The configuration editor is the primary command-line tool for creating and manipulating the objects that control the operation of a Screen.
The following table lists the data types that compose the Data Model as maintained by the configuration editor (ssadm edit) and the ssadm policy command.
Table B-4 Configuration Editor Object Type Name Summary
Object Type Name |
Storage |
Access Method |
Description |
---|---|---|---|
address |
common |
named |
Describe addresses of network elements |
screen |
common |
named |
Describe Screen objects and their relationships |
state engine |
common (read-only) |
named |
Describe filtering capabilities of packet filter engine. |
service |
common |
named |
Define network services that can be filtered |
interface |
common |
named |
Describe network interfaces of a Screen. |
certificate |
common |
named |
Refer to certificate used for SKIP connections |
time |
common |
named |
Define time intervals for time-dependent rules |
authuser |
external |
named |
Describe users for administration and/or proxy access |
proxyuser |
external |
named |
Describe users for proxy access |
jar_hash |
external |
named |
Describe Java archive hash (for HTTP proxy applet filtering) |
jar_sig |
external |
named |
Describe Java archive signature (for HTTP proxy applet filtering) |
logmacro |
|
|
|
mail_relay |
external |
named |
Describe mail relays (for SMTP proxy mail filtering) |
mail_spam |
external |
named |
Describe spam domains (for SMTP proxy mail filtering) |
policy |
policy list |
named |
Create, delete, rename, or list the defined policies |
filter rule |
policy |
ordered |
Describe network traffic flow policy |
nat rule |
policy |
ordered |
Describe NAT translations (read-only) |
local access rule |
policy |
ordered |
Describe who can access the Screen for local administration and what they can do. |
remote access rule |
policy |
ordered |
Describe who can access the Screen for remote administration and what they can do. |
VPN gateway |
policy |
ordered |
Describe how VPN hosts are protected behind certificates and tunnels |
VPN |
policy |
ordered |
Virtual object representing a collection of VPN gateways |
Object types marked as having "common" storage in the table are normally stored in the common objects registry that is not part of any particular policy. These objects are used by all policies, so changes to the common objects can affect the behavior of multiple policies. To edit the common objects, it is necessary to specify a policy name when starting the configuration editor even if you are not modifying any policy objects.
Object types marked as having "policy" storage in the table are stored as part of a policy. Policy objects often refer to common objects and therefore can have different meaning depending on the value of common objects. for example, a policy can contain a rule object that allows address A to communicate with address B. The address objects A and B are defined in the common objects.
Object types marked as having "external" storage in the table are almost equivalent to "common" objects, but they are stored in a separate database that is not affected by the "quit," "reload," or "save" commands. Changes to these objects are always immediate, and persist even if the "save" command is not used.
Object types marked as having "policy list" storage in the table represents the names of the policies themselves. Minimal capabilities are provided by the configuration editor to manage the policy. A policy currently being edited can be saved or "cloned" (or portions of it) into a new policy. Other policy requests, such as add, delete, and rename are provided by the ssadm policy command.
The ssadm edit commands are used when running the configuration editor, which is responsible for maintaining the SunScreen EFS 3.0 configuration database.
The following table lists the SunScreen EFS 3.0 configuration editor ssadm edit sub-commands and their descriptions. Many sub-commands duplicate administration GUI functions, while others provide a context for other sub-commands.
Table B-5 SunScreen EFS 3.0 Configuration Editor ssadm edit Sub-Command Summary
edit Sub-Command |
Description |
---|---|
add |
Create or redefine an entry. |
add_member |
Add member to an Address, Certificate, or Service group. |
authuser |
Manipulates the list of authorized users. |
del[ete] |
Delete the specified entry of the given TYPE. |
del[ete]_member |
Delete member from an Address, Certificate, or Service group. |
insert |
Insert a new object of one of the ordered (indexed) types in a specified position in the corresponding list. |
jar_hash |
Manipulates the list of JAR hashes used by the HTTP proxy. |
jar_sig |
Manipulates the list of JAR signatures used by the HTTP proxy. |
list |
Display all data for all entries or a specific entry of a give TYPE. |
list_name |
Display the set of unique basenames and sub-type of all of a given TYPE. |
load |
Load a policy into the configuration editor. |
lock |
Lock the Registry and policy in anticipation of performing edits. |
lock_status |
Return the status of the lock relative to this editor. |
mail_relay |
Manipulates the list of mail relays used by the SMTP proxy. |
mail_spam |
Manipulates the list of spam domains used by the SMTP proxy. |
move |
Move an indexed entry from its current location in the ordered list to the new location. |
proxyuser |
Manipulates the list of proxy users.
