Optionally, groups can be created and updated via the web interface of a manage connection.
Further information can be found here.
SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type;UID;Comment;eMail
*;*;99;manage;300;30;*;TINT:5,REFRH,REFRU,LOG:1,GRPUPD,RTUPD,OTPUPD,DELLOG:20,LGS,LGTIME,FLG:true,BPRI:AboveNormal;MGMT;Management;firstname.lastname@example.org
*;*;12321;status;;;*;LOG:2;STAT;Status;
*;*;8080;*;PrxFilter;*;2040-01-01;PRX;PROX;Proxy;
220.127.116.11;18.104.22.168;11000;*;172.18.32.52;3389;*;*;1.1;
22.214.171.124-126.96.36.199;188.8.131.52;11102;192.168.1.1;184.108.40.206;3389;*;*;1.2;
220.127.116.11/24;18.104.22.168;139-141;*;22.214.171.124;*;2020-10-20;*;3;
#192.168.1.2;126.96.36.199;139,445;*;188.8.131.52;*;*;*;ABC;
fe80::2e0:81ff:fe73:379a;fe80::20e:7fff:fe60:25fe%10;80;status;*;*;*;*;4;IPv6 addresses;email@example.com
For incoming connections the table is processed from the beginning; the first entry whose SourceIP, GatewayIP and GatewayPort match the connection is selected, so the order of the rules matters.
SourceIP: comma separated list of IP addresses, ranges of IP addresses (a-b), IP subnets (a/n) of clients,
... email addresses (lowercase!) or names of group table entries that may use this routing entry; * means: all clients.
... May also be autologon or incoming; the valid combinations with the function codes in GatewayIP2 can be found here.
GatewayIP: IP address on which the gateway is listening; * means: all available IP addresses.
... If SourceIP is autologon: RuleIDs (separated by |); if SourceIP is incoming: one RuleID.
GatewayPort: comma separated list of ports, ranges of ports (e.g. 139-141) or names of group table entries on which the gateway is listening.
... If a group table entry is specified: its name must start with P_, and the entry may contain a list of ports and/or ranges of ports.
... Group table entries specifying ports are read only when the routing table is loaded!
... If a port is prefixed with "r" (e.g. r3389): the connection is allowed in the opposite direction; in this case SourceIP may be only one IP address.
... GatewayPort=0 matches any port on which a succeeding rule listens; this is useful to block source addresses via a deny rule placed before those rules.
GatewayIP2: IP address the gateway uses for outgoing connections, or * or :: (the address is chosen by the system),
... or one of the function codes below; valid combinations with autologon or incoming can be found here.
... A second address may be given (separated by ,) to select an IPv4 or IPv6 destination, see IPv6.
Function codes that open no outgoing connection; the following are implemented only for TCP connections:
... status ... returns status information
... manage ... same as status plus management functions; the stop and restart functions may be called only from the local address 127.0.0.1.
....... favicon is supported for manage and status connections.
... logon ... logon to the application gateway using a smart card, any client certificate or OTP.
... web ... acts as a simple web server
... reverselogon ... destination of a remote autologon session
... forward ... forwards to an existing local reverselogon session with the matching RuleID
Function codes that open no outgoing connection; the following are implemented for TCP and UDP connections:
... deny ... aborts the incoming connection immediately
... echo ... implements a simple honeypot and other functions (ECHO, FTP, HTTP, NOECHO, PRTG, SESAM, SSRP, TELNET)
DestinationIP: IP address or DNS name of the destination; a secondary address can be specified (see keyword LDB), or
... if the DNS name starts with @: MX records are looked up and resolved, and connections are retried according to their priority.
... if GatewayIP2=manage: maximum number of sessions allowed (optional, default is 500)
... if Type=PRX, SAPR or UDDEST:
.... for URL and destination checking: * (no restriction) or a list of group table names (separated by |) that hold the allowed destination IP addresses, ranges or names
.... Syntax of group table entries:
...... entries are separated by ","
...... an optional port can be specified (e.g. www.aon.at!80)
...... names may start with * as a wildcard, e.g. the filter *.xyz.com matches a.xyz.com and xyz.com
.... Reverse proxy with keyword PRX:
...... At least one group must be specified and the names of the groups must start with "X_".
...... Each entry consists of "host>destination", mapping the requested host to the destination, e.g.
... RuleIDs, or one RuleID, if GatewayIP2 is reverselogon or forward
... If the destination IP is reachable only via a proxy, the CONNECT keyword has to be used.
... If necessary, NTLM authentication at the proxy is implemented using CNTLM.
DestinationPort: port of the destination; if *: the same port as the connection to GatewayIP is used. If GatewayIP2=manage: default maximum idle time (TTL) of any link in minutes; if not set, the TTL is 60.
... if Type=PRX, SAPR or UDDEST: DestinationPort should be *
Expiration: time at which the rule is disabled, usually in the format YYYY-MM-DD HH:MM:SS (date is mandatory, time may be omitted), or
* or empty (no expiration), or
the name of a Timer Group (name must start with "T_").
Expiration is checked every timer interval, see keyword TINT.
Type: See list of keywords
UID: ... unique ID (string) of the routing table entry, or *. It gives a stable reference to the entry during its lifetime and is used to build shortcuts.
Comment: ... any comment
eMail: ... comma separated list of email addresses, or names of groups that contain email addresses, used to send notification mails when the rule expires (see also Group Notify)
If a line starts with #, it is not processed (comment).
Line numbers are shown when the routing table is displayed, so use an editor that supports line numbers to find lines quickly when editing the routing file.
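As an added example (not part of this page and not the gateway's own code), the following Python script parses a routing table in the format described above and performs the first-match lookup on SourceIP, GatewayIP and GatewayPort, skipping comment lines and expired rules, and checks that the UIDs are unique. The sample table is constructed for the example. Group-table names, email addresses, P_ port groups, T_ timer groups and the "r" prefix are recognised but not resolved, and GatewayPort 0 is simplified to "any port"; these are assumptions of the example, not statements about the gateway. It is handy for verifying rule order, for instance that a deny rule sits before the rules it is meant to shadow.

```python
# Added example: parser and first-match lookup for the routing table format above.
# Illustrative code for this page, not the gateway's implementation. Assumed from
# the text: ';'-separated fields in header order, '#' comment lines, first match
# on (SourceIP, GatewayIP, GatewayPort) wins, SourceIP holds addresses/a-b ranges/
# a/n subnets, GatewayPort holds ports/ranges ('0' = any port, simplified),
# Expiration is '*'/empty, YYYY-MM-DD[ HH:MM:SS] or a T_ timer group (not evaluated).
import ipaddress
from dataclasses import dataclass
from datetime import datetime

FIELDS = ["SourceIP", "GatewayIP", "GatewayPort", "GatewayIP2", "DestinationIP",
          "DestinationPort", "Expiration", "Type", "UID", "Comment", "eMail"]

# Constructed sample table (not the page's). The deny rule is first on purpose:
# with first-match semantics a deny placed after the RDP rule would be dead.
SAMPLE = """SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type;UID;Comment;eMail
# blocked network: GatewayPort 0 matches any port a later rule listens on
10.0.0.0/8;*;0;deny;*;*;*;*;BLOCK;block 10/8 before anything listens;
192.168.1.10-192.168.1.20;192.168.1.1;11000;*;172.16.0.5;3389;*;*;RDP1;;
192.168.1.10;192.168.1.1;139-141,445;*;172.16.0.6;*;2020-10-20;*;OLD;expired SMB rule;
192.168.1.10;192.168.1.1;139-141,445;*;172.16.0.7;*;*;*;SMB;;
*;*;12321;status;;;*;LOG:2;STAT;Status;
"""


@dataclass
class Rule:
    line_no: int   # line in the routing file, as the gateway shows it
    fields: dict


def parse_routing_table(text):
    """Split the file into Rule objects, skipping blank lines, '#' comments and the header."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if parts[:3] == FIELDS[:3]:                   # header row
            continue
        parts += [""] * (len(FIELDS) - len(parts))    # tolerate omitted trailing fields
        rules.append(Rule(n, dict(zip(FIELDS, parts))))
    return rules


def ip_matches(ip, spec):
    """spec: comma-separated single addresses, a-b ranges, a/n subnets, or '*'."""
    addr = ipaddress.ip_address(ip)
    for item in (s.strip() for s in spec.split(",")):
        if item == "*":
            return True
        try:
            if "-" in item:
                lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
                if lo.version == addr.version and lo <= addr <= hi:
                    return True
            elif "/" in item:
                net = ipaddress.ip_network(item, strict=False)
                if net.version == addr.version and addr in net:
                    return True
            elif ipaddress.ip_address(item) == addr:
                return True
        except ValueError:
            pass   # group name, email address or autologon/incoming: not resolved here
    return False


def port_matches(port, spec):
    """spec: comma-separated ports, lo-hi ranges, r-prefixed ports, P_ groups, '*' or '0'."""
    for item in (s.strip() for s in spec.split(",")):
        if item in ("*", "0"):            # '0' simplified to: any port
            return True
        if item.startswith("P_"):         # port group: would need the group table
            continue
        item = item[1:] if item.startswith("r") else item
        if "-" in item:
            lo, hi = item.split("-", 1)
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif item.isdigit() and int(item) == port:
            return True
    return False


def parse_time(s):
    """YYYY-MM-DD with optional HH:MM:SS (date mandatory, time optional)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S" if " " in s else "%Y-%m-%d")


def is_expired(rule, now):
    exp = rule.fields["Expiration"]
    if exp in ("", "*") or exp.startswith("T_"):   # T_ timer groups not evaluated here
        return False
    return parse_time(exp) <= now


def select_rule(rules, src_ip, gw_ip, gw_port, now=None):
    """First-match lookup on (SourceIP, GatewayIP, GatewayPort), skipping expired rules."""
    now = parse_time(now) if isinstance(now, str) else (now or datetime.now())
    for r in rules:
        f = r.fields
        if is_expired(r, now):
            continue
        if (ip_matches(src_ip, f["SourceIP"]) and ip_matches(gw_ip, f["GatewayIP"])
                and port_matches(gw_port, f["GatewayPort"])):
            return r
    return None


def duplicate_uids(rules):
    """Sanity check: UIDs other than '*' must be unique, they are used as references."""
    seen, dups = {}, []
    for r in rules:
        uid = r.fields["UID"]
        if uid in ("", "*"):
            continue
        if uid in seen:
            dups.append((uid, seen[uid], r.line_no))
        else:
            seen[uid] = r.line_no
    return dups
```

With the sample table, a client from 10.1.2.3 hits the BLOCK rule on any port, a client from 192.168.1.15 on port 11000 hits RDP1, and a client from 192.168.1.10 on port 445 hits OLD before 2020-10-20 and SMB afterwards, which is the first-match and expiration behaviour described above.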