Skip to content

tcprules.1

Manvendra Bhangui edited this page May 7, 2023 · 4 revisions

NAME

tcprules - compiles rules for tcpserver(1).

SYNOPSIS

tcprules cdb tmp

DESCRIPTION

tcpserver(1) optionally follows rules to decide whether a TCP connection is acceptable.

IPv4 ADDRESSES

For example, the rule

18.23.0.32:deny

prohibits connections from IP address 18.23.0.32. Ranges of IPv4 addresses can defined in a class-dependend manner

18.:deny

or by means of a range of contiguous addresses

18.23.0.1-22:ins

Rather a CIDR notation can be used instead. The rule

127.0/8:allow

accepts any connections from the loopback net.

The bit-lenth of the given IP address has at least to match number of net-prefix bits. Otherwise, a syntax error is displayed.

Note: Always IP addresses with the longest matching prefix are considered.

IPv6 ADDRESSES

tcprules understands compactified IPv6 addresses in standard CIDR notation. The rule

2001:de01:2:3:4:a:b:c:deny

rejects any IPv6 packet from a single host while

2002::/48:deny

can be used to block an entire IPv6 (sub-)net in case the net-prefix (here: /48) is provided.

Note: Since the IPv6 address on input is evaluated in it's compactified format, simply include the final '::' for convenience. The resulting address is truncated to the number of provided prefix bits.

IPv6 MAPPED IPv4 ADDRESSES

tcprules does currently not understand IPv6 mapped IPv4 addresses

::ffff:a.b.c.d

where

a.b.c.d

is the mapped IPv4 addresses.

tcprules reads rules from its standard input and writes them into cdb in a binary format suited for quick access by tcpserver(1).

tcprules can be used while tcpserver(1) is running. It ensures that cdb is updated atomically. It does this by first writing the rules to tmp and then moving tmp on top of cdb. If tmp already exists, it is destroyed. The directories containing cdb and tmp must be writable to tcprules; they must also be on the same filesystem.

If there is a problem with the input or with tmp, tcprules complains and leaves cdb alone.

The binary cdb format is portable across machines.

RULE FORMAT

A rule is one line. A file containing rules may also contain comments: lines beginning with # are ignored.

Each rule contains an address, a colon, and a list of instructions, with no extra spaces. When tcpserver(1) receives a connection from that address, it follows the instructions.

ADDRESSES

tcpserver(1) looks for rules with various addresses:

  1. $TCPREMOTEINFO@$TCPREMOTEIP, if $TCPREMOTEINFO is set;

  2. $TCPREMOTEINFO@=$TCPREMOTEHOST, if $TCPREMOTEINFO is set and $TCPREMOTEHOST is set;

  3. $TCPREMOTEIP;

  4. =$TCPREMOTEHOST, if $TCPREMOTEHOST is set;

  5. shorter and shorter prefixes of $TCPREMOTEIP ending with a dot;

  6. shorter and shorter suffixes of $TCPREMOTEHOST starting with a dot, preceded by =, if $TCPREMOTEHOST is set;

  7. =, if $TCPREMOTEHOST is set; and finally

  8. the empty string.

tcpserver(1) uses the first rule it finds. You should use the -p option to tcpserver(1) if you rely on $TCPREMOTEHOST here.

For example, here are some rules:

joe@127.0.0.1:first 18.23.0.32:second :third 127.:fourth,!GREYIP

If $TCPREMOTEIP is 10.119.75.38, tcpserver(1) will follow the third instructions.

If $TCPREMOTEIP is 18.23.0.32, tcpserver(1) will follow the second instructions.

If $TCPREMOTEIP is 127.0.0.1 and $TCPREMOTEINFO is bill, tcpserver(1) will follow the fourth instructions and GREYIP will be removed from the environment.

If $TCPREMOTEIP is 127.0.0.1 and $TCPREMOTEINFO is joe, tcpserver(1) will follow the first instructions.

  • Compact IPv6 host addresses in the format:
fe80::a:b:cd:1234
  • Classless IPv4/IPv6 net addresses declared in the common CIDR /prefix notation:
127.0/8:allow
fe80::/64:allow

Note: You have to declare (implicitly) that many address bytes as required by the prefix. Longer addresses are automatically truncated.

  • Evaluation of the CIDR addresses considers the longest matching prefix. Thus, you can specify:
2001:a::/48:deny
2001:a:b:c::/64:allow

You can use tcprulescheck(1) to see how tcpserver will interpret rules in cdb.

ADDRESS RANGES

tcprules treats 1.2.3.37-53:ins as an abbreviation for the rules 1.2.3.37:ins, 1.2.3.38:ins, and so on up through 1.2.3.53:ins. Similarly, 10.2-3.:ins is an abbreviation for 10.2.:ins and 10.3.:ins.

CIDR Notation

tcprules understands CIDR notation. The rule

127.0/8:allow

accepts any connections from the loopback net. Note: Always IP addresses with the longest matching prefix are considered.

IPv6 ADDRESSES

tcprules understands compact IPv6 addresses in standard CIDR notation. The rule

2001:de01:2:3:4:a:b:c:deny

rejects any IPv6 packet from a single host while

2002::/48:deny

can be used to block an entire IPv6 (sub-)net, in case the net-prefix (here: /48) is provided. Note: Since the IPv6 address on input is evaluated in it's compacted format, simply include the final '::' for convenience. The resulting address is truncated to the number of provided prefix bits.

INSTRUCTIONS

The instructions in a rule must begin with either allow or deny. deny tells tcpserver(1) to drop the connection without running anything. For example, the rule

:deny

tells tcpserver(1) to drop all connections that aren't handled by more specific rules.

The instructions may continue with some environment variables, in the form var="x". tcpserver(1) adds an environment variable $var with value x. For example,

10.0.:allow,RELAYCLIENT="@fix.me"

adds an environment variable $RELAYCLIENT with value @fix.me. The quotes may be replaced by any repeated character:

10.0.:allow,RELAYCLIENT=/@fix.me/

Any number of variables may be listed:

127.0.0.1:allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu" ::1:allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu"

The instructions may continue with removal of environment variables, in the form !var. tcpserver(1) removes an environment variable $var. For example,

10.0.:allow,!RELAYCLIENT=

removes an environment variable $RELAYCLIENT.

SEE ALSO

tcpserver(1), tcprulescheck(1), argv0(1), fixcrio(1), recordio(1), rblsmtpd(1), tcpclient(1), who@(1), date@(1), finger@(1), http@(1), tcpcat(1), mconnect(1), tcp-environ(5), http://cr.yp.to/ucspi-tcp.html

Clone this wiki locally