10a454ad |
1 | .\" -*-nroff-*- |
667fb920 |
2 | .\" |
b69a615b |
3 | .\" $Id$ |
667fb920 |
4 | .\" |
5 | .\" Manual page for fw |
6 | .\" |
7 | .\" (c) 1999 Straylight/Edgeware |
8 | .\" |
9 | . |
10 | .\"----- Licensing notice --------------------------------------------------- |
11 | .\" |
12 | .\" This file is part of the `fw' port forwarder. |
13 | .\" |
14 | .\" `fw' is free software; you can redistribute it and/or modify |
15 | .\" it under the terms of the GNU General Public License as published by |
16 | .\" the Free Software Foundation; either version 2 of the License, or |
17 | .\" (at your option) any later version. |
18 | .\" |
19 | .\" `fw' is distributed in the hope that it will be useful, |
20 | .\" but WITHOUT ANY WARRANTY; without even the implied warranty of |
21 | .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
22 | .\" GNU General Public License for more details. |
23 | .\" |
24 | .\" You should have received a copy of the GNU General Public License |
25 | .\" along with `fw'; if not, write to the Free Software Foundation, |
26 | .\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
27 | . |
667fb920 |
28 | .\"----- Various bits of fancy styling -------------------------------------- |
29 | . |
30 | .\" --- Indented paragraphs with right-aligned tags --- |
31 | . |
10a454ad |
32 | .de hP |
33 | .IP |
34 | \h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c |
35 | .. |
667fb920 |
36 | . |
37 | .\" --- Verbatim-oid typesetting --- |
38 | .de VS |
39 | .sp 1 |
40 | .RS |
41 | .nf |
42 | .ft B |
43 | .. |
44 | .de VE |
45 | .ft R |
46 | .fi |
47 | .RE |
48 | .sp 1 |
49 | .. |
50 | . |
333c51f4 |
51 | .\" --- Grammar markup --- |
52 | .\" |
53 | .\" This is mainly for the benefit of the automatic scripts which |
54 | .\" generate the grammar summary. |
55 | . |
56 | .de GS |
57 | .PP |
58 | .. |
59 | .de GE |
60 | .PP |
61 | .. |
62 | . |
63 | .de OS |
64 | .PP |
65 | .. |
66 | .de OD |
67 | .RS |
68 | .. |
69 | .de OE |
70 | .RE |
71 | .. |
72 | . |
667fb920 |
73 | .\" --- Other bits of styling --- |
74 | . |
75 | .ie t \{\ |
76 | . ds o \(bu |
77 | . ds ss \s8\u |
78 | . ds se \d\s0 |
79 | . if \n(.g \{\ |
80 | . fam P |
81 | . \} |
82 | .\} |
83 | .el \{\ |
84 | . ds o o |
85 | . ds ss ^ |
86 | . ds se |
87 | .\} |
88 | . |
89 | .\"-------------------------------------------------------------------------- |
90 | . |
d1c182e7 |
91 | .TH fw 1 "1 July 1999" "Straylight/Edgeware" "fw port forwarder" |
667fb920 |
92 | . |
93 | .\"-------------------------------------------------------------------------- |
10a454ad |
94 | .SH NAME |
667fb920 |
95 | . |
10a454ad |
96 | fw \- port forwarder |
667fb920 |
97 | . |
98 | .\"-------------------------------------------------------------------------- |
10a454ad |
99 | .SH SYNOPSIS |
667fb920 |
100 | . |
10a454ad |
101 | .B fw |
370e3c14 |
102 | .RB [ \-dlq ] |
10a454ad |
103 | .RB [ \-f |
104 | .IR file ] |
fc170a33 |
105 | .RB [ \-s |
106 | .IR user ] |
107 | .RB [ \-g |
108 | .IR group ] |
10a454ad |
109 | .IR config-stmt ... |
667fb920 |
110 | . |
111 | .\"-------------------------------------------------------------------------- |
112 | .SH "DESCRIPTION" |
113 | . |
10a454ad |
114 | The |
115 | .B fw |
116 | program is a simple port forwarder. It supports a number of features |
117 | the author hasn't found in similar programs: |
118 | .TP |
119 | .I "Connection logging" |
120 | Each connection attempt to the forwarder is logged, giving the time of |
121 | the connection, the DNS-resolved hostname (if available), and the user |
122 | name resulting from an RFC931 lookup. These lookups are done |
123 | asynchronously to the main forwarder's operation. |
124 | .TP |
125 | .I "Access control" |
126 | Each forwarded port may have an access control list attached to it. |
127 | Only authorized hosts are allowed to connect. Access control checks are |
128 | performed by quick checks on the client's IP address. |
129 | .TP |
130 | .I "Nonblocking single-process design" |
131 | The internal structure of the server is completely nonblocking. The |
132 | connections don't block; the reading and writing don't block; the name |
133 | lookups don't block. This is all done in a single process, with the |
134 | single exception of the DNS resolver. |
667fb920 |
135 | .TP |
136 | .I "Support for Unix-domain sockets" |
137 | Connections from and to Unix-domain sockets can be handled just as |
96bc31ba |
138 | easily as more normal Internet sockets. Access control doesn't work on |
667fb920 |
139 | Unix domain sockets, though. (Yet.) |
10a454ad |
140 | .SS "Command line options" |
141 | The |
142 | .B fw |
143 | program understands a few simple command line options: |
144 | .TP |
145 | .B "\-h, \-\-help" |
146 | Displays a screen of help text on standard output and exits |
147 | successfully. |
148 | .TP |
149 | .B "\-v, \-\-version" |
150 | Writes the version number to standard output and exits successfully. |
151 | .TP |
152 | .B "\-u, \-\-usage" |
153 | Writes a terse usage summary to standard output and exits successfully. |
154 | .TP |
fc170a33 |
155 | .B "\-G, \-\-grammar" |
156 | Writes a summary of the configuration file grammar to standard output |
157 | and exits successfully. |
158 | .TP |
159 | .B "\-O, \-\-options" |
160 | Writes a summary of the source and target options to standard output and |
161 | exits successfully. |
162 | .TP |
10a454ad |
163 | .BI "\-f, \-\-file=" file |
164 | Read configuration information from |
165 | .IR file . |
667fb920 |
166 | Equivalent to an |
167 | .RB ` include |
168 | .IR file ' |
169 | configuration file statement. |
10a454ad |
170 | .TP |
667fb920 |
171 | .B "\-d, \-\-daemon, \-\-fork" |
10a454ad |
172 | Forks into the background after reading the configuration and |
173 | initializing properly. |
667fb920 |
174 | .TP |
370e3c14 |
175 | .B "\-l, \-\-syslog, \-\-log" |
176 | Emit logging information to the system log, rather than standard error. |
177 | .TP |
fc170a33 |
178 | .B "\-q, \-\-quiet" |
667fb920 |
