campus - FTP-server for BeOS®
Access configuration
Beginning with release 3.0, campus can allow and deny access from other
hosts based on the IP address and/or the hostname of the remote host. To do
this, a new configuration option is introduced, using the IP keyword.
There are two possible formats for this command:
IP Connect Deny|Allow Host|Hosts <list of hosts>
IP Connect Deny|Allow Network <network> Netmask <netmask>
Important notes:
- By default all accesses are allowed.
- If hostname resolving is disabled, only IP masks can be used to control
access!
- The Connect keyword must always be present, although currently
it does not seem to be necessary. This is because future releases of
campus will have more options in the IP configuration.
The configuration of IP restriction is similar to that of the file
access. The lines either deny or allow access for the given argument
(see below for an explanation of possible masks) and are applied from
top to bottom whenever a user connects to the system.
Examples
The easiest way to explain the possible host and IP masks is by example:
- IP Connect Deny Hosts *
This line denies access for all machines, even the machine on
which campus is running.
- IP Connect Allow Host 127.0.0.1
This line allows access for the local machine. The IP address
of the connecting machine has to match the given address exactly.
- IP Connect Allow Hosts *.be.com
Here all machines that are in the domain be.com are allowed to connect.
Remember that for this to work you have to enable the resolving of hostnames!
- IP Connect Allow Network 10.0.0.0 Netmask 255.0.0.0
In this case a binary AND of the IP address of the host making the incoming
request and the Netmask is performed. The result is compared to the
Network argument. If it matches, access is allowed or denied depending
on the type of the IP line.
Notes:
- The keywords Host and Hosts are equivalent; you can use either
of them in your IP lines.
- You can specify multiple hosts by separating them with commas.
To get a bit more practical, here is an example of a configuration for the
following situation:
- The machine is connected to a local network with IP addresses 192.168.1.x
- The machine is connected to the internet on an arbitrary address
- Connections from the local network are allowed; from the internet, only
certain machines will be allowed to access the server.
The IP access part of the configuration will look like this:
IP Connect Deny Hosts *
IP Connect Allow Hosts 192.168.1.*
or
IP Connect Allow Network 192.168.1.0 Netmask 255.255.255.0
IP Connect Allow Hosts *.be.com
Normally you won't need many lines in the access configuration
unless you plan to allow or deny access to your machine on a per-address
basis. But keep in mind that, because the configuration is reloaded
automatically, you can deny access for a specific machine on the fly,
for example if you spot a denial-of-service attack from it.
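The evaluation described on this page, as an added Python example (not part of campus or its documentation). It assumes that the last matching line decides, which the Deny-then-Allow example implies, that keywords are case-insensitive, and that host masks are compared against the IP address and, when resolving is enabled, the hostname; the addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration in the page's syntax.
SAMPLE_CONFIG = """\
IP Connect Deny Hosts *
IP Connect Allow Network 192.168.1.0 Netmask 255.255.255.0
IP Connect Allow Hosts *.be.com,127.0.0.1
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_rules(text):
    """Parse 'IP Connect ...' lines into (allow, kind, args) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split(None, 4)
        if len(tok) < 5 or [t.lower() for t in tok[:2]] != ["ip", "connect"]:
            continue
        allow, kind = tok[2].lower() == "allow", tok[3].lower()
        if kind in ("host", "hosts"):  # the two keywords are equivalent
            rules.append((allow, "hosts",
                          [m.strip().lower() for m in tok[4].split(",")]))
        elif kind == "network":
            net, _netmask_kw, mask = tok[4].split()
            rules.append((allow, "network", (to_int(net), to_int(mask))))
    return rules

def mask_matches(mask, value):
    """Host mask match; '*' is the only wildcard (assumption)."""
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.fullmatch(pattern, value) is not None

def is_allowed(rules, ip, hostname=None):
    """hostname=None models disabled hostname resolving."""
    allowed = True  # by default all accesses are allowed
    names = [ip] + ([hostname.lower()] if hostname else [])
    for allow, kind, args in rules:
        if kind == "hosts":
            hit = any(mask_matches(m, n) for m in args for n in names)
        else:  # binary AND of address and netmask, compared to network
            hit = (to_int(ip) & args[1]) == args[0]
        if hit:
            allowed = allow  # assumption: the last matching line wins
    return allowed

RULES = parse_rules(SAMPLE_CONFIG)
print(is_allowed(RULES, "192.168.1.23"), is_allowed(RULES, "203.0.113.9"))
```

Passing no hostname models disabled hostname resolving: the *.be.com line then never matches, and such clients stay denied by the first line.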
Copyright © 1997-2002 Stegemann & Co., Inc., All Rights reserved.
Created: May 7, 2000. Last modified: January 12, 2002.