application>junkbuster</application> is using a
- forwarder (see below) or a gateway for a particular destination URL, the
- <literal>DST_ADDR</literal> that is examined is the address of the forwarder
- or the gateway and <emphasis>NOT</emphasis> the address of the ultimate
- target. This is necessary because it may be impossible for the local
- <application>Junkbuster</application> to determine the address of the
- ultimate target (that's often what gateways are used for).
-</para>
-
-<para>
- Here are a few examples to show how the ACL features work:
-</para>
-
-<para>
- <quote>localhost</quote> is OK -- no DST_ADDR implies that
- <emphasis>ALL</emphasis> destination addresses are OK:
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>permit-access localhost</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- A silly example to illustrate permitting any host on the class-C subnet with
- <application>Junkbuster</application> to go anywhere:
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>permit-access www.junkbusters.com/24</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- Except deny one particular IP address from using it at all:
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>deny-access ident.junkbusters.com</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- You can also specify an explicit network address and subnet mask.
- Explicit addresses do not have to be resolved to be used.
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>permit-access 207.153.200.0/24</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- A subnet mask of 0 matches anything, so the next line permits everyone.
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>permit-access 0.0.0.0/0</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- Note, you <emphasis>cannot</emphasis> say:
-</para>
-
-<para>
- <literal>
- <msgtext>
- <literallayout>
- <emphasis>permit-access .org</emphasis>
- </literallayout>
- </msgtext>
- </literal>
-</para>
-
-<para>
- to allow all *.org domains. Every IP address listed must resolve fully.
-</para>
-
-<para>
- An ISP may want to provide a <application>Junkbuster</application> that is
- accessible by <quote>the world</quote> and yet restrict use of some of their
- private content to hosts on its internal network (i.e. its own subscribers).
- Say, for instance the ISP owns the Class-B IP address block 123.124.0.0 (a 16
- bit netmask). This is how they could do it:
-</para>