tcprules(1)                                           tcprules(1)


NAME
       tcprules - compiles rules for tcpserver(1).

SYNOPSIS
       tcprules cdb tmp

DESCRIPTION
       tcpserver(1)  optionally follows rules to decide whether a
       TCP connection is acceptable. For example, the rule

              18.23.0.32:deny

       prohibits connections from IP address 18.23.0.32.

       tcprules reads rules from its standard  input  and  writes
       them  into  cdb in a binary format suited for quick access
       by tcpserver(1).

       tcprules can be used while  tcpserver(1)  is  running.  It
       ensures  that  cdb  is updated atomically. It does this by
       first writing the rules to tmp and then moving tmp on  top
       of  cdb.   If  tmp  already  exists,  it is destroyed. The
       directories containing cdb and tmp  must  be  writable  to
       tcprules; they must also be on the same filesystem.

       If there is a problem with the input or with tmp, tcprules
       complains and leaves cdb alone.

       The binary cdb format is portable across machines.

RULE FORMAT
       A rule is one line. A file containing rules may also contain
       comments: lines beginning with # are ignored.

       Each  rule  contains  an  address,  a colon, and a list of
       instructions, with  no  extra  spaces.  When  tcpserver(1)
       receives  a  connection  from that address, it follows the
       instructions.

ADDRESSES
       tcpserver(1) looks for rules with various addresses:

       1.     $TCPREMOTEINFO@$TCPREMOTEIP, if  $TCPREMOTEINFO  is
              set;

       2.     $TCPREMOTEINFO@=$TCPREMOTEHOST,  if  $TCPREMOTEINFO
              is set and $TCPREMOTEHOST is set;

       3.     $TCPREMOTEIP;

       4.     =$TCPREMOTEHOST, if $TCPREMOTEHOST is set;

       5.     shorter and shorter prefixes of $TCPREMOTEIP ending
              with a dot;

       6.     shorter  and  shorter  suffixes  of  $TCPREMOTEHOST
              starting with a dot, preceded by =, if
              $TCPREMOTEHOST is set;

       7.     =, if $TCPREMOTEHOST is set; and finally

       8.     the empty string.

       tcpserver(1)  uses the first rule it finds. You should use
       the -p option to tcpserver(1) if you rely on
       $TCPREMOTEHOST here.

       For example, here are some rules:

            joe@127.0.0.1:first
            18.23.0.32:second
            :third
            127.:fourth

       If  $TCPREMOTEIP is 10.119.75.38, tcpserver(1) will follow
       the third instructions.

       If $TCPREMOTEIP is 18.23.0.32,  tcpserver(1)  will  follow
       the second instructions.

       If  $TCPREMOTEIP  is 127.0.0.1 and $TCPREMOTEINFO is bill,
       tcpserver(1) will follow the fourth instructions.

       If $TCPREMOTEIP is 127.0.0.1 and  $TCPREMOTEINFO  is  joe,
       tcpserver(1) will follow the first instructions.

       You  can  use  tcprulescheck(1)  to see how tcpserver will
       interpret rules in cdb.
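
       The lookup order listed above, modelled as an added example (not
       part of ucspi-tcp; the function names are hypothetical). It works
       on rule text rather than a compiled cdb, does not expand address
       ranges, and is checked against the four sample cases above.

```python
# Added illustration: models the documented lookup order, not tcpserver's own code.
# Constructed sample input: the four example rules from this section plus a comment.
SAMPLE_RULES = """\
# sample rules
joe@127.0.0.1:first
18.23.0.32:second
:third
127.:fourth
"""

def candidate_addresses(ip, info=None, host=None):
    """Yield rule addresses in the order the ADDRESSES list gives (items 1-8)."""
    if info is not None:
        yield f"{info}@{ip}"                    # 1. $TCPREMOTEINFO@$TCPREMOTEIP
        if host is not None:
            yield f"{info}@={host}"             # 2. $TCPREMOTEINFO@=$TCPREMOTEHOST
    yield ip                                    # 3. $TCPREMOTEIP
    if host is not None:
        yield f"={host}"                        # 4. =$TCPREMOTEHOST
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):     # 5. "a.b.c.", "a.b.", "a."
        yield ".".join(octets[:n]) + "."
    if host is not None:
        labels = host.split(".")
        for n in range(1, len(labels)):         # 6. "=.example.org", "=.org"
            yield "=." + ".".join(labels[n:])
        yield "="                               # 7. any host with a name
    yield ""                                    # 8. the empty string (catch-all)

def parse_rules(text):
    """Map address -> instructions; skips blank lines and # comments."""
    rules = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        address, _, instructions = line.partition(":")
        rules[address] = instructions
    return rules

def lookup(rules, ip, info=None, host=None):
    """Return (matched address, instructions) for the first rule found, else None."""
    for address in candidate_addresses(ip, info, host):
        if address in rules:
            return address, rules[address]
    return None

if __name__ == "__main__":
    print(lookup(parse_rules(SAMPLE_RULES), "127.0.0.1", info="bill"))
```

       Because the first match wins, a broad rule such as 127.: or the
       empty address only applies when no more specific address is
       present; tcprulescheck(1) remains the way to confirm what a
       compiled cdb actually does.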

ADDRESS RANGES
       tcprules treats 1.2.3.37-53:ins as an abbreviation for the
       rules  1.2.3.37:ins,  1.2.3.38:ins,  and  so on up through
       1.2.3.53:ins. Similarly, 10.2-3.:ins  is  an  abbreviation
       for 10.2.:ins and 10.3.:ins.

INSTRUCTIONS
       The instructions in a rule must begin with either allow or
       deny. deny tells tcpserver(1) to drop the connection
       without running anything. For example, the rule

              :deny

       tells  tcpserver(1)  to  drop  all connections that aren't
       handled by more specific rules.

       The instructions may continue with some environment
       variables, in the form var="x".  tcpserver(1) adds an
       environment variable $var with value x. For example,

              10.0.:allow,RELAYCLIENT="@fix.me"

       adds  an  environment  variable  $RELAYCLIENT  with  value
       @fix.me.  The quotes may be replaced by any repeated
       character:

              10.0.:allow,RELAYCLIENT=/@fix.me/

       Any number of variables may be listed:

              127.0.0.1:allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu"

SEE ALSO
       tcpserver(1),   tcprulescheck(1),   argv0(1),  fixcrio(1),
       recordio(1), rblsmtpd(1), tcpclient(1), who@(1), date@(1),
       finger@(1),  http@(1),  tcpcat(1),  mconnect(1),
       tcp-environ(5)

       http://cr.yp.to/ucspi-tcp.html