179 | Don't output any logging information. This option is not recommended |
180 | for normal use, although it can make system call traces clearer so I use |
181 | it when debugging. |
fc170a33 |
182 | .TP |
183 | .BI "\-s, \-\-setuid=" user |
184 | Change uid to that of |
185 | .IR user , |
186 | which may be either a user name or uid number, after initializing all |
187 | the sources. This will usually require elevated privileges. |
188 | .TP |
189 | .BI "\-g, \-\-setgid=" group |
190 | Change gid to that of |
191 | .IR group , |
192 | which may be either a group name or gid number, after initializing all |
193 | the sources. If the operating system understands supplementary groups |
194 | then the supplementary groups list is altered to include only |
195 | .IR group . |
10a454ad |
196 | .PP |
197 | Any further command line arguments are interpreted as configuration |
198 | lines to be read. Configuration supplied in command line arguments has |
199 | precisely the same syntax as configuration in files. If there are no |
96bc31ba |
200 | configuration statements on the command line, and no |
10a454ad |
201 | .B \-f |
202 | options were supplied, configuration is read from standard input, if |
203 | stdin is not a terminal. |
667fb920 |
204 | . |
205 | .\"-------------------------------------------------------------------------- |
206 | .SH "CONFIGURATION LANGUAGE" |
207 | . |
208 | The |
209 | .B fw |
210 | program has a fairly sophisticated configuration language to let you |
211 | describe which things should be forwarded where and what special |
212 | features there should be. |
213 | .SS "Lexical structure" |
214 | There are four types of characters. |
215 | .TP |
216 | .I "word constituent characters" |
96bc31ba |
217 | Word constituent characters are gathered together into words. |
667fb920 |
218 | Depending on its surrounding context, a word might act as a keyword or a |
219 | string. All alphanumerics are word constituents, as is the hyphen |
220 | .RB ` \- '. |
221 | Other characters may change their status in future versions. |
222 | .TP |
223 | .I "self-delimiting characters" |
224 | Self-delimiting characters always stand alone. They act as punctuation, |
225 | shaping the sequence of words into more complex grammatical forms. The |
226 | characters |
227 | .RB ` { ', |
228 | .RB ` } ', |
229 | .RB ` [ ', |
230 | .RB ` ] ', |
231 | .RB ` / ', |
232 | .RB ` , ', |
233 | .RB ` = ', |
234 | .RB ` : ', |
235 | .RB ` ; ' |
236 | and |
237 | .RB ` . ' |
238 | are self-delimiting. Note that while some characters, e.g., |
239 | .RB ` [ ' |
240 | and |
241 | .RB ` ; ', |
372a98e2 |
242 | require escaping by the shell, they are mostly optional in the grammar |
243 | and can tend to be omitted in quick hacks at the shell prompt. |
667fb920 |
244 | .TP |
245 | .I "whitespace characters" |
246 | Whitespace characters separate words but are otherwise ignored. All |
247 | `normal' whitespace characters (e.g., space, tab and newline) are |
248 | considered to be whitespace for these purposes. |
249 | .TP |
250 | .I "special characters" |
251 | There are three special characters. The |
252 | .RB ` # ' |
253 | character, if it appears at the start of a word, introduces a |
254 | .I comment |
255 | which extends to the end of the current line or command-line argument. |
256 | Within a word, it behaves like a normal word-constituent character. The |
257 | backslash |
258 | .RB ` \e ' |
259 | escapes the following character causing it to be interpreted as a word |
260 | constituent regardless of its normal type. The double-quote |
261 | .RB ` """" ' |
262 | escapes all characters other than backslashes up to the next |
263 | double-quote and causes them to be regarded as word constituents. Note |
264 | that you don't have to quote a whole word. The backslash can escape a |
265 | quote character allowing you to insert it into a word if really |
266 | necessary. |
267 | . |
268 | .SS "Basic syntax" |
269 | The overall syntax looks a bit like this: |
333c51f4 |
270 | .GS "Basic syntax" |
667fb920 |
271 | .I file |
10a454ad |
272 | ::= |
667fb920 |
273 | .I empty |
274 | | |
275 | .I file |
276 | .I stmt |
277 | .RB [ ; ] |
10a454ad |
278 | .br |
279 | .I stmt |
280 | ::= |
667fb920 |
281 | .I option-stmt |
282 | | |
283 | .I fw-stmt |
284 | .br |
285 | .I fw-stmt |
286 | ::= |
287 | .B fw |
288 | .I source |
289 | .I options |
290 | .RB [ to | \-> ] |
291 | .I target |
292 | .I options |
293 | .br |
294 | .I options |
295 | ::= |
296 | .B { |
297 | .I option-seq |
298 | .B } |
299 | .br |
300 | .I option-seq |
301 | ::= |
302 | .I empty |
303 | | |
304 | .I option-stmt |
305 | .RB [ ; ] |
306 | .I option-seq |
333c51f4 |
307 | .GE |
667fb920 |
308 | If you prefer, the keyword |
309 | .RB ` fw ' |
310 | may be spelt |
311 | .RB ` forward ' |
312 | or |
313 | .RB ` from '. |
314 | All are equivalent. |
315 | . |
316 | .SS "Sources and targets" |
317 | Forwarding is set up by attaching |
318 | .I targets |
319 | to |
320 | .IR sources . |
321 | Sources are things which are capable of |
322 | .I initiating |
323 | one end of a data flow on their own, while targets are things which are |
324 | capable of setting up the other end on demand. In the case of a TCP |
325 | port forwarder, the part which listens for incoming client connections |
326 | is the source, while the part which sets up outgoing connections to the |
327 | destination server is the target. |
328 | .PP |
329 | Essentially, all |
330 | .B fw |
331 | does is set up a collection of sources and targets based on your |
332 | configuration file so that when a source decides to initiate a data |
333 | flow, it tells its target to set its end up, and then squirts data back |
334 | and forth between the two until there's no more. |
335 | .PP |
336 | Some sources are |
337 | .IR persistent : |
338 | they stay around indefinitely setting up multiple attachments to |
339 | targets. Others are |
340 | .IR transient : |
341 | they set up one connection and then disappear. If all the sources |
