udp-proxy — format of udp-proxy component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the udp-proxy component configuration.
Repeatable sections/items are marked by '*' before the section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, the names must be used.
The following enumerations are used in udp-proxy configuration directives:
yes-no (see common(5))
direction (see common(5))
ip-version (see common(5))
osi4-proto (see common(5))
time-cond (see common(5))
zip-mode (see common(5))
obligation (see common(5))
week-day (see time(5))
month (see time(5))
auth-method (see auth(5))
source-address-mode (see source-address(5))
source-port-mode (see source-address(5))
transparency (see acl(5))
user-auth-spec (see acl(5))
doctype-ident-method (see acl(5))
dbglev (see log(5))
logfail-mode (see log(5))
udp-session-type (see udpserver(5))
listen-on-sock (see listen-on(5))

Configuration of the udp-proxy library component consists of the following prototypes:
* udp-proxy name { ... }
udp-proxy name {
phase ... ;
* tag ... ;
log-debug { ... }
log-stats { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
app-user ... ;
run-block-sigalrm ... ;
listen-on { ... }
udpserver { ... }
source-address ... ;
doctype-identification { ... }
auth ... ;
* session-acl name { ... }
}
Generic UDP proxy configuration.
The udp-proxy section is derived from the proxy section prototype.
For a detailed description of it, see application(5).

udp-proxy section:
  Item idle-timeout is not valid.
  Section tcpserver is not valid.
  Section UDPSERVER is required.
  At least one SESSION-ACL must be specified (the proxy must be named in some SYSTEM.ACL.SERVICES).
monitoring (see monitoring(5)):
  Item aproxy-user is not valid.
  Item data is not valid.
listen-on.non-transparent (see listen-on(5)):
  Element proto is optional, default: udp.
listen-on.transparent (see listen-on(5)):
  Element proto is optional, default: udp.
auth none;
auth passwd file;
auth radius client;
auth ldap ldap;
auth ext file;
auth oob oob [mode [loose]];
Authentication method and attributes specification.
For more details, see auth(7).
none|passwd|radius|ldap|ext|oob (type: auth-method)
file (type: str)  Password/utility file name.
client (type: name of radius-client, see radius(5))  RADIUS client configuration name.
ldap (type: name of ldap-client-auth, see ldap(5))  LDAP client configuration parameters.
oob (type: name of oob-auth, see auth(5))  OOB authentication parameters.
mode (type: obligation, optional, default: allowed)
loose (type: key, optional)
Only out-of-band authentication is supported in this proxy.
session-acl name {
* from ... ;
* to ... ;
* user ... ;
* time ... ;
time-period-set { ... }
deny ... ;
accept ... ;
* doctype-ident-order ... ;
rule ... ;
idle-timeout ... ;
idle-timeout-peer ... ;
source-address ... ;
plug-to ... ;
source-port ... ;
max-dgrams-in ... ;
max-dgrams-out ... ;
max-dgram-sz-in ... ;
max-dgram-sz-out ... ;
max-bytes-in ... ;
max-bytes-out ... ;
session-timeout ... ;
session ... ;
client-altq ... ;
server-altq ... ;
}
The session-acl section is derived from the acl-1 section prototype.
For a detailed description of it, see acl(5).

session-acl section:
  Item auth is not valid.
  SOURCE-PORT can be used with SOURCE-ADDRESS CLIENT only.
idle-timeout (see acl(5)):
  Element seconds is optional, default: 60.

source-port client;
source-port [force] port;
Source port for outgoing connections to the server.
Can be used only with SOURCE-ADDRESS CLIENT.
If omitted, a generic port will be used.
client|force (type: source-port-mode, optional, default: force)
port (type: port)  Use the specified port.
max-dgrams-in number;
Maximum number of datagrams from server to client (0 = unlimited).
number (type: uint64)

max-dgrams-out number;
Maximum number of datagrams from client to server (0 = unlimited).
number (type: uint64)

max-dgram-sz-in [bytes];
Maximum size of a datagram from server to client.
bytes (type: uint16, optional, default: 65535)

max-dgram-sz-out [bytes];
Maximum size of a datagram from client to server.
bytes (type: uint16, optional, default: 65535)

max-bytes-in bytes;
Maximum number of bytes from server to client.
bytes (type: uint64)

max-bytes-out bytes;
Maximum number of bytes from client to server.
bytes (type: uint64)

session-timeout [seconds];
Maximum duration of a session.
seconds (type: uint31, optional, default: 0)  Duration in seconds (0 = unlimited).

session one-way;
session [normal];
session any-port;
session any-sock;
session broadcast [bits];
Type of session establishment.
one-way|normal|any-port|any-sock|broadcast (type: udp-session-type, optional, default: normal)
bits (type: uint8, optional, default: 24)  Mask size for correct responder recognition.
The number of bits must be at most 32.
client-altq altq;
ALTQ queue for data sent to the client.
altq (type: name of pf-queue, see pf-queue(5))  Queue name.

server-altq altq;
ALTQ queue for data sent to the server.
altq (type: name of pf-queue, see pf-queue(5))  Queue name.
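The following configuration fragment is an added example, not part of the udp-proxy(5) man page or the Kernun distribution: a udp-proxy instance that forwards syslog over UDP to a single collector, with the per-session limits described above, plus a second session-acl showing the broadcast session type. The proxy and acl names and all addresses are constructed; the argument syntax of listen-on, udpserver, from and to is assumed here, so check listen-on(5), udpserver(5) and acl(5) for the authoritative forms.

```conf
# Added example (constructed); socket notation [addr]:port and the from/to
# argument forms are assumed, see listen-on(5) and acl(5).
udp-proxy SYSLOG-FWD {
    listen-on {
        non-transparent [10.0.0.1]:514;   # proto omitted, defaults to udp
    }
    udpserver { }                         # required section, defaults assumed sufficient
    session-acl INTERNAL-TO-COLLECTOR {
        from [10.0.0.0/8];
        to   [192.0.2.10]:514;
        accept;
        session normal;              # default type: one fixed client/server pair
        idle-timeout 120;            # end the session after 120 s without traffic
        session-timeout 3600;        # and after one hour regardless (0 would be unlimited)
        max-dgram-sz-out 2048;       # cap client-to-server datagram size at 2048 bytes
        max-dgrams-in 0;             # collector is not expected to reply; 0 = unlimited
        max-bytes-out 104857600;     # 100 MiB per session from client to server
        source-address client;       # keep the original client address towards the server ...
        source-port force 514;       # ... and force UDP port 514; valid only with source-address client
    }
    # Discovery-style traffic where the responder may differ from the queried address
    session-acl BROADCAST-DISCOVERY {
        from [10.0.0.0/8];
        to   [10.0.0.255]:1900;
        accept;
        session broadcast 24;        # accept responders within the same /24 (bits must be <= 32)
        max-dgrams-out 1;            # one query per session
        max-dgrams-in 64;            # at most 64 answers before the session is closed
        session-timeout 10;
    }
}
```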
[End of section udp-proxy.session-acl description.]
[End of section udp-proxy description.]