|
refer |
Determine if a named-object of a given TYPE is referred to in the Registry or the current policy. |
referlist |
Display a list of all entries in the Registry or the current policy that refer to a specified named-object of a given TYPE. |
reload |
Discard any and all edits, if made, and reload the data into the editor from the database. |
rename |
Rename a specified named-object of a given TYPE. |
renamereference |
Renames all references to a specified named-object of a given TYPE. |
replace |
Replace an object at a specified index. |
save |
Save all current edits to the Registry and policy. |
search |
Search the Registry for objects that match specified criteria. |
vars |
Manipulates variables used for RADIUS configuration. |
verify |
Takes no arguments and verifies the currently loaded policy. |
quit |
Cause the editor to terminate if there are no unsaved changes. |
QUIT |
Cause the editor to terminate even if there are unsaved changes. |
In the following command descriptions, when the name of an object of a particular TYPE is required, it is indicated by name_TYPE. If an index is needed, it is indicated by #. A keyword that was required in previous SunScreen releases but is now optional, is indicated by KEYWORD.
Creates or re-defines an entry.
Usage:
add TYPE parameters...
If a named-type is specified and an entry with that name already exists, it is replaced with the new entry. If it does not exist, one is created with the new name. All of the following have a similar request of add_nocheck, which does not perform consistency checking.
add address "name_ADDRESS" <HOST> #.#.#.#
add address "name_ADDRESS" <RANGE> #.#.#.# #.#.#.#
add address "name_ADDRESS" <GROUP> { "name_ADDRESS" ... } { "name_ADDRESS" ... } { "name_ADDRESS" ... }
The following fields are optional and can be specified in any order after the "address" keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
The addresses "*" and "localhost" are reserved and cannot be edited.
add screen "name_SCREEN"
The following fields are optional and can be specified in any order after the "screen" keyword:
MASTER "name_SCREEN"
HA_PRIMARY
HA_SECONDARY
TIMEOUT #
SNMP #.#.#.# ... (list can be empty; not output if empty list)
CDP {"on" if present, "off" otherwise}
ROUTING {"on" if present, "off" otherwise}
DNS {"on" if present, "off" otherwise}
NIS {"on" if present, "off" otherwise}
LOGSIZE # {default is 100MB if not present}
SPF #.#.#.# #.#.#.# {Network and Netmask for stealth type Interfaces}
HA_IP #.#.#.# (required if HA_PRIMARY is set)
HA_ETHER xx:xx:xx:xx:xx:xx (required if HA_PRIMARY is set)
COMMENT "comment string"
If the Screen is to be a part of an HA cluster, and administered remotely, then the following fields must be specified as well. They can be specified in any order after the "screen" keyword:
ADMIN_IP #.#.#.#
ADMIN_CERTIFICATE "name_CERTIFICATE"
KEY "name_KEY_ALGORITHM"
DATA "name_DATA_ALGORITHM"
MAC "name_MAC_ALGORITHM"
COMPRESSION "name_COMPRESSION_ALGORITHM"
TUNNEL "name_ADDRESS"
The screen "*" is reserved and cannot be edited.
add service "name_SERVICE" <SINGLE> filter ...
add service "name_SERVICE" GROUP "name_SERVICE" ...
For SINGLE services, a list of Filters follows the SINGLE keyword. The list must not be empty, and each Discriminator list must also not be empty. A Filter is of the form:
FORWARD "name_STATEENGINE" discriminator ...
REVERSE "name_STATEENGINE" discriminator ...
An individual discriminator is as follows:
PORT #
PORT #-# (Note, no space is allowed before or after the "-" character)
BROADCAST #
BROADCAST #-#
An optional parameter for discriminators, which appears immediately after the number or range it modifies, is:
PARAMETERS space-separated list of #
For GROUP services, a space-separated list of "name_SERVICE" entries follows the GROUP keyword.
The following fields are optional and can be specified in any order after the "service" keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add interface "name_INTERFACE" type "name_ADDRESS"
type must be one of ADMIN, DISABLED, EFS, HA, or SPF.
