Section: User Commands (1)
tcprules - compiles rules for tcpserver

tcpserver optionally follows rules to decide whether a TCP connection is
acceptable. For example, the rule

     220.127.116.11:deny

prohibits connections from IP address 220.127.116.11.
tcprules reads rules from its standard input and writes them into cdb (its
first argument) in a binary format suited for quick access by tcpserver.

tcprules can be used while tcpserver is running. It ensures that cdb is
updated atomically. It does this by first writing the rules to tmp (its
second argument) and then moving tmp on top of cdb. If tmp already exists,
it is destroyed. The directories containing cdb and tmp must be writable to
tcprules; they must also be on the same filesystem, because tmp is renamed
into place rather than copied, and a rename is atomic only within one
filesystem.

If there is a problem with the input or with tmp, tcprules complains and
leaves cdb alone.

cdb format is portable across machines.
A rule is one line. A file containing rules may also contain comments: lines
beginning with # are ignored.
Each rule contains an address, a colon, and a list of instructions, with no
extra spaces. When tcpserver receives a connection from that address, it
follows the instructions.

tcpserver looks for rules with various addresses, in this order:

1. $TCPREMOTEINFO@$TCPREMOTEIP, if $TCPREMOTEINFO is set;
2. $TCPREMOTEINFO@=$TCPREMOTEHOST, if $TCPREMOTEINFO is set and
   $TCPREMOTEHOST is set;
3. $TCPREMOTEIP;
4. =$TCPREMOTEHOST, if $TCPREMOTEHOST is set;
5. shorter and shorter prefixes of $TCPREMOTEIP ending with a dot;
6. shorter and shorter suffixes of $TCPREMOTEHOST starting with a dot,
   preceded by =, if $TCPREMOTEHOST is set;
7. =, if $TCPREMOTEHOST is set; and finally
8. the empty string.
tcpserver uses the first rule it finds. You should use the -p option to
tcpserver if you rely on $TCPREMOTEHOST here: $TCPREMOTEHOST comes from a
reverse DNS lookup, and whoever controls the client's address space can
point that lookup at any name they like. With -p, tcpserver looks up the
addresses of that name in turn and drops $TCPREMOTEHOST unless one of them
is the client's address, so host-based rules cannot be satisfied by a forged
reverse record. $TCPREMOTEINFO deserves the same caution: it is whatever the
remote machine's IDENT server answered, so rules keyed on it trust the
remote machine.
For example, here are some rules:

     joe@127.0.0.1:allow,ENV=joe
     :deny
     10.:allow
     127.0.0.1:allow

If $TCPREMOTEIP is 10.119.75.38, tcpserver will follow the third
instructions (the 10. prefix rule).

If $TCPREMOTEIP is 18.104.22.168, tcpserver will follow the second
instructions (no more specific rule matches, so the empty address applies).

If $TCPREMOTEIP is 127.0.0.1 and $TCPREMOTEINFO is bill, tcpserver will
follow the fourth instructions (there is no bill@127.0.0.1 rule, so the
bare address is the first hit).

If $TCPREMOTEIP is 127.0.0.1 and $TCPREMOTEINFO is joe, tcpserver will
follow the first instructions.
You can use tcprulescheck to see how tcpserver will interpret rules in cdb:
it takes cdb as its argument and reads $TCPREMOTEIP, $TCPREMOTEHOST and
$TCPREMOTEINFO from its environment, then reports the rule it would follow.
tcprules treats 1.2.3.0-53:ins as an abbreviation for the rules 1.2.3.0:ins,
1.2.3.1:ins, and so on up through 1.2.3.53:ins. Similarly, 10.2-3.:ins is an
abbreviation for 10.2.:ins and 10.3.:ins.
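The lookup order and the range abbreviation above, as an added example that is not ucspi-tcp code: a Python model in which a plain dict stands in for the cdb, expand_address() mirrors the range expansion, candidate_keys() walks the eight address forms in the documented order, and paranoid_host() models what -p does to $TCPREMOTEHOST. The sample rules, the IP addresses and the FORWARD_DNS table are constructed for this example; the model also assumes at most one range per address and that the first rule listed for an address wins, neither of which the page states.

```python
"""Model of the rule lookup that tcprules(1) documents for tcpserver.

Added example, not ucspi-tcp code.  A real cdb is replaced by a dict;
sample rules and DNS data below are constructed for this example.
"""


def expand_address(address):
    """Expand one range abbreviation: '1.2.3.0-53' -> 1.2.3.0 .. 1.2.3.53,
    '10.2-3.' -> '10.2.', '10.3.'.  Assumed here: at most one range per
    address, and none in host (=...) or info (...@...) forms."""
    if address.startswith("=") or "@" in address:
        return [address]
    parts = address.split(".")
    for i, part in enumerate(parts):
        if "-" in part:
            lo, _, hi = part.partition("-")
            if not (lo.isdigit() and hi.isdigit()) or int(lo) > int(hi):
                raise ValueError("bad range in address %r" % address)
            return [".".join(parts[:i] + [str(n)] + parts[i + 1:])
                    for n in range(int(lo), int(hi) + 1)]
    return [address]


def compile_rules(text):
    """Turn rule text (one rule per line, '#' lines ignored) into the
    address -> instructions table the cdb would hold.  Assumption of this
    model: the first rule given for an address wins."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        address, sep, instructions = line.partition(":")
        if not sep:
            raise ValueError("rule without a colon: %r" % line)
        for key in expand_address(address):
            table.setdefault(key, instructions)
    return table


def candidate_keys(remoteip, remotehost=None, remoteinfo=None):
    """Yield the addresses tcpserver tries, most specific first."""
    if remoteinfo is not None:
        yield "%s@%s" % (remoteinfo, remoteip)              # 1
        if remotehost is not None:
            yield "%s@=%s" % (remoteinfo, remotehost)       # 2
    yield remoteip                                          # 3
    if remotehost is not None:
        yield "=" + remotehost                              # 4
    octets = remoteip.split(".")
    for n in range(len(octets) - 1, 0, -1):                 # 5: 10.1.2. 10.1. 10.
        yield ".".join(octets[:n]) + "."
    if remotehost is not None:
        labels = remotehost.split(".")
        for n in range(1, len(labels)):                     # 6: =.example.com =.com
            yield "=." + ".".join(labels[n:])
        yield "="                                           # 7
    yield ""                                                # 8


def lookup(table, remoteip, remotehost=None, remoteinfo=None):
    """Return (matched address, instructions) for the first rule found."""
    for key in candidate_keys(remoteip, remotehost, remoteinfo):
        if key in table:
            return key, table[key]
    return None


def paranoid_host(remoteip, remotehost, forward_dns):
    """Model of tcpserver -p: keep the reverse-DNS name only if a forward
    lookup of it (forward_dns, a dict standing in for DNS) contains the
    client's address; otherwise behave as if $TCPREMOTEHOST were unset."""
    if remotehost is None or remoteip not in forward_dns.get(remotehost, ()):
        return None
    return remotehost


# Constructed sample: the four rules discussed in tcprules(1) plus a range
# rule and a host-suffix rule, so every branch above is exercised.
SAMPLE_RULES = """\
# constructed sample rules
joe@127.0.0.1:allow,ENV=joe
:deny
10.:allow
127.0.0.1:allow
1.2.3.0-53:allow,RELAYCLIENT=""
=.example.com:allow
"""
FORWARD_DNS = {"mx.example.com": ["192.0.2.7"]}  # constructed stand-in for DNS


def demo():
    table = compile_rules(SAMPLE_RULES)
    checked = paranoid_host("198.51.100.9", "mx.example.com", FORWARD_DNS)
    return {
        "prefix": lookup(table, "10.119.75.38"),
        "catch-all": lookup(table, "18.104.22.168"),
        "bill": lookup(table, "127.0.0.1", remoteinfo="bill"),
        "joe": lookup(table, "127.0.0.1", remoteinfo="joe"),
        "range-end": lookup(table, "1.2.3.53"),
        "past-range": lookup(table, "1.2.3.54"),
        "host-suffix": lookup(table, "192.0.2.7", remotehost="mx.example.com"),
        # forged reverse DNS from an unrelated address: trusted without -p ...
        "forged-host": lookup(table, "198.51.100.9", remotehost="mx.example.com"),
        # ... and discarded with -p, so the catch-all deny applies
        "unverified-host": lookup(table, "198.51.100.9", remotehost=checked),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %r" % (name, result))
```

The two last entries of demo() are the point of the -p advice: the same rule set allows a client whose reverse DNS claims mx.example.com unless the forward lookup confirms it.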
The instructions in a rule must begin with either allow or deny. deny tells
tcpserver to drop the connection without running anything. For example, the
rule

     :deny

tells tcpserver to drop all connections that aren't handled by more specific
rules.
The instructions may continue with some environment variables, in the form
,var="x". The instruction ,var="x" adds an environment variable $var with
value x. For example,

     :allow,RELAYCLIENT="@fix.me"

adds an environment variable $RELAYCLIENT with value @fix.me. The quotes may
be replaced by any repeated character:

     :allow,RELAYCLIENT=/@fix.me/

Any number of variables may be listed, each introduced by its own comma.
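A parser for the instruction syntax just described, as an added example that is not ucspi-tcp code: it accepts allow or deny followed by any number of ,var=<d>value<d> items where <d> is any character, and child_environment() applies the result the way the page says tcpserver does (deny runs nothing; allow runs the program with the listed variables added). The error cases it rejects are this model's reading of the man page, not a claim about tcprules' own diagnostics; the sample instruction strings are constructed.

```python
"""Parser for the instruction list of one tcprules(1) rule.

Added example, not ucspi-tcp code: implements the grammar the man page
describes and applies it as tcpserver would.  Error handling is this
model's own.
"""


def parse_instructions(instructions):
    """Return (action, env) for an instruction list such as
    'allow,RELAYCLIENT="@fix.me",ENV=/joe/'.  Raises ValueError on input
    the grammar does not cover."""
    if instructions.startswith("allow"):
        action, rest = "allow", instructions[len("allow"):]
    elif instructions.startswith("deny"):
        action, rest = "deny", instructions[len("deny"):]
    else:
        raise ValueError("instructions must begin with allow or deny: %r"
                         % instructions)

    env = {}
    pos = 0
    while pos < len(rest):
        if rest[pos] != ",":                      # no spaces, every item starts with ','
            raise ValueError("expected ',' at %r" % rest[pos:])
        eq = rest.find("=", pos + 1)
        if eq <= pos + 1:                         # no '=' or empty name
            raise ValueError("expected NAME= at %r" % rest[pos:])
        name = rest[pos + 1:eq]
        if eq + 1 >= len(rest):
            raise ValueError("missing opening delimiter for $%s" % name)
        delim = rest[eq + 1]                      # any character; '"' is just the usual choice
        end = rest.find(delim, eq + 2)
        if end < 0:
            raise ValueError("unterminated value for $%s" % name)
        env[name] = rest[eq + 2:end]              # may contain ',' or '=' freely
        pos = end + 1
    return action, env


def child_environment(instructions, base_env):
    """What the connection would run with: None for deny (tcpserver drops
    the connection without running anything), else base_env plus the
    rule's variables, the rule's values overriding base_env."""
    action, env = parse_instructions(instructions)
    if action == "deny":
        return None
    merged = dict(base_env)
    merged.update(env)
    return merged


if __name__ == "__main__":
    # constructed samples
    for sample in ('allow,RELAYCLIENT="@fix.me"',
                   'allow,RELAYCLIENT=/@fix.me/',
                   'allow,RELAYCLIENT="@fix.me",ENV=/joe/',
                   'deny'):
        print(sample, "->", child_environment(sample, {"PATH": "/bin"}))
```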