10a454ad |
1 | .\" -*-nroff-*- |
667fb920 |
2 | .\" |
723210e6 |
3 | .\" $Id: fw.1,v 1.11 2001/02/05 19:47:11 mdw Exp $ |
667fb920 |
4 | .\" |
5 | .\" Manual page for fw |
6 | .\" |
7 | .\" (c) 1999 Straylight/Edgeware |
8 | .\" |
9 | . |
10 | .\"----- Licensing notice --------------------------------------------------- |
11 | .\" |
12 | .\" This file is part of the `fw' port forwarder. |
13 | .\" |
14 | .\" `fw' is free software; you can redistribute it and/or modify |
15 | .\" it under the terms of the GNU General Public License as published by |
16 | .\" the Free Software Foundation; either version 2 of the License, or |
17 | .\" (at your option) any later version. |
18 | .\" |
19 | .\" `fw' is distributed in the hope that it will be useful, |
20 | .\" but WITHOUT ANY WARRANTY; without even the implied warranty of |
21 | .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
22 | .\" GNU General Public License for more details. |
23 | .\" |
24 | .\" You should have received a copy of the GNU General Public License |
25 | .\" along with `fw'; if not, write to the Free Software Foundation, |
26 | .\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
27 | . |
28 | .\" ---- Revision history --------------------------------------------------- |
29 | .\" |
30 | .\" $Log: fw.1,v $ |
723210e6 |
31 | .\" Revision 1.11 2001/02/05 19:47:11 mdw |
32 | .\" Minor fixings to wording. |
33 | .\" |
372a98e2 |
34 | .\" Revision 1.10 2001/02/03 20:30:03 mdw |
35 | .\" Support re-reading config files on SIGHUP. |
36 | .\" |
fc170a33 |
37 | .\" Revision 1.9 2000/03/23 00:37:33 mdw |
38 | .\" Add option to change user and group after initialization. Naughtily |
39 | .\" reassign short equivalents of --grammar and --options. |
40 | .\" |
370e3c14 |
41 | .\" Revision 1.8 1999/12/22 15:44:43 mdw |
42 | .\" Fix some errors, and document new option. |
43 | .\" |
d857515e |
44 | .\" Revision 1.7 1999/10/22 22:45:15 mdw |
45 | .\" Describe new socket connection options. |
46 | .\" |
333c51f4 |
47 | .\" Revision 1.6 1999/10/10 16:46:29 mdw |
48 | .\" Include grammar and options references at the end of the manual. |
49 | .\" |
cdc917d3 |
50 | .\" Revision 1.5 1999/09/26 18:18:05 mdw |
51 | .\" Remove a fixed bug from the list. Fix some nasty formatting |
52 | .\" misfeatures. |
53 | .\" |
e73034b0 |
54 | .\" Revision 1.4 1999/08/19 18:32:48 mdw |
55 | .\" Improve lexical analysis. In particular, `chmod' patterns don't have to |
56 | .\" be quoted any more. |
57 | .\" |
96bc31ba |
58 | .\" Revision 1.3 1999/07/30 06:49:00 mdw |
59 | .\" Minor tidying and typo correction. |
60 | .\" |
667fb920 |
61 | .\" Revision 1.2 1999/07/26 23:31:04 mdw |
62 | .\" Document lots of new features and syntax. |
63 | .\" |
64 | . |
65 | .\"----- Various bits of fancy styling -------------------------------------- |
66 | . |
67 | .\" --- Indented paragraphs with right-aligned tags --- |
68 | . |
10a454ad |
69 | .de hP |
70 | .IP |
71 | \h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c |
72 | .. |
667fb920 |
73 | . |
74 | .\" --- Verbatim-oid typesetting --- |
75 | .de VS |
76 | .sp 1 |
77 | .RS |
78 | .nf |
79 | .ft B |
80 | .. |
81 | .de VE |
82 | .ft R |
83 | .fi |
84 | .RE |
85 | .sp 1 |
86 | .. |
87 | . |
333c51f4 |
88 | .\" --- Grammar markup --- |
89 | .\" |
90 | .\" This is mainly for the benefit of the automatic scripts which |
91 | .\" generate the grammar summary. |
92 | . |
93 | .de GS |
94 | .PP |
95 | .. |
96 | .de GE |
97 | .PP |
98 | .. |
99 | . |
100 | .de OS |
101 | .PP |
102 | .. |
103 | .de OD |
104 | .RS |
105 | .. |
106 | .de OE |
107 | .RE |
108 | .. |
109 | . |
667fb920 |
110 | .\" --- Other bits of styling --- |
111 | . |
112 | .ie t \{\ |
113 | . ds o \(bu |
114 | . ds ss \s8\u |
115 | . ds se \d\s0 |
116 | . if \n(.g \{\ |
117 | . fam P |
118 | . \} |
119 | .\} |
120 | .el \{\ |
121 | . ds o o |
122 | . ds ss ^ |
123 | . ds se |
124 | .\} |
125 | . |
126 | .\"-------------------------------------------------------------------------- |
127 | . |
10a454ad |
128 | .TH fw 1 "1 July 1999" fw |
667fb920 |
129 | . |
130 | .\"-------------------------------------------------------------------------- |
10a454ad |
131 | .SH NAME |
667fb920 |
132 | . |
10a454ad |
133 | fw \- port forwarder |
667fb920 |
134 | . |
135 | .\"-------------------------------------------------------------------------- |
10a454ad |
136 | .SH SYNOPSIS |
667fb920 |
137 | . |
10a454ad |
138 | .B fw |
370e3c14 |
139 | .RB [ \-dlq ] |
10a454ad |
140 | .RB [ \-f |
141 | .IR file ] |
fc170a33 |
142 | .RB [ \-s |
143 | .IR user ] |
144 | .RB [ \-g |
145 | .IR group ] |
10a454ad |
146 | .IR config-stmt ... |
667fb920 |
147 | . |
148 | .\"-------------------------------------------------------------------------- |
149 | .SH "DESCRIPTION" |
150 | . |
10a454ad |
151 | The |
152 | .B fw |
153 | program is a simple port forwarder. It supports a number of features |
154 | the author hasn't found in similar programs: |
155 | .TP |
156 | .I "Connection logging" |
157 | Each connection attempt to the forwarder is logged, giving the time of |
158 | the connection, the DNS-resolved hostname (if available), and the user |
159 | name resulting from an RFC931 lookup. These lookups are done |
160 | asynchronously to the main forwarder's operation. |
161 | .TP |
162 | .I "Access control" |
163 | Each forwarded port may have an access control list attached to it. |
164 | Only authorized hosts are allowed to connect. Access control checks are |
165 | performed by quick checks on the client's IP address. |
166 | .TP |
167 | .I "Nonblocking single-process design" |
168 | The internal structure of the server is completely nonblocking. The |
169 | connections don't block; the reading and writing don't block; the name |