The following fields are optional for stealth interface types and can be specified in any order after the "interface" keyword. Up to 5 ROUTERs per stealth interface can be specified. More can be specified, but only 5 (no guarantee which ones) are used by the system.
ROUTER #.#.#.#
The following fields are optional for all interface types and can be specified in any order after the "interface" keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
The following fields are optional for all interface types except DISABLED and can be specified in any order after the "interface" keyword.
LOG NONE {default if no LOG is specified}
LOG SUMMARY
LOG DETAIL
ICMP NONE
ICMP NET_UNREACHABLE
ICMP HOST_UNREACHABLE
ICMP PORT_UNREACHABLE
ICMP NET_FORBIDDEN
ICMP HOST_FORBIDDEN
SNMP {"on" if present, "off" otherwise}
add certificate "name_CERTIFICATE" SINGLE NSID # MKID "#"
add certificate "name_CERTIFICATE" GROUP "name_CERTIFICATE" ...
For GROUP certificates, a space-separated list of "name_CERTIFICATE" entries follows the GROUP keyword.
The following fields are optional for SINGLE entries and may be specified in any order after the "certificate" keyword:
G #
P #
KEY_LENGTH #
LOCAL "name_SCREEN"
The following fields are optional and can be specified in any order after the "certificate" keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add time "name_TIME"
The following fields are optional and can be specified in any order after the "time" keyword:
EVERYDAY
SUNDAY
MONDAY
TUESDAY
WEDNESDAY
THURSDAY
FRIDAY
SATURDAY
SCREEN "name_SCREEN"
COMMENT "comment string"
Following any of the *DAY keywords can be a time of day specification in the form {timespec ...} . timespec is a time range in the form:
Start Hour:Start Minute Stop Hour:Stop Minute
Examples are: "{ 1:00 2:30 }" and "{ 1:00 2:30 4:00 6:00 }". 24-hour time format is used, so the valid times are 0:00 (starting at midnight) through 24:00 (ending at midnight).
add rule "name_SERVICE" name_ADDRESS
Appends the rule to the end of the list of rules in the policy. "insert rule" should be used to position a new rule into an existing policy.
The following fields are optional and can be specified in any order after the "rule" keyword:
ALLOW {default if no ACTION specified}
DENY
LOG NONE {also LOG_NONE, default if no LOG is specified}
LOG SUMMARY {also LOG_SUMMARY}
LOG DETAILED {also LOG_DETAILED}
LOG SESSION {also LOG_SESSION, only valid for ALLOW rules, will be error for DENY}
SNMP {"on" if present, "off" otherwise}
USER "name_USER" {only used if PROXY_FTP or PROXY_Telnet set below }
TIME "name_TIME"
SCREEN "name_SCREEN"
COMMENT "comment string"
The following combo-field is optional and only valid in a rule that has ALLOW specified. It can be specified anywhere after the "rule" keyword:
SKIP_VERSION_1 "name_CERTIFICATE" "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM"
SKIP_VERSION_2 "name_CERTIFICATE" "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM" "name_MAC_ALGORITHM" "name_COMPRESSION_ALGORITHM"
The following fields are optional and only valid within a SKIP_VERSION_1 or SKIP_VERSION_2 combo-field. They can be specified in any order after the SKIP_VERSION_# keyword:
SOURCE_TUNNEL "name_ADDRESS"
DESTINATION_TUNNEL "name_ADDRESS"
The following field is optional and only valid in a rule that has DENY specified. It can be specified anywhere after the "rule" keyword:
ICMP NONE {also ICMP_NONE, default if nothing is specified}
ICMP NET_UNREACHABLE {also ICMP_NET_UNREACHABLE}
ICMP HOST_UNREACHABLE {also ICMP_HOST_UNREACHABLE}
ICMP PORT_UNREACHABLE {also ICMP_PORT_UNREACHABLE}
ICMP NET_FORBIDDEN {also ICMP_NET_FORBIDDEN}
ICMP HOST_FORBIDDEN {also ICMP_HOST_FORBIDDEN}
The following field is optional and only valid in a rule that has ALLOW specified and NO SKIP information. It can be specified anywhere after the "rule" keyword:
VPN "name_VPN"
The following fields are optional and only valid in a rule that has not specified any SKIP information and no VPN. They can be specified anywhere after the "rule" keyword. Only one of them can be specified in a given rule.
