common

common
Prev	Kernun UTM Reference (5)	Next

Name

common — format of common component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the common component configuration.

Repeatable sections/items are marked by the '*' before section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.

The following enumerations are used in common configuration directives:

enabling (name-usage obligatory)

General Enabling/Disabling Enumeration.

disable, enable

yes-no (name-usage obligatory)

General Yes/No Enumeration

no, yes

language (name-usage obligatory)

National Language Support - Language Setting.

EN: English
CZ: Czech (UTF-8)

nls (name-usage obligatory)

National Language Support - Language and Charset.

EN: English
CZ: Czech (default charset)
CZ-ASCII: Czech, without diacritics
CZ-ISO-8859-2: Czech, ISO-Latin-2
CZ-WINDOWS-1250: Czech, Windows-1250

on-off (name-usage optional)

Features switching on/off.

off (0), on (1)

genesis (name-usage obligatory)

General Genesis (Static/Dynamic) Enumeration.

static, dynamic

permission (name-usage obligatory)

Permission/Denial Methods.

permit: particular option is permitted
deny: particular option is rejected but ignored
abort: particular option is rejected and session is aborted

max-setting (name-usage obligatory)

Ways to Set Maximum.

max: particular limitation will be set, values have maximum
any: particular limitation will be ignored, any value is valid

direction (name-usage obligatory)

General Traffic Direction Enumeration.

download: Transfer from server to client.
upload: Transfer from client to server.

name-selection (name-usage obligatory)

Methods to select object.

any: Setting of particular object is not required, anyone is correct.
name: Setting of object by its name in configuration.

destination (name-usage obligatory)

Destination (remote peers or nets).

host, net, default

ip-version (name-usage optional)

IP version.

ipv4 (4), ipv6 (6)

address-family (name-usage obligatory)

Socket Address Family.

inet, inet6, unix

osi4-proto (name-usage obligatory)

Transport Layer Protocol.

default, tcp, udp, tcp-udp

in-out (name-usage obligatory)

Interface inbound/outbound Direction.

in, out, both

report-mode (name-usage optional)

Process stdout/stderr control.

nothing (0), out (1), err (2), all (3)

periodicity (name-usage obligatory)

Time period types.

daily, weekly, monthly

time-cond (name-usage obligatory)

Time condition types.

anytime: No condition on time applied
daily, weekly, monthly

zip-mode (name-usage obligatory)

Logfile zipping mode.

plain, gzip, bzip2

obligation (name-usage obligatory)

Modes of special features usage.

This enumeration is used when some feature (like authentication, SSL etc.) can be required or only allowed by admin's decision.

required: Feature is mandatory
allowed: Feature is optional

range-op (name-usage obligatory)

Range Comparison Operator.

unknown: Tested value is not known.
lt: Tested value is lower than the configuration limit.
le: Tested value is lower than or equal to the configuration limit.
eq: Tested value is equal to the configuration limit.
ne: Tested value is not equal to the configuration limit.
gt: Tested value is greater than the configuration limit.
ge: Tested value is greater than or equal to the configuration limit.
in: Tested value is in between the configuration limits (borders OK).
ni: Tested value is not in between the configuration limits (borders OK).

inline-file-format (name-usage obligatory)

In-line File Formats.

text: Regular text, lines will be trimmed and quoted.
raw: Raw text, lines are only quoted, no comments allowed.
native: Native CML values, lines are used as-is.
ip-addr: IP addresses with or without mask, but without brackets.
regexp: Regular expressions without slashes

yes-no-always (name-usage obligatory)

Yes/No Enumeration with Always option.

Represents a YES-NO value that is tied to a certain condition, usually to a component or function being configured.

no: Always NO, even when the condition is true
yes: YES when the condition is true, NO when the condition is false
always: Always YES, even when the condition is false

task-frequency (name-usage obligatory)

Task frequency

daily: Run the task once a day.
hourly: Run the task once an hour.
every: Run the task every PERIOD minutes.
raw: Raw crontab period specification.
manually: No automatically scheduled refresh.

ITEMS AND SECTIONS

Configuration of common library component consists of following prototypes:

  admin ... ;
  ipv6-mode ... ;
  phase ... ;
* cfg-tag ... ;
* range-cond ... ;
* set-var ... ;
* mime-type-check ... ;
* shared-file name { ... }
* shared-dir name { ... }
  rotate-file ... ;
  cron-schedule ... ;

Description:

admin system [contact];

Firewall administrator and contact e-mail addresses.

system (type: str): The technical administrator(s) of the system; an address or set of comma separated adresses of persons responsible for system maintenance.
contact (type: str, optional, default: <NULL>): The policy administator; an address of person responsible for system configuration. If not defined, the technical administration is used instead.
Constraints:: Administrator contact must comply with RFC.

ipv6-mode [status];

Enabling/Disabling IPv6 Mode.

status (type: enabling, optional, default: enable)

phase [number];

Application Startup Phase.

number (type: uint8, optional, default: 50): Phase number; the lower one, the earlier start.

cfg-tag value;

Configuration factorization tag.

