xenial (1) tcprules.1.gz

Provided by: ucspi-tcp-ipv6_0.88-3_amd64

NAME

       tcprules - compile rules for tcpserver

SYNOPSIS

       tcprules rules.cdb rules.tmp

OVERVIEW

       tcpserver optionally follows rules to decide whether a TCP connection is acceptable.  For example, a rule
       of

          18.23.0.32:deny

       prohibits connections from IP address 18.23.0.32.

       tcprules reads rules from its standard input and writes them into rules.cdb in a binary format suited for
       quick access by tcpserver.

       tcprules  can  be  used  while tcpserver is running: it ensures that rules.cdb is updated atomically.  It
       does this by first writing the rules to rules.tmp and then moving rules.tmp  on  top  of  rules.cdb.   If
       rules.tmp  already  exists,  it is destroyed.  The directories containing rules.cdb and rules.tmp must be
       writable to tcprules; they must also be on the same filesystem.

       If there is a problem with the input, tcprules complains and leaves rules.cdb alone.

       The binary rules.cdb format is portable across machines.

RULE FORMAT

       A rule takes up one line.  A file containing rules may also contain comments: lines beginning with #  are
       ignored.

       Each rule contains an address, a colon, and a list of instructions, with no extra spaces.  When tcpserver
       receives a connection from that address, it follows the instructions.

ADDRESSES

       tcpserver starts by looking for a rule with address TCPREMOTEINFO@TCPREMOTEIP.  If it doesn't  find  one,
       or if TCPREMOTEINFO is not set, it tries the address TCPREMOTEIP.  If that doesn't work, it tries shorter
       and shorter prefixes of TCPREMOTEIP ending with a dot.  If none of them work, it tries the empty string.

       For example, here are some rules:

          joe@127.0.0.1:first
          18.23.0.32:second
          127.:third
          :fourth
          ::1:fifth

       If TCPREMOTEIP is 10.119.75.38, tcpserver will follow the fourth instructions.

       If TCPREMOTEIP is ::1, tcpserver will follow the fifth instructions.  Note that you  cannot  detect  IPv4
       mapped addresses by matching "::ffff", as those addresses will be converted to IPv4 before looking at the
       rules.

       If TCPREMOTEIP is 18.23.0.32, tcpserver will follow the second instructions.

       If TCPREMOTEINFO is bill and TCPREMOTEIP is 127.0.0.1, tcpserver will follow the third instructions.

       If TCPREMOTEINFO is joe and TCPREMOTEIP is 127.0.0.1, tcpserver will follow the first instructions.

ADDRESS RANGES

       tcprules treats 1.2.3.37-53:ins as an abbreviation for the rules 1.2.3.37:ins, 1.2.3.38:ins, and so on up
       through 1.2.3.53:ins.  Similarly, 10.2-3.:ins is an abbreviation for 10.2.:ins and 10.3.:ins.
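
       The following Python is an added example, not code from ucspi-tcp: it emulates how tcprules expands
       rule addresses (including the ranges just described) and how tcpserver then searches for a rule using
       the order given under ADDRESSES.  The rule text is constructed from this page's examples, with the
       placeholder instructions replaced by real allow/deny instructions.  The function names, the choice to
       split a line at the colon directly before the allow/deny keyword (the page does not say how tcprules
       handles colons inside IPv6 addresses), the skipping of blank lines, and the rejection of duplicate
       addresses are this example's own assumptions.

```python
# Added example (not ucspi-tcp code): emulate tcprules' address expansion and
# tcpserver's rule lookup order.  Helper names and input checks are assumptions.

def split_rule(line):
    """Split 'address:instructions'.  IPv6 addresses contain colons, so the
    separator is taken to be the colon right before the mandatory 'allow' or
    'deny' keyword (an assumption about tcprules' own parsing)."""
    cut = min((i for i in (line.find(":allow"), line.find(":deny")) if i >= 0),
              default=-1)
    if cut < 0:
        raise ValueError("instructions must begin with allow or deny: %r" % line)
    return line[:cut], line[cut + 1:]

def expand_address(addr):
    """Expand one 'lo-hi' range in a dotted component: '1.2.3.37-53' becomes
    1.2.3.37 .. 1.2.3.53 and '10.2-3.' becomes '10.2.' and '10.3.'."""
    if "-" not in addr:
        return [addr]
    parts = addr.split(".")
    ranged = [i for i, p in enumerate(parts) if "-" in p]
    if len(ranged) != 1:
        raise ValueError("exactly one ranged component is supported: %r" % addr)
    i = ranged[0]
    lo, hi = (int(x) for x in parts[i].split("-", 1))
    if not 0 <= lo <= hi <= 255:          # sanity check added by this example
        raise ValueError("bad range in %r" % addr)
    return [".".join(parts[:i] + [str(n)] + parts[i + 1:]) for n in range(lo, hi + 1)]

def compile_rules(text):
    """Build the address -> instructions map that rules.cdb would hold."""
    rules = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):   # '#' lines are comments; blank lines skipped (assumption)
            continue
        addr, instructions = split_rule(line)
        for a in expand_address(addr):
            if a in rules:                      # refuse to guess which duplicate tcpserver would pick
                raise ValueError("duplicate rule for %r" % a)
            rules[a] = instructions
    return rules

def lookup(rules, remoteip, remoteinfo=None):
    """Return (matched address, instructions) using tcpserver's search order:
    INFO@IP, IP, ever-shorter dot-terminated prefixes of IP, then ''."""
    if remoteip.lower().startswith("::ffff:") and "." in remoteip:
        remoteip = remoteip[7:]            # IPv4-mapped addresses are matched as plain IPv4
    candidates = []
    if remoteinfo is not None:
        candidates.append("%s@%s" % (remoteinfo, remoteip))
    candidates.append(remoteip)
    for i in range(len(remoteip) - 1, 0, -1):
        if remoteip[i] == ".":
            candidates.append(remoteip[:i + 1])
    candidates.append("")
    for c in candidates:
        if c in rules:
            return c, rules[c]
    return None                            # no rule at all; tcpserver's default applies

# Constructed rule file: the page's five example rules with real instructions,
# plus one range from the ADDRESS RANGES section.
RULES = compile_rules("""\
# who may connect, and who may relay
joe@127.0.0.1:allow,RULE="first"
18.23.0.32:allow,RULE="second"
127.:allow,RULE="third"
:deny
::1:allow,RULE="fifth"
1.2.3.37-53:allow,RULE="range"
""")

if __name__ == "__main__":
    for info, ip in [(None, "10.119.75.38"), (None, "::1"), (None, "18.23.0.32"),
                     ("bill", "127.0.0.1"), ("joe", "127.0.0.1"), (None, "1.2.3.40"),
                     (None, "::ffff:18.23.0.32")]:
        print(info, ip, "->", lookup(RULES, ip, info))
```

       Running it reproduces the five outcomes listed under ADDRESSES and shows two points worth checking in a
       real rule set: a connection from 1.2.3.40 hits the expanded range entry, and an IPv4-mapped remote such
       as ::ffff:18.23.0.32 is matched as 18.23.0.32, so a "::ffff" rule would never fire.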

INSTRUCTIONS

       The  instructions  in  a  rule  must  begin  with either allow or deny.  deny tells tcpserver to drop the
       connection without running anything.  For example, the rule

          :deny

       tells tcpserver to drop all connections that aren't handled by more specific rules.

       The instructions may continue with some environment variables, in  the  format  ,VAR="VALUE".   tcpserver
       adds VAR=VALUE to the current environment.  For example,

          10.0.:allow,RELAYCLIENT="@fix.me"

       adds RELAYCLIENT=@fix.me to the environment.  The quotes here may be replaced by any repeated character:

          10.0.:allow,RELAYCLIENT=/@fix.me/

       Any number of variables may be listed:

          127.0.0.1:allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu"
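
       The following Python is an added example, not code from ucspi-tcp: it parses the instruction part of
       a rule the way the text above describes it, accepting allow or deny followed by ,VAR=<q>VALUE<q> pairs
       where <q> is any single character that is repeated to close the value.  It also rejects the malformed
       inputs tcprules would "complain" about, such as an unterminated value.  The function name and the
       error messages are this example's own.

```python
# Added example (not ucspi-tcp code): parser for the instruction field of a
# tcprules rule.  Function name and error messages are this example's own.

def parse_instructions(instructions):
    """Return (action, env) for text such as
    'allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu"'."""
    for action in ("allow", "deny"):
        if instructions == action or instructions.startswith(action + ","):
            rest = instructions[len(action):]
            break
    else:
        raise ValueError("instructions must begin with allow or deny: %r" % instructions)
    env = {}
    pos = 0
    while pos < len(rest):
        if rest[pos] != ",":                      # every variable is introduced by a comma
            raise ValueError("expected ',' at offset %d" % pos)
        eq = rest.find("=", pos + 1)
        if eq < 0:
            raise ValueError("variable without '=' at offset %d" % pos)
        name = rest[pos + 1:eq]
        if not name or "," in name:
            raise ValueError("bad variable name %r" % name)
        if eq + 1 >= len(rest):
            raise ValueError("missing quote character for %s" % name)
        quote = rest[eq + 1]                      # any character may delimit the value
        end = rest.find(quote, eq + 2)
        if end < 0:
            raise ValueError("unterminated value for %s" % name)
        env[name] = rest[eq + 2:end]              # commas and '=' inside the quotes are literal
        pos = end + 1
    return action, env

if __name__ == "__main__":
    for text in ("deny",
                 'allow,RELAYCLIENT="@fix.me"',
                 "allow,RELAYCLIENT=/@fix.me/",
                 'allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu"',
                 'allow,NOTE="a,b=c"'):
        print(text, "->", parse_instructions(text))
```

       The last constructed input shows why the delimiter is needed: because the value is read up to the
       repeated quote character, a comma or equals sign inside it does not start a new variable.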

SEE ALSO

       tcprulescheck(1), tcpserver(1), tcp-environ(5)

                                                                                                     tcprules(1)