PROXY_FTP
PROXY_HTTP
PROXY_SMTP
PROXY_Telnet
The following fields are optional and only valid in a rule that has specified PROXY_FTP. They can be specified anywhere after the "PROXY_FTP" keyword:
FTP_GET
NO_FTP_GET {default if FTP_GET not specified}
FTP_PUT
NO_FTP_PUT (default if FTP_PUT not specified}
FTP_CHDIR
NO_FTP_CHDIR {default if FTP_CHDIR not specified}
FTP_MKDIR
NO_FTP_MKDIR {default if FTP_MKDIR not specified}
FTP_RENAME
NO_FTP_RENAME {default if FTP_RENAME not specified}
FTP_REMOVE_DIR
NO_FTP_REMOVE_DIR {default if FTP_REMOVE_DIR not specified}
FTP_DELETE
NO_FTP_DELETE {default if FTP_DELETE not specified}
The following fields are optional and only valid in a rule that has specified PROXY_HTTP. They can be specified anywhere after the "PROXY_HTTP" keyword:
COOKIES
NO_COOKIES {default if COOKIES not specified}
ACTIVE_X
NO_ACTIVE_X {default if ACTIVE_X not specified}
SSL
NO_SSL {default if SSL not specified}
JAVA_SIGNATURE
JAVA_HASH
JAVA_SIGNATURE_HASH
JAVA
NO_JAVA {default if no other JAVA setting is specified}
The following fields are optional and only valid in a rule that has specified PROXY_SMTP. They can be specified anywhere after the "PROXY_SMTP" keyword: RELAY
NO_RELAY {default if RELAY not specified}
add nat STATIC "name_ADDRESS" "name_ADDRESS" "name_ADDRESS" "name_ADDRESS"
add nat DYNAMIC "name_ADDRESS" "name_ADDRESS" "name_ADDRESS" "name_ADDRESS"
The following fields are optional and can be specified in any order after the "nat" keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add accesslocal USER "name_USER"
The following fields are optional and can be specified in any order after the "accesslocal" keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add accessremote USER "name_USER" "name_ADDRESS" SKIP_VERSION_1 "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM"
add accessremote USER "name_USER" "name_ADDRESS" SKIP_VERSION_2 "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM" "name_MAC_ALGORITHM" "name_COMPRESSION_ALGORITHM"
The following field is optional for accessremote entries. It can be specified in any order after the "accessremote" keyword:
TUNNEL "name_ADDRESS" { if the remote machine is using tunneling }
The following fields are optional and can be specified in any order after the "accesslocal/accessremote" keyword:
PERMISSION ALL
PERMISSION WRITE
PERMISSION READ
PERMISSION STATUS
PERMISSION NONE { default if no PERMISSION is specified }
SCREEN "name_SCREEN"
COMMENT "comment string"
add vpngateway "name_VPN" "name_ADDRESS" SKIP "name_CERTIFICATE"
The following fields are required and can be specified in any order after the "vpngateway" keyword:
KEY "name_KEY_ALGORITHM"
DATA "name_DATA_ALGORITHM"
MAC "name_MAC_ALGORITHM"
COMPRESSION "name_COMPRESSION_ALGORITHM"
The following fields are optional and can be specified in any order after the "vpngateway" keyword:
TUNNEL "name_ADDRESS"
COMMENT "comment string"
Adds a member to a group or list.
Usage:
add_member address "name_ADDRESS" "name_ADDRESS"* { add to include list }
add_member address "name_ADDRESS" EXCLUDE "name_ADDRESS"* { add to exclude list }
add_member service "name_SERVICE" "name_SERVICE"*
add_member certificate "name_CERTIFICATE" "name_CERTIFICATE"*
"*" denotes that multiple space-separated names can be specified in a single request.
The following field may be necessary to uniquely identify an entry. If so, it can be specified after the TYPE keyword:
SCREEN "name_SCREEN"
Manipulates the list of authorized users.
Usage:
authuser add name parameters...
authuser delete name
authuser print
Deletes the specified entry of the given TYPE.
Usage:
del[ete] address "name_ADDRESS"
*del[ete] screen "name_SUNSCREEN"
del[ete] service "name_SERVICE"
del[ete] interface "name_INTERFACE"
del[ete] certificate "name_CERTIFICATE"
del[ete] time "name_TIME"
*del[ete] rule #
*del[ete] nat #
*del[ete] accesslocal #
*del[ete] accessremote #
*del[ete] vpngateway #
The following field may be necessary to uniquely identify an entry. If so it can be specified after the TYPE keyword, except for the entries preceded by an "*" above:
SCREEN "name_SCREEN"
Deletes a member from a group or list.
