kernun.cml — format of Kernun configuration file
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the whole Kernun configuration.
Repeatable sections/items are marked by
the '*' before section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.
The following enumerations are used in kernun.cml configuration directives:
yes-no (see common(5))language (see common(5))nls (see common(5))on-off (see common(5))genesis (see common(5))permission (see common(5))direction (see common(5))name-selection (see common(5))destination (see common(5))ip-version (see common(5))osi4-proto (see common(5))in-out (see common(5))report-mode (see common(5))time-cond (see common(5))zip-mode (see common(5))obligation (see common(5))range-op (see common(5))inline-file-format (see common(5))yes-no-always (see common(5))task-frequency (see common(5))week-day (see time(5))month (see time(5))lock-type (see ipc(5))radius-attr (see radius(5))ldap-tls-reqcert-mode (see ldap(5))ldap-search-scope (see ldap(5))ldap-group-match (see ldap(5))auth-method (see auth(5))oob-authentication-method (see auth(5))user-match-mode (see auth(5))bandwidth-mode (see pf-queue(5))pf-sc-setting (see pf-queue(5))antivirus-protocol (see antivirus(5))virus-status (see antivirus(5))database-source (see antivirus(5))source-address-mode (see source-address(5))source-port-mode (see source-address(5))accept-deny (see mod-html-filter(5))transparency (see acl(5))user-auth-spec (see acl(5))doctype-ident-method (see acl(5))header-op (see acl(5))product-type (see license(5))component-group (see license(5))component-type (see license(5))lagg-protocol (see interface(5))listen-on-sock (see listen-on(5))user-type (see system(5))route-flag (see system(5))usb-auto-setup-policy (see system(5))dbglev (see log(5))logfail-mode (see log(5))dns-type (see resolver(5))dns-opcode (see resolver(5))dns-response (see resolver(5))dns-qaction (see resolver(5))dns-raction (see resolver(5))dns-fake (see resolver(5))xfr-mode (see resolver(5))udp-session-type (see udpserver(5))log-in-vain-proto (see sysctl(5))blackhole-proto (see sysctl(5))proc-priority (see application(5))pf-osi4-proto (see packet-filter(5))icmp-type (see packet-filter(5))pf-scheduler (see packet-filter(5))pf-proc-mode (see packet-filter(5))ids-agent-log-level (see adaptive-firewall(5))ids-agent-detection-direction (see adaptive-firewall(5))ids-agent-protocol (see adaptive-firewall(5))ids-agent-rule-action (see adaptive-firewall(5))ids-agent-threshold-type (see adaptive-firewall(5))ids-agent-threshold-track-by (see adaptive-firewall(5))ids-agent-rate-filter-track-by (see adaptive-firewall(5))ids-agent-suppress-direction (see adaptive-firewall(5))policy-level (see adaptive-firewall(5))ids-agent-rules-download-type (see update(5))forward (see nameserver(5))atr-strategy (see atr(5))atr-fallback (see atr(5))pike-control-type (see pike(5))ntp-rest-flag (see ntp(5))ovpn-protocols (see openvpn(5))ovpn-remote-proto (see openvpn(5))ovpn-comp-lzo-mode (see openvpn(5))ovpn-cert-types (see openvpn(5))ovpn-cipher-algs (see openvpn(5))ovpn-redirect-gateway-flags (see openvpn(5))ovpn-dhcp-option (see openvpn(5))ovpn-topology (see openvpn(5))ovpn-local-scope (see openvpn(5))tls-mat-variants (see openvpn(5))ipsec-encryption1 (see ipsec(5))ipsec-encryption2 (see ipsec(5))ipsec-hash1 (see ipsec(5))ipsec-auth2 (see ipsec(5))ipsec-dh-group (see ipsec(5))ipsec-tunnel-sa-mode (see ipsec(5))ipsec-auth-method (see ipsec(5))ipsec-protocol (see ipsec(5))ipsec-remote-mode (see ipsec(5))ipsec-rekey-mode (see ipsec(5))snmpd-disk-mode (see snmpd(5))snmpd-source-mode (see snmpd(5))snmpd-view-type (see snmpd(5))snmpd-security-level (see snmpd(5))snmpd-auth-hash (see snmpd(5))snmpd-encr-alg (see snmpd(5))ssh-key-type (see ssh(5))ssh-proto (see ssh(5))export-import-mode (see router(5))ospf-authentication (see router(5))ospf-area-id-mode (see router(5))ssl-ver (see ssl(5))extension-op (see ssl(5))veri-fail-action (see ssl(5))auth-cert-type (see ssl(5))distrusted-cert-type (see ssl(5))data-match-action (see mod-match(5))dns-name-type (see dns-proxy(5))pass-remove (see ftp-proxy(5))data-type (see ftp-proxy(5))ftp-cmd (see