A TTLSRule statement consists of a set of conditions that are compared
against the connection being checked. When a match is found, policy
lookup stops and the connection is assigned the actions associated
with the rule. The rule conditions are:
- LocalAddr - Local IP address or addresses
- RemoteAddr - Remote IP address or addresses
- LocalPortRange - Local port or ports
- RemotePortRange - Remote port or ports
- Jobname - Job name of the owning application or wildcard job name
- Userid - User ID of the owning process or wildcard user ID
- Direction - Inbound if applied to a passive socket (established
by accept), Outbound if applied to an active socket (established by
connect), or Both
Direction and at least one other condition must be specified. Other
rule considerations include:
- If a condition is not specified, that condition is not considered
when comparing the rule and the connection for a match.
- Multiple values can be specified for the IP address and port conditions,
either directly in the condition or as a referenced group.
- IPv6 addresses are valid in all environments.
Each TTLSRule statement can also have a priority. Priority values
can be integers in the range 1 - 2000000000, with 2000000000 being
the highest priority. Rules are searched from the highest priority
down, and the first rule whose conditions all match is used. When
assigning priorities, skip some values (for example, step by 100)
so that a new rule can later be inserted between existing rules
without renumbering them. Rules that share a priority are ordered
alphabetically by rule name, so when two overlapping rules carry the
same priority the one selected is decided by its name, not by intent.
Tip: If connections can map to more than one rule, always
use priority and leave priority space between rules.
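The condition matching and the priority ordering described above, as an added Python model; this is not IBM code and not the Policy Agent implementation. It enforces that Direction plus at least one other condition is present, ignores conditions that are not specified, accepts IPv4 and IPv6 address values, searches rules from the highest priority down with alphabetical order by rule name within a priority, and returns the first match. The rule names, the address and port lists standing in for referenced groups, the job names, the action names and the treatment of Jobname/Userid wildcards as trailing-asterisk patterns are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional

MAX_PRIORITY = 2_000_000_000           # highest priority a TTLSRule can carry
DIRECTIONS = ("Inbound", "Outbound", "Both")

# Constructed stand-ins for address and port groups referenced by rules.
INTERNAL_NET = ["10.0.0.0/8", "fd00::/8"]
WEB_PORTS = ["443", "8443"]


@dataclass
class Rule:
    name: str
    direction: str                       # required: Inbound, Outbound or Both
    priority: int = 1                    # 1 .. MAX_PRIORITY
    local_addr: List[str] = field(default_factory=list)   # addresses or prefixes
    remote_addr: List[str] = field(default_factory=list)
    local_port: List[str] = field(default_factory=list)   # "443" or "1024-65535"
    remote_port: List[str] = field(default_factory=list)
    jobname: Optional[str] = None        # assumed: exact or trailing "*" wildcard
    userid: Optional[str] = None
    action: str = ""                     # hypothetical action name assigned on match


@dataclass
class Connection:
    local_addr: str
    remote_addr: str
    local_port: int
    remote_port: int
    jobname: str
    userid: str
    direction: str                       # Inbound (accept) or Outbound (connect)


def validate(rule: Rule) -> Rule:
    """Direction is mandatory and at least one other condition must be set."""
    if rule.direction not in DIRECTIONS:
        raise ValueError(f"{rule.name}: Direction must be one of {DIRECTIONS}")
    if not 1 <= rule.priority <= MAX_PRIORITY:
        raise ValueError(f"{rule.name}: priority out of range")
    others = (rule.local_addr, rule.remote_addr, rule.local_port,
              rule.remote_port, rule.jobname, rule.userid)
    if not any(others):
        raise ValueError(f"{rule.name}: a condition besides Direction is required")
    return rule


def _addr_ok(values, addr):
    if not values:                       # condition not specified: not considered
        return True
    ip = ipaddress.ip_address(addr)      # IPv4 or IPv6; version mismatch never matches
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)


def _port_ok(values, port):
    if not values:
        return True
    for v in values:                     # single port "443" or range "5000-5010"
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _name_ok(pattern, name):
    if pattern is None:
        return True
    return fnmatchcase(name.upper(), pattern.upper())


def matches(rule: Rule, conn: Connection) -> bool:
    return (rule.direction in ("Both", conn.direction)
            and _addr_ok(rule.local_addr, conn.local_addr)
            and _addr_ok(rule.remote_addr, conn.remote_addr)
            and _port_ok(rule.local_port, conn.local_port)
            and _port_ok(rule.remote_port, conn.remote_port)
            and _name_ok(rule.jobname, conn.jobname)
            and _name_ok(rule.userid, conn.userid))


def ordered(rules):
    """Highest priority first; alphabetical by rule name within a priority."""
    return sorted(rules, key=lambda r: (-r.priority, r.name))


def lookup(rules, conn) -> Optional[Rule]:
    """First matching rule in search order wins; None if nothing matches."""
    for rule in ordered(rules):
        if matches(rule, conn):
            return rule
    return None


# Constructed policy. Priorities 2000/1000 leave room for later inserts;
# AppOut and BulkOut deliberately share a priority to show the tie-break.
RULES = [validate(r) for r in (
    Rule("WebInboundInternal", "Inbound", 2000, local_port=WEB_PORTS,
         remote_addr=INTERNAL_NET, action="envInternalWeb"),
    Rule("WebInbound", "Inbound", 1000, local_port=WEB_PORTS, action="envPublicWeb"),
    Rule("DbOutbound", "Outbound", 1000, remote_port=["5000-5010"],
         jobname="BATCH*", action="envDb"),
    Rule("BulkOut", "Outbound", 500, jobname="BATCH*", action="envBulk"),
    Rule("AppOut", "Outbound", 500, remote_port=["1-65535"], action="envAppOut"),
)]

if __name__ == "__main__":
    c = Connection("10.0.0.5", "10.1.2.3", 443, 51000, "WEBSRV1", "WEBUSER", "Inbound")
    print(lookup(RULES, c).name)
```

The BATCH01 connection to an arbitrary remote port matches both BulkOut (by job name) and AppOut (by port) at priority 500; AppOut is chosen purely because "AppOut" sorts before "BulkOut". That is the situation the Tip above warns against: give overlapping rules distinct priorities so the selected rule is the intended one.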