crossroads

Git mirror of https://crossroads.e-tunity.com/
git clone git://git.finwo.net/app/crossroads

allow.yo (3160B)

conf(allow* and deny* - Allowing or denying connections)
    (Crossroads can allow or deny
     connections based on the IP address of a client. There are four
     directives that are relevant: tt(allowfrom), tt(allowfile),
     tt(denyfrom) and tt(denyfile). When using tt(allowfrom) and
     tt(denyfrom), the IP addresses to allow or deny connections from are
     stated in tt(/etc/crossroads.conf).

     When tt(allow*) directives are used, all connections are denied
     unless they match the stated allowed IPs. When tt(deny*) directives
     are used, all connections are allowed unless they match the
     stated disallowed IPs. When both denying and allowing are used,
     Crossroads checks the deny list first.

     The statements tt(allowfrom) and tt(denyfrom) are followed by a
     list of filter specifications. The statements tt(allowfile) and
     tt(denyfile) are followed by a filename; Crossroads will read
     filter specifications from those external files. In both cases,
     Crossroads obtains filter specifications and places them in its
     lists of allowed or denied IP addresses. The difference between
     specifying filters in tt(/etc/crossroads.conf) or in external
     files is that Crossroads will reload the external files when it
     receives signal 1 (tt(SIGHUP)), as in tt(killall -1 crossroads).

     The filter specifications must obey the following syntax: a
     specification consists of up to four numbers ranging from 0 to 255,
     separated by a dot. Optionally a slash follows, with a bitmask that
     is also a decimal number.

     This is probably best explained by a few examples:

     itemization(
        it() tt(allowfrom 10/8;) will allow connections from
        tt(10.*.*.*) (a full Class A network). The mask tt(/8) means
        that the first 8 bits of the number (i.e., only the tt(10)) are
        significant. On the last 3 positions of the IP address, all
        numbers are allowed. Given this directive, client connections
        from e.g. 10.1.1.1 and 10.2.3.4 will be allowed.

        it() tt(allowfrom 10.3/16;) will allow all IP addresses that
        start with tt(10.3).

        it() tt(allowfrom 10.3.1/16;) is the same as above. The third
        byte of the IP address is superfluous because the netmask
        specifies that only the first 16 bits (2 numbers) are taken
        into account.

        it() tt(allowfrom 10.3.1.15;) allows traffic from only the
        specified IP address. There is no bitmask; all four numbers
        are relevant.

        it() tt(allowfrom 10.3.1.15 10.2/16;) allows traffic from one
        IP address tt(10.3.1.15) or from a complete Class B network
        tt(10.2.*.*).

        it() tt(allowfile /tmp/myfile.txt;) in combination with a file
        tt(/tmp/myfile.txt), with the contents tt(10.3.1.15 10.2/16),
        is the same as above.))
    (itemization(
	it() tt(allowfrom) em(filter-specification(s))
	it() tt(denyfrom)  em(filter-specification(s))
	it() tt(allowfile)  em(filename)
	it() tt(denyfile)  em(filename)))
    (In the absence of these statements, all client IPs are accepted.)
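The following is an added reference implementation of the filter-specification syntax and the allow/deny evaluation order described in the file above; it is example code written for this page, not code from the Crossroads project. It parses specifications such as tt(10/8), tt(10.3.1/16) and tt(10.3.1.15), applies the deny-list-first rule, and treats the contents of an allowfile/denyfile as whitespace-separated specifications. Two points the text leaves open are taken as labelled assumptions: a specification with no slash treats every octet actually written as significant (so tt(10.3.1.15) is a single host and a bare tt(10.3) would mean tt(/16)), and when both lists are present, a client matching neither list is refused because an allow list is in effect. The `AccessPolicy`, `parse_spec` and `is_valid_spec` names are this example's own.

```python
"""Reference parser for Crossroads-style allow/deny filter specifications.

Added example, not Crossroads project code. Implements the syntax from the
allow.yo text: 1 to 4 dotted numbers in 0..255 with an optional /bits mask.
Semantic choices the text leaves open are marked ASSUMPTION below.
"""
import ipaddress
import re

# up to four 1-3 digit groups joined by dots, optionally followed by /bits
_SPEC_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){0,3})(?:/(\d{1,2}))?$")


def parse_spec(spec: str) -> ipaddress.IPv4Network:
    """Turn one filter specification such as '10.3.1/16' into an IPv4 network."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad filter specification: {spec!r}")
    octets = [int(o) for o in m.group(1).split(".")]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {spec!r}")
    if m.group(2) is not None:
        bits = int(m.group(2))
        if bits > 32:
            raise ValueError(f"mask must be 0..32 in {spec!r}")
    else:
        # ASSUMPTION: with no mask, every octet that was written is
        # significant (10.3.1.15 -> /32, a bare 10.3 -> /16).
        bits = 8 * len(octets)
    octets += [0] * (4 - len(octets))          # omitted trailing octets are zero
    addr = ".".join(str(o) for o in octets)
    # strict=False discards host bits the mask declares irrelevant,
    # so 10.3.1/16 becomes 10.3.0.0/16 exactly as the text explains.
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def is_valid_spec(spec: str) -> bool:
    """True when parse_spec() accepts the specification."""
    try:
        parse_spec(spec)
        return True
    except ValueError:
        return False


def parse_specs(text: str) -> list:
    """Parse whitespace-separated specifications (e.g. an allowfile's contents)."""
    return [parse_spec(tok) for tok in text.split()]


class AccessPolicy:
    """Allow and deny lists evaluated in the order the text describes."""

    def __init__(self) -> None:
        self.allow = []
        self.deny = []

    def add_directive(self, line: str) -> None:
        """Consume one 'allowfrom ...;' or 'denyfrom ...;' configuration line."""
        keyword, _, rest = line.strip().rstrip(";").partition(" ")
        if keyword == "allowfrom":
            self.allow += parse_specs(rest)
        elif keyword == "denyfrom":
            self.deny += parse_specs(rest)
        else:
            raise ValueError(f"unsupported directive: {keyword!r}")

    # ASSUMPTION: the allowfile/denyfile directives name a file on disk;
    # here the caller passes the file's text so the example runs offline.
    def load_allowfile(self, text: str) -> None:
        self.allow += parse_specs(text)

    def load_denyfile(self, text: str) -> None:
        self.deny += parse_specs(text)

    def permits(self, client_ip: str) -> bool:
        """Decide whether a client address may connect."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.deny):  # deny list is checked first
            return False
        if self.allow:                            # allow* in use: default deny
            # ASSUMPTION: this default-deny also applies when deny* is present
            return any(ip in net for net in self.allow)
        return True                               # no allow list: everyone accepted


if __name__ == "__main__":
    # Constructed configuration mirroring the text's last two examples.
    policy = AccessPolicy()
    policy.load_allowfile("10.3.1.15 10.2/16")   # constructed allowfile contents
    for client in ("10.3.1.15", "10.2.200.7", "10.3.1.16"):
        print(client, "allowed" if policy.permits(client) else "denied")
```

Running the block shows tt(10.3.1.15) and tt(10.2.200.7) allowed and tt(10.3.1.16) denied, which is the behaviour the text ascribes to `allowfrom 10.3.1.15 10.2/16;`. Because the allowfile contents are parsed with the same routine as an `allowfrom` line, the two ways of stating a filter produce identical lists; the only operational difference the text names, the tt(SIGHUP) reload, is outside what this example models.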