170 | lookups don't block. This is all done in a single process, with the |
171 | single exception of the DNS resolver. |
667fb920 |
172 | .TP |
173 | .I "Support for Unix-domain sockets" |
174 | Connections from and to Unix-domain sockets can be handled just as |
96bc31ba |
175 | easily as more normal Internet sockets. Access control doesn't work on |
667fb920 |
176 | Unix domain sockets, though. (Yet.) |
10a454ad |
177 | .SS "Command line options" |
178 | The |
179 | .B fw |
180 | program understands a few simple command line options: |
181 | .TP |
182 | .B "\-h, \-\-help" |
183 | Displays a screen of help text on standard output and exits |
184 | successfully. |
185 | .TP |
186 | .B "\-v, \-\-version" |
187 | Writes the version number to standard output and exits successfully. |
188 | .TP |
189 | .B "\-u, \-\-usage" |
190 | Writes a terse usage summary to standard output and exits successfully. |
191 | .TP |
fc170a33 |
192 | .B "\-G, \-\-grammar" |
193 | Writes a summary of the configuration file grammar to standard output |
194 | and exits successfully. |
195 | .TP |
196 | .B "\-O, \-\-options" |
197 | Writes a summary of the source and target options to standard output and |
198 | exits successfully. |
199 | .TP |
10a454ad |
200 | .BI "\-f, \-\-file=" file |
201 | Read configuration information from |
202 | .IR file . |
667fb920 |
203 | Equivalent to an |
204 | .RB ` include |
205 | .IR file ' |
206 | configuration file statement. |
10a454ad |
207 | .TP |
667fb920 |
208 | .B "\-d, \-\-daemon, \-\-fork" |
10a454ad |
209 | Forks into the background after reading the configuration and |
210 | initializing properly. |
667fb920 |
211 | .TP |
370e3c14 |
212 | .B "\-l, \-\-syslog, \-\-log" |
213 | Emit logging information to the system log, rather than standard error. |
214 | .TP |
fc170a33 |
215 | .B "\-q, \-\-quiet" |
667fb920 |
216 | Don't output any logging information. This option is not recommended |
217 | for normal use, although it can make system call traces clearer so I use |
218 | it when debugging. |
fc170a33 |
219 | .TP |
220 | .BI "\-s, \-\-setuid=" user |
221 | Change uid to that of |
222 | .IR user , |
223 | which may be either a user name or uid number, after initializing all |
224 | the sources. This will usually require elevated privileges. |
225 | .TP |
226 | .BI "\-g, \-\-setgid=" group |
227 | Change gid to that of |
228 | .IR group , |
229 | which may be either a group name or gid number, after initializing all |
230 | the sources. If the operating system understands supplementary groups |
231 | then the supplementary groups list is altered to include only |
232 | .IR group . |
10a454ad |
233 | .PP |
234 | Any further command line arguments are interpreted as configuration |
235 | lines to be read. Configuration supplied in command line arguments has |
236 | precisely the same syntax as configuration in files. If there are no |
96bc31ba |
237 | configuration statements on the command line, and no |
10a454ad |
238 | .B \-f |
239 | options were supplied, configuration is read from standard input, if |
240 | stdin is not a terminal. |
667fb920 |
241 | . |
242 | .\"-------------------------------------------------------------------------- |
243 | .SH "CONFIGURATION LANGUAGE" |
244 | . |
245 | The |
246 | .B fw |
247 | program has a fairly sophisticated configuration language to let you |
248 | describe which things should be forwarded where and what special |
249 | features there should be. |
250 | .SS "Lexical structure" |
251 | There are four types of characters. |
252 | .TP |
253 | .I "word constituent characters" |
96bc31ba |
254 | Word constituent characters are gathered together into words. |
667fb920 |
255 | Depending on its surrounding context, a word might act as a keyword or a |
256 | string. All alphanumerics are word constituents, as is the hyphen |
257 | .RB ` \- '. |
258 | Other characters may change their status in future versions. |
259 | .TP |
260 | .I "self-delimiting characters" |
261 | Self-delimiting characters always stand alone. They act as punctuation, |
262 | shaping the sequence of words into more complex grammatical forms. The |
263 | characters |
264 | .RB ` { ', |
265 | .RB ` } ', |
266 | .RB ` [ ', |
267 | .RB ` ] ', |
268 | .RB ` / ', |
269 | .RB ` , ', |
270 | .RB ` = ', |
271 | .RB ` : ', |
272 | .RB ` ; ' |
273 | and |
274 | .RB ` . ' |
275 | are self-delimiting. Note that while some characters, e.g., |
276 | .RB ` [ ' |
277 | and |
278 | .RB ` ; ', |
372a98e2 |
279 | require escaping by the shell, they are mostly optional in the grammar |
280 | and can tend to be omitted in quick hacks at the shell prompt. |
667fb920 |
281 | .TP |
282 | .I "whitespace characters" |
283 | Whitespace characters separate words but are otherwise ignored. All |
284 | `normal' whitespace characters (e.g., space, tab and newline) are |
285 | considered to be whitespace for these purposes. |
286 | .TP |
287 | .I "special characters" |
288 | There are three special characters. The |
289 | .RB ` # ' |
290 | character, if it appears at the start of a word, introduces a |
291 | .I comment |
292 | which extends to the end of the current line or command-line argument. |
293 | Within a word, it behaves like a normal word-constituent character. The |
294 | backslash |
295 | .RB ` \e ' |
296 | escapes the following character causing it to be interpreted as a word |
297 | constituent regardless of its normal type. The double-quote |
298 | .RB ` """" ' |
299 | escapes all characters other than backslashes up to the next |
300 | double-quote and causes them to be regarded as word constituents. Note |
301 | that you don't have to quote a whole word. The backslash can escape a |
