netctrl(1M) DG/UX B2 Security R4.12MU02 netctrl(1M)
NAME
netctrl - Network control configuration program
SYNOPSIS
Filter/Pool Management via Config File:
netctrl -a [ -nD ] -c ConfigFile
netctrl -d [ -nD ] -c ConfigFile
List Operations:
netctrl [ -npqD ] IfName
Flush Operations:
netctrl -f [ -pnD ] IfName
General Filter Management:
netctrl [ -adinoqDOTU ] [ -N num ] IfName SrcFilter DstFilter Actions
netctrl -d [ -nD ] [ -N num ] IfName
General Pool Management:
netctrl -ap [ -nD ] IfName PoolAddr
netctrl -dp [ -nD ] IfName PoolAddr
where:
num The position to insert the new filter or the existing
filter number to delete. If unspecified, netctrl will
assume the first position.
IfName The network interface name associated with this filter or
pool address. The network interface is specified by
giving the name of the device file in the /dev directory.
SrcFilter The source address/mask or AddrRangeSpec (and optionally,
a port number or PortRangeSpec) to match. If the port is
not specified, all port numbers are matched.
DstFilter The destination address/mask or AddrRangeSpec (and
optionally, a port number or PortRangeSpec) to match. If
the port is not specified, all port numbers are matched.
ConfigFile The pathname to the netctrl configuration file
(typically, /etc/netctrl.config). If a filename (rather
than a complete pathname) is provided, it is assumed that
ConfigFile is located in the /etc directory. Note that
filters are installed in the same order that they appear
in ConfigFile.
PoolAddr An address (or PoolRangeSpec) specifying IP addresses to
utilize for dynamic address translation on the specified
interface.
Actions Zero or more operations which are performed on packets
matching the filter specifications.
DESCRIPTION
The netctrl command provides administrative control over the TCP/IP
NAT (Network Address Translation), proxy redirects, and service load
distribution features.
Typically, the system administrator will perform NAT/PROXY management
as follows:
· NAT/PROXY filters and pool addresses will be specified in
ConfigFile (see the netctrl.config(4M) man page for details) and
then managed via the syntax shown in section 'Filter/Pool
Management via Config File'.
· The administrator will list existing filters and pool addresses
via the syntax shown above in section 'List Operations'.
· The administrator will flush the existing filters and pool
addresses via the syntax shown above in section 'Flush
Operations'.
The netctrl syntax shown in the 'General ... Management' sections
above provides for the interactive management of individual
filter/pool entries and is typically used when prototyping a new
firewall setup.
Options:
-a Add an entry. If specified with the -c option, all entries in
the ConfigFile will be added. May not be used in combination
with the -d option.
-d Delete an entry. If specified with the -c option, all entries
in the ConfigFile will be deleted. May not be used in
combination with the -a option.
-f Perform a flush (remove all) operation on existing filters or
pool addresses associated with IfName.
-i In-bound orientation. All in-bound packets on IfName will be
compared against SrcFilter and DstFilter to determine if the
packet is a candidate for performing Actions. May not be used
in combination with the -o option.
-n Do not perform address-to-name translation.
-o Out-bound orientation. All out-bound packets on IfName will be
compared against SrcFilter and DstFilter to determine if the
packet is a candidate for performing Actions. May not be used
in combination with the -i option.
-p Specifies that the operation is to be performed on pool entries
associated with IfName.
-q Quiet mode. All information header output will be suppressed.
-D Debug mode.
-O Match OTHER (non TCP or UDP) protocol packets.
-T Match TCP protocol packets.
-U Match UDP protocol packets.
SrcFilter and DstFilter
The SrcFilter field specifies the source addresses and port numbers
to match; the DstFilter field specifies the destination addresses and
port numbers to match. Both the SrcFilter and DstFilter fields are
of the format AddrRangeSpec[:PortRangeSpec], where address A and port
P match the filter if A is one of the addresses specified by
AddrRangeSpec and P is in range of ports specified by PortRangeSpec.
If the PortRangeSpec is omitted, a port range of 0-65535 is assumed.
AddrRangeSpec has two possible formats. The first is IPAddress:Mask.
This specification includes all addresses A for which A & Mask equals
IPAddress & Mask. The second format of AddrRangeSpec is A.B.C.D, where
any component of the dotted quad can be a single number or a range of
numbers written Low-High. For example, 1.2.3.1-12 is written to include
addresses 1.2.3.1 through 1.2.3.12. This format is converted internally
to the first format, and an IPAddress:Mask pair can only describe a
block whose size is a power of two, so the range is rounded outward:
1.2.3.1-12 becomes 1.2.3.0:0xfffffff0 and therefore actually includes
addresses 1.2.3.0 through 1.2.3.15. When a filter must match exactly
the addresses written, choose range endpoints that fall on a mask
boundary (or use the IPAddress:Mask form directly) and verify the
installed filter with the list operation.
The PortRangeSpec specification can be of the form, MinPort-MaxPort,
denoting a range of ports, or a single number which means the minimum
and maximum port numbers are equal.
For example, if SrcFilter is 1.2.3.4:0xffffffff:0-1024, then the
source address must equal 1.2.3.4 and the source port must be 1024 or
less in order to match the filter. Or, if DstFilter is 0:0:23, then
the destination address can be anything (a mask of 0 matches every
address) but the destination port must be 23 (i.e. the telnet port).
The wildcard character is '*' and may be used to match any address
and port number. When given on the command line it must be quoted, as
in the EXAMPLES below, so that the shell does not expand it.
Actions
Once a filter is matched, zero or more of the following Actions can be
performed on the packet. The order in which they appear in the
configuration file does not matter; they are always performed in the
following order.
DENY Deny or drop the packet. This action precludes all
other actions.
TSA={ NewAddrRangeSpec | POOL }
The "Translate Source Address" command. If
NewAddrRangeSpec is specified, the source address is
statically translated to the new address. The format of
NewAddrRangeSpec is the same as AddrRangeSpec which is
described in the SrcFilter and DstFilter section above.
The first address specified by the SrcFilter is
translated to the first address specified by the
NewAddrRangeSpec, the second address is translated to
the second, the third address is translated to the
third, etc. Therefore, both address specifications must
describe the same number of addresses; since each is
converted to IPAddress:Mask form, the two masks must
describe blocks of equal size (see the "Translation
netmask overflow" error under DIAGNOSTICS).
If the keyword POOL is specified, the source address is
translated to one of the available pool addresses on
IfName. Note: pool addresses are managed with the
netctrl -p option.
Reverse translation is automatically performed by the
system; therefore, you need only specify a filter for a
single direction. Typically, you should specify the
translation that should take place for incoming packets
on an internal network interface (i.e. the network
interface which corresponds to the private network
whose addresses need translation).
TDA={ NewAddrRangeSpec | POOL }
The "Translate Destination Address" command. This
command is analogous to the TSA command above. If
NewAddrRangeSpec is specified, the destination address
is statically translated to the new address. The format
of NewAddrRangeSpec is the same as AddrRangeSpec which
is described in the SrcFilter and DstFilter section
above. The first address specified by the DstFilter is
translated to the first address specified by the
NewAddrRangeSpec, the second address is translated to
the second, the third address is translated to the
third, etc. Therefore, both address specifications must
describe the same number of addresses; since each is
converted to IPAddress:Mask form, the two masks must
describe blocks of equal size (see the "Translation
netmask overflow" error under DIAGNOSTICS).
If the keyword POOL is specified, the destination
address is translated to one of the available pool
addresses on IfName. Note: pool addresses are managed
with the netctrl -p option.
Reverse translation is automatically performed by the
system; therefore, you need only specify a filter for a
single direction. Typically, you should specify the
translation that should take place for incoming packets
on an internal network interface (i.e. the network
interface which corresponds to the private network
whose addresses need translation).
TSP=NewPort
The "Translate Source Port" command. This command
changes the source port number to NewPort. Reverse
translation is automatically performed by the system;
therefore, you need only specify a filter for a single
direction. When performing reverse translation,
however, the NewPort value is translated to the minimum
port specified in the PortRangeSpec of the SrcFilter.
Therefore, the PortRangeSpec should specify a single
port value in order to correctly perform reverse
translation for this command. For example,
netctrl -aiT dpen0 0:0:5000-5010 '\*' TSP=1000
matches all incoming TCP packets on dpen0 whose source
port is between 5000 and 5010 inclusive, and translates
the source port to 1000. However, for all outgoing
packets on dpen0 whose destination port is 1000, the
destination port will be translated to 5000. A single-
valued source port range is therefore needed if the TSP
action is used.
TDP=NewPort
The "Translate Destination Port" command. This command
changes the destination port number to NewPort, and is
analogous to the TSP command above. Reverse
translation is automatically performed by the system;
therefore, you need only specify a filter for a single
direction. When performing reverse translation,
however, the NewPort value is translated to the minimum
port specified in the PortRangeSpec of the DstFilter.
Therefore, the PortRangeSpec should specify a single
port value in order to correctly perform reverse
translation for this command. See the example in the
TSP command above.
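The following is an added example, not code from the netctrl man page
or from DG/UX; it models the AddrRangeSpec and PortRangeSpec matching
rules described in the SrcFilter and DstFilter section, the static
TSA/TDA mapping, and the TSP/TDP reverse-translation caveat above, so
that a filter can be checked before it is installed. It assumes that a
dotted range is widened to the smallest IPAddress:Mask block that
contains it (this reproduces the 1.2.3.0:0xfffffff0 example), that
static translation keeps the host bits of the packet address and swaps
in the network bits of the new block, and that reverse port translation
maps NewPort to the range minimum as stated above. The address and port
parts of a filter field are passed to it separately.

```python
# Added example (not from the netctrl man page or DG/UX): a model of how
# netctrl's AddrRangeSpec/PortRangeSpec are matched and how TSA/TDA and
# TSP/TDP translations behave, including the widening of dotted ranges.
# Assumptions: a dotted range is widened to the smallest IPAddress:Mask
# block containing it; static translation keeps the host bits and swaps
# the network bits; reverse port translation maps to the range minimum.
# Address and port parts of a filter field are passed separately.

MASK32 = 0xFFFFFFFF


def _to_int(token):
    """Accept a dotted quad ('1.2.3.4') or a plain/hex number ('0', '0xfffffff0')."""
    if "." in token:
        parts = [int(p) for p in token.split(".")]
        if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
            raise ValueError("bad address %r" % token)
        return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]
    return int(token, 0) & MASK32


def dotted(addr):
    """Render a 32-bit integer as a dotted quad."""
    return "%d.%d.%d.%d" % ((addr >> 24) & 255, (addr >> 16) & 255, (addr >> 8) & 255, addr & 255)


def addr_block(spec):
    """(base, mask) for '*', 'IPAddress:Mask' or dotted 'A.B.C.D' with Low-High parts."""
    if spec == "*":
        return 0, 0
    if ":" in spec:
        parts = spec.split(":")
        if len(parts) != 2:
            raise ValueError("expected IPAddress:Mask (pass the port separately): %r" % spec)
        mask = _to_int(parts[1])
        return _to_int(parts[0]) & mask, mask
    comps = spec.split(".")
    if len(comps) != 4:
        raise ValueError("bad dotted range %r" % spec)
    lo = hi = 0
    for comp in comps:
        a, _, b = comp.partition("-")
        a, b = int(a), int(b or a)
        if not 0 <= a <= b <= 255:
            raise ValueError("bad component %r" % comp)
        lo, hi = (lo << 8) | a, (hi << 8) | b
    mask = MASK32          # assumption: widen to the smallest mask-aligned block
    while (lo & mask) != (hi & mask):
        mask = (mask << 1) & MASK32
    return lo & mask, mask


def block_extent(spec):
    """Lowest and highest address the spec really matches after conversion."""
    base, mask = addr_block(spec)
    return dotted(base), dotted(base | (~mask & MASK32))


def port_range(spec=None):
    """PortRangeSpec 'Min-Max' or 'N'; omitted or '*' means 0-65535."""
    if spec in (None, "*"):
        return 0, 65535
    a, _, b = spec.partition("-")
    lo, hi = int(a), int(b or a)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port range %r" % spec)
    return lo, hi


def matches(addr, port, addr_spec, port_spec=None):
    """True if addr/port satisfy one SrcFilter or DstFilter field."""
    base, mask = addr_block(addr_spec)
    lo, hi = port_range(port_spec)
    return (_to_int(addr) & mask) == base and lo <= port <= hi


def sizes_match(from_spec, to_spec):
    """Both sides of a static TSA/TDA must convert to blocks of equal size."""
    return addr_block(from_spec)[1] == addr_block(to_spec)[1]


def static_translate(addr, from_spec, to_spec):
    """TSA/TDA with NewAddrRangeSpec: return (forward, reverse) dotted addresses,
    or None when addr is outside from_spec. reverse is the automatic reverse
    translation applied to the forward result."""
    fbase, fmask = addr_block(from_spec)
    tbase, tmask = addr_block(to_spec)
    if fmask != tmask:
        raise ValueError("Translation netmask overflow: from_mask=%#x, to_mask=%#x" % (fmask, tmask))
    a = _to_int(addr)
    if (a & fmask) != fbase:
        return None
    host = a & ~fmask & MASK32        # host bits survive; network bits are swapped
    return dotted(host | tbase), dotted(host | fbase)


def tsp_round_trip(port_spec, new_port, src_port):
    """TSP model: a source port in port_spec becomes new_port, but the reply to
    new_port is reverse-translated to the range MINIMUM, not to src_port.
    Returns (translated, reply_port, round_trip_ok) or None if no match."""
    lo, hi = port_range(port_spec)
    if not lo <= src_port <= hi:
        return None
    return new_port, lo, lo == src_port


if __name__ == "__main__":
    print("1.2.3.1-12 really matches", block_extent("1.2.3.1-12"))
    print("10.0.0.7 via TSA=1.2.3.1-255 ->", static_translate("10.0.0.7", "10.0.0.1-255", "1.2.3.1-255"))
    print("TSP 5000-5010 -> 1000 for src 5003:", tsp_round_trip("5000-5010", 1000, 5003))
```

Run it before installing a filter: block_extent shows the addresses a
dotted range will really match after widening, sizes_match catches a
TSA/TDA whose two sides convert to blocks of different sizes, and
tsp_round_trip shows why a multi-port range with TSP sends replies to
the wrong port for every source port except the range minimum.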
PROXY[=ProxyPort]
This action applies only to incoming packets, and
causes the packet to be redirected to the local host
even if it was not intended for the local host.
This action does not cause the destination address or
port number to be changed, but simply redirects the
packet as if they had been changed. If a ProxyPort is
specified, the packet is redirected to port number
ProxyPort on the local host; otherwise, the packet is
redirected to the port specified by the destination
port in the packet.
Since the destination address and port numbers are not
actually changed in the packet, a proxy server
listening on port ProxyPort can retrieve the intended
destination address and port number with the
getsockname for TCP endpoints or with the
IPRECVDSTSOCKADDR option for UDP endpoints.
PoolRangeSpec
The PoolRangeSpec field is of the format: A.B.C.D where any component
of the dotted quad can be a single number or a range of numbers
written Low-High. For example,
netctrl -ap dpen1 1.2.3.1-10
puts addresses 1.2.3.1 through 1.2.3.10 into the pool of addresses
associated with dpen1.
EXAMPLES
In the following examples, assume dpen0 is the external interface
which is attached to the internet, and assume dpen1 is the internal
interface which is attached to the private network.
Static address translation
Translate the source address on packets coming from the internal
network from a private 10.0.0.x address to 1.2.3.x. Note that
packets going to the internal network are also translated. This
provides both private-to-internet as well as internet-to-private
connectivity.
netctrl -aiTUO dpen1 10.0.0.1-255 '\*' TSA=1.2.3.1-255
Alternatively, the following entry may be added to
/etc/netctrl.config:
FILTER iTUO dpen1 10.0.0.1-255 * TSA=1.2.3.1-255
and installed via the following netctrl command:
netctrl -ac /etc/netctrl.config
Dynamic address translation
Translate the source address on packets coming from the internal
network from a private 10.0.0.x address to one of the pool addresses:
1.2.3.1 to 1.2.3.15. Note that packets going to the internal network
are also translated. This provides private-to-internet connectivity
only.
netctrl -aiTUO dpen1 10.0.0.1-255 '\*' TSA=POOL
netctrl -ap dpen1 1.2.3.1-15
Alternatively, the following entries may be added to
/etc/netctrl.config:
FILTER iTUO dpen1 10.0.0.1-255 * TSA=POOL
POOLADDRS dpen1 1.2.3.1-15
and installed via the following netctrl command:
netctrl -ac /etc/netctrl.config
Proxy and address hiding configuration
Proxy all TCP and UDP traffic to the proxy servers running on TCP and
UDP port 1000, respectively.
netctrl -aiTU dpen1 '\*' '\*' PROXY=1000
Alternatively, the following entry may be added to
/etc/netctrl.config:
FILTER iTU dpen1 * * PROXY=1000
and installed via the following netctrl command:
netctrl -ac /etc/netctrl.config
Since all connections go through a proxy, the source address of the
system hosting the proxy server appears on the internet instead of
any internal addresses. The internal addresses are therefore hidden.
Because this filter delivers every matching packet to the local proxy
port, any restriction on which destinations internal hosts may reach
must be enforced by the proxy daemon itself. See the man page for
the generic proxy daemon, netgpd, for more information.
Load balance configuration
Send all http requests (i.e. to port 80) from odd addresses to
1.2.3.4 and all other http requests to 1.2.3.5. The SrcFilter 1:1 is
an IPAddress:Mask pair whose mask keeps only the lowest address bit,
so it matches source addresses with that bit set (odd addresses); the
wildcard filter at position 1 catches the remaining requests.
netctrl -aiT -N 0 dpen1 1:1 0:0:80 TDA=1.2.3.4
netctrl -aiT -N 1 dpen1 '\*' 0:0:80 TDA=1.2.3.5
Alternatively, the following entries may be added to
/etc/netctrl.config:
FILTER iT dpen1 1:1 0:0:80 TDA=1.2.3.4
FILTER iT dpen1 * 0:0:80 TDA=1.2.3.5
and installed via the following netctrl command:
netctrl -ac /etc/netctrl.config
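Combining DENY with translation
The following /etc/netctrl.config fragment is an added example, not
one from the netctrl man page or DG/UX. It uses the interfaces and
addresses of the examples above and assumes, as the load balance
example relies on, that the first matching filter applies. Because
filters are installed in the order they appear in ConfigFile and DENY
precludes all other actions, the DENY line must come first: it drops
inbound TCP packets from the private network to port 23 (telnet) on any
destination, and everything else from the private network is
translated to a pool address.

```text
FILTER iT dpen1 10.0.0.1-255 0:0:23 DENY
FILTER iTUO dpen1 10.0.0.1-255 * TSA=POOL
POOLADDRS dpen1 1.2.3.1-15
```

Install it with netctrl -ac /etc/netctrl.config and confirm the order
with the list operation (netctrl dpen1); if the DENY filter is listed
after the TSA filter, telnet from the private network is translated
rather than dropped.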
DIAGNOSTICS
Warnings
· debug: WARNING, no ACTION specified...assuming NO-OP action
Errors
· Open failed to network device /dev/tcp
· ioctl failed
· Can't open ConfigFile
· Translation netmask overflow!..from_mask=xxx, to_mask=xxx
Exit Codes
0 The operation was successful.
1 The operation was unsuccessful.
FILES
/etc/netctrl.config
SEE ALSO
netctrl.config(4M).
Licensed material--property of copyright holder(s)