system — format of system component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the system component configuration.
Repeatable sections/items are marked by the '*' before the section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, using the names is obligatory.
The following enumerations are used in system configuration directives:
enabling (see common(5))
yes-no (see common(5))
genesis (see common(5))
permission (see common(5))
max-setting (see common(5))
direction (see common(5))
destination (see common(5))
ip-version (see common(5))
in-out (see common(5))
time-cond (see common(5))
zip-mode (see common(5))
obligation (see common(5))
range-op (see common(5))
week-day (see time(5))
month (see time(5))
radius-attr (see radius(5))
ldap-tls-reqcert-mode (see ldap(5))
ldap-search-scope (see ldap(5))
auth-method (see auth(5))
oob-authentication-method (see auth(5))
antivirus-protocol (see mod-antivirus(5))
virus-status (see mod-antivirus(5))
accept-deny (see mod-html-filter(5))
transparency (see acl(5))
user-auth-spec (see acl(5))
source-address-mode (see acl(5))
doctype-ident-method (see acl(5))
header-op (see acl(5))
product-type (see license(5))
component-group (see license(5))
component-type (see license(5))
carp-advskew (see interface(5))
protocol (see packet-filter(5))
icmp-type (see packet-filter(5))
bandwidth-mode (see packet-filter(5))
interface-mode (see packet-filter(5))
pf-scheduler (see packet-filter(5))
pf-sc-setting (see packet-filter(5))
dns-type (see resolver(5))
dns-opcode (see resolver(5))
dns-response (see resolver(5))
dns-qaction (see resolver(5))
dns-raction (see resolver(5))
dns-fake (see resolver(5))
xfr-mode (see resolver(5))
ntp-rest-flag (see ntp(5))
dbglev (see log(5))
logfail-mode (see log(5))
ovpn-protocols (see openvpn(5))
ovpn-remote-proto (see openvpn(5))
ovpn-comp-lzo-mode (see openvpn(5))
ovpn-cert-types (see openvpn(5))
ovpn-cipher-algs (see openvpn(5))
ovpn-redirect-gateway-flags (see openvpn(5))
ovpn-dhcp-option (see openvpn(5))
ovpn-local-scope (see openvpn(5))
tls-mat-variants (see openvpn(5))
ipsec-encryption1 (see ipsec(5))
ipsec-encryption2 (see ipsec(5))
ipsec-hash1 (see ipsec(5))
ipsec-auth2 (see ipsec(5))
ipsec-dh-group (see ipsec(5))
ipsec-tunnel-sa-mode (see ipsec(5))
ipsec-auth-method (see ipsec(5))
ipsec-protocol (see ipsec(5))
ipsec-remote-mode (see ipsec(5))
user-type (name-usage obligatory) Kernun user type.
admin, audit
route-flag (name-usage obligatory) Route flags.
cloning, xresolve, iface, static, nostatic
report-mode (name-usage optional) Process stdout/stderr control.
nothing (0), out (1), err (2), all (3)
ssh-key-type (name-usage obligatory) SSH key types.
ssh-dss, ssh-rsa
ssh-proto (name-usage optional) SSH protocol numbers.
ssh-1 (1), ssh-2 (2)
lock-type (see ipc(5))
udp-session-type (see udpserver(5))
listen-on-sock (see listen-on(5))
ssl-ver (see ssl(5))
data-match-action (see mod-match(5))
dns-name-type (see dns-proxy(5))
nls (see nls(5))
language (see nls(5))
pass-remove (see ftp-proxy(5))
data-type (see ftp-proxy(5))
ftp-cmd (see ftp-proxy(5))
clear-web-db-category (see clear-web-db(5))
clear-web-db-match-mode (see clear-web-db(5))
replace-authorization-mode (see http-proxy(5))
proxy-via (see http-proxy(5))
http-protocol (see http-proxy(5))
http-scheme (see http-proxy(5))
cookie-table-clean (see http-proxy(5))
accept-gzip (see http-proxy(5))
content-gzip (see http-proxy(5))
smtp-error (see mod-mail-doc(5))
imap4-cmd (see imap4-proxy(5))
imap4-capa (see imap4-proxy(5))
pop3-cmd (see pop3-proxy(5))
pop3-capa (see pop3-proxy(5))
peer (see sip-proxy(5))
smtp-size-usage (see smtp-proxy(5))
ssl-startup-mode (see smtp-proxy(5))
smtp-err-switch (see smtp-proxy(5))
spf-result (see smtp-proxy(5))
on-off (see sqlnet-proxy(5))
redirection-mode (see sqlnet-proxy(5))
ips-action (see ips(5))
snort-protocol (see ips(5))
snort-rule-types (see ips(5))
snort-template-refresh-frequency (see ips(5))
The configuration of the system library component consists of the following prototypes:
* ssh-key2 ... ;
* system name { ... }
ssh-key2 email type key [ignored];
SSH Version 2 key.
email (type: str) Owner email address.
type (type: ssh-key-type)
key (type: str)
ignored (type: str, optional, default: <NULL>) Elem ignored, retained due to backward compatibility.
system name {
product ... ;
admin ... ;
hostname ... ;
domain ... ;
kernun-root ... ;
apply-host ... ;
users { ... }
sysctl { ... }
* interface name { ... }
ipv6-rtadv { ... }
ipv6-router ... ;
ipv6-addrctl { ... }
carp-preemptive ... ;
* carp-monitor name { ... }
cluster-synchronize { ... }
routes { ... }
rc-conf { ... }
hosts-table { ... }
* rotate-log name { ... }
ntp { ... }
dhcp-server { ... }
dhcp6-server { ... }
crontab { ... }
periodic-conf { ... }
local-mailer { ... }
* ssh-server name { ... }
ssh-keys { ... }
watch { ... }
ips { ... }
* acl name { ... }
use-services ... ;
use-resolver ... ;
* resolver name { ... }
* nameserver name { ... }
* ns-list name { ... }
* pf-queue name { ... }
packet-filter { ... }
* ssl-params name { ... }
* html-filter name { ... }
* mail-filter name { ... }
* aproxy name { ... }
* radius-client name { ... }
* ldap-client-auth name { ... }
* oob-auth name { ... }
* antivirus name { ... }
* antispam name { ... }
* smtp-forwarder name { ... }
* web-filter name { ... }
clear-web-db { ... }
* openvpn name { ... }
ipsec-global { ... }
* ipsec-remote name { ... }
* ipsec name { ... }
* data-match name { ... }
* ntlm-auth name { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
* tcp-proxy name { ... }
* udp-proxy name { ... }
* dns-proxy name { ... }
* ftp-proxy name { ... }
* gk-proxy name { ... }
* h323-proxy name { ... }
* http-proxy name { ... }
* icap-server name { ... }
* imap4-proxy name { ... }
* pop3-proxy name { ... }
* sip-proxy name { ... }
* smtp-proxy name { ... }
* sqlnet-proxy name { ... }
}
Description of one firewall system.
PRODUCT should be specified.
Some configured components are not licensed.
Hostname must be specified.
Domainname must be specified.
Interfaces must be specified.
Source for /etc/services must be specified.
Name resolver configuration must be specified.
System name resolvers must use standard port.
DEFAULT router allowed only if DHCP-CLIENT not used.
Crontab content must be specified.
All interfaces must use unique device names.
Nameservers must listen on interface addresses.
All configured email domains must be handled by some SMTP-FORWARDER.
At most one interface with DHCP-CLIENT allowed.
Cannot non-transparently listen on dynamic interfaces.
Openvpn sections must refer to an interface of type TUN or TAP.
IPSEC sections can refer to an interface of type GIF or GRE only.
Addresses used in OPENVPN section must respect INTERFACE network range.
Address pushing in OPENVPN section must respect INTERFACE type.
Addresses pushed in an OPENVPN section must not collide.
For every IPSEC section an IPSEC-REMOTE section with the proper remote address must exist.
At most one NTLM-AUTH section allowed.
Clear Web database updates should be configured if Clear Web category matching is used.
An IPv4, IPv6, DHCP-CLIENT, or ALIAS must be specified for all interfaces that are not in a LAGG AGGREGATE; no address specification is allowed for an interface in a LAGG AGGREGATE.
An Ethernet interface (and no other interface type) may be a member of at most one LAGG AGGREGATE.
Data MIME database required by DATA-MATCH with MATCH-DATA-MIME set.
product product components [groups groups] [upgrade upgrade];
Specification of the product installed on this system.
product (type: product-type) Type of the product.
components (type: component-type-list) List of licensed components.
groups groups (type: component-group-list, optional, default: {}) List of licensed component groups.
upgrade upgrade (type: str, optional, default: "unlimited") Upgrade date from a license.
Upgrade must be "unlimited" or a date in format YYYY-MM-DD.
admin system [contact];
Firewall administrator and contact e-mail addresses.
system (type: str) The technical administrator(s) of the system; an address or set of comma-separated addresses of persons responsible for system maintenance.
contact (type: str, optional, default: <NULL>) The policy administrator; an address of the person responsible for system configuration. If not defined, the technical administrator is used instead.
Administrator contact must comply with RFC.
hostname name;
System name.
name (type: str) Hostname should not contain domain part.
domain name;
Domain name.
name (type: str)
kernun-root [path];
Path to Kernun installation root directory.
path (type: str, optional, default: "/usr/local/kernun") Path must be absolute and must not contain punctuation chars.
apply-host addr;
Address to connect to by ssh when applying remotely.
If omitted, KAT /APPLY command will force local application.
If used, KAT /APPLY command will use local application only if the machine hostname is exactly HOSTNAME.DOMAIN.
addr (type: sock)
users {
* user name { ... }
}
Kernun users.
user name {
role ... ;
full-name ... ;
* ssh-key ... ;
}
User role must be specified.
role type;
User role.
There are two kinds of Kernun users:
- ADMINistrators are root-equivalent users
- AUDITors can only view system configuration and logs.
type (type: user-type)
full-name [gecos];
Full name of user.
gecos (type: str, optional, default: "&") Full name must not contain colon (':').
ssh-key email type key [ignored];
SSH Version 2 key.
email (type: str) Owner email address.
type (type: ssh-key-type)
key (type: str)
ignored (type: str, optional, default: <NULL>) Elem ignored, retained due to backward compatibility.
[End of section system.users.user description.]
[End of section system.users description.]
sysctl {
* variable ... ;
portrange-default ... ;
portrange-high ... ;
portrange-low ... ;
}
The sysctl section is derived from the sysctl section prototype. For a detailed description, see sysctl(5).
interface name {
dev ... ;
ipv4 ... ;
ipv6 ... ;
* aggregate ... ;
tunnel ... ;
dhcp-client ... ;
carp-vhid ... ;
carp-password ... ;
carp-advbase ... ;
carp-priority ... ;
ipv6-rtadv { ... }
* alias name { ... }
* tag ... ;
}
The interface section is derived from the interface section prototype. For a detailed description, see interface(5).
ipv6-rtadv {
managed-address ... ;
other-stateful ... ;
raw ... ;
}
Default settings of IPv6 router advertisements.
The ipv6-rtadv section is derived from the ipv6-rtadv section prototype. For a detailed description, see interface(5).
In the ipv6-rtadv section, item enable is not valid.
ipv6-router [enable];
Operate as an IPv6 router.
enable (type: yes-no, optional, default: yes)
ipv6-addrctl {
* rule ... ;
}
Defines the configuration table for the IPv4/IPv6 address selection algorithm from RFC 3484. The generated address selection table is stored in /etc/ip6addrctl.conf and managed by the command ip6addrctl. If this section does not exist, a default table is generated. Preference of IPv4 or IPv6 addresses in the default table is controlled by item PROTO in the section RESOLVER referenced by SYSTEM.USE-RESOLVER.
rule prefix precedence label;
A single policy table entry.
prefix (type: net)
precedence (type: uint16)
label (type: uint16)
[End of section system.ipv6-addrctl description.]
carp-preemptive;
Use CARP in preemptive mode.
carp-monitor name {
phase ... ;
* tag ... ;
interfaces ... ;
* ping ... ;
advbase-incr ... ;
down-timeout ... ;
up-timeout ... ;
script ... ;
* set-env ... ;
control ... ;
}
Monitoring state of CARP interfaces.
This function is provided either by the carp-monitor.sh script or by the admin's own script, running as a regular Kernun component under the control of the KAT commands start, stop, ps, kill etc.
The script periodically tries to ping a set of groups of hosts, where from each group at least one host must respond. If all groups are "alive", the script brings all monitored interfaces "up", i.e. it sets the advbase value of each interface to its basic value. Otherwise it increases the advbase value by a penalty (ADVBASE-INCR). Bringing the interfaces up and down is not done immediately, however: the monitored hosts must stay in the "new" state for UP-TIMEOUT or DOWN-TIMEOUT seconds, respectively.
CARP interfaces must be specified.
An address for ping must be specified.
Variables can be set only if own script is active.
phase [number];
Application Startup Phase.
number (type: uint8, optional, default: 50) Phase number; the lower the number, the earlier the start.
tag value;
Configuration factorization tag.
This feature allows the admin to create groups of Kernun applications (especially proxies and servers) according to various aspects (belonging to one customer, applications of particular network traffic etc.).
Each application can have several tag attributes and the KAT tool can run some commands (like 'ps', 'start' etc.) for applications with or without a given tag.
value (type: str) Tag must contain letters, digits, hyphens and dots only.
interfaces names;
Set of names of CARP interfaces controlled by this monitor.
names (type: name-list of interface, see interface(5)) List of CARP interfaces must not be empty.
ping ip timeout;
Single group of hosts being pinged.
At least one of these hosts must respond within the given timeout for this group to be recognized as "alive". Every defined group within a CARP-MONITOR section must be alive to bring monitored interfaces "up".
ip (type: host-list) IP address list to ping.
timeout (type: uint16) Timeout for ping in seconds.
advbase-incr [penalty];
Interface-down advbase penalty.
Value for incrementing the advbase value of all monitored interfaces to bring them "down".
penalty (type: uint8, optional, default: 1)
down-timeout [sec];
At least one tested IP group must be inaccessible for this time (in seconds) in order to switch the CARP interfaces "down".
sec (type: uint32, optional, default: 0)
up-timeout [sec];
All tested IP groups must be accessible for this time (in seconds) in order to switch the CARP interfaces "up".
sec (type: uint32, optional, default: 0)
script name;
Script to call for actual monitoring. If not set, the default function run_carp_rc from rc-cluster.monitor.sh is used.
name (type: str)
set-env name value;
Set variable for script.
name (type: str) Variable name.
value (type: str) Variable value.
Variable name must contain alphanumeric chars only.
control tag;
Tag denoting components that will be stopped when the CARP interfaces are switched down and started when the interfaces are switched up.
tag (type: str)
[End of section system.carp-monitor description.]
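The CARP-MONITOR decision logic described above (all PING groups alive, advbase penalty, DOWN-TIMEOUT/UP-TIMEOUT hold times, CONTROL stop/start), as an added Python simulation; this is not Kernun's carp-monitor.sh or rc-cluster.monitor.sh. The class and function names (CarpMonitor, PingGroup, demo_scenario) are assumptions of this example, the pings are replaced by a probe callback, and the reachability timeline is constructed.

```python
"""Simulation of the CARP-MONITOR state machine (added illustration, not Kernun code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# probe(host, timeout_seconds) -> True when the host answered within the timeout
Probe = Callable[[str, int], bool]


@dataclass
class PingGroup:
    """One PING item: a host list and the per-ping timeout in seconds."""
    hosts: List[str]
    timeout: int


@dataclass
class CarpMonitor:
    """One CARP-MONITOR section plus the run-time state the monitoring script keeps."""
    interfaces: Dict[str, int]            # INTERFACES: CARP iface -> basic advbase value
    groups: List[PingGroup]               # PING items
    advbase_incr: int = 1                 # ADVBASE-INCR (default 1)
    down_timeout: int = 0                 # DOWN-TIMEOUT in seconds (default 0)
    up_timeout: int = 0                   # UP-TIMEOUT in seconds (default 0)
    control: Optional[str] = None         # CONTROL tag of components to stop/start
    state: str = "up"                     # interfaces are currently "up" or "down"
    advbase: Dict[str, int] = field(init=False)
    events: List[Tuple[str, str]] = field(default_factory=list)  # (KAT action, tag)
    _pending_since: Optional[int] = None  # time the opposite state was first observed

    def __post_init__(self) -> None:
        self.advbase = dict(self.interfaces)  # start with the basic advbase values

    @staticmethod
    def group_alive(group: PingGroup, probe: Probe) -> bool:
        """A group is alive when at least one of its hosts responds in time."""
        return any(probe(h, group.timeout) for h in group.hosts)

    def poll(self, now: int, probe: Probe) -> str:
        """One monitoring round at time `now` (seconds); returns the resulting state."""
        all_alive = all(self.group_alive(g, probe) for g in self.groups)
        observed = "up" if all_alive else "down"
        if observed == self.state:
            self._pending_since = None    # the "new" state did not persist
            return self.state
        if self._pending_since is None:
            self._pending_since = now
        # The new state must hold for UP-TIMEOUT / DOWN-TIMEOUT before switching.
        needed = self.up_timeout if observed == "up" else self.down_timeout
        if now - self._pending_since >= needed:
            self._switch(observed)
        return self.state

    def _switch(self, new_state: str) -> None:
        self.state = new_state
        self._pending_since = None
        for name, base in self.interfaces.items():
            # "up": restore the basic advbase; "down": add the ADVBASE-INCR penalty.
            self.advbase[name] = base if new_state == "up" else base + self.advbase_incr
        if self.control is not None:
            # Components tagged CONTROL are stopped on "down" and started on "up".
            self.events.append(("start" if new_state == "up" else "stop", self.control))


def demo_scenario():
    """Constructed timeline: both hosts of the first PING group are unreachable from
    t=30 s until t=60 s, the second group answers throughout. Returns the monitor and
    a dict {t: (state, advbase snapshot)} sampled every 5 seconds."""
    mon = CarpMonitor(
        interfaces={"carp0": 1, "carp1": 1},
        groups=[PingGroup(["192.0.2.1", "192.0.2.2"], timeout=2),
                PingGroup(["198.51.100.1"], timeout=2)],
        advbase_incr=5, down_timeout=10, up_timeout=20, control="lan-proxies")
    timeline = {}
    for now in range(0, 121, 5):
        def probe(host: str, timeout: int, now: int = now) -> bool:
            # Constructed reachability (documentation addresses, no real pings sent).
            return not (host.startswith("192.0.2.") and 30 <= now < 60)
        timeline[now] = (mon.poll(now, probe), dict(mon.advbase))
    return mon, timeline


if __name__ == "__main__":
    monitor, tl = demo_scenario()
    for t, (st, adv) in tl.items():
        print(f"t={t:3d}s state={st:<4} advbase={adv}")
    print("KAT actions on CONTROL components:", monitor.events)
```

With these settings the interfaces go "down" only after the outage has lasted DOWN-TIMEOUT (t=40 s) and come back "up" only after the groups have all answered for UP-TIMEOUT (t=80 s).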
cluster-synchronize {
backup ... ;
* lock ... ;
* files ... ;
}
Files/dirs synchronization between the master and backup cluster node. This section should only be included in the system section of the master node of the cluster.
Backup host IP address must be specified.
backup addr addr;
Address of the backup node of the cluster. User 'kernun' is expected to be able to connect via ssh from the master system (i.e., the system that contains the cluster-synchronize section) to the backup node.
addr addr (type: sock)
lock filename;
Lock(s) locked by the synchronization script before the synchronization is performed.
filename (type: str)
files filenames;
List of files/directories to be synchronized.
filenames (type: str-list)
[End of section system.cluster-synchronize description.]
routes {
default ... ;
default6 ... ;
* static name { ... }
}
Routing table definition.
default gw;
Default route.
gw (type: host) Router IP address.
default6 gw;
Default IPv6 route.
gw (type: host) Router IP address.
static name {
dest ... ;
gw ... ;
flags ... ;
}
Static route.
Route destination must be specified.
Router address must be specified.
Dest and gateway must be of the same internet family.
dest dst;
Route destination.
dst (type: net)
gw gw;
Router (gateway).
gw (type: host) Router IP address.
flags set;
Route flags.
set (type: route-flag-list)
[End of section system.routes.static description.]
[End of section system.routes description.]
rc-conf {
* set-env ... ;
* append-env ... ;
}
Additional settings for /etc/rc.conf.
By default, CML generates the following variables into the rc.conf file:
hostname (from HOSTNAME and DOMAIN items)
network_interfaces (from INTERFACE sections)
default_router (from ROUTES section)
static_routes (from ROUTES.STATIC sections)
syslogd_flags ("-ss" and sockets for CHROOT-DIRs)
devfs_set_rulesets and devfs_system_ruleset
local_startup (adds Kernun rc.d directory)
pf_enable (YES)
sendmail_enable (NONE)
sendmail_msp_queue_enable (NO)
postfix_enable (YES)
fsck_y_enable (YES)
Additional variables can be specified in this section.
Even the predefined variables can be modified by adding a variable redefinition like SET-ENV var "$var ...";.
set-env name value;
Set rc-conf variable.
name (type: str) Variable name.
value (type: str) Variable value.
Variable name must contain alphanumeric chars only.
append-env name value;
Modify rc-conf variable.
The variable value is just extended (appending the new value), not replaced.
name (type: str) Variable name.
value (type: str) Variable value.
Variable name must contain alphanumeric chars only.
[End of section system.rc-conf description.]
hosts-table {
* host ... ;
}
Host table.
This section defines known machines and their addresses. It serves primarily as a source for the /etc/hosts file. If the DHCP-SERVER is enabled in a particular SYSTEM, all hosts with an IPv4 address and a MAC address in this table are included into dhcpd.conf. If the DHCP6-SERVER is enabled in a particular SYSTEM, all hosts with an IPv6 address and a DUID in this table are included into dhcpd6.conf. If a NAMESERVER with a ZONE is enabled in a particular SYSTEM, all hosts with a proper name are included into the proper zone files.
host address names [mac [dhcp-opt]];
address (type: addr) Host IP address.
names (type: str-list) Host name and aliases.
mac (type: str, optional, default: <NULL>) MAC address (for IPv4) or client's DUID (for IPv6). The acceptable formats are "xx:xx:xx:xx:xx:xx", "xx-xx-xx-xx-xx-xx" and "xxxx.xxxx.xxxx".
dhcp-opt (type: str, optional, default: <NULL>) DHCP options.
Name list must not be empty.
MAC address must be in colon, dash or dot separated format.
[End of section system.hosts-table description.]
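The HOST item rules above (non-empty name list, the three accepted MAC formats, and which entries feed /etc/hosts, dhcpd.conf and dhcpd6.conf) as an added Python illustration; this is not Kernun's own generator. The names HostEntry, is_valid_mac, normalize_mac, violations, hosts_file_lines, dhcpd_entries, dhcpd6_entries and SAMPLE_TABLE are this example's, the sample table is constructed, and the emitted host declarations use standard ISC dhcpd syntax, which is assumed here because the page does not show how Kernun renders them.

```python
"""Checks and file rendering for hosts-table entries (added illustration, not Kernun code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The three accepted MAC forms: xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx and xxxx.xxxx.xxxx
_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.IGNORECASE)


@dataclass
class HostEntry:
    """One HOST item: address, name list, optional MAC (IPv4) or DUID (IPv6), DHCP options."""
    address: str
    names: List[str]
    mac: Optional[str] = None
    dhcp_opt: Optional[str] = None


def is_valid_mac(mac: str) -> bool:
    """True if the MAC is in colon, dash or dot separated format."""
    return _MAC_FORMS.match(mac) is not None


def normalize_mac(mac: str) -> str:
    """Return an accepted MAC in canonical colon-separated lowercase form."""
    if not is_valid_mac(mac):
        raise ValueError("MAC address must be in colon, dash or dot separated format.")
    digits = re.sub(r"[:.\-]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def violations(entry: HostEntry) -> List[str]:
    """Constraints stated for the HOST item; an empty list means the entry is acceptable."""
    problems = []
    if not entry.names:
        problems.append("Name list must not be empty.")
    try:
        ip = ipaddress.ip_address(entry.address)
    except ValueError:
        return problems + ["Host IP address is malformed."]
    # For IPv6 the field carries a DUID, so the MAC format rule applies to IPv4 only.
    if entry.mac is not None and ip.version == 4 and not is_valid_mac(entry.mac):
        problems.append("MAC address must be in colon, dash or dot separated format.")
    return problems


def _checked(table: List[HostEntry]) -> List[HostEntry]:
    bad = [(e.address, violations(e)) for e in table if violations(e)]
    if bad:
        raise ValueError(f"invalid hosts-table entries: {bad}")
    return table


def hosts_file_lines(table: List[HostEntry]) -> List[str]:
    """/etc/hosts: one line per entry, the first name followed by the aliases."""
    return [f"{e.address}\t{' '.join(e.names)}" for e in _checked(table)]


def dhcpd_entries(table: List[HostEntry]) -> List[str]:
    """dhcpd.conf: only hosts with an IPv4 address and a MAC (ISC host syntax assumed)."""
    out = []
    for e in _checked(table):
        if e.mac is None or ipaddress.ip_address(e.address).version != 4:
            continue
        body = [f"hardware ethernet {normalize_mac(e.mac)};", f"fixed-address {e.address};"]
        if e.dhcp_opt:
            body.append(e.dhcp_opt)      # DHCP-OPT is passed through as written
        out.append(f"host {e.names[0]} {{ {' '.join(body)} }}")
    return out


def dhcpd6_entries(table: List[HostEntry]) -> List[str]:
    """dhcpd6.conf: only hosts with an IPv6 address and a DUID (ISC host syntax assumed)."""
    out = []
    for e in _checked(table):
        if e.mac is None or ipaddress.ip_address(e.address).version != 6:
            continue
        out.append(f"host {e.names[0]} {{ host-identifier option dhcp6.client-id {e.mac}; "
                   f"fixed-address6 {e.address}; }}")
    return out


# Constructed sample table: documentation addresses and made-up names/identifiers.
SAMPLE_TABLE = [
    HostEntry("192.0.2.10", ["ws10", "ws10.example.com"], "00-11-22-33-44-55"),
    HostEntry("192.0.2.11", ["printer"], "0011.2233.4466", 'option host-name "printer";'),
    HostEntry("2001:db8::10", ["ws10v6"], "00:01:00:01:1c:2b:3d:4e:00:11:22:33:44:55"),
    HostEntry("192.0.2.12", ["gw", "router"]),
]

if __name__ == "__main__":
    for section, lines in (("/etc/hosts", hosts_file_lines(SAMPLE_TABLE)),
                           ("dhcpd.conf", dhcpd_entries(SAMPLE_TABLE)),
                           ("dhcpd6.conf", dhcpd6_entries(SAMPLE_TABLE))):
        print(f"# {section}\n" + "\n".join(lines))
```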
rotate-log name {
rotate ... ;
* file ... ;
}
Standard system log files rotation description.
All files referenced in one ROTATE-LOG section use the same rotation policy defined by the ROTATE item. The default policy (if ROTATE item omitted) is daily rotation.
Files not referenced in any ROTATE-LOG section (neither elsewhere in the CML) are rotated according to the /etc/newsyslog.conf file.
rotate [user user] [group group] [mode mode] [count count] [size size] [when [zip]];
Log file rotation description.
Use the SIZE elem if a log file size criterion is required. Use the WHEN elem if periodical rotation is required. If both SIZE and WHEN elems are used, the log file is rotated at the proper time only if the size limit is reached.
user user (type: str, optional, default: "root") Log file owner - user.
group group (type: str, optional, default: "wheel") Log file owner - group.
mode mode (type: uint16, optional, default: 640) Log file permissions.
count count (type: uint16, optional, default: 31) Number of files being archived.
size size (type: uint16, optional, default: 0) Size limit for rotation in KB (log file size is ignored if omitted).
when (type: time-cond, optional, default: anytime) Rotation periodicity (the SIZE condition is used if omitted).
zip (type: zip-mode, optional, default: bzip2) Zipping mode.
Use either size criterion or defined periodicity.
file name;
name (type: str) File name must be absolute and must not contain punctuation chars.
[End of section system.rotate-log description.]
ntp {
phase ... ;
* tag ... ;
cfg-resolution ... ;
drift-file ... ;
* peer ... ;
* server ... ;
* clock ... ;
* restrict ... ;
}
The ntp section is derived from the ntp section prototype. For a detailed description, see ntp(5).
dhcp-server {
phase ... ;
* tag ... ;
lease-file ... ;
default-lease-time ... ;
max-lease-time ... ;
domain ... ;
* name-server ... ;
* time-server ... ;
* router ... ;
* subnet name { ... }
}
The dhcp-server section is derived from the dhcp-server section prototype. For a detailed description, see dhcp-server(5).
dhcp6-server {
phase ... ;
* tag ... ;
lease-file ... ;
default-lease-time ... ;
max-lease-time ... ;
* domain-search ... ;
* name-server ... ;
* subnet name { ... }
}
The dhcp6-server section is derived from the dhcp6-server section prototype. For a detailed description, see dhcp-server(5).
crontab {
mailto ... ;
* set-env ... ;
* plan ... ;
* monthly ... ;
* weekly ... ;
* daily ... ;
* hourly ... ;
* every ... ;
}
Cron table definition.
No "default content" of crontab is preserved; all table items must be specified here. Typical content of crontab can be found in the file samples/crontab.cml, which you can include into your configuration and use here. See the instructions in the file.
mailto addr;
Set MAILTO crontab variable.
This address is used by cron to send script output. Setting it via SET-ENV is allowed; however, setting it by this item should be preferred. If undefined, the SYSTEM.ADMIN value is used.
addr (type: str) Email address(es).
set-env name value;
Set crontab variable.
name (type: str) Variable name.
value (type: str) Variable value.
Variable name must contain alphanumeric chars only.
plan line;
Crontab (raw) line.
line (type: str)
monthly at at [by by] cmd [report report];
Run task every month.
at at (type: time) Starting time of task (hhmm).
by by (type: str, optional, default: "root")
cmd (type: str)
report report (type: report-mode, optional, default: nothing=0) Task output (stdout and stderr) delivery.
weekly on on at at [by by] cmd [report report];
Run task every week.
on on (type: week-day) Weekday of execution.
at at (type: time) Starting time of task (hhmm).
by by (type: str, optional, default: "root")
cmd (type: str)
report report (type: report-mode, optional, default: nothing=0) Task output (stdout and stderr) delivery.
daily at at [by by] cmd [report report];
Run task every day.
at at (type: time) Starting time of task (hhmm).
by by (type: str, optional, default: "root")
cmd (type: str)
report report (type: report-mode, optional, default: nothing=0) Task output (stdout and stderr) delivery.
hourly at at [by by] cmd [report report];
Run task every hour.
at at (type: time) Starting time of task (mm, hours ignored).
by by (type: str, optional, default: "root")
cmd (type: str)
report report (type: report-mode, optional, default: nothing=0) Task output (stdout and stderr) delivery.
every min at at [by by] cmd [report report];
Run task periodically, with the period given in minutes.
min (type: time) Period (mm, hours ignored).
at at (type: time) Starting time of task (mm, hours ignored).
by by (type: str, optional, default: "root")
cmd (type: str)
report report (type: report-mode, optional, default: nothing=0) Task output (stdout and stderr) delivery.
[End of section system.crontab description.]
periodic-conf {
mailto ... ;
* set-env ... ;
}
Periodic job configuration information.
The /etc/periodic.conf file content (see periodic.conf(5)) is defined here. Typical content of the file can be found in the file samples/crontab.cml, which you can include into your configuration and use here. See the instructions in the file.
If undefined, the file remains untouched.
mailto addr;
Set MAILTO crontab variable.
This address will be used as the value of the variables 'daily_output', 'weekly_output', 'monthly_output' and 'daily_status_security_output'.
If undefined, the SYSTEM.ADMIN value is used.
addr (type: str) Email address(es).
set-env name value;
Set periodic.conf variable.
name (type: str) Variable name.
value (type: str) Variable value.
Variable name must contain alphanumeric chars only.
[End of section system.periodic-conf description.]
local-mailer {
phase ... ;
* tag ... ;
use-resolver ... ;
relayhost ... ;
source-address ... ;
smtp-helo-name ... ;
myorigin ... ;
message-size-limit ... ;
bounce-size-limit ... ;
bounce-queue-lifetime ... ;
delay-warning-time ... ;
* set-var ... ;
master-cf ... ;
}
MTA used for sending mails originating at the firewall.
The local-mailer section is derived from the smtp-agent section prototype. For a detailed description, see smtp-proxy(5).
ssh-server name {
phase ... ;
* tag ... ;
* listen-sock ... ;
protocol ... ;
passwd-auth ... ;
* option ... ;
* subsystem ... ;
}
SSH server definition.
Each configured ssh server is started via the standard Kernun startup mechanism (e.g. it has its own rc-script) and as such is handled by the KAT program like a regular proxy.
The ssh server configuration created by CML is based on the values of this section's configuration items. Additionally, the following options are hardcoded as changes of the default values:
PermitRootLogin without-password
ChallengeResponseAuthentication no
LISTEN-SOCK must be specified.
phase [number];
Application Startup Phase.
number (type: uint8, optional, default: 30) Phase number; the lower the number, the earlier the start.
tag value;
Configuration factorization tag.
This feature allows the admin to create groups of Kernun applications (especially proxies and servers) according to various aspects (belonging to one customer, applications of particular network traffic etc.).
Each application can have several tag attributes and the KAT tool can run some commands (like 'ps', 'start' etc.) for applications with or without a given tag.
value (type: str) Tag must contain letters, digits, hyphens and dots only.
listen-sock addr;
Socket address.
addr (type: sock)
protocol list;
Protocol ordering.
list (type: ssh-proto-list) List of protocol numbers.
Protocol list must contain one or two items of ssh-1/2.
passwd-auth;
Enable password authentication for non-root users.
This item sets the PasswordAuthentication option to YES.
option name value;
Additional server configuration options.
name (type: str) Option name.
value (type: str) Option value.
subsystem name cmd;
External subsystem definition.
name (type: str) Subsystem name.
cmd (type: str) Command to execute.
[End of section system.ssh-server description.]
ssh-keys {
* key2 ... ;
}
SSH keys definition.
key2 email type key [ignored];
SSH Version 2 key.
email (type: str) Owner email address.
type (type: ssh-key-type)
key (type: str)
ignored (type: str, optional, default: <NULL>) Elem ignored, retained due to backward compatibility.
[End of section system.ssh-keys description.]
watch {
disable ... ;
}
Watching system parameters by RRD.
disable;
Disable watching.
[End of section system.watch description.]
ips {
phase ... ;
* tag ... ;
mode ... ;
pass-ssh ... ;
license ... ;
* iface ... ;
* modifysid ... ;
rules { ... }
templates { ... }
}
The ips section is derived from the ips section prototype. For a detailed description, see ips(5).
acl name {
* from ... ;
* to ... ;
* time ... ;
time-period-set { ... }
deny ... ;
accept ... ;
* doctype-ident-order ... ;
auth ... ;
idle-timeout ... ;
source-address ... ;
plug-to ... ;
service ... ;
}
General ACL definition.
The acl section is derived from the acl-1 section prototype. For a detailed description, see acl(5).
In the acl section, item user is not valid.
Item SERVICE must be specified.
service list;
List of proxies where this ACL is applicable.
list (type: str-set)
[End of section system.acl description.]
use-services file;
Source for /etc/services file.
file (type: name of shared-file, see common(5))
use-resolver name;
Resolver Section Specification.
This item defines the name of the global (system) resolver section used in a particular configuration environment. Namely, it is applicable within the SYSTEM section and within any section derived from the PROXY prototype. The former usage defines system-wide values, the latter values valid for a particular proxy.
name (type: name of resolver, see resolver(5))
resolver name {
search ... ;
* server ... ;
preference ... ;
conf-timeout ... ;
initial-timeout ... ;
final-timeout ... ;
conn-timeout ... ;
}
The resolver section is derived from the resolver section prototype. For a detailed description, see resolver(5).
nameserver name {
phase ... ;
* tag ... ;
* listen-sock ... ;
* forwarder ... ;
* from ... ;
* option ... ;
* raw ... ;
* zone name { ... }
}
The nameserver section is derived from the nameserver section prototype. For a detailed description, see nameserver(5).
ns-list name {
* server ... ;
}
The ns-list section is derived from the ns-list section prototype. For a detailed description, see resolver(5).
pf-queue name {
parent ... ;
on ... ;
bandwidth ... ;
priority ... ;
qlimit ... ;
cbq { ... }
priq { ... }
hfsc { ... }
}
The pf-queue section is derived from the pf-queue section prototype. For a detailed description, see packet-filter(5).
packet-filter {
* set-option ... ;
timeouts { ... }
* altq name { ... }
* scrub-acl name { ... }
* rdr-acl name { ... }
* nat-acl name { ... }
* binat-acl name { ... }
* filter-acl name { ... }
* load-anchor ... ;
}
The packet-filter section is derived from the packet-filter section prototype. For a detailed description, see packet-filter(5).
ssl-params name {
versions ... ;
ciphers ... ;
id ... ;
auth-cert ... ;
dont-check-crl ... ;
* crl ... ;
verify-peer ... ;
cache-timeout ... ;
enable-renegotiation ... ;
}
The ssl-params section is derived from the ssl-params section prototype. For a detailed description, see ssl(5).
html-filter name {
* script-tag-language ... ;
replace-head-script-tags ... ;
replace-body-script-tags ... ;
* style-tag-type ... ;
replace-style-tags ... ;
* iframe-tag-src ... ;
replace-iframe-tags ... ;
* intrinsic-language ... ;
* intrinsic-hack ... ;
replace-intrinsic ... ;
* macro-language ... ;
* macro-hack ... ;
replace-macros ... ;
* uri ... ;
replace-uri ... ;
* embed-tag-type ... ;
* embed-src-hack ... ;
* embed-plugin-hack ... ;
replace-head-embed-tags ... ;
replace-body-embed-tags ... ;
* applet ... ;
replace-applets ... ;
* object ... ;
* object-classid-hack ... ;
* object-data-hack ... ;
replace-head-object-tags ... ;
replace-body-object-tags ... ;
* param-tags ... ;
replace-param ... ;
script-end-hack ... ;
}
The html-filter section is derived from the html-filter section prototype. For a detailed description, see mod-html-filter(5).
mail-filter name {
stamp-limit ... ;
stamp-filter ... ;
correct-8bit-body ... ;
accept-8bit-header ... ;
correct-bad-char ... ;
correct-quoting ... ;
correct-boundary ... ;
keep-bad-header-params ... ;
keep-signed-wrapping ... ;
treat-binary-as-8bit ... ;
treat-rfc822-as-text ... ;
}
The mail-filter section is derived from the mail-filter section prototype. For a detailed description, see mod-mail-doc(5).
aproxy name {
auth ... ;
insecure-cookies ... ;
oob-auth ... ;
cookie-name ... ;
logout ... ;
timeout-idle ... ;
timeout-unauth ... ;
bufsz ... ;
}
The aproxy section is derived from the aproxy section prototype. For a detailed description, see http-proxy(5).
radius-client name {
nas ... ;
groups ... ;
* server ... ;
}
The radius-client section is derived from the radius-client section prototype. For a detailed description, see radius(5).
ldap-client-auth name {
server ... ;
ssl { ... }
bindinfo ... ;
users ... ;
groups ... ;
active-directory ... ;
}
The ldap-client-auth section is derived from the ldap-client-auth section prototype. For a detailed description, see ldap(5).
oob-auth name {
method ... ;
max-sessions ... ;
max-user ... ;
max-groups ... ;
truncate-groups ... ;
file ... ;
}
The oob-auth section is derived from the oob-auth section prototype. For a detailed description, see auth(5).
antivirus name {
connection ... ;
sock-opt { ... }
comm-dir ... ;
altq ... ;
max-checked-size ... ;
}
The antivirus section is derived from the antivirus section prototype. For a detailed description, see mod-antivirus(5).
antispam name {
connection ... ;
sock-opt { ... }
altq ... ;
}
The antispam section is derived from the antispam section prototype. For a detailed description, see mod-antispam(5).
smtp-forwarder name {
* server ... ;
agent { ... }
timeouts { ... }
hostname ... ;
size ... ;
source-address ... ;
* domain ... ;
ssl ... ;
* server-cert-match ... ;
altq ... ;
}
The smtp-forwarder section is derived from the smtp-forwarder section prototype.
For a detailed description, see smtp-proxy(5).
web-filter name {
connection ... ;
fail-ok ... ;
sock-opt { ... }
}
The web-filter section is derived from the web-filter section prototype.
For a detailed description, see http-proxy(5).
clear-web-db {
db ... ;
db-download ... ;
credentials ... ;
no-sig-check ... ;
}
The clear-web-db section is derived from the clear-web-db section prototype.
For a detailed description, see clear-web-db(5).
openvpn name {
interface ... ;
local ... ;
nobind ... ;
user ... ;
group ... ;
persist-tun ... ;
persist-key ... ;
log { ... }
mute ... ;
ping-timer-rem ... ;
keepalive ... ;
proto ... ;
tls-mat ... ;
dh ... ;
secret ... ;
crl-verify ... ;
server ... ;
max-clients ... ;
duplicate-cn ... ;
client-to-client ... ;
ccd-exclusive ... ;
mlock ... ;
float ... ;
push { ... }
ifconfig-pool ... ;
ifconfig-ipv6-pool ... ;
tls-server ... ;
tls-client ... ;
* remote ... ;
remote-random ... ;
comp-lzo ... ;
tls-remote ... ;
ns-cert-type ... ;
remote-cert-ku ... ;
remote-cert-eku ... ;
remote-cert-tls ... ;
cipher ... ;
client ... ;
pull ... ;
route-nopull ... ;
no-ifconfig-noexec ... ;
client-connect ... ;
* ccd name { ... }
* raw ... ;
phase ... ;
* tag ... ;
socket-root ... ;
}
The openvpn section is derived from the openvpn section prototype.
For a detailed description, see openvpn(5).
ipsec-global {
phase ... ;
* tag ... ;
}
The ipsec-global section is derived from the ipsec-global section prototype.
For a detailed description, see ipsec(5).
ipsec-remote name {
peer ... ;
lifetime ... ;
encryption ... ;
hash ... ;
dh-group ... ;
authentication ... ;
}
The ipsec-remote section is derived from the ipsec-remote section prototype.
For a detailed description, see ipsec(5).
ipsec name {
phase ... ;
* tag ... ;
transport-mode ... ;
tunnel-mode { ... }
phase2 { ... }
}
The ipsec section is derived from the ipsec section prototype.
For a detailed description, see ipsec(5).
data-match name {
max-size ... ;
init-match ... ;
max-match ... ;
step-size ... ;
step-match ... ;
* test ... ;
}
The data-match section is derived from the data-match section prototype.
For a detailed description, see mod-match(5).
ntlm-auth name {
domain ... ;
workgroup ... ;
* ad-controller ... ;
interfaces { ... }
ldap ... ;
timeout ... ;
timeout-idle ... ;
timeout-unauth ... ;
}
The ntlm-auth section is derived from the ntlm-auth section prototype.
For a detailed description, see http-proxy(5).
stats-daily {
top-clients ... ;
top-users ... ;
top-servers ... ;
}
The stats-daily section is derived from the summary section prototype.
For a detailed description, see proxy(5).
In the stats-daily section, the following items of the prototype are not valid: top-groups, top-categories, top-senders, top-recipients, top-mime-types, top-qnames, top-qtypes, top-callers, top-receivers, spam-threshold.
stats-weekly {
top-clients ... ;
top-users ... ;
top-servers ... ;
}
The stats-weekly section is derived from the summary section prototype.
For a detailed description, see proxy(5).
In the stats-weekly section, the following items of the prototype are not valid: top-groups, top-categories, top-senders, top-recipients, top-mime-types, top-qnames, top-qtypes, top-callers, top-receivers, spam-threshold.
stats-monthly {
top-clients ... ;
top-users ... ;
top-servers ... ;
}
The stats-monthly section is derived from the summary section prototype.
For a detailed description, see proxy(5).
In the stats-monthly section, the following items of the prototype are not valid: top-groups, top-categories, top-senders, top-recipients, top-mime-types, top-qnames, top-qtypes, top-callers, top-receivers, spam-threshold.
tcp-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
doctype-identification { ... }
client-conn { ... }
server-conn { ... }
err-reset ... ;
ssl-session-cache { ... }
client-ssl-params ... ;
client-ssl-timeout ... ;
data-mime-db ... ;
auth ... ;
* session-acl name { ... }
}
The tcp-proxy section is derived from the tcp-proxy section prototype.
For a detailed description, see tcp-proxy(5).
udp-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
run-block-sigalrm ... ;
listen-on { ... }
udpserver { ... }
doctype-identification { ... }
auth ... ;
* session-acl name { ... }
}
The udp-proxy section is derived from the udp-proxy section prototype.
For a detailed description, see udp-proxy(5).
dns-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
doctype-identification { ... }
queue-size ... ;
cache { ... }
request-timeout ... ;
query-timeout ... ;
server-dead ... ;
server-retry ... ;
server-proto ... ;
requests-table-size ... ;
sockets-table-size ... ;
internal-request-depth ... ;
adr-reply-limit ... ;
ptr-reply-limit ... ;
client-conn { ... }
server-conn { ... }
* session-acl name { ... }
* request-acl name { ... }
}
The dns-proxy section is derived from the dns-proxy section prototype.
For a detailed description, see dns-proxy(5).
ftp-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
doctype-identification { ... }
client-ctrl { ... }
server-ctrl { ... }
client-data { ... }
server-data { ... }
init-timeout ... ;
init-cmdlimit ... ;
* data-transfer ... ;
retry-data ... ;
* session-acl name { ... }
* command-acl name { ... }
* doc-acl name { ... }
}
The ftp-proxy section is derived from the ftp-proxy section prototype.
For a detailed description, see ftp-proxy(5).
gk-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
udpserver { ... }
doctype-identification { ... }
map-file ... ;
* session-acl name { ... }
}
The gk-proxy section is derived from the gk-proxy section prototype.
For a detailed description, see gk-proxy(5).
h323-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
udpserver { ... }
doctype-identification { ... }
client-ctrl { ... }
server-ctrl { ... }
data-channel { ... }
map-file ... ;
* session-acl name { ... }
max-channel-ports ... ;
}
The h323-proxy section is derived from the h323-proxy section prototype.
For a detailed description, see h323-proxy(5).
http-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
doctype-identification { ... }
client-conn { ... }
server-conn { ... }
document-root ... ;
hdr-line-len ... ;
blacklist-db ... ;
connect-data-mime-db ... ;
ftp-proxy ... ;
max-aproxy-sessions ... ;
max-bypass-sessions ... ;
oob-auth-srv ... ;
ssl-session-cache { ... }
aproxy-lock ... ;
cookie-table { ... }
* session-acl name { ... }
* request-acl name { ... }
* doc-acl name { ... }
}
The http-proxy section is derived from the http-proxy section prototype.
For a detailed description, see http-proxy(5).
icap-server name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
doctype-identification { ... }
client-conn { ... }
document-root ... ;
hdr-line-len ... ;
preview ... ;
blacklist-db ... ;
max-bypass-sessions ... ;
ssl-session-cache { ... }
* session-acl name { ... }
* service-acl name { ... }
* request-acl name { ... }
* doc-acl name { ... }
}
The icap-server section is derived from the icap-server section prototype.
For a detailed description, see icap-server(5).
imap4-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
doctype-identification { ... }
client-conn { ... }
server-conn { ... }
ssl-session-cache { ... }
mail-pool ... ;
* session-acl name { ... }
* command-acl name { ... }
* mail-acl name { ... }
* doc-acl name { ... }
}
The imap4-proxy section is derived from the imap4-proxy section prototype.
For a detailed description, see imap4-proxy(5).
pop3-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
doctype-identification { ... }
client-conn { ... }
server-conn { ... }
ssl-session-cache { ... }
mail-pool ... ;
* session-acl name { ... }
* command-acl name { ... }
* mail-acl name { ... }
* doc-acl name { ... }
}
The pop3-proxy section is derived from the pop3-proxy section prototype.
For a detailed description, see pop3-proxy(5).
sip-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
doctype-identification { ... }
queue-size ... ;
hash-salt ... ;
ctrl-conn { ... }
data-conn { ... }
map-file ... ;
timeouts { ... }
sessions-table-size ... ;
sockets-table-size ... ;
* keepalive ... ;
* session-acl name { ... }
* request-acl name { ... }
}
The sip-proxy section is derived from the sip-proxy section prototype.
For a detailed description, see sip-proxy(5).
smtp-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
doctype-identification { ... }
client-conn { ... }
server-conn { ... }
mail-pool ... ;
quarantine ... ;
postmaster ... ;
hostname ... ;
init-timeout ... ;
bad-commands ... ;
bad-recipients ... ;
dsn-mail-copy ... ;
use-antivirus ... ;
use-antispam ... ;
ssl-session-cache { ... }
grey-listing { ... }
* session-acl name { ... }
* delivery-acl name { ... }
* mail-acl name { ... }
* doc-acl name { ... }
}
The smtp-proxy section is derived from the smtp-proxy section prototype.
For a detailed description, see smtp-proxy(5).
sqlnet-proxy name {
phase ... ;
* tag ... ;
log { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
proxy-user ... ;
chroot-dir ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
doctype-identification { ... }
client-conn { ... }
server-conn { ... }
init-timeout ... ;
protocol-version ... ;
max-service-name-len ... ;
check-reserved-bits ... ;
connect-string-charset ... ;
connect-packet-sizelimit ... ;
* session-acl name { ... }
* service-acl name { ... }
}
The sqlnet-proxy section is derived from the sqlnet-proxy section prototype.
For a detailed description, see sqlnet-proxy(5).
[End of section system description.]
configuration(7), acl(5), auth(5), clear-web-db(5), common(5), dhcp-server(5), dns-proxy(5), ftp-proxy(5), gk-proxy(5), h323-proxy(5), http-proxy(5), icap-server(5), imap4-proxy(5), interface(5), ipc(5), ips(5), ipsec(5), ldap(5), license(5), listen-on(5), log(5), mod-antispam(5), mod-antivirus(5), mod-html-filter(5), mod-mail-doc(5), mod-match(5), nameserver(5), nls(5), ntp(5), openvpn(5), packet-filter(5), periodic.conf(5), pop3-proxy(5), proxy(5), radius(5), resolver(5), sip-proxy(5), smtp-proxy(5), sqlnet-proxy(5), ssl(5), sysctl(5), tcp-proxy(5), time(5), udp-proxy(5), udpserver(5), cml(8), kat(8)