302 | quote character allowing you to insert it into a word if really |
303 | necessary. |
304 | . |
305 | .SS "Basic syntax" |
306 | The overall syntax looks a bit like this: |
333c51f4 |
307 | .GS "Basic syntax" |
667fb920 |
308 | .I file |
10a454ad |
309 | ::= |
667fb920 |
310 | .I empty |
311 | | |
312 | .I file |
313 | .I stmt |
314 | .RB [ ; ] |
10a454ad |
315 | .br |
316 | .I stmt |
317 | ::= |
667fb920 |
318 | .I option-stmt |
319 | | |
320 | .I fw-stmt |
321 | .br |
322 | .I fw-stmt |
323 | ::= |
324 | .B fw |
325 | .I source |
326 | .I options |
327 | .RB [ to | \-> ] |
328 | .I target |
329 | .I options |
330 | .br |
331 | .I options |
332 | ::= |
333 | .B { |
334 | .I option-seq |
335 | .B } |
336 | .br |
337 | .I option-seq |
338 | ::= |
339 | .I empty |
340 | | |
341 | .I option-stmt |
342 | .RB [ ; ] |
343 | .I option-seq |
333c51f4 |
344 | .GE |
667fb920 |
345 | If you prefer, the keyword |
346 | .RB ` fw ' |
347 | may be spelt |
348 | .RB ` forward ' |
349 | or |
350 | .RB ` from '. |
351 | All are equivalent. |
352 | . |
353 | .SS "Sources and targets" |
354 | Forwarding is set up by attaching |
355 | .I targets |
356 | to |
357 | .IR sources . |
358 | Sources are things which are capable of |
359 | .I initiating |
360 | one end of a data flow on their own, while targets are things which are |
361 | capable of setting up the other end on demand. In the case of a TCP |
362 | port forwarder, the part which listens for incoming client connections |
363 | is the source, while the part which sets up outgoing connections to the |
364 | destination server is the target. |
365 | .PP |
366 | Essentially, all |
367 | .B fw |
368 | does is set up a collection of sources and targets based on your |
369 | configuration file so that when a source decides to initiate a data |
370 | flow, it tells its target to set its end up, and then squirts data back |
371 | and forth between the two until there's no more. |
372 | .PP |
373 | Some sources are |
374 | .IR persistent : |
375 | they stay around indefinitely setting up multiple attachments to |
376 | targets. Others are |
377 | .IR transient : |
378 | they set up one connection and then disappear. If all the sources |
379 | defined are transient, then |
380 | .B fw |
381 | will quit when no more active sources remain and all connections have |
382 | terminated. |
383 | .PP |
384 | The |
385 | .B fw |
386 | program is fairly versatile. It allows you to attach any supported type |
387 | of source to any supported type of target. This will, I hope, be the |
388 | case in all future versions. |
389 | .PP |
390 | The syntax of a |
391 | .I source |
392 | or |
393 | .I target |
394 | depend on the source or target type, and are therefore described in the |
395 | sections specific to the various types. |
396 | . |
397 | .SS "Options structure" |
398 | Most of the objects that |
399 | .B fw |
400 | knows about (including sources and targets, but also other more specific |
401 | things such as socket address types) can have their behaviour modified |
402 | by |
403 | .IR options . |
404 | The options available at a particular point in the configuration depend |
405 | on the |
406 | .IR context . |
407 | A global option, outside of a |
408 | .I fw-stmt |
409 | has no context unless it is explicitly qualified, and affects global |
723210e6 |
410 | behaviour. A local option, applied to a source or target in a |
411 | .IR fw-stmt , |
667fb920 |
412 | has the context of the type of source or target to which it is applied, |
413 | and affects only that source or target. |
414 | .PP |
415 | Note that it's important to distinguish between an option's context |
416 | (which is affected by its qualification) and its local or global |
417 | status. No matter how qualified, a global option will always control |
418 | default options for objects, and a local option will only affect a |
419 | specific source or target. |
420 | .PP |
421 | The syntax for qualifying options is like this: |
333c51f4 |
422 | .GS "Option syntax" |
667fb920 |
423 | .I option-stmt |
424 | ::= |
425 | .I q-option |
426 | .br |
427 | .I q-option |
428 | ::= |
429 | .I option |
430 | .br |
431 | | |
432 | .I prefix |
433 | .B . |
434 | .I q-option |
435 | .br |
436 | | |
437 | .I prefix |
438 | .B { |
439 | .I option-seq |
440 | .B } |
441 | .br |
442 | .I prefix |
443 | ::= |
444 | .I word |
333c51f4 |
445 | .GE |
667fb920 |
446 | Thus, you may qualify either an individual option or a sequence of |
447 | options. The two are equivalent; for example, |
448 | .VS |
449 | exec.rlimit { |
450 | core = 0; |
451 | cpu = 60; |
452 | } |
453 | .VE |
723210e6 |
454 | means the same as |
667fb920 |
455 | .VS |
456 | exec.rlimit.core = 0; |
457 | exec.rlimit.cpu = 0; |
458 | .VE |
459 | For each option, there is a sequence of prefixes which maximally qualify |
460 | that option. An option prefixed with this sequence is |
461 | .IR "fully qualified" . |
462 | In actual use, some or all of those prefixes may be omitted. However, |
463 | it's possible for the option to become |
464 | .I ambiguous |
465 | if you do this. For example, the option |
466 | .B fattr.owner |
467 | may refer either to |
468 | .B file.fattr.owner |
469 | or to |
470 | .BR socket.unix.fattr.owner . |
471 | In this case, the ambiguity is benign: a local option will have as its |
472 | context an appropriate source or target, and both global options |
473 | actually control the same default. However, the option |
474 | .B logging |
475 | may mean either |
476 | .B socket.logging |
477 | or |
478 | .BR exec.logging , |
479 | which have separate defaults, and which one you actually get depends on |
480 | the exact implementation of |
481 | .BR fw 's |
482 | option parser. (Currently this would resolve to |
