acl — format of acl component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the acl component configuration.
Repeatable sections/items are marked by the '*' before the section/item name.
Configuration directives have attributes of several value-types. For a description of the basic types, see configuration(7).
Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, the use of names is obligatory.
The following enumerations are used in acl configuration directives:

direction             (see common(5))
obligation            (see common(5))
range-op              (see common(5))
week-day              (see time(5))
month                 (see time(5))
auth-method           (see auth(5))
virus-status          (see antivirus(5))
source-address-mode   (see source-address(5))
transparency          (name-usage obligatory)
    Transparency mode.
    non-transparent, transparent
user-auth-spec        (name-usage obligatory)
    Firewall user authentication mode.
    none    No user authentication is presented or required.
    name    Authorized users can be specified in the configuration.
doctype-ident-method  (name-usage obligatory)
    Methods for document type recognition.
    content-type    MIME type defined in the Content-Type header is used.
    extension       Type is derived from the URI/filename suffix.
    magic           Type is recognized according to the real content.
header-op             (name-usage obligatory)
    Header modification operation.
    delete     Header(s) will be removed.
    add        New header will be added. If the header is not repeatable, the old occurrence will be removed.
    replace    Header(s) will be removed and a new one will be added.
Configuration of the acl library component consists of the following prototypes:

    * user ... ;
    plug-to ... ;
    hand-off ... ;
    * doctype-ident-order ... ;
    * acl name { ... }
    * acl-1 name { ... }
    * acl-2 name { ... }
    * acl-3 name { ... }
user none;
user [name] [name [group group]];
    User and group specification.
    (type: user-auth-spec, optional, default: name)
    name (type: str-set, optional, default: *)
        User name (authenticated on firewall).
    group group (type: str-set, optional, default: *)
        List of groups; if present, both NAME and GROUP must match.
plug-to addr;
    Final destination server.
    addr (type: sock)
        Address/port of the final destination server.
        If port is zero, then the original port is used.
hand-off addr;
    Next-hop proxy.
    addr (type: sock)

doctype-ident-order [for for] order;
    Order of document type recognition methods.
    This item defines the order in which the different document type recognition methods are used. The item can be defined at several places: globally for the proxy and in some ACLs. The most specific occurrence is used; if no specification is found, just the CONTENT-TYPE method is used.
    for for (type: direction-set, optional, default: *)
        Document transfer direction set.
        This element defines the directions for which the order is specified by this item.
        For some proxies, both directions can be used, while for others either direction is not applicable; consult the proxy man page.
    order (type: doctype-ident-method-list)
        Methods are used in the given order unless the type is recognized.
        For some proxies, some methods are not applicable; consult the proxy man page.
        Only 3 methods can be specified.
acl name {
    * from ... ;
    * to ... ;
    * server ... ;
    * user ... ;
    * time ... ;
    time-period-set { ... }
    * parent-acl ... ;
    deny ... ;
    accept ... ;
    * doctype-ident-order ... ;
    rule ... ;
}
    Access Control List.
    General form of specification of firewall service limitations. In each proxy configuration, this general model is adapted and renamed, even more than once if the proxy needs a different approach for different phases of its work. For this purpose, the more precise prototypes ACL-1 and ACL-2 are derived from this general prototype.
    In general, an ACL consists of several categories of limitations (or entry conditions) controlling which connections or operations will be handled according to the particular ACL. Then, the ACL defines whether the connections or operations being handled by this ACL will be accepted or denied by the proxy (items ACCEPT and DENY). Finally, the ACL defines details of protocol behavior.
    This prototype defines the basic entry conditions applicable to most proxies. Each proxy can exclude some features from this general concept and add several proxy-specific limitations; see the proxy configuration man page to check these changes.
    General entry conditions:
        FROM (connection/request source IP address/name)
        TO (connection/request destination IP address/name)
        SERVER (logical target server's IP address/name)
        USER (proxy-authenticated user name)
        TIME or TIME-PERIOD-SET (actual time)
        PARENT-ACL (name of acl used in previous phase)
    Each category can be used more than once in one ACL; then its occurrences are checked in disjunction (OR). If omitted, the category is not checked in the particular ACL.
    Different categories are checked in conjunction (AND).
    Exactly one of DENY and ACCEPT must be specified.
    TIME and TIME-PERIOD-SET are mutually exclusive.
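The matching semantics above (OR between repeated items of one category, AND across categories, omitted categories not checked, exactly one of ACCEPT/DENY), modelled in Python as an added example that is not Kernun code. It assumes host sets written as CIDR strings, a `time` item given as a dict of (lo, hi) ranges, and that the first matching ACL in list order decides.

```python
import ipaddress
from datetime import datetime

def host_matches(host_set, addr):
    """host-set modelled as IP addresses/networks in CIDR form; '*' matches any."""
    ip = ipaddress.ip_address(addr)
    return any(s == "*" or ip in ipaddress.ip_network(s, strict=False) for s in host_set)

def time_matches(spec, when):
    """time item: dict with optional day/month/wday/hhmm keys, each a list of (lo, hi)."""
    wday = (when.weekday() + 1) % 7          # page uses Sun=0..Sat=6; Python uses Mon=0
    actual = {"day": when.day, "month": when.month, "wday": wday,
              "hhmm": when.hour * 100 + when.minute}
    return all(any(lo <= actual[k] <= hi for lo, hi in ranges)
               for k, ranges in spec.items())

class Acl:
    """One acl: each category holds the values of its repeated items; accept=False means deny."""
    def __init__(self, name, *, accept, from_=(), user=(), time=(), parent_acl=()):
        self.name, self.accept = name, accept
        self.categories = {
            "from": (list(from_), lambda v, r: host_matches(v, r["src"])),
            "user": (list(user), lambda v, r: "*" in v or r.get("user") in v),
            "time": (list(time), lambda v, r: time_matches(v, r["time"])),
            "parent-acl": (list(parent_acl), lambda v, r: r.get("parent_acl") in v),
        }

    def matches(self, req):
        for entries, check in self.categories.values():
            # OR between the items of one category; an empty category is not checked
            if entries and not any(check(v, req) for v in entries):
                return False         # AND across categories
        return True

def evaluate(acls, req):
    """Assumption: the first matching ACL decides. Returns (name, 'accept'|'deny') or None."""
    for acl in acls:
        if acl.matches(req):
            return acl.name, "accept" if acl.accept else "deny"
    return None

def decide(acls, src, user, y, mo, d, hh, mm):
    """Convenience wrapper: build the request dict and evaluate it."""
    return evaluate(acls, {"src": src, "user": user, "time": datetime(y, mo, d, hh, mm)})

# Constructed sample: the guest VLAN is denied; office users are accepted on working
# days 08:00-18:00 OR at weekend noon (two time items in one ACL -> disjunction).
SAMPLE_ACLS = [
    Acl("block-guests", accept=False, from_=[["10.0.5.0/24"]], user=[["guest"]]),
    Acl("office", accept=True, from_=[["10.0.0.0/16"]],
        time=[{"wday": [(1, 5)], "hhmm": [(800, 1800)]},
              {"wday": [(0, 0), (6, 6)], "hhmm": [(1200, 1400)]}]),
]
```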
from addr;
    Entry condition - client (source) address.
    addr (type: host-set)
        Set of client IP addresses or hostnames.
        Regexps are not allowed in the host set.
to mode destinations [port port];
    Entry condition - physical destination address.
    This item is used to match the TCP connection or UDP request destination address. In the transparent case, this is the actual server targeted by the client, while otherwise this is the address and port at the firewall where the particular proxy is bound.
    mode (type: transparency)
        Select the mode allowed for connections/requests.
    destinations (type: host-set)
        Set of destination addresses/names.
        In the transparent case, the destination is equal to the target server. In the non-transparent case, the destination is equal to the proxy address/port.
    port port (type: port-set, optional, default: *)
        Set of destination service names/port numbers.
        Regexps are not allowed in the host set.
server [addr [port port]];
    Entry condition - logical target server.
    This item is used to match the logical target of the service requested by the client. In the transparent case, it should be equal to the physical destination server. However, in many proxies the server address or name is known to the proxy only when it recognizes an initial protocol command sequence.
    addr (type: host-set, optional, default: *)
        Set of logical target IP addresses or hostnames.
    port port (type: port-set, optional, default: *)
        Set of logical target service names/port numbers.
user none;
user [name] [name [group group]];
    Entry condition - proxy-user name.
    (type: user-auth-spec, optional, default: name)
    name (type: str-set, optional, default: *)
        User name (authenticated on firewall).
    group group (type: str-set, optional, default: *)
        List of groups; if present, both NAME and GROUP must match.
time [day day] [month month] [wday [hhmm]];
    Entry condition - date/time.
    day day (type: uint8-set, optional, default: *)
        Day of month (1 - 31).
    month month (type: month-set, optional, default: *)
        Month (Jan - Dec or 1 - 12).
    wday (type: week-day-set, optional, default: *)
        Week-day (Sun - Sat or 0 - 6).
    hhmm (type: time-set, optional, default: *)
        Time (in the form hhmm).
time-period-set {
    exclude ... ;
    * time-spec name { ... }
}
    Entry condition - date/time.
    The time-period-set section is derived from the time-period-set section prototype.
    For a detailed description of it, see time(5).
parent-acl name;
    Entry condition - parent ACL name.
    This item is used only for proxies with a multi-phase ACL; the name of this item is changed to the real name of the previous-phase ACL. See the proxy man page for details.
    name (type: str-set)
        Name of the ACL used in the previous phase.
deny;
    This item is obligatory if the particular ACL is to deny connections or operations satisfying the entry conditions. Specific proxy ACLs derived from this prototype add some details of the denial procedure depending on the protocol.

accept;
    This item is obligatory if the particular ACL is to accept connections or operations satisfying the entry conditions. Specific proxy ACLs derived from this prototype add some details of further behavior depending on the protocol.
doctype-ident-order [for for] order;
    Order of document type recognition methods.
    This item defines the order in which the different document type recognition methods are used. The item can be defined at several places: globally for the proxy and in some ACLs. The most specific occurrence is used; if no specification is found, just the CONTENT-TYPE method is used.
    for for (type: direction-set, optional, default: *)
        Document transfer direction set.
        This element defines the directions for which the order is specified by this item.
        For some proxies, both directions can be used, while for others either direction is not applicable; consult the proxy man page.
    order (type: doctype-ident-method-list)
        Methods are used in the given order unless the type is recognized.
        For some proxies, some methods are not applicable; consult the proxy man page.
        Only 3 methods can be specified.
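The resolution of the effective DOCTYPE-IDENT-ORDER (ACL item before the proxy-global one, CONTENT-TYPE alone as the default, at most 3 methods) and the in-order application of the methods until one recognizes the type, as an added Python example that is not Kernun code. The direction names, the extension table and the magic signatures are constructed for the example.

```python
CONTENT_TYPE, EXTENSION, MAGIC = "content-type", "extension", "magic"

# Constructed lookup tables for the EXTENSION and MAGIC methods (not Kernun's own).
EXT_TYPES = {"html": "text/html", "pdf": "application/pdf", "png": "image/png",
             "js": "text/javascript"}
MAGIC_SIGS = [(b"%PDF-", "application/pdf"), (b"\x89PNG\r\n\x1a\n", "image/png"),
              (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif")]

def effective_order(global_items, acl_items, direction):
    """Pick the most specific doctype-ident-order item for one transfer direction.
    Each list holds (direction-set, order) pairs as written in the configuration; the
    ACL's items win over the proxy-global ones, and with no match only CONTENT-TYPE is used."""
    for items in (acl_items, global_items):
        for dirs, order in items:
            if "*" in dirs or direction in dirs:
                if len(order) > 3:
                    raise ValueError("only 3 methods can be specified")
                return list(order)
    return [CONTENT_TYPE]

def identify(order, headers, uri, body):
    """Run the methods in the given order and stop at the first that recognizes a type.
    headers: dict with lower-case names (assumption). Returns (mime type, method) or (None, None)."""
    for method in order:
        if method == CONTENT_TYPE:
            ct = headers.get("content-type")
            if ct:
                return ct.split(";", 1)[0].strip().lower(), method
        elif method == EXTENSION:
            # suffix of the last path component, query string ignored
            name = uri.split("?", 1)[0].rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
            if ext in EXT_TYPES:
                return EXT_TYPES[ext], method
        elif method == MAGIC:
            for sig, mime in MAGIC_SIGS:
                if body.startswith(sig):
                    return mime, method
        else:
            raise ValueError(f"unknown doctype-ident-method {method!r}")
    return None, None
```

With MAGIC first, a document labelled text/plain whose body starts with %PDF- is reported as application/pdf, which is the situation FORCE-DOCTYPE-IDENT is meant to correct in the Content-Type header.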
rule rule;
    The identifier of the high-level rule which is implemented by this acl.
    rule (type: str)
        The rule identifier.

[End of section acl description.]
acl-1 name {
    * from ... ;
    * to ... ;
    * user ... ;
    * time ... ;
    time-period-set { ... }
    deny ... ;
    accept ... ;
    * doctype-ident-order ... ;
    rule ... ;
    auth ... ;
    idle-timeout ... ;
    idle-timeout-peer ... ;
    source-address ... ;
    plug-to ... ;
}
    Access Control List, Phase 1.
    This prototype is derived from the general ACL by excluding some attributes not used in the initial phase of proxy operation. Besides, several general phase 1 features are added:
        AUTH (authentication mode used)
        IDLE-TIMEOUT (forcing of session idle-timeout)
        SOURCE-ADDRESS (forcing of source address towards server)
        PLUG-TO (forcing of destination server)
    The acl-1 section is derived from the acl section prototype.
    For a detailed description of it, see above.
    acl-1 section:
        Item server is not valid.
        Item parent-acl is not valid.
        DENY and AUTH are mutually exclusive.
        DENY and IDLE-TIMEOUT are mutually exclusive.
        DENY and SOURCE-ADDRESS are mutually exclusive.
        DENY and PLUG-TO are mutually exclusive.
auth none;
auth passwd file;
auth radius client;
auth ldap ldap;
auth ext file;
auth oob oob [mode [loose]];
    Authentication method and attributes specification.
    For more details, see auth(7).
    (type: auth-method)
    file (type: str)
        Password/utility file name.
    client (type: name of radius-client, see radius(5))
        RADIUS client configuration name.
    ldap (type: name of ldap-client-auth, see ldap(5))
        LDAP client configuration parameters.
    oob (type: name of oob-auth, see auth(5))
        OOB authentication parameters.
    mode (type: obligation, optional, default: required)
    loose (type: key, optional)

idle-timeout [seconds];
    Session inactivity timeout.
    If no data is transmitted for this session in the period of idle-timeout seconds, the connection is closed.
    If omitted, the value of proxy.idle-timeout is used.
    seconds (type: uint31, optional, default: 0)
        Timeout for datagrams in any direction (any packet resets the timer); zero means unlimited.
idle-timeout-peer [client [server]];
    Peer inactivity timeout.
    If no data is transmitted by a peer in the period of idle-timeout seconds, the connection is closed.
    If omitted, the inactivity is controlled by the idle-timeout item.
    client (type: uint31, optional, default: 0)
        Timeout for datagrams from client to server (in seconds, zero means unlimited).
    server (type: uint31, optional, default: 0)
        Timeout for datagrams from server to client (in seconds, zero means unlimited).
source-address [client] [addr4 addr4] [addr6 addr6] cluster [cluster];
source-address [client] [addr4 addr4] [addr6 addr6] [physical];
source-address [client] [addr4 addr4] [addr6 addr6] no-fallback;
    Source address for outgoing connections to servers.
    If omitted, the proper address of the proxy will be used, i.e. in the case of a cluster, the cluster address will be used.
    If not specified by the SOURCE-PORT item, a generic port will be used.
    The elements entered within this item are tried by the proxy in order until the first applicable one is found:
    - The CLIENT keyword means the original client IP address is used. This mode will be successful in all cases except a mismatch of IP address families.
    - The ADDR4/ADDR6 keyword-value pairs mean that the specified address is used for a connection of the corresponding address family.
    - The CLUSTER keyword means that one of the cluster addresses will be used. By default, the main address of the bridge is used; however, any preferred alias address can be listed in the cluster list.
    - The PHYSICAL option means that the address of the physical interface is used instead of the cluster one.
    - The DEFAULT option means the default behavior, i.e. using the physical address.
    - The NO-FALLBACK option means that if no other way of setting the address is acceptable, the session is rejected. Without this option, the system tries to find a suitable source IP address automatically.
    client (type: key, optional)
    addr4 addr4 (type: host, optional, default: [0.0.0.0])
    addr6 addr6 (type: host, optional, default: [::])
    (type: source-address-mode, optional, default: physical)
    cluster (type: host-list, optional, default: {})
        Address family must respect the element's address family.
plug-to addr;
    Final destination server.
    addr (type: sock)
        Address/port of the final destination server.
        If port is zero, then the original port is used.

[End of section acl-1 description.]
acl-2 name {
    * from ... ;
    * server ... ;
    * user ... ;
    * time ... ;
    time-period-set { ... }
    * parent-acl ... ;
    deny ... ;
    accept ... ;
    * doctype-ident-order ... ;
    rule ... ;
}
    Access Control List, Phase 2.
    This prototype is derived from the general ACL by excluding some attributes not used for proxy command control.
    The acl-2 section is derived from the acl section prototype.
    For a detailed description of it, see above.
    acl-2 section:
        Item to is not valid.
acl-3 name {
    * from ... ;
    * server ... ;
    * user ... ;
    * time ... ;
    time-period-set { ... }
    * parent-acl ... ;
    deny ... ;
    accept ... ;
    rule ... ;
    direction ... ;
    * size ... ;
    * content-type ... ;
    * mime-type ... ;
    virus-status ... ;
    * modify-header ... ;
    force-doctype-ident ... ;
    replace ... ;
    html-filter ... ;
}
    Access Control List, Phase 3.
    This prototype is derived from the general ACL by excluding some attributes not used in the document-processing phase of proxy operation. Besides, several general phase 3 features are added:
        DIRECTION (entry condition - document transfer direction)
        SIZE (entry condition - document size)
        MIME-TYPE (entry condition - document type)
        VIRUS-STATUS (entry condition - antivirus check result)
        REPLACE (accepting action - replacing document by file)
        HTML-FILTER (accepting action - filtering document)
    The acl-3 section is derived from the acl section prototype.
    For a detailed description of it, see above.
    acl-3 section:
        Item to is not valid.
        Item doctype-ident-order is not valid.
        Filtration items (REPLACE, HTML-FILTER, FORCE-DOCTYPE-IDENT) are not allowed if DENY is on.
        Items HTML-FILTER/FORCE-DOCTYPE-IDENT and REPLACE are mutually exclusive.
direction [dir];
    Entry condition - document transfer direction.
    dir (type: direction-set, optional, default: *)

size unknown;
size lt limit;
size le limit;
size eq limit;
size ne limit;
size gt limit;
size ge limit;
size in lower upper;
size ni lower upper;
    Entry condition - document size.
    (type: range-op)
    limit (type: uint64)
        Tested value limitation.
    lower (type: uint64)
        Tested value lower bound.
    upper (type: uint64)
        Tested value upper bound.
        Value UNKNOWN is not allowed.
content-type type;
    Entry condition - original Content-Type.
    type (type: str-set)
        Set of type/subtype string definitions.
        If a regexp is part of the set, then this regexp is checked to match the type/subtype specification. Beware of escaping the slash, if present (write /...\/.../).
        If a string is part of the set, then it must contain at most one slash. If the slash is not present, the string is compared with the document type only (not the subtype). If the slash is present, then the pattern is checked to match the type/subtype specification.

mime-type type;
    Entry condition - recognized MIME type.
    type (type: str-set)
        Set of type/subtype string definitions.
        If a regexp is part of the set, then this regexp is checked to match the type/subtype specification. Beware of escaping the slash, if present (write /...\/.../).
        If a string is part of the set, then it must contain at most one slash. If the slash is not present, the string is compared with the document type only (not the subtype). If the slash is present, then the pattern is checked to match the type/subtype specification.
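The str-set matching rule shared by CONTENT-TYPE and MIME-TYPE (regexp elements written /.../ with an escaped slash, plain strings with a slash compared against type/subtype, without a slash against the type only), as an added Python example that is not Kernun's implementation. It assumes that Content-Type parameters after ';' are ignored and that the comparison is case-insensitive.

```python
import re

def _strip_params(content_type):
    # Assumption: parameters such as "; charset=utf-8" are not part of type/subtype,
    # and MIME types are compared case-insensitively.
    return content_type.split(";", 1)[0].strip().lower()

def _is_regexp(elem):
    # A str-set element written /.../ is a regexp; anything else is a plain string.
    return len(elem) >= 2 and elem.startswith("/") and elem.endswith("/")

def content_type_matches(str_set, content_type):
    """True if the document's type/subtype matches any element of the str-set."""
    doc = _strip_params(content_type)
    major = doc.split("/", 1)[0]
    for elem in str_set:
        if _is_regexp(elem):
            # the slash inside a regexp is written \/ ; unescape it before compiling
            pattern = elem[1:-1].replace(r"\/", "/")
            if re.search(pattern, doc):
                return True
        elif elem.count("/") > 1:
            raise ValueError(f"str-set element {elem!r} must contain at most one slash")
        elif "/" in elem:
            if elem.lower() == doc:          # full type/subtype comparison
                return True
        elif elem.lower() == major:          # no slash: compare with the type only
            return True
    return False
```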
virus-status [status];
    Entry condition - virus detection status.
    status (type: virus-status-set, optional, default: *)

modify-header delete names;
modify-header add name text;
modify-header replace name text;
    Document headers modified.
    (type: header-op)
        Action to be done with the header(s).
    names (type: str-set)
        Names of headers to be deleted.
    name (type: str)
        Name of header(s) to be modified or added.
    text (type: str)
        New header text.
        Header modification text must comply with RFC.
force-doctype-ident [apply];
    Change the Content-Type header to the recognized one.
    This item forces a change of the original Content-Type header in the document to the new one recognized by means of the DOCTYPE-IDENTIFICATION tool.
    apply (type: str-set, optional, default: *)
        Set of original Content-Type values that will be changed by this item. Values NOT MATCHING this set will be preserved.
replace filename [mime-type];
    Document is removed and replaced by new text.
    filename (type: name of shared-file, see common(5))
        Replacement file.
    mime-type (type: str, optional, default: "text/plain")
        Document Content-Type.
        MIME type of the replacement must comply with RFC.

html-filter htmlf;
    Document is filtered.
    htmlf (type: name of html-filter, see mod-html-filter(5))

[End of section acl-3 description.]