NAME

tcp-proxy — format of tcp-proxy component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the tcp-proxy component configuration.

Repeatable sections/items are marked by a '*' before the section/item name.

TYPES

Configuration directives have attributes of several value types. For a description of the basic types, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case, the enumeration description lists the value for every name (in parentheses next to the name). For other enumerations, the use of names is obligatory.

The following enumerations are used in tcp-proxy configuration directives:

yes-no (see common(5))

direction (see common(5))

ip-version (see common(5))

osi4-proto (see common(5))

time-cond (see common(5))

zip-mode (see common(5))

obligation (see common(5))

dbglev (see log(5))

logfail-mode (see log(5))

week-day (see time(5))

month (see time(5))

lock-type (see ipc(5))

auth-method (see auth(5))

source-address-mode (see source-address(5))

transparency (see acl(5))

user-auth-spec (see acl(5))

doctype-ident-method (see acl(5))

listen-on-sock (see listen-on(5))

ITEMS AND SECTIONS

Configuration of the tcp-proxy library component consists of the following prototypes:


* tcp-proxy name { ... }

Description:

tcp-proxy name {
  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  err-reset ... ;
  ssl-session-cache { ... }
  client-ssl ... ;
  client-ssl-timeout ... ;
  data-mime-db ... ;
  auth ... ;
* session-acl name { ... }
}

Generic TCP proxy configuration.

The tcp-proxy section is derived from the proxy section prototype. For a detailed description, see application(5).

Changes to the tcp-proxy section:

Section udpserver is not valid.

At least one SESSION-ACL must be specified (the proxy must be named in some SYSTEM.ACL.SERVICES).

Section monitoring (see monitoring(5))

Item aproxy-user is not valid.

Item data is not valid.

Item idle-timeout (see application(5))

Element seconds is optional, default: 2d.

Item listen-on.non-transparent (see listen-on(5))

Element proto is optional, default: tcp.

Item listen-on.transparent (see listen-on(5))

Element proto is optional, default: tcp.

Added items & subsections:

client-conn {
  recv-bufsize ... ;
  close-timeout ... ;
  send-bufsize ... ;
  log-limit ... ;
}

Options for the connection to the client.

The client-conn section is derived from the sock-opt section prototype. For a detailed description, see netio(5).

Changes to the client-conn section:

Item conn-timeout is not valid.

Item recv-timeout is not valid.

Item send-timeout is not valid.

server-conn {
  conn-timeout ... ;
  recv-bufsize ... ;
  close-timeout ... ;
  send-bufsize ... ;
  log-limit ... ;
}

Options for the connection to the server.

The server-conn section is derived from the sock-opt section prototype. For a detailed description, see netio(5).

Changes to the server-conn section:

Item recv-timeout is not valid.

Item send-timeout is not valid.

err-reset;

If set, reset the connection on error (otherwise a normal TCP close is used).

ssl-session-cache {
  capacity ... ;
  dir ... ;
  lock ... ;
}

The ssl-session-cache section is derived from the ssl-session-cache section prototype. For a detailed description, see ssl(5).

client-ssl params;

Use SSL/TLS on the connection from a client.

params (type: name of ssl-params, see ssl(5))

client-ssl-timeout seconds;

Timeout for the SSL/TLS handshake with the client.

seconds (type: uint32)

data-mime-db filename;

Data MIME type mapping file.

filename (type: name of shared-file, see common(5))

auth none;

auth passwd file;

auth radius client;

auth ldap ldap;

auth ext file;

auth oob oob [mode [loose]];

Specification of the authentication method and its attributes.

For more details, see auth(7).

<branching element> (type: auth-method)

file (type: str)

Password/utility file name.

client (type: name of radius-client, see radius(5))

RADIUS client configuration name.

ldap (type: name of ldap-client-auth, see ldap(5))

LDAP client configuration parameters.

oob (type: name of oob-auth, see auth(5))

OOB authentication parameters.

mode (type: obligation, optional, default: allowed)

loose (type: key, optional)

Constraints:

Only out-of-band authentication is supported in this proxy.

session-acl name {
* from ... ;
* to ... ;
* user ... ;
* time ... ;
  time-period-set { ... }
  deny ... ;
  accept ... ;
* doctype-ident-order ... ;
  rule ... ;
  idle-timeout ... ;
  idle-timeout-peer ... ;
  source-address ... ;
  plug-to ... ;
* client-cert-match ... ;
* ip-tos-from-client ... ;
  max-bytes-in ... ;
  max-bytes-out ... ;
  max-time ... ;
  cl2srv-halfclosed-time ... ;
  srv2cl-halfclosed-time ... ;
  server-ssl ... ;
  data-filter-client ... ;
  data-filter-server ... ;
* server-cert-match ... ;
  client-altq ... ;
  server-altq ... ;
  ip-tos-to-client { ... }
  ip-tos-to-server { ... }
}

The session-acl section is derived from the acl-1 section prototype. For a detailed description, see acl(5).

Changes to the session-acl section:

Item auth is not valid.

SSL/TLS is required on the connection in order to match server certificates.

Added items & subsections:

client-cert-match [subject subject] [issuer issuer];

Select an ACL according to a client certificate.

subject subject (type: str-set, optional, default: *)

acceptable certificate subjects

issuer issuer (type: str-set, optional, default: *)

acceptable certificate issuers

ip-tos-from-client val;

Match on the IP TOS value of received packets.

val (type: uint8-set)

max-bytes-in bytes;

Maximum number of bytes from server to client.

bytes (type: uint64)

max-bytes-out bytes;

Maximum number of bytes from client to server.

bytes (type: uint64)

max-time seconds;

Maximum duration of the session.

seconds (type: uint32)

cl2srv-halfclosed-time seconds;

Maximum time that client-to-server communication may continue after the connection has been half-closed in the server-to-client direction.

seconds (type: uint32)

srv2cl-halfclosed-time seconds;

Maximum time that server-to-client communication may continue after the connection has been half-closed in the client-to-server direction.

seconds (type: uint32)
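The two half-closed timers are easy to confuse, since each is named after the direction that is still open and is started by the half-close of the opposite direction. The following Python model is an added illustration, not Kernun code: it accounts bytes and time for one proxied session and names the first of the session-acl limits above (max-bytes-in, max-bytes-out, max-time, cl2srv-halfclosed-time, srv2cl-halfclosed-time) that is exceeded. The class and event names, the constructed event trace, and the rule that a limit is exceeded only when the count is strictly greater than the configured value are assumptions made for this example.

```python
# Added example (not Kernun code): a model of the per-session limits a
# tcp-proxy session-acl expresses. Item names mirror the manual page; the
# class names, event names and the "exceeded means strictly greater than
# the limit" rule are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class SessionLimits:
    """Per-ACL limits; None means the item is not configured."""
    max_bytes_in: Optional[int] = None            # server -> client bytes
    max_bytes_out: Optional[int] = None           # client -> server bytes
    max_time: Optional[int] = None                # whole session, seconds
    cl2srv_halfclosed_time: Optional[int] = None  # seconds after srv->cl FIN
    srv2cl_halfclosed_time: Optional[int] = None  # seconds after cl->srv FIN


class SessionMonitor:
    """Accounts bytes and time for one proxied TCP session and names the
    first session-acl limit that is exceeded (None while all are kept)."""

    def __init__(self, limits: SessionLimits, start: float = 0.0):
        self.limits = limits
        self.start = start
        self.bytes_in = 0    # server -> client
        self.bytes_out = 0   # client -> server
        # Time at which each direction was half-closed (FIN seen), if any.
        self.srv2cl_closed_at: Optional[float] = None
        self.cl2srv_closed_at: Optional[float] = None

    def server_to_client(self, nbytes: int, now: float) -> Optional[str]:
        self.bytes_in += nbytes
        return self.check(now)

    def client_to_server(self, nbytes: int, now: float) -> Optional[str]:
        self.bytes_out += nbytes
        return self.check(now)

    def half_close_srv2cl(self, now: float) -> Optional[str]:
        """Server stopped sending; client->server traffic may continue for
        at most cl2srv-halfclosed-time seconds."""
        self.srv2cl_closed_at = now
        return self.check(now)

    def half_close_cl2srv(self, now: float) -> Optional[str]:
        """Client stopped sending; server->client traffic may continue for
        at most srv2cl-halfclosed-time seconds."""
        self.cl2srv_closed_at = now
        return self.check(now)

    def check(self, now: float) -> Optional[str]:
        lim = self.limits
        if lim.max_time is not None and now - self.start > lim.max_time:
            return "max-time"
        if lim.max_bytes_in is not None and self.bytes_in > lim.max_bytes_in:
            return "max-bytes-in"
        if lim.max_bytes_out is not None and self.bytes_out > lim.max_bytes_out:
            return "max-bytes-out"
        # cl2srv-halfclosed-time counts from the server->client half-close.
        if (lim.cl2srv_halfclosed_time is not None
                and self.srv2cl_closed_at is not None
                and now - self.srv2cl_closed_at > lim.cl2srv_halfclosed_time):
            return "cl2srv-halfclosed-time"
        # srv2cl-halfclosed-time counts from the client->server half-close.
        if (lim.srv2cl_halfclosed_time is not None
                and self.cl2srv_closed_at is not None
                and now - self.cl2srv_closed_at > lim.srv2cl_halfclosed_time):
            return "srv2cl-halfclosed-time"
        return None


def run_sample_session():
    """Replay a constructed event trace (not captured from a real proxy)
    and return the verdict after each event."""
    limits = SessionLimits(max_bytes_in=1500, max_bytes_out=1000, max_time=600,
                           cl2srv_halfclosed_time=30, srv2cl_halfclosed_time=30)
    mon = SessionMonitor(limits, start=0.0)
    # (event, byte count, seconds since session start)
    events = [
        ("c2s", 400, 1.0),
        ("s2c", 1200, 2.0),
        ("fin_s2c", 0, 5.0),   # server half-closes; client may send 30 s more
        ("c2s", 300, 20.0),    # 15 s after the half-close: still allowed
        ("c2s", 100, 40.0),    # 35 s after: cl2srv-halfclosed-time exceeded
    ]
    verdicts = []
    for kind, nbytes, t in events:
        if kind == "c2s":
            verdicts.append(mon.client_to_server(nbytes, t))
        elif kind == "s2c":
            verdicts.append(mon.server_to_client(nbytes, t))
        elif kind == "fin_s2c":
            verdicts.append(mon.half_close_srv2cl(t))
        else:
            verdicts.append(mon.half_close_cl2srv(t))
    return verdicts


if __name__ == "__main__":
    print(run_sample_session())
```

In the trace, the server half-closes at 5 s and the client's later writes are judged against cl2srv-halfclosed-time, not srv2cl-halfclosed-time: the timer named for the direction that stays open is the one that fires.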

server-ssl params;

Use SSL/TLS on the connection to a server.

params (type: name of ssl-params, see ssl(5))

data-filter-client rules;

Client data filtering.

rules (type: name of data-match, see mod-match(5))

data-filter-server rules;

Server data filtering.

rules (type: name of data-match, see mod-match(5))

server-cert-match [subject subject] [issuer issuer];

Requirements for server certificate.

subject subject (type: str-set, optional, default: *)

acceptable certificate subjects

issuer issuer (type: str-set, optional, default: *)

acceptable certificate issuers

client-altq altq [paltq paltq];

ALTQ queues for data sent to client.

altq (type: name of pf-queue, see pf-queue(5))

queue name

paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL)

priority queue name (if set, used for TCP ACKs that carry no data)

server-altq altq [paltq paltq];

ALTQ queues for data sent to server.

altq (type: name of pf-queue, see pf-queue(5))

queue name

paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL)

priority queue name (if set, used for TCP ACKs that carry no data)

ip-tos-to-client {
  fixed ... ;
  received ... ;
  other ... ;
}

The ip-tos-to-client section is derived from the ip-tos-to-client section prototype. For a detailed description, see netio(5).

ip-tos-to-server {
  fixed ... ;
  received ... ;
  other ... ;
}

The ip-tos-to-server section is derived from the ip-tos-to-server section prototype. For a detailed description, see netio(5).

[End of section tcp-proxy.session-acl description.]

[End of section tcp-proxy description.]

SEE ALSO

configuration(7), acl(5), application(5), auth(5), common(5), ipc(5), ldap(5), listen-on(5), log(5), mod-match(5), monitoring(5), netio(5), pf-queue(5), radius(5), source-address(5), ssl(5), time(5), auth(7)