netctrl(1M) — DG/UX R4.11MU05

netctrl(1M)              DG/UX B2 Security R4.12MU02             netctrl(1M)


NAME
       netctrl - Network control configuration program

SYNOPSIS
   Filter/Pool Management via Config File:
       netctrl -a [ -nD ] -c ConfigFile
       netctrl -d [ -nD ] -c ConfigFile

   List Operations:
       netctrl [ -npqD ] IfName

   Flush Operations:
       netctrl -f [ -pnD ] IfName

   General Filter Management:
       netctrl [ -adinoqDOTU ][ -N num ] IfName SrcFilter DstFilter Actions
       netctrl -d [ -nD ][ -N num ] IfName

   General Pool Management:
       netctrl -ap [ -nD ] IfName PoolAddr
       netctrl -dp [ -nD ] IfName PoolAddr


   where:
       num         The position to insert the new filter or the existing
                   filter number to delete.  If unspecified, netctrl will
                   assume the first position.
       IfName      The network interface name associated with this filter or
                   pool address.  The network interface is specified by
                   giving the name of the device file in the /dev directory.
       SrcFilter   The source address/mask or AddrRangeSpec (and optionally,
                   a port number or PortRangeSpec) to match.  If the port is
                   not specified, all port numbers are matched.
       DstFilter   The destination address/mask or AddrRangeSpec (and
                   optionally, a port number or PortRangeSpec) to match.  If
                   the port is not specified, all port numbers are matched.
       ConfigFile  The pathname to the netctrl configuration file
                   (typically, /etc/netctrl.config).  If a filename (rather
                   than a complete pathname) is provided, it is assumed that
                   ConfigFile is located in the /etc directory.  Note that
                   filters are installed in the same order that they appear
                   in ConfigFile.
       PoolAddr    An address (or PoolRangeSpec) specifying IP addresses to
                   utilize for dynamic address translation on the specified
                   interface.
       Actions     Zero or more operations which are performed on packets
                   matching the filter specifications.

DESCRIPTION
       The netctrl command provides administrative control over the TCP/IP
       NAT (Network Address Translation), proxy redirects, and service load
       distribution features.

       Typically, the system administrator will perform NAT/PROXY management
       as follows:

       ·    NAT/PROXY filters and pool addresses will be specified in
            ConfigFile (see the netctrl.config(4M) man page for details) and
            then managed via the syntax shown in section 'Filter/Pool
            Management via Config File'.

       ·    The administrator will list existing filters and pool addresses
            via the syntax shown above in section 'List Operations'.

       ·    The administrator will flush the existing filters and pool
            addresses via the syntax shown above in section 'Flush
            Operations'.

       The netctrl syntax shown in the 'General ... Management' sections
       above provides for interactive management of individual filter/pool
       entries and is typically used when prototyping a new firewall setup.

   Options:
       -a   Add an entry.  If specified with the -c option, all entries in
            the ConfigFile will be added.  May not be used in combination
            with the -d option.

       -d   Delete an entry.  If specified with the -c option, all entries
            in the ConfigFile will be deleted.  May not be used in
            combination with the -a option.

       -f   Perform a flush (remove all) operation on existing filters or
            pool addresses associated with IfName.

       -i   In-bound orientation.  All in-bound packets on IfName will be
            compared against SrcFilter and DstFilter to determine if the
            packet is a candidate for performing Actions.  May not be used
            in combination with the -o option.

       -n   Do not perform address-to-name translation.

       -o   Out-bound orientation.  All out-bound packets on IfName will be
            compared against SrcFilter and DstFilter to determine if the
            packet is a candidate for performing Actions.  May not be used
            in combination with the -i option.

       -p   Specifies that the operation is to be performed on pool entries
            associated with IfName.

       -q   Quiet mode.  All information header output will be suppressed.

       -D   Debug mode.

       -O   Match OTHER (non TCP or UDP) protocol packets.

       -T   Match TCP protocol packets.

       -U   Match UDP protocol packets.

   SrcFilter and DstFilter
       The SrcFilter field specifies the source addresses and port numbers
       to match; the DstFilter field specifies the destination addresses and
       port numbers to match.  Both the SrcFilter and DstFilter fields are
       of the format AddrRangeSpec[:PortRangeSpec], where address A and port
       P match the filter if A is one of the addresses specified by
       AddrRangeSpec and P is in range of ports specified by PortRangeSpec.
       If the PortRangeSpec is omitted, a port range of 0-65535 is assumed.

       AddrRangeSpec has two possible formats.  The first is
       IPAddress:Mask.  This specification includes all addresses A for
       which A & Mask equals IPAddress & Mask.  The second format of
       AddrRangeSpec is A.B.C.D, where any component of the dotted quad can
       be a single number or a range of numbers.  For example, 1.2.3.1-12
       denotes addresses 1.2.3.1 through 1.2.3.12.  This format is converted
       internally to the first format, which for this example is
       1.2.3.0:0xfffffff0.  Note that, after conversion, 1.2.3.1-12 therefore
       actually matches addresses 1.2.3.0 through 1.2.3.15.

       The PortRangeSpec specification can be of the form, MinPort-MaxPort,
       denoting a range of ports, or a single number which means the minimum
       and maximum port numbers are equal.

       For example, if SrcFilter is 1.2.3.4:0xffffffff:0-1024, then the
       source address must equal 1.2.3.4 and the source port must be 1024 or
       less in order to match the filter.  Or, if DstFilter is 0:0:23, then
       the destination address can be anything but the destination port must
       be 23 (i.e. the telnet port).

       The wildcard character is '*' and may be used to match any address
       and port number.
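
       The matching rule and the range-to-mask widening described above, as
       an added Python example that is not part of the DG/UX man page or of
       netctrl itself; it also covers the 1:1 odd-address filter used under
       EXAMPLES.  How netctrl tells an IPAddress:Mask spec from an A.B.C.D
       range with a port suffix is not stated on the page, so the
       disambiguation below is an assumption.

```python
import ipaddress
ALL_ONES = 0xFFFFFFFF

def _addr_int(text):
    # The IPAddress:Mask form allows bare numbers, as in the page's 0:0:23 and 1:1.
    return int(text, 0) if "." not in text else int(ipaddress.IPv4Address(text))

def _range_form(text):
    """A.B.C.D with any component a number or lo-hi range -> (lo, hi) as ints."""
    lo = hi = 0
    for comp in text.split("."):
        a, _, b = comp.partition("-")
        lo = (lo << 8) | int(a)
        hi = (hi << 8) | int(b or a)
    return lo, hi

def parse_filter(spec):
    """Parse AddrRangeSpec[:PortRangeSpec] -> (ipaddr, mask, minport, maxport).
    A.B.C.D forms are widened to the smallest IPAddress:Mask covering them, as
    the page says netctrl does.  Assumption: a second ':' field is a mask only
    when the first field is not a range form (the page does not say)."""
    parts = spec.split(":")
    if parts[0] == "*":
        ipaddr, mask = 0, 0
        port_part = parts[1] if len(parts) > 1 else None
    elif "-" in parts[0] or len(parts) == 1:
        lo, hi = _range_form(parts[0])
        mask = ALL_ONES
        while (lo & mask) != (hi & mask):   # drop low bits until lo and hi agree
            mask = (mask << 1) & ALL_ONES
        ipaddr = lo & mask
        port_part = parts[1] if len(parts) > 1 else None
    else:
        ipaddr, mask = _addr_int(parts[0]), int(parts[1], 0)
        port_part = parts[2] if len(parts) > 2 else None
    if port_part in (None, "*"):
        minport, maxport = 0, 65535          # omitted PortRangeSpec means 0-65535
    else:
        a, _, b = port_part.partition("-")
        minport, maxport = int(a), int(b or a)
    return ipaddr, mask, minport, maxport

def filter_matches(spec, addr, port):
    """The page's rule: A & Mask == IPAddress & Mask and P within the port range."""
    ipaddr, mask, minport, maxport = parse_filter(spec)
    a = int(ipaddress.IPv4Address(addr))
    return (a & mask) == (ipaddr & mask) and minport <= port <= maxport

def covered_addresses(spec):
    """First and last dotted address the filter really covers after widening."""
    ipaddr, mask, _, _ = parse_filter(spec)
    first = ipaddr & mask
    last = first | (~mask & ALL_ONES)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))
```

       covered_addresses() is the check to run on any range filter before
       installing it, since the widened mask may admit addresses the range
       never named.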

   Actions
       Once a filter is matched, 0 or more of the following Actions can be
       performed on the packet.  The order in which they appear in the
       configuration file does not matter; they are always performed in the
       following order.

              DENY   Deny or drop the packet.  This action precludes all
                     other actions.

              TSA={ NewAddrRangeSpec | POOL }
                     The "Translate Source Address" command.  If
                     NewAddrRangeSpec is specified, the source address is
                      statically translated to the new address.  The format of
                     NewAddrRangeSpec is the same as AddrRangeSpec which is
                     described in the SrcFilter and DstFilter section above.
                     The first address specified by the SrcFilter is
                     translated to the first address specified by the
                     NewAddrRangeSpec, the second address is translated to
                     the second, the third address is translated to the
                     third, etc.  Therefore, there should be the same number
                     of addresses specified by both address specifications.

                     If the keyword POOL is specified, the source address is
                     translated to one of the available pool addresses on
                     IfName.  Note: pool addresses are managed with the
                     netctrl -p option.

                     Reverse translation is automatically performed by the
                     system; therefore, you need only specify a filter for a
                     single direction.  Typically, you should specify the
                     translation that should take place for incoming packets
                     on an internal network interface (i.e. the network
                     interface which corresponds to the private network
                     whose addresses need translation).

              TDA={ NewAddrRangeSpec | POOL }
                     The "Translate Destination Address" command.  This
                     command is analogous to the TSA command above.  If
                     NewAddrRangeSpec is specified, the destination address
                      is statically translated to the new address.  The format
                     of NewAddrRangeSpec is the same as AddrRangeSpec which
                     is described in the SrcFilter and DstFilter section
                     above.  The first address specified by the DstFilter is
                     translated to the first address specified by the
                     NewAddrRangeSpec, the second address is translated to
                     the second, the third address is translated to the
                     third, etc.  Therefore, there should be the same number
                     of addresses specified by both address specifications.

                     If the keyword POOL is specified, the destination
                     address is translated to one of the available pool
                     addresses on IfName.  Note: pool addresses are managed
                     with the netctrl -p option.

                     Reverse translation is automatically performed by the
                     system; therefore, you need only specify a filter for a
                     single direction.  Typically, you should specify the
                     translation that should take place for incoming packets
                     on an internal network interface (i.e. the network
                     interface which corresponds to the private network
                     whose addresses need translation).

              TSP=NewPort
                     The "Translate Source Port" command.  This command
                     changes the source port number to NewPort.  Reverse
                     translation is automatically performed by the system;
                     therefore, you need only specify a filter for a single
                     direction.  When performing reverse translation,
                     however, the NewPort value is translated to the minimum
                     port specified in the PortRangeSpec of the SrcFilter.
                     Therefore, the PortRangeSpec should specify a single
                     port value in order to correctly perform reverse
                     translation for this command.  For example,

                     netctrl -aiT dpen0 0:0:5000-5010 '\*' TSP=1000

                     matches all incoming TCP packets on dpen0 whose source
                     port is between 5000 and 5010 inclusive, and translates
                     the source port to 1000.  However, for all outgoing
                     packets on dpen0 whose destination port is 1000, the
                     destination port will be translated to 5000.  A single-
                     valued source port range is therefore needed if the TSP
                     action is used.

              TDP=NewPort
                     The "Translate Destination Port" command.  This command
                     changes the destination port number to NewPort, and is
                     analogous to the TSP command above.  Reverse
                     translation is automatically performed by the system;
                     therefore, you need only specify a filter for a single
                     direction.  When performing reverse translation,
                     however, the NewPort value is translated to the minimum
                     port specified in the PortRangeSpec of the DstFilter.
                     Therefore, the PortRangeSpec should specify a single
                     port value in order to correctly perform reverse
                     translation for this command.  See the example in the
                     TSP command above.

              PROXY[=ProxyPort]
                      This action applies only to incoming packets, and
                      causes the packet to be redirected to the local host
                      even if it was not intended for the local host.
                     This action does not cause the destination address or
                     port number to be changed, but simply redirects the
                     packet as if they had been changed.  If a ProxyPort is
                     specified, the packet is redirected to port number
                     ProxyPort on the local host; otherwise, the packet is
                     redirected to the port specified by the destination
                     port in the packet.

                      Since the destination address and port numbers are not
                      actually changed in the packet, a proxy server
                      listening on port ProxyPort can retrieve the intended
                      destination address and port number with the
                      getsockname call for TCP endpoints or with the
                      IPRECVDSTSOCKADDR socket option for UDP endpoints.
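
       The TSP/TDP reverse-translation caveat above, as an added Python model
       constructed here (not netctrl's own code): the forward path rewrites
       the source port, the reverse path maps NewPort back to the minimum of
       the PortRangeSpec, and a small lint reports which client ports would
       lose their replies.  Packets are plain dicts with "if", "sport" and
       "dport" keys; the dpen0 filter is the one from the TSP example.

```python
class TspFilter:
    """Model of an in-bound netctrl filter carrying a TSP=NewPort action."""

    def __init__(self, ifname, src_port_range, new_port):
        lo, _, hi = src_port_range.partition("-")
        self.ifname = ifname
        self.min_port, self.max_port = int(lo), int(hi or lo)
        self.new_port = new_port

    def inbound(self, pkt):
        """Forward path: an incoming packet on IfName whose source port lies in
        the PortRangeSpec gets its source port rewritten to NewPort."""
        if pkt["if"] == self.ifname and self.min_port <= pkt["sport"] <= self.max_port:
            return dict(pkt, sport=self.new_port)
        return pkt

    def outbound(self, pkt):
        """Reverse path as the page describes it: an outgoing packet on IfName
        whose destination port is NewPort gets the *minimum* of the range."""
        if pkt["if"] == self.ifname and pkt["dport"] == self.new_port:
            return dict(pkt, dport=self.min_port)
        return pkt

def reply_port(filt, client_port):
    """Client sends from client_port, the server answers the port it saw;
    return the port the reply actually reaches after reverse translation."""
    request = filt.inbound({"if": filt.ifname, "sport": client_port, "dport": 80})
    reply = {"if": filt.ifname, "sport": 80, "dport": request["sport"]}
    return filt.outbound(reply)["dport"]

def misdirected_ports(filt):
    """Lint: source ports in the filter's range whose replies come back to the
    wrong port.  Empty only when the PortRangeSpec names a single port."""
    return [p for p in range(filt.min_port, filt.max_port + 1)
            if reply_port(filt, p) != p]
```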

   PoolRangeSpec
       The PoolRangeSpec field is of the format A.B.C.D, where any component
       of the dotted quad can be a single number or a range of numbers.  For
       example,

       netctrl -ap dpen1 1.2.3.1-10

       puts addresses 1.2.3.1 through 1.2.3.10 into the pool of addresses
       associated with dpen1.

EXAMPLES
       In the following examples, assume dpen0 is the external interface
       which is attached to the internet, and assume dpen1 is the internal
       interface which is attached to the private network.

   Static address translation
       Translate the source address on packets coming from the internal
       network from a private 10.0.0.x address to 1.2.3.x.  Note that
       packets going to the internal network are also translated.  This
       provides both private-to-internet as well as internet-to-private
       connectivity.

       netctrl -aiTUO dpen1 10.0.0.1-255 '\*' TSA=1.2.3.1-255

       Alternatively, the following entry may be added to
       /etc/netctrl.config:

       FILTER iTUO dpen1 10.0.0.1-255 * TSA=1.2.3.1-255

       and installed via the following netctrl command:

       netctrl -ac /etc/netctrl.config

   Dynamic address translation
       Translate the source address on packets coming from the internal
       network from a private 10.0.0.x address to one of the pool addresses:
       1.2.3.1 to 1.2.3.15.  Note that packets going to the internal network
       are also translated.  This provides private-to-internet connectivity
       only.

       netctrl -aiTUO dpen1 10.0.0.1-255 '\*' TSA=POOL
       netctrl -ap dpen1 1.2.3.1-15

       Alternatively, the following entries may be added to
       /etc/netctrl.config:

       FILTER iTUO dpen1 10.0.0.1-255 * TSA=POOL
       POOLADDRS dpen1 1.2.3.1-15

       and installed via the following netctrl command:

       netctrl -ac /etc/netctrl.config

   Proxy and address hiding configuration
       Proxy all TCP and UDP traffic to the proxy servers running on TCP and
       UDP port 1000, respectively.

       netctrl -aiTU dpen1 '\*' '\*' PROXY=1000

       Alternatively, the following entry may be added to
       /etc/netctrl.config:

       FILTER iTU dpen1 * * PROXY=1000

       and installed via the following netctrl command:

       netctrl -ac /etc/netctrl.config

       Since all connections go through a proxy, the source address of the
       system hosting the proxy server appears on the internet instead of
       any internal addresses.  The internal addresses are therefore hidden.
       See the man page for the generic proxy daemon, netgpd, for more
       information.

   Load balance configuration
       Send all http requests (i.e. to port 80) from odd addresses to
       1.2.3.4 and all other http requests to 1.2.3.5.

       netctrl -aiT -N 0 dpen1 1:1 0:0:80 TDA=1.2.3.4
       netctrl -aiT -N 1 dpen1 '\*' 0:0:80 TDA=1.2.3.5

       Alternatively, the following entries may be added to
       /etc/netctrl.config:

       FILTER iT dpen1 1:1 0:0:80 TDA=1.2.3.4
       FILTER iT dpen1 * 0:0:80 TDA=1.2.3.5

       and installed via the following netctrl command:

       netctrl -ac /etc/netctrl.config

DIAGNOSTICS
   Warnings
       ·      debug: WARNING, no ACTION specified...assuming NO-OP action

   Errors
       ·      Open failed to network device /dev/tcp

       ·      ioctl failed

       ·      Can't open ConfigFile

       ·      Translation netmask overflow!..from_mask=xxx, to_mask=xxx

   Exit Codes
       0      The operation was successful.

       1      The operation was unsuccessful.

FILES
       /etc/netctrl.config

SEE ALSO
       netctrl.config(4M).


Licensed material--property of copyright holder(s)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026