483 | .BR exec.logging , |
484 | although this may change in a later version.) |
485 | .PP |
486 | In this manual, options are usually shown in their fully-qualified form. |
487 | . |
333c51f4 |
488 | .SS "File attributes for created files: `fattr'" |
489 | Both the |
490 | .B file |
491 | and |
492 | .B socket |
493 | sources and targets can create new filesystem objects. The |
494 | .B fattr |
495 | options allow control over the attributes of the newly-created objects. |
496 | Both |
497 | .B file |
498 | and |
499 | .B socket |
500 | use the same set of defaults, so a prefix of |
501 | .B fattr |
502 | is good enough for setting global options, and the implicit context |
503 | disambiguates local options. |
504 | .PP |
505 | The following file attribute options are supported: |
506 | .OS "File attribute options (`fattr')" |
507 | .IB prefix .fattr.mode |
508 | .RB [ = ] |
509 | .I mode |
510 | .OD |
511 | Sets the permissions mode for a new file. The |
512 | .I mode |
513 | argument may be either an octal number or a |
514 | .BR chmod (1)-style |
515 | string which acts on the default permissions established by the |
516 | prevailing |
517 | .BR umask (2) |
518 | setting. The characters |
519 | .RB ` = ' |
520 | and |
521 | .RB ` , ' |
522 | do not have to be quoted within the mode string. |
523 | .OE |
524 | .OS "File attribute options (`fattr')" |
525 | .IB prefix .fattr.owner |
526 | .RB [ = ] |
527 | .I user |
528 | .OD |
529 | Sets the owner for newly created files. On non-broken systems you will |
530 | need to be the superuser to set the owner on a file. The |
531 | .I user |
532 | may either be a numeric uid or a username. The default is not to change |
533 | the owner of the file once it's created. The synonyms |
534 | .B uid |
535 | and |
536 | .B user |
537 | are accepted in place of |
538 | .BR owner . |
539 | .OE |
540 | .OS "File attribute options (`fattr')" |
541 | .IB prefix .fattr.group |
542 | .RB [ = ] |
543 | .I group |
544 | .OD |
545 | Sets the group for newly created files. You will usually need to be a |
546 | member of the group in question order to set the group of a file. The |
547 | .I group |
548 | may either be a numeric gid or a group name. The default is not to |
549 | change the group of the file once it's created. The synonym |
550 | .B gid |
551 | is accepted in place of |
552 | .BR group . |
553 | .OE |
554 | . |
667fb920 |
555 | .SS "The `file' source and target types" |
556 | The |
557 | .B file |
558 | source and target allow data to move to and from objects other |
559 | than sockets within the Unix filesystem. (Unix-domain sockets are |
560 | handled using the |
561 | .B socket |
562 | source and target.) |
563 | .PP |
564 | If a |
565 | .B file |
566 | is used as a source, it is set up immediately. |
567 | .PP |
568 | The syntax of |
569 | .B file |
570 | sources and targets is like this: |
333c51f4 |
571 | .GS "File sources and targets" |
667fb920 |
572 | .I source |
573 | ::= |
574 | .I file |
575 | .br |
576 | .I target |
577 | ::= |
578 | .I file |
579 | .br |
580 | .I file |
581 | ::= |
582 | .B file |
583 | .RB [ . ] |
584 | .I fspec |
585 | .RB [ , |
586 | .IR fspec ] |
587 | .br |
588 | .I fspec |
589 | ::= |
590 | .I fd-spec |
591 | | |
592 | .I name-spec |
593 | | |
594 | .I null-spec |
595 | .br |
596 | .I fd-spec |
597 | ::= |
598 | .RB [[ : ] fd [ : ]] |
599 | .IR number \c |
600 | .RB | stdin | stdout |
601 | .br |
602 | .I name-spec |
603 | ::= |
604 | .RB [[ : ] file [ : ]] |
605 | .I file-name |
606 | .br |
607 | .I file-name |
608 | ::= |
609 | .I path-seq |
610 | | |
611 | .B [ |
612 | .I path-seq |
613 | .B ] |
614 | .br |
615 | .I path-seq |
616 | ::= |
617 | .I path-elt |
618 | | |
619 | .I path-seq |
620 | .I path-elt |
621 | .br |
622 | .I path-elt |
623 | ::= |
624 | .B / |
625 | | |
626 | .I word |
627 | .br |
628 | .I null-spec |
629 | ::= |
e73034b0 |
630 | .RB [ : ] null [ : ] |
333c51f4 |
631 | .GE |
667fb920 |
632 | The |
633 | .I file |
634 | specification describes two files, the first to be used as input, the |
635 | second to be used as output, each described by an |
636 | .IR fspec . |
637 | .PP |
638 | If none of the keywords |
639 | .RB ` fd ', |
640 | .RB ` name ' |
641 | or |
642 | .RB ` null ' |
643 | are given, the type of an |
644 | .I fspec |
645 | is deduced from its nature: if it matches one of the strings |
646 | .RB ` stdin ' |
647 | or |
648 | .RB ` stdout ', |
649 | or begins with a digit, it's considered to be a file descriptor; |
650 | otherwise it's interpreted as a filename. |
651 | .PP |
652 | A |
653 | .RB ` name ' |
654 | spec describes a file by its name within the filesystem. It is opened |
655 | when needed and closed again after use. For output files, the precise |
656 | behaviour is controlled by options described below. |
657 | .PP |
658 | A |
659 | .RB ` null ' |
660 | spec attaches the input or output of the source or target to |
661 | .BR /dev/null . |
662 | .PP |
663 | An |
664 | .RB ` fd ' |
665 | spec uses an existing open file descriptor, given either by number or a |
666 | symbolic name. The name |
667 | .RB ` stdin ' |
668 | refers to standard input (file descriptor 0 on normal systems) and |
669 | .RB ` stdout ' |
670 | refers to standard output (file descriptor 1). The names work in |
671 | exactly the same way as the equivalent file descriptor numbers. |
672 | .PP |
673 | If the output |
674 | .I fspec |
675 | is omitted, the input |
676 | .I fspec |
677 | is used for both input and output. Exception: if the input refers to |
678 | standard input then the output will refer to standard output instead. |
679 | .PP |
680 | All |
681 | .B file |
682 | options apply equally to sources and targets. The options are as |
