Administrator's Guide

    rule. For UDP and RAW, this rule applies to all inbound packets.
  client: This rule applies to outbound requests only. For TCP, only connection initiations are controlled by this rule. For UDP and RAW, this rule applies to all outbound packets.
  bidir: This rule applies to both inbound and outbound requests. For TCP, connections initiated and received by the endpoint are controlled by this rule. For UDP and RAW, this rule applies to all packets passing through the endpoint.

Protocol          Specifies the networking protocol that applies to this rule. The options are:
  tcp: This rule applies to the TCP protocol.
  udp: This rule applies to the UDP protocol.
  raw: This rule applies to any other protocol in the INET domain.

protonum          The protocol number specified for this rule. The protonum option is relevant only for a raw specification.

port              (Optional) Specifies that this rule applies to a specific port.

port              Identifies the port specified in this rule.

peer              (Optional) The port information applies to the peer endpoint involved in the communication for this rule.

compartment_name  Specifies the name of the compartment that is the target of the rule. This is usually the interface compartment name, but it can also be another compartment, which indicates loopback communication.
For example:
/* allow all inbound TCP connections (any port) from interfaces labeled lancmpt1 */
grant server tcp lancmpt1
/* allow DNS client lookups (both TCP and UDP) through interface labeled lancmpt1 */
grant client tcp port 53 lancmpt1
grant bidir udp port 53 lancmpt1
/* allow only outbound telnet connections through interface labeled ifacelan0 */
grant client tcp peer port 23 ifacelan0
/* allow all TCP traffic except inbound telnet through interface labeled ifacelan0 */
/* the following two lines can be specified in either order */
grant bidir tcp ifacelan0
deny server tcp port 23 ifacelan0
/* allow inbound web server traffic through interface lan1cmpt */
6.4 Compartment Rules and Syntax 121
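The following Python script is an added illustration, not code from this guide or from HP-UX: it parses the ifacelan0 rules shown above using the keyword order of the page's examples and evaluates sample connections against them. It assumes that a matching deny overrides any grant regardless of rule order (consistent with the note that the two ifacelan0 lines may appear in either order), that a port given without peer refers to the local endpoint, that traffic matching no grant is refused, and that protonum directly follows raw.

```python
import re
# Constructed rule text copied from the guide's ifacelan0 examples (not a real config file).
RULES_TEXT = """
/* allow all TCP traffic except inbound telnet through interface labeled ifacelan0 */
grant bidir tcp ifacelan0
deny server tcp port 23 ifacelan0
/* allow only outbound telnet connections through interface labeled ifacelan0 */
grant client tcp peer port 23 ifacelan0
"""

# Keyword order follows the page's examples; placing protonum right after raw is an assumption.
RULE_RE = re.compile(
    r"^(?P<action>grant|deny)\s+(?P<dir>server|client|bidir)\s+"
    r"(?P<proto>tcp|udp|raw)(?:\s+(?P<protonum>\d+))?"
    r"(?:\s+(?:(?P<peer>peer)\s+)?port\s+(?P<port>\d+))?\s+(?P<cmpt>\S+)$"
)

def parse_rules(text):
    """Parse rule lines into dicts, dropping /* comments */ and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", raw).strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed rule: {line!r}")
        r = m.groupdict()
        r["port"] = int(r["port"]) if r["port"] else None
        r["peer"] = r["peer"] is not None  # True: port refers to the peer endpoint
        rules.append(r)
    return rules

def matches(rule, conn):
    """conn keys: direction ('in'/'out'), proto, local_port, remote_port, cmpt."""
    want = {"server": "in", "client": "out", "bidir": conn["direction"]}[rule["dir"]]
    if (rule["cmpt"], rule["proto"], want) != (conn["cmpt"], conn["proto"], conn["direction"]):
        return False
    if rule["port"] is None:
        return True
    return conn["remote_port" if rule["peer"] else "local_port"] == rule["port"]

def decide(rules, conn):
    """Assumed semantics: a matching deny wins regardless of rule order (hence the
    page's note that the ifacelan0 pair may appear in either order); no grant means refusal."""
    hits = [r for r in rules if matches(r, conn)]
    if any(r["action"] == "deny" for r in hits):
        return "deny"
    return "grant" if hits else "deny"
```

Swapping the order of the grant and deny lines in RULES_TEXT gives the same decisions, which is the order-independence the guide describes for that pair.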