tcprules(1) [osx man page]
tcprules(1) General Commands Manual tcprules(1) NAME
tcprules - compile rules for tcpserver SYNOPSIS
tcprules rules.cdb rules.tmp OVERVIEW
tcpserver optionally follows rules to decide whether a TCP connection is acceptable. For example, a rule of 18.23.0.32:deny prohibits connections from IP address 18.23.0.32. tcprules reads rules from its standard input and writes them into rules.cdb in a binary format suited for quick access by tcpserver. tcprules can be used while tcpserver is running: it ensures that rules.cdb is updated atomically. It does this by first writing the rules to rules.tmp and then moving rules.tmp on top of rules.cdb. If rules.tmp already exists, it is destroyed. The directories containing rules.cdb and rules.tmp must be writable to tcprules; they must also be on the same filesystem. If there is a problem with the input, tcprules complains and leaves rules.cdb alone. The binary rules.cdb format is portable across machines. RULE FORMAT
A rule takes up one line. A file containing rules may also contain comments: lines beginning with # are ignored. Each rule contains an address, a colon, and a list of instructions, with no extra spaces. When tcpserver receives a connection from that address, it follows the instructions. ADDRESSES
tcpserver starts by looking for a rule with address TCPREMOTEINFO@TCPREMOTEIP. If it doesn't find one, or if TCPREMOTEINFO is not set, it tries the address TCPREMOTEIP. If that doesn't work, it tries shorter and shorter prefixes of TCPREMOTEIP ending with a dot. If none of them work, it tries the empty string. For example, here are some rules: joe@127.0.0.1:first 18.23.0.32:second 127.:third :fourth ::1:fifth If TCPREMOTEIP is 10.119.75.38, tcpserver will follow the fourth instructions. If TCPREMOTEIP is ::1, tcpserver will follow the fifth instructions. Note that you cannot detect IPv4 mapped addresses by matching "::ffff", as those addresses will be converted to IPv4 before looking at the rules. If TCPREMOTEIP is 18.23.0.32, tcpserver will follow the second instructions. If TCPREMOTEINFO is bill and TCPREMOTEIP is 127.0.0.1, tcpserver will follow the third instructions. If TCPREMOTEINFO is joe and TCPREMOTEIP is 127.0.0.1, tcpserver will follow the first instructions. ADDRESS RANGES
tcprules treats 1.2.3.37-53:ins as an abbreviation for the rules 1.2.3.37:ins, 1.2.3.38:ins, and so on up through 1.2.3.53:ins. Similarly, 10.2-3.:ins is an abbreviation for 10.2.:ins and 10.3.:ins. INSTRUCTIONS
The instructions in a rule must begin with either allow or deny. deny tells tcpserver to drop the connection without running anything. For example, the rule :deny tells tcpserver to drop all connections that aren't handled by more specific rules. The instructions may continue with some environment variables, in the format ,VAR="VALUE". tcpserver adds VAR=VALUE to the current envi- ronment. For example, 10.0.:allow,RELAYCLIENT="@fix.me" adds RELAYCLIENT=@fix.me to the environment. The quotes here may be replaced by any repeated character: 10.0.:allow,RELAYCLIENT=/@fix.me/ Any number of variables may be listed: 127.0.0.1:allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu" SEE ALSO
tcprulescheck(1), tcpserver(1), tcp-environ(5) tcprules(1)
Check Out this Related Man Page
tcpserver(1) General Commands Manual tcpserver(1) NAME
tcpserver - accept incoming TCP connections SYNOPSIS
tcpserver [ -146jpPhHrRoOdDqQv ] [ -climit ] [ -xrules.cdb ] [ -Bbanner ] [ -ggid ] [ -uuid ] [ -bbacklog ] [ -llocalname ] [ -ttimeout ] [ -Iinterface ] host port program [ arg ... ] DESCRIPTION
tcpserver waits for connections from TCP clients. For each connection, it runs program with the given arguments, with descriptor 0 reading from the network and descriptor 1 writing to the network. The server's address is given by host and port. host can be 0, allowing connections from any host; or a particular IP address, allowing connections only to that address; or a host name, allowing connections to the first IP address for that host. port may be a numeric port number or a port name. If port is 0, tcpserver will choose a free port. tcpserver sets up several environment variables, as described in tcp-environ(5). tcpserver exits when it receives SIGTERM. OPTIONS
-climit Do not handle more than limit simultaneous connections. If there are limit simultaneous copies of program running, defer acceptance of a new connection until one copy finishes. limit must be a positive integer. Default: 40. -xrules.cdb Follow the rules compiled into rules.cdb by tcprules. These rules may specify setting environment variables or rejecting connec- tions from bad sources. tcpserver does not read rules.cdb into memory; you can rerun tcprules to change tcpserver's behavior on the fly. -Bbanner Write banner to the network immediately after each connection is made. tcpserver writes banner before looking up TCPREMOTEHOST, before looking up TCPREMOTEINFO, and before checking rules.cdb. This feature can be used to reduce latency in protocols where the client waits for a greeting from the server. -ggid Switch group ID to gid after preparing to receive connections. gid must be a positive integer. -uuid Switch user ID to uid after preparing to receive connections. uid must be a positive integer. -1 After preparing to receive connections, print the local port number to standard output. -4 Fall back to IPv4 sockets. This is necessary for terminally broken systems like OpenBSD which will not let IPv6 sockets connect to V4-mapped IPv6 addresses. Please note that this also applies to DNS lookups, so you will have to use an DNS resolver with an IPv6 address to accept IPv6 connections. Use DNSCACHEIP to set the DNS resolver IP dynamically. -6 Force IPv6 mode in UCSPI environment variables, even for IPv4 connections. This will set $PROTO to TCP6 and put IPv4-mapped IPv6 addresses in TCPLOCALIP and TCPREMOTEIP. -Iinterface Bind to the network interface interface ("eth0" on Linux, for example). This is only defined and needed for IPv6 link-local addresses. -bbacklog Allow up to backlog simultaneous SYN_RECEIVEDs. Default: 20. On some systems, backlog is silently limited to 5. See listen(2) for more details. -o Leave IP options alone. If the client is sending packets along an IP source route, send packets back along the same route. -O (Default.) Kill IP options. A client can still use source routing to connect and to send data, but packets will be sent back along the default route. -d (Default.) Delay sending data for a fraction of a second whenever the remote host is responding slowly, to make better use of the network. -D Never delay sending data; enable TCP_NODELAY. This is appropriate for interactive connections. -q Quiet. Do not print any messages. -Q (Default.) Print error messages. -v Verbose. Print all available messages. DATA-GATHERING OPTIONS -p Paranoid. After looking up the remote host name, look up the IP addresses for that name, and make sure one of them matches TCPRE- MOTEIP. If none of them do, unset TCPREMOTEHOST. -P (Default.) Not paranoid. -h (Default.) Look up the remote host name and set TCPREMOTEHOST. -H Do not look up the remote host name. -llocalname Do not look up the local host name; use localname for TCPLOCALHOST. -r (Default.) Attempt to obtain TCPREMOTEINFO from the remote host. -R Do not attempt to obtain TCPREMOTEINFO from the remote host. -ttimeout Give up on the TCPREMOTEINFO connection attempt after timeout seconds. Default: 26. SEE ALSO
argv0(1), fixcr(1), recordio(1), tcpclient(1), tcprules(1), listen(2), tcp-environ(5) tcpserver(1)