683 | follows: |
333c51f4 |
684 | .OS "File options" |
667fb920 |
685 | .B file.create |
686 | .RB [ = ] |
687 | .BR yes | no |
333c51f4 |
688 | .OD |
667fb920 |
689 | Whether to create the output file if it doesn't exist. If |
690 | .B no |
691 | (the default), an error is reported if the file doesn't exist. If |
692 | .BR yes , |
693 | the file is created if it doesn't exist. |
333c51f4 |
694 | .OE |
695 | .OS "File options" |
667fb920 |
696 | .B file.open |
697 | .RB [ = ] |
698 | .BR no | truncate | append |
333c51f4 |
699 | .OD |
667fb920 |
700 | Controls the behaviour if the output file already exists. If |
701 | .BR no , |
702 | an error is reported. If |
703 | .B truncate |
704 | (the default), the existing file is replaced by the new data. If |
705 | .BR append , |
706 | the new data is appended to the file. |
333c51f4 |
707 | .OE |
708 | .OS "File options" |
709 | .BR file.fattr.* |
710 | .OD |
667fb920 |
711 | The |
712 | .B file |
713 | source and target also accept |
714 | .B fattr |
333c51f4 |
715 | options for controlling the attributes of the created file. |
716 | .OE |
667fb920 |
717 | .PP |
333c51f4 |
718 | Under no circumstances will |
719 | .B fw |
720 | create a file through a `dangling' symbolic link. |
667fb920 |
721 | . |
722 | .SS "The `exec' source and target types" |
723 | The |
724 | .B exec |
725 | source and target execute programs and allow access to their standard |
726 | input and output streams. Both source and target have the same syntax, |
727 | which is as follows: |
333c51f4 |
728 | .GS "Exec source and target" |
667fb920 |
729 | .I source |
730 | ::= |
731 | .I exec |
732 | .br |
733 | .I target |
734 | ::= |
735 | exec |
736 | .br |
737 | .I exec |
738 | ::= |
739 | .BR exec |
740 | .RB [ . ] |
741 | .I cmd-spec |
742 | .br |
743 | .I cmd-spec |
744 | ::= |
745 | .I shell-cmd |
10a454ad |
746 | | |
667fb920 |
747 | .RI [ prog-name ] |
748 | .B [ |
749 | .I argv0 |
750 | .I arg-seq |
751 | .B ] |
752 | .br |
753 | .I arg-seq |
754 | ::= |
755 | .I word |
756 | | |
757 | .I arg-seq |
758 | .I word |
759 | .br |
760 | .I shell-cmd |
761 | ::= |
762 | .I word |
763 | .br |
764 | .I argv0 |
765 | ::= |
766 | .I word |
333c51f4 |
767 | .GE |
667fb920 |
768 | If a single word is given, it is a |
769 | .I shell-cmd |
770 | and will be passed to the Bourne shell for execution. If a |
771 | bracket-enclosed sequence of words is given, it is considered to be a |
772 | list of arguments to pass to the program: if a |
773 | .I prog-name |
774 | is also supplied, it names the file containing the program to execute; |
775 | otherwise the file named by the first argument |
776 | .RI ( argv0 ) |
777 | is used. |
778 | .PP |
779 | The standard input and output of the program are forwarded to the other |
780 | end of the connection. The standard error stream is caught by |
781 | .B fw |
782 | and logged. |
783 | .PP |
784 | The |
785 | .B exec |
786 | source and target both understand the same set of options. The list of |
787 | options supported is as follows: |
333c51f4 |
788 | .OS "Exec options" |
667fb920 |
789 | .B exec.logging |
790 | .RB [ = ] |
791 | .BR yes | no |
333c51f4 |
792 | .OD |
667fb920 |
793 | Whether to log the start and end of executed programs. If |
794 | .B yes |
795 | (the default), a log message is emitted when the program is started |
796 | listing its process id, and another is emitted when the program finishes |
797 | giving its process id and exit status. If |
798 | .BR no , |
799 | these messages are not emitted. However the standard error stream is |
800 | still logged. The |
801 | .B log |
802 | abbreviation is accepted as a synonym for |
803 | .BR logging . |
333c51f4 |
804 | .OE |
805 | .OS "Exec options" |
667fb920 |
806 | .B exec.dir |
807 | .RB [ = ] |
808 | .I file-name |
333c51f4 |
809 | .OD |
667fb920 |
810 | Sets the current directory from which the the program should be run. |
811 | The default is not to change directory. The synonyms |
812 | .BR cd , |
813 | .B chdir |
814 | and |
815 | .B cwd |
816 | are accepted in place of |
817 | .BR dir . |
333c51f4 |
818 | .OE |
819 | .OS "Exec options" |
667fb920 |
820 | .B exec.root |
821 | .RB [ = ] |
822 | .I file-name |
333c51f4 |
823 | .OD |
667fb920 |
824 | Sets the root directory for the program, using the |
825 | .BR chroot (2) |
826 | system call. You must be the superuser for this option to work. The |
372a98e2 |
827 | default is not to set a root directory. The synonym |
828 | .B chroot |
829 | is accepted in place of |
830 | .BR root . |
333c51f4 |
831 | .OE |
832 | .OS "Exec options" |
667fb920 |
833 | .B exec.user |
834 | .RB [ = ] |
835 | .I user |
333c51f4 |
836 | .OD |
667fb920 |
837 | Sets the user (real and effective uid) to run the program as. This will |
838 | usually require superuser privileges to work. The default is not to |
839 | change uid. The synonym |
840 | .B uid |
841 | is accepted in place of |
842 | .BR user . |
333c51f4 |
843 | .OE |
844 | .OS "Exec options" |
667fb920 |
845 | .B exec.group |
846 | .RB [ = ] |
847 | .I group |
333c51f4 |
848 | .OD |
667fb920 |
849 | Sets the group (real and effective gid) to run the program as. If |
850 | running with superuser privileges, the supplementary groups list is |
851 | cleared at the same time. The default is not to change gid (or clear |
852 | the supplementary groups list). The synonym |
853 | .B gid |
854 | is accepted in place of |
855 | .BR group . |
333c51f4 |
856 | .OE |
857 | .OS "Exec options" |
667fb920 |
858 | .BI exec.rlimit. limit \c |
859 | .RB [ .hard | .soft ] |
860 | .RB [ = ] |
861 | .I value |
333c51f4 |
862 | .OD |
667fb920 |
863 | Set resource limits for the program. The |
864 | .I limit |