342 | defined are transient, then |
343 | .B fw |
344 | will quit when no more active sources remain and all connections have |
345 | terminated. |
346 | .PP |
347 | The |
348 | .B fw |
349 | program is fairly versatile. It allows you to attach any supported type |
350 | of source to any supported type of target. This will, I hope, be the |
351 | case in all future versions. |
352 | .PP |
353 | The syntax of a |
354 | .I source |
355 | or |
356 | .I target |
357 | depend on the source or target type, and are therefore described in the |
358 | sections specific to the various types. |
359 | . |
360 | .SS "Options structure" |
361 | Most of the objects that |
362 | .B fw |
363 | knows about (including sources and targets, but also other more specific |
364 | things such as socket address types) can have their behaviour modified |
365 | by |
366 | .IR options . |
367 | The options available at a particular point in the configuration depend |
368 | on the |
369 | .IR context . |
370 | A global option, outside of a |
371 | .I fw-stmt |
372 | has no context unless it is explicitly qualified, and affects global |
723210e6 |
373 | behaviour. A local option, applied to a source or target in a |
374 | .IR fw-stmt , |
667fb920 |
375 | has the context of the type of source or target to which it is applied, |
376 | and affects only that source or target. |
377 | .PP |
378 | Note that it's important to distinguish between an option's context |
379 | (which is affected by its qualification) and its local or global |
380 | status. No matter how qualified, a global option will always control |
381 | default options for objects, and a local option will only affect a |
382 | specific source or target. |
383 | .PP |
384 | The syntax for qualifying options is like this: |
333c51f4 |
385 | .GS "Option syntax" |
667fb920 |
386 | .I option-stmt |
387 | ::= |
388 | .I q-option |
389 | .br |
390 | .I q-option |
391 | ::= |
392 | .I option |
393 | .br |
394 | | |
395 | .I prefix |
23be5eb0 |
396 | .B .\& |
667fb920 |
397 | .I q-option |
398 | .br |
399 | | |
400 | .I prefix |
401 | .B { |
402 | .I option-seq |
403 | .B } |
404 | .br |
405 | .I prefix |
406 | ::= |
407 | .I word |
333c51f4 |
408 | .GE |
667fb920 |
409 | Thus, you may qualify either an individual option or a sequence of |
410 | options. The two are equivalent; for example, |
411 | .VS |
412 | exec.rlimit { |
413 | core = 0; |
414 | cpu = 60; |
415 | } |
416 | .VE |
723210e6 |
417 | means the same as |
667fb920 |
418 | .VS |
419 | exec.rlimit.core = 0; |
420 | exec.rlimit.cpu = 0; |
421 | .VE |
422 | For each option, there is a sequence of prefixes which maximally qualify |
423 | that option. An option prefixed with this sequence is |
424 | .IR "fully qualified" . |
425 | In actual use, some or all of those prefixes may be omitted. However, |
426 | it's possible for the option to become |
427 | .I ambiguous |
428 | if you do this. For example, the option |
429 | .B fattr.owner |
430 | may refer either to |
431 | .B file.fattr.owner |
432 | or to |
433 | .BR socket.unix.fattr.owner . |
434 | In this case, the ambiguity is benign: a local option will have as its |
435 | context an appropriate source or target, and both global options |
436 | actually control the same default. However, the option |
437 | .B logging |
438 | may mean either |
439 | .B socket.logging |
440 | or |
441 | .BR exec.logging , |
442 | which have separate defaults, and which one you actually get depends on |
443 | the exact implementation of |
444 | .BR fw 's |
445 | option parser. (Currently this would resolve to |
446 | .BR exec.logging , |
447 | although this may change in a later version.) |
448 | .PP |
449 | In this manual, options are usually shown in their fully-qualified form. |
450 | . |
333c51f4 |
451 | .SS "File attributes for created files: `fattr'" |
452 | Both the |
453 | .B file |
454 | and |
455 | .B socket |
456 | sources and targets can create new filesystem objects. The |
457 | .B fattr |
458 | options allow control over the attributes of the newly-created objects. |
459 | Both |
460 | .B file |
461 | and |
462 | .B socket |
463 | use the same set of defaults, so a prefix of |
464 | .B fattr |
465 | is good enough for setting global options, and the implicit context |
466 | disambiguates local options. |
467 | .PP |
468 | The following file attribute options are supported: |
469 | .OS "File attribute options (`fattr')" |
470 | .IB prefix .fattr.mode |
471 | .RB [ = ] |
472 | .I mode |
473 | .OD |
474 | Sets the permissions mode for a new file. The |
475 | .I mode |
476 | argument may be either an octal number or a |
477 | .BR chmod (1)-style |
478 | string which acts on the default permissions established by the |
479 | prevailing |
480 | .BR umask (2) |
481 | setting. The characters |
482 | .RB ` = ' |
483 | and |
484 | .RB ` , ' |
485 | do not have to be quoted within the mode string. |
486 | .OE |
487 | .OS "File attribute options (`fattr')" |
488 | .IB prefix .fattr.owner |
489 | .RB [ = ] |
490 | .I user |
491 | .OD |
492 | Sets the owner for newly created files. On non-broken systems you will |
493 | need to be the superuser to set the owner on a file. The |
494 | .I user |
495 | may either be a numeric uid or a username. The default is not to change |
496 | the owner of the file once it's created. The synonyms |
497 | .B uid |
498 | and |
499 | .B user |
500 | are accepted in place of |
501 | .BR owner . |
502 | .OE |
503 | .OS "File attribute options (`fattr')" |
504 | .IB prefix .fattr.group |
505 | .RB [ = ] |
506 | .I group |
507 | .OD |
508 | Sets the group for newly created files. You will usually need to be a |
509 | member of the group in question order to set the group of a file. The |
510 | .I group |
511 | may either be a numeric gid or a group name. The default is not to |
512 | change the group of the file once it's created. The synonym |
513 | .B gid |
514 | is accepted in place of |
515 | .BR group . |
516 | .OE |
517 | . |
667fb920 |
518 | .SS "The `file' source and target types" |
