Name

system — format of system component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the system component configuration.

Repeatable sections/items are marked by a '*' before the section/item name.

TYPES

Configuration directives have attributes of several value types. For a description of the basic types, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case, the enumeration description lists the value for every name (in parentheses next to the name). For other enumerations, the names must be used.

The following enumerations are used in system configuration directives:

enabling (see common(5))

yes-no (see common(5))

language (see common(5))

nls (see common(5))

on-off (see common(5))

genesis (see common(5))

permission (see common(5))

direction (see common(5))

name-selection (see common(5))

destination (see common(5))

ip-version (see common(5))

osi4-proto (see common(5))

in-out (see common(5))

report-mode (see common(5))

time-cond (see common(5))

zip-mode (see common(5))

obligation (see common(5))

range-op (see common(5))

yes-no-always (see common(5))

task-frequency (see common(5))

week-day (see time(5))

month (see time(5))

lock-type (see ipc(5))

radius-attr (see radius(5))

ldap-tls-reqcert-mode (see ldap(5))

ldap-search-scope (see ldap(5))

ldap-group-match (see ldap(5))

auth-method (see auth(5))

oob-authentication-method (see auth(5))

user-match-mode (see auth(5))

bandwidth-mode (see pf-queue(5))

pf-sc-setting (see pf-queue(5))

antivirus-protocol (see antivirus(5))

virus-status (see antivirus(5))

database-source (see antivirus(5))

source-address-mode (see source-address(5))

source-port-mode (see source-address(5))

accept-deny (see mod-html-filter(5))

transparency (see acl(5))

user-auth-spec (see acl(5))

doctype-ident-method (see acl(5))

header-op (see acl(5))

product-type (see license(5))

component-group (see license(5))

component-type (see license(5))

lagg-protocol (see interface(5))

listen-on-sock (see listen-on(5))

user-type (name-usage obligatory)

Kernun user type.

admin, audit

route-flag (name-usage obligatory)

Route flags.

cloning, xresolve, iface, static, nostatic

usb-auto-setup-policy (name-usage obligatory)

Automatically apply configuration from attached USB devices.

auto_decide, enable, disable

dbglev (see log(5))

logfail-mode (see log(5))

dns-type (see resolver(5))

dns-opcode (see resolver(5))

dns-response (see resolver(5))

dns-qaction (see resolver(5))

dns-raction (see resolver(5))

dns-fake (see resolver(5))

xfr-mode (see resolver(5))

udp-session-type (see udpserver(5))

log-in-vain-proto (see sysctl(5))

blackhole-proto (see sysctl(5))

proc-priority (see application(5))

pf-osi4-proto (see packet-filter(5))

icmp-type (see packet-filter(5))

pf-scheduler (see packet-filter(5))

pf-proc-mode (see packet-filter(5))

ids-agent-log-level (see adaptive-firewall(5))

ids-agent-detection-direction (see adaptive-firewall(5))

ids-agent-protocol (see adaptive-firewall(5))

ids-agent-rule-action (see adaptive-firewall(5))

ids-agent-threshold-type (see adaptive-firewall(5))

ids-agent-threshold-track-by (see adaptive-firewall(5))

ids-agent-rate-filter-track-by (see adaptive-firewall(5))

ids-agent-suppress-direction (see adaptive-firewall(5))

policy-level (see adaptive-firewall(5))

ids-agent-rules-download-type (see update(5))

forward (see nameserver(5))

atr-strategy (see atr(5))

atr-fallback (see atr(5))

pike-control-type (see pike(5))

ntp-rest-flag (see ntp(5))

ovpn-protocols (see openvpn(5))

ovpn-remote-proto (see openvpn(5))

ovpn-comp-lzo-mode (see openvpn(5))

ovpn-cert-types (see openvpn(5))

ovpn-cipher-algs (see openvpn(5))

ovpn-redirect-gateway-flags (see openvpn(5))

ovpn-dhcp-option (see openvpn(5))

ovpn-topology (see openvpn(5))

ovpn-local-scope (see openvpn(5))

tls-mat-variants (see openvpn(5))

ipsec-encryption1 (see ipsec(5))

ipsec-encryption2 (see ipsec(5))

ipsec-hash1 (see ipsec(5))

ipsec-auth2 (see ipsec(5))

ipsec-dh-group (see ipsec(5))

ipsec-tunnel-sa-mode (see ipsec(5))

ipsec-auth-method (see ipsec(5))

ipsec-protocol (see ipsec(5))

ipsec-remote-mode (see ipsec(5))

ipsec-rekey-mode (see ipsec(5))

snmpd-disk-mode (see snmpd(5))

snmpd-source-mode (see snmpd(5))

snmpd-view-type (see snmpd(5))

snmpd-security-level (see snmpd(5))

snmpd-auth-hash (see snmpd(5))

snmpd-encr-alg (see snmpd(5))

ssh-key-type (see ssh(5))

ssh-proto (see ssh(5))

export-import-mode (see router(5))

ospf-authentication (see router(5))

ospf-area-id-mode (see router(5))

ssl-ver (see ssl(5))

extension-op (see ssl(5))

veri-fail-action (see ssl(5))

auth-cert-type (see ssl(5))

distrusted-cert-type (see ssl(5))

data-match-action (see mod-match(5))

dns-name-type (see dns-proxy(5))

pass-remove (see ftp-proxy(5))

data-type (see ftp-proxy(5))

ftp-cmd (see ftp-proxy(5))

clear-web-db-category (see clear-web-db(5))

clear-web-db-match-mode (see clear-web-db(5))

replace-authorization-mode (see http-proxy(5))

proxy-via (see http-proxy(5))

http-protocol (see http-proxy(5))

http-scheme (see http-proxy(5))

cookie-table-clean (see http-proxy(5))

accept-gzip (see http-proxy(5))

content-gzip (see http-proxy(5))

http-redirect (see http-proxy(5))

kerberos-user-match (see http-proxy(5))

ldap-select (see http-proxy(5))

auth-headers (see http-proxy(5))

sni-result (see http-proxy(5))

smtp-error (see mod-mail-doc(5))

mail-reaction (see mod-mail-doc(5))

mail-fallback (see mod-mail-doc(5))

mime-header-check-type (see mod-mail-doc(5))

imap4-cmd (see imap4-proxy(5))

imap4-capa (see imap4-proxy(5))

pop3-cmd (see pop3-proxy(5))

pop3-capa (see pop3-proxy(5))

peer (see sip-proxy(5))

smtp-size-usage (see smtp-proxy(5))

ssl-startup-mode (see smtp-proxy(5))

postfix-security-level (see smtp-proxy(5))

postfix-transport-map-mode (see smtp-proxy(5))

smtp-err-switch (see smtp-proxy(5))

spf-result (see smtp-proxy(5))

spf-modes (see smtp-proxy(5))

redirection-mode (see sqlnet-proxy(5))

session-protocol (see proxy-ng(5))

json-type (see proxy-ng(5))

http-version (see proxy-ng(5))

ITEMS AND SECTIONS

The configuration of the system library component consists of the following prototypes:

* system name { ... }

Description:

system name {


  product ... ;
  admin ... ;
  hostname ... ;
  domain ... ;
  kernun-root ... ;
  usb-auto-setup ... ;
  apply-host ... ;
  config-sync ... ;
  users { ... }
  sysctl { ... }
* interface name { ... }
  ipv6-router ... ;
  ipv6-addrctl { ... }
  pikemon { ... }
  routes { ... }
  rc-conf { ... }
  hosts-table { ... }
* rotate-log name { ... }
  ntp { ... }
  dhcp-server { ... }
  dhcp6-server { ... }
  crontab { ... }
  periodic-conf { ... }
  local-mailer { ... }
* ssh-server name { ... }
  ssh-keys { ... }
  ica-auto ... ;
  icamd { ... }
  icasd { ... }
  watch { ... }
* acl name { ... }
  use-services ... ;
  use-resolver ... ;
* resolver name { ... }
* nameserver name { ... }
* ns-list name { ... }
* atrmon name { ... }
* pf-queue name { ... }
  packet-filter { ... }
  adaptive-firewall { ... }
  alertd { ... }
  bird4 { ... }
  bird6 { ... }
  rtadvd { ... }
* ssl-params name { ... }
* fake-cert name { ... }
* html-filter name { ... }
* mail-filter name { ... }
* aproxy name { ... }
* radius-client name { ... }
* ldap-client-auth name { ... }
* oob-auth name { ... }
* antivirus name { ... }
* antispam name { ... }
* smtp-forwarder name { ... }
* web-filter name { ... }
  clear-web-db { ... }
* openvpn name { ... }
  ipsec-global { ... }
* ipsec-remote name { ... }
* ipsec name { ... }
* data-match name { ... }
* ntlm-auth name { ... }
* kerberos-auth name { ... }
  cwcatd { ... }
  snmpd { ... }
  http-cache { ... }
  update { ... }
  feedback { ... }
  stats { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
* tcp-proxy name { ... }
* udp-proxy name { ... }
* dns-proxy name { ... }
* ftp-proxy name { ... }
* gk-proxy name { ... }
* h323-proxy name { ... }
* http-proxy name { ... }
* icap-server name { ... }
* imap4-proxy name { ... }
* pop3-proxy name { ... }
* sip-proxy name { ... }
* smtp-proxy name { ... }
* sqlnet-proxy name { ... }
* proxy-ng name { ... }
  proxy-ng-transp-ports ... ;
}

Description of one firewall system.

Constraints:

PRODUCT should be specified.

Some configured components are not licensed.

Hostname must be specified.

Domainname must be specified.

Interfaces must be specified.

Source for /etc/services must be specified.

Name resolver configuration must be specified.

System name resolvers must use standard port.

A DEFAULT router is allowed only if DHCP-CLIENT is not used.

Crontab content must be specified.

All interfaces must use unique device names.

All configured email domains must be handled by some SMTP-FORWARDER.

At most one interface with DHCP-CLIENT allowed.

Cannot non-transparently listen on dynamic interfaces.

Openvpn sections must refer to an interface of type TUN or TAP.

IPSEC sections can refer only to an interface of type GIF or GRE.

Addresses used in OPENVPN section must respect INTERFACE network range.

Address pushing in OPENVPN section must respect INTERFACE type.

Addresses pushing in OPENVPN section must not collide.

For every IPSEC section, an IPSEC-REMOTE section with the proper remote address must exist.

NTLM-AUTH and KERBEROS-AUTH are mutually exclusive.

At most one NTLM-AUTH section allowed.

At most one KERBEROS-AUTH section allowed.

Clear Web database updates should be configured if Clear Web category matching is used.

Data MIME database required by DATA-MATCH with MATCH-DATA-MIME set.

Item ICA-AUTO is mutually exclusive with sections ICASD or ICAMD.

Item ICA-AUTO can be used with PIKEMON only.

LISTEN-SOCKET-ID must be consistent within PF and PROXY-NG.

Item ADAPTIVE-FIREWALL.IDS-AGENT.RULES.MODIFY-RULES requires item UPDATE.ADAPTIVE-FIREWALL to be enabled.

Item ADAPTIVE-FIREWALL.IDS-AGENT.RULES.ENABLE-RULES requires item UPDATE.ADAPTIVE-FIREWALL to be enabled.

Item ADAPTIVE-FIREWALL.IDS-AGENT.RULES.DISABLE-RULES requires item UPDATE.ADAPTIVE-FIREWALL to be enabled.

Item ADAPTIVE-FIREWALL.IDS-AGENT.RULES.CHANGE-RULES-TO-BLOCK requires item UPDATE.ADAPTIVE-FIREWALL to be enabled.

Section SYSTEM.ADAPTIVE-FIREWALL requires section SYSTEM.PACKET-FILTER.

Section ADAPTIVE-FIREWALL.STATS-DAILY requires section PACKET-FILTER.STATS-DAILY to be enabled because AF is technically part of Packet Filter.

Section ADAPTIVE-FIREWALL.STATS-WEEKLY requires section PACKET-FILTER.STATS-WEEKLY to be enabled because AF is technically part of Packet Filter.

Section ADAPTIVE-FIREWALL.STATS-MONTHLY requires section PACKET-FILTER.STATS-MONTHLY to be enabled because AF is technically part of Packet Filter.

Items & subsections:

product product components [groups groups] [upgrade upgrade];

Specification of the product installed on this system.

product (type: product-type)

Type of the product.

components (type: component-type-list)

List of licensed components.

groups groups (type: component-group-list, optional, default: {})

List of licensed component groups.

upgrade upgrade (type: str, optional, default: "unlimited")

Upgrade date from a license.

Constraints:

Upgrade must be "unlimited" or a date in format YYYY-MM-DD.

admin system [contact];

Firewall administrator and contact e-mail addresses.

system (type: str)

The technical administrator(s) of the system; an address or a set of comma-separated addresses of the persons responsible for system maintenance.

contact (type: str, optional, default: <NULL>)

The policy administrator; the address of the person responsible for system configuration. If not defined, the technical administrator address is used instead.

Constraints:

Administrator contact must comply with RFC.

hostname name;

System name.

name (type: str)

Constraints:

Hostname should not contain domain part.

domain name;

Domain name.

name (type: str)

kernun-root [path];

Path to Kernun installation root directory.

path (type: str, optional, default: "/usr/local/kernun")

Constraints:

Path must be absolute and must not contain punctuation chars.

usb-auto-setup [value];

Policy for automatic application of configuration from attached USB devices.

value (type: usb-auto-setup-policy, optional, default: auto_decide)

apply-host addr;

Address to connect to by ssh when applying the configuration remotely.

If omitted, the KAT /APPLY command forces local application.

If used, the KAT /APPLY command uses local application only if the machine's hostname is exactly HOSTNAME.DOMAIN.

addr (type: sock)

config-sync systems;

Keep the configuration synchronized among the listed systems.

systems (type: str-list)

users {


* user name { ... }
}

Kernun users.

Items & subsections:

user name {


  role ... ;
  full-name ... ;
* ssh-key ... ;
}

Constraints:

User role must be specified.

Items & subsections:

role type;

User role.

There are two kinds of Kernun users:

- ADMINistrators are root-equivalent users

- AUDITors can only view system configuration and logs.

type (type: user-type)

full-name [gecos];

Full name of user.

gecos (type: str, optional, default: "&")

Constraints:

Full name must not contain colon (':').

ssh-key email type key [ignored];

SSH Version 2 key.

email (type: str)

Owner email address.

type (type: ssh-key-type)

key (type: str)

ignored (type: str, optional, default: <NULL>)

Elem ignored; retained for backward compatibility.

[End of section system.users.user description.]

[End of section system.users description.]

sysctl {


* variable ... ;
  portrange-default ... ;
  portrange-high ... ;
  portrange-low ... ;
  portrange-reserved ... ;
  somaxconn ... ;
  log-in-vain ... ;
  blackhole ... ;
}

The sysctl section is derived from the sysctl section prototype. For a detailed description, see sysctl(5).

interface name {


  dev ... ;
  ipv4 ... ;
  ipv6 ... ;
  mac ... ;
  aggregate ... ;
  pike ... ;
  vlan ... ;
  tunnel ... ;
  dhcp-client ... ;
  ipv6-rtadv { ... }
* alias name { ... }
* tag ... ;
}

The interface section is derived from the interface section prototype. For a detailed description, see interface(5).

ipv6-router [enable];

Operate as an IPv6 router.

enable (type: yes-no, optional, default: yes)

ipv6-addrctl {


* rule ... ;
}

Defines the policy table for the IPv4/IPv6 address selection algorithm from RFC 3484. The generated address selection table is stored in /etc/ip6addrctl.conf and managed by the ip6addrctl command. If this section does not exist, a default table is generated; whether IPv4 or IPv6 addresses are preferred in the default table is controlled by the item PROTO in the RESOLVER section referenced by SYSTEM.USE-RESOLVER.

Items & subsections:

rule prefix precedence label;

A single policy table entry.

prefix (type: net)

precedence (type: uint16)

label (type: uint16)

[End of section system.ipv6-addrctl description.]
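
The following Python script is an added example, not Kernun's generator: it holds the default RFC 3484 policy table, renders it in the line format /etc/ip6addrctl.conf uses ("prefix precedence label"), and performs the longest-prefix lookup the address selection algorithm applies, so the effect of a RULE on IPv4-versus-IPv6 preference can be checked before the table is installed. The way rules_for() expresses an IPv4 preference (raising the precedence of ::ffff:0:0/96 above native IPv6) is an assumption made for this example, not a statement of what the RESOLVER PROTO item does.

```python
import ipaddress

# Added example (not Kernun's code): the RFC 3484 policy table that the
# ipv6-addrctl section configures, rendered as /etc/ip6addrctl.conf and used
# for destination address selection.

# Default policy table from RFC 3484, section 2.1: (prefix, precedence, label).
RFC3484_DEFAULT = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]


def rules_for(prefer_ipv4):
    """Return the table for the requested protocol preference.

    Assumption for this example: preferring IPv4 is expressed by raising the
    precedence of the IPv4-mapped prefix above the precedence of native IPv6.
    """
    if not prefer_ipv4:
        return list(RFC3484_DEFAULT)
    return [(p, 100 if p == "::ffff:0:0/96" else prec, label)
            for p, prec, label in RFC3484_DEFAULT]


def ip6addrctl_conf(rules):
    """Render the rules as /etc/ip6addrctl.conf: one 'prefix precedence label' line each."""
    lines = ["# Prefix\tPrecedence\tLabel"]
    lines += [f"{prefix}\t{prec}\t{label}" for prefix, prec, label in rules]
    return "\n".join(lines) + "\n"


def lookup(rules, address):
    """Longest-prefix match of one address; returns (precedence, label).

    An IPv4 address is mapped into ::ffff:0:0/96 first, which is how the
    policy table treats IPv4 destinations.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        ip = ipaddress.IPv6Address(f"::ffff:{ip}")
    best = None
    for prefix, prec, label in rules:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    if best is None:
        raise LookupError(f"no rule matches {address}")
    return best[1], best[2]


def preferred(rules, candidates):
    """Choose the destination with the highest precedence (RFC 3484 rule 6);
    on a tie the earlier candidate wins."""
    return max(candidates, key=lambda a: lookup(rules, a)[0])


if __name__ == "__main__":
    print(ip6addrctl_conf(RFC3484_DEFAULT))
    both = ["192.0.2.10", "2001:db8::10"]      # constructed candidate addresses
    print("default table prefers:", preferred(RFC3484_DEFAULT, both))
    print("IPv4-preferring table prefers:", preferred(rules_for(True), both))
```

With the default table a dual-stack destination resolves to its IPv6 address (precedence 40 beats the IPv4-mapped 10); a single RULE entry for ::ffff:0:0/96 with a higher precedence flips that choice for every IPv4 destination at once, which is why the section is worth reviewing whenever a proxy unexpectedly connects over the other protocol.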

pikemon {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  udpserver { ... }
  priority ... ;
  status-file ... ;
  hmac ... ;
  devd-socket ... ;
  garp-keepalive ... ;
* virtual-cluster name { ... }
}

The pikemon section is derived from the pikemon section prototype. For a detailed description, see pike(5).

routes {


  default ... ;
  default6 ... ;
* static name { ... }
}

Routing table definition.

Items & subsections:

default gw;

Default route.

gw (type: host)

Router IP address.

default6 gw;

Default IPv6 route.

gw (type: host)

Router IP address.

static name {


  dest ... ;
  gw ... ;
  flags ... ;
}

Static route.

Constraints:

Route destination must be specified.

Router address must be specified.

Dest and gateway must be of the same internet family.

Items & subsections:

dest dst;

Route destination.

dst (type: net)

gw gw;

Router (gateway).

gw (type: host)

Router IP address.

flags set;

Route flags.

set (type: route-flag-list)

[End of section system.routes.static description.]

[End of section system.routes description.]

rc-conf {


  no-kld-list ... ;
* set-env ... ;
* append-env ... ;
}

Additional settings for /etc/rc.conf.

By default, CML generates the following variables into the rc.conf file:

  • kld_list (for network transparency modules used by proxy-ng)

  • hostname (from HOSTNAME and DOMAIN items)

  • network_interfaces (from INTERFACE sections)

  • default_router (from ROUTES section)

  • static_routes (from ROUTES.STATIC sections)

  • syslogd_flags ("-ss" and sockets for CHROOT-DIRs)

  • devfs_set_rulesets and devfs_system_ruleset

  • local_startup (adds Kernun rc.d directory)

  • pf_enable (YES)

  • sendmail_enable (NONE)

  • sendmail_msp_queue_enable (NO)

  • postfix_enable (YES)

  • fsck_y_enable (YES)

Additional variables can be specified in this section.

Even the predefined variables can be modified by adding a redefinition such as SET-ENV var "$var ...";.

Items & subsections:

no-kld-list;

Do not generate kld_list variable.

After changing this, it is necessary to load or unload the kernel modules mac_bindany and pf_transp manually.

set-env name value;

Set rc-conf variable.

name (type: str)

Variable name.

value (type: str)

Variable value.

Constraints:

Variable name must contain alphanumeric chars only.

append-env name value;

Modify rc-conf variable.

The variable value is extended (the new value is appended), not replaced.

name (type: str)

Variable name.

value (type: str)

Variable value.

Constraints:

Variable name must contain alphanumeric chars only.

[End of section system.rc-conf description.]
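
The following Python script is an added example, not Kernun's CML generator: it builds the rc.conf variables this section says are generated by default, layers SET-ENV and APPEND-ENV items on top of them the way the page describes (SET-ENV as a plain assignment, APPEND-ENV as name="$name value"), validates variable names, and then evaluates the resulting file in shell order so the final value of each variable can be checked. The module list written into kld_list and the underscore allowance in variable names are assumptions of this example; the page itself only says "alphanumeric", but its predefined names (kld_list, pf_enable) contain underscores.

```python
import re

# Added example (not Kernun's code): how the rc-conf section's SET-ENV and
# APPEND-ENV items fold into rc.conf on top of the generated defaults.

# The page requires alphanumeric names; underscore is accepted here too,
# because the predefined names (kld_list, pf_enable, ...) contain it.
_VAR_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def valid_name(name):
    return bool(_VAR_NAME.match(name))


def check_name(name):
    if not valid_name(name):
        raise ValueError(f"Variable name must contain alphanumeric chars only: {name!r}")
    return name


def generated_defaults(hostname, domain, interfaces, default_router=None,
                       static_routes=(), no_kld_list=False):
    """Variables the page lists as generated by default (values illustrative)."""
    d = {}
    if not no_kld_list:                          # NO-KLD-LIST suppresses kld_list
        d["kld_list"] = "mac_bindany pf_transp"  # the two modules the page names
    d["hostname"] = f"{hostname}.{domain}"       # from HOSTNAME and DOMAIN
    d["network_interfaces"] = " ".join(interfaces)
    if default_router:
        d["default_router"] = default_router
    if static_routes:
        d["static_routes"] = " ".join(static_routes)
    d["pf_enable"] = "YES"
    d["sendmail_enable"] = "NONE"
    d["sendmail_msp_queue_enable"] = "NO"
    d["postfix_enable"] = "YES"
    d["fsck_y_enable"] = "YES"
    return d


def render_rc_conf(defaults, set_env=(), append_env=()):
    """Emit rc.conf text: generated defaults first, then SET-ENV as plain
    assignments and APPEND-ENV as name="$name value" (shell expansion appends)."""
    lines = [f'{k}="{v}"' for k, v in defaults.items()]
    for name, value in set_env:
        lines.append(f'{check_name(name)}="{value}"')
    for name, value in append_env:
        lines.append(f'{check_name(name)}="${name} {value}"')
    return "\n".join(lines) + "\n"


def evaluate(rc_conf_text):
    """Resolve the file the way sh reads it: assignments in order, with
    $name expanded to the variable's value at that point (empty if unset)."""
    env = {}
    for line in rc_conf_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, raw = line.partition("=")
        value = re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), raw.strip('"'))
        env[name] = value.strip()
    return env


if __name__ == "__main__":
    defaults = generated_defaults("fw", "example.com", ["em0", "em1"], "192.0.2.1")
    text = render_rc_conf(defaults,
                          set_env=[("ntpd_enable", "YES")],
                          append_env=[("kld_list", "if_tap")])
    print(text)
    print("kld_list evaluates to:", evaluate(text)["kld_list"])
```

Because the defaults are written before the SET-ENV lines, a redefinition in the form the page shows (SET-ENV var "$var ...") still sees the generated value; an APPEND-ENV on a variable that was never set simply yields the appended value.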

hosts-table {


* host ... ;
}

Host table.

This section defines known machines and their addresses. It serves primarily as the source for the /etc/hosts file. If the DHCP-SERVER is enabled in a particular SYSTEM, all hosts with an IPv4 address and a MAC address in this table are included in dhcpd.conf. If the DHCP6-SERVER is enabled in a particular SYSTEM, all hosts with an IPv6 address and a DUID in this table are included in dhcpd6.conf. If a NAMESERVER with a ZONE is enabled in a particular SYSTEM, all hosts with a proper name are included in the corresponding files.

Items & subsections:

host address names [mac [dhcp-opt]];

address (type: addr)

Host IP address.

names (type: str-list)

Host name and aliases.

mac (type: str, optional, default: <NULL>)

MAC address (for IPv4) or client's DUID (for IPv6). The acceptable formats are "xx:xx:xx:xx:xx:xx", "xx-xx-xx-xx-xx-xx" and "xxxx.xxxx.xxxx".

dhcp-opt (type: str, optional, default: <NULL>)

DHCP options.

Constraints:

Name list must not be empty.

Hostnames must comply with RFC 1034.

MAC address must be in colon, dash or dot separated format.

[End of section system.hosts-table description.]
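
The following Python script is an added example, not Kernun's own generator: it validates HOST items against the constraints listed above (non-empty name list, RFC 1034 host names, the three accepted MAC formats), normalizes the MAC to colon form, and derives the /etc/hosts lines and the dhcpd.conf / dhcpd6.conf host blocks the description says are produced from this table. The dhcpd syntax used is ISC dhcpd's; the exact shape of the host blocks Kernun writes, and the use of the DUID as a dhcp6.client-id, are assumptions of this example. The sample table is constructed from documentation addresses.

```python
import ipaddress
import re

# Added example (not Kernun's code): validation of hosts-table entries and the
# files derived from them, as described in the hosts-table section.

# The three MAC address formats the section accepts.
_MAC_FORMATS = (
    re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"),
    re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$"),
    re.compile(r"^([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"),
)
# RFC 1034 label: starts with a letter, letters/digits/hyphens inside,
# does not end with a hyphen, at most 63 characters.
_LABEL = re.compile(r"^[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def normalize_mac(mac):
    """Accept colon, dash or dot separated MAC; return lower-case colon form."""
    if not any(p.match(mac) for p in _MAC_FORMATS):
        raise ValueError(f"MAC address must be in colon, dash or dot separated format: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def valid_hostname(name):
    """True if every label of the (possibly dotted) name satisfies RFC 1034."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


class Host:
    """One 'host address names [mac [dhcp-opt]]' item, validated on construction."""

    def __init__(self, address, names, mac=None, dhcp_opt=None):
        if not names:
            raise ValueError("Name list must not be empty.")
        for n in names:
            if not valid_hostname(n):
                raise ValueError(f"Hostname does not comply with RFC 1034: {n!r}")
        self.ip = ipaddress.ip_address(address)
        self.address, self.names, self.dhcp_opt = address, list(names), dhcp_opt
        # For IPv4 the fourth elem is a MAC; for IPv6 it is the client's DUID, kept verbatim.
        self.mac = normalize_mac(mac) if (mac is not None and self.ip.version == 4) else mac


def hosts_file(hosts):
    """/etc/hosts lines: address, then the host name and its aliases."""
    return "".join(f"{h.address}\t{' '.join(h.names)}\n" for h in hosts)


def dhcpd_hosts(hosts):
    """dhcpd.conf host blocks for every IPv4 host that has a MAC address."""
    out = []
    for h in hosts:
        if h.ip.version != 4 or h.mac is None:
            continue
        body = [f"  hardware ethernet {h.mac};", f"  fixed-address {h.address};"]
        if h.dhcp_opt:
            body.append(f"  {h.dhcp_opt};")   # DHCP-OPT is passed through verbatim
        out.append(f"host {h.names[0]} {{\n" + "\n".join(body) + "\n}\n")
    return "".join(out)


def dhcpd6_hosts(hosts):
    """dhcpd6.conf host blocks for every IPv6 host that has a DUID (assumed form)."""
    out = []
    for h in hosts:
        if h.ip.version != 6 or h.mac is None:
            continue
        out.append(f"host {h.names[0]} {{\n"
                   f"  host-identifier option dhcp6.client-id {h.mac};\n"
                   f"  fixed-address6 {h.address};\n}}\n")
    return "".join(out)


# Constructed sample table (documentation addresses, made-up names and DUID).
SAMPLE_HOSTS = [
    Host("192.0.2.10", ["fw-int", "gw"], "00-1A-2B-3C-4D-5E"),
    Host("192.0.2.20", ["printer"], "001a.2b3c.4d60", 'option host-name "printer"'),
    Host("192.0.2.30", ["nomac"]),
    Host("2001:db8::10", ["fw-int6"], "00:01:00:01:1f:2a:3b:4c:00:1a:2b:3c:4d:5e"),
]

if __name__ == "__main__":
    print(hosts_file(SAMPLE_HOSTS))
    print(dhcpd_hosts(SAMPLE_HOSTS))
    print(dhcpd6_hosts(SAMPLE_HOSTS))
```

A host without a MAC address appears only in /etc/hosts, never in dhcpd.conf, which is the behaviour to expect when a static lease seems to be missing.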

rotate-log name {


  rotate ... ;
* file ... ;
}

Description of standard system log file rotation.

All files referenced in one ROTATE-LOG section use the same rotation policy, defined by the ROTATE item. The default policy (if the ROTATE item is omitted) is daily rotation.

Files not referenced in any ROTATE-LOG section (nor elsewhere in the CML) are rotated according to the /etc/newsyslog.conf file.

Items & subsections:

rotate [user user] [group group] [mode mode] [count count] [size size] [when [zip]];

Log file rotation description.

Use the SIZE elem if a log-file-size criterion is required. Use the WHEN elem if periodic rotation is required. If both SIZE and WHEN elems are used, the log file is rotated at the given time only if the size limit has been reached.

user user (type: str, optional, default: "root")

Log file owner - user.

group group (type: str, optional, default: "wheel")

Log file owner - group.

mode mode (type: uint16, optional, default: 640)

Log file permissions.

count count (type: uint16, optional, default: 31)

Number of days being archived.

size size (type: uint16, optional, default: 0)

Size limit for rotation in KB (the log file size is ignored if omitted).

when (type: time-cond, optional, default: anytime)

Rotation periodicity (the SIZE condition is used if omitted).

zip (type: zip-mode, optional, default: bzip2)

Compression mode.

Constraints:

Use either size criterion or defined periodicity.

file name [pidfile [signo]];

Description of a particular log file.

For a description of the PIDFILE and SIGNO elems, see the newsyslog.conf(5) manual page.

name (type: str)

pidfile (type: str, optional, default: <NULL>)

signo (type: uint8, optional, default: 0)

Constraints:

Log file name must be absolute and must not contain punctuation chars.

PID file name must be absolute and must not contain punctuation chars.

[End of section system.rotate-log description.]

ntp {


  phase ... ;
* tag ... ;
  cfg-resolution ... ;
  drift-file ... ;
* peer ... ;
* server ... ;
* clock ... ;
* restrict ... ;
}

The ntp section is derived from the ntp section prototype. For a detailed description, see ntp(5).

dhcp-server {


  phase ... ;
* tag ... ;
  lease-file ... ;
  default-lease-time ... ;
  max-lease-time ... ;
* domain ... ;
* name-server ... ;
* time-server ... ;
* router ... ;
* raw ... ;
* subnet name { ... }
  failover { ... }
}

The dhcp-server section is derived from the dhcp-server section prototype. For a detailed description, see dhcp-server(5).

dhcp6-server {


  phase ... ;
* tag ... ;
  lease-file ... ;
  default-lease-time ... ;
  max-lease-time ... ;
* domain ... ;
* name-server ... ;
* raw ... ;
* subnet name { ... }
}

The dhcp6-server section is derived from the dhcp6-server section prototype. For a detailed description, see dhcp-server(5).

crontab {


  mailto ... ;
* set-env ... ;
* plan ... ;
* monthly ... ;
* weekly ... ;
* daily ... ;
* hourly ... ;
* every ... ;
}

Cron table definition.

No "default content" of the crontab is preserved; all table items must be specified here. Typical crontab content can be found in the file samples/crontab.cml, which you can include in your configuration and use here. See the instructions in the file.

Items & subsections:

mailto addr;

Set MAILTO crontab variable.

This address is used by cron to send the scripts' output. Setting it via SET-ENV is allowed; however, setting it by this item should be preferred. If undefined, the SYSTEM.ADMIN value is used.

addr (type: str)

Email address(es).

set-env name value;

Set crontab variable.

name (type: str)

Variable name.

value (type: str)

Variable value.

Constraints:

Variable name must contain alphanumeric chars only.

plan line;

Crontab (raw) line.

line (type: str)

monthly at at [by by] cmd [report report];

Run task every month.

at at (type: time)

Starting time of task (hhmm).

by by (type: str, optional, default: "root")

cmd (type: str)

report report (type: report-mode, optional, default: nothing=0)

Task output (stdout and stderr) delivery.

weekly on on at at [by by] cmd [report report];

Run task every week.

on on (type: week-day)

Weekday of execution.

at at (type: time)

Starting time of task (hhmm).

by by (type: str, optional, default: "root")

cmd (type: str)

report report (type: report-mode, optional, default: nothing=0)

Task output (stdout and stderr) delivery.

daily at at [by by] cmd [report report];

Run task every day.

at at (type: time)

Starting time of task (hhmm).

by by (type: str, optional, default: "root")

cmd (type: str)

report report (type: report-mode, optional, default: nothing=0)

Task output (stdout and stderr) delivery.

hourly at at [by by] cmd [report report];

Run task every hour.

at at (type: time)

Starting time of task (mm, hours ignored).

by by (type: str, optional, default: "root")

cmd (type: str)

report report (type: report-mode, optional, default: nothing=0)

Task output (stdout and stderr) delivery.

every min at at [by by] cmd [report report];

Run the task periodically, with the period given in minutes.

min (type: time)

Period (mm, hours ignored).

at at (type: time)

Starting time of task (mm, hours ignored).

by by (type: str, optional, default: "root")

cmd (type: str)

report report (type: report-mode, optional, default: nothing=0)

Task output (stdout and stderr) delivery.

[End of section system.crontab description.]
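
The following Python script is an added example, not Kernun's generator: it translates the MONTHLY, WEEKLY, DAILY, HOURLY and EVERY items above into /etc/crontab lines (the system crontab format, whose user field matches the BY elem), parses the hhmm times with range checks, ignores the hour part where the page says it is ignored, and assembles a complete table with MAILTO and SET-ENV variables. Three things are assumptions of this example rather than statements from the page: week-day names are three-letter English abbreviations, MONTHLY runs on the first day of the month, and the report mode "nothing" is realized by redirecting the task's output to /dev/null while any other mode leaves the output for cron to mail to MAILTO.

```python
import re

# Added example (not Kernun's code): schedule items of the crontab section
# rendered as /etc/crontab lines. See the lead-in for the assumptions made.

WEEKDAYS = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}


def parse_hhmm(t):
    """Split an 'hhmm' time into (hour, minute) with range checks."""
    if not re.fullmatch(r"\d{4}", t):
        raise ValueError(f"time must be given as hhmm: {t!r}")
    h, m = int(t[:2]), int(t[2:])
    if h > 23 or m > 59:
        raise ValueError(f"time out of range: {t!r}")
    return h, m


def _line(minute, hour, dom, dow, by, cmd, report):
    """One /etc/crontab line: minute hour day-of-month month day-of-week user command."""
    if report == "nothing":            # default report mode: discard stdout and stderr (assumed)
        cmd = f"{cmd} >/dev/null 2>&1"
    return f"{minute}\t{hour}\t{dom}\t*\t{dow}\t{by}\t{cmd}"


def monthly(at, cmd, by="root", report="nothing"):
    h, m = parse_hhmm(at)
    return _line(m, h, 1, "*", by, cmd, report)          # day 1 of the month assumed


def weekly(on, at, cmd, by="root", report="nothing"):
    h, m = parse_hhmm(at)
    return _line(m, h, "*", WEEKDAYS[on.lower()], by, cmd, report)


def daily(at, cmd, by="root", report="nothing"):
    h, m = parse_hhmm(at)
    return _line(m, h, "*", "*", by, cmd, report)


def hourly(at, cmd, by="root", report="nothing"):
    _, m = parse_hhmm(at)              # hours ignored, as the page states
    return _line(m, "*", "*", "*", by, cmd, report)


def every(period, at, cmd, by="root", report="nothing"):
    """Run every PERIOD minutes, starting at minute AT of each hour.

    cron's step syntax restarts at every hour boundary, so a period that does
    not divide 60 leaves an uneven gap at the top of the hour.
    """
    _, step = parse_hhmm(period)
    _, start = parse_hhmm(at)
    if step == 0:
        raise ValueError("period must be at least one minute")
    if start >= step:
        raise ValueError("starting minute must be smaller than the period")
    return _line(f"{start}-59/{step}", "*", "*", "*", by, cmd, report)


def render_crontab(mailto, set_env, entries):
    """Whole table: MAILTO first, then SET-ENV variables, then the entries."""
    head = [f"MAILTO={mailto}"] + [f"{k}={v}" for k, v in set_env]
    return "\n".join(head + list(entries)) + "\n"


if __name__ == "__main__":
    # Constructed sample: made-up commands and addresses.
    print(render_crontab("admin@example.com", [("PATH", "/bin:/usr/bin:/usr/local/bin")], [
        daily("0230", "/usr/local/bin/example-backup"),
        weekly("sun", "0415", "/usr/local/bin/example-report", report="mail"),
        every("0015", "0005", "/usr/local/bin/example-check", by="nobody"),
    ]))
```

The EVERY item is the one to look at twice: "every 0015 at 0005" becomes the minute field 5-59/15, which runs at 5, 20, 35 and 50 minutes past each hour, and a period that does not divide 60 does not give an even spacing across the hour boundary.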

periodic-conf {


  mailto ... ;
* set-env ... ;
}

Periodic job configuration information.

The content of the /etc/periodic.conf file (see periodic.conf(5)) is defined here. Typical content of the file can be found in the file samples/crontab.cml, which you can include in your configuration and use here. See the instructions in the file.

If undefined, the file remains untouched.

Items & subsections:

mailto addr;

Set MAILTO crontab variable.

This address will be used as value of several variables 'daily_output', 'weekly_output', 'monthly_output', 'daily_status_security_output', 'weekly_status_security_output' and 'monthly_status_security_output'.

If undefined, the SYSTEM.ADMIN value is used.

addr (type: str)

Email address(es).

set-env name value;

Set periodic.conf variable.

name (type: str)

Variable name.

value (type: str)

Variable value.

Constraints:

Variable name must contain alphanumeric chars only.

[End of section system.periodic-conf description.]

local-mailer {


  phase ... ;
* tag ... ;
  relayhost ... ;
  source-address ... ;
  myhostname ... ;
  smtp-helo-name ... ;
  myorigin ... ;
  inet-protocol ... ;
  relay-domains ... ;
  mydestinations ... ;
  mynetworks ... ;
  message-size-limit ... ;
  bounce-size-limit ... ;
  bounce-queue-lifetime ... ;
  delay-warning-time ... ;
  tls { ... }
* set-var ... ;
  master-cf ... ;
  smtpd-option ... ;
  transport-map ... ;
}

MTA used for sending mails originating at the firewall.

The local-mailer section is derived from the smtp-agent section prototype. For a detailed description, see smtp-proxy(5).

Changes to the local-mailer section:

Cannot use the automatic transport map for local-mailer.

ssh-server name {


  phase ... ;
* tag ... ;
  listen-on { ... }
  protocol ... ;
  passwd-auth ... ;
  ciphers ... ;
  kex-algorithms ... ;
  macs ... ;
* option ... ;
* subsystem ... ;
}

The ssh-server section is derived from the ssh-server section prototype. For a detailed description, see ssh(5).

ssh-keys {


* key2 ... ;
}

SSH keys definition.

Items & subsections:

key2 email type key [ignored];

SSH Version 2 key.

email (type: str)

Owner email address.

type (type: ssh-key-type)

key (type: str)

ignored (type: str, optional, default: <NULL>)

Elem ignored; retained for backward compatibility.

[End of section system.ssh-keys description.]

ica-auto port priv-key pub-key;

Configure icamd/icasd automatically, using the addresses defined for pikemon.

port (type: port)

The port that icamd listens on and icasd connects to.

priv-key (type: name of shared-file, see common(5))

The private ssh key used for authentication.

pub-key (type: name of shared-file, see common(5))

The public ssh key used for authentication.

icamd {


  phase ... ;
* tag ... ;
  listen-on { ... }
  priv-key ... ;
* slave name { ... }
}

The icamd section is derived from the icamd section prototype. For a detailed description, see ica(5).

icasd {


  phase ... ;
* tag ... ;
  priv-key ... ;
* master name { ... }
}

The icasd section is derived from the icasd section prototype. For a detailed description, see ica(5).

watch {


  disable ... ;
}

Watching system parameters by RRD.

Items & subsections:

disable;

Disable watching.

[End of section system.watch description.]

acl name {


* from ... ;
* to ... ;
* time ... ;
  time-period-set { ... }
  deny ... ;
  accept ... ;
* doctype-ident-order ... ;
  rule ... ;
  auth ... ;
  idle-timeout ... ;
  source-address ... ;
  plug-to ... ;
  service ... ;
}

General ACL definition.

The acl section is derived from the acl-1 section prototype. For a detailed description, see acl(5).

Changes to the acl section:

Item user is not valid.

Item idle-timeout-peer is not valid.

Item SERVICE must be specified.

Added items & subsections:

service list;

List of proxies where this ACL is applicable.

list (type: str-set)

[End of section system.acl description.]

use-services file;

Source for /etc/services file.

file (type: name of shared-file, see common(5))

use-resolver name;

Resolver Section Specification.

This item defines the name of the global (system) resolver section used in a particular configuration environment. Namely, it is applicable within the SYSTEM section and within any section derived from the PROXY prototype. The former usage defines system-wide values, the latter values valid for a particular proxy.

name (type: name of resolver, see resolver(5))

resolver name {


* server ... ;
  search ... ;
  preference ... ;
  edns ... ;
  conf-timeout ... ;
  initial-timeout ... ;
  final-timeout ... ;
  conn-timeout ... ;
  disable-deresolution ... ;
}

The resolver section is derived from the resolver section prototype. For a detailed description, see resolver(5).

nameserver name {


  phase ... ;
* tag ... ;
  use-ipv4-only ... ;
  listen-on { ... }
  forward ... ;
* forwarder ... ;
* from ... ;
  dnssec { ... }
  send-cookie ... ;
* option ... ;
* raw ... ;
* zone name { ... }
}

The nameserver section is derived from the nameserver section prototype. For a detailed description, see nameserver(5).

ns-list name {


* server ... ;
}

The ns-list section is derived from the ns-list section prototype. For a detailed description, see resolver(5).

atrmon name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  client-conn { ... }
* session-acl name { ... }
* request-acl name { ... }
}

The atrmon section is derived from the atrmon section prototype. For a detailed description, see atr(5).

pf-queue name {


  parent ... ;
  bandwidth ... ;
  priority ... ;
  qlimit ... ;
  cbq { ... }
  priq { ... }
  hfsc { ... }
}

The pf-queue section is derived from the pf-queue section prototype. For a detailed description, see pf-queue(5).

packet-filter {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  pflog ... ;
  pfsync ... ;
  comm-dir ... ;
  ignore-iface ... ;
  pcap-timeout ... ;
  buffer-size ... ;
* set-option ... ;
  timeouts { ... }
  limits { ... }
  logging-frequence ... ;
* altq name { ... }
* scrub-acl name { ... }
* rdr-acl name { ... }
* nat-acl name { ... }
* binat-acl name { ... }
* filter-acl name { ... }
* load-anchor ... ;
}

The packet-filter section is derived from the packet-filter section prototype. For a detailed description, see packet-filter(5).

adaptive-firewall {


  ids-agent { ... }
* watchdog name { ... }
  honeypot { ... }
  auto-blocking { ... }
  adaptive-database { ... }
  address-groups { ... }
  port-groups { ... }
  whitelist ... ;
  blacklist ... ;
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
}

The adaptive-firewall section is derived from the adaptive-firewall section prototype. For a detailed description, see adaptive-firewall(5).

alertd {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
* snmp-manager name { ... }
}

            

The alertd section is derived from the alertd section prototype. For a detailed description, see alertd(5).

bird4 {


  phase ... ;
* tag ... ;
  use-id ... ;
  direct { ... }
  kernel { ... }
  device { ... }
  static { ... }
  ospf { ... }
* raw ... ;
}

            

The bird4 section is derived from the bird4 section prototype. For a detailed description, see router(5).

bird6 {


  phase ... ;
* tag ... ;
  use-id ... ;
  direct { ... }
  kernel { ... }
  device { ... }
  static { ... }
  ospf { ... }
* raw ... ;
}

            

The bird6 section is derived from the bird6 section prototype. For a detailed description, see router(5).

rtadvd {


  phase ... ;
* tag ... ;
  default-params { ... }
}

            

The rtadvd section is derived from the rtadvd section prototype. For a detailed description, see rtadvd(5).

ssl-params name {


  versions ... ;
  ciphers ... ;
  tcp-eof ... ;
  id ... ;
* auth-cert ... ;
  distrusted-certs ... ;
  dont-check-crl ... ;
* crl ... ;
  verify-peer ... ;
  cache-timeout ... ;
  use-ticket ... ;
  enable-renegotiation ... ;
  fake-cert ... ;
  prefer_server_ciphers ... ;
  enable-ecdh ... ;
}

            

The ssl-params section is derived from the ssl-params section prototype. For a detailed description, see ssl(5).

fake-cert name {


  key ... ;
  auth-ca ... ;
  fail-ca ... ;
* extension ... ;
  purge ... ;
}

            

The fake-cert section is derived from the fake-cert section prototype. For a detailed description, see ssl(5).

html-filter name {


* script-tag-language ... ;
  replace-head-script-tags ... ;
  replace-body-script-tags ... ;
* style-tag-type ... ;
  replace-style-tags ... ;
* iframe-tag-src ... ;
  replace-iframe-tags ... ;
* intrinsic-language ... ;
* intrinsic-hack ... ;
  replace-intrinsic ... ;
* macro-language ... ;
* macro-hack ... ;
  replace-macros ... ;
* uri ... ;
  replace-uri ... ;
* embed-tag-type ... ;
* embed-src-hack ... ;
* embed-plugin-hack ... ;
  replace-head-embed-tags ... ;
  replace-body-embed-tags ... ;
* applet ... ;
  replace-applets ... ;
* object ... ;
* object-classid-hack ... ;
* object-data-hack ... ;
  replace-head-object-tags ... ;
  replace-body-object-tags ... ;
* param-tags ... ;
  replace-param ... ;
  script-end-hack ... ;
}

            

The html-filter section is derived from the html-filter section prototype. For a detailed description, see mod-html-filter(5).

mail-filter name {


  stamp-limit ... ;
  stamp-filter ... ;
* unflagged-8bit ... ;
* bad-end-of-line ... ;
* invalid-header ... ;
* long-header-lines ... ;
* invalid-chars ... ;
* header-8bit-chars ... ;
* bad-boundary-chars ... ;
* bad-boundary-length ... ;
* long-body-lines ... ;
* long-encoded-lines ... ;
  enc-line-len ... ;
* bad-mime-struct ... ;
* invalid-encoding ... ;
  treat-rfc822-as-text ... ;
}

            

The mail-filter section is derived from the mail-filter section prototype. For a detailed description, see mod-mail-doc(5).

aproxy name {


  auth ... ;
  insecure-cookies ... ;
  oob-auth ... ;
  cookie-name ... ;
  logout ... ;
  timeout-idle ... ;
  timeout-unauth ... ;
  bufsz ... ;
}

            

The aproxy section is derived from the aproxy section prototype. For a detailed description, see http-proxy(5).

radius-client name {


  nas ... ;
  groups ... ;
* server ... ;
}

            

The radius-client section is derived from the radius-client section prototype. For a detailed description, see radius(5).

ldap-client-auth name {


  server ... ;
  ssl { ... }
  bindinfo ... ;
  kerberos ... ;
  users ... ;
  groups ... ;
  active-directory ... ;
}

            

The ldap-client-auth section is derived from the ldap-client-auth section prototype. For a detailed description, see ldap(5).

oob-auth name {


  method ... ;
  max-sessions ... ;
  max-user ... ;
  max-groups ... ;
  truncate-groups ... ;
  file ... ;
  lock ... ;
}

            

The oob-auth section is derived from the oob-auth section prototype. For a detailed description, see auth(5).

antivirus name {


  connection ... ;
  sock-opt { ... }
  timeout ... ;
  comm-dir ... ;
  altq ... ;
  max-checked-size ... ;
  icap-pass-200-with-pure-body ... ;
  persistent-stream ... ;
  clamav-agent { ... }
}

            

The antivirus section is derived from the antivirus section prototype. For a detailed description, see antivirus(5).

antispam name {


  connection ... ;
  sock-opt { ... }
  altq ... ;
}

            

The antispam section is derived from the antispam section prototype. For a detailed description, see mod-antispam(5).

smtp-forwarder name {


* server ... ;
  agent { ... }
  timeouts { ... }
  hostname ... ;
  size ... ;
  source-address ... ;
* domain ... ;
  server-ssl ... ;
* server-cert-match ... ;
  altq ... ;
}

            

The smtp-forwarder section is derived from the smtp-forwarder section prototype. For a detailed description, see smtp-proxy(5).

web-filter name {


  connection ... ;
  fail-ok ... ;
  sock-opt { ... }
}

            

The web-filter section is derived from the web-filter section prototype. For a detailed description, see http-proxy(5).

clear-web-db {


  internal-servers ... ;
  db ... ;
  lock ... ;
  local-db { ... }
}

            

The clear-web-db section is derived from the clear-web-db section prototype. For a detailed description, see clear-web-db(5).

openvpn name {


  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  interface ... ;
  topology ... ;
  local ... ;
  nobind ... ;
  user ... ;
  group ... ;
  persist-tun ... ;
  persist-key ... ;
  log-debug { ... }
  log-stats { ... }
  mute ... ;
  ping-timer-rem ... ;
  keepalive ... ;
  proto ... ;
  tls-mat ... ;
  dh ... ;
  secret ... ;
  crl-verify ... ;
  server ... ;
  max-clients ... ;
  duplicate-cn ... ;
  client-to-client ... ;
  ccd-exclusive ... ;
  mlock ... ;
  float ... ;
  push { ... }
  ifconfig-pool ... ;
  ifconfig-ipv6-pool ... ;
  tls-server ... ;
  tls-client ... ;
  tls-auth ... ;
* remote ... ;
  remote-random ... ;
  comp-lzo ... ;
  verify-x509-name ... ;
  remote-cert-ku ... ;
  remote-cert-eku ... ;
  remote-cert-tls ... ;
  cipher ... ;
  data-ciphers ... ;
  data-ciphers-fallback ... ;
  client ... ;
  pull ... ;
  route-nopull ... ;
  no-ifconfig-noexec ... ;
  ifconfig-pool-persist ... ;
  client-connect ... ;
  client-connect-socket ... ;
* ccd name { ... }
* raw ... ;
  phase ... ;
* tag ... ;
  socket-root ... ;
  fast-io ... ;
}

            

The openvpn section is derived from the openvpn section prototype. For a detailed description, see openvpn(5).

ipsec-global {


  phase ... ;
* tag ... ;
}

            

The ipsec-global section is derived from the ipsec-global section prototype. For a detailed description, see ipsec(5).

ipsec-remote name {


  peer ... ;
  lifetime ... ;
  encryption ... ;
  hash ... ;
  dh-group ... ;
  authentication ... ;
  dpd ... ;
  rekey ... ;
  ike-frag ... ;
  esp-frag ... ;
}

            

The ipsec-remote section is derived from the ipsec-remote section prototype. For a detailed description, see ipsec(5).

ipsec name {


  phase ... ;
* tag ... ;
  transport-mode ... ;
  tunnel-mode { ... }
  phase2 { ... }
}

            

The ipsec section is derived from the ipsec section prototype. For a detailed description, see ipsec(5).

data-match name {


  max-size ... ;
  init-match ... ;
  max-match ... ;
  step-size ... ;
  step-match ... ;
* test ... ;
}

            

The data-match section is derived from the data-match section prototype. For a detailed description, see mod-match(5).

ntlm-auth name {


  domain ... ;
  workgroup ... ;
* ad-controller ... ;
  interfaces { ... }
  ldap ... ;
  timeout ... ;
  timeout-idle ... ;
  timeout-unauth ... ;
}

            

The ntlm-auth section is derived from the ntlm-auth section prototype. For a detailed description, see http-proxy(5).

kerberos-auth name {


  domain ... ;
  user-match ... ;
  kinit ... ;
  keytab ... ;
  proxy-host ... ;
* ad-controller ... ;
  ldap ... ;
  timeout-idle ... ;
  timeout-unauth ... ;
  lock ... ;
  lock-ldap ... ;
  one-per-session ... ;
}

            

The kerberos-auth section is derived from the kerberos-auth section prototype. For a detailed description, see http-proxy(5).

cwcatd {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  wakeup ... ;
  retry ... ;
}

            

Clear Web automatic categorization daemon.

The cwcatd section is derived from the alone-application section prototype. For a detailed description, see application(5).

Added items & subsections:

wakeup [sec];

Period (in seconds) at which the categorization daemon wakes up and checks the queue of categorization requests. In addition, the daemon is woken by a signal immediately after a new request is enqueued.

sec (type: uint16, optional, default: 60)

retry [sec];

Time (in seconds) after which a failed automatic categorization will be retried.

sec (type: uint32, optional, default: 3600)

[End of section system.cwcatd description.]

snmpd {


  phase ... ;
* tag ... ;
  listen-on { ... }
* user ... ;
  location ... ;
* group name { ... }
* proc ... ;
* exec ... ;
* disk ... ;
  load ... ;
  swap ... ;
* raw ... ;
}

            

The snmpd section is derived from the snmpd section prototype. For a detailed description, see snmpd(5).

http-cache {


  phase ... ;
* tag ... ;
  listen-on { ... }
  hand-off ... ;
  cache-size ... ;
  max-object-size ... ;
* raw ... ;
}

            

The http-cache section is derived from the http-cache section prototype. For a detailed description, see http-cache(5).

update {


  adaptive-firewall { ... }
  clear-web { ... }
}

            

The update section is derived from the update section prototype. For a detailed description, see update(5).

feedback {


  adaptive-firewall { ... }
  clear-web { ... }
  system-status ... ;
  reporter ... ;
  errors ... ;
}

            

The feedback section is derived from the feedback section prototype. For a detailed description, see feedback(5).

stats {


  keep-days ... ;
  disable ... ;
}

            

Parameters for generating statistics.

Items & subsections:

keep-days [val];

How many days of log data are kept in the Kernun Reporter database. Older data are deleted automatically. If set to zero, no data are ever deleted from the database.

val (type: uint16, optional, default: 31)

disable;

Do not generate the REPORTER component. This item is intended mainly for testing purposes.

[End of section system.stats description.]

stats-daily {


  top-clients ... ;
  top-users ... ;
  top-servers ... ;
}

            

The stats-daily section is derived from the summary section prototype. For a detailed description, see application(5).

Changes to the stats-daily section:

Item top-groups is not valid.

Item top-categories is not valid.

Item top-senders is not valid.

Item top-recipients is not valid.

Item top-mime-types is not valid.

Item top-qnames is not valid.

Item top-qtypes is not valid.

Item top-callers is not valid.

Item top-receivers is not valid.

Item top-sids is not valid.

Item top-server-ports is not valid.

Item spam-threshold is not valid.

Section activity-report is not valid.

Item top-src-ips is not valid.

Item top-dst-ips is not valid.

Item top-rules is not valid.

stats-weekly {


  top-clients ... ;
  top-users ... ;
  top-servers ... ;
}

            

The stats-weekly section is derived from the summary section prototype. For a detailed description, see application(5).

Changes to the stats-weekly section:

Item top-groups is not valid.

Item top-categories is not valid.

Item top-senders is not valid.

Item top-recipients is not valid.

Item top-mime-types is not valid.

Item top-qnames is not valid.

Item top-qtypes is not valid.

Item top-callers is not valid.

Item top-receivers is not valid.

Item top-sids is not valid.

Item top-server-ports is not valid.

Item spam-threshold is not valid.

Section activity-report is not valid.

Item top-src-ips is not valid.

Item top-dst-ips is not valid.

Item top-rules is not valid.

stats-monthly {


  top-clients ... ;
  top-users ... ;
  top-servers ... ;
}

            

The stats-monthly section is derived from the summary section prototype. For a detailed description, see application(5).

Changes to the stats-monthly section:

Item top-groups is not valid.

Item top-categories is not valid.

Item top-senders is not valid.

Item top-recipients is not valid.

Item top-mime-types is not valid.

Item top-qnames is not valid.

Item top-qtypes is not valid.

Item top-callers is not valid.

Item top-receivers is not valid.

Item top-sids is not valid.

Item top-server-ports is not valid.

Item spam-threshold is not valid.

Section activity-report is not valid.

Item top-src-ips is not valid.

Item top-dst-ips is not valid.

Item top-rules is not valid.

tcp-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  err-reset ... ;
  ssl-session-cache { ... }
  client-ssl ... ;
  client-ssl-timeout ... ;
  data-mime-db ... ;
  auth ... ;
* session-acl name { ... }
}

            

The tcp-proxy section is derived from the tcp-proxy section prototype. For a detailed description, see tcp-proxy(5).

udp-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  udpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  auth ... ;
* session-acl name { ... }
}

            

The udp-proxy section is derived from the udp-proxy section prototype. For a detailed description, see udp-proxy(5).

dns-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  doctype-identification { ... }
  queue-size ... ;
  edns ... ;
  dnssec ... ;
  cache { ... }
  request-timeout ... ;
  response-timeout ... ;
  query-timeout ... ;
  server-dead ... ;
  server-retry ... ;
  server-proto ... ;
  requests-table-size ... ;
  sockets-table-size ... ;
  internal-request-depth ... ;
  adr-reply-limit ... ;
  ptr-reply-limit ... ;
  client-conn { ... }
  server-conn { ... }
* session-acl name { ... }
* request-acl name { ... }
}

            

The dns-proxy section is derived from the dns-proxy section prototype. For a detailed description, see dns-proxy(5).

ftp-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  client-ctrl { ... }
  server-ctrl { ... }
  client-data { ... }
  server-data { ... }
  init-timeout ... ;
  init-cmdlimit ... ;
* data-transfer ... ;
  retry-data ... ;
* session-acl name { ... }
* command-acl name { ... }
* doc-acl name { ... }
}

            

The ftp-proxy section is derived from the ftp-proxy section prototype. For a detailed description, see ftp-proxy(5).

gk-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  udpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  map-file ... ;
* session-acl name { ... }
}

            

The gk-proxy section is derived from the gk-proxy section prototype. For a detailed description, see gk-proxy(5).

h323-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  doctype-identification { ... }
  client-ctrl { ... }
  server-ctrl { ... }
  data-channel { ... }
  map-file ... ;
* session-acl name { ... }
  max-channel-ports ... ;
}

            

The h323-proxy section is derived from the h323-proxy section prototype. For a detailed description, see h323-proxy(5).

http-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  document-root ... ;
  hdr-line-len ... ;
  blacklist-db ... ;
  connect-data-mime-db ... ;
  ftp-proxy ... ;
  max-aproxy-sessions ... ;
  max-bypass-sessions ... ;
  oob-auth-srv ... ;
  ssl-session-cache { ... }
  aproxy-lock ... ;
  cookie-table { ... }
  extended-status ... ;
* session-acl name { ... }
* request-acl name { ... }
* doc-acl name { ... }
}

            

The http-proxy section is derived from the http-proxy section prototype. For a detailed description, see http-proxy(5).

icap-server name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  doctype-identification { ... }
  client-conn { ... }
  document-root ... ;
  hdr-line-len ... ;
  preview ... ;
  blacklist-db ... ;
  max-bypass-sessions ... ;
  ssl-session-cache { ... }
  ldap-cache { ... }
* session-acl name { ... }
* service-acl name { ... }
* request-acl name { ... }
* doc-acl name { ... }
}

            

The icap-server section is derived from the icap-server section prototype. For a detailed description, see icap-server(5).

imap4-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  ssl-session-cache { ... }
  mail-pool ... ;
* session-acl name { ... }
* command-acl name { ... }
* mail-acl name { ... }
* doc-acl name { ... }
}

            

The imap4-proxy section is derived from the imap4-proxy section prototype. For a detailed description, see imap4-proxy(5).

pop3-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  ssl-session-cache { ... }
  mail-pool ... ;
* session-acl name { ... }
* command-acl name { ... }
* mail-acl name { ... }
* doc-acl name { ... }
}

            

The pop3-proxy section is derived from the pop3-proxy section prototype. For a detailed description, see pop3-proxy(5).

sip-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  source-address ... ;
  doctype-identification { ... }
  queue-size ... ;
  hash-salt ... ;
  ctrl-conn { ... }
  data-conn { ... }
  map-file ... ;
  timeouts { ... }
  sessions-table-size ... ;
  sockets-table-size ... ;
* keepalive ... ;
* session-acl name { ... }
* request-acl name { ... }
}

            

The sip-proxy section is derived from the sip-proxy section prototype. For a detailed description, see sip-proxy(5).

smtp-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  mail-pool ... ;
  quarantine ... ;
  postmaster ... ;
  hostname ... ;
  init-timeout ... ;
  bad-commands ... ;
  bad-recipients ... ;
  dsn-mail-copy ... ;
  use-antivirus ... ;
  use-antispam ... ;
  ssl-session-cache { ... }
  grey-listing { ... }
* session-acl name { ... }
* delivery-acl name { ... }
* mail-acl name { ... }
* doc-acl name { ... }
}

            

The smtp-proxy section is derived from the smtp-proxy section prototype. For a detailed description, see smtp-proxy(5).

sqlnet-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  init-timeout ... ;
  protocol-version ... ;
  max-service-name-len ... ;
  check-reserved-bits ... ;
  connect-string-charset ... ;
  connect-packet-sizelimit ... ;
* session-acl name { ... }
* service-acl name { ... }
}

            

The sqlnet-proxy section is derived from the sqlnet-proxy section prototype. For a detailed description, see sqlnet-proxy(5).

proxy-ng name {


  phase ... ;
* tag ... ;
  use-resolver ... ;
  nodaemon ... ;
  app-user ... ;
  log-debug { ... }
  log-stats { ... }
  resolver-ng { ... }
  listen-on { ... }
  tcpserver { ... }
* cfg-begin ... ;
* cfg-end ... ;
* jval ... ;
  log-audit { ... }
* session-acl name { ... }
  http-proxy { ... }
}

            

The proxy-ng section is derived from the proxy-ng section prototype. For a detailed description, see proxy-ng(5).

proxy-ng-transp-ports ports;

ports (type: uint16-list)

TCP ports used for the transparent listening sockets of PROXY-NG. Defaults to ports {2, 3, 4, 5, 6, 7}.
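Every prototype on this page is printed in the same summary form: a header with an optional name parameter, one entry per line, `... ;` for an item, `{ ... }` for a subsection, and a leading `*` for a repeatable entry. The following Python is an added example, not code from this page or from Kernun. It parses that form and answers the audit questions a reviewer of a Kernun configuration tends to ask against this listing, for instance which sections accept a repeatable `raw` item (on this page: bird4, bird6, openvpn, snmpd and http-cache; by its name an escape hatch past the structured items, so worth a closer look in the referenced man page, which is an assumption here and not stated on this page) and which proxies offer which ACL layers. The SAMPLE text is a constructed, shortened copy of three listings from this page; the names `parse`, `sections_with` and `acl_layers` are this example's own.

```python
"""Parser and audit helper for Kernun section prototype summaries.

Added example: this is not code from the system(5) page or from Kernun.
It parses the prototype listing format used throughout this page,

    section-name [name] {
      item ... ;
      subsection { ... }
    * repeatable-item ... ;
    }

where a leading '*' marks a repeatable item or subsection, and then
answers audit questions such as "which sections accept a raw item".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: shortened copies of three prototypes listed on this page.
SAMPLE = """\
bird4 {

  phase ... ;
* tag ... ;
  use-id ... ;
  static { ... }
* raw ... ;
}

snmpd {
  phase ... ;
* tag ... ;
  listen-on { ... }
* user ... ;
* raw ... ;
}

tcp-proxy name {
  phase ... ;
  app-user ... ;
  listen-on { ... }
  client-ssl ... ;
* session-acl name { ... }
}
"""

HEADER = re.compile(r"^(\S+)(\s+name)?\s*\{$")
ENTRY = re.compile(r"^(\*?)\s*(\S+)(?:\s+name)?\s+(\.\.\.\s*;|\{\s*\.\.\.\s*\})$")


@dataclass
class Entry:
    name: str
    repeatable: bool   # marked with a leading '*'
    is_section: bool   # written as '{ ... }' rather than '... ;'


@dataclass
class Proto:
    name: str
    named: bool        # the section header takes a name parameter
    entries: list = field(default_factory=list)


def parse(text):
    """Parse one or more prototype summaries; raise ValueError on malformed input."""
    protos, cur = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                      # blank lines carry no information
        if cur is None:
            m = HEADER.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected section header, got {line!r}")
            cur = Proto(name=m.group(1), named=m.group(2) is not None)
        elif line == "}":
            protos.append(cur)
            cur = None
        else:
            m = ENTRY.match(line)
            if not m:
                raise ValueError(f"line {lineno}: malformed entry {line!r}")
            cur.entries.append(Entry(m.group(2), m.group(1) == "*", m.group(3).startswith("{")))
    if cur is not None:
        raise ValueError(f"unterminated section {cur.name!r}")
    return protos


def sections_with(protos, item):
    """Sorted names of sections whose prototype contains an entry called `item`."""
    return sorted(p.name for p in protos if any(e.name == item for e in p.entries))


def acl_layers(protos):
    """Map each section name to the *-acl subsections it offers, in listing order."""
    return {p.name: [e.name for e in p.entries if e.is_section and e.name.endswith("-acl")]
            for p in protos}


if __name__ == "__main__":
    protos = parse(SAMPLE)
    print("sections accepting raw:", sections_with(protos, "raw"))
    print("sections with app-user:", sections_with(protos, "app-user"))
    for name, acls in acl_layers(protos).items():
        print(f"{name}: {acls or '(no ACL layers)'}")
```

To audit a real page, paste the complete listings from this manual into SAMPLE (or read them from a file) and query for the items that matter to the review at hand, such as `raw`, `app-user` or `nodaemon`; the parser rejects a listing whose entries do not follow the summary form, so a copy-paste error surfaces as a ValueError rather than a silently empty result.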

[End of section system description.]

SEE ALSO

configuration(7), acl(5), adaptive-firewall(5), alertd(5), antivirus(5), application(5), atr(5), auth(5), clear-web-db(5), common(5), dhcp-server(5), dns-proxy(5), feedback(5), ftp-proxy(5), gk-proxy(5), h323-proxy(5), http-cache(5), http-proxy(5), ica(5), icap-server(5), imap4-proxy(5), interface(5), ipc(5), ipsec(5), ldap(5), license(5), listen-on(5), log(5), mod-antispam(5), mod-html-filter(5), mod-mail-doc(5), mod-match(5), nameserver(5), newsyslog.conf(5), ntp(5), openvpn(5), packet-filter(5), periodic.conf(5), pf-queue(5), pike(5), pop3-proxy(5), proxy-ng(5), radius(5), resolver(5), router(5), rtadvd(5), sip-proxy(5), smtp-proxy(5), snmpd(5), source-address(5), sqlnet-proxy(5), ssh(5), ssl(5), sysctl(5), tcp-proxy(5), time(5), udp-proxy(5), udpserver(5), update(5), cml(8), kat(8)