865 | may be one of the resource limit names described in |
866 | .BR setrlimit (2), |
867 | in lower-case and without the |
868 | .B RLIMIT_ |
869 | prefix; for example, |
870 | .B RLIMIT_CORE |
871 | becomes simply |
872 | .BR core . |
873 | The |
874 | .I value |
875 | is a number, followed optionally by |
876 | .B k |
877 | to multiply by 1024 (2\*(ss10\*(se), |
878 | .B m |
879 | to multiply by 1048576 (2\*(ss20\*(se), or |
880 | .B g |
881 | to multiply by 1073741824 (2\*(ss30\*(se); purists can use upper-case |
882 | versions of these if they want. If |
883 | .B .hard |
884 | or |
885 | .B .soft |
886 | was specified, only the hard or soft limit is set; otherwise both are |
887 | set to the same value. Only the superuser can raise the hard limit. |
888 | The soft limit cannot be set above the hard limit. |
333c51f4 |
889 | .OE |
890 | .OS "Exec options" |
667fb920 |
891 | .B exec.env.clear |
333c51f4 |
892 | .OD |
667fb920 |
893 | Clears the program's environment. |
333c51f4 |
894 | .OE |
667fb920 |
895 | .PP |
896 | .B exec.env.unset |
897 | .I var |
333c51f4 |
898 | .OD |
667fb920 |
899 | Removes |
900 | .I var |
901 | from the program's environment. It is not an error if no variable named |
902 | .I var |
903 | exists. |
333c51f4 |
904 | .OE |
905 | .OS "Exec options" |
667fb920 |
906 | .BR exec.env. [ set ] |
907 | .I var |
908 | .RB [ = ] |
909 | .I value |
333c51f4 |
910 | .OD |
96bc31ba |
911 | Assigns the variable |
667fb920 |
912 | .I var |
913 | the value |
914 | .I value |
915 | in the program's environment, possibly replacing the existing value. |
916 | The |
917 | .B set |
918 | may be omitted if the |
919 | .B env |
920 | qualifier is present. |
333c51f4 |
921 | .OE |
667fb920 |
922 | .PP |
923 | Note that environment variable modifications are performed in order, |
924 | global modifications before local ones. |
925 | . |
926 | .SS "The `socket' source and target types" |
927 | The |
928 | .B socket |
929 | source and target provide access to network services. Support is |
930 | currently provided for TCP/IP and Unix-domain sockets, although other |
931 | address types can be added with reasonable ease. |
932 | .PP |
933 | The syntax for socket sources and targets is: |
333c51f4 |
934 | .GS "Socket source and target" |
667fb920 |
935 | .ll +8i |
936 | .I source |
937 | ::= |
938 | .I socket-source |
10a454ad |
939 | .br |
667fb920 |
940 | .I target |
941 | ::= |
942 | .I socket-target |
943 | .br |
944 | .I socket-source |
945 | ::= |
946 | .RB [ socket [ . ]] |
947 | .RB [[ : ] \c |
948 | .IR addr-type \c |
949 | .RB [ : ]] |
950 | .I source-addr |
951 | .br |
952 | .I socket-target |
953 | ::= |
954 | .RB [ socket [ . ]] |
955 | .RB [[ : ] \c |
956 | .IR addr-type \c |
957 | .RB [ : ]] |
958 | .I target-addr |
959 | .ll -8i |
333c51f4 |
960 | .GE |
667fb920 |
961 | The syntax of the source and target addresses depend on the address |
962 | types, which are described below. The default address type, if no |
963 | .I addr-type |
964 | is given, is |
965 | .BR inet . |
966 | .PP |
967 | Socket sources support options; socket targets do not. The source |
968 | options provided are: |
333c51f4 |
969 | .OS "Socket options" |
667fb920 |
970 | .B socket.conn |
971 | .RB [ = ] |
d857515e |
972 | .IR number | \c |
973 | .BR unlimited | one-shot |
333c51f4 |
974 | .OD |
d857515e |
975 | Controls the behaviour of the source when it receives connections. A |
667fb920 |
976 | .I number |
d857515e |
977 | limits the number of simultaneous connections. The value |
978 | .B unlimited |
979 | (or |
980 | .BR infinite ) |
981 | removes any limit on the number of connections possible. The value |
982 | .B one-shot |
983 | will remove the socket source after a single successful connection. |
984 | (Connections refused by access control systems don't count here.) |
985 | The default is to apply a limit of 256 concurrent connections. Use of |
986 | the |
987 | .B unlimited |
988 | option is not recommended. |
333c51f4 |
989 | .OE |
990 | .OS "Socket options" |
667fb920 |
991 | .B socket.logging |
992 | .RB [ = ] |
993 | .BR yes | no |
333c51f4 |
994 | .OD |
667fb920 |
995 | Whether to log incoming connections. If |
996 | .B yes |
997 | (the default) incoming connections are logged, together with information |
998 | about the client (where available) and whether the connection was |
999 | accepted or refused. If |
1000 | .BR no , |
1001 | log messages are not generated. |
333c51f4 |
1002 | .OE |
667fb920 |
1003 | .PP |
1004 | Address types also provide their own options. |
1005 | . |
1006 | .SS "The `inet' socket address type" |
1007 | The |
1008 | .B inet |
1009 | address type provides access to TCP ports. The |
1010 | .B inet |
1011 | source and target addresses have the following syntax: |
333c51f4 |
1012 | .GS "Socket source and target" |
667fb920 |
1013 | .I inet-source-addr |
10a454ad |
1014 | ::= |
10a454ad |
1015 | .RB [ port ] |
1016 | .I port |
667fb920 |
1017 | .br |
1018 | .I inet-target-addr |
1019 | ::= |
1020 | .I address |
10a454ad |
1021 | .RB [ : ] |
1022 | .I port |
10a454ad |
1023 | .br |
667fb920 |
1024 | .I address |
10a454ad |
1025 | ::= |
667fb920 |
1026 | .I addr-elt |
1027 | | |
1028 | .I address |
1029 | .I addr-elt |
10a454ad |
1030 | .br |
667fb920 |
1031 | .I addr-elt |
10a454ad |
1032 | ::= |
667fb920 |
1033 | .B . |
10a454ad |
1034 | | |
667fb920 |
1035 | .I word |
333c51f4 |
1036 | .GE |
667fb920 |
1037 | A |
1038 | .I port |
1039 | may be given as a port number or a service name from the |
1040 | .B /etc/services |
1041 | file (or YP map if you do that sort of thing). A |
1042 | .B hostname |
1043 | may be a textual hostname or a numerical IP address. |
1044 | .PP |
1045 | The |
1046 | .B inet |