519 | The |
520 | .B file |
521 | source and target allow data to move to and from objects other |
522 | than sockets within the Unix filesystem. (Unix-domain sockets are |
523 | handled using the |
524 | .B socket |
525 | source and target.) |
526 | .PP |
527 | If a |
528 | .B file |
529 | is used as a source, it is set up immediately. |
530 | .PP |
531 | The syntax of |
532 | .B file |
533 | sources and targets is like this: |
333c51f4 |
534 | .GS "File sources and targets" |
667fb920 |
535 | .I source |
536 | ::= |
537 | .I file |
538 | .br |
539 | .I target |
540 | ::= |
541 | .I file |
542 | .br |
543 | .I file |
544 | ::= |
545 | .B file |
23be5eb0 |
546 | .RB [ .\& ] |
667fb920 |
547 | .I fspec |
548 | .RB [ , |
549 | .IR fspec ] |
550 | .br |
551 | .I fspec |
552 | ::= |
553 | .I fd-spec |
554 | | |
555 | .I name-spec |
556 | | |
557 | .I null-spec |
558 | .br |
559 | .I fd-spec |
560 | ::= |
561 | .RB [[ : ] fd [ : ]] |
562 | .IR number \c |
563 | .RB | stdin | stdout |
564 | .br |
565 | .I name-spec |
566 | ::= |
b69a615b |
567 | .RB [[ : ] name [ : ]] |
667fb920 |
568 | .I file-name |
569 | .br |
570 | .I file-name |
571 | ::= |
572 | .I path-seq |
573 | | |
574 | .B [ |
575 | .I path-seq |
576 | .B ] |
577 | .br |
578 | .I path-seq |
579 | ::= |
580 | .I path-elt |
581 | | |
582 | .I path-seq |
583 | .I path-elt |
584 | .br |
585 | .I path-elt |
586 | ::= |
587 | .B / |
588 | | |
589 | .I word |
590 | .br |
591 | .I null-spec |
592 | ::= |
e73034b0 |
593 | .RB [ : ] null [ : ] |
333c51f4 |
594 | .GE |
667fb920 |
595 | The |
596 | .I file |
597 | specification describes two files, the first to be used as input, the |
598 | second to be used as output, each described by an |
599 | .IR fspec . |
600 | .PP |
601 | If none of the keywords |
602 | .RB ` fd ', |
603 | .RB ` name ' |
604 | or |
605 | .RB ` null ' |
606 | are given, the type of an |
607 | .I fspec |
608 | is deduced from its nature: if it matches one of the strings |
609 | .RB ` stdin ' |
610 | or |
611 | .RB ` stdout ', |
612 | or begins with a digit, it's considered to be a file descriptor; |
613 | otherwise it's interpreted as a filename. |
614 | .PP |
615 | A |
616 | .RB ` name ' |
617 | spec describes a file by its name within the filesystem. It is opened |
618 | when needed and closed again after use. For output files, the precise |
619 | behaviour is controlled by options described below. |
620 | .PP |
621 | A |
622 | .RB ` null ' |
623 | spec attaches the input or output of the source or target to |
624 | .BR /dev/null . |
625 | .PP |
626 | An |
627 | .RB ` fd ' |
628 | spec uses an existing open file descriptor, given either by number or a |
629 | symbolic name. The name |
630 | .RB ` stdin ' |
631 | refers to standard input (file descriptor 0 on normal systems) and |
632 | .RB ` stdout ' |
633 | refers to standard output (file descriptor 1). The names work in |
634 | exactly the same way as the equivalent file descriptor numbers. |
635 | .PP |
636 | If the output |
637 | .I fspec |
638 | is omitted, the input |
639 | .I fspec |
640 | is used for both input and output. Exception: if the input refers to |
641 | standard input then the output will refer to standard output instead. |
642 | .PP |
643 | All |
644 | .B file |
645 | options apply equally to sources and targets. The options are as |
646 | follows: |
333c51f4 |
647 | .OS "File options" |
667fb920 |
648 | .B file.create |
649 | .RB [ = ] |
650 | .BR yes | no |
333c51f4 |
651 | .OD |
667fb920 |
652 | Whether to create the output file if it doesn't exist. If |
653 | .B no |
654 | (the default), an error is reported if the file doesn't exist. If |
655 | .BR yes , |
656 | the file is created if it doesn't exist. |
333c51f4 |
657 | .OE |
658 | .OS "File options" |
667fb920 |
659 | .B file.open |
660 | .RB [ = ] |
661 | .BR no | truncate | append |
333c51f4 |
662 | .OD |
667fb920 |
663 | Controls the behaviour if the output file already exists. If |
664 | .BR no , |
665 | an error is reported. If |
666 | .B truncate |
667 | (the default), the existing file is replaced by the new data. If |
668 | .BR append , |
669 | the new data is appended to the file. |
333c51f4 |
670 | .OE |
671 | .OS "File options" |
672 | .BR file.fattr.* |
673 | .OD |
667fb920 |
674 | The |
675 | .B file |
676 | source and target also accept |
677 | .B fattr |
333c51f4 |
678 | options for controlling the attributes of the created file. |
679 | .OE |
667fb920 |
680 | .PP |
333c51f4 |
681 | Under no circumstances will |
682 | .B fw |
683 | create a file through a `dangling' symbolic link. |
667fb920 |
684 | . |
685 | .SS "The `exec' source and target types" |
686 | The |
687 | .B exec |
688 | source and target execute programs and allow access to their standard |
689 | input and output streams. Both source and target have the same syntax, |
690 | which is as follows: |
333c51f4 |
691 | .GS "Exec source and target" |
667fb920 |
692 | .I source |
693 | ::= |
694 | .I exec |
695 | .br |
696 | .I target |
697 | ::= |
698 | exec |
699 | .br |
700 | .I exec |
701 | ::= |
702 | .BR exec |
23be5eb0 |
703 | .RB [ .\& ] |
667fb920 |
704 | .I cmd-spec |
705 | .br |
706 | .I cmd-spec |
707 | ::= |
708 | .I shell-cmd |
10a454ad |
709 | | |
667fb920 |
710 | .RI [ prog-name ] |
711 | .B [ |
712 | .I argv0 |
713 | .I arg-seq |
714 | .B ] |
715 | .br |
716 | .I arg-seq |
717 | ::= |
718 | .I word |
719 | | |
720 | .I arg-seq |
721 | .I word |
722 | .br |
723 | .I shell-cmd |
724 | ::= |
725 | .I word |
726 | .br |
727 | .I argv0 |
728 | ::= |
729 | .I word |
333c51f4 |
730 | .GE |
667fb920 |
731 | If a single word is given, it is a |
732 | .I shell-cmd |
733 | and will be passed to the Bourne shell for execution. If a |
734 | bracket-enclosed sequence of words is given, it is considered to be a |
735 | list of arguments to pass to the program: if a |
736 | .I prog-name |
737 | is also supplied, it names the file containing the program to execute; |
738 | otherwise the file named by the first argument |