Usage:
del[ete]_member address "name_ADDRESS" "name_ADDRESS"* { from include list }
del[ete]_member address "name_ADDRESS" EXCLUDE "name_ADDRESS"* { from exclude list }
del[ete]_member service "name_SERVICE" "name_SERVICE"*
del[ete]_member certificate "name_CERTIFICATE" "name_CERTIFICATE"*
"*" denotes that multiple space-separated names can be specified in a single request.
The following field may be necessary to uniquely identify an entry. If so it can be specified after the TYPE keyword:
SCREEN "name_SCREEN"
Inserts a new object of one of the ordered (indexed) types in a specified position in the corresponding list.
Usage:
insert rule # parameters...
insert nat # parameters...
insert accesslocal # parameters...
insert accessremote # parameters...
insert vpngateway # parameters...
Index indicates the position the new entry holds in the list after it is inserted. The same syntax used for add is used for insert, with the index coming immediately after the TYPE keyword.
Manipulates the list of JAR hashes used by the HTTP proxy.
Usage:
jar_hash add name hash
jar_hash delete name
jar_hash rename oldname newname
jar_hash list
jar_hash list_names
Functions:
add -- Add an entry to the jar_hash database.
del -- Delete an entry from the jar_hash database.
rename -- Rename an entry in the jar_hash database.
list -- List the entries in the jar_hash database.
list_names -- List the names of the entries in the jar_hash database.
Manipulates the list of JAR signatures used by the HTTP proxy.
Usage:
jar_sig add name sig-hash
jar_sig delete name
jar_sig rename oldname newname
jar_sig list
jar_sig list_names
Functions:
add -- Add an entry to the jar_sig database.
del -- Delete an entry from the jar_sig database.
rename -- Rename an entry in the jar_sig database.
list -- List the entries in the jar_sig database.
list_names -- List the names of the entries in the jar_sig database.
Displays all data for all entries or a specific entry of a given TYPE. The format of the output is the same as the syntax of the corresponding Add TYPE request.
Usage:
*list address
list address "name_ADDRESS"
*list screen
*list screen "name_SCREEN"
*list service
list service "name_SERVICE"
*list stateengine
*list stateengine "name_STATEENGINE"
*list interface
list interface "name_INTERFACE"
*list certificate
list certificate "name_CERTIFICATE"
*list time
list time "name_TIME"
*list rule
*list rule #
*list nat
*list nat #
*list accesslocal
*list accesslocal #
*list accessremote
*list accessremote #
*list vpngateway
*list vpngateway #
The following field is optional and can be specified after the TYPE keyword in any of the above requests except those which are preceded by an "*".
SCREEN "name_SCREEN"
If no SCREEN option is present, only entries not associated with a specific SCREEN are listed. If the SCREEN option value is "*", then all entries that otherwise match are displayed. Requests that do not specify a name always display all entries of the given type.
Displays the set of unique basenames and sub-type of all of a given TYPE. These are the values that can be used when another object refers to an object of the specified TYPE.
Usage:
list_name TYPE
TYPE can be any of address, screen, service, stateengine, interface, certificate, time, or vpn.
Loads a policy into the configuration editor.
Usage:
load "name_POLICY"
Any edits to the current policy must be saved or discarded before this operation will succeed.
ssadm lock manipulates the lock that protects a policy from simultaneous modification by multiple administrators.
Usage:
ssadm lock -w policy
ssadm lock -c policy
ssadm lock -w prints a line of text describing the status of the lock.
ssadm lock -c forcibly breaks the lock and attempts to terminate (with a SIGHUP signal) the previous holder of the lock.
For example:
# ssadm lock -w Initial Lock held by admin@198.41.0.6 process id:8977 # ssadm lock -c Initial # ssadm lock -w Initial Lock available |
Returns the status of the Lock relative to this editor. If this editor holds a lock, the type of lock is returned. If it does not hold a lock, another process acquired a WRITE lock, in which case, if that WRITE lock is still in effect, information about that WRITER is presented. If that WRITE lock is no longer in effect, then Lock available is returned.
Usage:
lock_status
Searches the Registry for objects that match specified criteria.
