From 895e9a4a0bd2316302df63b1ae262264efde9246 Mon Sep 17 00:00:00 2001 From: yaroslavrosomakho Date: Sun, 6 Oct 2024 16:18:09 +0100 Subject: [PATCH 1/8] Replaced split-DNS with more generic destinations for hostnames, IP addresses and ports. --- draft-ietf-intarea-proxy-config.md | 62 ++++++++++++++++++++---------- 1 file changed, 41 insertions(+), 21 deletions(-) diff --git a/draft-ietf-intarea-proxy-config.md b/draft-ietf-intarea-proxy-config.md index e2cc5d7..663cba5 100644 --- a/draft-ietf-intarea-proxy-config.md +++ b/draft-ietf-intarea-proxy-config.md @@ -45,7 +45,7 @@ which proxies are associated with one another. Client can also benefit from learning about additional information associated with the proxy to optimize their proxy usage, such knowing that a proxy is configured -to only allow access to a limited set of next hops. +to only allow access to a limited set of destinations. These improvements to client behavior can be achieved through the use of Provisioning Domains. Provisioning Domains (PvDs) are defined in {{?PVD=RFC7556}} @@ -62,8 +62,8 @@ to use proxies: 1. A way to list one or more proxy URIs in a PvD, allowing clients to learn about other proxy options given a known proxy ({{proxy-enumeration}}). -1. A way to define a limited set of DNS zones that are accessible through the -proxy ({{split-dns}}). +1. A way to define a limited set of destinations that are accessible through the +proxy ({{destinations}}). Additionally, this document partly describes how these mechanisms might be used to discover proxies associated with a network ({{network-proxies}}). 
@@ -233,38 +233,58 @@ content-length = 222 The client would learn the URI template of the proxy that supports UDP using {{CONNECT-UDP}}, at "https://proxy.example.org/masque{?target_host,target_port}". -# Split DNS information for proxies {#split-dns} +# Destination information for proxies {#destinations} -Split DNS configurations are cases where only a subset of domains is routed through -a VPN tunnel or a proxy. For example, IKEv2 defines split DNS configuration in -{{?IKEV2SPLIT=RFC8598}}. +Destination configuration is used when only a subset of destinations is reachable through +a proxy. Destination restrictions are often used in VPN tunnel configurations such as split +DNS in IKEv2 {{?IKEV2SPLIT=RFC8598}}. -PvD Additional Information can be used to indicate that a proxy PvD has a split DNS -configuration. +PvD Additional Information can be used to indicate that a proxy PvD should be used for a limited +set of destinations. This document defines two optional keys that for subdictionaries in the `proxies` array that are used for split-DNS configuration. 
| JSON Key | Optional | Description | Type | Example | | --- | --- | --- | --- | --- | -| matchDomains | Yes | An array of DNS zones or subdomains that can be accessed over this proxy | Array of Strings | [ "example.com" ] | -| excludedDomains | Yes | An array of DNS zones or subdomains that cannot be accessed over this proxy, which should be more specific domains of entries in the matchDomains array | Array of Strings | [ "public.example.com" ] | +| matchDomains | Yes | An array of hostnames and wildcard FQDNs that can be accessed over this proxy | Array of Strings | [ "www.example.com", "*.local" ] | +| excludedDomains | Yes | An array of hostnames and wildcard FQDNs that cannot be accessed over this proxy, which should be more specific domains of entries in the matchDomains array | Array of Strings | [ "exclude.local" ] | +| matchIPs | Yes | An array of IP addresses and subnets that can be accessed over this proxy | Array of Strings | [ "2001:DB8::1", "192.168.1.0/24" ] | +| excludeIPs | Yes | An array of IP addresses and subnets that cannot be accessed over this proxy, which should be more specific addresses or subnets of entries in the matchIP array | Array of Strings | [ "192.168.1.0/25", "192.168.1.254" ] | +| matchPorts | Yes | An array of TCP or UDP port ranges accessible over this proxy | Array of Strings | [ "80", "443", "1024-65535" ] | +| excludePorts | Yes | An array of TCP or UDP port ranges that cannot be accessed over this proxy, which should be more specific than entries in the matchPorts array | Array of Strings | [ "3389", "8443" ] | When present in a PvD Additional Information dictionary that is retrieved for a proxy -as described in {{proxy-pvd}}, domains in the `matchDomains` array indicate specific zones -that are accessible using the proxy. If a hostname is not included in the enumerated -zones, then a client SHOULD assume that the hostname will not be accessible through the -proxy. 
If a hostname is included in the `excludedDomains` array, then the client SHOULD NOT -access it through the proxy. +as described in {{proxy-pvd}}, entries in the `matchDomains` array indicate specific hosts +and zones that are accessible using the proxy. If a hostname is neither matching an specific +entry nor included in the enumerated zones, then a client SHOULD assume that the hostname +will not be accessible through the proxy. If a hostname is included in the `excludedDomains` +array, then the client SHOULD NOT access it through the proxy. Entries listed in `matchDomains` MUST NOT expand the set of domains that a client is willing to send to a particular proxy. The list can only narrow the list of domains that the client is willing to send through the proxy. For example, if the client -has a local policy to only send requests for "example.com" to a proxy +has a local policy to only send requests for "*.example.com" to a proxy "proxy.example.com", and the `matchDomains` array contains "internal.example.com" and "other.company.com", the client would end up only proxying "internal.example.com" through the proxy. +Wildcard prefix (`*.`) is used to differentiate between specific hostnames and zones. Note +that it is used to match multiple levels of sub-domain. For example "*.example.com" +matches "internal.example.com" as well as "www.public.example.com". + +Entries in `matchIPs` correspond to IP addresses and subnets that are available through the +proxy, while entries in `excludeIPs` define IP addresses and subnets that SHOULD NOT be used +with the proxy. IP address based destination information SHOULD only be used when +communicating with destinations defined by an IP address and not a hostname. + +`matchPorts` and `excludePorts` can be used to restrict relevant transport ports from being +accessible through the proxy. These lists may contain only specific port numbers (such as +"80") or inclusive ranges of ports. 
For example "1024-2048" matches all ports from 1024 to 2048 +including the boundaries. `matchPorts` provides a list of destination TCP or UDP ports that +can be communicated through the proxy while `excludePorts` provides a list of ports that SHOULD +NOT be communicated through the proxy. + ## Example Given a proxy URI template "https://proxy.example.org/masque{?target_host,target_port}", @@ -280,7 +300,7 @@ accept = application/pvd+json ~~~ If the proxy has a PvD definition for this proxy, it could return the following -response to indicate a PvD that has one accessible zone, "internal.example.org". +response to indicate a PvD that has one accessible zone, "*.internal.example.org". ~~~ :status = 200 @@ -299,14 +319,14 @@ content-length = 135 { "protocol": "connect-udp", "proxy": "https://proxy.example.org/masque{?target_host,target_port}", - "matchDomains": [ "internal.example.org" ] + "matchDomains": [ "*.internal.example.org" ] } ] } ~~~ The client could then choose to use this proxy only for accessing names that fall -within the "internal.example.org" zone. +within the "*.internal.example.org" zone. # Discovering proxies from network PvDs {#network-proxies} @@ -353,7 +373,7 @@ Example: [ { IANA is requested to create a new registry "Proxy Information PvD Keys", within the "Provisioning Domains (PvDs)" registry page. This new registry reserves JSON keys for use in sub-dictionaries under the `proxies` key. -The initial contents of this registry are given in {{proxy-enumeration}} and {{split-dns}}. +The initial contents of this registry are given in {{proxy-enumeration}} and {{destinations}}. New assignments in the "Proxy Information PvD Keys" registry will be administered by IANA through Expert Review {{!RFC8126}}. Experts are requested to ensure that defined keys do not overlap in names or semantics. From f75295470733c0532619daef66c0cb962502619e Mon Sep 17 00:00:00 2001 
From: yaroslavrosomakho Date: Sun, 6 Oct 2024 16:30:46 +0100 Subject: [PATCH 2/8] Replaced another occurrence of split-DNS with destinations. --- draft-ietf-intarea-proxy-config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-intarea-proxy-config.md b/draft-ietf-intarea-proxy-config.md index 663cba5..1571267 100644 --- a/draft-ietf-intarea-proxy-config.md +++ b/draft-ietf-intarea-proxy-config.md @@ -144,7 +144,7 @@ Each proxy is defined by a proxy protocol, a proxy location (i.e., a hostname an This document defines two mandatory keys for the sub-dictionaries in the `proxies` array, `protocol` and `proxy`. There are also optional key, including -`alpn`, and keys for split-DNS defined in {{split-dns}}. +`alpn`, and destination keys defined in {{destinations}}. Other optional keys can be added to the dictionary to further define or restrict the use of a proxy. Clients that do not recognize or understand a key in a proxy sub-dictionary MUST ignore the entire From 68c964d2923981de31e5f36f6af6176f7021f401 Mon Sep 17 00:00:00 2001 From: yaroslavrosomakho Date: Mon, 14 Oct 2024 10:50:25 +0100 Subject: [PATCH 3/8] Consolidated port destinations into a single list. Provided guidance on matching lists with more elements than a client can process. Minor spelling fixes. --- draft-ietf-intarea-proxy-config.md | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/draft-ietf-intarea-proxy-config.md b/draft-ietf-intarea-proxy-config.md index 1571267..12c7e89 100644 --- a/draft-ietf-intarea-proxy-config.md +++ b/draft-ietf-intarea-proxy-config.md
@@ -242,17 +242,16 @@ DNS in IKEv2 {{?IKEV2SPLIT=RFC8598}}. PvD Additional Information can be used to indicate that a proxy PvD should be used for a limited set of destinations. -This document defines two optional keys that for subdictionaries in the `proxies` -array that are used for split-DNS configuration. +This document defines five additional optional keys that for subdictionaries in the `proxies` +array that are used to signal information about destinations available through the proxy. | JSON Key | Optional | Description | Type | Example | | --- | --- | --- | --- | --- | | matchDomains | Yes | An array of hostnames and wildcard FQDNs that can be accessed over this proxy | Array of Strings | [ "www.example.com", "*.local" ] | | excludedDomains | Yes | An array of hostnames and wildcard FQDNs that cannot be accessed over this proxy, which should be more specific domains of entries in the matchDomains array | Array of Strings | [ "exclude.local" ] | | matchIPs | Yes | An array of IP addresses and subnets that can be accessed over this proxy | Array of Strings | [ "2001:DB8::1", "192.168.1.0/24" ] | -| excludeIPs | Yes | An array of IP addresses and subnets that cannot be accessed over this proxy, which should be more specific addresses or subnets of entries in the matchIP array | Array of Strings | [ "192.168.1.0/25", "192.168.1.254" ] | -| matchPorts | Yes | An array of TCP or UDP port ranges accessible over this proxy | Array of Strings | [ "80", "443", "1024-65535" ] | -| excludePorts | Yes | An array of TCP or UDP port ranges that cannot be accessed over this proxy, which should be more specific than entries in the matchPorts array | Array of Strings | [ "3389", "8443" ] | +| excludedIPs | Yes | An array of IP addresses and subnets that cannot be accessed over this proxy, which should be more specific addresses or subnets of entries in the matchIP array | Array of Strings | [ "192.168.1.0/25", "192.168.1.254" ] | +| ports | Yes | An array of TCP or UDP port 
ranges accessible over this proxy | Array of Strings | [ "80", "443", "1024-65535" ] | When present in a PvD Additional Information dictionary that is retrieved for a proxy as described in {{proxy-pvd}}, entries in the `matchDomains` array indicate specific hosts 
@@ -274,16 +273,22 @@ that it is used to match multiple levels of sub-domain. For example "*.example.c matches "internal.example.com" as well as "www.public.example.com". Entries in `matchIPs` correspond to IP addresses and subnets that are available through the -proxy, while entries in `excludeIPs` define IP addresses and subnets that SHOULD NOT be used +proxy, while entries in `excludedIPs` define IP addresses and subnets that SHOULD NOT be used with the proxy. IP address based destination information SHOULD only be used when communicating with destinations defined by an IP address and not a hostname. -`matchPorts` and `excludePorts` can be used to restrict relevant transport ports from being -accessible through the proxy. These lists may contain only specific port numbers (such as -"80") or inclusive ranges of ports. For example "1024-2048" matches all ports from 1024 to 2048 -including the boundaries. `matchPorts` provides a list of destination TCP or UDP ports that -can be communicated through the proxy while `excludePorts` provides a list of ports that SHOULD -NOT be communicated through the proxy. +`ports` in a list of strings that can be used to instruct the client that only specific destination +TCP or UDP ports are accessible through the proxy. The list may contain individual port numbers +(such as "80") or inclusive ranges of ports. For example "1024-2048" matches all ports from 1024 +to 2048 including the boundaries. + +Note that clients with limited resources MAY not be able to process and utilize all +entries of an excessively long list. In the case if the provided list is too long for a given +client, it SHOULD process as many records from the beginning of `matchDomains`, `matchIPs` and +`ports` lists. These lists SHOULD be sorted with the most important elements placed at +the start of the list. 
If a client cannot consume all the entries in `excludedDomains` or +`excludedIPs` it SHOULD NOT use given proxy configuration to avoid sending traffic that the proxy +cannot process. ## Example From 48cb2370f56963164ea95f6eb7881a6ddf2c26d1 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Sun, 20 Oct 2024 20:04:58 -0700 Subject: [PATCH 4/8] Apply suggestions from code review --- draft-ietf-intarea-proxy-config.md | 42 +++++++++++++++--------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/draft-ietf-intarea-proxy-config.md b/draft-ietf-intarea-proxy-config.md index 12c7e89..a1a9ce3 100644 --- a/draft-ietf-intarea-proxy-config.md +++ b/draft-ietf-intarea-proxy-config.md @@ -143,8 +143,8 @@ Each proxy is defined by a proxy protocol, a proxy location (i.e., a hostname an {{!URITEMPLATE=RFC6570}}), along with potentially other keys. This document defines two mandatory keys for the sub-dictionaries in the -`proxies` array, `protocol` and `proxy`. There are also optional key, including -`alpn`, and destination keys defined in {{destinations}}. +`proxies` array, `protocol` and `proxy`. There are also optional keys, including +`alpn`, and destination accessibility keys defined in {{destinations}}. Other optional keys can be added to the dictionary to further define or restrict the use of a proxy. Clients that do not recognize or understand a key in a proxy sub-dictionary MUST ignore the entire 
@@ -233,25 +233,25 @@ content-length = 222 The client would learn the URI template of the proxy that supports UDP using {{CONNECT-UDP}}, at "https://proxy.example.org/masque{?target_host,target_port}". -# Destination information for proxies {#destinations} +# Destination accessibility information for proxies {#destinations} -Destination configuration is used when only a subset of destinations is reachable through +Destination accessibility information is used when only a subset of destinations is reachable through a proxy. Destination restrictions are often used in VPN tunnel configurations such as split DNS in IKEv2 {{?IKEV2SPLIT=RFC8598}}. -PvD Additional Information can be used to indicate that a proxy PvD should be used for a limited +PvD Additional Information can be used to indicate that a proxy PvD only allows access to a limited set of destinations. -This document defines five additional optional keys that for subdictionaries in the `proxies` +This document defines five optional keys for subdictionaries in the `proxies` array that are used to signal information about destinations available through the proxy. 
| JSON Key | Optional | Description | Type | Example | | --- | --- | --- | --- | --- | -| matchDomains | Yes | An array of hostnames and wildcard FQDNs that can be accessed over this proxy | Array of Strings | [ "www.example.com", "*.local" ] | -| excludedDomains | Yes | An array of hostnames and wildcard FQDNs that cannot be accessed over this proxy, which should be more specific domains of entries in the matchDomains array | Array of Strings | [ "exclude.local" ] | -| matchIPs | Yes | An array of IP addresses and subnets that can be accessed over this proxy | Array of Strings | [ "2001:DB8::1", "192.168.1.0/24" ] | -| excludedIPs | Yes | An array of IP addresses and subnets that cannot be accessed over this proxy, which should be more specific addresses or subnets of entries in the matchIP array | Array of Strings | [ "192.168.1.0/25", "192.168.1.254" ] | -| ports | Yes | An array of TCP or UDP port ranges accessible over this proxy | Array of Strings | [ "80", "443", "1024-65535" ] | +| matchDomains | Yes | An array of FQDNs and wildcard DNS domains that can be accessed over this proxy | Array of Strings | [ "www.example.com", "*.local" ] | +| excludeDomains | Yes | An array of FQDNs and wildcard DNS domains that cannot be accessed over this proxy. If matchDomains is specified, excludeDomains should list more specific domains within entries in the matchDomains array | Array of Strings | [ "exclude.local" ] | +| matchSubnets | Yes | An array of IP addresses and subnets that can be accessed over this proxy | Array of Strings | [ "2001:DB8::1", "192.168.1.0/24" ] | +| excludeSubnets | Yes | An array of IP addresses and subnets that cannot be accessed over this proxy. 
If matchSubnets is specified, excludeDomains should list more specific subnets within entries in the matchSubnets array | Array of Strings | [ "192.168.1.0/25", "192.168.1.254" ] | +| matchPorts | Yes | An array of TCP or UDP port ranges accessible over this proxy | Array of Strings | [ "80", "443", "1024-65535" ] | When present in a PvD Additional Information dictionary that is retrieved for a proxy as described in {{proxy-pvd}}, entries in the `matchDomains` array indicate specific hosts 
@@ -268,24 +268,24 @@ has a local policy to only send requests for "*.example.com" to a proxy "other.company.com", the client would end up only proxying "internal.example.com" through the proxy. -Wildcard prefix (`*.`) is used to differentiate between specific hostnames and zones. Note -that it is used to match multiple levels of sub-domain. For example "*.example.com" +A wildcard prefix (`*.`) is used to indicate matching entire domains or subdomains instead of specific hostnames. Note +that this can be used to match multiple levels of subdomains. For example "*.example.com" matches "internal.example.com" as well as "www.public.example.com". -Entries in `matchIPs` correspond to IP addresses and subnets that are available through the -proxy, while entries in `excludedIPs` define IP addresses and subnets that SHOULD NOT be used -with the proxy. IP address based destination information SHOULD only be used when -communicating with destinations defined by an IP address and not a hostname. +Entries in `matchSubnets` correspond to IP addresses and subnets that are available through the +proxy, while entries in `excludeSubnets` define IP addresses and subnets that SHOULD NOT be used +with the proxy. Subnet-based destination information SHOULD only be used when +applications are communicating with destinations identified by only an IP address and not a hostname. -`ports` in a list of strings that can be used to instruct the client that only specific destination +`matchPorts` in a list of strings that can be used to instruct the client that only specific destination TCP or UDP ports are accessible through the proxy. The list may contain individual port numbers (such as "80") or inclusive ranges of ports. For example "1024-2048" matches all ports from 1024 -to 2048 including the boundaries. +to 2048, including the 1024 and 1028. Note that clients with limited resources MAY not be able to process and utilize all entries of an excessively long list. 
In the case if the provided list is too long for a given -client, it SHOULD process as many records from the beginning of `matchDomains`, `matchIPs` and -`ports` lists. These lists SHOULD be sorted with the most important elements placed at +client, it SHOULD process as many records from the beginning of `matchDomains`, `matchSubnets` and +`matchPorts` lists. These lists SHOULD be sorted with the most important elements placed at the start of the list. If a client cannot consume all the entries in `excludedDomains` or `excludedIPs` it SHOULD NOT use given proxy configuration to avoid sending traffic that the proxy cannot process. From bca90b7e0be5532324ff46fa5545358f63fce89a Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Sun, 20 Oct 2024 20:06:45 -0700 Subject: [PATCH 5/8] Update draft-ietf-intarea-proxy-config.md --- draft-ietf-intarea-proxy-config.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/draft-ietf-intarea-proxy-config.md b/draft-ietf-intarea-proxy-config.md index a1a9ce3..2e12bbc 100644 --- a/draft-ietf-intarea-proxy-config.md +++ b/draft-ietf-intarea-proxy-config.md 
@@ -282,14 +282,6 @@ TCP or UDP ports are accessible through the proxy. The list may contain individu (such as "80") or inclusive ranges of ports. For example "1024-2048" matches all ports from 1024 to 2048, including the 1024 and 1028. -Note that clients with limited resources MAY not be able to process and utilize all -entries of an excessively long list. In the case if the provided list is too long for a given -client, it SHOULD process as many records from the beginning of `matchDomains`, `matchSubnets` and -`matchPorts` lists. These lists SHOULD be sorted with the most important elements placed at -the start of the list. If a client cannot consume all the entries in `excludedDomains` or -`excludedIPs` it SHOULD NOT use given proxy configuration to avoid sending traffic that the proxy -cannot process. - ## Example Given a proxy URI template "https://proxy.example.org/masque{?target_host,target_port}", From ef2cbc972d88796d57d527d1c51c52097c23c4ae Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Sun, 20 Oct 2024 20:10:44 -0700 Subject: [PATCH 6/8] Update draft-ietf-intarea-proxy-config.md --- draft-ietf-intarea-proxy-config.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/draft-ietf-intarea-proxy-config.md b/draft-ietf-intarea-proxy-config.md index 2e12bbc..4585bca 100644 --- a/draft-ietf-intarea-proxy-config.md +++ b/draft-ietf-intarea-proxy-config.md 
@@ -271,6 +271,12 @@ through the proxy. A wildcard prefix (`*.`) is used to indicate matching entire domains or subdomains instead of specific hostnames. Note that this can be used to match multiple levels of subdomains. For example "*.example.com" matches "internal.example.com" as well as "www.public.example.com". +Entries that include the wildcard prefix also SHOULD be treated as if they match +an FQDN that only contains the string after the prefix, with no subdomain. So, +an entry in `matchDomains` of "*.example.com" would match the FQDN "example.com", +unless "example.com" were specifically included in `excludeDomains`. This is +done to prevent commonly needing to include both "*.example.com" and "example.com" +in the `matchDomains` list. Entries in `matchSubnets` correspond to IP addresses and subnets that are available through the proxy, while entries in `excludeSubnets` define IP addresses and subnets that SHOULD NOT be used From eacf04c382830bb8ed9d3f76d13e97e3c2c00191 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Sun, 20 Oct 2024 20:11:18 -0700 Subject: [PATCH 7/8] Update draft-ietf-intarea-proxy-config.md --- draft-ietf-intarea-proxy-config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-intarea-proxy-config.md b/draft-ietf-intarea-proxy-config.md index 4585bca..7c99fac 100644 --- a/draft-ietf-intarea-proxy-config.md +++ b/draft-ietf-intarea-proxy-config.md 
@@ -257,7 +257,7 @@ When present in a PvD Additional Information dictionary that is retrieved for a as described in {{proxy-pvd}}, entries in the `matchDomains` array indicate specific hosts and zones that are accessible using the proxy. If a hostname is neither matching an specific entry nor included in the enumerated zones, then a client SHOULD assume that the hostname -will not be accessible through the proxy. If a hostname is included in the `excludedDomains` +will not be accessible through the proxy. If a hostname is included in the `excludeDomains` array, then the client SHOULD NOT access it through the proxy. Entries listed in `matchDomains` MUST NOT expand the set of domains that a client is From 2a02c2cb55f2b70d35a674d18aa6227352504e23 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Sun, 20 Oct 2024 20:16:31 -0700 Subject: [PATCH 8/8] Update draft-ietf-intarea-proxy-config.md --- draft-ietf-intarea-proxy-config.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-intarea-proxy-config.md b/draft-ietf-intarea-proxy-config.md index 9e5eb02..42ba519 100644 --- a/draft-ietf-intarea-proxy-config.md +++ b/draft-ietf-intarea-proxy-config.md @@ -291,8 +291,8 @@ with the proxy. Subnet-based destination information SHOULD only be used when applications are communicating with destinations identified by only an IP address and not a hostname. `matchPorts` in a list of strings that can be used to instruct the client that only specific destination -TCP or UDP ports are accessible through the proxy. The list may contain individual port numbers -(such as "80") or inclusive ranges of ports. For example "1024-2048" matches all ports from 1024 +TCP or UDP ports are accessible through the proxy. The list may contain individual port numbers +(such as "80") or inclusive ranges of ports. For example "1024-2048" matches all ports from 1024 to 2048, including the 1024 and 1028. ## Example
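Review bot: in PATCH 1/8, hunk @@ -233,38 +233,58 @@, the "MUST NOT expand the set of domains" rule is stated only for `matchDomains`; the new `matchIPs` and `matchPorts` lists need the same constraint, otherwise a PvD can instruct a client to send IP-literal or port-based traffic to the proxy that its local policy would never have proxied. A sentence such as "Entries in `matchIPs` and `matchPorts` MUST NOT expand the set of destinations a client is willing to send to the proxy; they can only narrow it" closes that gap. The hunk also leaves the interaction between the lists undefined: whether a destination has to satisfy every one of `matchDomains`, `matchIPs` and `matchPorts` that is present, and whether a hostname-based destination is subject to `matchPorts` at all. Smaller points in the same hunk: the key names mix `excludedDomains` with `excludeIPs` and `excludePorts`, the `excludeIPs` description refers to a "matchIP array" (the key is `matchIPs`), "TCP or UDP port ranges" cannot express which transport a port applies to, and "neither matching an specific entry" should read "a specific entry".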
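Review bot: in PATCH 1/8, hunk @@ -299,14 +319,14 @@, the `content-length = 135` shown in the hunk header context is not updated although the body grows by two bytes when "internal.example.org" becomes "*.internal.example.org"; recompute it (or drop the header from the example) so the example stays a valid response. The closing sentence, names that "fall within the "*.internal.example.org" zone", also reads oddly because the wildcard entry is a match pattern rather than a zone name; "names that match "*.internal.example.org"" would be accurate, and nothing in this patch says the pattern also covers the apex "internal.example.org" itself, which the previous example did cover.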
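Review bot: PATCH 2/8, hunk @@ -144,7 +144,7 @@, belongs in PATCH 1/8, which renamed the `{#split-dns}` anchor and left this `{{split-dns}}` reference dangling, so the draft does not build at the intermediate commit; squashing the two keeps every commit in the series buildable. The same context line still says "There are also optional key, including", which is only corrected to "keys" in PATCH 4/8.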
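Review bot: in PATCH 3/8, hunk @@ -242,17 +242,16 @@, the rename to `excludedIPs` makes the prefixes consistent with `excludedDomains`, but its description still says "entries in the matchIP array" rather than `matchIPs`, and the rewritten sentence still reads "five additional optional keys that for subdictionaries" (drop "that"). Folding `matchPorts`/`excludePorts` into a single `ports` list is the right simplification, since a port carve-out can always be written as explicit ranges.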
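Review bot: in PATCH 3/8, hunk @@ -274,16 +273,22 @@, the new resource-limit paragraph uses "MAY not be able", where "may" is not an RFC 2119 permission and should be lower case, and "it SHOULD process as many records from the beginning of `matchDomains`, `matchIPs` and `ports` lists" is missing its completion ("as many records as it can"). The safety split the paragraph makes is correct: a truncated match list only narrows what the client proxies, while a truncated exclude list would send traffic the proxy cannot or should not handle, so the "SHOULD NOT use given proxy configuration" rule for `excludedDomains` and `excludedIPs` is the part worth keeping if this text is reworked (PATCH 5/8 removes it entirely). Also "`ports` in a list of strings" should read "is a list of strings".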
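Review bot: in PATCH 4/8, hunk @@ -233,25 +233,25 @@, the `excludeSubnets` row carries a copy-paste error: "If matchSubnets is specified, excludeDomains should list more specific subnets" should say `excludeSubnets`. The hunk renames the keys to `excludeDomains`, `matchSubnets`, `excludeSubnets` and `matchPorts`, but the prose below the table keeps referring to `excludedDomains` and `excludedIPs` (only one occurrence is fixed, in PATCH 7/8), so a reader of the rendered draft sees key names that do not appear in the table.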
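Review bot: in PATCH 4/8, hunk @@ -268,24 +268,24 @@, "For example "1024-2048" matches all ports from 1024 to 2048, including the 1024 and 1028" is wrong: the upper bound is 2048, not 1028, and "the" should go, giving "including both 1024 and 2048". No later patch in the series corrects this, although PATCH 8/8 touches the neighbouring lines. The same hunk changes "`ports` in a list" to "`matchPorts` in a list", keeping the "in" that should be "is". The added constraint that subnet information "SHOULD only be used when applications are communicating with destinations identified by only an IP address" is the right call: matching a resolved address against `matchSubnets` would require the client to resolve the name outside the proxy and leak the query.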
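Review bot: PATCH 5/8, hunk @@ -282,14 +282,6 @@, removes the only text that told a client what to do when it cannot hold a complete `excludeDomains`/`excludeSubnets` list, and the commit message ("Update draft-ietf-intarea-proxy-config.md") gives no reason. If the list-ordering advice is intentionally withdrawn, a single sentence stating that a client that cannot evaluate the full exclude lists MUST NOT use the proxy for the affected destinations preserves the safe-failure behaviour, and the commit message should say why the paragraph was dropped.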
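Review bot: in PATCH 6/8, hunk @@ -271,6 +271,12 @@, "Entries that include the wildcard prefix also SHOULD be treated as if they match an FQDN that only contains the string after the prefix" leaves it implementation-dependent whether "example.com" is sent to the proxy when `matchDomains` contains "*.example.com"; for a destination-restriction policy that is an interoperability problem, so use MUST (or MUST NOT) so that every client routes the apex the same way. The new rule also contradicts the sentence just above it, "indicate matching entire domains or subdomains instead of specific hostnames", which should be amended to say the wildcard covers the named domain and everything below it. "This is done to prevent commonly needing to include both" reads better as "This avoids having to list both".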
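Review bot: in PATCH 7/8, hunk @@ -257,7 +257,7 @@, the context line "If a hostname is neither matching an specific entry nor included in the enumerated zones" still reads badly and should be "If a hostname neither matches a specific entry nor falls within an enumerated zone"; since the paragraph is already being edited here, this is the place to fix it.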
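Review bot: in PATCH 8/8, the file header "index 9e5eb02..42ba519" does not chain from the blob produced by PATCH 7/8 ("index 4585bca..7c99fac"), so a commit is missing from the series as posted and `git am` will not apply 8/8 on top of 7/8; resend from a clean `git format-patch` of the branch. The hunk @@ -291,8 +291,8 @@ shows no visible character difference, presumably trailing whitespace, and the commit message "Update draft-ietf-intarea-proxy-config.md" should say so. While touching these lines, the trailing context "to 2048, including the 1024 and 1028" should become "including both 1024 and 2048", and "`matchPorts` in a list of strings" should become "is a list of strings".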