tcp-proxy — format of tcp-proxy component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the tcp-proxy component configuration.
Repeatable sections/items are marked by the '*' before the section/item name.
Configuration directives have attributes of several value-types. For a description of the basic types, see configuration(7).
An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, the use of names is obligatory.
The following enumerations are used in tcp-proxy configuration directives:
yes-no (see common(5))
direction (see common(5))
ip-version (see common(5))
osi4-proto (see common(5))
time-cond (see common(5))
zip-mode (see common(5))
obligation (see common(5))
dbglev (see log(5))
logfail-mode (see log(5))
week-day (see time(5))
month (see time(5))
lock-type (see ipc(5))
auth-method (see auth(5))
source-address-mode (see source-address(5))
transparency (see acl(5))
user-auth-spec (see acl(5))
doctype-ident-method (see acl(5))
listen-on-sock (see listen-on(5))
Configuration of the tcp-proxy library component consists of the following prototypes:
* tcp-proxy name { ... }
tcp-proxy name {
phase ... ;
* tag ... ;
log-debug { ... }
log-stats { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
app-user ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
source-address ... ;
doctype-identification { ... }
client-conn { ... }
server-conn { ... }
err-reset ... ;
ssl-session-cache { ... }
client-ssl ... ;
client-ssl-timeout ... ;
data-mime-db ... ;
auth ... ;
* session-acl name { ... }
}
Generic TCP proxy configuration.
The tcp-proxy section is derived from the proxy section prototype. For a detailed description of it, see application(5).
tcp-proxy section:
Section udpserver is not valid.
At least one SESSION-ACL must be specified (the proxy must be named in some SYSTEM.ACL.SERVICES).
monitoring (see monitoring(5)):
Item aproxy-user is not valid.
Item data is not valid.
idle-timeout (see application(5)):
Element seconds is optional, default: 2d.
listen-on.non-transparent (see listen-on(5)):
Element proto is optional, default: tcp.
listen-on.transparent (see listen-on(5)):
Element proto is optional, default: tcp.
client-conn {
recv-bufsize ... ;
close-timeout ... ;
send-bufsize ... ;
log-limit ... ;
}
Connection to client options.
The client-conn section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).
client-conn section:
Item conn-timeout is not valid.
Item recv-timeout is not valid.
Item send-timeout is not valid.
server-conn {
conn-timeout ... ;
recv-bufsize ... ;
close-timeout ... ;
send-bufsize ... ;
log-limit ... ;
}
Connection to server options.
The server-conn section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).
server-conn section:
Item recv-timeout is not valid.
Item send-timeout is not valid.
err-reset;
If set, reset the connection on error (otherwise use a normal TCP close).
ssl-session-cache {
capacity ... ;
dir ... ;
lock ... ;
}
The ssl-session-cache section is derived from the ssl-session-cache section prototype. For a detailed description of it, see ssl(5).
client-ssl params;
Use SSL/TLS on the connection from a client.
params (type: name of ssl-params, see ssl(5))
client-ssl-timeout seconds;
Timeout for the SSL/TLS handshake with the client.
seconds (type: uint32)
data-mime-db filename;
Data MIME type mapping file.
filename (type: name of shared-file, see common(5))
auth none;
auth passwd file;
auth radius client;
auth ldap ldap;
auth ext file;
auth oob oob [mode [loose]];
Authentication method and attributes specification. For more details, see auth(7).
(type: auth-method)
file (type: str) Password/utility file name.
client (type: name of radius-client, see radius(5)) RADIUS client configuration name.
ldap (type: name of ldap-client-auth, see ldap(5)) LDAP client configuration parameters.
oob (type: name of oob-auth, see auth(5)) OOB authentication parameters.
mode (type: obligation, optional, default: allowed)
loose (type: key, optional)
Only out-of-band authentication is supported in this proxy.
session-acl name {
* from ... ;
* to ... ;
* user ... ;
* time ... ;
time-period-set { ... }
deny ... ;
accept ... ;
* doctype-ident-order ... ;
rule ... ;
idle-timeout ... ;
idle-timeout-peer ... ;
source-address ... ;
plug-to ... ;
* client-cert-match ... ;
* ip-tos-from-client ... ;
max-bytes-in ... ;
max-bytes-out ... ;
max-time ... ;
cl2srv-halfclosed-time ... ;
srv2cl-halfclosed-time ... ;
server-ssl ... ;
data-filter-client ... ;
data-filter-server ... ;
* server-cert-match ... ;
client-altq ... ;
server-altq ... ;
ip-tos-to-client { ... }
ip-tos-to-server { ... }
}
The session-acl section is derived from the acl-1 section prototype. For a detailed description of it, see acl(5).
session-acl section:
Item auth is not valid.
SSL/TLS is required on the connection in order to match server certificates.
client-cert-match [subject subject] [issuer issuer];
Select an ACL according to a client certificate.
subject subject (type: str-set, optional, default: *) acceptable certificate subjects
issuer issuer (type: str-set, optional, default: *) acceptable certificate issuers
ip-tos-from-client val;
Testing an IP TOS value of received packets.
val (type: uint8-set)
max-bytes-in bytes;
Maximum number of bytes from server to client.
bytes (type: uint64)
max-bytes-out bytes;
Maximum number of bytes from client to server.
bytes (type: uint64)
max-time seconds;
Maximum time of a session.
seconds (type: uint32)
cl2srv-halfclosed-time seconds;
Maximum duration of client to server communication after the connection is half-closed in the server to client direction.
seconds (type: uint32)
srv2cl-halfclosed-time seconds;
Maximum duration of server to client communication after the connection is half-closed in the client to server direction.
seconds (type: uint32)
server-ssl params;
Use SSL/TLS on the connection to a server.
params (type: name of ssl-params, see ssl(5))
data-filter-client rules;
Client data filtering.
rules (type: name of data-match, see mod-match(5))
data-filter-server rules;
Server data filtering.
rules (type: name of data-match, see mod-match(5))
server-cert-match [subject subject] [issuer issuer];
Requirements for the server certificate.
subject subject (type: str-set, optional, default: *) acceptable certificate subjects
issuer issuer (type: str-set, optional, default: *) acceptable certificate issuers
client-altq altq [paltq paltq];
ALTQ queues for data sent to the client.
altq (type: name of pf-queue, see pf-queue(5)) queue name
paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)
server-altq altq [paltq paltq];
ALTQ queues for data sent to the server.
altq (type: name of pf-queue, see pf-queue(5)) queue name
paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)
ip-tos-to-client {
fixed ... ;
received ... ;
other ... ;
}
The ip-tos-to-client section is derived from the ip-tos-to-client section prototype. For a detailed description of it, see netio(5).
ip-tos-to-server {
fixed ... ;
received ... ;
other ... ;
}
The ip-tos-to-server section is derived from the ip-tos-to-server section prototype. For a detailed description of it, see netio(5).
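The following is an added example, not part of this man page and not Kernun's own code: a small parser for the item/section syntax this page uses (items end with ';', sections are 'name [label] { ... }') together with checks for the constraints the page states for tcp-proxy: at least one session-acl, the items marked "not valid" in tcp-proxy, client-conn, server-conn and session-acl, the uint32/uint64 value types of the limits, and the note that server certificates can only be matched when SSL/TLS is used on the server connection. The two configurations embedded in it are constructed for illustration; the proxy and ACL names, the ssl-params names, the certificate subject and issuer and all numeric values are assumptions, and the value checks are a simplification of the real parser's type handling.

```python
"""Added example (not Kernun's code): parse the tcp-proxy(5) item/section
syntax and check the constraints the man page states."""
import re

# Constructed sample: a tcp-proxy with one session-acl that limits traffic
# volume and duration, bounds half-closed states and requires a matching
# server certificate over SSL/TLS. All names and values are assumptions.
SAMPLE_CFG = """
tcp-proxy tcp1 {
    err-reset;
    client-ssl tls-client-params;
    client-ssl-timeout 30;
    client-conn { recv-bufsize 65536; }
    server-conn { conn-timeout 20; }
    session-acl to-db {
        max-bytes-in 1048576;
        max-bytes-out 1048576;
        max-time 3600;
        cl2srv-halfclosed-time 60;
        srv2cl-halfclosed-time 60;
        server-ssl tls-server-params;
        server-cert-match subject "CN=db.example.test";
    }
}
"""

# Constructed variant breaking three page rules: auth inside session-acl,
# conn-timeout inside client-conn, server-cert-match without server-ssl.
BAD_CFG = """
tcp-proxy tcp2 {
    client-conn { conn-timeout 10; }
    session-acl plain {
        auth none;
        server-cert-match issuer "CN=Example CA";
    }
}
"""

TOKEN = re.compile(r'"[^"]*"|\{|\}|;|[^\s{};"]+')

# "... is not valid" notes from the page, keyed by the enclosing section kind.
INVALID = {
    "tcp-proxy": {"udpserver"},
    "client-conn": {"conn-timeout", "recv-timeout", "send-timeout"},
    "server-conn": {"recv-timeout", "send-timeout"},
    "session-acl": {"auth"},
}
UINT32_ITEMS = {"client-ssl-timeout", "max-time",
                "cl2srv-halfclosed-time", "srv2cl-halfclosed-time"}
UINT64_ITEMS = {"max-bytes-in", "max-bytes-out"}


def parse(text):
    """Return {'items': [(name, [args])], 'sections': [(name, label, node)]}."""
    tokens = TOKEN.findall(text)
    pos = 0

    def node():
        nonlocal pos
        cur = {"items": [], "sections": []}
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in (";", "{"):
                words.append(tokens[pos])
                pos += 1
            if pos == len(tokens) or not words:
                raise ValueError("unterminated or empty directive")
            if tokens[pos] == ";":          # item: name args... ;
                pos += 1
                cur["items"].append((words[0], words[1:]))
            else:                           # section: name [label] { ... }
                pos += 1
                child = node()
                pos += 1                    # consume the closing '}'
                label = words[1] if len(words) > 1 else None
                cur["sections"].append((words[0], label, child))
        return cur
    return node()


def _fits(args, maxval):
    return bool(args) and args[0].isdigit() and int(args[0]) <= maxval


def check_proxy(proxy):
    """Return the list of page-rule violations for one tcp-proxy section."""
    errors = []
    acls = [s for s in proxy["sections"] if s[0] == "session-acl"]
    if not acls:
        errors.append("at least one session-acl must be specified")

    def walk(kind, nd, where):
        for name, args in nd["items"]:
            if name in INVALID.get(kind, ()):
                errors.append(f"{where}: item {name} is not valid")
            if name in UINT32_ITEMS and not _fits(args, 2**32 - 1):
                errors.append(f"{where}: {name} needs a uint32 value")
            if name in UINT64_ITEMS and not _fits(args, 2**64 - 1):
                errors.append(f"{where}: {name} needs a uint64 value")
        for name, _label, child in nd["sections"]:
            if name in INVALID.get(kind, ()):
                errors.append(f"{where}: section {name} is not valid")
            walk(name, child, f"{where}.{name}")
    walk("tcp-proxy", proxy, "tcp-proxy")

    for _, label, acl in acls:   # certificate matching needs SSL/TLS to the server
        names = {n for n, _ in acl["items"]}
        if "server-cert-match" in names and "server-ssl" not in names:
            errors.append(f"session-acl {label}: server-cert-match requires server-ssl")
    return errors


def check_config(text):
    """Map every tcp-proxy label in the text to its list of violations."""
    top = parse(text)
    return {label: check_proxy(sec)
            for name, label, sec in top["sections"] if name == "tcp-proxy"}


if __name__ == "__main__":
    for label, errs in check_config(SAMPLE_CFG + BAD_CFG).items():
        print(label, errs or "ok")
```

Running the block reports tcp1 as clean and lists the three violations in tcp2; the checks are deliberately limited to what this page states, so items inherited from the proxy, sock-opt and acl-1 prototypes are parsed but not type-checked.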
[End of section tcp-proxy.session-acl description.]
[End of section tcp-proxy description.]