Kernun Handbook


Table of Contents

How to Read the Documentation
1. Kernun Product Overview
1. Kernun Net Access (KNA)
2. Kernun Mail Access (KMA)
3. Kernun VPN Access (KVPNA)
4. Kernun Office Access (KOA)
5. Kernun Web Access (KWA)
6. Product Summary
2. Kernun Hardware
3. Kernun System Management
1. Installation Media, Releases, and Builds
2. Disk Space Layout
3. Licensing
4. Boot Manager
5. Installation
5.1. Standalone Installer
5.2. Initial Configuration
5.3. Installation from the GUI
5.4. Installation from the Command Line
6. Backup and Restoring
6.1. Backup and Restoring from the GUI
6.2. Backup and Restoring from the Command Line
6.3. Restoring a Backup in the Standalone Installer
7. Upgrade
7.1. Upgrade from the GUI
7.2. Upgrade from the Command Line
8. Audit
9. Emergency Repair Environment
4. User Interface
1. Graphical User Interface
1.1. Kernun GUI Launcher
1.2. GKAT—Management Console
1.3. Logs
1.4. GCML — Configuration
1.5. Locking
2. Command Line Interface
2.1. Command Line Interface Details
2.2. C3H — Command Completion and Context Help
2.3. KAT — Kernun Admin Tool
2.4. CML — Configuration Meta Language
3. Administrative Utilities
5. Configuration Basics
1. Configuration Language
2. The Initial Configuration
2.1. Global Level
2.2. System
2.3. SSH Server
2.4. Local Mail Handling
2.5. Application Proxies and ACLs
2.6. DNS Proxy
2.7. HTTP Proxy
2.8. FTP Proxy
2.9. HTTPS and SSH Proxy
2.10. SMTP Proxy
2.11. IMAP4 and POP3 Proxy
3. Changing the Configuration
3.1. Adding TCP Proxies
6. Advanced features
1. Packet Filter
1.1. Packet Flow
1.2. Packet Filtering
1.3. Antispoofing Using Packet Filter
1.4. Selective Packet Forwarding
1.5. Network Address Translation
1.6. Packet Forwarding along with NAT
2. System Configuration
2.1. User Accounts
2.2. Network Interfaces
2.3. Static Routes
2.4. File /etc/rc.conf
2.5. Kernel Parameters in /etc/sysctl.conf
2.6. Configuration of the cron Daemon
3. Caching Name Server
4. DNS and DHCP Services
4.1. DNS Server for the Local Zone
4.2. DHCP Server for the Local Network
5. Time Synchronization with NTP
6. Monitoring of Kernun Operation
6.1. Logging Configuration
6.2. Log Rotation
6.3. Monitoring of Active Sessions
6.4. Proxy Statistics Generation
6.5. Monitoring of System Parameters
7. Networking in Proxies
7.1. Transparent Proxies
7.2. A Proxy and a Server on the Same Port
7.3. Listening on a port range
8. H.323 Proxies
9. SIP Proxy
10. SQLNet Proxy
11. UDP Proxy
12. Cooperation of HTTP and FTP Proxies
13. Secure Communication Using SSL/TLS
14. User Authentication
14.1. Authentication Methods
14.2. Authentication in FTP Proxy
14.3. Basic Authentication in HTTP Proxy
14.4. NTLM Authentication in HTTP Proxy
14.5. HTTP Authentication Proxy
14.6. Out of Band Authentication
15. Antivirus Checking of Data
15.1. Connection
15.2. Antivirus Results
15.3. Antivirus in Proxies
15.4. SMTP Proxy: Discarding Infected Mails
15.5. SMTP Proxy: Replacing Infected Documents
15.6. Antivirus in POP3 and IMAP4 Proxies
15.7. Dr.WEB, ClamAV and NOD32 Specifics
16. Antispam Processing of E-mail
16.1. Antispam Engine
16.2. White-, Grey-, and Blacklists
17. Content Processing
17.1. Content Type Detection
17.2. HTML Filtering
17.3. MIME Processing
18. Filtering HTTP Requests by URI
18.1. URL Matching and Rewriting
18.2. Blacklists in HTTP Proxy
18.3. Kernun Clear Web DataBase
18.4. Using External Web Filter
19. Intrusion Detection/Prevention System
19.1. Update of Rules
20. Traffic Shaping
21. Virtual Private Networks — OpenVPN
21.1. Remote Access Server
21.2. Network to Network
21.3. Accessing the virtual network
21.4. Logs
22. Virtual Private Networks — IPsec
22.1. IPsec Wizard
22.2. IPsec Configuration
23. High Availability Clusters
24. IPv6
I. Kernun Firewall Reference (1)
HtmlMatchPasswd.pm — encapsulates the databases of the HTML form value control tool html-match-db(1) for storing two pairs of credentials (internal username and password, and external username and password). It also keeps the logs of the actions performed on the particular accounts.
clear-web-db-update.sh — tool for updating the Clear Web DataBase
clear-web-db — tool for managing the Clear Web DataBase
diskdb — tool for creating and querying file system content database
fwpasswd — create and update password authentication files
greplog.sh — tool for selecting messages from Kernun logs
html-match-db — controls databases of HTML form values used by the generic data matching module
kernun-audit — checks for bugs and new versions of the Kernun software
license — tool for checking Kernun license file
mkblacklist — tool for converting http-proxy blacklists into DB format
monitor — report current status of Kernun proxies
ooba-samba — uses a Samba server to update the out of band authentication user list
printblacklist — tool for converting http-proxy blacklists into textual format
quarc.sh — mail quarantine control tool
resolveblacklist — tool for resolving hostnames in http-proxy blacklists
rrd — system parameter watching
sum-avas — print a summary of antivirus and antispam usage
sum-dns — print a summary of dns-proxy usage
sum-http — print a summary of the http-proxy usage
sum-proxy — print a summary of a proxy usage
sum-smtp — print a summary of the smtp-proxy usage
switchlog — distribute messages from Kernun log according to message id and proxy name
triplicator — SMTP Grey-listing Triplet Database Manipulator
II. Kernun Firewall Reference (5)
acl — format of acl component configuration
altq — format of altq component configuration
auth — format of auth component configuration
clear-web-db — format of clear-web-db component configuration
common — format of common component configuration
dhcp-server — format of dhcp-server component configuration
dns-proxy — format of dns-proxy component configuration
dns-proxy.cfg — format of dns-proxy program configuration file
ftp-proxy — format of ftp-proxy component configuration
ftp-proxy.cfg — format of ftp-proxy program configuration file
gk-proxy — format of gk-proxy component configuration
gk-proxy.cfg — format of gk-proxy program configuration file
h323-proxy — format of h323-proxy component configuration
h323-proxy.cfg — format of h323-proxy program configuration file
http-proxy — format of http-proxy component configuration
http-proxy.cfg — format of http-proxy program configuration file
icap-server — format of icap-server component configuration
icap-server.cfg — format of icap-server program configuration file
imap4-proxy — format of imap4-proxy component configuration
imap4-proxy.cfg — format of imap4-proxy program configuration file
interface — format of interface component configuration
ipc — format of ipc component configuration
ipsec — format of ipsec component configuration
kernun.cml — format of Kernun configuration file
ldap — format of ldap component configuration
listen-on — format of listen-on component configuration
log — format of log component configuration
mod-antispam — format of mod-antispam component configuration
mod-antivirus — format of mod-antivirus component configuration
mod-html-filter — format of mod-html-filter component configuration
mod-mail-doc — format of mod-mail-doc component configuration
mod-match — format of mod-match component configuration
monitoring — format of monitoring component configuration
nameserver — format of nameserver component configuration
netio — format of netio component configuration
nls — format of nls component configuration
ntp — format of ntp component configuration
openvpn — format of openvpn component configuration
packet-filter — format of packet-filter component configuration
pfconfd.cfg — format of pfconfd program configuration file
pop3-proxy — format of pop3-proxy component configuration
pop3-proxy.cfg — format of pop3-proxy program configuration file
proxy — format of proxy component configuration
radius — format of radius component configuration
resolver — format of resolver component configuration
sip-proxy — format of sip-proxy component configuration
sip-proxy.cfg — format of sip-proxy program configuration file
smtp-proxy — format of smtp-proxy component configuration
smtp-proxy.cfg — format of smtp-proxy program configuration file
sqlnet-proxy — format of sqlnet-proxy component configuration
sqlnet-proxy.cfg — format of sqlnet-proxy program configuration file
ssl — format of ssl component configuration
sysctl — format of sysctl component configuration
system — format of system component configuration
tcp-proxy — format of tcp-proxy component configuration
tcp-proxy.cfg — format of tcp-proxy program configuration file
tcpserver — format of tcpserver component configuration
test-expr — format of test-expr command-line arguments
udp-proxy — format of udp-proxy component configuration
udp-proxy.cfg — format of udp-proxy program configuration file
udpserver — format of udpserver component configuration
III. Kernun Firewall Reference (6)
ARGS-000 — Application initialisation failed when preparing getopt() system call
ARGS-001 — Application has improperly started
ARGS-002 — Application command line arguments array is NULL
ARGS-010 — Application requested to register an illegal option char
ARGS-011 — Function initgetopt() failed due to duplicate command-line option
ARGS-012 — Function initgetopt() failed due to a large option set
ARGS-013 — Function initgetopt() failed due to a large option set
ARGS-500 — Command line argument array starts with a NULL pointer (bad program name)
ARGS-520 — Command-line option used more than once
ARGS-521 — Application called with an unknown command-line option
ARGS-522 — Application called with option without proper argument
ARGS-523 — Option -f specifies too long filename
ARGS-524 — Options on command line are followed by an extra argument
ARGS-529 — Terminal message in case of wrong command line parameters
ASN1-300 — Parser ran out of read buffer
ASN1-700 — Parser read integer out of allowed range
ASN1-701 — Parser read integer coding length greater than 4 bytes
ASN1-702 — Parser read length encoding starting with two ones
ASN1-720 — Parser read IA5 string character with unknown code
AUTH-110 — Authorisation handle cannot be allocated
AUTH-111 — Authorisation password file cannot be opened
AUTH-112 — Authorisation tool cannot be opened
AUTH-131 — Authorisation password file read failed
AUTH-135 — Call to authentication library failed
AUTH-631 — User not found in authorisation password file
AUTH-632 — User password does not match to the one in password file
AUTH-635 — User password/response rejected by authentication tool
AUTH-731 — Proxy-user name too long
AUTR-500 — Configuration does not contain RADIUS library settings
AUTR-501 — RADIUS server host is not correctly specified in configuration file
AUTR-600 — A call to RADIUS client library returned an error
AUTR-601 — RADIUS client library initialization failed
AUTR-602 — A response of unknown type was received from a RADIUS server
AUTR-603 — A user was rejected by a RADIUS server
AUTR-604 — A user was accepted by a RADIUS server
AUTR-605 — A RADIUS server has sent a challenge to a user
AUTR-606 — A user has responded to an authentication challenge
CASE-500 — Obsolete feature used in configuration
CFGL-020 — Incorrect call of regexpizelist()
CFGL-031 — Incorrect key is to be searched in list
CFGL-340 — List extraction function called with insufficient array
CFGL-500 — Attempt to add item '*' into non-extended list
CFGL-501 — Too deep sublist nesting
CFGL-520 — Adding to '*'-list requested
CFGL-521 — Adding of exclude-member to simple list requested
CFGL-522 — Overlapping range is to be added to list
CFGL-523 — Lower and upper bounds are not compatible
CFGL-524 — Adding of string, regexp or sock range requested
CFGL-549 — Name-set represents no section
CFGP-100 — Revoking configuration file from RCS failed
CFGP-500 — Configuration file is empty
CFGP-501 — First character of configuration is illegal
CFGP-531 — Illegal character found
CFGP-532 — Configuration contains character string
CFGP-533 — Integer found in configuration is too large
CFGP-534 — Illegal character found in IP address
CFGP-535 — Illegal syntax of IP address
CFGP-544 — Alphanumeric character expected in configuration
CFGP-545 — Incorrect character escape sequence used in string
CFGP-546 — String expression not closed
CFGP-547 — String or regexp exceeded the maximum length
CFGP-548 — String or regexp not closed
CFGP-549 — IP address probably not closed
CFGP-591 — IPv4 address byte value too big
CFGP-592 — IPv4 address byte empty
CFGP-593 — Incorrect number of IPv4 address bytes
CFGP-594 — IPv4 address syntax error
CFGP-595 — IPv4 mask specification invalid
CFGP-596 — IPv4 mask specification invalid
CFGP-599 — IPv6 addresses not supported yet
CFGR-000 — Section/item parser routine failed
CFGR-003 — Application version tag misformed
CFGR-109 — Parser initialisation failed
CFGR-110 — System error during configuration reading
CFGR-160 — Item addition to list failed
CFGR-161 — Value to list conversion failed
CFGR-162 — Sublist creation failed
CFGR-500 — Configuration integrity constraints error
CFGR-501 — Parser started without configuration file
CFGR-502 — No VERSION statement in configuration
CFGR-503 — VERSION statement has incorrect argument
CFGR-504 — VERSION statement has incorrect argument
CFGR-505 — VERSION statement repeated
CFGR-511 — Configuration item must be closed by semicolon
CFGR-512 — Section must begin with left brace
CFGR-513 — List member must be followed by comma or right brace
CFGR-514 — Configuration ended incorrectly
CFGR-515 — Closing brace not found
CFGR-517 — Item/subsection name expected in configuration
CFGR-518 — Item/subsection name expected in configuration
CFGR-519 — Incorrect configuration directive found
CFGR-520 — Obligatory keyword not found
CFGR-521 — Integer value expected in configuration
CFGR-523 — String value expected in configuration
CFGR-524 — Enumeration value expected in configuration
CFGR-525 — Hostname/IP address expected in configuration
CFGR-526 — Hostname/regexp/IP network expected in configuration
CFGR-527 — Regular expression expected in configuration
CFGR-528 — Hostname/IP address not followed by a colon
CFGR-529 — IP address value and type incompatibility
CFGR-530 — Section reference invalid
CFGR-531 — Section reference invalid
CFGR-540 — Element is not optional
CFGR-542 — Integer value too large
CFGR-543 — Port/service name invalid
CFGR-544 — Empty hostname is not allowed
CFGR-545 — Direct integer value not allowed
CFGR-546 — Using of hostnames is not allowed
CFGR-547 — Enumeration keyword invalid
CFGR-548 — Time value is not in hhmm format
CFGR-549 — List of values is not allowed
CFGR-550 — Section defined more than once
CFGR-551 — Name of repeatable section missing
CFGR-552 — Name of repeatable section too long
CFGR-559 — Nonrepeatable item defined more than once
CFGR-560 — List not closed by regular member
CFGR-561 — Excluding members not allowed in simple lists
CFGR-562 — Member ranges not allowed in simple lists
CFGR-563 — Operator '*' not allowed in simple lists
CFGR-564 — List member reading failed
CFGR-566 — Member ranges not allowed
CFGR-590 — Negative final configuration message
CFGR-700 — Configuration file has been opened
CFGR-710 — Configuration hash reader report
CFGR-790 — Configuration successfully completed
CKGB-100 — Cannot copy system configuration file prototype to system image
CKGB-121 — Kernun component configuration generation failed
CKGB-191 — Cannot create directory
CKGB-192 — System call failed
CKGB-331 — Syslog devices over
CKGB-390 — Filename too long
CKGB-500 — Kernun configuration file contains no SYSTEM
CKGB-560 — ALTQ queue set definition incorrect
CKGB-561 — ALTQ queue set definition incorrect
CKGB-562 — ALTQ queue set definition incorrect
CKGB-563 — ALTQ queue set definition incorrect
CKGB-564 — ALTQ queue set definition incorrect
CKGB-565 — ALTQ queue set definition incorrect
CKGB-566 — ALTQ queue set definition incorrect
CKGB-567 — ALTQ queue set definition incorrect
CKGB-573 — Proxy probably uses reserved port and will not operate
CKGB-580 — System resolver nameserver specification invalid
CKGB-584 — Nameserver zone defined by incorrect address
CKGB-587 — Socket collision report message
CKGB-710 — Kernun generation started
CKGB-711 — Kernun verification started
CKGB-718 — Kernun verification/generation has failed
CKGB-719 — Kernun verification/generation has succeeded
CKGB-790 — Particular system configuration file saved
CKGB-799 — Particular system configuration file failure
CMLI-120 — File completion failed
CMLI-125 — Path to Kernun manual pages invalid
CMLI-190 — KAT cannot display output to terminal
CMLI-700 — User interface startup message
CMLI-709 — User interface closeup message
CMLI-710 — CML C3H failed
CMLI-711 — CML C3H failed
CMLI-712 — CML C3H failed
CMLI-713 — CML C3H failed
CMLI-714 — Cannot use C3H for long lines
CMLI-720 — C3H cannot find filename continuation
CMLI-725 — Manual page section invalid
CMLI-775 — Automatic reply in batch mode
CMLK-101 — Inaccessible directory
CMLK-130 — KAT sends signal to proxy/ssh server
CMLK-140 — KAT cannot determine running processes
CMLK-149 — KAT component control command failed for some component
CMLK-156 — Log file line misformed
CMLK-500 — Current directory information
CMLK-509 — Current directory change error report
CMLK-540 — Misformed line found in 'component.lst' file
CMLK-541 — Unknown component type found in 'component.lst' file
CMLK-542 — KAT cannot read proxy configuration
CMLK-609 — Issued command denied in read-only mode
CMLK-700 — KAT exiting
CMLK-702 — KAT/CML file name invalid
CMLK-708 — KAT command option not known
CMLK-709 — KAT command name not known
CMLK-710 — Configuration hash report
CMLK-712 — KAT cannot find continuation
CMLK-713 — Too many arguments to KAT command
CMLK-714 — Incorrect selection for KAT operation
CMLK-715 — KAT command parameter invalid
CMLK-716 — KAT command parameters invalid
CMLK-720 — KAT cannot find CML SYSTEM file tree
CMLK-725 — Configuration RCS version shortcut invalid
CMLK-731 — KAT KILL command invoked with incorrect signal name/number
CMLK-732 — KAT KILL command invoked without application name
CMLK-733 — KAT KILL command invoked with incorrect child specification
CMLK-740 — KAT detected running application, cannot start new one
CMLK-742 — Non-daemonized proxy cannot be started by KAT
CMLK-748 — Command can be applied to Kernun proxies only
CMLK-749 — Component control command failed to finish
CMLK-755 — No log file matching given criteria exists
CMLM-621 — Issued command denied in read-only mode
CMLM-701 — Configuration consistency warning
CMLM-702 — Configuration consistency warning
CMLM-713 — CML /SAVE operation not completed
CMLM-714 — CML command-line options incompatible
CMLM-715 — Bad revision number requested
CMLM-720 — Unknown CML command name
CMLM-721 — CML command misuse
CMLM-722 — Invalid arguments of CML command
CMLM-731 — Bad parameter, information not available
CMLM-732 — Bad parameter, information not available
CMLM-740 — Bad parameter, target node invalid
CMLM-750 — Multinode operation allowed only for structured comments
CMLR-113 — Include file path is invalid
CMLR-510 — Configuration version inconsistency
CMLR-511 — Configuration file incomplete
CMLR-512 — Configuration file probably corrupted
CMLR-513 — Configuration root path setting failed
CMLR-515 — Include directive failed for some reason
CMLR-518 — Configuration file probably corrupted
CMLR-519 — Configuration file not loaded after previous errors
CMLR-530 — Incorrect CML path specification
CMLR-540 — Incorrect high-level configuration command usage
CMLR-542 — CML include file content incorrect
CMLR-543 — Compound comment syntax error
CMLR-550 — General CML syntax error message
CMLR-551 — CML parser detected syntax error
CMLR-552 — Section format error
CMLR-560 — Item completeness error
CMLR-564 — Excluding member misuse
CMLR-565 — Configuration directive not closed properly
CMLR-566 — List definition misformed
CMLR-567 — Item definition misformed
CMLR-569 — Item completeness error
CMLR-570 — Variable definition misformed
CMLR-571 — Variable definition misformed
CMLR-572 — Variable definition misformed
CMLR-573 — Variable definition misformed
CMLR-574 — CML SWITCH command syntax error
CMLR-575 — CML SWITCH/CASE command syntax error
CMLR-580 — CML parser detected syntax error
CMLR-581 — CML parser detected syntax error
CMLR-582 — CML parser detected syntax error
CMLR-583 — CML parser detected syntax error
CMLR-584 — CML parser detected syntax error
CMLR-585 — CML parser detected syntax error
CMLR-586 — CML parser detected syntax error
CMLR-587 — CML SWITCH/CASE command syntax error
CMLR-590 — Configuration directive misformed
CMLR-591 — Configuration directive misformed
CMLR-592 — Configuration directive misformed
CMLR-593 — Configuration directive specified twice
CMLR-710 — Final loading result message
CMLR-712 — Configuration loading was aborted
CMLR-713 — INCLUDE statements with relative paths found
CMLR-720 — Operation not allowed in this point of configuration
CMLR-721 — Improper use of /EDIT command
CMLR-732 — CML command parameter invalid
CMLR-770 — Incorrect variable definition
CMLS-110 — Configuration file cannot be opened
CMLS-114 — Configuration was not successfully saved
CMLS-311 — Inline-file line format invalid
CMLS-321 — Variable or sublist tree too deep
CMLS-501 — Incorrect variable usage
CMLS-505 — Incorrect for loop usage
CMLS-506 — Incorrect variable application
CMLS-507 — CML SWITCH command incompleteness found
CMLS-510 — Inline-file line format invalid
CMLS-511 — Inline-file line format invalid
CMLS-541 — ACL level 1 inconsistency
CMLS-551 — Incorrect for loop usage
CMLS-561 — Two SHARED files/directories have the same name
CMLS-569 — Shared file or directory check failed
CMLS-719 — Bad filter parameter of /SHOW command
CMLT-302 — Name chosen is not allowed
CMLT-501 — Name chosen is not allowed
CMLT-502 — Name chosen is not allowed
CMLT-521 — Incorrect variable usage
CMLT-530 — Reference leading toward end of configuration
CMLT-533 — Variable/path inconsistency warning
CMLT-534 — Variable or reference invalid
CMLT-540 — Incorrect CML path construction
CMLT-541 — Incorrect CML path construction
CMLT-542 — Incorrect CML path construction
CMLT-543 — Incorrect CML path construction
CMLT-544 — Incorrect CML path construction
CMLT-545 — Incorrect CML path construction
CMLT-548 — Incorrect CML path construction
CMLT-549 — Path continuation invalid
CMLT-559 — Undefined value referenced
CMLT-560 — Integer value incompatibility
CMLT-561 — Mnemonic name misuse
CMLT-563 — Overlapping range is to be added to list
CMLT-564 — Item element value incorrect
CMLT-565 — SOCK type incompatibility warning
CMLT-566 — Inline-file specification incorrect
CMLT-568 — List value inconsistency
CMLT-569 — Type and value inconsistency
CMLT-570 — Configuration redundancy warning
CMLT-572 — Name chosen is not allowed
CMLT-573 — ACL name '*' inconsistency
CMLT-574 — Dynamic names for some section types unimplemented
CMLT-575 — CML SWITCH command syntax error
CMLT-577 — Illegal sections in for-loop definition
CMLT-578 — Context inconsistency warning
CMLT-579 — Section variable definition incorrect
CMLT-583 — String concatenation is allowed in variable definition only
CMLT-584 — Parameter declaration misplaced
CMLT-589 — Top level section misuse
CMLT-591 — Parametrized variable misuse
CMLT-592 — Parametrized variable misuse
CMLT-593 — List tail meaningless
CMLT-594 — List not closed by regular member
CMLT-720 — Operation not allowed in this point of configuration
CMLT-722 — Clipboard empty
CMLT-723 — Cannot undelete node
CMLT-724 — Undelete not possible
CMLT-770 — CML operation not allowed due to context check
CMLT-771 — Incorrect CML edit operation
CMLT-772 — CML command misuse
CMLT-800 — CML configuration identification report
CMLT-801 — CML configuration CDF version report
CMLT-802 — CML configuration root path report
CMLT-803 — CML configuration origin report
DHDR-710 — Document header syntax error
DHDR-711 — Document header syntax error
DHDR-712 — Document header syntax error
DHDR-721 — Document header syntax error
DNSC-001 — Zone name not found in cache
DNSC-002 — Domain name not found in cache
DNSC-192 — Cannot get list of IP addresses
DNSC-580 — No valid root server record for zone
DNSC-590 — Non-periodical cleanup did not clear cache sufficiently
DNSC-600 — Received answer contains our own address to be queried
DNSC-700 — Cache storing function finds resource record of incorrect type
DNSC-701 — Resolving process cannot continue due to incorrect answer
DNSC-702 — Resource record set contains no valid authority records
DNSC-705 — Glue records missing
DNSC-897 — Cache cleanup effectiveness report
DNSC-898 — Cache cleanup final report
DNSC-899 — Cache capacity report
DNSC-980 — No valid server record for domain
DNSE-001 — Request state is invalid
DNSE-003 — Event on socket not belonging to any request
DNSE-012 — Used socket registered by another request
DNSE-013 — Request tried to open second server connection
DNSE-097 — Invalid event in particular request state
DNSE-105 — ALTQ queue assignment has failed
DNSE-109 — Syscall select() in main proxy loop failed
DNSE-120 — Binding to a random port failed
DNSE-130 — Getting a socket or preparing it to work failed
DNSE-210 — Reading request from UDP socket failed
DNSE-211 — Accepting connection on TCP socket failed
DNSE-212 — Reading request from TCP connection failed
DNSE-218 — Timeout expired when reading query
DNSE-219 — Client closed TCP connection
DNSE-221 — Connection to server failed
DNSE-228 — Timeout expired when reading reply
DNSE-230 — Sending request to server failed
DNSE-239 — Server has closed connection during sending query to it
DNSE-240 — Reading reply from server failed
DNSE-249 — Server closed TCP connection
DNSE-260 — Reply was not sent to client
DNSE-269 — Client has closed connection during sending reply to it
DNSE-300 — Requests table is exhausted
DNSE-301 — Sockets table is exhausted
DNSE-308 — DNS request table monitoring message
DNSE-309 — Requests table dump final info
DNSE-310 — Received query length exceeds allowed size
DNSE-340 — Reading reply from server failed
DNSE-342 — UDP reply from server exceeds 512 bytes
DNSE-360 — Proxy cannot send response via TCP
DNSE-361 — Reply is too long; it could cause a problem for the resolver
DNSE-390 — Cannot connect to server due to long name
DNSE-590 — Proxy tried all possible forwarders getting no answer
DNSE-612 — Named DNS operation not implemented
DNSE-613 — Only single-query requests implemented
DNSE-614 — Named resource record class not implemented
DNSE-615 — DNS extensions not implemented
DNSE-710 — Received query/response is shorter than minimal size
DNSE-711 — Request is formally incorrect
DNSE-712 — Named DNS operation not known
DNSE-713 — Request must contain exactly one QUERY
DNSE-714 — Query resource record contains unknown class
DNSE-715 — IXFR query with invalid NS part
DNSE-716 — Bad transport protocol for AXFR request
DNSE-740 — Proxy received reply with unexpected response code
DNSE-741 — Query section of the answer does not match one of request
DNSE-742 — Nameserver response contains invalid flags
DNSE-743 — Zone transfer response does not start with SOA
DNSE-744 — Incremental zone transfer response does not end with proper SOA
DNSE-749 — Server connection is not idle
DNSE-750 — Too deep recursion of internal requests
DNSE-790 — Proxy tried all possible servers getting no answer
DNSE-791 — Retry of request is not allowed
DNSE-792 — Information about domain contains no glue record
DNSE-793 — Querying to name loops back to itself
DNSE-794 — Reasonable amount of attempts exhausted
DNSE-795 — Informational output of requests dependency
DNSE-798 — Internal request final report
DNSE-799 — Request timed out
DNSI-500 — Section LISTEN-ON contains incorrect address
DNSP-010 — Searching of ACL failed
DNSP-500 — Zone transfer cannot be resolved
DNSP-510 — Cannot force source address in dns-proxy
DNSP-610 — Request is not covered by configuration
DNSP-641 — Reply resource record policy decision
DNSP-649 — Reply resource record not found in configuration
DNSP-700 — Notification about the mode of operation of the proxy
DNSP-701 — The proxy has been initialized and is ready to accept packets
DNSP-709 — Proxy received signal, exiting immediately
DNSP-808 — Session has started, client connection has arrived
DNSP-809 — TCP session finished
DNSP-810 — ACL decision has been made, operation either accepted or rejected
DNSP-820 — ACL decision has been made, operation either accepted or rejected
DNSP-860 — Request processing finished
DNSR-001 — Name or label being stored is too long
DNSR-011 — Resource record of unknown type being stored
DNSR-301 — Read domain name exceeds 254 characters
DNSR-310 — DNS message RR count limit reached
DNSR-619 — Resource record contains unimplemented feature
DNSR-630 — Answer resource record has class other than IN
DNSR-631 — Answer resource record has unimplemented or incorrect type
DNSR-653 — Query resource record type unimplemented
DNSR-654 — Reply resource record type unimplemented
DNSR-702 — Label contains incorrect character
DNSR-703 — Token does not start with a 00 or 11 bit pair
DNSR-704 — Token length exceeds end of block
DNSR-705 — Token references offset greater than offset of itself
DNSR-710 — Resource record length differs from length field value
DNSR-711 — Resource record exceeds block boundary
DNSR-717 — Received block length disagrees with total length of resource records
DNSR-718 — Received block length disagrees with total length of resource records
DNSR-719 — Resource record formally incorrect
DNSR-730 — Nameserver response inconsistency message
DNSR-731 — General appearance incorrectness message
DNSR-732 — DNS reply contains incorrect CNAME
DNSR-734 — Irrelevant additional record found
DNSR-735 — Nameserver response contains invalid CNAME chain
DNSR-753 — Query resource record type unknown
DNSR-754 — Reply resource record type unknown
DNSX-501 — QUERY or REPLY item will never act
DNSX-502 — No QUERY item contains operation requiring REPLY/FAKE definition
DNSX-503 — No REPLY item found in forwarding or resolving ACL
DNSX-510 — Faked name is longer than 254 characters
DNSX-511 — Faked name label is longer than 64 characters
DNSX-512 — Faked name contains invalid character
FTPH-739 — Resending FTP server reply to HTTP proxy
FTPH-750 — FTP directory listing not understood
FTPP-090 — TCP server returned with error
FTPP-099 — Final startup failure message
FTPP-573 — Proxy probably uses reserved port and will not operate
FTPP-808 — Session has started, client connection has arrived
FTPP-809 — Session finished
FTPS-009 — Answer prepared for client has no response code
FTPS-105 — ALTQ queue assignment has failed
FTPS-110 — Searching of ACL failed
FTPS-119 — Authentication system is unusable
FTPS-131 — Connection to server failed
FTPS-230 — Target server name cannot be resolved to IP address
FTPS-232 — Target server connection failed
FTPS-234 — Target server response invalid
FTPS-238 — I/O operation on socket failed
FTPS-239 — Control socket closed by peer
FTPS-341 — Client reply buffer is over
FTPS-342 — Data command parameter exceeded internal buffer size
FTPS-530 — Next-hop server/proxy name cannot be resolved to IP address
FTPS-532 — Next-hop server/proxy connection failed
FTPS-533 — Address to be forced as source toward the server cannot be resolved
FTPS-534 — Next-hop server/proxy response invalid
FTPS-628 — User illegally requested connection to non-ftp port
FTPS-640 — FTP command has been rejected
FTPS-642 — Simple username expected
FTPS-643 — Username should contain target server
FTPS-644 — Password must combine proxy user's and remote user's ones
FTPS-679 — PORT family command has illegal parameter
FTPS-690 — Data transfer size limit exceeded
FTPS-691 — Data transfer size limit exceeded
FTPS-701 — Timeout reached
FTPS-710 — Too many commands used prior to connecting to server
FTPS-732 — Command not allowed if target server known
FTPS-738 — Remote server has answered with error message
FTPS-739 — Remote server has logically closed session
FTPS-744 — RNTO received without RNFR
FTPS-745 — Proxy received an unknown command
FTPS-746 — FTP command syntax error
FTPS-747 — FTP initialisation command USER/PASS duplicated
FTPS-748 — User setting required
FTPS-749 — Port required by user is invalid
FTPS-771 — Received EPSV command with bad argument
FTPS-773 — Data transfer parameter commands invalid if EPSV ALL is set
FTPS-774 — PORT family command contains bad argument
FTPS-791 — Reissuing the REST command failed
FTPS-810 — ACL decision has been made, operation either accepted or rejected
FTPS-819 — Proxy user authentication finished
FTPS-820 — ACL decision has been made, operation either accepted or rejected
FTPS-840 — FTP command received
FTPS-870 — File Transfer Protocol command handling
FTPT-001 — Wrong address of server requested
FTPT-105 — ALTQ queue assignment has failed
FTPT-110 — Searching of ACL failed
FTPT-119 — Cannot recognize document type
FTPT-181 — Data connection accept failed
FTPT-280 — Data connection to peer cannot be established
FTPT-281 — Cannot create listening socket for data transfer
FTPT-288 — Data connection not established
FTPT-289 — Another data connection arrived
FTPT-600 — Data arrived from wrong peer
FTPT-688 — PASV family command response contains bad address
FTPT-689 — Data connection arrived from bad peer
FTPT-690 — Data transfer size limit exceeded
FTPT-702 — Listening timeout expired
FTPT-746 — FTP command syntax error
FTPT-772 — Received repeated data transfer parameter command
FTPT-788 — PASV family command response invalid
FTPT-830 — ACL decision has been made, operation either accepted or rejected
FTPT-872 — Client used data command without transfer parameter setting
FTPT-880 — Data transfer initialized
FTPT-881 — Data connection server established
FTPT-890 — Data transfer stopped
H225-700 — Unrecoverable H.323 parser error
H225-710 — Received packet with unimplemented H.323 feature
H225-720 — Received packet with more RAS/CSA addresses
H245-700 — Unrecoverable H.323 parser error
H245-710 — Received packet with unimplemented H.323 feature
H245-711 — Received packet with unimplemented H.323 feature
HTCT-100 — An operation with the cookie table failed
HTCT-102 — An operation with the cookie table failed
HTCT-104 — An operation with the cookie table failed
HTCT-105 — An operation with the cookie table failed
HTCT-107 — An operation with the cookie table failed
HTCT-108 — An operation with the cookie table failed
HTCT-800 — A cookie has been received from other client than expected
HTCW-100 — Closing a Clear Web DataBase file failed
HTCW-101 — Opening a Clear Web DataBase file failed
HTCW-102 — Reading all records from a Clear Web DataBase file failed
HTCW-103 — The Clear Web DataBase cannot test whether its database was changed
HTCW-104 — Search operation in the Clear Web DataBase file failed
HTCW-105 — Inserting a record into the Clear Web DataBase file failed
HTCW-106 — Deleting a record from the Clear Web DataBase file failed
HTCW-700 — The Clear Web DataBase cannot open its updated database file
HTTA-100 — AProxy session table initialization failed
HTTA-101 — AProxy session table initialization failed
HTTA-102 — A new proxy process cannot use the session table
HTTA-157 — AProxy session table lock cannot be unlocked
HTTA-500 — AProxy session table must have non-zero size
HTTA-502 — Required item OOB_AUTH-SRV missing in configuration
HTTA-600 — An error occurred when calling authentication functions
HTTA-601 — RADIUS state does not fit into the session table entry
HTTA-710 — Information about OOB user authentication
HTTA-720 — Information about AProxy user authentication
HTTA-801 — Client returned invalid authentication data to AProxy
HTTA-802 — AProxy session table lock cannot be locked
HTTA-803 — Maximum number of sessions reached, no new session can be created
HTTA-804 — User name does not fit into the session table entry
HTTA-805 — Client returned invalid contents of the authentication form to AProxy
HTTA-806 — AProxy cannot prepare the authentication form
HTTA-807 — List of groups does not fit into the session table entry
HTTA-808 — OOB external authentication produces too long lines
HTTA-809 — OOBA update list line not understood
HTTA-810 — Unterminated line at the end of an OOBA update list is ignored
HTTA-811 — An OOB-authenticated user cannot be found in LDAP
HTTA-812 — A user tried logout without previous login
HTTA-813 — Authentication form incorrectly filled/sent
HTTA-858 — AProxy cannot decode the request
HTTF-800 — The proxy cannot convert FTP directory listing into an HTML page
HTTF-801 — The proxy cannot convert FTP directory listing into an HTML page
HTTF-802 — The proxy cannot convert FTP directory listing into an HTML page
HTTH-025 — Invalid method number in parsed request line
HTTH-101 — The proxy cannot replace credentials
HTTH-102 — The proxy cannot replace credentials
HTTH-105 — ALTQ queue assignment has failed
HTTH-701 — Information about source address of the connection to the server
HTTH-702 — A new request has been started
HTTH-703 — Information about user authentication on the proxy
HTTH-704 — A URL is temporarily accessible due to bypass
HTTH-705 — Bypass has been activated for a single domain
HTTH-706 — Bypass life time has expired and must be reactivated
HTTH-707 — Bypass has not been activated or has expired and must be reactivated
HTTH-708 — The bypass activation page has not been returned to the proxy in time
HTTH-709 — Bypass cannot be activated due to an internal error
HTTH-711 — Maximum number of bypass sessions has been reached
HTTH-712 — Bypass has been activated for a set of categories
HTTH-713 — A request has terminated
HTTH-714 — A request has terminated
HTTH-715 — Information about a request
HTTH-716 — A set of categories has been looked up in the Clear Web DataBase
HTTH-717 — Bypass is disabled due to an internal error in the bypass table
HTTH-718 — A URL is temporarily accessible due to bypass
HTTH-741 — Proxy repairs invalid Host request header
HTTH-750 — Data from server were rejected by antivirus checking
HTTH-792 — The proxy cannot initialize client CONNECT data filtering
HTTH-793 — The proxy cannot initialize server CONNECT data filtering
HTTH-794 — The proxy cannot perform NTLM authentication
HTTH-795 — NTLM authentication data format is invalid
HTTH-796 — The proxy cannot execute an external program
HTTH-797 — Bad format of a cookie deletion request
HTTH-798 — Matching of request body data not possible
HTTH-799 — Matching of response data not possible
HTTH-800 — Cannot decode the server response due to an unsupported encoding
HTTH-801 — Http-proxy cannot communicate with ftp-proxy
HTTH-802 — Connection of http-proxy with ftp-proxy is not configured
HTTH-803 — The client has not sent compulsory HTTP/1.1 Host header
HTTH-804 — Challenge/response proxy authentication is not supported
HTTH-805 — The request URI has been invalidated by a rewrite operation
HTTH-806 — The request specifies an unsupported scheme
HTTH-807 — Setup for request body decoding failed
HTTH-808 — Setup for request body encoding failed
HTTH-809 — The proxy cannot initialize the image filtration module
HTTH-810 — The proxy received the status line from the server twice
HTTH-811 — Reports REQUEST-ACL used for this request
HTTH-812 — HTTP header name contains an illegal character
HTTH-813 — HTTP header does not contain the colon separating name and value
HTTH-814 — Repeated HTTP header which may occur only once
HTTH-815 — Value of an HTTP header is invalid and cannot be parsed
HTTH-816 — Internal form of an HTTP header is invalid
HTTH-817 — Repeated HTTP header which may occur only once
HTTH-818 — HTTP request line must contain an HTTP method
HTTH-819 — HTTP request line must contain an HTTP request URI
HTTH-820 — HTTP version in request or response is invalid
HTTH-821 — Something invalid at the end of the HTTP request line
HTTH-822 — A bad %xx sequence in URI has been encountered
HTTH-823 — Internal form of URI is invalid
HTTH-824 — Internal form of HTTP version is invalid
HTTH-825 — Internal form of HTTP request line is invalid
HTTH-826 — Status line must contain version identifier
HTTH-827 — Status line must contain a valid status code
HTTH-828 — Internal form of HTTP status line is invalid
HTTH-829 — Internal form of an HTTP header is invalid
HTTH-830 — Unknown type of authentication
HTTH-831 — URI cannot be parsed
HTTH-832 — Only GET method is allowed in HTTP v. 0.9 requests
HTTH-833 — Received HTTP message has an unsupported version of HTTP
HTTH-834 — Content-Length header contains an invalid value
HTTH-835 — Request or status line is forbidden by REQUEST-ACL
HTTH-836 — Request or response header is forbidden by REQUEST-ACL
HTTH-837 — Request failed due to inoperative web filter
HTTH-838 — Invalid HTTP status code in response from server
HTTH-839 — Request continues despite web filter failure
HTTH-840 — Proxy cannot configure NAT address mapping on connection to server
HTTH-841 — Proxy cannot initialize data related to server connection
HTTH-842 — Proxy cannot create modules for communication with the server
HTTH-843 — Proxy cannot create module for sending CONNECT response headers
HTTH-844 — The proxy cannot process response headers
HTTH-845 — An unexpected error occurred when searching REQUEST-ACLs
HTTH-846 — The request is denied because it does not match any REQUEST-ACL
HTTH-847 — Matching REQUEST-ACL contains item DENY
HTTH-848 — Request URI has a form unsupported by http-proxy
HTTH-849 — A file to be sent as a response does not exist or is not readable
HTTH-850 — Antivirus has reported a virus
HTTH-851 — The proxy is unable to verify user authentication
HTTH-852 — The proxy cannot establish an SSL/TLS secure channel to the server
HTTH-853 — The request specifies an unsupported scheme
HTTH-854 — AProxy is enabled in the configuration, but cannot be initialized
HTTH-855 — FTP requests allow only downloading (GET) and uploading (PUT) data
HTTH-856 — HTTP Host header contains an invalid port number
HTTH-857 — Proxy cannot interpret Transfer-Encoding header
HTTH-858 — Transfer-Encoding header defines an incorrect encoding
HTTH-859 — Transfer-Encoding header defines an incorrect encoding
HTTH-860 — Communication with an FTP server failed
HTTH-861 — A file to be sent as a response does not exist or is not readable
HTTH-862 — The proxy cannot decode chunked transfer encoding of response
HTTH-863 — The proxy cannot use an external program to reply to a request
HTTH-864 — Cannot decode the server response due to an unsupported encoding
HTTH-865 — Proxy informs the client about an unsupported content encoding
HTTH-866 — The proxy cannot encode the response into the chunked encoding
HTTH-867 — The proxy cannot decode a gzipped response
HTTH-868 — The proxy cannot perform requested HTML filtration
HTTH-869 — The proxy cannot return a directory listing obtained from ftp-proxy
HTTH-870 — The proxy cannot send the response to the antivirus
HTTH-871 — The client has closed the connection when it should not
HTTH-872 — The request line is wrong
HTTH-873 — A request cannot escape from a subdirectory
HTTH-874 — The request headers are wrong
HTTH-875 — Proxy cannot configure NAT address mapping on connection to ftp-proxy
HTTH-876 — Forwarding the request to ftp-proxy failed
HTTH-877 — Request line processing failed
HTTH-878 — The request line does not fit into the appropriate buffer
HTTH-879 — Request header processing failed
HTTH-880 — A request line does not fit into the appropriate buffer
HTTH-881 — The server has closed the connection when it should not
HTTH-882 — The status line is wrong
HTTH-883 — A cookie modification failed
HTTH-884 — The response headers are wrong
HTTH-885 — Status line processing failed
HTTH-886 — The status line does not fit into the appropriate buffer
HTTH-887 — Response header processing failed
HTTH-888 — A response line does not fit into the appropriate buffer
HTTH-889 — The request would require the proxy to connect back to itself
HTTH-890 — HTTP header value contains an illegal character
HTTH-891 — Repeated HTTP header which may occur only once
HTTH-892 — An unexpected error occurred when searching DOC-ACLs
HTTH-893 — Reports DOC-ACL used for this request
HTTH-894 — The request is denied because it does not match any DOC-ACL
HTTH-895 — Matching DOC-ACL contains item DENY
HTTH-896 — Proxy cannot use the module for guessing MIME types
HTTH-897 — The server has specified response body length incorrectly
HTTH-898 — The client has specified request body length incorrectly
HTTH-899 — The proxy is unable to verify user authentication
HTTH-901 — The proxy cannot extract lifetime information from a cookie
HTTH-923 — Proxy requests user authentication
HTTH-924 — Proxy authentication request sent to client
HTTP-104 — The main loop for serving clients (tcpserver) failed
HTTP-105 — ALTQ queue assignment has failed
HTTP-123 — Blacklist database cannot be used
HTTP-124 — The proxy cannot use SSL/TLS
HTTP-125 — The table for storing modified cookie cannot be initialized
HTTP-126 — The proxy cannot delete stored cookie values
HTTP-501 — AProxy configuration error
HTTP-502 — AProxy configuration error
HTTP-710 — A new proxy session has been started
HTTP-711 — A proxy session has terminated
HTTP-712 — Session ACLs have been processed
HTTP-801 — Error during initial processing of a new session
HTTP-802 — The next request on a persistent connection cannot be processed
HTTP-803 — Error during initialization of a new request
HTTP-804 — The client has closed the connection to the proxy
HTTP-810 — The proxy is unable to respond with a local file
HTTP-811 — The proxy is unable to respond with a local file
HTTP-812 — The proxy is unable to respond with a local file
HTTP-813 — Data size limit has been exceeded
HTTP-814 — Data size limit has been exceeded
HTTP-815 — Data size limit has been exceeded
HTTP-816 — Data size limit has been exceeded
HTTP-817 — An unexpected error occurred when searching SESSION-ACLs
HTTP-818 — The session is denied because it does not match any SESSION-ACL
HTTP-819 — Matching SESSION-ACL contains item DENY
HTTP-820 — The proxy captured a CONNECT request and will handle it itself
HTTP-821 — The proxy creates a TCP tunnel to the server
HTTP-822 — A shared library cannot be used
HTTP-823 — A shared library does not contain a required function
HTTP-824 — A shared library cannot be initialized
HTTP-825 — The proxy is unable to respond with locally generated data
HTTP-852 — The proxy cannot establish an SSL/TLS secure channel from the client
ICAB-700 — Received ICAP message has unsupported version of ICAP
ICAB-701 — ICAP version in request is invalid
ICAB-710 — ICAP request line malformed
ICAB-711 — Request line ends incorrectly
ICAB-725 — ICAP Host header contains an invalid port number
ICAB-730 — Unknown type of authentication
ICAR-120 — An unexpected error occurred when searching REQUEST-ACLs
ICAR-140 — Setup for request body decoding failed
ICAR-150 — Proxy cannot use the module for guessing MIME types
ICAR-160 — The proxy cannot send the response to the antivirus
ICAR-170 — The proxy cannot encode the response into the chunked encoding
ICAR-200 — The client has closed the connection when it should not
ICAR-580 — The status line does not fit into the appropriate buffer
ICAR-581 — A response line does not fit into the appropriate buffer
ICAR-620 — Matching SERVICE-ACL contains item DENY
ICAR-621 — The request is denied because it does not match any SERVICE-ACL
ICAR-625 — Matching REQUEST-ACL contains item DENY
ICAR-626 — The request is denied because it does not match any REQUEST-ACL
ICAR-630 — Matching DOC-ACL contains item DENY
ICAR-631 — The request is denied because it does not match any DOC-ACL
ICAR-711 — The request line is wrong
ICAR-712 — The request headers are wrong
ICAR-715 — The request specifies an unsupported scheme
ICAR-716 — The client has not sent compulsory HTTP/1.1 Host header
ICAR-727 — Challenge/response proxy authentication is not supported
ICAR-728 — Proxy requests user authentication
ICAR-729 — The proxy is unable to verify user authentication
ICAR-810 — A new request has been started
ICAR-819 — A request has terminated
ICAR-820 — Reports SERVICE-ACL used for this request
ICAR-825 — Reports REQUEST-ACL used for this request
ICAR-829 — Information about user authentication on the proxy
ICAR-830 — Reports DOC-ACL used for this request
ICAS-111 — Blacklist database cannot be used
ICAS-130 — Error during initial processing of a new session
ICAS-131 — The next request on a persistent connection cannot be processed
ICAS-132 — The proxy cannot establish an SSL/TLS secure channel from the client
ICAS-133 — ALTQ queue assignment has failed
ICAS-139 — Error during initialization of a new request
ICAS-191 — The proxy cannot use SSL/TLS
ICAS-330 — Data size limit has been exceeded
ICAS-621 — Session denied due to no matching SESSION-ACL
ICAS-622 — Matching SESSION-ACL contains item DENY
ICAS-801 — Session has started, client connection has arrived
ICAS-809 — Session finished
ICAS-821 — SESSION-ACL search report
IMAP-100 — The main loop for serving clients (tcpserver) failed
IMAP-101 — ALTQ queue assignment has failed
IMAP-200 — Cannot change source address of a connection to a server
IMAP-201 — The proxy cannot initialize a connection to a server
IMAP-202 — The proxy cannot initialize a connection to a server
IMAP-700 — Session ACL has been processed
IMAP-701 — Command ACL has been processed
IMAP-702 — A client has been disconnected from the proxy
IMAP-704 — A new client has connected to the proxy
IMAP-705 — The source address of a connection to a server has been changed
IMAP-706 — Information about direction of a mail transfer
IMAP-710 — A command has been denied by ACL
IMAP-711 — A capability has been denied by ACL
IMAP-712 — An unimplemented capability received from the server
IMAP-713 — An unimplemented command received from the client
IMAP-760 — Mail ACL has been processed
IMAP-800 — Proxy initialization failed
IMAP-801 — An error occurred during searching SESSION-ACLs
IMAP-802 — The client has been denied by SESSION-ACL
IMAP-803 — The proxy is unable to verify user authentication
IMAP-804 — The proxy does not know a server address to connect to
IMAP-805 — Initial processing of a new client connection has failed
IMAP-806 — Proxy cannot start SSL/TLS on the client connection
IMAP-807 — Proxy cannot start IMAP4 protocol
IMAP-808 — An error occurred during searching COMMAND-ACLs
IMAP-809 — The client has been denied by COMMAND-ACL
IMAP-810 — Limit for session duration has been reached
IMAP-811 — The client is sending too much data
IMAP-812 — The server is sending too much data
IMAP-813 — Proxy cannot start SSL/TLS on the server connection
IMAP-814 — The session has been idle for too long
IMAP-817 — A temporary file cannot be read
IMAP-818 — A mail from the server cannot be processed
IMAP-819 — The proxy is unable to get size of a temporary file
IMAP-820 — The client has unexpectedly disconnected from the proxy
IMAP-821 — The server has unexpectedly disconnected from the proxy
IMAP-822 — A FETCH response does not correspond to the FETCH command
IMAP-823 — Proxy cannot decode length of a literal
IMAP-824 — A client command line is too long
IMAP-825 — A server response line is too long
IMAP-843 — IMAP4 BINARY protocol extension (RFC3516) is not implemented
IMAP-844 — The proxy does not understand a request for mail data
IMAP-845 — The proxy detected data which should not occur in a FETCH response
IMAP-846 — The server response is not a valid mail
IMAP-847 — Bad format of an IMAP4 command line
IMAP-848 — A command tag does not fit into a buffer in the proxy
IMAP-850 — The proxy cannot create a temporary file
IMAP-851 — The proxy is unable to process a mail
IMAP-852 — A mail from client to server is denied by configuration
IMAP-853 — A mail from client to server is denied by configuration
IMAP-854 — Bad format of an IMAP4 response line
IMAP-855 — A response tag does not match the last command
IMAP-856 — A response tag does not match the last command
IMAP-857 — The proxy is unable to get size of a temporary file
IMAP-858 — A command tag does not fit into a buffer in the proxy
IMAP-860 — The proxy cannot create a temporary file
IMAP-861 — The proxy cannot start processing of a mail
IMAP-862 — A mail from server to client is denied by configuration
IMAP-863 — A mail from server to client is denied by configuration
IMAP-865 — The proxy cannot finish processing of a mail
IMAP-867 — The client asked for a nonexistent part of a mail
IMAP-868 — The proxy cannot send a mail in the form of a literal string
IMAP-870 — There is no cached mail in the proxy
IMAP-871 — The proxy received unexpected data from the server
IPCL-100 — The proxy cannot create a lock for synchronizing its processes
IPCL-101 — The proxy cannot write its PID to the lock file
IPCL-102 — The proxy cannot close a lock file
IPCL-103 — The proxy cannot delete a lock file
IPCL-104 — A proxy process cannot open a lock file
IPCL-106 — A proxy process cannot lock a lock file
IPCL-107 — A proxy process cannot unlock a lock file
IPSE-800 — Bad interface referenced in an IPSEC configuration section
IPSE-801 — No interface referenced in an IPSEC configuration section
IPSE-802 — Configuration directory of the ISAKMP daemon cannot be generated
IPSE-803 — The specified DH group value is not allowed
KERN-001 — Function called with NULL parameter
KERN-002 — Expression has incorrect (NULL) value
KERN-003 — An unexpected true value of a Boolean expression detected
KERN-011 — Library function returned unknown return value
KERN-012 — Application has detected an incorrect value
KERN-100 — System call failed with reported errno
KEYV-701 — Keyword-value parser error
KEYV-702 — Keyword-value parser error
KEYV-703 — Keyword-value parser error
KEYV-704 — Keyword-value parser error
KEYV-710 — Keyword-value parser error
KEYV-711 — Keyword-value parser error
KEYV-751 — Keyword-value parser error
LDAP-301 — Buffer for ldap filter is too short for storing string "(|(attribute_name=value)(attribute_name=value))"
LDAP-302 — Buffer for ldap filter is too short for storing string "(attribute_name=value)"
LDAP-501 — Bad attribute name
LDAP-502 — Invalid configuration of the server's URI
LDAP-601 — Bad username
LDAP-603 — User not found in the LDAP database
LDAP-607 — Bind to account successful
LDAP-610 — Bind LDAP server to the user's DN unsuccessful due to invalid credentials
LDAP-613 — Error when binding to the LDAP server using user's DN
LDAP-701 — LDAP initialization failed
LDAP-702 — More than 1 value returned as the group name
LDAP-703 — Setting LDAP_OPT_X_TLS_KEYFILE failed
LDAP-704 — More than 1 object for user found in the LDAP directory
LDAP-706 — More than 1 value returned as the user's default GID number
LDAP-707 — ldap_start_tls_s returned error
LDAP-709 — Error while searching for the user's UID number
LDAP-710 — Error getting user's DN
LDAP-711 — Error retrieving group number from the group's node
LDAP-712 — Error retrieving user's default GID number
LDAP-713 — Error while searching for the user's GID list
LDAP-714 — Setting LDAP_OPT_X_TLS_REQUIRE_CERT option failed
LDAP-715 — Setting LDAP_OPT_TIMEOUT option failed
LDAP-716 — Setting LDAP_OPT_TIMELIMIT failed
LDAP-717 — Setting LDAP_OPT_NETWORK_TIMEOUT option failed
LDAP-718 — Error binding to the LDAP server
LDAP-721 — Setting LDAP_OPT_PROTOCOL_VERSION option failed
LDAP-722 — Setting LDAP_OPT_X_TLS_CERTFILE failed
LDAP-723 — Setting LDAP_OPT_X_TLS_CACERTFILE option failed
LDAP-724 — Setting LDAP_OPT_X_TLS_CACERTDIR option failed
LDAP-726 — Error retrieving group number from the group's node
LDAP-727 — Getting LDAP_OPT_X_TLS_CTX option failed
LDAP-728 — Setting LDAP_OPT_X_TLS_CTX option failed
LDAP-729 — List of groups for a user cannot be obtained from Active Directory
LDAP-730 — List of groups for a user cannot be obtained from Active Directory
LDAP-731 — List of groups for a user cannot be obtained from Active Directory
LDAP-732 — List of groups for a user cannot be obtained from Active Directory
LDAP-733 — Setting LDAP_OPT_REFERRALS failed
LDAP-734 — Failed to reinitialize the LDAP structure
LDAP-901 — Unexpected behaviour; ldap_result returned an unexpected value
LIBA-700 — Reports the list of user groups matched by an ACL
LIBI-009 — Closing of file descriptor failed
LIBI-101 — Socket number not applicable to select()
LIBI-102 — Traffic shaping support not present in kernel and system libraries
LIBI-103 — Cannot configure traffic shaping for a network socket
LIBI-141 — Function dupip() failed to allocate memory
LIBI-220 — Setting of socket option failed
LIBI-221 — File descriptor flag operation failed
LIBI-230 — Attempt to connect timed out
LIBI-941 — Function dupip() allocates memory at specified address
LIBP-031 — System call of sigaction() failed
LIBP-120 — System call to daemon() failed
LIBP-730 — Kernun signal handler caught signal
LIBP-931 — Kernun signal handler has been registered
LIBT-001 — Syscall gettimeofday() failed
LIBT-120 — System clock disruption
LIBT-150 — Sleeping for a time interval terminated with error
LIBT-959 — A system call was interrupted by a signal
LIBU-020 — Wrong formatting directive
LIBU-021 — Printing bad address argument
LIBU-022 — Printing bad regexp argument
LIBU-023 — Printing bad IP argument
LIBU-140 — Error during re-creating file
LIBU-145 — Input file opening failed
LIBU-320 — Printing too long string
LIBU-330 — Filename too long
LIBU-510 — Regular expression library fails to compile given regexp
LIBU-530 — Filename contains invalid characters
LIBU-533 — Filename longer than OS limitations
LIBU-534 — Library function cannot assemble file name
LICC-100 — The Kernun license file cannot be found or read
LICC-101 — The license file verification failed
LICC-102 — Cannot check hardware serial number
LICC-103 — Cannot check hardware serial number
LICC-500 — A component is not available and cannot be configured
LICC-501 — A component is not available and cannot be configured
LICC-502 — Each SYSTEM section should contain PRODUCT specification
LICC-700 — Information about a license
LICC-701 — Reports the date after which new functionality will not be licensed
LICC-800 — The license file has bad content
LICC-801 — The license file does not permit the named component to run
LICC-802 — The license is no longer valid
LICC-803 — Cannot check hardware serial number
LICC-804 — License was issued for another computer
LICC-805 — License was issued for another software version
LIST-001 — There are bad links in a linked list data structure
MAVS-101 — The proxy cannot initialize the file used for communication with antivirus
MAVS-102 — The proxy cannot initialize the file used for communication with antivirus
MAVS-103 — Antivirus module cannot read data
MAVS-104 — Antivirus module cannot read data
MAVS-105 — ALTQ queue assignment has failed
MAVS-200 — Communication with antivirus failed
MAVS-201 — Communication with antivirus failed
MAVS-202 — The request for an antivirus does not fit into a buffer
MAVS-203 — Communication with antivirus failed
MAVS-204 — Communication with antivirus failed
MAVS-205 — The proxy cannot forward data checked by antivirus
MAVS-700 — Data are not checked by antivirus because they are too big
MAVS-710 — The antivirus program reported a file as clean
MAVS-800 — The antivirus is unable to check data received from the proxy
MAVS-801 — The proxy has received EOF when waiting for data from antivirus
MAVS-802 — The proxy cannot store data for a later check by an antivirus
MAVS-810 — The antivirus program has found some viruses
MAVS-811 — The antivirus program has found some virus
MAVS-820 — ClamAV antivirus has not returned the expected reply
MAVS-821 — ClamAV antivirus has not returned a valid reply
MAVS-830 — Proxy does not understand a response from NOD32 antivirus
MAVS-920 — Status code returned by DrWeb antivirus
MAVS-930 — Status message returned by NOD32 antivirus
MCHU-702 — Found error in chunked body from the client or server
MCHU-703 — Found error in chunked body from the client or server
MCHU-704 — Found error in chunked body from the client or server
MCHU-705 — Found error in chunked body from the client or server
MEMM-000 — Memory manager detected a cycle in its internal data structures
MEMM-001 — Re-initialization of memory management is not allowed
MEMM-002 — Reparenting of root resource pool is not allowed
MEMM-003 — Invalid value in memory allocation limits
MEMM-004 — The structure of resource pools must always be a tree
MEMM-005 — Repeated deletion of a cleanup function attempted
MEMM-010 — Root resource pool can never be destroyed
MEMM-011 — Specification of a string to be copied is invalid
MEMM-100 — An allocation error occurred
MEMM-101 — Cannot allocate memory, process will terminate
MEMM-102 — Cannot allocate memory
MEMM-103 — Cannot allocate memory, process will terminate
MEMM-104 — Cannot allocate memory
MEMM-105 — Maximum size of a pool reached, cannot allocate more memory
MEMM-106 — Cannot allocate too large memory block
MEMM-107 — Maximum number of allocated blocks in a pool reached
MEMM-108 — Maximum number of sub-pools of a resource pool reached
MEMM-109 — Cannot allocate memory for a pool structure
MEMM-110 — Cannot register a function to be called at process exit
MEMM-111 — Cannot register a function to be called at process exit
MEMM-112 — Cannot register a cleanup function in a pool, process will terminate
MEMM-113 — Cannot register a cleanup function in a pool
MEMM-114 — Maximum number of registered cleanup handlers reached
MEMM-115 — Cannot allocate memory for a pool structure, process will terminate
MEMM-116 — Cannot create a new resource pool, process will terminate
MEMM-117 — Cannot create a new resource pool
MEMM-120 — Cannot allocate memory on the stack
MEMM-121 — Cannot allocate memory on the stack, process will terminate
MEMM-122 — Cannot register a pair of related cleanup functions in pools
MEMM-125 — A resource pool cannot be assigned a name
MGZI-100 — Gzip (de)compression cannot be initialized
MGZI-101 — Gzip (de)compression failed
MGZI-102 — An error occurred in the zlib data compression library
MGZI-103 — An unexpected end of file occurred while reading compressed data
MIME-101 — Proxy cannot use the library for guessing MIME types
MIME-103 — Proxy cannot use the library for guessing MIME types
MIME-104 — It is not known if compiled database is up to date
MIME-105 — The magic database cannot be compiled
MIME-106 — The magic database cannot be compiled
MIME-150 — The proxy is unable to open the file with definitions of MIME types
MIME-151 — Data structure for suffix->MIME type mapping cannot be initialized
MIME-152 — The proxy is unable to read the file with definitions of MIME types
MIME-153 — The proxy is unable to close the file with definitions of MIME types
MIME-154 — An error occurred when storing a value to DB database
MIME-160 — Error when looking up MIME type in database
MIME-501 — Configuration specifies more than 3 doctype identification methods
MIME-502 — Magic database cannot be compiled
MIME-550 — There is a very long line in the file defining MIME types
MIME-551 — A file extension occurs twice in the file defining MIME types
MIME-700 — The magic database will be recompiled by the proxy
MIME-701 — The magic database will not be recompiled by the proxy
MIMX-503 — Configuration specifies incorrect doctype identification method
MMAT-100 — The proxy cannot save values from an HTML form
MMAT-101 — The proxy cannot close a database with HTML form values
MMAT-102 — The proxy cannot open a database used for replacing HTML form values
MMAT-103 — The proxy cannot open a database of values searched for in HTML forms
MMAT-800 — The proxy denied further communication because of forbidden data
MMAT-801 — The proxy cannot store values from an HTML form for later searching
MMAT-802 — The proxy cannot look up received HTML form data in a database
MMAT-803 — Forbidden data found in an HTML form
MMAT-804 — The proxy cannot look up received HTML form data in a database
MMAT-805 — The proxy cannot look up received HTML form data in a database
MMAT-806 — The proxy denied further communication because of missing required data
MMCC-105 — ALTQ queue assignment has failed
MMCC-131 — Connection to server failed
MMCC-181 — H.245 control connection accept failed
MMCC-231 — Target server cannot be connected within timeout period
MMCC-232 — Target server connection failed
MMCC-281 — Cannot create listening socket for H.245 session
MMCC-530 — Next-hop server/proxy name cannot be resolved to IP address
MMCC-533 — Address to be forced as source toward the server cannot be resolved
MMCC-700 — H.225/H.245 packet format error
MMCC-710 — H.323 destination missing
MMCC-711 — H.323 destination unknown
MMCC-720 — Q.931 packet format error
MMCC-721 — Unimplemented feature in H.323 protocol
MMCC-730 — Q.931 address unexpected
MMCC-731 — Unknown Q.931 message
MMCC-742 — Unimplemented feature in H.323 protocol
MMCC-781 — Peer cancelled H.245 connection before accepting
MMCC-808 — Session initialized, proxy is ready to mediate communication
MMCC-881 — H.245 session announced and ready
MMCD-105 — ALTQ queue assignment has failed
MMCD-110 — H.323 channel cannot be created
MMCD-219 — Peer cancelled channel connection before accepting
MMCD-600 — Maximal number of H.323 data channels reached
MMCD-610 — Data connection arrived from bad peer
MMCD-720 — H.323 data channel I/O failed
MMCD-721 — H.323 data channel I/O failed
MMCD-810 — H.323 data channel announced and ready
MMCG-121 — Udp-proxy was not able to find an ACL appropriate for the session
MMCG-590 — ANY-address used as listen-on for gk-proxy
MMCG-810 — A datagram from a client has arrived, a session has started
MMCG-811 — Session initialized, proxy is ready to mediate communication
MMCG-812 — Session finished
MMCG-821 — ACL decision has been made, operation either accepted or rejected
MMCP-090 — TCP server returned with error
MMCP-099 — Final startup failure message
MMCP-100 — Proxy main loop select call failed
MMCP-104 — Obtaining the original connection destination failed
MMCP-105 — ALTQ queue assignment has failed
MMCP-110 — ACL search failed
MMCP-200 — Proxy main loop timeout reached
MMCP-239 — TPKT socket closed by peer
MMCP-500 — ACL misconfigured
MMCP-700 — Misformed TPKT packet received
MMCP-801 — Client connection arrives at proxy
MMCP-808 — Session has started, client connection has arrived
MMCP-809 — Session finished
MMCP-810 — ACL decision has been made, operation either accepted or rejected
MMCR-700 — Nonrecoverable parser error reading RAS packet
MMCR-701 — Unknown RAS packet received
MMCR-710 — RRQ RAS packet does not contain crucial attributes
MMCR-720 — URQ RAS packet does not contain crucial attributes
MMCR-730 — Unknown client registers known H.323/URL identification
MMCR-800 — RAS packet parsing summary
MMCY-100 — YP map file cannot be opened
MMCY-110 — YP map file has incorrect content
MMCY-111 — RAS YP map file corrupted
MMCY-113 — RAS YP map file corrupted
MMCY-120 — YP map file cannot be extended
MMCY-121 — YP map file seek failed
MMCY-130 — Memory (re)mapping of YP file failed
MMCY-510 — RAS YP map file outdated
MNIO-001 — Invalid network communication mode
MNIO-003 — Unexpected data found in data buffers during certain operations
MNIO-021 — Invalid network communication mode
MNIO-100 — Proxy cannot check for unexpected connection close
MNIO-101 — Proxy cannot check for unexpected connection close
MNIO-102 — Proxy cannot check for unexpected connection close
MNIO-103 — Proxy cannot check for unexpected connection close
MNIO-150 — Cannot connect to server due to resolution error
MNIO-151 — Cannot connect to server due to bad socket name
MNIO-160 — Connection to a remote server timed out
MNIO-170 — Connection to a remote server failed
MNIO-171 — Address of a local network socket cannot be obtained
MNIO-172 — Address of a remote network socket cannot be obtained
MNIO-200 — Data from client contains bare line-feed character
MNIO-301 — The proxy has received a line which does not fit into its buffers
MNIO-302 — The proxy has received a line which does not fit into its buffers
MNIO-303 — Timeout while waiting for connection close
MNIO-600 — Peer has sent a certificate which does not satisfy proxy's requirements
MNIO-710 — A network connection has been successfully established
MNIO-800 — Some error occurred during receiving data from a network socket
MNIO-802 — Some error occurred during sending data to a network socket
MNIO-803 — Connection to a remote server failed
MNIO-840 — Attempt to shut down one or both directions of a connection failed
MNIO-850 — There are no more addresses the proxy could try to connect to
MNIO-851 — A network socket cannot be created
MNIO-852 — An error occurred in handling the SSL/TLS protocol
MNIO-853 — A system call failed during an SSL/TLS operation
MNIO-870 — The proxy cannot shut down an SSL/TLS connection properly
MNIO-871 — A TCP connection has been closed without a proper SSL/TLS shutdown
MODM-003 — System call setitimer() unexpectedly failed
MODM-004 — System call getitimer() unexpectedly failed
MODM-005 — An unregistered file descriptor has been selected for I/O
MODM-007 — A deadlock detected in the proxy
MODM-008 — Creating a temporary resource pool outside a module's run() function
MODM-009 — Cannot write data to nonexistent output buffer
MODM-010 — Debugging output of the module manager in case of an internal error
MODM-011 — Non-existent group number assigned to a new module
MODM-012 — Non-existent group number assigned to a new module
MODM-040 — Inconsistent file descriptor and netio structure
MODM-100 — A program cannot be executed
MODM-101 — A process for a program execution cannot be created
MODM-102 — A proxy cannot communicate with an executed program
MODM-156 — Proxy cannot determine transparency of a client connection
MODM-801 — A serious error occurred, the client will be disconnected
MODM-802 — A serious error occurred, the client will be disconnected
MODM-803 — An error occurred, an error message will be sent to the client
MODM-804 — A timeout expired which killed the current client's request
MODM-805 — A process exceeded a maximum allowed runtime
MODM-806 — A process exceeded a maximum allowed runtime
MODM-821 — Initialization of a new request failed
MODM-832 — Initialization of a new proxy module failed
MODM-835 — A per-client module cannot be attached to a request
MODM-838 — A per-client module cannot be detached from a request
MONI-100 — Proxy cannot initialize communication with monitoring utility
MONI-101 — Proxy cannot initialize communication with monitoring utility
MONI-102 — Proxy cannot initialize communication with monitoring utility
MONI-103 — Proxy cannot terminate monitoring properly
MONI-500 — Proxy cannot initialize communication with monitoring utility
MPWF-001 — Unknown content of ICAP response Encapsulated header
MPWF-200 — Proxy cannot communicate with the web filter
MPWF-201 — Proxy cannot communicate with the web filter
MPWF-202 — A web filtration request does not fit into a buffer
MPWF-203 — The proxy is unable to return the web filter response
MPWF-700 — The web filter has rejected the request
MPWF-800 — The web filter terminated its response unexpectedly
MPWF-801 — A web filter response does not fit into a buffer
MPWF-802 — A web filter response cannot be processed
MPWF-810 — Request failed due to inoperative web filter
MPWF-811 — Request continues despite web filter failure
MRDF-000 — Trying to substitute a nonexistent string in a file
MRDF-003 — Unexpected data found in data buffers during certain operations
MRDF-100 — A file cannot be opened for reading
MRDF-101 — A file size cannot be obtained
MRDF-102 — A file cannot be mapped to memory
MRDF-300 — Line longer than internal buffer size
MRDF-800 — Trying to substitute a nonexistent string in a file
MSPA-105 — ALTQ queue assignment has failed
MSPA-310 — Antispam report truncated
MSPA-709 — Antispam failed, spam score invalid
MSPA-710 — Spam checker has returned unknown response
MSPA-800 — Information about mail size and antispam score
MWRF-100 — The proxy cannot open a local file
NATT-002 — It is not possible to issue bind() syscall to desired address
NETL-002 — Function netopen() attempts to change netio socket type
NETL-003 — Internal buffer pointers are inconsistent
NETL-010 — Improper call to netctl() function
NETL-011 — Scratch of too many bytes requested
NETL-012 — Function ungetc() called to empty buffer
NETL-032 — Improper call of netgetcmd() function
NETL-060 — Inconsistent options given to write operation
NETL-089 — Send to invalid address requested
NETL-101 — Shutdown operation with socket failed
NETL-202 — Setting socket flags by fcntl() or setsockopt() failed
NETL-203 — Preparing socket for TCP reset by setsockopt() failed
NETL-211 — Binding of socket to printed address failed
NETL-212 — Syscall getsockname() failed
NETL-220 — The proxy sends TCP reset instead of normal TCP connection close
NETL-231 — Socket read failed
NETL-262 — Writing data to socket failed
NETL-267 — Non-blocking write ended by some data unsent
NETL-283 — UDP data not sent
NETL-291 — Timeout reached during netio operation
NETL-390 — Netio function failed due to buffer shortage
NETL-391 — Netio function failed due to buffer shortage
NETS-001 — Select handler size is negative
NETS-010 — Attempt to add a socket number that is too high
NETS-011 — Unregistered socket used to select
NETS-012 — Unopened socket used to select
NETS-101 — Too many file descriptors are requested
NETS-228 — Timeout reached during select() syscall
NETS-700 — Select handler manipulation function already called
NTIF-001 — Network interface has no link address
NTIF-004 — Network interface name not found
NTIF-007 — Socket address information for netmask is not valid
NTIF-101 — Kernel routing information is not available
NTIF-102 — No memory available for kernel routing information
NTIF-103 — No memory available for network interface information
NTIF-901 — Function has started its operation
NTIF-902 — Function has finished its operation
NTLM-200 — The proxy cannot communicate with the NTLM helper program
NTLM-201 — The proxy cannot communicate with the NTLM helper program
NTLM-500 — NTLM-related communication with an AD controller should be limited
NTLM-501 — NTLM-related communication should be limited by INTERFACE or NETWORK
NTLM-800 — Client provided unexpected authentication information
NTLM-801 — The proxy cannot communicate with the NTLM helper program
NTLM-802 — An error has occurred in the NTLM authentication module
NTLM-803 — The NTLM helper program has not replied in time
NTLM-804 — The NTLM helper program has returned an unexpected response
NTLM-805 — The NTLM helper program has returned an unexpected response
NTLM-806 — The NTLM helper program has returned an unexpected response
NTLM-807 — NTLM authentication failed
NTLM-808 — NTLM authentication cannot obtain group information from LDAP
NTLM-809 — The NTLM helper program has returned a response that is too long
OOBA-001 — No OOBA handle exists for a given set of configuration parameters
OOBA-100 — The OOB authentication server cannot communicate with proxies
OOBA-101 — The OOB authentication server cannot communicate with proxies
OOBA-102 — The OOB authentication server cannot communicate with proxies
OOBA-103 — The OOB authentication server cannot communicate with proxies
OOBA-104 — The OOB authentication server cannot communicate with proxies
OOBA-105 — Proxy cannot terminate using a session table file properly
OOBA-106 — Proxy cannot terminate using a session table file properly
OOBA-107 — The proxy cannot communicate with the authentication server
OOBA-108 — Contents of the OOB authentication session table is not valid
OOBA-109 — The OOB authentication server cannot release its session table
OOBA-800 — Limit for number of OOB authenticated users has been reached
OOBA-801 — A user name does not fit into the OOBA session table entry
OOBA-802 — List of groups does not fit into the OOBA session table entry
OSSL-000 — The proxy tried to initialize OpenSSL twice
OSSL-001 — No SSL context exists for a given set of configuration parameters
OSSL-002 — The required feature is not implemented in OpenSSL
OSSL-100 — An SSL context cannot be created
OSSL-101 — Cipher list for an SSL context cannot be set
OSSL-102 — The proxy cannot initialize OpenSSL error logging
OSSL-103 — Contents of the SSL error queue
OSSL-104 — The proxy cannot load a certificate for SSL/TLS
OSSL-105 — The proxy cannot load its private key
OSSL-106 — The proxy cannot load a certificate revocation list
OSSL-107 — The proxy cannot load a certificate revocation list
OSSL-108 — The proxy cannot load a certificate revocation list
OSSL-109 — Parameters for ephemeral DH key exchange cannot be created
OSSL-110 — Parameters for ephemeral DH key exchange cannot be created
OSSL-111 — A structure representing a new SSL/TLS connection cannot be created
OSSL-112 — The OpenSSL library cannot attach to a TCP connection
OSSL-113 — An SSL/TLS operation failed due to an OS-level I/O error
OSSL-114 — An SSL/TLS operation failed due to an error at the OpenSSL library level
OSSL-115 — The underlying TCP connection has been unexpectedly closed
OSSL-116 — A system call has failed during an SSL/TLS operation
OSSL-117 — The proxy cannot load certificates of trusted certification authorities
OSSL-118 — The proxy will not use a certificate revocation list
OSSL-121 — The session id context cannot be set for an SSL context
OSSL-130 — The SSL session cache cannot be initialized
OSSL-131 — The SSL session cache cannot be initialized
OSSL-134 — The SSL session cache cannot be initialized
OSSL-156 — The process cannot access the SSL/TLS session cache
OSSL-157 — The SSL/TLS session cache cannot be unlocked
OSSL-158 — An SSL/TLS session obtained from the session cache is unusable
OSSL-159 — An SSL/TLS session obtained from the session cache is unusable
OSSL-160 — The process cannot access the SSL/TLS session cache
OSSL-161 — The process cannot access a cached SSL/TLS session
OSSL-162 — The process cannot access the SSL/TLS session cache
OSSL-600 — The peer has not presented a certificate during SSL/TLS handshake
OSSL-601 — Peer's certificate could not be verified
OSSL-602 — Information about a valid peer certificate
OVPN-001 — Openvpn failed to start the client connect script
OVPN-098 — Final startup failure message
OVPN-099 — Final startup failure message
OVPN-101 — Failed to exec the openvpn daemon
OVPN-102 — Error during accepting a connection on a socket
OVPN-103 — Failed to open the socket for reading
OVPN-104 — Failed to read line from the management socket
OVPN-105 — Connection from client has been closed before accepted
OVPN-107 — Openvpn configuration provider failed to create the server socket
OVPN-108 — Failed to bind the unix-domain socket
OVPN-109 — Failed to listen on the server socket
OVPN-111 — Failed to create the client socket
OVPN-112 — Cannot establish a connection to the openvpn management socket
OVPN-113 — The parent process tried to signal its children and received an error
OVPN-114 — An error occurred during waiting for a child process
OVPN-115 — Failed to unlink the socket file
OVPN-116 — Openvpn failed to execute the client-connect script
OVPN-301 — Openvpn configuration provider failed to read the row
OVPN-302 — Openvpn policy enforcement failed to read the row
OVPN-405 — Client is connected without permission, it will be disconnected now
OVPN-406 — Openvpn policy enforcement client disconnection report
OVPN-408 — Failed to load the client connect script
OVPN-410 — Client is disabled now
OVPN-501 — Failed to reread the configuration
OVPN-502 — Openvpn section must reference an interface of the correct type
OVPN-503 — Ifconfig-pool address must respect the interface range
OVPN-504 — Ifconfig-push address must respect the interface range
OVPN-505 — Address pushing in OPENVPN must respect the INTERFACE type
OVPN-506 — OPENVPN pushing address collision
OVPN-507 — Interface not specified for openvpn
OVPN-508 — Invalid interface type referenced in the openvpn section
OVPN-510 — Ifconfig-pool collides with the ifconfig-push address
OVPN-511 — OPENVPN pushing address must not collide with the INTERFACE address
OVPN-512 — Ifconfig-ipv6-pool address must respect the interface IPv6 network range
OVPN-513 — Ifconfig-ipv6-push address must respect the interface IPv6 range
OVPN-514 — Items PROTO, LOCAL and REMOTE must respect each other's address family
OVPN-515 — Ifconfig-ipv6-pool collides with the ifconfig-ipv6-push address
OVPN-701 — Unknown command to the openvpn config provider
OVPN-702 — Failed to serve the client
OVPN-703 — Failed to connect to the openvpn manage socket
OVPN-705 — Failed to disconnect the client
OVPN-706 — Failed to list the connected clients
OVPN-707 — Openvpn management command failed
OVPN-709 — Reading the contents of file was unsuccessful
OVPN-712 — Failed to obtain the status from the openvpn
OVPN-801 — Openvpn config provider failed to serve the client
OVPN-802 — Openvpn parent process failed to create a child process
OVPN-806 — Too many openvpn terminated child processes
OVPN-807 — Openvpn parent process detected the reload request
PFCD-720 — PF configuration daemon failed to load new PF tables
PFCD-820 — PF tables refresh report
POP3-100 — The main loop for serving clients (tcpserver) failed
POP3-101 — ALTQ queue assignment has failed
POP3-200 — Cannot change source address of a connection to a server
POP3-201 — The proxy cannot initialize a connection to a server
POP3-202 — The proxy cannot initialize a connection to a server
POP3-700 — Session ACL has been processed
POP3-701 — Command ACL has been processed
POP3-702 — A client has been disconnected from the proxy
POP3-704 — A new client has connected to the proxy
POP3-705 — The source address of a connection to a server has been changed
POP3-710 — A command has been denied by ACL
POP3-711 — A capability has been denied by ACL
POP3-712 — An unimplemented capability received from the server
POP3-800 — Proxy initialization failed
POP3-801 — An error occurred during searching SESSION-ACLs
POP3-802 — The client has been denied by SESSION-ACL
POP3-803 — The proxy is unable to verify user authentication
POP3-804 — The proxy does not know a server address to connect to
POP3-805 — Initial processing of a new client connection has failed
POP3-806 — Proxy cannot start SSL/TLS on the client connection
POP3-807 — Proxy cannot start POP3 protocol
POP3-808 — An error occurred during searching COMMAND-ACLs
POP3-809 — The client has been denied by COMMAND-ACL
POP3-810 — Limit for session duration has been reached
POP3-811 — The client is sending too much data
POP3-812 — The server is sending too much data
POP3-813 — Proxy cannot start SSL/TLS on the server connection
POP3-814 — The session has been idle for too long
POP3-815 — Proxy cannot create module for sending a processed mail to the client
POP3-820 — The client has unexpectedly disconnected from the proxy
POP3-821 — The server has unexpectedly disconnected from the proxy
POP3-823 — A client command line is too long
POP3-824 — A capability line is longer than the configured limit
POP3-825 — A server response line is too long
POP3-826 — An authentication challenge line is too long
POP3-827 — An authentication answer line is too long
POP3-829 — A command line is longer than the configured limit
POP3-830 — A line with capability is too long
POP3-831 — The command from the client is bad
POP3-832 — A response line is longer than the configured limit
POP3-833 — The response from the server is bad
POP3-835 — A mail line is longer than the configured limit
POP3-836 — The command from the client is bad
POP3-837 — A mail being retrieved from the server is too big
POP3-838 — A mail line is longer than the configured limit
POP3-840 — A mail message contains a line that is too long
POP3-841 — The proxy does not understand a server response
POP3-850 — Proxy cannot store a mail for processing
POP3-851 — A mail cannot be processed
POP3-852 — A mail has been rejected by DOC-ACL
POP3-853 — A mail has been rejected by MAIL-ACL
POP3-860 — Information about selected MAIL-ACL
POP3-861 — Proxy cannot create module for processing a mail
PRXY-132 — Switching list of groups from root to another user failed
PRXY-133 — Switching real and effective GID from root to another user failed
PRXY-134 — Switching real and effective UID from root to another user failed
PRXY-135 — Setting login class for the proxy user failed
PRXY-139 — Proxy cannot change its root directory
PRXY-251 — Socket option failed to be set on the socket
PRXY-500 — Application configuration missing
PRXY-501 — Application configuration is not unique
PRXY-521 — No USE-RESOLVER used
PRXY-523 — Resolver configuration reduced
PRXY-530 — Invalid run-time user specified
PRXY-531 — Application cannot change its root directory if not started by root
PRXY-533 — Application cannot be switched to unknown user
PRXY-541 — Working directory specification invalid
PRXY-549 — Application cannot create working directory
PRXY-550 — The application cannot resolve an address it should be listening on
PRXY-551 — The given IP address is not configured on any interface
PRXY-552 — No server address to listen on
PRXY-554 — Failed to prepare the server address
PRXY-734 — The proxy was switched from root to some other user
PRXY-739 — Proxy changed its root directory
PRXY-950 — Listening socket has been prepared
PRXY-953 — Listen-on address protocol family was deduced
PRXY-954 — Listen-on address protocol family was deduced
RCSL-719 — Configuration file inconsistency warning
RDST-201 — Client has closed connection too early
RDST-901 — Function realdest() has started its operation
RDST-902 — Function realdest() has finished its operation
RSLV-180 — Resolver mapping file inaccessible
RSLV-213 — DNS resolution failed
RSLV-330 — Resolver got response with too many resource records
RSLV-331 — Resolver got response with too many strings
RSLV-589 — Resolver pool directory misconfigured
RSLV-730 — Nameserver response inconsistency message
RSLV-735 — Nameserver response contains invalid CNAME chain
RSLV-739 — Nameserver response contains no applicable data
RSLV-741 — Query section of the answer does not match one of request
RSLV-761 — Nameserver response contains invalid name
SDPB-710 — SDP line misformed
SDPB-720 — SDP line misformed
SDPB-721 — SDP version unrecognized
SDPB-740 — SDP line misformed
SDPC-120 — Data port assignment failure
SDPC-310 — Data channel table exhausted
SDPC-800 — SIP data channel closed
SIPB-710 — SIP method recognition message
SIPB-719 — SIP line misformed
SIPB-750 — SIP line misformed
SIPB-751 — SIP line misformed
SIPB-760 — SIP line misformed
SIPB-781 — SIP line misformed
SIPB-789 — SIP line misformed
SIPC-180 — Routing table search failed
SIPC-232 — Control connection attempt unsuccessful
SIPC-310 — Control channel table exhausted
SIPC-330 — Control channel table exhausted
SIPC-340 — Control message line too long
SIPC-341 — Control message unrecognized
SIPC-588 — Listening socket missing for outgoing direction
SIPM-380 — Control message too long
SIPM-753 — Unsupported document body in SIP message
SIPM-759 — SIP message misformed
SIPP-119 — Syscall select() in main proxy loop failed
SIPP-700 — Notification about the mode of operation of the proxy
SIPP-701 — The proxy has been initialized and is ready to accept packets
SIPP-708 — The proxy has unbound the sockets used for listening for clients
SIPP-709 — The proxy has finished
SIPR-719 — Incomplete request removed
SIPR-729 — Request was not finished in time
SIPR-739 — Proxy rejects request
SIPR-740 — Client registration not accepted
SIPR-741 — Client registration not accepted
SIPR-745 — Call transfer requested by user
SIPR-751 — Misplaced ACK/CANCEL request
SIPR-759 — Misplaced ACK/CANCEL request
SIPR-760 — Response message not accepted
SIPR-761 — Request matching response not found
SIPR-762 — Misordered response to request received
SIPR-769 — Cannot match response to request
SIPR-800 — Response to request arrived and forwarded
SIPS-130 — Routing table search failed
SIPS-310 — Session table exhausted
SIPS-311 — Session table exhausted
SIPS-530 — Listening socket missing for server session transaction
SIPS-710 — Received request that cannot establish session
SIPS-730 — Next-hop for request cannot be determined
SIPS-760 — Configured IDLE-TIMEOUT expired
SIPS-800 — Session has started, unmatched request arrived
SIPS-801 — Session initialized, proxy is ready to mediate communication
SIPS-809 — Session finished
SIPS-821 — SESSION-ACL search report
SIPS-822 — REQUEST-ACL search report
SIPY-111 — SIP YP map file corrupted
SIPY-113 — SIP YP map file corrupted
SIPY-119 — SIP YP map is corrupted
SIPY-510 — SIP YP map format is older than proxy version
SLOG-009 — Application has improperly started
SLOG-011 — Improper combination of arguments to opentnslog() function
SLOG-020 — Logging function called with unknown severity code
SLOG-100 — Backup log file cannot be opened
SLOG-110 — Forwarding log to file failed
SLOG-120 — A process cannot terminate its logging to memory correctly
SLOG-121 — A file with memory log of a process cannot be deleted
SLOG-122 — The process cannot perform logging into memory
SLOG-123 — The process cannot perform logging into memory
SLOG-500 — The process cannot perform logging into memory
SLOG-501 — The process cannot perform logging into memory
SLOG-700 — Application initial log message
SLOG-701 — Process initial log message
SLOG-702 — Change of program identification in log
SLOG-703 — PID suffix will be used
SLOG-704 — Communication to syslog daemon successfully reopened
SLOG-710 — Log destination changed to file
SLOG-711 — Log destination changed to standard error
SLOG-712 — Log destination changed to syslog daemon
SLOG-713 — Re-introduction log message
SLOG-714 — A memory log file has been successfully initialized for a process
SLOG-720 — Logging level changed to a new value
SMTB-350 — Header too long
SMTB-750 — Header contains invalid character
SMTB-751 — Header contains invalid quoted character
SMTB-752 — Header contains unpaired parenthesis
SMTB-753 — Header contains incorrect quoting
SMTB-760 — No semicolon found between header arguments
SMTB-761 — Unquoted character occurred in header
SMTB-762 — Illegal character used in structured header
SMTB-780 — MIME header syntax error
SMTB-781 — Incomplete value in MIME header
SMTB-789 — Mail or MIME header RFC violation
SMTC-541 — Header modification too long
SMTC-542 — Incorrect character found in header modification configuration
SMTC-560 — Mailbox address incorrect
SMTC-561 — Mailbox address incorrect
SMTC-562 — Mailbox address incorrect
SMTC-563 — Mailbox address incorrect
SMTC-564 — Mailbox address incorrect
SMTC-565 — Mailbox address incorrect
SMTC-569 — SMTP forwarders misconfiguration
SMTD-100 — ACL search failed
SMTD-300 — Cannot read mail body line
SMTD-320 — Message MIME structure is too large
SMTD-340 — Mail will not be sent as-is, it must be re-assembled from parts
SMTD-360 — Cannot write mail body line
SMTD-511 — Incorrect header modification defined in configuration
SMTD-700 — Possible forwarding loop
SMTD-720 — Incorrect MIME specification
SMTD-721 — Incorrect multipart MIME boundary definition
SMTD-722 — Invalid Content-Transfer-Encoding
SMTD-726 — Mail text does not contain any boundary line
SMTD-727 — Boundary regeneration failed
SMTD-728 — Header and body not separated
SMTD-729 — MIME structure corrupted
SMTD-739 — Final message reporting mail/MIME header error
SMTD-742 — Incorrect character found in mail body
SMTD-790 — Non US-ASCII mail not correctly declared
SMTD-803 — DOC-ACL search report
SMTI-502 — SMTP forwarder contains too many servers
SMTI-520 — Incorrect black-list configuration
SMTI-552 — Antivirus configuration inconsistency
SMTI-553 — QUARANTINE configuration must be specified
SMTI-554 — SMTP proxy QUARANTINE configuration inconsistent
SMTI-555 — GREY-LISTING configuration must be specified
SMTP-090 — TCP server returned with error
SMTP-099 — Final startup failure message
SMTP-104 — The proxy cannot use SSL/TLS
SMTP-239 — Control socket closed by peer
SMTP-738 — I/O operation on socket failed
SMTP-801 — Session has started, client connection has arrived
SMTP-809 — Session finished
SMTR-101 — ACL search failed
SMTR-105 — ALTQ queue assignment has failed
SMTR-109 — Session initialization failed
SMTR-169 — Mail storing failed
SMTR-181 — Quarantine storing failed
SMTR-202 — The proxy cannot establish an SSL/TLS secure channel from the client
SMTR-300 — The proxy has received a line longer than the protocol-defined maximum
SMTR-310 — Mail size reached configuration limit
SMTR-330 — Mail too big
SMTR-500 — Mail cannot be sent due to unknown forwarder
SMTR-510 — Cannot force source address in SESSION-ACL
SMTR-540 — Configuration does not cover fatal error
SMTR-601 — Unknown client - access denied
SMTR-602 — Unknown client - access denied
SMTR-603 — Client found in black list
SMTR-609 — Client sent too many bad commands
SMTR-640 — Client sent too many RCPT commands
SMTR-641 — Client sent too many bad RCPT commands
SMTR-700 — SMTP command processing report
SMTR-701 — Unknown command sent by client
SMTR-702 — Incorrect character in SMTP command
SMTR-703 — Client has not closed session
SMTR-709 — Session idle timeout reached
SMTR-710 — SMTP command syntax error
SMTR-712 — SMTP command parameter syntax error
SMTR-719 — SMTP command arguments not valid
SMTR-730 — MAIL BODY parameter value not valid
SMTR-740 — Recipient change report
SMTR-750 — No valid recipient remained
SMTR-760 — The proxy has received a line with an unencoded leading dot
SMTR-769 — EOF encountered during mail reception
SMTR-801 — SESSION-ACL search report
SMTR-802 — DELIVERY-ACL search report
SMTR-803 — MAIL-ACL search report
SMTR-811 — Opening mail report message
SMTR-819 — Final mail report message
SMTS-105 — ALTQ queue assignment has failed
SMTS-202 — The proxy cannot establish an SSL/TLS secure channel to the server
SMTS-208 — Forwarder closed connection not using the x21 message
SMTS-209 — Forwarder has sent x21 message
SMTS-300 — Forwarder sent a line that is too long
SMTS-500 — Trivial configuration loop danger
SMTS-533 — Address to be forced as source toward the server cannot be resolved
SMTS-600 — Forwarding channel does not satisfy proxy SSL requirements
SMTS-700 — Forwarder sent unexpected response
SMTS-708 — Mail forwarding failed
SMTS-709 — Session idle timeout reached
SMTS-711 — Forwarder sent incorrect response
SMTS-720 — Forwarder sent unknown response
SMTS-729 — Negative response received from forwarder
SMTS-730 — Forwarder uses incorrect ESMTP option
SMTS-739 — Forwarder rejects connection from proxy
SMTS-740 — Recipient accepted/refused by forwarder
SMTS-741 — Incorrect mail for 7bit forwarders
SMTS-750 — Forwarder rejects mail body
SMTS-815 — Sending mail report message
SMTT-500 — Triplicator called for configuration w/o grey-listing
SMTT-740 — Triplet database modification failed
SMTT-741 — Triplet database modification incorrect - bad state
SMTT-742 — Triplet database modification incorrect - bad date/time
SMTT-743 — Triplet database modification incorrect - invalid IP address
SMTT-744 — Triplet database modification incorrect - bad sender/recipient address
SMTT-749 — Triplet database modification incorrect
SMTT-810 — Triplet information display
SMTT-820 — Triplet database statistical information
SMTT-830 — Final report message from triplet database cleanup
SMTV-371 — Checked domain SPF definition incorrect
SMTV-388 — Domain name stripped during SPF verification
SMTV-389 — Checked domain SPF definition incorrect
SMTV-540 — Grey-listing database filename too long
SMTV-712 — SPF processing truncated
SMTV-750 — Checked domain SPF definition incorrect
SMTV-751 — No SPF definition for domain verified
SMTV-752 — Checked domain SPF definition incorrect
SMTV-758 — SPF processing truncated
SMTV-759 — Final SPF processing message
SMTV-761 — Checked domain SPF definition incorrect
SMTV-762 — Checked domain SPF definition incorrect
SMTV-763 — Checked domain SPF definition incorrect
SMTV-771 — Checked domain SPF definition incorrect
SMTV-772 — Checked domain SPF definition incorrect
SMTV-780 — Checked domain SPF definition incorrect
SMTX-590 — Boundary length out of bounds
SQLP-090 — TCP server returned with error
SQLP-099 — Final startup failure message
SQLP-100 — Proxy main loop select call failed
SQLP-104 — Failed to get the original connection destination
SQLP-200 — Proxy main loop timeout reached
SQLP-239 — TCP socket closed by peer
SQLP-500 — Database user checking not allowed in unknown protocols
SQLP-550 — Connect string character set invalid
SQLP-801 — Client connection arrives to proxy
SQLP-808 — Session has started, client connection has arrived
SQLP-809 — Session finished
SQLS-105 — ALTQ queue assignment has failed
SQLS-110 — ACL search failed
SQLS-119 — The proxy is unable to verify user authentication
SQLS-131 — Connection to server failed
SQLS-230 — Target server name cannot be resolved to IP address
SQLS-231 — Target server cannot be connected within timeout period
SQLS-232 — Target server connection failed
SQLS-239 — TCP socket closed by peer
SQLS-530 — Next-hop server/proxy name cannot be resolved to IP address
SQLS-531 — Next-hop server/proxy cannot be connected within timeout period
SQLS-532 — Next-hop server/proxy connection failed
SQLS-533 — Address to be forced as source toward the server cannot be resolved
SQLS-700 — TNS protocol version information
SQLS-711 — TNS protocol checksum is not zero
SQLS-719 — SQL*Net service name exceeds configured limit
SQLS-730 — SQL*Net proxy cannot determine target server
SQLS-732 — Unexpected packet type received
SQLS-740 — Packet exceeds Session Data Unit
SQLS-741 — Packet length less than header size
SQLS-742 — Data offset points into packet structure
SQLS-743 — Packet is too short to contain data
SQLS-747 — Server offers TDU less than SDU
SQLS-748 — Server offers SDU out of valid range
SQLS-749 — Transparent Network Substrate layer error
SQLS-750 — Connect packet contains invalid connect string
SQLS-751 — Connect packet contains invalid connect string
SQLS-752 — Connect packet contains invalid connect string
SQLS-753 — Incorrect character found in attribute name
SQLS-754 — Real destination server cannot be determined
SQLS-759 — Connect packet contains invalid connect string
SQLS-760 — Connect string must contain named attribute
SQLS-761 — Named attribute of connect string must be string
SQLS-762 — Named attribute of connect string must be list
SQLS-763 — Named attribute of connect string value invalid
SQLS-771 — Too many redirection packets encountered
SQLS-781 — Continuation packet exceeds total packet size
SQLS-782 — Total length of fragmented message not reached
SQLS-783 — MORE flag set in packet completing whole message
SQLS-784 — Connect/redirect string packet split at incorrect offset
SQLS-810 — ACL decision has been made, session either accepted or rejected
SQLS-819 — Proxy user authentication finished
SQLS-820 — ACL decision has been made, operation either accepted or rejected
SQLS-831 — Connection to server was refused
SQLS-832 — Connection to server was redirected to another server
SQLS-840 — Session initialized, proxy is ready to mediate communication
SQLS-850 — Connect string parser message
SQLT-620 — SQL*Net RPC session authentication started
SQLT-621 — Database user successfully authenticated by SQL server
SQLT-622 — Database user logged off
SQLT-628 — Database user logon failed
SQLT-629 — Database user not allowed by configuration
SQLT-720 — Logon packet has incorrect format
SQLT-721 — Logon packet contains too long a user name
SQLT-722 — Logon packet contains user name with invalid characters
SQLT-723 — SQL*Net RPC LOGON partially misunderstood
SQLT-725 — SQL*Net proxy cannot recognize RPC LOGON encoding
SQLT-727 — SQL*Net proxy registered database authentication result
SQLT-728 — Incorrect logging sequence
SQLT-729 — SQL*Net Remote Procedure Call received w/o authentication
SQLX-501 — Cannot use DB-USER for unknown protocol versions
TCPC-100 — Socket for outgoing connection not created
TCPC-210 — Function tcpclient() has successfully connected to server
TCPC-218 — Connection to one of server's IP addresses failed
TCPC-219 — Function tcpclient() failed to connect to server
TCPC-229 — Source network address translation failed
TCPP-104 — The main loop for serving clients (tcpserver) failed
TCPP-105 — ALTQ queue assignment has failed
TCPP-124 — The proxy cannot use SSL/TLS
TCPP-200 — Proxy cannot configure NAT address mapping on connection to server
TCPP-201 — Proxy cannot initialize data related to server connection
TCPP-202 — Proxy cannot create modules for communication with the server
TCPP-300 — Configured maximum size of data from server to client exceeded
TCPP-301 — Configured maximum size of data from client to server exceeded
TCPP-701 — Reports NAT mapping of source address of the server connection
TCPP-710 — A new proxy session has been started
TCPP-711 — A proxy session has terminated
TCPP-712 — Reports ACL used for this session
TCPP-801 — Proxy cannot create modules for communication with the client
TCPP-802 — The proxy cannot establish an SSL/TLS secure channel from the client
TCPP-803 — The proxy cannot establish an SSL/TLS secure channel to the server
TCPP-804 — The proxy is unable to verify user authentication
TCPP-805 — The proxy cannot initialize client data filtering
TCPP-806 — The proxy cannot initialize server data filtering
TCPP-850 — Some unexpected error occurred when searching ACLs
TCPP-851 — No ACL matches the connection from the client
TCPP-852 — The ACL matching the client connection denies access
TCPP-853 — The proxy does not know to which server it should connect
TCPS-001 — The parent process encountered a child process in unknown state
TCPS-002 — The child process encountered an unknown command from the parent
TCPS-104 — Error during waiting for a connection on multiple sockets
TCPS-105 — Error during accepting a connection on a socket
TCPS-109 — Cannot allocate memory for communication between parent and children
TCPS-110 — Cannot deallocate memory for communication between parent and children
TCPS-113 — Allocation of file descriptor array by malloc() failed
TCPS-118 — Trying to kill a superfluous child which already terminated
TCPS-119 — Killing a superfluous child failed
TCPS-120 — Parent failed when trying to create a new child process
TCPS-123 — The parent process tried to signal its children and received an error
TCPS-124 — The parent process tried to signal its children and received an error
TCPS-125 — Getting exit status of a terminated child process returned error
TCPS-128 — Connection from client has been closed before accepted
TCPS-500 — There are some invalid values in the configuration
TCPS-501 — There are some invalid values in the configuration
TCPS-502 — There are some invalid values in the configuration
TCPS-503 — There are some invalid values in the configuration
TCPS-700 — Notification about the mode of operation of the proxy
TCPS-701 — The parent process finds out that all its children terminated
TCPS-702 — The parent process finds out that a child was terminated by a signal
TCPS-704 — The parent process finds out that a child exited
TCPS-705 — The select() syscall returned and reported no ready file descriptor
TCPS-706 — The proxy accepted a new connection from a client
TCPS-707 — A client connection was handled
TCPS-708 — Log level incremented in response to a received signal
TCPS-709 — Log level decremented in response to a received signal
TCPS-710 — Graceful proxy termination is performed after receiving a signal
TCPS-711 — Immediate proxy termination is performed after receiving a signal
TCPS-712 — Log level incremented in response to a received signal
TCPS-713 — Log level decremented in response to a received signal
TCPS-714 — The proxy parent process is waiting for termination of children
TCPS-715 — Connection to a client was closed, proxy is waiting for another client
TCPS-716 — The proxy has received an information request signal
TCPS-717 — Statistical message about management of child processes
TCPS-718 — The proxy has been initialized and is ready to accept packets
TCPS-719 — Termination of a proxy process by a signal
TCPS-722 — The proxy has unbound the sockets used for listening for clients
TCPS-723 — The proxy has finished
TCPS-730 — Log file will be reopened
TCPS-731 — An alternative locking algorithm will be used
TCPS-732 — The standard flock(2) locking algorithm will be used
TCPS-800 — An address in an unsupported address family was specified for a socket
TCPS-802 — There is no place for storing the state of a new process
TCPS-804 — A client connection was finished with error
TCPS-805 — The child process with given PID cannot be found in the scoreboard
TCPS-810 — The configured maximum of proxy child processes has been reached
TCPS-811 — The tcpserver cannot be initialized properly
TCPS-812 — Proxy runtime monitoring support cannot be initialized
TCPS-813 — The tcpserver cannot be initialized properly
TCPS-820 — Failed to build listen-on sockets
TCPS-900 — Information about the number of server sockets
TCPS-902 — The proxy starts serving connections from clients
TCPS-903 — A client connection accepted, handling function will be called
TCPS-904 — A new child process was started
TCPS-905 — Initial set of children is being created
TCPS-906 — The proxy parent process started initial children and continues
TCPS-907 — A proxy child process is terminating itself
TCPS-908 — Immediate child termination is performed after receiving a signal
TCPS-909 — Graceful child termination is performed after receiving a signal
TCPS-910 — Log level incremented in response to a received signal
TCPS-911 — Log level decremented in response to a received signal
TCPS-912 — The child process is superfluous and should exit
TCPS-913 — The child process got SIGHUP, but there is no command from the parent
TCPS-914 — The child process is superfluous and exits
TCPS-915 — There are not enough idle children, parent is creating new ones
TCPS-916 — There are too many idle children, some of them are asked to exit
TEST-500 — Configuration tester expects command as -t option
TEST-530 — Too high phase number requested
UDPP-121 — Udp-proxy was not able to find an ACL appropriate to session
UDPP-709 — The exit code returned by the proxy process to its parent
UDPP-712 — The proxy is unable to verify user authentication
UDPP-810 — A datagram from a client has arrived, a session has started
UDPP-811 — Session initialized, proxy is ready to mediate communication
UDPP-812 — Session finished
UDPP-821 — ACL decision has been made, operation either accepted or rejected
UDPS-011 — An error occurred during waiting for a child process
UDPS-110 — The proxy is unable to create a child process
UDPS-121 — No route to client
UDPS-141 — No route to server
UDPS-242 — The proxy cannot initialize communication with a server
UDPS-320 — The number of active sessions reached table size
UDPS-350 — UDP datagram is being sent
UDPS-360 — The proxy received too large datagram
UDPS-368 — Amount of data transferred exceeded its limit during a session
UDPS-369 — The number of datagrams reached its limit during a session
UDPS-501 — There are no addresses on which the proxy should wait for datagrams
UDPS-510 — The proxy has failed
UDPS-540 — Cannot resolve name needed for server connection
UDPS-541 — Session is non-transparent and no plug-to server found in acl
UDPS-542 — Proxy cannot receive responses from server
UDPS-543 — Cannot use aliased interface for source-port broadcast input and output
UDPS-630 — Data from invalid host on server side socket
UDPS-631 — Data from server occurred in session of one-way type
UDPS-700 — Notification about the mode of operation of the proxy
UDPS-701 — The proxy has been initialized and is ready to accept packets
UDPS-705 — Proxy-specific code encapsulated in special function has finished
UDPS-708 — The proxy has unbound the sockets used for listening for clients
UDPS-709 — The proxy has finished
UDPS-710 — The child process was unexpectedly terminated
UDPS-711 — The child process was unexpectedly terminated by a signal
UDPS-730 — Server address of an any-port or any-sock session will be fixed
UDPS-751 — Session lasts longer than allowed and will be terminated
UDPS-752 — The peer has not sent any data for too long
UDPS-810 — Child process PID info
UDPS-812 — Proxy runtime monitoring support cannot be initialized
URIP-710 — Processing %xx sequences in URI failed
URIP-720 — URI cannot be parsed
IV. Kernun Firewall Reference (7)
access-control — Kernun proxies access control system
auth — client authentication on proxy
cluster — Kernun firewall cluster support
configuration — general syntax of configuration files
data-matching — generic data matching and processing in proxies
doctype-identification — document type recognition methods and configuration
host-matching — configuration semantics of lists of hosts
ips — intrusion detection/prevention system and the related aspects
kernun — signpost to Kernun firewall manual pages
logging — Kernun firewall logging facility
monitoring — Kernun firewall runtime monitoring support
netio — Kernun firewall network I/O layer
port-range-listen — the ability of proxies to listen on a port range and the related aspects
resolving — DNS resolving in Kernun applications
tcpserver — TCP client connections and process management in proxies
time-matching — syntax and semantics of time specification in configuration
traffic-shaping — Kernun firewall traffic shaping support
transparency — network transparency and the related aspects
udpserver — UDP session and process management in proxies
V. Kernun Firewall Reference (8)
bootmgr — tool for configuring Kernun boot manager
cml — Configuration Meta-Language
configure-isds — creates or edits a configuration based on the template isds.cml
dns-proxy — Domain Name System (DNS) proxy
ftp-proxy — File Transfer Protocol (FTP) proxy
gk-proxy — H.323 Gatekeeper RAS proxy
h323-proxy — H.323 Protocol Family proxy
http-proxy — HyperText Transfer Protocol (HTTP) proxy
icap-server — ICAP server for document inspection
imap4-proxy — Internet Message Access Protocol v. 4 (IMAP4) proxy
kat — Kernun Admin Tool
pop3-proxy — Post Office Protocol v. 3 (POP3) proxy
sip-proxy — Session Initiation Protocol (SIP) proxy
smtp-proxy — Simple Mail Transfer Protocol (SMTP) proxy
sqlnet-proxy — Oracle SQL*Net Proxy
sysmgr — tool for Kernun installation, upgrade, backup, and restore
tcp-proxy — transparent generic TCP proxy
udp-proxy — generic UDP proxy

List of Figures

3.1. The System Manager icon in the toolbar
3.2. Installation images in the System Manager
3.3. Selection of the installation target
3.4. The system partitions after the installation
3.5. An error during the installation
3.6. Existing backup files in the GUI
3.7. Parameters of a restore operation
3.8. Final settings after restoring a backup
3.9. Parameters of an upgrade operation
3.10. The conflict resolution window during an upgrade
3.11. Final settings after an upgrade
4.1. GUI Launcher
4.2. Connecting to Server
4.3. GKAT — Kernun management console
4.4. Kernun Manage Page
4.5. System state synchronization dialog
4.6. Process List page
4.7. Process List context menu
4.8. Graphs page
4.9. Top page
4.10. Misc page
4.11. Version
4.12. Proxy Monitor
4.13. Proxy Log
4.14. Main window toolbar buttons, listed together with the corresponding menu items and, where available, keyboard shortcuts
4.15. Example of a simple HTTP filter and marker set
4.16. GUI CML Editor
4.17. Configuration commit dialog
4.18. Bookmarks and relevant sections in GUI CML
4.19. Configuration already locked by other user
4.20. Break lock confirmation
4.21. Configuration and System Manager at the same time
4.22. Configuration unlock failed
4.23. Commit configuration to RCS confirmation
4.24. Initialize RCS confirmation
4.25. Configuration lock broken
4.26. Configuration no longer locked
5.1. Tree structure of the configuration
5.2. Tree structure of the configuration
5.3. Including configuration files and using section variables
5.4. The global level of the initial configuration file
5.5. Various system-level definitions
5.6. Definitions of network interfaces
5.7. Definitions of various network parameters
5.8. An SSH server for administrative access
5.9. The server for handling locally-originated mail
5.10. Hidden proxies and a global ACL
5.11. DNS Proxy
5.12. HTTP Proxy
5.13. FTP proxy
5.14. Proxies HTTPS and SSH
5.15. SMTP Proxy System Sections and Forward Agent
5.16. SMTP Proxy ACLs
5.17. SMTP Proxy Mail Filter
5.18. SMTP Proxy Mail Server in the Internal Network
5.19. IMAP4 Proxy
5.20. POP3 Proxy
5.21. The Kernun running the initial configuration
5.22. The modified configuration
5.23. Activation of the new configuration
5.24. Reconfigured Kernun is running
5.25. TCP proxy general network settings
5.26. TCP proxy ACL settings
5.27. TCP proxy miscellaneous settings
5.28. TCP proxy recapitulation
5.29. Non-transparent TCP proxy ACL settings
6.1. A simple blocking packet filter rule
6.2. A blocking packet filter rule with return
6.3. Option block-policy instead of return in rule
6.4. More specific rule must come first
6.5. Simple antispoofing rule
6.6. Antispoofing rule including routes
6.7. Selective packet forwarding rule
6.8. Mapping NAT rule
6.9. Redirection NAT rule
6.10. Forwarding of ICMP Packets over NAT
6.11. User account configuration
6.12. Network Interfaces
6.13. Static Routes
6.14. rc.conf configuration
6.15. sysctl.conf configuration
6.16. crontab configuration
6.17. Caching Name Server configuration
6.18. DNS Server - Proxy configuration
6.19. DNS Server - BIND configuration
6.20. DHCP configuration
6.21. Minimum NTP server configuration
6.22. Peer for NTP server
6.23. On-board clock with NTP server
6.24. Log of an HTTP request
6.25. Statistics browser window
6.26. Configuration of statistics
6.27. HTTP Proxy listening both in transparent and non-transparent mode
6.28. Configuration of non-transparent mode in Firefox and Microsoft Internet Explorer Web browsers
6.29. Sockstat tab showing the list of all sockets
6.30. Tracking transparent and non-transparent connections in the http-proxy log (the log was filtered, in order to save space).
6.31. Transparency for servers (source-address client)
6.32. A port shared by two applications
6.33. The sip-proxy configured to listen transparently on a port range 5060-5062
6.34. SIP Proxy
6.35. SQL*Net Proxy
6.36. UDP proxy
6.37. Cooperation of HTTP and FTP
6.38. Cooperation of HTTP and FTP
6.39. Authentication methods
6.40. Log of authentication in FTP proxy
6.41. Proxy authentication dialog in a Web browser
6.42. User authentication configuration in the HTTP proxy
6.43. Log of user authentication in the HTTP proxy
6.44. NTLM authentication — section system
6.45. NTLM authentication — section http-proxy
6.46. Configuration of the HTTP authentication proxy
6.47. The user authentication dialog of the HTTP authentication proxy
6.48. The logout confirmation message of the HTTP authentication proxy
6.49. Configuration of the out-of-band authentication
6.50. Login to the OOB authentication server
6.51. Configuration of the connection to the antivirus program
6.52. Use of antivirus in the FTP and HTTP proxies
6.53. Discarding infected messages in the SMTP proxy
6.54. Replacing infected documents in the SMTP proxy
6.55. Replacing infected documents in the POP3 proxy
6.56. Replacing infected documents in the IMAP4 proxy
6.57. Antispam protection for POP3 proxy
6.58. Antispam protection for IMAP4 proxy
6.59. Antispam protection for SMTP proxy
6.60. White- and black-listing for SMTP proxy
6.61. Grey-listing for SMTP proxy
6.62. Content Type detection configuration for HTTP proxy
6.63. HTML filter example
6.64. Mail filter example in use with IMAP4, POP3 and SMTP proxies
6.65. Request URI matching and rewriting
6.66. Log of URI matching and rewriting
6.67. A blacklist in the HTTP proxy
6.68. A log of blacklist usage in the HTTP proxy
6.69. Kernun Clear Web DataBase in the HTTP proxy
6.70. An HTTP proxy configured for use of an external Web filter
6.71. A Web server blocked by the Web filter
6.72. Intrusion detection/prevention system
6.73. Configuration of traffic shaping queues
6.74. Traffic shaping by packet filter ACLs
6.75. Traffic shaping by proxy ACLs
6.76. OpenVPN components in a GKAT window
6.77. RAS: Virtual network settings
6.78. RAS: Physical network settings
6.79. Shared file creation dialog
6.80. RAS: Authentication settings
6.81. RAS: Client settings
6.82. RAS OpenVPN wizard: The resulting configuration
6.83. Net-to-Net OpenVPN wizard: Virtual network settings page
6.84. Net-To-Net OpenVPN wizard: Physical network settings page
6.85. Net-To-Net OpenVPN wizard: Authentication settings page
6.86. Net-To-Net OpenVPN wizard: The resulting configuration
6.87. IPsec components in a GKAT window
6.88. IPsec: General page
6.89. IPsec: Tunnel network settings
6.90. IPsec: Phase 1 negotiation settings
6.91. IPsec: Authentication settings
6.92. IPsec: Phase 2 negotiation settings
6.93. IPsec: Transport physical network settings
6.94. IPsec configuration
6.95. Simple cluster with two nodes and two networks
6.96. Definition of shared IP addresses
6.97. apply-host is used to distinguish the local system from the remote one
6.98. Definition of system variable CLUSTER
6.99. Usage of parameters inside CLUSTER definition
6.100. Use of variable CLUSTER to define two nodes
6.101. Section monitor binds cluster interfaces together
6.102. Preemptive cluster
6.103. IPv6 interfaces
6.104. IPv6 networking parameters
6.105. Proxies with IPv6 support

How to Read the Documentation

The documentation of Kernun consists of several parts; all of them are available in electronic form. The complete documentation is installed with the software in the directories /usr/local/kernun/doc and /usr/local/kernun/man, so it is always available on any Kernun system. The documentation is also contained in the doc directory on the installation CD and is therefore accessible even before the installation. The Kernun documentation is available in the following formats:

Text files

Only a few short documents that should be read before the installation of Kernun are available as plain text files:

KERNUN-CHANGES.txt

List of changes between individual versions of Kernun.

KERNUN-INSTALL.txt

Short installation instructions. This file basically refers to Chapter 3, Kernun System Management in the Kernun Handbook.

KERNUN-RELNOTES.txt

Release notes; various notices concerning the installation, configuration, and use of Kernun.

PDF

The Kernun Handbook, that is, this document. The PDF version of the handbook also contains the reference pages, except for those of section 6. This format is suitable for printing and for reading as a book, basically from the beginning to the end.

HTML

The Kernun Handbook. The HTML version of the handbook also contains all the reference pages. It is available either as a single very long HTML file, or broken into many smaller HTML files. This format is suitable as a reference, with the possibility of hypertext navigation between its parts.

Manual pages

The reference part of the documentation is also available in the form of standard manual pages that can be viewed using the man(1) command. The manual pages are categorized into sections, similarly to the system manual pages. Kernun uses the following manual page sections:

Section 1

User commands, mainly various tools for runtime monitoring and generation of statistics.

Section 5

Configuration. Individual sections of the /usr/local/kernun/conf/kernun.cml configuration file are documented in this section.

Section 6

For each log message, except for the debugging ones, there is a manual page that describes the conditions under which the message is logged and the possible consequences of its appearance in the Kernun log. The names of the manual pages are the IDs of the corresponding messages.

Section 7

The manual pages in this section explain general concepts. They cover features that are common to many parts of Kernun, such as proxies.

Section 8

Administrative commands, including application proxies and configuration management tools.

If you are looking for the description of a Kernun feature, you can find its explanation in Section 8 (if it is a separate program), or in Section 7 (if it is a part of a program). If the feature is configurable, its configuration is defined in detail in Section 5. The corresponding manual pages in Section 5 and Section 7 or 8 often have the same name; they are distinguished only by the section number.

This Handbook will help you learn how to administer Kernun. An overview of the individual products from the Kernun family is given in Chapter 1, Kernun Product Overview, whereas Chapter 2, Kernun Hardware describes the hardware that Kernun comes installed on. The first steps and the installation instructions are provided in Chapter 3, Kernun System Management. At first, it suffices to read only the sections needed for the initial installation (Section 3, “Licensing”, Section 5.1, “Standalone Installer”, and Section 5.2, “Initial Configuration”). Reading the remaining parts of the chapter can be postponed until you need to know more about alternative installation methods, upgrades, backups, or disk layout. If you already have a preinstalled and licensed instance of Kernun, you can skip Chapter 3, Kernun System Management altogether. Chapter 4, User Interface contains an introduction to the graphical and command line administrative interfaces. Beginners will probably find the GUI (Section 1, “Graphical User Interface”) to be the easiest way of controlling Kernun. If, for any reason, you cannot (or do not want to) use the graphical interface, you will find the information about the command line tools in Section 2, “Command Line Interface” and Section 3, “Administrative Utilities”. Once you know how to connect to a running Kernun system, monitor and control its operation, view logs, and edit the configuration, you may learn the principles of the Kernun configuration and find an explanation of the initial configuration generated during the installation in Chapter 5, Configuration Basics. Chapter 6, Advanced features deals with the configuration of advanced features. At any time, details about features, commands, configuration syntax and semantics, as well as the meaning of log messages can be found in the reference pages, which are contained in the Appendix of this Handbook and are also available in the form of manual pages.

Chapter 1. Kernun Product Overview

The Kernun family consists of several products that are each useful for a specific set of network security tasks. We will provide a brief introduction to each of them now. As individual Kernun products contain different subsets of features, not all parts of the configuration are applicable to each of them. The configuration of Kernun is explained in Chapter 5, Configuration Basics and Chapter 6, Advanced features of this handbook. Individual subsections of those chapters specify the Kernun products they are related to.

1. Kernun Net Access (KNA)

Kernun Net Access is a new type of UTM security device that combines multiple features, such as firewall, antivirus, antispam, antispyware, content filtering, intrusion detection and prevention (IDS/IPS), routing, QoS and VPN, in a single package. It has been designed to protect private data networks and DMZ segments (demilitarized zones containing servers with public services, for example WWW, FTP and mail servers, secure remote VPN connections, etc.). It provides antivirus and antispam protection, as well as the ability to block unsuitable protocols (Skype, ICQ, etc.) and unsuitable Web pages.

Kernun Net Access is highly flexible in how a security policy can be implemented. This ranges from simple stateful inspection rules to sophisticated management at the level of application protocols. Thanks to its ability to inspect the contents of each application protocol, this technology is the ideal solution for environments with high security demands.

A typical deployment of the Kernun Net Access technology is on the perimeter of the protected network, as a gateway between the Internet and the internal network. All connections to and from the Internet are authorized or prohibited at a central location. Kernun Net Access also serves as an antivirus and antispam gateway, and as the server where VPN connections of clients working from home or while travelling, as well as VPN tunnels between branches, are terminated. Public service network servers (DMZ) are usually located on another network interface.

2. Kernun Mail Access (KMA)

Kernun Mail Access is an appliance that provides security for e-mail correspondence. It contains antivirus and antispam filters and secure handling of protocols such as SMTP, POP3 and IMAP4. An optional extension contains a fully functional e-mail server with mailboxes and shared electronic calendars.

The technology offers a comprehensive e-mail correspondence and electronic calendar solution for the entire company. It contains tools that ensure inspection and protection of the application protocols SMTP, POP3 and IMAP4, antispam and antimalware inspection, access via a Web interface, and synchronization support for mobile devices (ActiveSync). Kernun Mail Access can handle all electronic communication needs of the entire company.

A typical deployment of the Kernun Mail Access technology is inside the internal company network or within the DMZ network. All e-mail correspondence is directed to this server. Clients have Kernun Mail Access set as their SMTP/POP3/IMAP4/MAPI server. All incoming and outgoing mail is subject to thorough inspection in the corresponding proxy applications.

3. Kernun VPN Access (KVPNA)

Kernun VPN Access is an appliance with which you can create secure, encrypted tunnels between branches. It may also be used by travelling clients to access their private network remotely. It contains a firewall and is compatible with all devices compliant with the IPSec and OpenVPN standards.

The Kernun VPN Access technology provides secure interconnection of geographically distant computer networks. This interconnection creates a robust Virtual Private Network, within which each user may share all documents, databases, disk space and other resources, regardless of where the data is physically stored. This solution is absolutely transparent and offers many advantages to all end users.

Kernun VPN Access also enables users to access the internal network securely from a given computer; this is appreciated especially by managers and travelling employees. Electronic mail, databases, files, printers, and other resources of the internal network will be available to you from anywhere. All you need is a portable computer and a connection to the Internet; Kernun VPN Access takes care of everything else.

Kernun VPN Access supports many popular protocols used when creating private networks, such as IPSec, OpenVPN (SSL-based VPN) and PPTP, making it possible to get connected under any operating system.

In a typical scenario, Kernun VPN Access is deployed either on the perimeter of the internal network, or in the DMZ. All VPN tunnels and end-user connections are terminated in it.

4. Kernun Office Access (KOA)

Kernun Office Access is a high-performance appliance designed for protection of inner segments of private networks, typically in cases when high data throughput is required. This is realized using special hardware and a specific system configuration. This technology is suitable for management of communication between networks that requires extremely high data throughput, usually up to 1 Gb or more.

For example, this technology may protect the segments of a database farm that serves huge amounts of data for a front-end WWW system. Due to security reasons, this system is separated and placed on another network segment. Kernun Office Access ensures high availability between the front-end system and the database farm and, at the same time, manages the operations and protection of the database farm.

5. Kernun Web Access (KWA)

Kernun Web Access is a security-oriented application designed to protect Web servers. It is placed in front of the server and detects hacker attacks before they can reach the server itself. It also provides visualisation of Web visit frequencies and includes an optional module for load balancing (distribution of load among several real Web servers).

In addition to comparing the traffic with a set of samples of known data flows and normalizing it, the system offers basic protection against Denial-of-Service (DoS) attacks, in which the attacker attempts to overload the server with a huge number of requests that seem to be legitimate. Kernun Web Access uses sophisticated algorithms to control the increase in the number of connections coming from each client and thus eliminates many DoS attacks.

Kernun Web Access protects Web servers from attacks performed by means of the HTTP protocol, which is used for Web page and application transfers. The technology detects known attack attempts, including, among others, SQL injection and PHP injection attacks. It also normalizes communication between the Web browser and the server and filters out non-standard or otherwise incorrect requests.

Web servers that do not support encryption using the TLS protocol can also be protected by Kernun Web Access. The Web server may still answer without encryption, but Kernun Web Access adds a secure encrypted envelope to the communication. Using Kernun Web Access, you can design and deploy authenticated access to certain Web pages on the protected server to a limited group of users (supported authentication methods include X.509 certificates, authentication tokens and plain passwords).

Kernun Web Access is placed in the hosting centre. The protected Web server is not directly connected to the Internet, but instead, it communicates with the outside world through the Kernun Web Access technology. This security device controls the Web server's entire communication, normalizes it, and enables standard anonymous access to the Web server, as well as content management and administration to privileged users.

6. Product Summary

The Kernun software features are internally grouped into so-called components, which must be individually licensed in order to work properly. The following table provides a summary of the Kernun components that are included (i.e., licensed) with individual Kernun products.

Component        KNA        KMA        KVPNA      KOA        KWA        [name missing]
dns-proxy        Yes        No         No         Yes        Yes        No
ftp-proxy        Yes        No         No         Yes        Yes        No
gk-proxy         Yes        No         No         Yes        No         No
h323-proxy       Yes        No         No         Yes        No         No
http-proxy       Yes        No         No         Yes        Yes        No
imap4-proxy      Yes        Yes        No         Yes        No         No
pop3-proxy       Yes        Yes        No         Yes        No         No
sip-proxy        Yes        No         No         Yes        No         No
smtp-proxy       Yes        Yes        No         Yes        Yes        No
sqlnet-proxy     Yes        No         No         Yes        Yes        No
tcp-proxy        Yes        No         No         Yes        Yes        No
udp-proxy        Yes        No         No         Yes        Yes        No
mod-antivirus    Optional   Yes        No         No         Optional   No
mod-antispam     Optional   Yes        No         No         No         No
mod-pwf          Optional   No         No         No         No         No
mod-ids-ips      Optional   No         No         Yes        Yes        No
mod-vpn          Yes        No         Yes        No         Yes        Yes
packet-filter    Yes        Yes        Yes        Yes        Yes        Yes
mod-reporter     Optional   Optional   Optional   No         Optional   No
mod-cluster      Optional   Optional   Optional   Optional   Optional   No

The Kernun products are shipped as hardware appliances. For description of the Kernun hardware, see Chapter 2, Kernun Hardware.

Chapter 2. Kernun Hardware

The Kernun products are shipped as hardware appliances. The Kernun hardware comes in the following variants: SOHO, Pro, Enterprise and Enterprise Plus.

Note

Not all combinations of Kernun products and hardware variants are offered. For instance, Kernun Mail Access is available in the SOHO and Enterprise variants. The following table lists the valid combinations.

                       [name missing]   SOHO   Pro   Enterprise   Enterprise Plus
Kernun Net Access      No               Yes    Yes   Yes          Yes
Kernun Mail Access     No               Yes    No    Yes          No
Kernun VPN Access      No               Yes    No    Yes          No
Kernun Office Access   No               Yes    No    Yes          No
Kernun Web Access      No               Yes    No    Yes          No

The individual hardware variants are briefly characterized as follows:

SOHO

The basic 1U rack server hardware with low profile (low depth), low performance, no management and no redundancy options. Recommended for networks with up to 50 users and a 10-Mbps or slower upstream line.

Pro

An advanced 1U rack server with full depth, advanced performance, a management option and no redundancy options. It is suitable for networks with up to 150 users, connected with a 50-Mbps line at the most.

Enterprise

A high-performance 2U rack server, featuring all the available management and redundancy options. This variant is designed for networks with up to 500 users and a 500-Mbps upstream line.

Enterprise Plus

An even better-performing 2U rack server hardware, again with all the available management and redundancy options. Designed for very demanding users, it fits into environments with hundreds or thousands of users and a 1-Gbps connection to the outside world.

The following table gives a summary of the parameters of individual hardware variants:

                       [name missing]   SOHO           Pro            Enterprise     Enterprise Plus
Rack chassis           N/A              1U             1U             2U             2U
Height (cm)            3.00             4.26           4.24           8.64           8.64
Width (cm)             29.00            44.70          42.63          44.43          44.43
Depth (cm)             17.00            38.70          66.04          74.40          74.40
Weight (kg)            0.9              10.5           13.45          23.00          23.00
Processor freq.        500 MHz          2.0 GHz        1.86 GHz       2.0 GHz        3.0 GHz
Processor model        single/32bit     single/64bit   dual/64bit     quad/64bit     quad/64bit
Memory                 512 MB           1 GB           2 GB           4 GB           8 GB
Disk size              2 GB             160 GB         250 GB         300 GB         600 GB
Disk model             CF card          SATA           SATA           SAS            SAS
Hot-plug disks         No               No             No             Yes            Yes
RAID                   N/A              N/A            N/A            RAID 1         RAID 10
Power supply           24 W             400 W          400 W          750 W          750 W
Hot-plug power         No               No             No             Yes            Yes
Power redundancy       No               No             No             Yes            Yes
Max eth. ports         8                4              6              14             14
HW encr. accelerator   Optional         No             No             Optional       Optional
Remote mgmt            No               No             Yes            Yes            Yes

Chapter 3. Kernun System Management

In this chapter, we explain how to create and manage a Kernun installation. The system management tasks include installation, upgrade, system backup and restore. An auditing tool can be used to receive notification of discovered bugs and available new software updates. We also provide information about the use of license files and installation of up to three independent Kernun versions on a single computer.

Kernun uses (slightly modified) FreeBSD as its underlying operating system. Although experience with FreeBSD or another operating system based on Unix would certainly be beneficial when performing advanced administrative tasks, it is not required. Kernun provides its own set of powerful tools for installation, configuration, and monitoring of operation.

1. Installation Media, Releases, and Builds

Each Kernun release is distributed using the following types of distribution media:

CD

A bootable CD that contains the installation tools and the full installation image.

ISO image

An ISO image with the same content as the above-mentioned CD.

Full image

An installable image of the Kernun system partition. It can be installed either using the installer booted from the installation CD, or from a running Kernun system using the Kernun GUI or the sysmgr(8) command line tool. Each full image is uniquely identified by its build number.

Patch image

A patch image contains only the differences between two versions of Kernun, and is therefore much smaller than the full image. Patch images are usually created for maintenance updates. Their sole purpose is to optimize the amount of data that needs to be downloaded in order to update a Kernun installation to the current version. The result of installation is the same, no matter whether the full image or a patch image is used; the only difference is in the size of the image. A patch image is identified by its build number and by the build number of its base image.

Kernun releases are identified by version and build numbers. The version number denotes the source code version of the Kernun software (the operating system, application proxies, administrative tools, preinstalled third-party software packages, etc.). The format of the version number is either 3.0 for releases (containing new features), or 3.0.1 for patch releases (containing bug corrections and minor improvements). Some bug fixes are implemented using the fast development cycle and are distributed as hotfix releases, numbered e.g. 3.0.1-h3.

The build number identifies the particular build, i.e., a binary image that comprises the core Kernun software, the operating system, and third-party software, such as antivirus scanners, system monitoring tools, or administrative utilities. A build number contains the version number (formatted without the dots and with a fixed number of digits), the date and time when the image was created, and the hardware architecture. Examples: 030000h00.200809241501.i386 or 030001h00.200810170823.amd64.

2. Disk Space Layout

Kernun is able to use one or two disk devices. Each disk device is either a physical disk or a logical disk provided by a hardware RAID. The disk space is divided into three system partitions, one data partition, and swap space. In a single-disk configuration, all four partitions and the swap space are located on the single disk. In a two-disk configuration, the system partitions are on one disk, whereas the data partition and the swap space are on the other.

Each system partition may contain a complete Kernun installation including the operating system, application proxies, administrative tools, and additional software. The data partition contains logs, statistics, installation images, and backups. The contents of the data partition are shared by all Kernun installations in the system partitions.

The use of three system partitions minimizes downtimes during reinstallations and upgrades. While the system started from one system partition is fully operational, it is possible to install another version in the second partition. Then the new version can be started by a simple reboot. It is always possible to revert to the old version if anything goes wrong with the new one. The next upgrade will be installed in the first partition while running the system from the second one. In this way, two system partitions can be alternated for subsequent upgrades. The third system partition can be used in a similar fashion, so that two previous versions are always available, or for an alternative installation, e.g. when testing a completely new configuration.

When a system partition is booted, it becomes the root file system. The other system partitions can be mounted to the directories /1, /2, and /3. There are lines in /etc/fstab prepared for this, but the partitions are not mounted automatically. The data partition is always mounted as /data automatically. It contains the following directories:

/data/backup

System backups are stored here. They can be used for restoration or copied to another medium.

/data/dist

This is where Kernun installation images are kept. During each installation, the installed image is stored here for future reuse.

/data/log

This directory contains log files. The log directory /var/log from all system partitions is symlinked here.

/data/rrd

This directory contains database files used to store system data for system performance monitoring, as well as graphs generated from this data.

/data/statistics

Reports with detailed statistics of proxy operation are stored in this directory.

The standard disk space layout is created during the first installation of Kernun on a new computer. It can be re-created or modified using the installer booted from the installation CD, but such action deletes all data on the system and data disks.

Warning

It is strongly recommended not to modify the standard disk layout, as many parts of Kernun depend on it. You may add additional file systems and directories, but do not delete or move any file system or directory created by the Kernun installer.

3. Licensing

Kernun requires a valid license file to operate properly. Without a license file, the software can be installed, the operating system runs allowing both local and remote administrator access, but no licensed component may be started. The licensed components include all application-level network proxies and some additional modules (for example, antivirus, antispam, and Web filter).

The license file is a cryptographically signed text file. It contains the following information:

  • The customer identification

  • An optional identifier used to distinguish different licenses of the same customer

  • A unique serial number

  • The license size (the permitted number of protected network devices)

  • A computer identifier, if the license is valid exclusively with particular hardware.

  • The expiration date, if the license is valid for a limited time.

  • (Only Kernun 3.3 and newer) The expiration date of the upgrade subscription. Before this date, new features (components) added to Kernun are licensed automatically if covered by the subscription. After this date, existing features continue to work (until the optional license expiration date), but new features are not licensed.

  • (Only Kernun 3.2 and older) The release version number, if the license is valid for a single Kernun release (e.g., 3.1) only. The license can be used on all patch releases and hotfixes of the licensed release (e.g., 3.1.2 or 3.1.1-h5), but not on other releases (e.g., 3.2).

  • The list of licensed components.

  • (Only Kernun 3.3 and newer) The list of licensed groups of components. Licenses are usually issued for groups of components. For example, there are groups corresponding to various Kernun products, such as Kernun Net Access or Kernun Mail Access. The use of component groups makes it possible to add new licensed components for users with an active subscription without the need for a new license file.

  • (Only Kernun 3.3 and newer) Various parameters of the licensed components.

  • A cryptographic signature used to verify the integrity of the license.

Note

  • License files from Kernun 3.0 are not valid for 3.1 and newer releases.

  • Licenses from Kernun 3.1 and 3.2 are recognized by Kernun 3.3 and newer.

The license file must be installed as /usr/local/kernun/license.dat. The license file is stored in the system partition and must therefore be reinstalled after each installation or upgrade. The license file can be copied to Kernun either from the command line using SCP, or at the License tab of the GUI System Manager.

The set of configurable components changes depending on the type of the Kernun product and the set of licensed components. For example, if the HTTP proxy is not licensed, it should not be configured. A single configuration file may comprise configurations of many Kernun systems with different products. In each configuration section related to a single system (section system), the product can and should be specified using the product item. The product specification consists of the Kernun software type, the list of licensed components, the list of licensed component groups, and the upgrade subscription expiration value. The product specification should be filled according to the contents of the license file present in the configured system. When the configuration is verified, a check is made that only components usable in the selected products are configured. When the configuration is applied, it is checked that the product specified in the configuration complies with the product installed in the target Kernun system. At the time of writing of this text, there are two product types available:

  • kernun — all Kernun products;

  • unspecified — the product type is not specified and will not be checked when applying the configuration.

The recognized names of licensed components and component groups are the same as in the license files. Components:

  • product-kernun, product-kernun-net-access, product-kernun-mail-access, product-kernun-vpn-access, product-kernun-office-access, product-kernun-web-access, product-kernun-secure-box, product-kernun-secure-box-retail — Kernun product names;

  • dns-proxy, ftp-proxy, gk-proxy, h323-proxy, http-proxy, imap4-proxy, pop3-proxy, sip-proxy, smtp-proxy, sqlnet-proxy, tcp-proxy, udp-proxy — individual proxies;

  • icap-server — server for the ICAP protocol;

  • mod-antivirus — module for communication with an antivirus in proxies;

  • mod-antispam — module for spam checking in mail proxies;

  • mod-pwf — module for communication with an external Web filter in the HTTP proxy;

  • http-cookie — support for special handling of security-related HTTP cookies, for example, various session ID cookies;

  • mod-match, mod-match-replace — module for matching and replacement of HTML form data.

Component groups:

  • kernun-net-access, kernun-mail-access, kernun-vpn-access, kernun-office-access, kernun-web-access, kernun-secure-box, kernun-secure-box-retail — individual Kernun products;

  • modules-data-scanning — modules for security scanning of data, such as the antivirus module;

  • modules-secure-box — special modules for the Kernun Secure Box products;

  • modules-web-filter — modules providing URL-based categorization and filtration of WWW servers.

When the initial configuration file is created (see Section 5.2, “Initial Configuration”), the product type is detected, the currently installed license file is examined, and the system.product item is set appropriately. Therefore, it is recommended to install the license file during the installation of the system, before the initial configuration script is executed. The license file can be installed by the standalone installer, as described in Section 5.1, “Standalone Installer”. If the license file is not installed during the generation of the initial configuration or if a new system is being added to an already existing configuration, the product item must be set manually.

If you set the product item manually, select the correct product type and enter the list of licensed components, the list of licensed component groups, and the upgrade subscription expiration date according to your license file[1]. It is also possible to include the samples/include/products.cml file in the main configuration file. This file contains definitions of variables that can be used instead of the system.product item.

Note

Some products may have optional components. Their respective variables in samples/include/products.cml have a parameter containing the list of licensed optional components. For example, Kernun Net Access with the optional antivirus and antispam modules will be specified as:

$PRODUCT-KERNUN-NET-ACCESS { mod-antivirus, mod-antispam };

Even if no optional components are licensed, the empty list must be written explicitly as the variable's parameter:

$PRODUCT-KERNUN-NET-ACCESS { };

Variables for products without optional components do not have a parameter and are therefore written without the braces:

$PRODUCT-KERNUN-MAIL-ACCESS;

4. Boot Manager

The Kernun boot manager is located on the system disk. It is installed during the initialization of the system performed by the standalone installer. The boot manager displays labels of up to three system partitions and allows selection of the partition to boot from by pressing F1, F2, or F3.

F1   Kernun 3.0 2008/10/01 07:36 (030000h00.200809241501.i386)
F2   Kernun 3.0 2008/10/18 05:21 (030000h00.200810170852.i386)
F3   Kernun 3.0.1 2008/11/15 07:22 (030001h00.200811142135.i386)

Default: F2

If no option is selected, the default one is chosen automatically after a timeout. The Kernun GUI or the command line bootmgr(8) utility can be used to change partition labels, enable and disable booting from individual partitions, and set whether the default boot partition is fixed, or is always changed to the last booted partition.

Anybody with physical access to the Kernun console may select a system partition to boot from, boot a different kernel or kernel modules, or boot to single-user mode and access the system without a password. If the system console is not physically secure, the following actions can be taken to protect the system against unauthorized access:

  1. Disable boot device selection in the BIOS (for example, by setting a BIOS password).

  2. Enable only the desired system partition in the boot manager (using bootmgr(8)).

  3. Add the line “-n” to /boot.config. This prevents interrupting the boot process in stages one and two.

    # printf -- '-n\n' > /boot.config

  4. Protect the loader with a password by adding a password line to /boot/loader.conf. Make the file readable only by root.

    # echo 'password="SECRET"' >> /boot/loader.conf
    # chmod go-rw /boot/loader.conf

  5. Force verification of the root password as a condition for entering single-user mode. Locate the line beginning with “console” in /etc/ttys and change its last word to “insecure”.
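The following Python script is an added example (not part of Kernun or bootmgr(8)) that audits the three file-based protections from steps 3 to 5: the -n option in /boot.config, the loader password and its file mode, and the “insecure” console entry in /etc/ttys. File paths are parameters so the checks can be run on copies of the files; demo() runs them against constructed sample files.

```python
"""Audit the file-based console-hardening steps (3 to 5) listed above.

Added example, not part of Kernun or bootmgr(8). Paths are parameters so the
checks can be run against copies of the files; steps 1 (BIOS) and 2
(bootmgr) are not visible in these files and are not checked here.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List


def boot_config_has_n(path: str) -> bool:
    """Step 3: /boot.config carries the -n option, so boot stages one and two
    cannot be interrupted from the console."""
    if not os.path.exists(path):
        return False
    with open(path) as f:
        return any("-n" in line.split() for line in f)


def loader_conf_problems(path: str) -> List[str]:
    """Step 4: /boot/loader.conf sets a loader password and, because that
    password is stored in clear text, is not readable by group or others."""
    if not os.path.exists(path):
        return [f"{path}: missing, the loader is not password protected"]
    problems: List[str] = []
    with open(path) as f:
        if not re.search(r'^\s*password\s*=\s*"[^"]+"', f.read(), re.M):
            problems.append(f"{path}: no password=\"...\" line")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"{path}: mode {mode:04o} is not go-rw")
    return problems


def console_is_insecure(path: str) -> bool:
    """Step 5: the console entry in /etc/ttys ends with 'insecure', so
    single-user mode asks for the root password."""
    if not os.path.exists(path):
        return False
    with open(path) as f:
        for line in f:
            fields = line.split()
            if fields and fields[0] == "console":
                return fields[-1] == "insecure"
    return False


def audit(boot_config: str, loader_conf: str, ttys: str) -> List[str]:
    """Return one finding per missing protection; an empty list means that
    steps 3 to 5 are all in place."""
    findings: List[str] = []
    if not boot_config_has_n(boot_config):
        findings.append(f"{boot_config}: missing -n, boot stages 1 and 2 can be interrupted")
    findings.extend(loader_conf_problems(loader_conf))
    if not console_is_insecure(ttys):
        findings.append(f"{ttys}: console not 'insecure', single-user mode needs no password")
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the audit on two constructed file sets in a temporary directory:
    one resembling an untouched system and one with steps 3 to 5 applied."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as d:
        def put(name: str, text: str, mode: int = 0o644) -> str:
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write(text)
            os.chmod(path, mode)
            return path

        # Untouched: no boot.config, loader.conf without a password and
        # world-readable, console still marked "secure" (constructed content).
        loader = put("loader.conf", 'autoboot_delay="3"\n')
        ttys = put("ttys", "console\tnone\tunknown\toff\tsecure\n")
        results["default"] = audit(os.path.join(d, "boot.config"), loader, ttys)

        # Hardened: the files as steps 3 to 5 leave them (constructed content).
        boot_config = put("boot.config", "-n\n")
        loader = put("loader.conf", 'autoboot_delay="3"\npassword="SECRET"\n', 0o600)
        ttys = put("ttys", "console\tnone\tunknown\toff\tinsecure\n")
        results["hardened"] = audit(boot_config, loader, ttys)
    return results


if __name__ == "__main__":
    # On a Kernun system, check the real files.
    for finding in audit("/boot.config", "/boot/loader.conf", "/etc/ttys"):
        print(finding)
```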

5. Installation

Kernun can be installed using either the standalone installer booted from the installation CD, or the command line or GUI system management tools. The first installation on a new computer must be done using the standalone installer, which does not require an already installed Kernun with initialized system and data disks and is able to initialize the standard disk layout, as described in Section 2, “Disk Space Layout”. Once there is at least one working Kernun instance on the computer, further installations can be done from it using either the GUI or the sysmgr command line tool. The standalone installer is able to install in any system partition. The GUI and command line installations cannot be performed in the system partition that contains the currently running Kernun instance.

Note

Regardless of the installation method, the newly installed system partition is, by default, enabled in the boot manager and made the default selection for the next boot. The boot manager can be reconfigured using the GUI or the command line utility bootmgr(8).

5.1. Standalone Installer

The standalone installer is normally used only for the first installation on a new computer, after replacing a disk, or if disk repartitioning is needed. In other situations, installation using the GUI (Section 5.3, “Installation from the GUI”) or the command line (Section 5.4, “Installation from the Command Line”) is more comfortable.

To start the standalone installer, you need the Kernun installation CD. You may either obtain the physical CD or burn the ISO image to an empty CD-R or CD-RW medium. Boot from the CD; after the boot loader and kernel messages, the installer menu appears.

*** KERNUN INSTALLATION ***

Build 030000h00.200809241501.i386

1. Install Kernun
2. Check for existing Kernun installations
3. Restore backup
4. Start rescue shell
5. Mount Kernun file systems
6. Resize installer's in-memory temporary file system (current size 32m)
7. Halt
8. Power down
9. Reboot
0. Install license

Select action:

Press 1<Enter>. If the disk partitioning for Kernun has already been done, the device names of the system and data disks are displayed and the installer asks whether you want repartitioning.

Detected Kernun system disk ad0
Detected Kernun data disk ad0
Repartition disks (y/n)?

Reply n to skip disk partitioning. If you reply y or if the disk partitioning has not been done yet, the system and data disks are selected and partitioned first:

Use file system journaling (y/n)? [y] <Enter>
Detected disk devices:
ad0 20480 MB
ad1 40960 MB
Kernun system disk (ad0 ad1) [ad0]: <Enter>
System disk size is 20480 MB
Kernun data disk (ad0 ad1) [ad0]: ad1
Data disk size is 40960 MB

Always select a disk that the BIOS will be able to boot from as the system disk[2]. If there is only one disk device, the selection of devices will be skipped and the single device will be used as both the system disk and the data disk.

Tip

When the installer asks a question, it offers a default value in brackets. Press <Enter> to select the default value.

The installer then sets the partition sizes. Reasonable default values are provided, so it usually suffices to accept them by pressing <Enter>.

Memory size is 4096 MB
System partition size in MB, min. 489 MB [5120]:
Swap partition size in MB [8192]:
Disk ad0 will contain 3 system partitions of size 5120 MB each
Partition ad1s1 will contain 8192 MB of swap and 32768 MB for data
Use these values (y/n)? y
Disk partitioning will delete contents of selected disks,
continue (y/n)? y

If you want to cancel the installation process, answer n to the last question. It will return to the main menu without changing the disk contents.

Warning

Answering y to the “continue” question will initialize the selected system and data disks with the standard disk layout for Kernun. Any existing contents of the disks will be lost.

Messages concerning creation of disk partitions and file systems will then be displayed, followed by:

Current Kernun installations:
Boot manager on /dev/ad0
F1: Unused
F2: Unused
F3: Unused
type=Kernun 1024 B boot manager (74 character labels)
current_booted=
bootable=
update=yes
default_selection=F1
Select partition for installation (1 2 3) [1]:

These lines show the configuration of the Kernun boot manager, see bootmgr(8). The first installation is usually performed in the first system partition, so just press <Enter>. After another confirmation that you want to overwrite the selected system partition, the boot manager label for the newly installed Kernun instance is set. The default label consists of the installed Kernun version, the date and time of installation, and the build number.

Overwrite partition /dev/ad0s1 by new Kernun installation (y/n)? y
Enter the label that will be used to identify this installation in the
boot manager. The label can be at most 44 characters long. The Kernun
build number will be appended after the entered label automatically.
Label [Kernun 3.0 2008/09/25 14:07]: 

After setting the label, the installer creates any missing standard directories in the data partition, creates a new empty file system in the selected system partition, and displays a list of the installation images (identified by build numbers) available on the CD and in the /data/dist directory. If there is more than one image, one can be selected, with the newest image as the default. If the image from the CD is selected, it is first copied to /data/dist. The selected image is then unpacked to the system partition. The /etc/fstab file in the newly installed partition is adjusted according to the system partition number. The build number of the installed Kernun is stored in the /kernun-version file in the system partition. The content of the newly installed Kernun instance is stored in /kernun-installed.fsdb.bz2. This file is used by the backup tools in order to decide which files have changed since the installation and therefore need to be backed up. After the installation is finished, the installer waits for <Enter> and then returns to the main menu.

...
Available installation images:
     1  030000h00.200809241501.i386
Copying installation image to /data/dist
Clearing system partition 1
...
Installing kernun-030000h00.200809241501.i386.tbz to system partition 1
Unpacking image
Removing file system content databases for installed images
Creating /etc/fstab
Writing build number into /kernun-version
Creating file system content database
Installation successfully finished

Press Enter for return to menu...

Optionally, if you have a license file for your newly installed system available, you can install it now. This ensures that the initial configuration script will set the system.product configuration item correctly after reboot. It will also ask whether the licensed proxies should be enabled in the initial configuration. The license installation is done in several steps:

  1. Prepare a USB disk with a UFS or FAT file system.

  2. Copy the license file license.dat to the root directory of the USB disk. Alternatively, if you have some other license files (for example, for the antivirus engine), you can pack them all[3] in the license.tar file in the tar format with all paths relative to the Kernun system root directory.

  3. Do not connect the USB disk yet and select 0 from the installer main menu.

  4. When prompted, connect the USB disk. The license files present will be installed.

Select 9 from the main menu to have the newly installed Kernun booted. You can then perform its initial configuration, as described in the following section.

Note

The /data/dist directory may contain full and patch installation images. A full image can be always installed. A patch image contains only the differences from a base image. Hence the base image must be available in order to install the patch image. The base image may itself be a patch image, and its base image is then required as well. Generally, each patch image requires a continuous sequence of base images starting with a full image followed by zero or more patch images.
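As an added example (not part of Kernun's installer or sysmgr(8)), the following Python code parses build numbers of the form described in Section 1, “Installation Media, Releases, and Builds”, orders them to find the newest image, and walks a patch image's chain of base images to decide whether everything needed to install it is present in /data/dist. The two-digit major/minor/patch grouping of the version digits, and every catalogue entry other than the two build numbers quoted in this handbook, are assumptions made for the example.

```python
"""Parse Kernun build numbers and check that a patch image is installable.

Added example; not part of Kernun or its sysmgr(8) tool. The build-number
layout follows the handbook: version digits without dots, an "h" hotfix
field, the creation timestamp, and the architecture, e.g.
030000h00.200809241501.i386. Splitting the six version digits into two-digit
major, minor and patch fields is an assumption made here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

BUILD_RE = re.compile(
    r"^(?P<major>\d{2})(?P<minor>\d{2})(?P<patch>\d{2})h(?P<hotfix>\d{2})"
    r"\.(?P<stamp>\d{12})\.(?P<arch>\w+)$"
)


@dataclass(frozen=True, order=True)
class Build:
    major: int
    minor: int
    patch: int
    hotfix: int
    stamp: str   # YYYYMMDDhhmm, when the image was created
    arch: str

    @property
    def version(self) -> str:
        """Release form of the version: 3.0, 3.0.1, or 3.0.1-h3 for hotfixes."""
        v = f"{self.major}.{self.minor}"
        if self.patch:
            v += f".{self.patch}"
        if self.hotfix:
            v += f"-h{self.hotfix}"
        return v


def parse_build(text: str) -> Build:
    """Split a build number such as 030001h00.200810170823.amd64 into fields."""
    m = BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Kernun build number: {text!r}")
    return Build(int(m["major"]), int(m["minor"]), int(m["patch"]),
                 int(m["hotfix"]), m["stamp"], m["arch"])


# Catalogue of images in /data/dist: build number -> base build number
# (None for a full image). Constructed for this example; only the first
# two build numbers are ones quoted in the handbook.
IMAGES: Dict[str, Optional[str]] = {
    "030000h00.200809241501.i386": None,                           # full image
    "030001h00.200811142135.i386": "030000h00.200809241501.i386",  # patch
    "030001h03.200812011200.i386": "030001h00.200811142135.i386",  # patch (constructed)
    "030002h00.200901151030.i386": "030001h05.200812201800.i386",  # base not present
}


def install_chain(images: Dict[str, Optional[str]], build: str) -> List[str]:
    """Return the images needed to install `build`, full image first.

    Follows base links until a full image is reached. A missing base or a
    cycle makes the patch image uninstallable and raises ValueError.
    """
    chain: List[str] = []
    current: Optional[str] = build
    while current is not None:
        if current in chain:
            raise ValueError(f"cyclic base chain at {current}")
        if current not in images:
            raise ValueError(f"required base image {current} is not in /data/dist")
        parse_build(current)  # reject malformed names early
        chain.append(current)
        current = images[current]
    chain.reverse()
    return chain


def newest(images: Dict[str, Optional[str]]) -> str:
    """Build number the installer offers as the default (the newest image)."""
    return max(images, key=parse_build)


if __name__ == "__main__":
    for name in IMAGES:
        try:
            print(name, parse_build(name).version, "->", install_chain(IMAGES, name))
        except ValueError as e:
            print(name, "not installable:", e)
```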

5.2. Initial Configuration

When a newly installed Kernun system is booted for the first time, an interactive initial configuration script (/etc/rc/kernun-config) is executed early in the boot process[4]. It prompts the administrator for various basic system parameters, creates and applies the Kernun configuration file, and finishes the boot procedure with the new configuration. The initial configuration can be modified later using the standard Kernun GUI or command line configuration tools.

First, the time zone needs to be set. We recommend using UTC for the CMOS clock: select Yes by pressing <Tab><Enter> in the first dialog. Even if the CMOS clock is currently set to the local time, it is better to select UTC here and adjust the time later using the date(1) command or by configuring NTP; see section ntp in system(5). After selecting the CMOS clock mode, the time zone menu is displayed. Choose the time zone suitable for your location. Then set the administrator password (user root).

After that, a new SSH host key is generated. It is used to authenticate the system to a remote access client[5] (GUI or command line SSH). You should write down the reported key fingerprint and compare it with the fingerprint reported by SSH or the GUI when making the first remote connection to the system. The SSH host keys should be the same for all Kernun installations on the same computer. Therefore, if an SSH host key exists during the installation, it is copied to the newly installed system partition and the generation of a new key is skipped during the initial configuration. The GUI and command line installers look for an SSH host key in the current system partition. The standalone installer takes an SSH host key from the first system partition that contains one and is different from the partition, in which the installation is taking place.

Answer n to the following question (or just press <Enter>) if you want to input the basic configuration parameters and generate the initial Kernun configuration file.

**********************************************************************
Fingerprint of the SSH host DSA key. Compare this value with the value
reported by SSH client or Kernun GUI when connecting in order to check
that you are connecting to this system.

1024 71:0a:ec:8d:dd:9e:e7:2d:2b:91:79:0e:1a:ca:89:2b
        /etc/ssh/ssh_host_dsa_key.pub
**********************************************************************


*** KERNUN INITIAL SYSTEM CONFIGURATION ***

Skip Kernun configuration (y/n)? [n] <Enter>

Two network interfaces are configured in the default configuration: internal, intended to be connected to the protected network, and external, which is typically connected to the Internet. The configuration script asks for the names, IP addresses, and network masks of these interfaces. Then, the DNS server and default router addresses need to be specified. The initial configuration will allow the administrator SSH access from the internal network (using the GUI or a command line SSH client). If you want to allow some application protocols to pass from clients in the internal network to servers in the external network, you can enable the respective proxies. The configuration of the proxies will contain the default values of various parameters, which will be sufficient for the simplest use. More complicated configuration requirements can be implemented later by editing the generated initial configuration file using the GUI or command line configuration tools (modifying proxy configuration, adding new proxies, etc.). An example of the initial configuration setup is given and explained below.

Caution

In many environments, an initial configuration with enabled proxies may violate a security policy. Therefore, it is recommended not to enable any proxy in the initial configuration unless you are sure that you really need it.

Hostname without domain []: fw 1
Domain []: example.com
Show only Ethernet interfaces (y/n)? [y] 2

By repeating the following test with connected and
disconnected network cables, you can determine interface
names of physical network cards.

*** Media state of network interfaces ***
ed0:    media: Ethernet autoselect (100baseTX <full-duplex>)
ed1:    media: Ethernet autoselect (100baseTX <full-duplex>)
Show again (y/n)? [y]
*** Media state of network interfaces ***
ed0:    media: Ethernet autoselect (none) 3
ed1:    media: Ethernet autoselect (100baseTX <full-duplex>)
Show again (y/n)? [y]
*** Media state of network interfaces ***
ed0:    media: Ethernet autoselect (100baseTX <full-duplex>)
ed1:    media: Ethernet autoselect (100baseTX <full-duplex>)
Show again (y/n)? [y] n
Internal interface name (ed0 ed1) []: ed0 4
Internal IP address []: 192.168.10.1
Internal interface netmask [24]:
External interface name (ed0 ed1) []: ed1 5
External IP address []: 192.168.11.2
External interface netmask [24]:
DNS server IP address []: 10.1.1.1 6
Default router IP address []: 192.168.1.1 7
Postmaster e-mail [postmaster@example.com]: 8
Enable some proxies (y/n)? y 9
Enable DNS proxy (y/n)? [n] y
Enable FTP proxy (y/n)? [n]
Enable HTTP proxy (y/n)? [n]
Enable HTTPS proxy (y/n)? [n]
Enable POP3 proxy (y/n)? [n]
Enable IMAP4 proxy (y/n)? [n]
Enable SMTP proxy (y/n)? [n]
Enable SSH proxy (y/n)? [n] y
Hostname:           fw 10
Domain:             example.com
Internal interface: ed0
Internal IP:        192.168.10.1
Internal netmask:   24
External interface: ed1
External IP:        192.168.11.2
External netmask:   24
Name server:        10.1.1.1
Default router:     192.168.11.1
Postmaster e-mail:  postmaster@example.com
Enabled proxies:    DNS SSH

Use these values (y/n)? y 11
    

The configuration begins 1 with setting the host name and the domain name. Then, the internal and external interfaces are selected. First, the available network interfaces are listed. You can choose 2 whether you want to show all interfaces, or just Ethernet interfaces. The interfaces are repeatedly listed with their media states. This can be useful if you are not sure about the names of physical interfaces. You can unplug network cables one by one and observe which interface changes its state. In the example 3, the cable was unplugged from the network interface ed0. The internal 4 and external 5 interface names, IP addresses, and network masks are defined. The DNS server IP address 6 is used by Kernun for domain name resolution. The default router 7 is typically a router in the external network. The postmaster e-mail address 8 is used by the SMTP proxy to forward mail sent to the postmaster.

You can also enable some proxies 9 for access from the internal to the external network. Questions about individual proxies are asked only if you reply y to the initial “enable some proxies” query. Otherwise, all proxies are disabled without further questions. The generated initial configuration file will contain configuration of the disabled proxies as well, with their configuration sections marked as hidden. A proxy can be easily enabled later by unhiding its configuration using the GUI or the command line configuration interface. Only licensed proxies are offered for enabling.

Finally, all values defined during the configuration setup are listed 10. If you are satisfied, reply y 11 and the initial configuration file will be generated and applied. If you reply n, the whole configuration setup will be repeated with the previously specified values as defaults.

After defining values for the initial configuration, the SSH key for remote administrator access is generated. You must enter a passphrase used to encrypt the key. The same passphrase is also used for the initial download of the key from Kernun.

The configuration script will now generate the root's SSH key.
The passphrase for the key will be also used as the password
for initial key download from Kernun GUI.
Enter SSH key passphrase:
Repeat SSH key passphrase:
Generating public/private dsa key pair.
Your identification has been saved in /home/keygen/id_dsa.
Your public key has been saved in /home/keygen/id_dsa.pub.
The key fingerprint is:
33:27:5a:63:53:b1:ba:47:bf:e8:58:4a:d0:f6:d4:d4 root@fw.example.com

The SSH key generation is the last step in the initial configuration process. After that, the normal operation of the newly installed Kernun begins.

The SSH (private) key needs to be downloaded to the administrator's local computer and subsequently copied to any system used by the administrator to access Kernun. The administrator's computer must be in a network routed via the Kernun internal interface, e.g., 192.168.10.0/24 in our configuration example. There is a special user account keygen dedicated to SSH key download. The GUI is able to download the key automatically; you only need to select Initialize new firewall in the Connect to Server dialog. See also Section 1.1, “Kernun GUI Launcher” for details. For command line SSH access, you can either use the key downloaded by the GUI, or download the key manually:

  1. Use SCP to copy the private OpenSSH key (id_dsa), the public OpenSSH key (id_dsa.pub), and the Putty key (key.ppk).

    $ scp keygen@192.168.10.1:* .
    keygen@192.168.10.1's password:
    id_dsa                        100%  736     0.7KB/s   00:00
    id_dsa.pub                    100%  609     0.6KB/s   00:00
    key.ppk                       100%  807     0.8KB/s   00:00
    $ 
  2. Log in to Kernun as user root using the newly obtained key.

    $ ssh -i id_dsa root@192.168.10.1
    Enter passphrase for key 'id_dsa':
    ...
    [root@fw ~]# 
  3. Delete the key files in the home directory of user keygen.

    [root@fw ~]# rm ~keygen/*
  4. Disable the keygen account.

    [root@fw ~]# pw lock keygen
  5. Log out from Kernun.

    [root@fw ~]# logout
    Connection to 192.168.10.1 closed.
    $ 

The steps after the first one are not strictly necessary, but they are recommended for security reasons. Although the secret SSH keys are protected by a passphrase, they should be kept in a secure store that can be accessed only by authorized administrators. If the key is downloaded by the GUI, the key files on Kernun as well as the keygen account are automatically removed when the GUI connects to Kernun with the downloaded key for the first time.

5.3. Installation from the GUI

In this section, we assume that the reader has at least the basic knowledge of the Kernun GUI. An introduction to the Kernun GUI can be found in Section 1, “Graphical User Interface” of this manual. The installation and its related tasks are controlled by the Kernun GUI System Manager, which is accessible using the 1 button in the main window toolbar, as shown in Figure 3.1, “The System Manager icon in the toolbar”.

Figure 3.1. The System Manager icon in the toolbar

The System Manager icon in the toolbar

The installation is done from the Installation images tab in the System Manager window, see Figure 3.2, “Installation images in the System Manager”. It displays a list of available installation images (stored on Kernun in /kernun/dist). An image is marked as installable if it is either a full image, or a patch image with an available base image. The version number, build date, and build number are listed for each image. Installation images can be copied from the administrator's local machine, where the GUI runs, to Kernun by clicking the Upload button. The Download button can be used to copy in the opposite direction. It is also possible to delete a selected image (Remove) or all images older than the selected one[6] (Remove older).

Figure 3.2. Installation images in the System Manager

Installation images in the System Manager

Tip

Each installed image is copied to /data/dist. As the images may consume a lot of disk space on a regularly updated Kernun, it is recommended to delete old images regularly or when you need more space on the data disk. An easy way to do this is to select one of the newest images and click Remove older. It is usually sufficient to retain only the one or two most recent images.

To initiate the installation of the selected image, click the Install button. In the example, we will install the newest (last) installation image from the list. The installation of Kernun can be alternatively initiated using the Install firewall button on the Quick Wizards page. A wizard window (see Figure 3.3, “Selection of the installation target”) appears and prompts you to select the target system partition. It displays the number and label of the system partition that contains the currently running system. This partition cannot be overwritten by the installation. One of the other two system partitions, which are also listed with their labels, needs to be chosen. If you started the wizard from the Quick Wizards page, you are then supposed to choose the desired installation image. Finally, the recapitulation of the selected values is displayed. Click the Finish button to launch the installation process (it deletes all the existing content of the selected partition).

Figure 3.3. Selection of the installation target

Selection of the installation target

Caution

When performing an installation, make sure that you have selected the correct system partition, in order to avoid inadvertently overwriting a system partition that you want to retain.

The installation process takes several minutes; it can be aborted using a button in the progress dialog displayed in the meanwhile. The newly installed system partition is made bootable, but the default boot partition is not changed. The reason is that the new Kernun instance is not configured and until its initial configuration is performed from the console, it will be inaccessible via the network. The boot manager configuration after the finished installation can be viewed in the System Manager's Kernun systems tab, as shown in Figure 3.4, “The system partitions after the installation”. It is possible to change the partition label (using the Change Title button) or make the new system partition the default boot partition (the Set Default button).

Figure 3.4. The system partitions after the installation

The system partitions after the installation

If the installation process terminates because of an error, the output of the failed command is displayed. The example in Figure 3.5, “An error during the installation” shows an error message caused by a corrupted installation image file.

Figure 3.5. An error during the installation

An error during the installation

5.4. Installation from the Command Line

The command line installation functionality is provided by the sysmgr(8) and bootmgr(8) utilities. An installation image that is to be installed must be stored in the /data/dist directory, along with the corresponding base image(s), if it is a patch image. The existing images can be listed using the following command:

[root@fw ~]# sysmgr images
*  030000h00.200809241501.i386
   030000h00.200810170852.i386 1
*  030001h00.200811142135.i386

The installable images are marked with an asterisk. The image 1 is a patch image that cannot be installed, because its base image is missing. Information about the currently installed instances of Kernun can be obtained using the bootmgr command or from the /kernun-version file. In order to get access to this file in other system partitions, the file systems in those partitions need to be mounted first.

[root@fw ~]# bootmgr
Boot manager on /dev/ad0
F1: Kernun 3.0 2008/10/01 07:36 (030000h00.200809241501.i386) 1
F2: Unused
F3: Unused
type=Kernun 1024 B boot manager (74 character labels)
current_booted=1 2
bootable=1
update=yes
default_selection=F1
[root@fw ~]# cat /kernun-version
030000h00.200809241501.i386
[root@fw ~]# mount /2
[root@fw ~]# cat /2/kernun-version
030000h00.200810170852.i386 3
[root@fw ~]# mount /3
mount: /dev/ad0s3a on /3: incorrect super block 4

The bootmgr command displays labels of the system partitions 1 and the number of the system partition that contains the currently running system 2. The second system partition in the example contains another Kernun version 3, even though it was manually relabeled as “Unused”. The third system partition is really unused; it does not even contain a file system 4.

We will install a new Kernun version in the second system partition. We choose the newest version available according to the sysmgr images report. Unlike the standalone installer described in Section 5.1, “Standalone Installer”, the command line installer asks no questions. The image build number and the target system partition number are given on the command line and the installation starts immediately. The standard partition label, containing the Kernun version, date of installation, and build number, is set for the newly installed partition. The initial configuration process (see Section 5.2, “Initial Configuration”) is started after booting from the newly installed system partition.

[root@fw ~]# sysmgr install 2 030001h00.200811142135.i386
Clearing system partition 2
...
Installing kernun-030001h00.200811142135.i386.tbz to system partition 2
Unpacking image
Installing SSH host keys
Removing file system content databases for installed images
Creating /etc/fstab
Writing build number into /kernun-version
Creating file system content database
Installation successfully finished
[root@fw ~]# bootmgr
Boot manager on /dev/ad0
F1: Kernun 3.0 2008/10/01 07:36 (030000h00.200809241501.i386)
F2: Kernun 3.0.1 2008/11/17 16:39 (030001h00.200811142135.i386)
F3: Unused
type=Kernun 1024 B boot manager (74 character labels)
current_booted=1
bootable=1 2
update=yes
default_selection=F2

Caution

Be careful when running sysmgr install. Especially, make sure that you specify the correct system partition number. Otherwise, you might inadvertently overwrite a system partition that you would like to retain.

Caution

The newly installed system partition is made the default choice for the next boot. As it is not configured, it will be inaccessible via the network after the reboot and its initial configuration will need to be performed from the console. If you want to keep the current default boot partition, so that you retain a fully working system after the reboot, use the -n parameter of the sysmgr command:

[root@fw ~]# sysmgr install -n 2 030001h00.200811142135.i386

6. Backup and Restoring

Kernun provides both GUI and command line tools used to back up system partitions and restore data from backups created in this way. They can be used to back up not only the current system partition, but any of the three system partitions. A backup file does not contain the complete contents of a system partition, but only the changes made since its installation. The size of the backup file therefore depends on the amount of changes that have been made in the system partition since its last installation. After an installation, the content of a system partition is stored in the /kernun-installed.fsdb.bz2 file. When creating a backup, this file is compared with the current content of the system partition. Added and modified files are stored in the backup file, along with information about deleted files and files with changed metadata attributes[7].

The backup and restore operations process only a subset of files contained in a system partition, mainly Kernun configuration files. The list of files included in a backup can be viewed and modified in the /etc/kernun-fsdb-include file. During backup and restore operations, this file is passed to diskdb(1) using the -I parameter.

Backup files are stored in the /data/backup directory, from which they should be copied to a safe place. They should not be renamed, because their names contain important information for backup processing: the build number of the Kernun instance, the number of the backed up system partitions, and the date and time when the backup was created.

A backup created on a particular Kernun version (build number) should be restored to a system partition containing a newly installed image with the same build number. On the other hand, a system partition with any partition number can be used for restoring, not only the one where the backup was created. The restore program adjusts the contents of the file system table /etc/fstab accordingly.
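Because the build number, partition number and creation time live only in the file name, a restore tool has to parse the name and compare the build with the one installed in the target partition. The block below is an added example written for this handbook section, not Kernun's own sysmgr code: it parses names of the documented form `backup-<build>-<partition>-<YYYYMMDDHHMM>.tbz`, lists the backups compatible with a given build newest first (the selection the standalone installer offers), and reproduces the build-mismatch warning of sysmgr restore as a return value. The file names are taken from the transcripts in this chapter, except for the last one, which is constructed.

```python
import re
from datetime import datetime

# Documented name layout: build number, system partition number, creation time.
# Build numbers contain dots and letters but no hyphens, so hyphens separate fields.
_BACKUP_NAME = re.compile(
    r"^backup-(?P<build>[^-]+)-(?P<partition>[123])-(?P<stamp>\d{12})\.tbz$"
)

# Sample contents of /data/backup; the first three names come from the
# handbook transcripts, the last one is constructed for a newer build.
BACKUP_FILES = [
    "backup-030000h00.200809241501.i386-1-200810031714.tbz",
    "backup-030000h00.200809241501.i386-2-200809261822.tbz",
    "backup-030000h00.200809241501.i386-2-200809301350.tbz",
    "backup-030001h00.200811142135.i386-1-200811201030.tbz",  # constructed
]


def parse_backup_name(name):
    """Return build, partition number and creation time encoded in a backup name.

    Raises ValueError for renamed files: a renamed backup has lost the
    information needed to match it with an installed build."""
    m = _BACKUP_NAME.match(name)
    if not m:
        raise ValueError(f"not a Kernun backup file name: {name}")
    return {
        "build": m["build"],
        "partition": int(m["partition"]),
        "created": datetime.strptime(m["stamp"], "%Y%m%d%H%M"),
    }


def backups_for_build(names, installed_build):
    """Backups that match the installed build, newest first.

    Files that do not follow the naming scheme are skipped rather than
    failing the whole listing."""
    compatible = []
    for name in names:
        try:
            info = parse_backup_name(name)
        except ValueError:
            continue
        if info["build"] == installed_build:
            compatible.append((info["created"], name))
    return [name for _, name in sorted(compatible, reverse=True)]


def check_restore_target(installed_build, backup_name):
    """None when the backup was made on the installed build; otherwise a
    warning modelled on the one sysmgr restore prints."""
    backup_build = parse_backup_name(backup_name)["build"]
    if backup_build == installed_build:
        return None
    return (
        "Backup is from different build than currently installed.\n"
        f"Installed: {installed_build}\n"
        f"Backup:    {backup_build}\n"
        "It is strongly recommended to restore a backup to the Kernun build "
        "that was used for creating the backup."
    )


if __name__ == "__main__":
    for build in ("030000h00.200809241501.i386", "030001h00.200811142135.i386"):
        print(f"backups for build {build}:")
        for name in backups_for_build(BACKUP_FILES, build):
            print("   ", name)
    warning = check_restore_target("030001h00.200811142135.i386", BACKUP_FILES[0])
    print(warning or "build matches, safe to restore")
```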

Kernun provides tools for manual backup and restoring of system partitions using local backup files in /data/backup. The administrator should create a backup at least after every major configuration change and copy it to a storage medium other than a local disk. Solutions for automated backup, remote backup, or backup of the data partition are not provided out of the box, because backup policies required for different deployments vary significantly. More sophisticated backup scenarios can be implemented using operating system tools (tar(1), cron(8), etc.) or various third-party backup software. The Kernun tools support only complete restoring of a backup to a newly installed system partition. Nevertheless, a backup file is a tar(1) archive compressed by bzip2(1) and can therefore be freely manipulated using these tools.

In some situations, especially when a backup is restored to a different version of Kernun or to a system partition that has been modified since the installation, conflicts may be reported during restoring. It is also possible that unresolved conflicts from an earlier restore operation interfere with the current one. In such a case, the old conflicts need to be resolved or discarded first. See Section 7, “Upgrade” for explanation of conflicts and instructions on how to resolve them.

6.1. Backup and Restoring from the GUI

A backup can be created in the GUI in the Kernun systems tab of the System Manager (Figure 3.4, “The system partitions after the installation”). All you need to do is select a system partition and click on the Backup button. A backup file will be created and stored in /data/backup. The new backup will appear in the Backups tab, see Figure 3.6, “Existing backup files in the GUI”. Using buttons under the list of backup files, a file can be downloaded to the administrator's computer, uploaded back to Kernun, or removed.

Figure 3.6. Existing backup files in the GUI

Existing backup files in the GUI

Click on the Restore button if you want to start the restore operation. Alternatively, restoring can be initiated using Restore backup on the Quick Wizards page. A wizard window appears. It prompts for the target system partition (must not be the currently booted one), for selection of a backup file and for a corresponding installation image. There are also buttons for uploading a locally stored backup or image to Kernun. As the last step, the recapitulation of the selected values is displayed, as shown in Figure 3.7, “Parameters of a restore operation”. When you click Finish, the selected image is installed in the chosen system partition and the selected backup is unpacked. Then it is possible to do any combination of the following operations: set the newly restored partition as the default boot partition; change the partition label; reboot Kernun immediately (see Figure 3.8, “Final settings after restoring a backup”).

Figure 3.7. Parameters of a restore operation

Parameters of a restore operation

Figure 3.8. Final settings after restoring a backup

Final settings after restoring a backup

6.2. Backup and Restoring from the Command Line

The sysmgr(8) utility is used to create and restore backups from the command line. A new backup file in /data/backup is created by the following command:

[root@fw ~]# sysmgr backup 2
Creating backup content database /kernun-backup.fsdb.bz2
Creating file system content database
Creating backup file
    /data/backup/backup-030000h00.200809241501.i386-2-200807281400.tbz
[root@fw ~]# 

If a backup of the current system partition is to be created, the partition number (2 in our example) may be omitted. A list of existing backup files is displayed by

[root@fw ~]# sysmgr backups
backup-030000h00.200809241501.i386-1-200810031714.tbz
backup-030000h00.200809241501.i386-2-200809261822.tbz
backup-030000h00.200809241501.i386-2-200809301350.tbz

A backup can be restored to a selected system partition; it must not be the currently used system partition. A clean installation of an image with the correct build number should be done first.

[root@fw ~]# sysmgr install 2 030000h00.200809241501.i386
...
Installation successfully finished
[root@fw ~]# sysmgr restore 2 \
> backup-030000h00.200809241501.i386-1-200810031714.tbz
Processing changes of file system contents
Unpacking files from backup
Resolving conflicts
All conflicts resolved
[root@fw ~]# 

An attempt to restore a backup in a system partition that contains a Kernun instance with a different build number is detected and a warning is displayed:

[root@fw ~]# sysmgr restore 2 \
> backup-030000h00.200809241501.i386-1-200810031714.tbz
Backup is from different build than currently installed in /2.
Installed: 030001h00.200811142135.i386
Backup:    030000h00.200809241501.i386
It is strongly recommended to restore a backup to the Kernun build that
was used for creating the backup.
Continue anyway (y/n)? n
[root@fw ~]# 

6.3. Restoring a Backup in the Standalone Installer

A backup can also be restored from the standalone installer booted from the Kernun installation CD. This can be helpful after installing a new system disk or when moving a Kernun installation to a new computer. First, select a system partition and install Kernun from an image corresponding to the backup that is to be restored, following the procedure described in Section 5.1, “Standalone Installer”. If the backup file is not already located in /data/dist, you can copy it there using the emergency repair environment tools, as described in Section 9, “Emergency Repair Environment”.

*** KERNUN INSTALLATION ***

Build 030001h00.200811142135.i386

1. Install Kernun
2. Check for existing Kernun installations
3. Restore backup
4. Start rescue shell
5. Mount Kernun file systems
6. Resize installer's in-memory temporary file system (current size 32m)
7. Halt
8. Power down
9. Reboot
0. Install license

Select action: 1 1

Detected Kernun system disk ad0
Detected Kernun data disk ad0
Repartition disks (y/n)? n
Current Kernun installations:
Boot manager on /dev/ad0
F1: Kernun 3.0 2008/10/01 07:36 (030000h00.200809241501.i386)
F2: Kernun 3.0.1 2008/11/17 16:39 (030001h00.200811142135.i386)
F3: Unused
type=Kernun 1024 B boot manager (74 character labels)
current_booted=
bootable=1 2
update=yes
default_selection=F2
Select partition for installation (1 2 3) [1]: 3 2
Overwrite partition /dev/ad0s3 by new Kernun installation (y/n)? y
Available installation images:
     1  030000h00.200809241501.i386
     2  030001h00.200811142135.i386
Select image to install (1-2) [2]: 1 3
Enter the label that will be used to identify this installation in the
boot manager. The label can be at most 44 characters long. The Kernun
build number will be appended after the entered label automatically.
Label [Kernun 3.0 2008/11/20 10:26]:
Clearing system partition 3
...
Installing kernun-030000h00.200809241501.i386.tbz to system partition 3
...
Installation successfully finished

Press Enter for return to menu...

*** KERNUN INSTALLATION ***

Build 030001h00.200811142135.i386

1. Install Kernun
2. Check for existing Kernun installations
3. Restore backup
4. Start rescue shell
5. Mount Kernun file systems
6. Resize installer's in-memory temporary file system (current size 32m)
7. Halt
8. Power down
9. Reboot
0. Install license

Select action: 3 4

Select partition to be restored (1 2 3) [1]: 3 5
Available backups for build installed in partition 3:
     1  backup-030000h00.200809241501.i386-1-200810010405.tbz
     2  backup-030000h00.200809241501.i386-1-200810040604.tbz
Select backup to restore (1-2) [2]: 1 6
Restoring backup-030000h00.200809241501.i386-1-200810010405.tbz
to partition 3
Are you sure (y/n)? y
Conflicts resolution data in /data/restore already exist 7
Remove old /data/restore (y/n)? y 8
Processing changes of file system contents
Unpacking files from backup 9
Resolving conflicts
All conflicts resolved

Press Enter for return to menu...

In the example above, we assume that the backup file is already stored in the /data/backup directory and the corresponding installation image in the /data/dist directory. We start the backup restoring procedure by carrying out a fresh Kernun installation 1 in an unused system partition 2. The installation image 3 is chosen so that it corresponds to the backup file that will be restored. After returning to the installer main menu, we select Restore backup 4. The partition 5 installed in the previous step should be selected. A list of backups compatible with the content of the target system partition is displayed. We choose one of the offered backup files 6 and the restoring begins. The message 7 indicates that there are unresolved conflicts from previous restore or upgrade operations. Usually, you should reply n to the question 8. This will interrupt the restore operation. You can restart it after you resolve the conflicts according to instructions given in Section 7, “Upgrade”. If you are sure that you do not need to resolve the old conflicts[8], you may reply y and the conflict resolution data will be deleted. The message and question concerning the old conflicts 7 8 will not be displayed if there are no pending conflicts. Finally 9, the backed up files are unpacked from the backup file and checked for conflicts. No conflicts should occur if the backup is restored to the same Kernun build that was installed at the time the backup was created. The restored files are installed in their proper places and the restore operation successfully finishes.

7. Upgrade

The upgrade procedure described in this section is applicable if you want to retain as much as possible from the configuration of the old Kernun instance in the new instance. If you want to configure a new Kernun version from scratch, follow the installation and configuration procedures described in Section 5, “Installation”.

Upgrading to a new version or build of Kernun is basically done by restoring a backup of the old version in a system partition that contains a fresh installation of the new version. The upgrade procedure comprises the following steps:

  1. Normalizing the configuration.

  2. Backing up the system partition with the old version.

  3. Installing the new version.

  4. Restoring the backup created in step 2 to the installed new version.

  5. Resolving any conflicts that arose in step 4.

  6. Upgrading the Kernun configuration file.

  7. Checking the upgraded configuration.

  8. Applying the upgraded configuration.

  9. Starting the new Kernun version.

The syntax and semantics of the configuration files are sometimes slightly changed between versions. In order to be usable in the new Kernun version, the old configuration file must be converted in step 1. This is done automatically during the upgrade process. The configuration conversion script expects the configuration in a normalized format; any other formatting that the normal Kernun configuration tools (GUI or CML) would accept is not sufficient. The normalization during the upgrade process is done either automatically (by the GUI), or using a command in the command line upgrade.

Important

If you are upgrading from a Kernun version that does not implement automatic configuration normalization during the upgrade process, that is, from a version older than 3.3.2, you should perform the normalization manually. It can be done simply by opening and saving the configuration by either GUI, or CML. The normalization step may be skipped if the configuration has been saved recently and has not been modified outside the Kernun configuration tools, for example, by a text editor.

The upgrade operation results in a newly installed system partition that contains the new version of Kernun. If we want to keep the configuration across upgrades, we need to copy the main Kernun configuration file /usr/local/kernun/conf/kernun.cml and any other changes done in the old installation to the new one. The configuration files that have been changed, created, or deleted since the installation are found and saved when the old system partition is backed up in step 2.

Step 3 requires a full or patch installation image. Although it is possible to replace the contents of the currently used system partition with the new version, it is not recommended. You should always install an upgrade to a currently unused system partition, for two reasons. First, the old Kernun instance can continue running until the upgrade is finished. Second, you can quickly return Kernun to an operational state if something goes wrong with the upgrade.

Tip

The recommended practice is to use two system partitions for regular upgrades. One partition is occupied by the currently running version, while the other contains the old version and will be used for installation of the next upgrade. After each upgrade, the roles of the two partitions are switched. The third system partition can be reserved for special tasks, such as preparation of a completely new configuration.

Tip

Set the default boot partition in the boot manager (as described in Section 4, “Boot Manager”) so that it always boots the currently used Kernun instance. Consider disabling the automatic updating of the default boot partition or disabling the unused partitions altogether.

Restoring of the backup from step 2 in the system partition installed in step 3 effectively copies the complete configuration from the old system partition. Restoring of a backup to a build different from the one used for its creation may cause conflicts. These are files that cannot be restored automatically and a manual intervention of the administrator is necessary. A conflict occurs if there are two incompatible changes of the same file. The original version of the file comes from the installation image of the Kernun instance that is being upgraded; we will call it “old”. The second version (called “backed-up”) is contained in the backup file, if the file was changed[9] at some time between the installation of the old version and the start of the upgrade process. The third version of the file (called “new”) is obtained from the installation image of the new Kernun instance installed in step 3. There are two potential changes of the file. One between the old and the backed-up version, the second between the old and the new version. If only one change exists, no conflict occurs and the changed (backed-up or new) version of the file will be used. For example, /etc/ttys may have been changed by the administrator in the installed Kernun, but remains the same in the build we are upgrading to. Another example is a proxy executable, which is modified in the new Kernun version, but left unchanged by the administrator. If all three versions exist, i.e. when the backed-up and the new version differ, a conflict occurs. The automated upgrade tools are unable to handle the file and the administrator must decide whether the new file, the backed-up file, or some combination of the two should be used. For example, a third party software added in the new build creates a new user account in /etc/master.passwd, and the administrator has created another user account. During the upgrade, a conflict is reported for /etc/master.passwd. The administrator can resolve this particular conflict by merging the two versions of the file, adding both new user accounts to the resulting file.

The detected conflicts are recorded in the /data/restore/resolve file during step 4. The conflicting files from the backup file (the “backed-up” version) are not unpacked to the root directory tree. Instead, they are stored in corresponding locations under the /data/restore/conflicts directory. The root directory tree contains the files as installed (the “new” version). In step 5, the administrator specifies for each file how the conflict should be resolved, choosing from the following possibilities:

  • The new version is retained and the backed-up version is deleted from /data/restore/conflicts.

  • The backed-up version replaces the new version.

  • The new or the backed-up version is used, but is modified first, for example by merging the contents of the two versions in a text editor.

  • The conflict is postponed until a later iteration of conflict resolution.

The /data/restore directory is deleted when all conflicts are resolved. Only one upgrade procedure can be in the conflict resolution stage at a time. If a conflict resolution session is started and there is already the /data/restore directory with unresolved conflicts, the administrator can either cancel the second resolution, or delete the old /data/restore directory, thus effectively using the “new” versions of the files for all conflicts in the earlier conflict resolution session.

In step 6, a script is executed that edits the contents of the main configuration file /usr/local/kernun/conf/kernun.cml to make it compatible with the upgraded Kernun. Sometimes, if there are complex changes in the configuration syntax and semantics between the two Kernun versions, or if the configuration file contains certain advanced constructs, the script may be unable to perform a perfect conversion. It is therefore recommended to always check the result of the automatic conversion in step 7.

The new configuration file needs to be applied before the upgraded system can be put into normal operation. The low-level configuration files are generated and the configuration is applied in the context of the newly installed system using the applycfg command of sysmgr(8). If the generation or application of the configuration fails, the configuration should be corrected and applied again.

Finally, the upgraded Kernun can be put into the normal production mode by rebooting to the newly installed system partition.

Often, no modification of the configuration (steps 6 and 7) is required during the upgrade procedure. This is usually the case when upgrading between two builds of the same version or between patch releases of the same version, for example, from 3.0 to 3.0.1 or from 3.0.1 to 3.0.2.

7.1. Upgrade from the GUI

An upgrade is initiated from the Quick Wizards page of the System Manager. There are two alternatives. Click Upgrade Firewall if you want to start the complete upgrade procedure. If you already have a recent backup of the system partition that you want to upgrade, you can skip the first step — creation of a backup. In this case, use the Restore backup into newer firewall button. We will describe only the former alternative; the latter is almost identical, only the backup step is missing.

The GUI assumes that we want to upgrade the currently running Kernun instance. Therefore, the current system partition will be backed up. After clicking on the Upgrade Firewall button, we select the target system partition in which the upgraded Kernun will be installed. Then we select the installation image of the new version. Our selections are displayed in the settings recapitulation window (Figure 3.9, “Parameters of an upgrade operation”). Click on the Finish button to start the upgrade.

Figure 3.9. Parameters of an upgrade operation

The GUI displays the progress of the upgrade procedure. First, the current system partition is backed up. Then, the new system partition is installed and the backup is restored in it. If there are any conflicts, the conflict resolution window is displayed, as shown in Figure 3.10, “The conflict resolution window during an upgrade”. The window shows a list of conflicting files. You can determine how to resolve the conflict of a file by clicking in the Action column. The following actions are possible:

  • + — uses the “backed-up” version of the file;

  • . — uses the “new” version of the file, as installed from the new installation image;

  • - — deletes the file;

  • ! — postpones the conflict to the next iteration of conflict resolution.

It is also possible to select a file and then click a button on the right-hand side of the window to display the differences between the two versions of the file, or to open one of them in an editor.

Figure 3.10. The conflict resolution window during an upgrade

After you give instructions for conflict resolution and optionally edit some conflicting files, click OK to have the conflicts resolved. Finally, a window is displayed (see Figure 3.11, “Final settings after an upgrade”) that makes it possible to realise any combination of the following actions: set the newly upgraded system partition as the default boot partition; run the configuration conversion script; change the partition label; reboot Kernun immediately.

Figure 3.11. Final settings after an upgrade

7.2. Upgrade from the Command Line

Command line upgrades are performed using the sysmgr(8) utility. Unlike the GUI, which performs all the required steps automatically, a command line upgrade must be done step by step. An example of the upgrade procedure follows (the numbers in parentheses are callouts referenced in the explanation below):

[root@fw ~]# cml -l -f /usr/local/kernun/conf/kernun.cml    (1)
RCSL-730-N File '/usr/local/kernun/conf/kernun.cml' locked for current user
CMLM-790-N RCS command completed
[root@fw ~]# sysmgr checkcfg    (2)
...
Configuration is correct
[root@fw ~]# sysmgr backup    (3)
Creating backup content database /kernun-backup.fsdb.bz2
Creating file system content database
Creating backup file
/data/backup/backup-030000h00.200809241501.i386-1-200811300006.tbz
[root@fw ~]# sysmgr install 2 030002h00.200811291341.i386    (4)
Clearing system partition 2
...
Installation successfully finished
[root@fw ~]# sysmgr upgrade 2 \
> backup-030000h00.200809241501.i386-1-200811300006.tbz    (5)
Processing changes of file system contents
Unpacking files from backup
Resolving conflicts
There are pending conflicts, see /data/restore/resolve

*** CONFLICT RESOLUTION ***    (6)

1. Resolve with easy editor (ee)
2. Resolve with editor vi
3. Do not resolve now

Select action: 2
# Conflict resolution file for system partition /2    (7)
# Each line of this file contains an instruction for one file. You
# can edit the file and then apply the instructions by running
# "sysmgr resolve". Every line contains three fields:
# - one character that defines an action to be done with the file
# - one character for file type ('d' for a directory, '-' for any
#   other type)
# - path to the file, interpreted either relative to /2 for the
#   existing file and relative to //data/restore/conflicts
#   for the file from the backup
# Procedure of conflict resolution:
# 1. Locate all lines beginning with '!'. These denote conflicting
#    files.
# 2. Optionally edit the conflicting files.
# 3. Change the character '!' to
#         + ... to use the file from backup, temporarily stored in
#               /data/restore/conflicts
#         . ... to keep the current file
#         - ... to delete the current file
#         ! ... keep the conflict for future resolution
# 4. Run "sysmgr resolve".
# 5. Repeat steps 1-4 until all conflicts are resolved.
# Merging file from the backup with the current file can be done
# either by editing the current file and specifying action '.'
# (keep) or editing the file from the backup and specifying
# action '+' (use backup).
! - ./etc/motd
! - ./etc/login.conf
...
Resolving conflicts
There are pending conflicts, see /data/restore/resolve    (8)
[root@fw ~]# vi /data/restore/resolve    (9)
...
[root@fw ~]# sysmgr resolve    (10)
Resolving conflicts
All conflicts resolved
[root@fw ~]# sysmgr upgradecfg 2    (11)
Upgrading Kernun configuration /2/usr/local/kernun/conf/kernun.cml
/2/usr/local/kernun/conf/kernun.cml,v  <--
  /2/usr/local/kernun/conf/kernun.cml
new revision: 1.2; previous revision: 1.1
done
Automatic configuration upgrade done. It is recommended to review the
configuration before returning Kernun to production use.
[root@fw ~]# sysmgr applycfg 2    (12)
...
System kernun applied in system partition 2
[root@fw ~]# cml -u -f /usr/local/kernun/conf/kernun.cml    (13)
CMLM-790-N RCS command completed
[root@fw ~]#

Before the upgrade, the configuration should be locked (1)[10], then checked and normalized (2). This step ensures that the configuration upgrade step (11) will understand the configuration file. The upgrade procedure starts by backing up the current system partition (3). To upgrade a currently inactive partition instead, specify its system partition number. If a recent backup already exists, this step can be skipped. The new Kernun version is installed into an unused system partition (4). This command also sets the boot manager label of the newly installed partition and makes it bootable and the default selection for the next boot. The backup is then restored into the newly installed system partition (5). This command writes the list of conflicts to /data/restore/resolve; the conflicting files from the backup are stored in the /data/restore/conflicts directory. If there are conflicts, the conflict resolution menu is displayed (6). You can either resolve the conflicts now or postpone the resolution until later. If you choose to resolve them, the conflict resolution file /data/restore/resolve is opened in a text editor. Edit the file according to the instructions displayed in its header (7) to specify how each conflict is to be resolved. After the file is saved and the editor is closed, the conflicts are resolved in accordance with the file. If some conflicts remain unresolved, a message (8) is printed. It is then possible to edit /data/restore/resolve manually (9) and restart the conflict resolution (10). Commands (9) and (10) can be repeated until all conflicts are resolved. The main configuration file is upgraded (11) and applied (12). Finally, the lock is released (13). You can then reboot to the new system partition and start using the upgraded Kernun.
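The resolve file format and the meaning of its four actions, as an added example that is not part of sysmgr or the handbook: a parser for /data/restore/resolve, a dry-run planner showing what each action means for the file in the target partition and its counterpart under /data/restore/conflicts, and a helper that changes a pending '!' entry the way the administrator does in the editor. The sample file contents, the partition /2 and the file paths are constructed.

```python
"""Parser and dry-run planner for Kernun's /data/restore/resolve file.

Added example; it is not part of sysmgr or the handbook.  It follows the
line format documented in the resolve file header (<action> <type> <path>,
'#' comment lines) and the meaning of the four actions.  The partition
and conflicts paths and the sample file below are constructed.
"""
from dataclasses import dataclass
from typing import List

ACTIONS = {
    "+": "use the file from the backup (/data/restore/conflicts)",
    ".": "keep the current (newly installed) file",
    "-": "delete the current file",
    "!": "keep the conflict for a later iteration",
}

# Constructed sample, modelled on the listing in the upgrade example.
SAMPLE_RESOLVE = """\
# Conflict resolution file for system partition /2
# (instruction comments omitted in this sample)
+ - ./etc/motd
. - ./etc/login.conf
! - ./etc/master.passwd
- d ./usr/local/etc/obsolete.d
"""


@dataclass
class Entry:
    action: str  # one of ACTIONS
    ftype: str   # 'd' for a directory, '-' for any other type
    path: str    # relative to the partition root, e.g. ./etc/motd


def parse_resolve(text: str) -> List[Entry]:
    """Parse the three-field lines, rejecting anything the format does not allow."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ", 2)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields: {line!r}")
        action, ftype, path = fields
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if ftype not in ("d", "-"):
            raise ValueError(f"line {lineno}: unknown file type {ftype!r}")
        entries.append(Entry(action, ftype, path))
    return entries


def pending(entries: List[Entry]) -> List[str]:
    """Paths still marked '!'; 'sysmgr resolve' reports these as pending."""
    return [e.path for e in entries if e.action == "!"]


def plan(entries: List[Entry], partition: str = "/2",
         conflicts: str = "/data/restore/conflicts") -> List[str]:
    """Describe, without touching the file system, what each action means
    for the file in the partition and its counterpart from the backup."""
    steps = []
    for e in entries:
        rel = e.path[2:] if e.path.startswith("./") else e.path.lstrip("/")
        current, backed_up = f"{partition}/{rel}", f"{conflicts}/{rel}"
        if e.action == "+":
            steps.append(f"copy {backed_up} -> {current}")
        elif e.action == ".":
            steps.append(f"keep {current} (discard {backed_up})")
        elif e.action == "-":
            steps.append(f"delete {current}")
        else:
            steps.append(f"pending {current}")
    return steps


def set_action(text: str, path: str, action: str) -> str:
    """Return the resolve file with the pending entry for `path` changed to
    `action`; this is what the administrator does in the editor (step 7)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    out, found = [], False
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("#"):
            a, t, p = raw.split(" ", 2)
            if p == path and a == "!":
                raw, found = f"{action} {t} {p}", True
        out.append(raw)
    if not found:
        raise KeyError(f"no pending conflict for {path}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries = parse_resolve(SAMPLE_RESOLVE)
    print("\n".join(plan(entries)))
    print("pending:", pending(entries))
```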

8. Audit

The Kernun auditing tool kernun-audit(1) provides a convenient source of information about bugs discovered in the Kernun software. The auditing tool also reports when a new software version becomes available. A Kernun audit is usually executed daily by the cron daemon via the periodic command. It downloads the up-to-date auditing database, and then examines the product type, version, and architecture of the installed system. Based on these values, the relevant records are extracted from the database and reported. There are two classes of records: bugs and software updates.

Each bug discovered in the currently installed version of the Kernun product is reported. A bug has a unique identification number, a description, a list of versions in which it occurs, a solution, and a workaround. The recommended solution is always a software update to a version in which the bug has been fixed (if such a version is available). The workaround (if available) describes how to minimize the impact of the bug without updating the software. It should be applied if the software has not been fixed yet or if an immediate update is infeasible. Nevertheless, the workaround should always be regarded as a temporary solution, and the Kernun installation should be updated as soon as possible.

Software updates are reported only for the same product and architecture as in the installed system. The latest patch release from each release branch is shown. Only versions newer than the currently installed version are displayed. For example, if 3.1 is the version installed and 3.0–3.0.6, 3.1–3.1.3, and 3.2–3.2.1 are available, 3.1.3 and 3.2.1 will be the versions reported.

The initial configuration of a Kernun system runs the auditing tool daily using the DEFAULT-CRONTAB and DEFAULT-PERIODIC variables from the included crontab and the periodic configuration file crontab.cml. Auditing can be disabled by setting daily_status_security_kernun_audit_enable to "NO" in that file. The auditing tool kernun-audit can also be executed manually from the command line. The product name, version number, and architecture name are obtained from the current system, or can be specified using the command line arguments of kernun-audit. The identification of the current system is stored in the files /kernun-product (product name) and /kernun-version (build number, which contains the version number before the first dot and the architecture name after the second dot). If the location (local or remote) of the audit database is not specified, the database is downloaded from download.kernun.com by default.
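The selection rules stated above (same product and architecture only, latest patch release per branch, newer than the installed version, bugs matched by their affected-version list) and the layout of the /kernun-version build number, as an added example that is not kernun-audit's own code. The release and bug records are constructed sample data reproducing the 3.1 example from the text; "EXAMPLE-PRODUCT" and the bug identifiers are placeholders.

```python
"""Version selection rules of the Kernun audit report.

Added example: this is not kernun-audit's own code, only a model of the
rules the handbook states.  Updates are reported for the installed product
and architecture only, as the latest patch release of each branch that is
newer than the installed version; bugs are reported when the installed
version appears in their affected-version list.  All records below are
constructed sample data; "EXAMPLE-PRODUCT" is a placeholder name.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """'3.1' -> (3, 1, 0), '3.2.1' -> (3, 2, 1); a missing patch level is 0."""
    parts = [int(p) for p in s.strip().split(".")]
    if len(parts) not in (2, 3):
        raise ValueError(f"unsupported version string {s!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def parse_build_id(build: str) -> Dict[str, str]:
    """Split a /kernun-version build number into its three fields: the
    version field before the first dot, the build timestamp, and the
    architecture after the second dot (e.g. '030000h00.200809241501.i386')."""
    fields = build.strip().split(".")
    if len(fields) != 3:
        raise ValueError(f"malformed build number {build!r}")
    return {"version": fields[0], "build": fields[1], "arch": fields[2]}


def select_updates(installed: str, product: str, arch: str,
                   releases: List[Dict[str, str]]) -> List[str]:
    """Latest patch release of every branch, restricted to the installed
    product and architecture and to versions newer than `installed`."""
    inst = parse_version(installed)
    latest: Dict[Tuple[int, int], Tuple[Version, str]] = {}
    for rel in releases:
        if rel["product"] != product or rel["arch"] != arch:
            continue  # other products and architectures are never reported
        v = parse_version(rel["version"])
        branch = (v[0], v[1])
        if branch not in latest or v > latest[branch][0]:
            latest[branch] = (v, rel["version"])
    return [text for _, (v, text) in sorted(latest.items()) if v > inst]


def affected_bugs(installed: str, bugs: List[Dict]) -> List[Dict]:
    """Bug records whose affected-version list contains the installed version."""
    inst = parse_version(installed)
    return [b for b in bugs
            if any(parse_version(v) == inst for v in b["versions"])]


# Constructed sample database, mirroring the handbook's worked example:
# 3.1 installed; 3.0-3.0.6, 3.1-3.1.3 and 3.2-3.2.1 available.
RELEASES = [{"product": "EXAMPLE-PRODUCT", "arch": "i386", "version": v}
            for v in ["3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5",
                      "3.0.6", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.2", "3.2.1"]]
# A release for another architecture must not be reported.
RELEASES.append({"product": "EXAMPLE-PRODUCT", "arch": "amd64", "version": "3.3"})

BUGS = [  # placeholder bug records, not real Kernun bug identifiers
    {"id": "BUG-EXAMPLE-1", "versions": ["3.1", "3.1.1"], "solution": "3.1.2",
     "workaround": "constructed placeholder text"},
    {"id": "BUG-EXAMPLE-2", "versions": ["3.2"], "solution": "3.2.1",
     "workaround": None},
]


def audit_report(installed: str, product: str, arch: str) -> Dict[str, List[str]]:
    """The two record classes of an audit run: software updates and bugs."""
    return {
        "updates": select_updates(installed, product, arch, RELEASES),
        "bugs": [b["id"] for b in affected_bugs(installed, BUGS)],
    }


if __name__ == "__main__":
    ident = parse_build_id("030000h00.200809241501.i386")  # build number from the handbook
    print("architecture:", ident["arch"])
    print(audit_report("3.1", "EXAMPLE-PRODUCT", "i386"))
```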

The www.kernun.com Web site provides an online version of the Kernun auditing tool. After filling the Kernun product, version, and architecture in a form, the auditing report is generated in the same format as the one kernun-audit produces.

9. Emergency Repair Environment

Warning

The instructions in this section are intended for experienced administrators with profound knowledge of Kernun and FreeBSD.

The Kernun installer booted from the installation CD can be used to repair the system if all system partitions are unable to boot. The available functions are accessible from the installer main menu:

1. Install Kernun
2. Check for existing Kernun installations
3. Restore backup
4. Start rescue shell
5. Mount Kernun file systems
6. Resize installer's in-memory temporary file system (current size 32m)
7. Halt
8. Power down
9. Reboot
0. Install license

Option 1 is described in Section 5.1, “Standalone Installer”. Options 7, 8, and 9 are self-descriptive. Option 2 displays the boot manager configuration and the disk device names.

System disk is /dev/ad0
Boot manager on /dev/ad0
F1: Kernun 3.0 2008/10/01 07:36 (030000h00.200809241501.i386)
F2: Unused
F3: Unused
type=Kernun 1024 B boot manager (74 character labels)
current_booted=
bootable=1
update=yes
default_selection=F1
Data disk is /dev/ad0s4d
Swap is /dev/ad0s4b

Option 3 restores a backup selected from a list of backup files found in /data/backup. If the backup is stored on another medium, it must first be copied to the /data/backup directory, using for example the rescue shell (option 4). For details about backup and restoring, see Section 6, “Backup and Restoring”.

Option 4 starts a rescue shell (bash). It provides the environment for emergency maintenance of a computer with non-bootable Kernun installations. The rescue shell (as well as the whole standalone installer) runs in a custom FreeBSD environment. The standard Kernun kernel is used. The root file system is mounted from the installation CD and is therefore read-only. A read-write RAM disk for temporary data is mounted under /tmp, symlinked also from /var/tmp. The standard size of the RAM disk is 32 MB. It can be resized using option 6 of the installer main menu.

Warning

The content of the RAM disk is lost when the installer is terminated or when the RAM disk is resized.

Caution

Do not make the RAM disk too large, because its content is stored in the kernel memory. If the free kernel memory gets too low, the kernel may panic.

Option 5 of the menu mounts any existing Kernun partitions under the directories /1, /2, /3 (the system partitions), and /data (the data partition). The rescue shell provides many standard FreeBSD command line programs. Programs from a mounted Kernun system partition can be run as well.

Tip

It is often useful to perform a chroot(8) to a mounted Kernun system partition and to run commands in the chrooted environment.



[1] Collect values from lines starting with component:, group:, and upgrade: in the license file.

[2] It is usually the first disk: da0 (SCSI), ad0 (PATA), ad10 (SATA).

[3] including usr/local/kernun/license.dat

[4] More precisely speaking, the initial configuration script is executed during any system boot if there is no Kernun configuration file /usr/local/kernun/conf/kernun.cml and none of the files /etc/rc.conf and /etc/rc.conf.local contains the line kernun_config_enable=NO.

[5] The host key is used by the SSH client (or GUI) to ensure that it is communicating with the intended server. It is different from the client's key, which is used to authenticate the client to the server.

[6] An image is considered older if it has a lower version number or an earlier build date.

[7] for example, access rights, owner, or modification time

[8] for example because they are in a system partition that is not used any more

[9] By a change, we mean modification of the contents of the file, deletion of the file, a change of the file attributes (e.g., the owner or access rights), or creation of a previously nonexistent file.

[10] Steps 1 and 13 are supported by Kernun since release 3.6. In the prior versions, these steps should be skipped.

Chapter 4. User Interface

Kernun can be administered locally, or remotely via the network. Local administrator access is usually limited to the initial installation, when the network is not yet configured, and emergency situations after a failure or misconfiguration if the network is not accessible. The administrator can access the system locally via a text system console. It provides the same set of command line tools as the remote text login via SSH. In normal operation, Kernun is usually administered remotely. There are two options for remote access: a text command line interface and a graphical user interface.

An administrator can log in to Kernun remotely via SSH and get shell access to the system. Administrative tools accessible from the shell include the primary Kernun command line control and configuration tools kat(8) and cml(8), see also Section 2, “Command Line Interface”. Besides these two, many additional command line utilities are available, including specific Kernun commands introduced in Section 3, “Administrative Utilities” and all the standard FreeBSD commands.

Kernun's graphical user interface (GUI for short, described in Section 1, “Graphical User Interface”) provides functionality similar to that of the command line utilities, but in a more intuitive and comprehensive way. It shows the current state of all system components and can display details for each component. The GUI also contains a powerful log analyzer, a configuration editor, and a system manager, which administers installations, backups, and upgrades. Some functionality is unique to the GUI and cannot be accessed from the command line, such as the display of performance graphs. The GUI runs on the administrator's local computer and communicates with Kernun via the network, using SSH internally. Hence, the same prerequisites are needed for both the command line and GUI access to Kernun (in particular, SSH keys, and the SSH protocol allowed on the path between Kernun and the administrator's computer).

1. Graphical User Interface

In this section, we will introduce the Kernun GUI. In later chapters dealing with configuration (Chapter 5, Configuration Basics, and Chapter 6, Advanced features) we will assume that the administrator knows how to use the GUI.

The GUI is distributed on a separate installation CD. Unlike other parts of Kernun, the GUI is distributed under the terms of the GNU General Public License (GPL). The license text is available in the LICENSE.GPL file in the directory containing the GUI source code.

The Kernun GUI is available in two functionally equivalent versions: for Microsoft Windows and for UNIX. The binary executables of the Kernun GUI are distributed for MS Windows and for FreeBSD [11]. The Kernun GUI can also be easily compiled for other UNIX platforms. See the README file for instructions on how to compile the Kernun GUI.

On UNIX machines, the Kernun GUI expects OpenSSH to be installed (namely, the ssh, ssh-agent, ssh-keygen and ssh-add programs are expected to be located in a directory listed in the PATH environment variable).

There are no prerequisites to be installed on MS Windows. All the necessary executables are included in the Kernun GUI distribution.

The Kernun GUI provides the following functionalities:

  • monitoring of the state of Kernun;

  • management (starting, stopping, restarting, …) of Kernun (or its particular components);

  • work with logs (both current online logs and downloaded offline logs) and statistics;

  • modification and application of the configuration of Kernun;

  • administration of Kernun installations, backups, and installation images.

1.1. Kernun GUI Launcher

When the GUI is started, the launcher window is displayed, see Figure 4.1, “GUI Launcher”. The launcher provides buttons to open (and change) a local copy of the Kernun configuration file (for more information on work with the configuration in the GUI see Section 1.4, “GCML — Configuration”) or examine a local log file (see Section 1.3, “Logs”). However, the main purpose of the GUI launcher is to establish a new connection to Kernun and launch the main GUI management window.

Figure 4.1. GUI Launcher

The GUI communicates with Kernun via SSH connections. You therefore need to have the sshd service running and correctly configured (see Section 2.3, “SSH Server”). The parameters of the SSH connection to Kernun are specified in the Connection Parameters dialog, as depicted in Figure 4.2, “Connecting to Server”. You need to fill in the Host name or IP address of the Kernun machine, Username, Port and select the SSH key file.

Tip

If you are connecting to Kernun via SSH for the first time, you need to initialize Kernun (i.e., download your private SSH key from Kernun). To do this, use the dialog that appears after the Initialize new system button is pressed. Fill in the Hostname and the Password you entered during the installation. See also Section 5.2, “Initial Configuration”.

Figure 4.2. Connecting to Server

If you intend to apply the configuration to a Kernun other than the one you are logged in to (for example, the second Kernun in a cluster), you must check the Forward SSH agent check box. See ssh(1) for information about the security risks of SSH agent forwarding.

Important

It is unsafe to leave the SSH keys loaded in the ssh-agent after finishing your work with Kernun.

The key is deleted automatically on UNIX, if there was no ssh-agent running before the Kernun GUI was started. Otherwise, you need to unload it yourself (e.g. using ssh-add -d private_key_file).

On MS Windows, the Kernun GUI instances are managed by the GUI launcher, which is set to unload the keys automatically (after a timeout) if there are no main Kernun GUI applications running. You can change this behavior or unload the key manually using the context menu of the Kernun GUI taskbar icon.

1.2. GKAT—Management Console

The functionality of the Kernun GUI main window, depicted in Figure 4.3, “GKAT — Kernun management console”, is basically equivalent to the command line administrative tool kat(8). It displays the states of individual Kernun components and allows them to be started, stopped, and monitored.

Figure 4.3. GKAT — Kernun management console

When connected to Kernun, the state of the proxies and other system components is indicated by their state icons. The states of the components are also propagated to the state icon of their parent component groups and of the whole Kernun. There are the following component groups: Proxies, System Components (such as SSH servers, mail forwarders, or DNS servers), Network (interfaces, packet filtering, routing), and Open VPN servers. A running component is denoted by a green icon background, whereas the background of a stopped component is red. There are several icon overlays that indicate further information concerning the component's state:

  • Not up-to-date configuration — the configuration of the component has changed; reload it, so that the changes can take effect.

  • Parent exiting flag — the proxy is in a special state: it does not accept new connections, but only waits for the already active sessions to finish. For example, this state may appear when a proxy is reloaded, some sessions remain open in the old proxy instance, and only the new instance accepts new connections. A total restart of the proxy stops the old proxy instance and starts another, so no sessions remain open.

  • Not in configuration — the system component is not in the configuration. Kill the component to solve the problem.

  • Component's state changing — this overlay is displayed while the component's state (started/stopped/restarted/reloaded) is being changed. It disappears immediately after the action is finished.

In the situation depicted in Figure 4.3, “GKAT — Kernun management console” we know that all proxies are running, even though the Proxies subtree is collapsed. The IPS component is stopped, which is why the System Components and Kernun icons are partially green and red. Kernun has four network interfaces, the packet filter and the routing table running. No Open VPN server is configured. You can click on a component, group, or the whole Kernun icon in the proxy tree to select it and display its details in the right-hand part of the window. The information about the RTT (Round Trip Time) in milliseconds between the GUI and Kernun is displayed next to the Kernun name.

1.2.1. Kernun Details

On the Manage page of the whole Kernun (that is, with the top-level Kernun node selected from the component list in the left-hand part of the window), the administrator can easily manage (start/stop/reload/restart) the whole Kernun, as depicted in Figure 4.4, “Kernun Manage Page”.

Figure 4.4. Kernun Manage Page

The selected action can be applied either to all components, or to the components marked with a tag in the configuration. The tag or the All components option can be selected from a combo box. A change in the configuration takes effect only after the system state is synchronized with the updated configuration. This can always be done by rebooting, restarting, or reloading the whole Kernun, but it often suffices to restart only a subset of components, while the remaining parts of Kernun may be left running. The Synchronize system button automates this process. It displays a window (depicted in Figure 4.5, “System state synchronization dialog”) that lists the actions required to bring all the components into sync with the configuration. You can manually alter the proposed actions by clicking on a component in the Action column. When you are satisfied, click OK and all the selected actions will be executed.

Figure 4.5. System state synchronization dialog

The Process List page (Figure 4.6, “Process List page”) contains the list of the running parent proxy processes[12].

Figure 4.6. Process List page

The context menu in the process list (Figure 4.7, “Process List context menu”) can be used to send the TERM (Kill parent process) or KILL (Kill -9 parent process) signals to the particular process, to copy the contents of the process list to the clipboard or to save them to a file.

Figure 4.7. Process List context menu

The Graphs page contains graphs of various system parameters, see Figure 4.8, “Graphs page”. There are many monitored parameters of the operating system (CPU load, used memory and disk space, etc.), hardware (temperature measurement, if supported by the hardware), and cluster behavior (switches between the cluster master and backup). Kernun collects parameter values and creates graphs depicting how they evolve in time, with several time scales available. The most detailed graphs show only the recent history, while coarse-grained graphs extend further into the past. Right-click on a graph to open a context menu that makes it possible, among other things, to save the graph to a file or to add it to Favorite graphs.

Figure 4.8. Graphs page

The Top page (Figure 4.9, “Top page”) shows the output of the popular top(1) command. The Misc page (Figure 4.10, “Misc page”) displays the output of several commands, showing, among other things, the disk space (the df -hi command), the network state (netstat) or the uptime and current load of Kernun (w | head -n 1). The Version page (Figure 4.11, “Version”) shows the version of Kernun and of the FreeBSD system used by Kernun.

Figure 4.9. Top page

Figure 4.10. Misc page

Figure 4.11. Version

1.2.2. Proxy Details

When the Proxies node or a particular proxy is selected in the component tree, it is possible to control and monitor all proxies or the single proxy, respectively. The set of pages is simil