Name

source-address — format of source-address component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the source-address component configuration.

Repeatable sections/items are marked by the '*' before section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.

The following enumerations are used in source-address configuration directives:

source-address-mode (name-usage obligatory)

Source address (for server connection) mode specification.

cluster

Cluster virtual address is used.

physical

Physical interface address is used.

no-fallback

If no source address is acceptable, reject connection.

default

Default address selection.

source-port-mode (name-usage obligatory)

Source port (for server connection) mode specification.

client

Source port of the client is used.

force

Source port is forced by configuration.

ITEMS AND SECTIONS

Configuration of source-address library component consists of following prototypes:


  source-address ... ;
  source-port ... ;
    

Description:

source-address [client] [addr4 addr4] [addr6 addr6] cluster [cluster];

source-address [client] [addr4 addr4] [addr6 addr6] [physical];

source-address [client] [addr4 addr4] [addr6 addr6] no-fallback;

Source address for outgoing connections to servers.

If omitted, the proper address of the proxy will be used, i.e. in the case of a cluster, the cluster address will be used.

If not specified by the SOURCE-PORT item, a generic port will be used.

The elements entered within this item will be used by the proxy until the first of them is applicable:

- The CLIENT keyword means the original client IP address is used. This mode will be succesful in all cases except mismatch of IP address families.

- The ADDR4/ADDR6 keyword-value pairs mean that the specified address is used for a connection of corresponding address family.

- The CLUSTER keyword means that one of cluster addresses will be used. By default, the main address of the bridge is used, however, any preferred alias address can be listed in the cluster list.- The PHYSICAL option means that the address of the physical interface is used instead of the cluster one.

- The DEFAULT option means the default behavior - i.e. using of the physical address.

- The NO-FALLBACK option means that if no other way of setting the address is acceptable, the session is rejected. Without this option, the system tries to find a suitable source IP address automatically.

client (type: key, optional)

addr4 addr4 (type: host, optional, default: [0.0.0.0])

addr6 addr6 (type: host, optional, default: [::])

<branching element> (type: source-address-mode, optional, default: physical)

cluster (type: host-list, optional, default: {})

Constraints:

Address family must respect the element's address family..

source-port client;

source-port [force] port;

Source port for outgoing connections to server.

Can be used only with SOURCE-ADDRESS CLIENT.

If omitted, generic port will be used.

<branching element> (type: source-port-mode, optional, default: force)

port (type: port)

Use specified port.

SEE ALSO

configuration(7)