Usage:
search TYPE [SCREEN "name_SCREEN"] [ SUBTYPE subtype] Substring...
TYPE can be any of address, screen, service, stateengine, interface, certificate, or time. SUBTYPE values depend upon the TYPE being searched according to the following table.
Table B-6 Search TYPE
TYPE |
SUBTYPE |
---|---|
address |
HOST, RANGE, GROUP |
certificate |
SINGLE, GROUP |
screen |
|
stateengine |
|
service |
SINGLE, GROUP |
interface |
ADMIN, DISABLED, EFS, HA, SPF |
time |
|
Moves an indexed entry from its current location in the ordered list to the new location.
Usage:
move rule # #
move nat # #
move accesslocal # #
move accessremote # #
move vpngateway # #
Replaces an object at a specified index.
Usage:
replace rule # parameters...
replace nat # parameters...
replace accesslocal # parameters...
replace accessremote # parameters...
replace vpngateway # parameters...
replace is similar to insert, except it replaces the entry at the specified index. A short-hand for an insert n / del n+1 pair of requests. The same syntax used for add is used for replace, with the index coming immediately after the TYPE keyword.
Determines if a named-objects of a given TYPE is referred to in the common data or the current policy.
Usage:
refer address "name_ADDRESS"
refer screen "name_SCREEN"
refer service "name_SERVICE"
refer stateengine "name_STATEENGINE"
refer certificate "name_CERTIFICATE"
refer time "name_TIME"
refer vpn "name_VPN"
Displays a list of all entries in the common objects and/or the current policy that refer to a specified named-object of a given TYPE.
Usage:
referlist address "name_ADDRESS"
referlist screen "name_SCREEN"
referlist screen "name_SCREEN"
referlist service "name_SERVICE"
referlist stateengine "name_STATEENGINE"
referlist certificate "name_CERTIFICATE"
referlist time "name_TIME"
referlist vpn "name_VPN"
Renames a specified named-object of a given TYPE.
Usage:
rename address "name_ADDRESS" "name_ADDRESS"
*rename screen "name_SCREEN" "name_SCREEN"
rename service "name_SERVICE" "name_SERVICE"
rename interface "name_INTERFACE" "name_INTERFACE"
rename certificate "name_CERTIFICATE" "name_CERTIFICATE"
rename time "name_TIME" "name_TIME"
The following field may be necessary to uniquely identify an entry. If so it can be specified after the TYPE keyword except for the entries preceded by an "*" above:
SCREEN "name_SCREEN"
If an entry already exists with the new name, it is replaced by this operation.
Renames all references to a specified named-object of a given TYPE.
Usage:
renamereference address "name_ADDRESS" "name_ADDRESS"
renamereference screen "name_SCREEN" "name_SCREEN"
renamereference service "name_SERVICE" "name_SERVICE"
renamereference certificate "name_CERTIFICATE" "name_CERTIFICATE"
renamereference time "name_TIME" "name_TIME"
renamereference vpn "name_VPN" "name_VPN"
Saves all current edits to the common objects and policy.
Usage:
save
save "name_POLICY" [types...]
If a name is specified, then the current policy is written to the new name, but remains the policy in the editor.
The following types can be specified.
Rule
Nat
AccessLocal
AccessRemote
VPNGateway
Discards any and all edits (if any were made) and re-loads the data into the editor from the database. If another process has performed edits and saved them since the current editor process loaded its data, and the current editor process wants to perform edits, it must perform a reload first, to re-acquire its read lock and ensure that no saved edits are lost.
Usage:
reload
Takes no arguments and "verifies" the currently loaded policy.
Usage:
verify
Manipulates the list of mail relays used by the SMTP proxy.
Usage:
mail_relay parameters
Manipulates the list of spam domains used by the SMTP proxy.
Usage:
mail_spam add domain-string
mail_spam del domain-string
mail_spam list
Manipulates the list of proxy users.
Usage:
proxyuser add name parameters...
proxyuser delete name
proxyuser print
Manipulates variables used for RADIUS configuration.
Usage:
vars add variables
Causes the editor to terminate if there are no unsaved changes.
Usage:
quit
When the editor is used interactively, typing quit twice consecutively causes the editor to terminate even if there are unsaved changes.
QUIT (typed in upper case) causes the editor to terminate even if there are unsaved changes.
Usage:
QUIT