This feature allows admin to create groups of Kernun applications (specially proxies and servers) according to various aspects (belonging to one customer, applications of particular network traffic etc.).

Each application can have several tag attributes and the KAT tool can run some commands (like 'ps', 'start' atc.) for applications with or without given tag.

value (type: str)
Constraints:: Tag must contain letters, digits, hyphens and dots, only.

range-cond unknown;

range-cond lt limit;

range-cond le limit;

range-cond eq limit;

range-cond ne limit;

range-cond gt limit;

range-cond ge limit;

range-cond in lower upper;

range-cond ni lower upper;

Range Testing Condition.

<branching element> (type: range-op)
limit (type: uint64): Tested value limitation.
lower (type: uint64): Tested value lower bound.
upper (type: uint64): Tested value upper bound.

set-var name value;

Shell-like variable setting.

name (type: str): Variable name.
value (type: str): Variable value.
Constraints:: Variable name must contain alphanumeric chars only.

mime-type-check type;

Document MIME Type and Subtype Testing Checking.

type (type: str-set)

Set of type/subtype string definition.

If a regexp is part of the set, then this regexp is checked to match with type/subtype specification. Beware of escaping the slash, if present (write /...\/.../).

If a string is part of the set, then it must contain at most one slash. If the slash is not present, string is compared with document type only (not the subtype). If the slash is present, then pattern is checked to match with type/subtype specification.

shared-file name {

  path ... ;
  format ... ;
}

Shared file definition.

Constraints:

Pathname must be specified.

Items & subsections:

path name;

Path specification.

This path is valid in the environment, where applied:

within CML it means path on the filesystem where run; if relative, it is related to the configuration directory
within firewall configuration files it means path on the firewall (cannot be relative).

Thus, value of this item can differ between source CML file and target CFG files and CML command /GENERATE copies these files into destination SYSTEM-* tree.

name (type: str): Path to the file.

format [type];

Inline file format.

If the shared file is used as inline file ("< NAME" in list) this item defines line modifications.

type (type: inline-file-format, optional, default: text)

[End of section shared-file description.]

shared-dir name {

path ... ;
}

Shared directory definition.

Constraints:

Pathname must be specified.

Items & subsections:

path name;

Path specification.

This path is valid in the environment, where applied:

within CML it means path on the filesystem where run; if relative, it is related to the configuration directory
within firewall configuration files it means path on the firewall (cannot be relative).

Thus, value of this item can differ between source CML file and target CFG files and CML command /GENERATE copies these directories into destination SYSTEM-* tree.

name (type: str): Path to the directory.

[End of section shared-dir description.]

rotate-file [user user] [group group] [mode mode] [count count] [size size] [when [zip]];

Log file rotation description.

Use the SIZE elem if log file size criterion required. Use the WHEN elem if periodical rotation required. If used both SIZE and WHEN elems, the log file is rotated at a proper time only if size limit is reached.

user user (type: str, optional, default: <NULL>): Log file owner - user.
group group (type: str, optional, default: "wheel"): Log file owner - group.
mode mode (type: uint16, optional, default: 640): Log file permissions.
count count (type: uint16, optional, default: 31): Number of days being archived.
size size (type: uint16, optional, default: 0): Size limit for rotation in KB (ignore log file size if omitted).
when (type: time-cond, optional, default: anytime): Rotation periodicity (use SIZE condition if omitted).
zip (type: zip-mode, optional, default: bzip2): Zipping mode.
Constraints:: Use either size criterion or defined periodicity.

cron-schedule daily [time time] [report report];

cron-schedule hourly [minute minute] [report report];

cron-schedule [every] [period period] [at at] [report report];

cron-schedule raw raw raw [report report];

cron-schedule manually;

Parameters for scheduling a cron task.

<branching element> (type: task-frequency, optional, default: every)
raw raw (type: str): Raw line to be placed into crontab. First 5 columns (the time specification) must be specified.
minute minute (type: time, optional, default: 0): Starting time of task (mm, hour ignored).
time time (type: time, optional, default: 415): Starting time of task (hhmm).
period period (type: uint8, optional, default: 15): Run the task every PERIOD minutes (mm, hours ignored).
at at (type: uint8, optional, default: 0): Starting time of task (mm, hours ignored)
report report (type: report-mode, optional, default: nothing=0): Task output (stdout and stderr) delivery.

Prev	Up	Next
clear-web-db	Home	cwcatd.cfg

Name

DESCRIPTION

TYPES

ITEMS AND SECTIONS

SEE ALSO