739 | .RI ( argv0 ) |
740 | is used. |
741 | .PP |
49f5947b |
742 | Note that the shell command or program name string must, if present, |
743 | have any delimiter characters (including |
744 | .RB ` / ' |
745 | and |
746 | .RB ` . ') |
747 | quoted; this is not required in the |
748 | .RB ` [ '-enclosed |
749 | argument list. |
750 | .PP |
667fb920 |
751 | The standard input and output of the program are forwarded to the other |
752 | end of the connection. The standard error stream is caught by |
753 | .B fw |
754 | and logged. |
755 | .PP |
756 | The |
757 | .B exec |
758 | source and target both understand the same set of options. The list of |
759 | options supported is as follows: |
333c51f4 |
760 | .OS "Exec options" |
667fb920 |
761 | .B exec.logging |
762 | .RB [ = ] |
763 | .BR yes | no |
333c51f4 |
764 | .OD |
667fb920 |
765 | Whether to log the start and end of executed programs. If |
766 | .B yes |
767 | (the default), a log message is emitted when the program is started |
768 | listing its process id, and another is emitted when the program finishes |
769 | giving its process id and exit status. If |
770 | .BR no , |
771 | these messages are not emitted. However the standard error stream is |
772 | still logged. The |
773 | .B log |
774 | abbreviation is accepted as a synonym for |
775 | .BR logging . |
333c51f4 |
776 | .OE |
777 | .OS "Exec options" |
667fb920 |
778 | .B exec.dir |
779 | .RB [ = ] |
780 | .I file-name |
333c51f4 |
781 | .OD |
667fb920 |
782 | Sets the current directory from which the the program should be run. |
783 | The default is not to change directory. The synonyms |
784 | .BR cd , |
785 | .B chdir |
786 | and |
787 | .B cwd |
788 | are accepted in place of |
789 | .BR dir . |
333c51f4 |
790 | .OE |
791 | .OS "Exec options" |
667fb920 |
792 | .B exec.root |
793 | .RB [ = ] |
794 | .I file-name |
333c51f4 |
795 | .OD |
667fb920 |
796 | Sets the root directory for the program, using the |
797 | .BR chroot (2) |
798 | system call. You must be the superuser for this option to work. The |
372a98e2 |
799 | default is not to set a root directory. The synonym |
800 | .B chroot |
801 | is accepted in place of |
802 | .BR root . |
333c51f4 |
803 | .OE |
804 | .OS "Exec options" |
667fb920 |
805 | .B exec.user |
806 | .RB [ = ] |
807 | .I user |
333c51f4 |
808 | .OD |
667fb920 |
809 | Sets the user (real and effective uid) to run the program as. This will |
810 | usually require superuser privileges to work. The default is not to |
811 | change uid. The synonym |
812 | .B uid |
813 | is accepted in place of |
814 | .BR user . |
333c51f4 |
815 | .OE |
816 | .OS "Exec options" |
667fb920 |
817 | .B exec.group |
818 | .RB [ = ] |
819 | .I group |
333c51f4 |
820 | .OD |
667fb920 |
821 | Sets the group (real and effective gid) to run the program as. If |
822 | running with superuser privileges, the supplementary groups list is |
823 | cleared at the same time. The default is not to change gid (or clear |
824 | the supplementary groups list). The synonym |
825 | .B gid |
826 | is accepted in place of |
827 | .BR group . |
333c51f4 |
828 | .OE |
829 | .OS "Exec options" |
667fb920 |
830 | .BI exec.rlimit. limit \c |
831 | .RB [ .hard | .soft ] |
832 | .RB [ = ] |
833 | .I value |
333c51f4 |
834 | .OD |
667fb920 |
835 | Set resource limits for the program. The |
836 | .I limit |
837 | may be one of the resource limit names described in |
838 | .BR setrlimit (2), |
839 | in lower-case and without the |
840 | .B RLIMIT_ |
841 | prefix; for example, |
842 | .B RLIMIT_CORE |
843 | becomes simply |
844 | .BR core . |
845 | The |
846 | .I value |
847 | is a number, followed optionally by |
848 | .B k |
849 | to multiply by 1024 (2\*(ss10\*(se), |
850 | .B m |
851 | to multiply by 1048576 (2\*(ss20\*(se), or |
852 | .B g |
853 | to multiply by 1073741824 (2\*(ss30\*(se); purists can use upper-case |
854 | versions of these if they want. If |
855 | .B .hard |
856 | or |
857 | .B .soft |
858 | was specified, only the hard or soft limit is set; otherwise both are |
859 | set to the same value. Only the superuser can raise the hard limit. |
860 | The soft limit cannot be set above the hard limit. |
333c51f4 |
861 | .OE |
862 | .OS "Exec options" |
667fb920 |
863 | .B exec.env.clear |
333c51f4 |
864 | .OD |
667fb920 |
865 | Clears the program's environment. |
333c51f4 |
866 | .OE |
667fb920 |
867 | .PP |
868 | .B exec.env.unset |
869 | .I var |
333c51f4 |
870 | .OD |
667fb920 |
871 | Removes |
872 | .I var |
873 | from the program's environment. It is not an error if no variable named |
874 | .I var |
875 | exists. |
333c51f4 |
876 | .OE |
877 | .OS "Exec options" |
667fb920 |
878 | .BR exec.env. [ set ] |
879 | .I var |
880 | .RB [ = ] |
881 | .I value |
333c51f4 |
882 | .OD |
96bc31ba |
883 | Assigns the variable |
667fb920 |
884 | .I var |
885 | the value |
886 | .I value |
887 | in the program's environment, possibly replacing the existing value. |
888 | The |
889 | .B set |
890 | may be omitted if the |
891 | .B env |
892 | qualifier is present. |
333c51f4 |
893 | .OE |
667fb920 |
894 | .PP |
895 | Note that environment variable modifications are performed in order, |
896 | global modifications before local ones. |
897 | . |
898 | .SS "The `socket' source and target types" |
899 | The |
900 | .B socket |
901 | source and target provide access to network services. Support is |
902 | currently provided for TCP/IP and Unix-domain sockets, although other |
903 | address types can be added with reasonable ease. |
904 | .PP |
905 | The syntax for socket sources and targets is: |
333c51f4 |
906 | .GS "Socket source and target" |
667fb920 |
907 | .ll +8i |
908 | .I source |
909 | ::= |
910 | .I socket-source |
10a454ad |
911 | .br |
667fb920 |
912 | .I target |
913 | ::= |
914 | .I socket-target |
915 | .br |
916 | .I socket-source |
917 | ::= |
23be5eb0 |
918 | .RB [ socket [ .\& ]] |
667fb920 |
919 | .RB [[ : ] \c |
920 | .IR addr-type \c |
921 | .RB [ : ]] |
922 | .I source-addr |
923 | .br |
924 | .I socket-target |
