Name

common — format of common component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the common component configuration.

Repeatable sections/items are marked by a '*' before the section/item name.

TYPES

Configuration directives have attributes of several value types. For the description of the basic types, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, the use of names is obligatory.

The following enumerations are used in common configuration directives:

enabling (name-usage obligatory)

General Enabling/Disabling Enumeration.

disable, enable

yes-no (name-usage obligatory)

General Yes/No Enumeration.

no, yes

language (name-usage obligatory)

National Language Support - Language Setting.

EN

English

CZ

Czech (UTF-8)

nls (name-usage obligatory)

National Language Support - Language and Charset.

EN

English

CZ

Czech (default charset)

CZ-ASCII

Czech, without diacritics

CZ-ISO-8859-2

Czech, ISO-Latin-2

CZ-WINDOWS-1250

Czech, Windows-1250

on-off (name-usage optional)

Features switching on/off.

off (0), on (1)

genesis (name-usage obligatory)

General Genesis (Static/Dynamic) Enumeration.

static, dynamic

permission (name-usage obligatory)

Permission/Denial Methods.

permit

particular option is permitted

deny

particular option is rejected but ignored

abort

particular option is rejected and session is aborted

max-setting (name-usage obligatory)

Ways to Set Maximum.

max

the particular limitation is set; values have a maximum

any

the particular limitation is ignored; any value is valid

direction (name-usage obligatory)

General Traffic Direction Enumeration.

download

Transfer from server to client.

upload

Transfer from client to server.

name-selection (name-usage obligatory)

Methods to select object.

any

Setting a particular object is not required; any one is correct.

name

Setting the object by its name in the configuration.

destination (name-usage obligatory)

Destination (remote peers or nets).

host, net, default

ip-version (name-usage optional)

IP version.

ipv4 (4), ipv6 (6)

address-family (name-usage obligatory)

Socket Address Family.

inet, inet6, unix

osi4-proto (name-usage obligatory)

Transport Layer Protocol.

default, tcp, udp, tcp-udp

in-out (name-usage obligatory)

Interface inbound/outbound Direction.

in, out, both

report-mode (name-usage optional)

Process stdout/stderr control.

nothing (0), out (1), err (2), all (3)

periodicity (name-usage obligatory)

Time period types.

daily, weekly, monthly

time-cond (name-usage obligatory)

Time condition types.

anytime

No condition on time applied

daily, weekly, monthly

zip-mode (name-usage obligatory)

Logfile zipping mode.

plain, gzip, bzip2

obligation (name-usage obligatory)

Modes of special features usage.

This enumeration is used when some feature (like authentication, SSL etc.) can be either required or only allowed, by the admin's decision.

required

Feature is mandatory

allowed

Feature is optional

range-op (name-usage obligatory)

Range Comparison Operator.

unknown

Tested value is not known.

lt

Tested value is lower than the configuration limit.

le

Tested value is lower than or equal to the configuration limit.

eq

Tested value is equal to the configuration limit.

ne

Tested value is not equal to the configuration limit.

gt

Tested value is greater than the configuration limit.

ge

Tested value is greater than or equal to the configuration limit.

in

Tested value is between the configuration limits (bounds inclusive).

ni

Tested value is not between the configuration limits (bounds inclusive).

inline-file-format (name-usage obligatory)

In-line File Formats.

text

Regular text, lines will be trimmed and quoted.

raw

Raw text, lines are only quoted, no comments allowed.

native

Native CML values, lines are used as-is.

ip-addr

IP addresses with or without mask, but without brackets.

regexp

Regular expressions without slashes.

yes-no-always (name-usage obligatory)

Yes/No Enumeration with Always option.

Represents a YES-NO value that is tied to a certain condition, usually to a component or function being configured.

no

Always NO, even when the condition is true

yes

YES when the condition is true, NO when the condition is false

always

Always YES, even when the condition is false

task-frequency (name-usage obligatory)

Task frequency

daily

Run the task once a day.

hourly

Run the task once an hour.

every

Run the task every PERIOD minutes.

raw

Raw crontab period specification.

manually

No automatically scheduled refresh.

ITEMS AND SECTIONS

Configuration of the common library component consists of the following prototypes:

  admin ... ;
  ipv6-mode ... ;
  phase ... ;
* cfg-tag ... ;
* range-cond ... ;
* set-var ... ;
* mime-type-check ... ;
* shared-file name { ... }
* shared-dir name { ... }
  rotate-file ... ;
  cron-schedule ... ;

Description:

admin system [contact];

Firewall administrator and contact e-mail addresses.

system (type: str)

The technical administrator(s) of the system; an address or a set of comma-separated addresses of the persons responsible for system maintenance.

contact (type: str, optional, default: <NULL>)

The policy administrator; the address of the person responsible for system configuration. If not defined, the technical administrator address is used instead.

Constraints:

Administrator contact must comply with RFC.

ipv6-mode [status];

Enabling/Disabling IPv6 Mode.

status (type: enabling, optional, default: enable)

phase [number];

Application Startup Phase.

number (type: uint8, optional, default: 50)

Phase number; the lower the number, the earlier the start.

cfg-tag value;

Configuration factorization tag.

This feature allows the admin to create groups of Kernun applications (especially proxies and servers) according to various aspects (belonging to one customer, applications handling particular network traffic etc.).

Each application can have several tag attributes, and the KAT tool can run some commands (like 'ps', 'start' etc.) for applications with or without a given tag.

value (type: str)

Constraints:

Tag must contain only letters, digits, hyphens and dots.

range-cond unknown;

range-cond lt limit;

range-cond le limit;

range-cond eq limit;

range-cond ne limit;

range-cond gt limit;

range-cond ge limit;

range-cond in lower upper;

range-cond ni lower upper;

Range Testing Condition.

<branching element> (type: range-op)

limit (type: uint64)

Tested value limitation.

lower (type: uint64)

Tested value lower bound.

upper (type: uint64)

Tested value upper bound.

set-var name value;

Shell-like variable setting.

name (type: str)

Variable name.

value (type: str)

Variable value.

Constraints:

Variable name must contain alphanumeric chars only.

mime-type-check type;

Document MIME Type and Subtype Checking.

type (type: str-set)

Set of type/subtype string definitions.

If a regexp is part of the set, then this regexp is matched against the type/subtype specification. Beware of escaping the slash, if present (write /...\/.../).

If a string is part of the set, then it must contain at most one slash. If the slash is not present, the string is compared with the document type only (not the subtype). If the slash is present, then the pattern is checked against the whole type/subtype specification.
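The matching rule above, as an added example that is not Kernun code: set entries written /.../ are treated as regexps (with \/ unescaped), bare strings are compared with the type only, and strings containing a slash with the whole type/subtype. The exact-comparison and search semantics are assumptions.

```python
import re

# Added illustration of the mime-type-check matching rule; not Kernun code.
# Assumptions: comparisons are exact (case handling is left to the caller),
# a regexp entry is written /.../ with inner slashes escaped as \/ (as the
# page states), and a regexp matches if it is found anywhere in type/subtype.

def parse_entry(entry):
    """Classify one str-set entry as ("regexp", compiled) or ("string", text)."""
    if len(entry) >= 2 and entry[0] == "/" and entry[-1] == "/":
        # Regexp form: strip the delimiters and unescape \/ to a plain slash.
        return "regexp", re.compile(entry[1:-1].replace("\\/", "/"))
    if entry.count("/") > 1:
        raise ValueError("string entry %r may contain at most one slash" % entry)
    return "string", entry

def mime_type_matches(type_set, document_type):
    """True if the document's 'type/subtype' matches any entry of the set."""
    doc_type = document_type.split("/", 1)[0]
    for entry in type_set:
        kind, value = parse_entry(entry)
        if kind == "regexp":
            if value.search(document_type):
                return True
        elif "/" in value:
            # Full type/subtype string: must equal the whole specification.
            if value == document_type:
                return True
        elif value == doc_type:
            # Bare type string: compared with the document type only.
            return True
    return False

if __name__ == "__main__":
    # Constructed sample set: one bare type, one full type/subtype, one regexp.
    allowed = ["image", "application/pdf", "/^text\\/(html|plain)$/"]
    for doc in ("image/png", "application/pdf", "text/html", "text/css"):
        print(doc, mime_type_matches(allowed, doc))
```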

shared-file name {
  path ... ;
  format ... ;
}

Shared file definition.

Constraints:

Pathname must be specified.

Items & subsections:

path name;

Path specification.

This path is interpreted in the environment where it is applied:

  • within CML it means a path on the filesystem where CML runs; if relative, it is relative to the configuration directory

  • within firewall configuration files it means a path on the firewall (cannot be relative).

Thus, the value of this item can differ between the source CML file and the target CFG files; the CML command /GENERATE copies these files into the destination SYSTEM-* tree.

name (type: str)

Path to the file.

format [type];

Inline file format.

If the shared file is used as an inline file ("< NAME" in a list), this item defines the line modifications.

type (type: inline-file-format, optional, default: text)

[End of section shared-file description.]

shared-dir name {
  path ... ;
}

Shared directory definition.

Constraints:

Pathname must be specified.

Items & subsections:

path name;

Path specification.

This path is interpreted in the environment where it is applied:

  • within CML it means a path on the filesystem where CML runs; if relative, it is relative to the configuration directory

  • within firewall configuration files it means a path on the firewall (cannot be relative).

Thus, the value of this item can differ between the source CML file and the target CFG files; the CML command /GENERATE copies these directories into the destination SYSTEM-* tree.

name (type: str)

Path to the directory.

[End of section shared-dir description.]

rotate-file [user user] [group group] [mode mode] [count count] [size size] [when [zip]];

Log file rotation description.

Use the SIZE element if a log-file-size criterion is required. Use the WHEN element if periodic rotation is required. If both SIZE and WHEN are used, the log file is rotated at the scheduled time only if the size limit has been reached.

user user (type: str, optional, default: <NULL>)

Log file owner - user.

group group (type: str, optional, default: "wheel")

Log file owner - group.

mode mode (type: uint16, optional, default: 640)

Log file permissions.

count count (type: uint16, optional, default: 31)

Number of days being archived.

size size (type: uint16, optional, default: 0)

Size limit for rotation in KB (the log file size is ignored if omitted).

when (type: time-cond, optional, default: anytime)

Rotation periodicity (the SIZE condition is used if omitted).

zip (type: zip-mode, optional, default: bzip2)

Zipping mode.

Constraints:

Use either size criterion or defined periodicity.
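The rotate-file criteria rules above, as an added example that is not Kernun code: SIZE alone rotates on size, WHEN alone rotates on schedule, both together rotate at the scheduled time only if the limit is reached, and neither violates the constraint. Treating "limit reached" as file size >= size*1024 bytes and leaving the "is the scheduled slot due now" decision to the caller are assumptions.

```python
# Added illustration of the rotate-file criteria rules; not Kernun code.
# Assumptions: "size limit reached" means file size >= size*1024 bytes, and
# whether the daily/weekly/monthly slot is due is decided by the caller.

PERIODS = ("daily", "weekly", "monthly")

def rotation_mode(size_kb=0, when="anytime"):
    """Return which criterion governs rotation: 'size', 'period' or 'both'.
    Raises ValueError for configurations the page's constraint forbids."""
    if when not in ("anytime",) + PERIODS:
        raise ValueError("when must be anytime, daily, weekly or monthly")
    if size_kb < 0:
        raise ValueError("size must be a non-negative KB count")
    has_size = size_kb > 0          # size 0 (the default) means "ignore size"
    has_period = when != "anytime"  # anytime (the default) means "no schedule"
    if has_size and has_period:
        return "both"
    if has_size:
        return "size"
    if has_period:
        return "period"
    raise ValueError("use either size criterion or defined periodicity")

def should_rotate(size_kb, when, file_size_bytes, period_due):
    """Decide whether the log file is rotated in this run.

    period_due: True when this run falls on the scheduled daily/weekly/monthly
    slot (supplied by the caller, e.g. derived from the clock)."""
    mode = rotation_mode(size_kb, when)
    over_limit = file_size_bytes >= size_kb * 1024
    if mode == "size":
        return over_limit
    if mode == "period":
        return period_due
    # Both criteria: rotate at the scheduled time only if the limit is reached.
    return period_due and over_limit

if __name__ == "__main__":
    # Constructed example: 1024 KB limit, weekly schedule, 2 MB log file.
    two_mb = 2 * 1024 * 1024
    print(should_rotate(1024, "weekly", two_mb, period_due=False))  # False
    print(should_rotate(1024, "weekly", two_mb, period_due=True))   # True
```

A small log under a combined SIZE and WHEN setting is never rotated on schedule, which is the case to check when archives come up missing.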

cron-schedule daily [time time] [report report];

cron-schedule hourly [minute minute] [report report];

cron-schedule [every] [period period] [at at] [report report];

cron-schedule raw raw raw [report report];

cron-schedule manually;

Parameters for scheduling a cron task.

<branching element> (type: task-frequency, optional, default: every)

raw raw (type: str)

Raw line to be placed into crontab. First 5 columns (the time specification) must be specified.

minute minute (type: time, optional, default: 0)

Starting time of task (mm, hour ignored).

time time (type: time, optional, default: 415)

Starting time of task (hhmm).

period period (type: uint8, optional, default: 15)

Run the task every PERIOD minutes (mm, hours ignored).

at at (type: uint8, optional, default: 0)

Starting time of task (mm, hours ignored).

report report (type: report-mode, optional, default: nothing=0)

Task output (stdout and stderr) delivery.

SEE ALSO

configuration(7), logging(7)