home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
OS/2 Spezial
/
SPEZIAL2_97.zip
/
SPEZIAL2_97.iso
/
ANWEND
/
ONLINE
/
IJB20OS2
/
SACLFILE.TXT
< prev
next >
Wrap
Text File
|
1997-09-16
|
4KB
|
101 lines
# Access Control List for the Internet Junkbuster 2.0
#
# Copyright 1997 Junkbusters Corporation. For distribution, modification and
# use under the GNU General Public License. These files come with NO WARRANTY.
# See http://www.junkbusters.com/ht/en/gpl.html or the README file for details.
#
# Note: we provided this feature due to popular demand from ISPs,
# please be reminded that the FAQ states that this proxy is not
# intended to be a substitute for a firewall or to encourage anyone
# to defer addressing basic security weaknesses.
# If no access file is provided, the proxy talks to anyone that connects.
# If an access file is provided, the proxy talks only to IP addresses
# permitted somewhere in this file and not denied later in this file.
#
# Summary -- if using an ACL:
#
# Client must have permission to receive service
# LAST match in ACL file wins
# Default behavior is to deny service
#
# Syntax for an entry in an Access Control List is:
#
# ACTION SRC_ADDR[/SRC_MASKLEN] [ DST_ADDR[/DST_MASKLEN] ]
#
# where the fields are
#
# ACTION = "permit" | "deny"
#
# SRC_ADDR = client hostname or dotted IP address
# SRC_MASKLEN = number of bits in the subnet mask for the source
#
# DST_ADDR = server or forwarder hostname or dotted IP address
# DST_MASKLEN = number of bits in the subnet mask for the target
#
# field separator (FS) is whitespace (space or tab)
#
# IMPORTANT NOTE
# ==============
# If the junkbuster is using a forwarder or a gateway for a particular
# destination URL, the DST_ADDRR that is examined is the address of
# the forwarder or the gateway and NOT the address of the ultimate target.
# This is necessary because it may be impossible for the local
# junkbuster to determine the address of the ultimate target
# (that's often what gateways are used for).
#
# Here are a few examples to show how the ACL works:
# localhost is OK -- no DST_ADDR implies that ALL destination addresses are OK
# permit localhost
# a silly example to illustrate:
#
# permit any host on the class-C subnet with junkbusters to go anywhere
#
# permit www.junkbusters.com/24
#
# except deny one particular IP address from using it at all
#
# deny ident.junkbusters.com
# another example
#
# you can specify an explicit network address and subnet mask
# explict addresses do not have to be resolved to be used.
#
# permit 207.153.200.0/24
# a subnet mask of 0 matches anything, so the next line permits everyone.
#
# permit 0.0.0.0/0
# Note: you cannot say
#
# permit .org
#
# to allow all .org domains; every IP-address listed must resolve fully.
# An ISP may want to provide a junkbuster that is accessible by "the world"
# and yet restrict use of some of their private content to hosts on its
# internal network (i.e. its own subscribers). Say, for instance the
# ISP owns the Class-B IP address block 123.124.0.0 (a 16 bit netmask).
# This is how they could do it:
# permit 0.0.0.0/0 0.0.0.0/0 # other clients can go anywhere
# with the following exceptions:
#
# deny 0.0.0.0/0 123.124.0.0/16 # block all external requests for
# sites on the ISP's network
#
# permit 0.0.0.0/0 www.my_isp.com # except for the ISP's main web site
#
# permit 123.124.0.0/16 0.0.0.0/0 # the ISP's clients can go anywhere
# Note that some hostnames may be listed with multiple IP addresses,
# the primary value returned by gethostbyname() is used.
#