The config file is parsed from beginning to end, with the first fully matching line determining whether access is allowed. The config file format is as follows:
    #
    # Format:
    #	{permit, deny} src-addr src-mask [dst-addr dst-mask] [op dst-port]
    #
    # Deny all host to every host finger service
    # deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq finger
    # Deny just lloyd.mips.com finger services to sgi.com
    # deny lloyd.mips.com 0.0.0.0 sgi.com 0.0.0.0 eq finger
    #
    # Allow all host on the 130.62 network access to the world
    # permit 130.62.0.0 0.0.255.255
The leading field, either ``permit'' or ``deny'', states whether access is allowed or disallowed when the remainder of the line matches. Fields two and three are the source address and mask: if the address and the source host number are equal once both are masked, the field is considered to match (i.e. addr & ~mask == sourceaddr & ~mask). Fields four and five are the destination host address and mask, which are matched in the same way as the source host address and mask. The final field is the port number for the socket; it is preceded by the keyword ``eq'' for equal, ``neq'' for not equal, ``lt'' for less than, or ``gt'' for greater than the destination port number (i.e. true if port {eq,gt,neq,lt} destination port). Both the destination hostname and destination port fields are optional.
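The matching rules above, as an added example that is not code from the original program: a small parser and first-match evaluator for this format. It assumes numeric addresses only (no hostname lookup), a constructed service table, that the port test reads as connection-port OP rule-port, and that no matching line yields None, since the text states no default.

```python
import ipaddress
import operator

# Constructed service table (assumption); a real parser would consult /etc/services.
SERVICES = {"finger": 79}
OPS = {"eq": operator.eq, "neq": operator.ne, "lt": operator.lt, "gt": operator.gt}
# Constructed sample rules in the documented format, order is significant.
SAMPLE = """\
deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq finger
permit 130.62.0.0 0.0.255.255   # whole 130.62 network, any destination
"""

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_rules(text):
    """Parse '{permit,deny} src mask [dst mask] [op port]' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] not in ("permit", "deny") or len(f) not in (3, 5, 7):
            raise ValueError("bad rule: " + line)
        rule = {"action": f[0], "src": (ip(f[1]), ip(f[2])), "dst": None, "port": None}
        rest = f[3:]
        if len(rest) >= 2 and rest[0] not in OPS:      # optional dst-addr dst-mask
            rule["dst"] = (ip(rest[0]), ip(rest[1]))
            rest = rest[2:]
        if rest:                                       # optional op dst-port
            if len(rest) != 2 or rest[0] not in OPS:
                raise ValueError("bad rule: " + line)
            port = SERVICES[rest[1]] if rest[1] in SERVICES else int(rest[1])
            rule["port"] = (OPS[rest[0]], port)
        rules.append(rule)
    return rules

def masked_eq(addr, rule_addr, mask):
    # Bits set in the mask are "don't care": addr & ~mask == sourceaddr & ~mask
    keep = ~mask & 0xFFFFFFFF
    return addr & keep == rule_addr & keep

def check(rules, src, dst, dport):
    """Action of the first fully matching rule, or None (assumed: no default is documented).
    The port test is evaluated as connection-port OP rule-port (assumed operand order)."""
    for r in rules:
        if (masked_eq(ip(src), *r["src"])
                and (r["dst"] is None or masked_eq(ip(dst), *r["dst"]))
                and (r["port"] is None or r["port"][0](dport, r["port"][1]))):
            return r["action"]
    return None
```

Swapping the two sample lines makes the permit match first for 130.62 hosts, so the finger deny never applies to them; with first-match evaluation, specific denies belong above broad permits.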