
Access control commands

Access control commands govern which machines are allowed to send packets to the client side of the proxy (rq2pc). The server side of the proxy needs no such list: it ignores any packet that does not come from the server it is relaying to.

Access control commands consist of the keyword global followed by an access control specification of the form:

[allow|deny] address </netmask>
  <from <portfrom> [-|to] <portto> | port port>

where square brackets enclose alternatives of which one must be given, and angle brackets enclose parts that may be omitted.

The [allow|deny] keyword indicates whether hosts matching the address specification that follows are to be allowed or denied access. A packet from host A, sent from port p, matches an ACL command if (address & netmask) == (A & netmask) && (p >= portfrom && p <= portto).

If not given, the netmask is taken to be 255.255.255.255 (so the entry matches the single host address), portfrom is 0 and portto is 65535 (so the entry matches every source port). If port port is specified, portfrom = portto = port.

Examples of ACL commands:

allow 192.168.1.1 port 23-45
allow 192.168.1.2/255.255.255.240 from 23-
allow 192.168.1.3
deny 192.168.1.4 from - 45
allow foo.bar.baz

ACL commands are processed in the order given in the configuration file: the first entry that matches decides the result (allow or deny), and later entries are not consulted. Hence, in a configuration file containing:

allow 192.168.1.1
deny 192.168.1.2/255.255.255.128
allow 192.168.1.24

192.168.1.1 would be allowed, and 192.168.1.2 and 192.168.1.24 denied: 192.168.1.1 matches the first entry before the deny is reached, while 192.168.1.24 lies inside 192.168.1.0 to 192.168.1.127, the range the deny covers, so the later allow for it is never consulted.

If no rules match, the packet is rejected: the default is deny, so a host must be explicitly allowed before the proxy will accept anything from it.
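The matching rule above, the first-match ordering and the default deny, shown together as an added example in Python; this is not the proxy's own code, and its parser makes three assumptions the page does not state: the leading global keyword is treated as optional so the page's bare example lines parse as written, hostnames such as foo.bar.baz are resolved through a constructed table (HOSTS) rather than DNS so the example runs offline, and the spelling port 23-45 used in the page's first example is accepted as the same range as from 23 - 45. It runs the page's own example lists and reports which entry fired for each packet.

```python
"""First-match ACL matcher for the access control syntax described above.

Added example, not the proxy's own code.  Assumptions not stated on the page:
a leading "global" keyword is optional; hostnames are resolved through a
caller-supplied table instead of DNS; "port a-b" is read as "from a - b".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

_PORT_SINGLE = re.compile(r"port\s+(\d+)")
_PORT_RANGE = re.compile(r"(?:from|port)\s*(\d*)\s*(?:-|to)\s*(\d*)")


@dataclass(frozen=True)
class AclRule:
    allow: bool      # True for "allow", False for "deny"
    address: int     # IPv4 address as a 32-bit integer
    netmask: int     # 32-bit netmask; 0xFFFFFFFF (255.255.255.255) when omitted
    portfrom: int    # 0 when omitted
    portto: int      # 65535 when omitted
    text: str        # original line, kept so a trace can show which rule fired

    def matches(self, host: int, port: int) -> bool:
        # The page's condition: (address & netmask) == (A & netmask)
        # && (p >= portfrom && p <= portto)
        return ((self.address & self.netmask) == (host & self.netmask)
                and self.portfrom <= port <= self.portto)


def _no_dns(name: str) -> str:
    raise ValueError(f"cannot resolve {name!r}: no resolver supplied")


def parse_rule(line: str, resolve: Callable[[str], str] = _no_dns) -> AclRule:
    """Parse one access control specification into an AclRule."""
    tokens = line.split()
    if tokens and tokens[0] == "global":         # assumption: prefix is optional here
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] not in ("allow", "deny"):
        raise ValueError(f"bad ACL line: {line!r}")
    addr_text, _, mask_text = tokens[1].partition("/")
    try:
        address = int(ipaddress.IPv4Address(addr_text))
    except ipaddress.AddressValueError:          # not a dotted quad: a hostname
        address = int(ipaddress.IPv4Address(resolve(addr_text)))
    netmask = int(ipaddress.IPv4Address(mask_text)) if mask_text else 0xFFFFFFFF

    portfrom, portto = 0, 65535                  # defaults: every source port
    port_spec = " ".join(tokens[2:])
    if port_spec:
        m = _PORT_SINGLE.fullmatch(port_spec)    # "port N": portfrom = portto = N
        if m:
            portfrom = portto = int(m.group(1))
        else:   # "from a - b", "from a to b", "from a-", "from - b" (and "port a-b")
            m = _PORT_RANGE.fullmatch(port_spec)
            if not m:
                raise ValueError(f"bad port specification in ACL line: {line!r}")
            portfrom = int(m.group(1)) if m.group(1) else 0
            portto = int(m.group(2)) if m.group(2) else 65535
    if not 0 <= portfrom <= portto <= 65535:
        raise ValueError(f"bad port range in ACL line: {line!r}")
    return AclRule(tokens[0] == "allow", address, netmask, portfrom, portto, line.strip())


def load_acl(config: str, resolve: Callable[[str], str] = _no_dns) -> List[AclRule]:
    return [parse_rule(line, resolve) for line in config.splitlines() if line.strip()]


def first_match(rules: List[AclRule], src_ip: str, src_port: int) -> Optional[int]:
    """Index of the first rule matching the packet, or None if no rule matches."""
    host = int(ipaddress.IPv4Address(src_ip))
    for i, rule in enumerate(rules):
        if rule.matches(host, src_port):
            return i
    return None


def decide(rules: List[AclRule], src_ip: str, src_port: int) -> str:
    """'allow' or 'deny' for a packet from src_ip:src_port; unmatched packets are rejected."""
    i = first_match(rules, src_ip, src_port)
    if i is None:
        return "deny"                            # no rule matched: default deny
    return "allow" if rules[i].allow else "deny"


# Constructed hostname table standing in for DNS (the address is hypothetical).
HOSTS = {"foo.bar.baz": "10.0.0.7"}

# The page's list of example ACL commands.
PAGE_EXAMPLES = """\
allow 192.168.1.1 port 23-45
allow 192.168.1.2/255.255.255.240 from 23-
allow 192.168.1.3
deny 192.168.1.4 from - 45
allow foo.bar.baz
"""

# The page's ordering example.
ORDER_EXAMPLE = """\
allow 192.168.1.1
deny 192.168.1.2/255.255.255.128
allow 192.168.1.24
"""

if __name__ == "__main__":
    rules = load_acl(PAGE_EXAMPLES, resolve=lambda name: HOSTS[name])
    for ip, port in [("192.168.1.1", 30), ("192.168.1.1", 10), ("192.168.1.4", 10),
                     ("192.168.1.4", 40), ("10.0.0.7", 1234)]:
        i = first_match(rules, ip, port)
        fired = rules[i].text if i is not None else "(no match: default deny)"
        print(f"{ip}:{port:<5} -> {decide(rules, ip, port):5} via {fired}")
```

Running the trace over the page's first example list shows why ordering deserves a check before a configuration is deployed: the entry deny 192.168.1.4 from - 45 only fires for source ports below 23, because the earlier allow 192.168.1.2/255.255.255.240 from 23- covers 192.168.1.0 to 192.168.1.15 and so already accepts 192.168.1.4 for every port from 23 upwards. A deny that is meant to be unconditional has to precede any allow whose netmask and port range overlap it.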

ACL processing occurs before redirect matching, so an ACL attached to a redirect that admits hosts the global access control commands deny has no effect: such entries are pointless and might as well not exist.


Richard Watts
1998-12-22