NAME

listen-on — format of listen-on component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the listen-on component configuration.

Repeatable sections/items are marked by a '*' before the section/item name.

TYPES

Configuration directives have attributes of several value-types. For a description of the basic types, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, the use of names is obligatory.

The following enumerations are used in listen-on configuration directives:

ip-version (see common(5))

osi4-proto (see common(5))

listen-on-sock (name-usage obligatory)

address

Listening socket defined by IP address.

iface

Listening socket defined by INTERFACE section.

ITEMS AND SECTIONS

Configuration of the listen-on library component consists of the following prototypes:


  listen-on { ... }

Description:

  listen-on {
    * non-transparent ... ;
    * transparent ... ;
  }

Addresses to listen on (both for transparent and non-transparent traffic).

Items & subsections:

non-transparent [address] addr [version version] port port [to to] [proto proto];

non-transparent iface iface [alias alias] [version version] port port [to to] [proto proto];

Sockets to bind for non-transparent connections.

A socket can be defined by an IP address. In this case, however, the proxy cannot be started if the interface is not ready at the time the proxy starts.

The second way is to specify the interface section name. In this case, the proxy takes the interface address and binds it.

The use of an alias address instead of the interface's main address can be specified by an ALIAS element.

<branching element> (type: listen-on-sock, optional, default: address)

addr (type: host)

Address to be bound

iface (type: name of interface, see interface(5))

Interface to be bound

alias alias (type: str-set, optional, default: {})

Alias names

version version (type: ip-version, optional, default: undefined)

IP version selection

port port (type: port)

Port to be bound (lowest)

to to (type: port, optional, default: 0)

Highest port to be bound

proto proto (type: osi4-proto, optional, default: default)

TCP/UDP selection

Constraints:

Port number must be positive.

The upper port bound must be higher than the lower one.

transparent [address] addr [version version] port port [to to] [proto proto] [server-addr server-addr];

transparent iface iface [version version] port port [to to] [proto proto] [server-addr server-addr];

Sockets to bind for transparent connections.

A socket can be defined by an IP address. In this case, the proxy derives the proper interface name from it to detect traffic that should be processed by the proxy.

The second way is to specify the interface section name directly.

<branching element> (type: listen-on-sock, optional, default: address)

addr (type: host)

Address to be bound

iface (type: name of interface, see interface(5))

Interface to be bound

version version (type: ip-version, optional, default: undefined)

IP version selection

port port (type: port)

Port to be bound (lowest)

to to (type: port, optional, default: 0)

Highest port to be bound

proto proto (type: osi4-proto, optional, default: default)

TCP/UDP selection

server-addr server-addr (type: host, optional, default: [0.0.0.0])

Server's IP address

Constraints:

Port number must be positive.

The upper port bound must be higher than the lower one.

[End of section listen-on description.]
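
An added example, not part of the Kernun documentation: a small Python linter that applies the constraints and the per-form options listed above to a listen-on section. It assumes each named element is written as a keyword followed by its value, as the synopsis lines suggest, and that a `to` of 0 (the default) means no port range; the interface name INT, the alias A and the addresses are constructed.

```python
# Constructed sample; interface name INT, alias name and addresses are made up.
SAMPLE = """listen-on {
  non-transparent [192.0.2.10] port 3128;
  non-transparent iface INT port 8080 to 8089;
  transparent iface INT port 80 to 80;
  transparent address [192.0.2.10] port 0;
  transparent iface INT alias {A} port 8080;
}"""

def parse_item(text):
    """Split one item into a dict, following the synopsis lines on the page."""
    tok = text.split()
    item = {"mode": tok[0], "sock": "address", "to": "0"}  # documented defaults
    i = 1
    if tok[i] in ("address", "iface"):      # branching element (listen-on-sock)
        item["sock"] = tok[i]
        i += 1
    item["target"] = tok[i]                 # addr, or interface section name
    for key, val in zip(tok[i + 1::2], tok[i + 2::2]):
        item[key] = val                     # keyword/value pairs: port, to, ...
    return item

def check(item):
    """Return a list of problems for one parsed item."""
    out = []
    port, to = int(item.get("port", 0)), int(item["to"])
    if port <= 0:
        out.append("port must be positive")
    if to != 0 and to <= port:              # assumption: 0 (default) = no range
        out.append("upper bound must be higher than lower one")
    if "alias" in item and (item["mode"], item["sock"]) != ("non-transparent", "iface"):
        out.append("alias is only accepted by 'non-transparent iface'")
    if "server-addr" in item and item["mode"] != "transparent":
        out.append("server-addr is only accepted by 'transparent'")
    if (item["mode"], item["sock"]) == ("non-transparent", "address"):
        out.append("note: bound by address, interface must be ready at proxy start")
    return out

def lint(config):
    """Map each item of a listen-on section to its list of problems."""
    body = config[config.index("{") + 1:config.rindex("}")]
    return {s.strip(): check(parse_item(s)) for s in body.split(";") if s.strip()}

if __name__ == "__main__":
    for text, problems in lint(SAMPLE).items():
        print(text, "->", problems or "ok")
```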

SEE ALSO

configuration(7), common(5), interface(5)