ftp-proxy(5))clear-web-db-category (see clear-web-db(5))clear-web-db-match-mode (see clear-web-db(5))replace-authorization-mode (see http-proxy(5))proxy-via (see http-proxy(5))http-protocol (see http-proxy(5))http-scheme (see http-proxy(5))cookie-table-clean (see http-proxy(5))accept-gzip (see http-proxy(5))content-gzip (see http-proxy(5))http-redirect (see http-proxy(5))kerberos-user-match (see http-proxy(5))ldap-select (see http-proxy(5))auth-headers (see http-proxy(5))sni-result (see http-proxy(5))smtp-error (see mod-mail-doc(5))mail-reaction (see mod-mail-doc(5))mail-fallback (see mod-mail-doc(5))mime-header-check-type (see mod-mail-doc(5))imap4-cmd (see imap4-proxy(5))imap4-capa (see imap4-proxy(5))pop3-cmd (see pop3-proxy(5))pop3-capa (see pop3-proxy(5))peer (see sip-proxy(5))smtp-size-usage (see smtp-proxy(5))ssl-startup-mode (see smtp-proxy(5))postfix-security-level (see smtp-proxy(5))postfix-transport-map-mode (see smtp-proxy(5))smtp-err-switch (see smtp-proxy(5))spf-result (see smtp-proxy(5))spf-modes (see smtp-proxy(5))redirection-mode (see sqlnet-proxy(5))session-protocol (see proxy-ng(5))json-type (see proxy-ng(5))http-version (see proxy-ng(5))Program cml recognizes following items and sections:
* shared-file name { ... }
* shared-dir name { ... }
* system name { ... }
shared-file name {
path ... ;
format ... ;
}
shared-file section is derived from
shared-file section prototype.
For detail description of it, see common(5).
shared-dir name {
path ... ;
}
shared-dir section is derived from
shared-dir section prototype.
For detail description of it, see common(5).
system name {
product ... ;
admin ... ;
hostname ... ;
domain ... ;
kernun-root ... ;
usb-auto-setup ... ;
apply-host ... ;
config-sync ... ;
users { ... }
sysctl { ... }
* interface name { ... }
ipv6-router ... ;
ipv6-addrctl { ... }
pikemon { ... }
routes { ... }
rc-conf { ... }
hosts-table { ... }
* rotate-log name { ... }
ntp { ... }
dhcp-server { ... }
dhcp6-server { ... }
crontab { ... }
periodic-conf { ... }
local-mailer { ... }
* ssh-server name { ... }
ssh-keys { ... }
ica-auto ... ;
icamd { ... }
icasd { ... }
watch { ... }
* acl name { ... }
use-services ... ;
use-resolver ... ;
* resolver name { ... }
* nameserver name { ... }
* ns-list name { ... }
* atrmon name { ... }
* pf-queue name { ... }
packet-filter { ... }
adaptive-firewall { ... }
alertd { ... }
bird4 { ... }
bird6 { ... }
rtadvd { ... }
* ssl-params name { ... }
* fake-cert name { ... }
* html-filter name { ... }
* mail-filter name { ... }
* aproxy name { ... }
* radius-client name { ... }
* ldap-client-auth name { ... }
* oob-auth name { ... }
* antivirus name { ... }
* antispam name { ... }
* smtp-forwarder name { ... }
* web-filter name { ... }
clear-web-db { ... }
* openvpn name { ... }
ipsec-global { ... }
* ipsec-remote name { ... }
* ipsec name { ... }
* data-match name { ... }
* ntlm-auth name { ... }
* kerberos-auth name { ... }
cwcatd { ... }
snmpd { ... }
http-cache { ... }
update { ... }
feedback { ... }
stats { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
* tcp-proxy name { ... }
* udp-proxy name { ... }
* dns-proxy name { ... }
* ftp-proxy name { ... }
* gk-proxy name { ... }
* h323-proxy name { ... }
* http-proxy name { ... }
* icap-server name { ... }
* imap4-proxy name { ... }
* pop3-proxy name { ... }
* sip-proxy name { ... }
* smtp-proxy name { ... }
* sqlnet-proxy name { ... }
* proxy-ng name { ... }
proxy-ng-transp-ports ... ;
}
system section is derived from
system section prototype.
For detail description of it, see system(5).
configuration(7), acl(5), adaptive-firewall(5), antivirus(5), application(5), atr(5), auth(5), clear-web-db(5), common(5), dns-proxy(5), ftp-proxy(5), http-proxy(5), imap4-proxy(5), interface(5), ipc(5), ipsec(5), ldap(5), license(5), listen-on(5), log(5), mod-html-filter(5), mod-mail-doc(5), mod-match(5), nameserver(5), ntp(5), openvpn(5), packet-filter(5), pf-queue(5), pike(5), pop3-proxy(5), proxy-ng(5), radius(5), resolver(5), router(5), sip-proxy(5), smtp-proxy(5), snmpd(5), source-address(5), sqlnet-proxy(5), ssh(5), ssl(5), sysctl(5), system(5), time(5), udpserver(5), update(5)