1047 | source address accepts the following options: |
333c51f4 |
1048 | .OS "Socket options" |
667fb920 |
1049 | .BR socket.inet. [ allow | deny ] |
10a454ad |
1050 | .RB [ from ] |
667fb920 |
1051 | .I address |
10a454ad |
1052 | .RB [ / |
667fb920 |
1053 | .IR address ] |
333c51f4 |
1054 | .OD |
667fb920 |
1055 | Adds an entry to the source's access control list. If only one |
1056 | .I address |
1057 | is given, the entry applies only to that address; if two are given, the |
1058 | first is a network address and the second is a netmask either in |
1059 | dotted-quad format or a simple number of bits (e.g., |
1060 | .B /255.255.255.192 |
1061 | and |
1062 | .B /26 |
1063 | mean the same), and the entry applies to any address which, when masked |
1064 | by the netmask, is equal to the masked network address. |
333c51f4 |
1065 | .OE |
10a454ad |
1066 | .PP |
333c51f4 |
1067 | The access control rules are examined in the order: local entries first, |
1068 | then global ones, each in the order given in the configuration file. |
1069 | The first matching entry is used. If no entries match, the behaviour is |
1070 | the |
667fb920 |
1071 | .I opposite |
1072 | of the last entry tried. If there are no entries defined, the default |
1073 | is to allow all clients. |
667fb920 |
1074 | . |
1075 | .SS "The `unix' socket address type" |
10a454ad |
1076 | The |
667fb920 |
1077 | .B unix |
1078 | address type allows access to Unix-domain sockets. The syntax for |
1079 | .B unix |
1080 | source and target addresses is like this: |
333c51f4 |
1081 | .GS "Socket source and target" |
1082 | .I unix-source-addr |
667fb920 |
1083 | ::= |
333c51f4 |
1084 | .I file-name |
667fb920 |
1085 | .br |
333c51f4 |
1086 | .I unix-target-addr |
667fb920 |
1087 | ::= |
1088 | .I file-name |
333c51f4 |
1089 | .GE |
1090 | The following options are supported by the |
1091 | .B unix |
1092 | source address type: |
1093 | .OS "Socket options" |
1094 | .BR socket.unix.fattr. * |
1095 | .OD |
667fb920 |
1096 | The |
1097 | .B unix |
1098 | source address accepts |
1099 | .B fattr |
333c51f4 |
1100 | options to control the attributes of the socket file created. |
1101 | .OE |
1102 | .PP |
1103 | Sockets are removed if |
10a454ad |
1104 | .B fw |
667fb920 |
1105 | exits normally (which it will do if it runs out of sources or |
372a98e2 |
1106 | connections, or if |
1107 | .B fw |
1108 | shuts down in a clean way). |
667fb920 |
1109 | .SH "EXAMPLES" |
1110 | To forward the local port 25 to a main mail server: |
1111 | .VS |
1112 | from 25 to mailserv:25 |
1113 | .VE |
1114 | To attach a fortune server to a Unix-domain socket: |
1115 | .VS |
1116 | from unix:/tmp/fortunes |
1117 | to exec [/usr/games/fortune] { user nobody } |
1118 | .VE |
1119 | To fetch a fortune from the server: |
1120 | .VS |
1121 | from file stdin, stdout to unix:/tmp/fortunes |
1122 | .VE |
1123 | To emulate |
1124 | .BR cat (1): |
1125 | .VS |
1126 | from stdin, null to null, stdout |
1127 | .VE |
1128 | . |
1129 | .\"-------------------------------------------------------------------------- |
372a98e2 |
1130 | .SH "SIGNAL HANDLING" |
1131 | . |
1132 | The |
1133 | .B fw |
1134 | program responds to various signals when it's running. If it receives |
1135 | .B SIGTERM |
1136 | or |
1137 | .BR SIGINT , |
1138 | .B fw |
1139 | performs a |
1140 | .I graceful |
1141 | shutdown: it removes all of its sources, and will exit when no more |
1142 | connections are running. (Note that if the disposition |
1143 | .B SIGINT |
1144 | was to ignore it, |
1145 | .B fw |
1146 | does not re-enable the signal. You'll have to send |
1147 | .B SIGTERM |
1148 | in that case.) If |
1149 | .B fw |
1150 | receives |
1151 | .BR SIGQUIT , |
1152 | it performs an |
1153 | .I abrupt |
1154 | shutdown: it removes all sources and extant connections and closes down |
1155 | more-or-less immediately. |
1156 | .PP |
1157 | Finally, if any configuration files (other than standard input) were |
1158 | provided to |
1159 | .B fw |
1160 | on its command line using the |
1161 | .B \-f |
1162 | option, a |
1163 | .B SIGHUP |
1164 | signal may be sent to instruct |
1165 | .B fw |
1166 | to reload its configuration. Any existing connections are allowed to |
1167 | run their course. If no such configuration files are available, |
1168 | .B fw |
1169 | just logs a message about the signal and continues. |
1170 | .PP |
1171 | . |
1172 | .\"-------------------------------------------------------------------------- |
333c51f4 |
1173 | .SH "GRAMMAR SUMMARY" |
1174 | . |
1175 | .SS "Basic syntax" |
1176 | .I file |
1177 | ::= |
1178 | .I empty |
1179 | | |
1180 | .I file |
1181 | .I stmt |
1182 | .RB [ ; ] |
1183 | .br |
1184 | .I stmt |
1185 | ::= |
1186 | .I option-stmt |
1187 | | |
1188 | .I fw-stmt |
1189 | .br |
1190 | .I fw-stmt |
1191 | ::= |
1192 | .B fw |
1193 | .I source |
1194 | .I options |
1195 | .RB [ to | \-> ] |
1196 | .I target |
1197 | .I options |
1198 | .br |
1199 | .I options |
1200 | ::= |
1201 | .B { |
1202 | .I option-seq |
1203 | .B } |
1204 | .br |
1205 | .I option-seq |
1206 | ::= |
1207 | .I empty |
1208 | | |
1209 | .I option-stmt |
1210 | .RB [ ; ] |
1211 | .I option-seq |
1212 | . |
1213 | .SS "Option syntax" |
1214 | .I option-stmt |
1215 | ::= |
1216 | .I q-option |
1217 | .br |
1218 | .I q-option |
1219 | ::= |
1220 | .I option |
1221 | .br |
1222 | | |
1223 | .I prefix |
1224 | .B . |
1225 | .I q-option |
1226 | .br |
1227 | | |
1228 | .I prefix |
1229 | .B { |
1230 | .I option-seq |
1231 | .B } |
1232 | .br |
1233 | .I prefix |
1234 | ::= |
1235 | .I word |
1236 | . |
1237 | .SS "File source and target" |
1238 | .I source |
1239 | ::= |
1240 | .I file |
1241 | .br |
1242 | .I target |
1243 | ::= |
1244 | .I file |
