Embeddux Cisclone - Configuration Command Reference

This is a list of directives that can be used in the Embeddux Cisclone configuration file.  This list currently only contains commands that are either working or are being worked on.  More commands will be added as time goes on.

If you are familiar with the Cisco PIX firewalls, this configuration system will seem very familiar to you.  As a number of engineers work with Cisco equipment (particularly the PIX units) on a daily basis, it is the configuration style that most administrators will be accustomed to and prefer. 

The location of this configuration file is on the parent filesystem, along with the kernel itself and the compressed image of the RAM drive.


access-list <list_name> <permit | deny> <proto> <source[/mask]> <destination[/mask]> [port]

Controls access to resources behind (or in front of) the firewall.

list_name - An arbitrary name for the access list.  This name must be alphanumeric and cannot contain spaces or punctuation marks.
permit, deny - Indicates whether access to the given destination should be permitted or denied.
proto - The protocol.  Typically this is either "tcp" or "udp"; a protocol number may also be given.
source - The source address for the rule.  The mask is optional (to apply the rule to a network rather than a host).
destination - The destination address for the rule.  The mask is optional (to apply the rule to a network rather than a host).
port - An optional port number for the rule.  If this option is not present, ALL ports will be permitted or denied.

note: The keyword "any" can be used for a source or destination address.

Examples:

access-list testlist permit tcp any 123.123.123.1 80
access-list testlist permit tcp 192.168.1.0/24 10.0.0.0/8


auto-forward <interface> <protocol> <ports> <destination>

Forwards all incoming traffic of a given protocol type, destined for a certain port (or range of ports) to the specified host.

interface - The incoming interface.  This is typically the same as the public interface.
protocol - The protocol (tcp or udp).
ports - The port or port range to forward.  For a range of ports, the starting and ending port should be separated with a colon (e.g. 2000:3000).
destination - The destination IP address.

Examples:

auto-forward eth0 tcp 80 192.168.1.2
auto-forward eth0 udp 900:950 192.168.1.3
 


config version <xx.xx>

Specifies the configuration version number.  This directive will eventually be auto-generated by the configuration editor and should not be altered directly.


hostname <hostname> 

Sets the hostname of the firewall.


domain-name <domain>

Sets the default domain name for the firewall.

domain - The domain name to use.


name-server <server_address>

Adds a DNS server address to the list of servers to use for name resolution.

server_address - The IP address of a server to use for name resolution.


interface <ifname> <module | address | public> <mod_name | ip_address/netmask | dhcp | pppoe> [down | secondary]

Sets various parameters about the network interfaces that are present in the firewall.

ifname - Specifies the name (eth0, eth1, etc.) of a given interface.
module - Used to indicate the module (driver) needed by the interface.
address - Used to indicate the IP address, or the method of obtaining an IP address, for the interface.
public - Defines a given interface as "public".  This is typically used to indicate the interface that is attached to the Internet.
mod_name - Used in conjunction with the "module" directive.  Specifies the actual module name (without the .o extension).
ip_address/netmask - Used in conjunction with the "address" directive.  Specifies the IPv4 address and number of subnet bits for the interface.
dhcp - Used in conjunction with the "address" directive.  Indicates that the interface should obtain its address using DHCP.
pppoe - Used in conjunction with the "address" directive.  Indicates that the interface should obtain its address using PPPoE.
down - Indicates that the specified interface should be kept offline.
secondary - Used in conjunction with the "address" directive.  Indicates that this address is in addition to the "primary" address and should not overwrite any address information that is currently configured.  Do not assign secondary addresses to an interface that was configured using DHCP or PPPoE: the processes responsible for these types of address assignment do not honor a previously assigned secondary address during address negotiation (in short, the secondary addresses will get wiped out).

Example interface commands:

interface eth0 module eepro100
interface eth1 module 3c59x
interface eth0 public
interface eth0 address 192.168.1.1/24
interface eth1 address dhcp

Note: The use of the "module" directive must always precede the use of any other interface directives.


ipsec subnet <auto | address/mask>

Specifies IPSEC configuration parameters. This directive is only used in Embeddux Cisclone systems that have IPSEC capabilities installed. As of the writing of this document, all of the development snapshots have IPSEC enabled.

auto - Instructs the configuration parser to attempt to automatically determine which subnets should be made available to remote IPSEC clients. This should only be used in very simple network configurations.
address/mask - A network address and subnet mask specification to add to the IPSEC subnets table.

Examples:

ipsec subnet auto
 - or -
ipsec subnet 192.168.1.0/24

Note: Although the configuration parser will allow the use of both the auto and manual directive modes, this is not advised.

Note 2: If auto subnetting is to be used, this directive should appear before any interface configuration directives.


logging <host>

Specifies a remote host to send syslog data to.  If no logging host is specified, all data will be logged to the console.


nat <ifname> pool <start_address/mask> <end_address/mask>

Sets up a pool of IP addresses to use on the external interface for NAT.

ifname - The name of the external interface for NAT (eth0, eth1, etc)
start_address/mask - The starting address and network mask for the NAT pool.
end_address/mask - The ending address and network mask for the NAT pool.

Note: The starting and ending address must be in the same network.  Maximum pool size is 254 addresses.

nat <ifname> <source[/mask]>

Starts network address translation for the source address or network.

ifname - The name of the external interface for NAT (eth0, eth1, etc).
source/mask - The source address(es) to translate.  If no network mask is supplied, NAT is only performed for the supplied host address.
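As an added worked example (not part of this reference or of the Cisclone software), the following Python script checks a configuration file against several rules stated above: the alphanumeric access-list name, the "module" directive preceding other interface directives, secondary addresses on DHCP/PPPoE interfaces, "ipsec subnet auto" appearing before any interface directive, and the nat pool same-network and 254-address limits.  The sample configuration inside it is constructed for illustration and deliberately breaks several of these rules.

```python
import ipaddress

# Constructed sample configuration (not taken from the product); it
# deliberately breaks several rules stated in this reference.
SAMPLE_CONFIG = """\
interface eth0 module eepro100
interface eth0 public
interface eth0 address dhcp
interface eth0 address 10.0.0.5/24 secondary
interface eth1 address 192.168.1.1/24
ipsec subnet auto
nat eth0 pool 203.0.113.10/24 203.0.113.20/24
nat eth0 pool 203.0.113.1/24 203.0.114.1/24
access-list inside permit tcp 192.168.1.0/24 any 80
access-list bad-name deny udp any any
"""

def lint(config):
    """Return one "<line>: <message>" string per rule violation, in file order."""
    problems = []
    loaded = set()          # interfaces whose "module" directive has been seen
    dynamic = set()         # interfaces addressed via dhcp or pppoe
    saw_interface = False   # has any interface directive been seen yet?
    for num, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            ifname, what = tok[1], tok[2]
            saw_interface = True
            if what == "module":
                loaded.add(ifname)
            elif ifname not in loaded:
                problems.append(f"{num}: {ifname}: 'module' must precede other interface directives")
            if what == "address" and tok[3] in ("dhcp", "pppoe"):
                dynamic.add(ifname)
            if "secondary" in tok[3:] and ifname in dynamic:
                problems.append(f"{num}: {ifname}: secondary address on a dhcp/pppoe interface will be wiped out")
        elif tok[0] == "ipsec" and tok[1:3] == ["subnet", "auto"] and saw_interface:
            problems.append(f"{num}: 'ipsec subnet auto' must appear before any interface directive")
        elif tok[0] == "nat" and tok[2] == "pool":
            start, end = ipaddress.ip_interface(tok[3]), ipaddress.ip_interface(tok[4])
            size = int(end.ip) - int(start.ip) + 1   # addresses in the pool, inclusive
            if start.network != end.network:
                problems.append(f"{num}: nat pool start and end must be in the same network")
            elif not 1 <= size <= 254:
                problems.append(f"{num}: nat pool holds {size} addresses, maximum is 254")
        elif tok[0] == "access-list" and not tok[1].isalnum():
            problems.append(f"{num}: access-list name {tok[1]!r} must be alphanumeric")
    return problems
```

Running lint(SAMPLE_CONFIG) reports the violations on lines 4, 5, 6, 8 and 10 of the sample; a configuration that follows the rules returns an empty list.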


password <user | monitor | admin> <data> [encrypted]

Specifies the various passwords for the user, monitor, and admin level security. Currently, only the "admin" level is actually supported. If you set this password, the actual system login is "root" with the password that you specified.

If you want to store encrypted passwords in the configuration file, you can use the utility "cryptpw" in the /sbin directory to generate an encrypted password.  If the password is pre-encrypted, you must specify the "encrypted" keyword on the configuration line.


route <source/mask> <gateway> [dev ifname] [metric #]

Establishes static routing information.

source/mask - The source network number and bit mask.
gateway - The remote IP address to route traffic through.
dev ifname - Specifies the network interface to use for this route.  "ifname" should be the interface identifier (eth0, eth1, etc).
metric # - Specifies a metric for this route. "#" should be the desired route metric number.


snmp <contact | location | host> <data>

Sets various parameters that are passed to the internal SNMP service.

contact - Specifies the contact name for the firewall.
location - Specifies the system location.
host - Indicates a host IP address that is allowed to query the SNMP service.
data - A string containing the text data for the above directives

NOTE: In order to use the SNMP server, the domain name and DNS servers must be specified or the SNMP service will fail to start properly. These can either be specified via the "domain-name" and "name-server" directives, or from the automatic specifications provided by using a DHCP assigned Internet address.


telnet <address[/mask]>

Sets the hosts that are allowed telnet access to the firewall.


Notes: