Aminet 31 (1999)(Schatztruhe)[!][Jun 1999].iso / Aminet/comm/www/Lynx282dev24.lha / usr/local/inet/db/inet.access
Text File | 1999-01-23 | 3KB | 82 lines
#
# $Id: inet.access,v 4.6 1994/12/19 03:59:41 ppessi Exp $
#
# Access control list for AmiTCP/IP.
#
# Copyright © 1994 AmiTCP/IP Group,
# Network Solutions Development Inc.
# All rights reserved.
#
#
# Comments are from ';' or '#' to end of line
#
# AmiTCP/IP implements an access control feature similar to `tcpd' inside the
# protocol stack. This means the connection doesn't even get established if it
# is to be denied; the remote end just gets the usual `connection refused'
# error.
#
# NOTE: The access control is functional on the commercial version of the
# AmiTCP/IP only.
#
# When a connection request arrives, the access entry list is searched
# sequentially, line by line, until a match is found. Access entry lines look
# like the following:
#
# <service> <host/mask> <access> [LOG]
#
# It is first checked whether the port the connection is made to matches the
# port given as <service>. The service can be given as a port number, as a
# service name resolved through netdb, or as `*', `@', or `$', meaning check
# the host for every destination port, for every privileged destination port,
# or for every service port listed in netdb, respectively.
#
# If the port matched, the source host's internet address is compared with the
# host value given in the current access entry. A mask can be used to ignore
# some bits when comparing, so that, for example, a whole subnet can be checked
# with only one entry in the access control list. The host value may also carry
# the mask information by having `*' in place of some number in a host value
# given in internet dot notation (see the examples).
#
# A special hostname `$' matches all hosts, except that it does not allow
# source routing. Source routing is also disallowed if the connection matches
# an entry with a specified host.
#
# If the host matched, the next thing to do is to see whether the connection is
# to be accepted or not. If <access> says `allow' the connection is established;
# if it says `deny' the connection request is dropped.
#
# If LOG is written last in the access entry, information on whether the
# connection was accepted or denied, with the corresponding remote host and
# destination port, is written to the syslog.
#
# *Example list
#
# Service Host[/Mask] Access [LOG]
#
# finger 127.1 allow LOG
# * 130.233.*.* allow
# nntp 130.233.0/255.252.0.0 allow LOG
# $ *.*.*.* deny LOG
# * $ allow LOG
#
# The list says that (1) finger queries from the local host are to be allowed
# and logged; (2) all connections from hosts whose addresses start with 130.233
# are to be allowed; (3) hosts in a somewhat wider set of class B networks
# (130.232.0.0 through 130.235.255.255, as selected by the mask 255.252.0.0)
# may access the nntpd server of this host, and these connections are logged;
# (4) connections from any host to any service port listed in netdb are to be
# refused and logged; and (5) connections to the remaining ports are allowed,
# without source routing, and logged. Without line (5) these connections would
# be accepted silently, because accepting is the default when no entry matches.
#
# The last two lines in that example are quite useful. They permit ftp to work,
# since it binds its data transfer socket to a port greater than 1023, while
# effectively denying unwanted hosts access to the normal services. Nonstandard
# services such as netfs and irc are also covered by this access control list,
# as long as they are listed in netdb.
#
# Service Host[/Mask] Access [LOG]
# *** add your entries here ***
# EOF
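The matching rules and the example list above, worked through in code. This is an added example, not code from AmiTCP/IP or from the Lynx archive: it emulates the first-match walk, the `*`, `@` and `$` service selectors, the host/mask and `*` wildcard forms, the BSD-style abbreviated addresses (`127.1`, `130.233.0`), and the silent default accept. The service table is a constructed stand-in for netdb, the sample connections are constructed, and the treatment of source-routed connections (an entry with `$` or a specified host refuses them) is an interpretation of the comments above.

```python
"""Emulation of AmiTCP/IP inet.access matching (added example, not the stack's code)."""
from collections import namedtuple

# Constructed stand-in for the netdb services database (name -> TCP port).
SERVICES = {"ftp": 21, "telnet": 23, "smtp": 25, "finger": 79, "nntp": 119}

Entry = namedtuple("Entry", "service addr mask srcroute_ok allow log text")


def inet_aton(text):
    """Classic BSD inet_aton: one to four dotted fields, the last field filling
    the remaining bytes, so '127.1' is 127.0.0.1 and '130.233.0' is 130.233.0.0."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("bad address: %r" % text)
    value = 0
    for p in parts[:-1]:
        value = (value << 8) | p
    return (value << (8 * (5 - len(parts)))) | parts[-1]


def parse_host(field):
    """Return (addr, mask, srcroute_ok) for a <host/mask> field."""
    if field == "$":                          # every host, source routing refused
        return 0, 0, False
    if "/" in field:                          # explicit host/mask
        host, mask = field.split("/", 1)
        return inet_aton(host), inet_aton(mask), False
    parts = field.split(".")
    if "*" in parts:                          # '*' in place of a field masks it out
        if len(parts) != 4:
            raise ValueError("wildcard form needs four fields: %r" % field)
        addr = mask = 0
        for p in parts:
            addr, mask = addr << 8, mask << 8
            if p != "*":
                addr, mask = addr | int(p), mask | 0xFF
        # Interpretation: only an all-wildcard host (no specified bits) leaves
        # source-routed connections unrestricted.
        return addr, mask, mask == 0
    return inet_aton(field), 0xFFFFFFFF, False


def parse_acl(text):
    """Parse inet.access lines; ';' or '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        log = len(fields) == 4 and fields[3].upper() == "LOG"
        if len(fields) != 3 and not log:
            raise ValueError("bad entry: %r" % raw)
        service, host, access = fields[:3]
        if access.lower() not in ("allow", "deny"):
            raise ValueError("bad access value: %r" % raw)
        addr, mask, srcroute_ok = parse_host(host)
        entries.append(Entry(service, addr, mask, srcroute_ok,
                             access.lower() == "allow", log, line))
    return entries


def service_matches(field, port):
    """<service>: port number, netdb name, or the '*', '@', '$' selectors."""
    if field == "*":
        return True
    if field == "@":
        return port < 1024                    # privileged destination ports
    if field == "$":
        return port in SERVICES.values()      # ports listed in netdb
    if field.isdigit():
        return port == int(field)
    return port == SERVICES[field]


def check(entries, src, port, source_routed=False):
    """First-match walk. Returns (accepted, logged, matched entry text or None)."""
    src = inet_aton(src)
    for e in entries:
        if service_matches(e.service, port) and (src & e.mask) == (e.addr & e.mask):
            accepted = e.allow and (e.srcroute_ok or not source_routed)
            return accepted, e.log, e.text
    return True, False, None                  # no match: accepted silently


# The example list from inet.access, as a constructed input.
EXAMPLE_ACL = """
finger  127.1                   allow LOG
*       130.233.*.*             allow
nntp    130.233.0/255.252.0.0   allow LOG
$       *.*.*.*                 deny  LOG
*       $                       allow LOG
"""

if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_ACL)
    for src, port in [("127.0.0.1", 79), ("130.233.5.6", 119), ("130.234.1.1", 119),
                      ("130.234.1.1", 23), ("130.234.1.1", 4000)]:
        print(src, port, check(acl, src, port))
    # Drop the final '* $ allow LOG' line: the high port now falls through.
    print("without last line:", check(acl[:-1], "130.234.1.1", 4000))
```

The last call is the point of the caveat in the comments above: with the final `* $ allow LOG` entry removed, a connection to port 4000 matches nothing and is accepted with no syslog record, so a list that only contains `deny` entries still leaves every unlisted port open.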