1245 | .br |
1246 | .I file |
1247 | ::= |
1248 | .B file |
1249 | .RB [ . ] |
1250 | .I fspec |
1251 | .RB [ , |
1252 | .IR fspec ] |
1253 | .br |
1254 | .I fspec |
1255 | ::= |
1256 | .I fd-spec |
1257 | | |
1258 | .I name-spec |
1259 | | |
1260 | .I null-spec |
1261 | .br |
1262 | .I fd-spec |
1263 | ::= |
1264 | .RB [[ : ] fd [ : ]] |
1265 | .IR number \c |
1266 | .RB | stdin | stdout |
1267 | .br |
1268 | .I name-spec |
1269 | ::= |
1270 | .RB [[ : ] file [ : ]] |
1271 | .I file-name |
1272 | .br |
1273 | .I file-name |
1274 | ::= |
1275 | .I path-seq |
1276 | | |
1277 | .B [ |
1278 | .I path-seq |
1279 | .B ] |
1280 | .br |
1281 | .I path-seq |
1282 | ::= |
1283 | .I path-elt |
1284 | | |
1285 | .I path-seq |
1286 | .I path-elt |
1287 | .br |
1288 | .I path-elt |
1289 | ::= |
1290 | .B / |
1291 | | |
1292 | .I word |
1293 | .br |
1294 | .I null-spec |
1295 | ::= |
1296 | .RB [ : ] null [ : ] |
1297 | . |
1298 | .SS "Exec source and target" |
1299 | .I source |
1300 | ::= |
1301 | .I exec |
1302 | .br |
1303 | .I target |
1304 | ::= |
1305 | exec |
1306 | .br |
1307 | .I exec |
1308 | ::= |
1309 | .BR exec |
1310 | .RB [ . ] |
1311 | .I cmd-spec |
1312 | .br |
1313 | .I cmd-spec |
1314 | ::= |
1315 | .I shell-cmd |
1316 | | |
1317 | .RI [ prog-name ] |
1318 | .B [ |
1319 | .I argv0 |
1320 | .I arg-seq |
1321 | .B ] |
1322 | .br |
1323 | .I arg-seq |
1324 | ::= |
1325 | .I word |
1326 | | |
1327 | .I arg-seq |
1328 | .I word |
1329 | .br |
1330 | .I shell-cmd |
1331 | ::= |
1332 | .I word |
1333 | .br |
1334 | .I argv0 |
1335 | ::= |
1336 | .I word |
1337 | . |
1338 | .SS "Socket source and target" |
1339 | .ll +8i |
1340 | .I source |
1341 | ::= |
1342 | .I socket-source |
1343 | .br |
1344 | .I target |
1345 | ::= |
1346 | .I socket-target |
1347 | .br |
1348 | .I socket-source |
1349 | ::= |
1350 | .RB [ socket [ . ]] |
1351 | .RB [[ : ] \c |
1352 | .IR addr-type \c |
1353 | .RB [ : ]] |
1354 | .I source-addr |
1355 | .br |
1356 | .I socket-target |
1357 | ::= |
1358 | .RB [ socket [ . ]] |
1359 | .RB [[ : ] \c |
1360 | .IR addr-type \c |
1361 | .RB [ : ]] |
1362 | .I target-addr |
1363 | .ll -8i |
1364 | .PP |
1365 | .I inet-source-addr |
1366 | ::= |
1367 | .RB [ port ] |
1368 | .I port |
1369 | .br |
1370 | .I inet-target-addr |
1371 | ::= |
1372 | .I address |
1373 | .RB [ : ] |
1374 | .I port |
1375 | .br |
1376 | .I address |
1377 | ::= |
1378 | .I addr-elt |
1379 | | |
1380 | .I address |
1381 | .I addr-elt |
1382 | .br |
1383 | .I addr-elt |
1384 | ::= |
1385 | .B . |
1386 | | |
1387 | .I word |
1388 | .PP |
1389 | .I unix-source-addr |
1390 | ::= |
1391 | .I file-name |
1392 | .br |
1393 | .I unix-target-addr |
1394 | ::= |
1395 | .I file-name |
1396 | . |
1397 | .\"-------------------------------------------------------------------------- |
1398 | .SH "OPTION SUMMARY" |
1399 | . |
1400 | .SS "File attributes (`fattr')" |
1401 | .IB prefix .fattr.mode |
1402 | .RB [ = ] |
1403 | .I mode |
1404 | .br |
1405 | .IB prefix .fattr.owner |
1406 | .RB [ = ] |
1407 | .I user |
1408 | .br |
1409 | .IB prefix .fattr.group |
1410 | .RB [ = ] |
1411 | .I group |
1412 | . |
1413 | .SS "File options" |
1414 | .B file.create |
1415 | .RB [ = ] |
1416 | .BR yes | no |
1417 | .br |
1418 | .B file.open |
1419 | .RB [ = ] |
1420 | .BR no | truncate | append |
1421 | .br |
1422 | .BR file.fattr. * |
1423 | . |
1424 | .SS "Exec options" |
1425 | .B exec.logging |
1426 | .RB [ = ] |
1427 | .BR yes | no |
1428 | .br |
1429 | .B exec.dir |
1430 | .RB [ = ] |
1431 | .I file-name |
1432 | .br |
1433 | .B exec.root |
1434 | .RB [ = ] |
1435 | .I file-name |
1436 | .br |
1437 | .B exec.user |
1438 | .RB [ = ] |
1439 | .I user |
1440 | .br |
1441 | .B exec.group |
1442 | .RB [ = ] |
1443 | .I group |
1444 | .br |
1445 | .BI exec.rlimit. limit \c |
1446 | .RB [ .hard | .soft ] |
1447 | .RB [ = ] |
1448 | .I value |
1449 | .br |
1450 | .B exec.env.clear |
1451 | .br |
1452 | .B exec.env.unset |
1453 | .I var |
1454 | .br |
1455 | .BR exec.env. [ set ] |
1456 | .I var |
1457 | .RB [ = ] |
1458 | .I value |
1459 | . |
1460 | .SS "Socket options" |
1461 | .B socket.conn |
1462 | .RB [ = ] |
d857515e |
1463 | .IR number | \c |
1464 | .BR unlimited | one-shot |
333c51f4 |
1465 | .br |
1466 | .B socket.logging |
1467 | .RB [ = ] |
1468 | .BR yes | no |
1469 | .PP |
1470 | .BR socket.inet. [ allow | deny ] |
1471 | .RB [ from ] |
1472 | .I address |
1473 | .RB [ / |
1474 | .IR address ] |
1475 | .PP |
1476 | .BR socket.unix.fattr. * |
1477 | . |
1478 | .\"-------------------------------------------------------------------------- |
10a454ad |
1479 | .SH "BUGS" |
667fb920 |
1480 | . |
cdc917d3 |
1481 | The syntax for IP addresses and filenames is nasty. |
10a454ad |
1482 | .PP |
d857515e |
1483 | IPv6 is not supported yet. Because of |
1484 | .BR fw 's |
1485 | socket address architecture, it's probably not a major piece of work to |
667fb920 |
1486 | add. |
10a454ad |
1487 | .PP |
667fb920 |
1488 | Please inform me of any security problems you think you've identified in |
1489 | this program. I take security very seriously, and I will fix security |
1490 | holes as a matter of priority when I find out about them. I will be |
1491 | annoyed if I have to read about problems on Bugtraq because they weren't |
1492 | mailed to me first. |
723210e6 |
1493 | .PP |
1494 | The program is too complicated, and this manual page is too long. |
667fb920 |
1495 | . |
1496 | .\"-------------------------------------------------------------------------- |
10a454ad |
1497 | .SH "AUTHOR" |
667fb920 |
1498 | . |
10a454ad |
1499 | Mark Wooding, <mdw@nsict.org> |
667fb920 |
1500 | . |
1501 | .\"----- That's all, folks -------------------------------------------------- |