OS/2 Spezial

home *** CD-ROM | disk | FTP | other *** search

/ OS/2 Spezial / SPEZIAL2_97.zip / SPEZIAL2_97.iso / ANWEND / ONLINE / IJB20OS2 / SACLFILE.TXT < prev next >

Wrap

Text File | 1997-09-16 | 4KB | 101 lines

# Access Control List for the Internet Junkbuster 2.0 # # Copyright 1997 Junkbusters Corporation. For distribution, modification and # use under the GNU General Public License. These files come with NO WARRANTY. # See http://www.junkbusters.com/ht/en/gpl.html or the README file for details. # # Note: we provided this feature due to popular demand from ISPs, # please be reminded that the FAQ states that this proxy is not # intended to be a substitute for a firewall or to encourage anyone # to defer addressing basic security weaknesses. # If no access file is provided, the proxy talks to anyone that connects. # If an access file is provided, the proxy talks only to IP addresses # permitted somewhere in this file and not denied later in this file. # # Summary -- if using an ACL: # # Client must have permission to receive service # LAST match in ACL file wins # Default behavior is to deny service # # Syntax for an entry in an Access Control List is: # # ACTION SRC_ADDR[/SRC_MASKLEN] [ DST_ADDR[/DST_MASKLEN] ] # # where the fields are # # ACTION = "permit" | "deny" # # SRC_ADDR = client hostname or dotted IP address # SRC_MASKLEN = number of bits in the subnet mask for the source # # DST_ADDR = server or forwarder hostname or dotted IP address # DST_MASKLEN = number of bits in the subnet mask for the target # # field separator (FS) is whitespace (space or tab) # # IMPORTANT NOTE # ============== # If the junkbuster is using a forwarder or a gateway for a particular # destination URL, the DST_ADDRR that is examined is the address of # the forwarder or the gateway and NOT the address of the ultimate target. # This is necessary because it may be impossible for the local # junkbuster to determine the address of the ultimate target # (that's often what gateways are used for). # # Here are a few examples to show how the ACL works: # localhost is OK -- no DST_ADDR implies that ALL destination addresses are OK # permit localhost # a silly example to illustrate: # # permit any host on the class-C subnet with junkbusters to go anywhere # # permit www.junkbusters.com/24 # # except deny one particular IP address from using it at all # # deny ident.junkbusters.com # another example # # you can specify an explicit network address and subnet mask # explict addresses do not have to be resolved to be used. # # permit 207.153.200.0/24 # a subnet mask of 0 matches anything, so the next line permits everyone. # # permit 0.0.0.0/0 # Note: you cannot say # # permit .org # # to allow all .org domains; every IP-address listed must resolve fully. # An ISP may want to provide a junkbuster that is accessible by "the world" # and yet restrict use of some of their private content to hosts on its # internal network (i.e. its own subscribers). Say, for instance the # ISP owns the Class-B IP address block 123.124.0.0 (a 16 bit netmask). # This is how they could do it: # permit 0.0.0.0/0 0.0.0.0/0 # other clients can go anywhere # with the following exceptions: # # deny 0.0.0.0/0 123.124.0.0/16 # block all external requests for # sites on the ISP's network # # permit 0.0.0.0/0 www.my_isp.com # except for the ISP's main web site # # permit 123.124.0.0/16 0.0.0.0/0 # the ISP's clients can go anywhere # Note that some hostnames may be listed with multiple IP addresses, # the primary value returned by gethostbyname() is used. #