925 | ::= |
23be5eb0 |
926 | .RB [ socket [ .\& ]] |
667fb920 |
927 | .RB [[ : ] \c |
928 | .IR addr-type \c |
929 | .RB [ : ]] |
930 | .I target-addr |
931 | .ll -8i |
333c51f4 |
932 | .GE |
667fb920 |
933 | The syntax of the source and target addresses depend on the address |
934 | types, which are described below. The default address type, if no |
935 | .I addr-type |
936 | is given, is |
937 | .BR inet . |
938 | .PP |
939 | Socket sources support options; socket targets do not. The source |
940 | options provided are: |
333c51f4 |
941 | .OS "Socket options" |
667fb920 |
942 | .B socket.conn |
943 | .RB [ = ] |
d857515e |
944 | .IR number | \c |
945 | .BR unlimited | one-shot |
333c51f4 |
946 | .OD |
d857515e |
947 | Controls the behaviour of the source when it receives connections. A |
667fb920 |
948 | .I number |
d857515e |
949 | limits the number of simultaneous connections. The value |
950 | .B unlimited |
951 | (or |
952 | .BR infinite ) |
953 | removes any limit on the number of connections possible. The value |
954 | .B one-shot |
955 | will remove the socket source after a single successful connection. |
956 | (Connections refused by access control systems don't count here.) |
957 | The default is to apply a limit of 256 concurrent connections. Use of |
958 | the |
959 | .B unlimited |
960 | option is not recommended. |
333c51f4 |
961 | .OE |
962 | .OS "Socket options" |
6f427571 |
963 | .B socket.listen |
964 | .RB [ = ] |
965 | .I number |
966 | .OD |
967 | Sets the maximum of the kernel incoming connection queue for this socket |
968 | source. This is the number given to the |
969 | .BR listen (2) |
970 | system call. The default is 5. |
971 | .OE |
972 | .OS "Socket options" |
667fb920 |
973 | .B socket.logging |
974 | .RB [ = ] |
975 | .BR yes | no |
333c51f4 |
976 | .OD |
667fb920 |
977 | Whether to log incoming connections. If |
978 | .B yes |
979 | (the default) incoming connections are logged, together with information |
980 | about the client (where available) and whether the connection was |
981 | accepted or refused. If |
982 | .BR no , |
983 | log messages are not generated. |
333c51f4 |
984 | .OE |
667fb920 |
985 | .PP |
986 | Address types also provide their own options. |
987 | . |
988 | .SS "The `inet' socket address type" |
989 | The |
990 | .B inet |
991 | address type provides access to TCP ports. The |
992 | .B inet |
993 | source and target addresses have the following syntax: |
333c51f4 |
994 | .GS "Socket source and target" |
667fb920 |
995 | .I inet-source-addr |
10a454ad |
996 | ::= |
10a454ad |
997 | .RB [ port ] |
998 | .I port |
667fb920 |
999 | .br |
1000 | .I inet-target-addr |
1001 | ::= |
1002 | .I address |
10a454ad |
1003 | .RB [ : ] |
1004 | .I port |
10a454ad |
1005 | .br |
667fb920 |
1006 | .I address |
10a454ad |
1007 | ::= |
667fb920 |
1008 | .I addr-elt |
1009 | | |
1010 | .I address |
1011 | .I addr-elt |
10a454ad |
1012 | .br |
667fb920 |
1013 | .I addr-elt |
10a454ad |
1014 | ::= |
23be5eb0 |
1015 | .B .\& |
10a454ad |
1016 | | |
667fb920 |
1017 | .I word |
333c51f4 |
1018 | .GE |
667fb920 |
1019 | A |
1020 | .I port |
1021 | may be given as a port number or a service name from the |
1022 | .B /etc/services |
1023 | file (or YP map if you do that sort of thing). A |
1024 | .B hostname |
1025 | may be a textual hostname or a numerical IP address. |
1026 | .PP |
1027 | The |
1028 | .B inet |
1029 | source address accepts the following options: |
333c51f4 |
1030 | .OS "Socket options" |
1c2054c7 |
1031 | .B socket.inet.source.addr |
1032 | .RB [ = ] |
1033 | .RR any | \c |
1034 | .I addr |
1035 | .OD |
1036 | Specify the IP address on which to listen for incoming connections. The |
1037 | default is |
1038 | .BR any , |
1039 | which means to listen on all addresses, though it may be useful to |
1040 | specify this explicitly, if the global setting is different. |
1041 | .OE |
1042 | .OS "Socket options" |
1043 | .BR socket.inet.source. [ allow | deny ] |
1044 | .RB [ host ] |
1045 | .I addr |
10a454ad |
1046 | .RB [ / |
1c2054c7 |
1047 | .IR addr ] |
333c51f4 |
1048 | .OD |
667fb920 |
1049 | Adds an entry to the source's access control list. If only one |
1050 | .I address |
1051 | is given, the entry applies only to that address; if two are given, the |
1052 | first is a network address and the second is a netmask either in |
1053 | dotted-quad format or a simple number of bits (e.g., |
1054 | .B /255.255.255.192 |
1055 | and |
1056 | .B /26 |
1057 | mean the same), and the entry applies to any address which, when masked |
1058 | by the netmask, is equal to the masked network address. |
333c51f4 |
1059 | .OE |
1c2054c7 |
1060 | .OS "Socket options" |
1061 | .BR socket.inet.source. [ allow | deny ] |
1062 | .B priv-port |
1063 | .OD |
1064 | Accept or reject connections from low-numbered `privileged' ports, in |
1065 | the range 0--1023. |
1066 | .OE |
1067 | .OS "Socket options" |
1068 | .B socket.inet.dest.addr |
1069 | .RB [ = ] |
1070 | .RR any | \c |
1071 | .I addr |
1072 | .OD |
1073 | Specify the IP address to bind the local socket to when making an |
1074 | outbound connection. The default is |
1075 | .BR any , |
1076 | which means to use whichever address the kernel thinks is most |
1077 | convenient. This option is useful if the destination is doing |
1078 | host-based access control and your server is multi-homed. |
1079 | .OE |
ee599f55 |
1080 | .OS "Socket options" |
1081 | .B socket.inet.dest.priv-port |
1082 | .RB [=] |
1083 | .BR yes | no |
1084 | .OD |
1085 | Make a privileged connection (i.e., from a low-numbered port) to the |
1086 | target. This only works if |
1087 | .B fw |
1088 | was started with root privileges. However, it still works if |
1089 | .B fw |
1090 | has |
1091 | .I dropped |
1092 | privileges after initialization (the |
1093 | .B \-s |
1094 | option). Before dropping privileges, |
1095 | .B fw |
1096 | forks off a separate process which continues to run with root |
1097 | privileges, and on demand passes sockets bound to privileged ports and |
