NAME

appjail-expose — Port forwarding from host port to jail port

SYNOPSIS

DESCRIPTION

The appjail expose utility configures, lists, enables, and disables rules to perform port forwarding from a host port to a jail port.

The options are as follows:

get [-eHIipt] -n nro jail [keyword ...]

Get information about current rules, that is, the keyword that represent the information to be obtained. Multiple keywords can be specified, which are displayed as a table-like interface in the order in which they are specified. If no keyword is specified, the defaults are nro, enabled, name, ports, protocol and network_name.

See KEYWORDS for a list of available keywords.

-e

Not required when using -p. The \t character is used to delimit columns, so as not to show strange values, this option shows <TAB> instead of \t in the case that a value contains the latter.

-H

Shows the name of the columns.

-I

Include empty values. By default, a minus sign is displayed when a value is empty.

-i

Don't complain when nro doesn't exist.

-p

Columnate the list.

-t

Tabulate columns and values.

-n nro

Identifier.

list [-eHIipt] [-n nro] jail [keyword ...]

Similar to get but shows each keyword for each rule in a nice table.

-e, -H, -I, -p, -t

All of these options perform the opposite task of the options described in get.

-i

Perform the same task as described in get.

-n nro

Only show information for nro.

off jail

Flush the rules currently in use.

on jail

Load enabled rules configured by set.

remove [all|nro nro] jail

Remove a given rule.

all

Remove all rules.

nro nro

Remove the rule specified by nro.

set -k network -p hport[:jport] [[-E|-e]] [-t|-u] [-I address] [-i interface] [-l [-|options]] [-N name] [-n [auto|nro]] [-o interface] jail

Configure a new or existing rule.

-k network

Get the jail's IPv4 address from network, required for the rule.

If you are configuring a rule that already has this value, it becomes optional, so you can ignore it if you wish.

-p hport[:jport]

Forward the hport port to the jport port.

hport is the host or external port and jport if the port currently listening to the application within the jail. If not set, hport is used.

Both hport and jport can be specified using symbolic names as described in services(5).

If you are configuring a rule that already has this value, it becomes optional, so you can ignore it if you wish.

[-E|-e]

Enable (-E) or disable (-e) this rule.

-t|-u

Use TCP (-t) or UDP (-u). By default is TCP

-I address

Use address as the external IPv4 address instead of the first matching IPv4 address. The IPv4 address must exist on the specified external interface before executing this command.

-i interface

Interface to obtain the external IPv4 address. If not set, the interface specified by the EXT_IF parameter is used.

-l [-|options]

Firewall-specific logging options. Use a minus sign to enable logging, but without options.

-N name

Service description.

-n [auto|nro]

Identifier. An identifier is composed of a positive number. Use auto (default) to get the lowest identifier value.

-o interface

Apply rules to packets coming in on, or going out through, this interface. If not set, the interface specified by the ON_IF parameter is used.

status jail

Shows the rule that is currently in use or an error if it is not yet applied.

KEYWORDS

enabled

Shows 1 if the rule is enabled, 0 if it is not.

name

Service description.

hport

External port.

jport

Internal port.

ext_if

Interface to obtain the external IPv4 address.

on_if

Apply rules to packets coming in on, or going out through, this interface.

network_name

Network used to obtain the jail's IPv4 address.

nro

Identifier.

ports

Exposed ports.

protocol

Protocol, i.e. TCP or UDP in lowercase.

rule

The rule that will be applied.

EXIT STATUS

The appjail expose utility exits 0 on success, and >0 if an error occurs.

SEE ALSO

appjail-quick(1) sysexits(3)

AUTHORS

Jesús Daniel Colmenares Oviedo <DtxdF@disroot.org>