1098 | connected to the appropriate peer back to the main program. The |
1099 | privileged child only passes back sockets connected to peer addresses |
1100 | named in the configuration; even if the |
1101 | .B fw |
1102 | process is compromised, it can't make privileged connections to other |
1103 | addresses. Note that because of this privilege separation, it's also |
1104 | not possible to reconfigure |
1105 | .B fw |
69c8e834 |
1106 | to make privileged connections to different peer addresses later by |
ee599f55 |
1107 | changing configuration files and sending the daemon a |
1108 | .BR SIGHUP . |
1109 | .OE |
10a454ad |
1110 | .PP |
333c51f4 |
1111 | The access control rules are examined in the order: local entries first, |
1112 | then global ones, each in the order given in the configuration file. |
1113 | The first matching entry is used. If no entries match, the behaviour is |
1114 | the |
667fb920 |
1115 | .I opposite |
1116 | of the last entry tried. If there are no entries defined, the default |
1117 | is to allow all clients. |
667fb920 |
1118 | . |
1119 | .SS "The `unix' socket address type" |
10a454ad |
1120 | The |
667fb920 |
1121 | .B unix |
1122 | address type allows access to Unix-domain sockets. The syntax for |
1123 | .B unix |
1124 | source and target addresses is like this: |
333c51f4 |
1125 | .GS "Socket source and target" |
1126 | .I unix-source-addr |
667fb920 |
1127 | ::= |
333c51f4 |
1128 | .I file-name |
667fb920 |
1129 | .br |
333c51f4 |
1130 | .I unix-target-addr |
667fb920 |
1131 | ::= |
1132 | .I file-name |
333c51f4 |
1133 | .GE |
1134 | The following options are supported by the |
1135 | .B unix |
1136 | source address type: |
1137 | .OS "Socket options" |
1138 | .BR socket.unix.fattr. * |
1139 | .OD |
667fb920 |
1140 | The |
1141 | .B unix |
1142 | source address accepts |
1143 | .B fattr |
333c51f4 |
1144 | options to control the attributes of the socket file created. |
1145 | .OE |
1146 | .PP |
1147 | Sockets are removed if |
10a454ad |
1148 | .B fw |
667fb920 |
1149 | exits normally (which it will do if it runs out of sources or |
372a98e2 |
1150 | connections, or if |
1151 | .B fw |
1152 | shuts down in a clean way). |
667fb920 |
1153 | .SH "EXAMPLES" |
1154 | To forward the local port 25 to a main mail server: |
1155 | .VS |
1156 | from 25 to mailserv:25 |
1157 | .VE |
1158 | To attach a fortune server to a Unix-domain socket: |
1159 | .VS |
1160 | from unix:/tmp/fortunes |
1161 | to exec [/usr/games/fortune] { user nobody } |
1162 | .VE |
1163 | To fetch a fortune from the server: |
1164 | .VS |
1165 | from file stdin, stdout to unix:/tmp/fortunes |
1166 | .VE |
1167 | To emulate |
1168 | .BR cat (1): |
1169 | .VS |
49f5947b |
1170 | from file stdin, null to file null, stdout |
667fb920 |
1171 | .VE |
69c8e834 |
1172 | .sp -1 \" undo final space |
667fb920 |
1173 | . |
1174 | .\"-------------------------------------------------------------------------- |
372a98e2 |
1175 | .SH "SIGNAL HANDLING" |
1176 | . |
1177 | The |
1178 | .B fw |
1179 | program responds to various signals when it's running. If it receives |
1180 | .B SIGTERM |
1181 | or |
1182 | .BR SIGINT , |
1183 | .B fw |
1184 | performs a |
1185 | .I graceful |
1186 | shutdown: it removes all of its sources, and will exit when no more |
1187 | connections are running. (Note that if the disposition |
1188 | .B SIGINT |
1189 | was to ignore it, |
1190 | .B fw |
1191 | does not re-enable the signal. You'll have to send |
1192 | .B SIGTERM |
1193 | in that case.) If |
1194 | .B fw |
1195 | receives |
1196 | .BR SIGQUIT , |
1197 | it performs an |
1198 | .I abrupt |
1199 | shutdown: it removes all sources and extant connections and closes down |
1200 | more-or-less immediately. |
1201 | .PP |
1202 | Finally, if any configuration files (other than standard input) were |
1203 | provided to |
1204 | .B fw |
1205 | on its command line using the |
1206 | .B \-f |
1207 | option, a |
1208 | .B SIGHUP |
1209 | signal may be sent to instruct |
1210 | .B fw |
1211 | to reload its configuration. Any existing connections are allowed to |
1212 | run their course. If no such configuration files are available, |
1213 | .B fw |
1214 | just logs a message about the signal and continues. |
372a98e2 |
1215 | . |
1216 | .\"-------------------------------------------------------------------------- |
333c51f4 |
1217 | .SH "GRAMMAR SUMMARY" |
1218 | . |
1219 | .SS "Basic syntax" |
1220 | .I file |
1221 | ::= |
1222 | .I empty |
1223 | | |
1224 | .I file |
1225 | .I stmt |
1226 | .RB [ ; ] |
1227 | .br |
1228 | .I stmt |
1229 | ::= |
1230 | .I option-stmt |
1231 | | |
1232 | .I fw-stmt |
1233 | .br |
1234 | .I fw-stmt |
1235 | ::= |
1236 | .B fw |
1237 | .I source |
1238 | .I options |
1239 | .RB [ to | \-> ] |
1240 | .I target |
1241 | .I options |
1242 | .br |
1243 | .I options |
1244 | ::= |
1245 | .B { |
1246 | .I option-seq |
1247 | .B } |
1248 | .br |
1249 | .I option-seq |
1250 | ::= |
1251 | .I empty |
1252 | | |
1253 | .I option-stmt |
1254 | .RB [ ; ] |
1255 | .I option-seq |
1256 | . |
1257 | .SS "Option syntax" |
1258 | .I option-stmt |
1259 | ::= |
1260 | .I q-option |
1261 | .br |
1262 | .I q-option |
1263 | ::= |
1264 | .I option |
1265 | .br |
1266 | | |
1267 | .I prefix |
23be5eb0 |
1268 | .B .\& |
333c51f4 |
1269 | .I q-option |
1270 | .br |
1271 | | |
1272 | .I prefix |
1273 | .B { |
1274 | .I option-seq |
1275 | .B } |
1276 | .br |
1277 | .I prefix |
1278 | ::= |
1279 | .I word |
1280 | . |
1281 | .SS "File source and target" |
1282 | .I source |
1283 | ::= |
1284 | .I file |
1285 | .br |
1286 | .I target |
1287 | ::= |
1288 | .I file |
1289 | .br |
1290 | .I file |
1291 | ::= |
1292 | .B file |
23be5eb0 |
1293 | .RB [ .\& ] |
333c51f4 |
1294 | .I fspec |
1295 | .RB [ , |
1296 | .IR fspec ] |
1297 | .br |
1298 | .I fspec |
1299 | ::= |
1300 | .I fd-spec |
1301 | | |
1302 | .I name-spec |
1303 | | |
1304 | .I null-spec |
1305 | .br |
1306 | .I fd-spec |
1307 | ::= |
1308 | .RB [[ : ] fd [ : ]] |
1309 | .IR number \c |
1310 | .RB | stdin | stdout |
1311 | .br |
1312 | .I name-spec |
1313 | ::= |
b69a615b |
1314 | .RB [[ : ] name [ : ]] |
333c51f4 |
1315 | .I file-name |
1316 | .br |
1317 | .I file-name |
1318 | ::= |
1319 | .I path-seq |
1320 | | |
1321 | .B [ |
1322 | .I path-seq |
1323 | .B ] |
1324 | .br |
1325 | .I path-seq |
1326 | ::= |
1327 | .I path-elt |
1328 | | |
1329 | .I path-seq |
1330 | .I path-elt |
1331 | .br |
1332 | .I path-elt |
1333 | ::= |
1334 | .B / |
1335 | | |
1336 | .I word |
1337 | .br |
1338 | .I null-spec |
1339 | ::= |
1340 | .RB [ : ] null [ : ] |
1341 | . |
1342 | .SS "Exec source and target" |
1343 | .I source |
1344 | ::= |
1345 | .I exec |
1346 | .br |
1347 | .I target |
1348 | ::= |
1349 | exec |
1350 | .br |
1351 | .I exec |
1352 | ::= |
1353 | .BR exec |
23be5eb0 |
1354 | .RB [ .\& ] |
333c51f4 |
1355 | .I cmd-spec |
1356 | .br |
1357 | .I cmd-spec |
1358 | ::= |
1359 | .I shell-cmd |
1360 | | |
1361 | .RI [ prog-name ] |
1362 | .B [ |
1363 | .I argv0 |
1364 | .I arg-seq |
1365 | .B ] |
1366 | .br |
1367 | .I arg-seq |
1368 | ::= |
1369 | .I word |
1370 | | |
1371 | .I arg-seq |
1372 | .I word |
1373 | .br |
1374 | .I shell-cmd |
1375 | ::= |
1376 | .I word |
1377 | .br |
1378 | .I argv0 |
1379 | ::= |
1380 | .I word |
1381 | . |
1382 | .SS "Socket source and target" |
1383 | .ll +8i |
1384 | .I source |
1385 | ::= |
1386 | .I socket-source |
1387 | .br |
1388 | .I target |
1389 | ::= |
1390 | .I socket-target |
1391 | .br |
1392 | .I socket-source |
1393 | ::= |
23be5eb0 |
1394 | .RB [ socket [ .\& ]] |
333c51f4 |
1395 | .RB [[ : ] \c |
1396 | .IR addr-type \c |
1397 | .RB [ : ]] |
1398 | .I source-addr |
1399 | .br |
1400 | .I socket-target |
1401 | ::= |
23be5eb0 |
1402 | .RB [ socket [ .\& ]] |
333c51f4 |
1403 | .RB [[ : ] \c |
1404 | .IR addr-type \c |
1405 | .RB [ : ]] |
1406 | .I target-addr |
1407 | .ll -8i |
1408 | .PP |
1409 | .I inet-source-addr |
1410 | ::= |
1411 | .RB [ port ] |
1412 | .I port |
1413 | .br |
1414 | .I inet-target-addr |
1415 | ::= |
1416 | .I address |
1417 | .RB [ : ] |
1418 | .I port |
1419 | .br |
1420 | .I address |
1421 | ::= |
1422 | .I addr-elt |
1423 | | |
1424 | .I address |
1425 | .I addr-elt |
1426 | .br |
1427 | .I addr-elt |
1428 | ::= |
23be5eb0 |
1429 | .B .\& |
333c51f4 |
1430 | | |
1431 | .I word |
1432 | .PP |
1433 | .I unix-source-addr |
1434 | ::= |
1435 | .I file-name |
1436 | .br |
1437 | .I unix-target-addr |
1438 | ::= |
1439 | .I file-name |
1440 | . |
1441 | .\"-------------------------------------------------------------------------- |
1442 | .SH "OPTION SUMMARY" |
1443 | . |
1444 | .SS "File attributes (`fattr')" |
1445 | .IB prefix .fattr.mode |
1446 | .RB [ = ] |
1447 | .I mode |
1448 | .br |
1449 | .IB prefix .fattr.owner |
1450 | .RB [ = ] |
1451 | .I user |
1452 | .br |
1453 | .IB prefix .fattr.group |
1454 | .RB [ = ] |
1455 | .I group |
1456 | . |
1457 | .SS "File options" |
1458 | .B file.create |
1459 | .RB [ = ] |
1460 | .BR yes | no |
1461 | .br |
1462 | .B file.open |
1463 | .RB [ = ] |
1464 | .BR no | truncate | append |
1465 | .br |
1466 | .BR file.fattr. * |
1467 | . |
1468 | .SS "Exec options" |
1469 | .B exec.logging |
1470 | .RB [ = ] |
1471 | .BR yes | no |
1472 | .br |
1473 | .B exec.dir |
1474 | .RB [ = ] |
1475 | .I file-name |
1476 | .br |
1477 | .B exec.root |
1478 | .RB [ = ] |
1479 | .I file-name |
1480 | .br |
1481 | .B exec.user |
1482 | .RB [ = ] |
1483 | .I user |
1484 | .br |
1485 | .B exec.group |
1486 | .RB [ = ] |
1487 | .I group |
1488 | .br |
1489 | .BI exec.rlimit. limit \c |
1490 | .RB [ .hard | .soft ] |
1491 | .RB [ = ] |
1492 | .I value |
1493 | .br |
1494 | .B exec.env.clear |
1495 | .br |
1496 | .B exec.env.unset |
1497 | .I var |
1498 | .br |
1499 | .BR exec.env. [ set ] |
1500 | .I var |
1501 | .RB [ = ] |
1502 | .I value |
1503 | . |
1504 | .SS "Socket options" |
1505 | .B socket.conn |
1506 | .RB [ = ] |
d857515e |
1507 | .IR number | \c |
1508 | .BR unlimited | one-shot |
333c51f4 |
1509 | .br |
6f427571 |
1510 | .B socket.listen |
1511 | .RB [ = ] |
1512 | .I number |
1513 | .br |
333c51f4 |
1514 | .B socket.logging |
1515 | .RB [ = ] |
1516 | .BR yes | no |
1517 | .PP |
1c2054c7 |
1518 | .BR socket.inet.source. [ allow | deny ] |
1519 | .RB [ host ] |
1520 | .I addr |
333c51f4 |
1521 | .RB [ / |
1c2054c7 |
1522 | .IR addr ] |
1523 | .br |
1524 | .BR socket.inet.source. [ allow | deny ] |
1525 | .B priv-port |
1526 | .br |
1527 | .B socket.inet.source.addr |
1528 | .RB [ = ] |
1529 | .BR any | \c |
1530 | .I addr |
1531 | .br |
1532 | .B socket.inet.dest.addr |
1533 | .RB [ = ] |
1534 | .BR any | \c |
1535 | .I addr |
ee599f55 |
1536 | .br |
1537 | .B socket.inet.dest.priv-port |
1538 | .RB [=] |
1539 | .BR yes | no |
333c51f4 |
1540 | .PP |
1541 | .BR socket.unix.fattr. * |
1542 | . |
1543 | .\"-------------------------------------------------------------------------- |
10a454ad |
1544 | .SH "BUGS" |
667fb920 |
1545 | . |
cdc917d3 |
1546 | The syntax for IP addresses and filenames is nasty. |
10a454ad |
1547 | .PP |
d857515e |
1548 | IPv6 is not supported yet. Because of |
1549 | .BR fw 's |
1550 | socket address architecture, it's probably not a major piece of work to |
667fb920 |
1551 | add. |
10a454ad |
1552 | .PP |
667fb920 |
1553 | Please inform me of any security problems you think you've identified in |
1554 | this program. I take security very seriously, and I will fix security |
1555 | holes as a matter of priority when I find out about them. I will be |
1556 | annoyed if I have to read about problems on Bugtraq because they weren't |
1557 | mailed to me first. |
723210e6 |
1558 | .PP |
1559 | The program is too complicated, and this manual page is too long. |
667fb920 |
1560 | . |
1561 | .\"-------------------------------------------------------------------------- |
10a454ad |
1562 | .SH "AUTHOR" |
667fb920 |
1563 | . |
10a454ad |
1564 | Mark Wooding, <mdw@nsict.org> |
667fb920 |
1565 | . |
1566 | .\"----- That's all, folks -------------------------------------------------- |