Lines Matching +full:host +full:- +full:only
3 hosts_access \- format of host access control files
6 based on client (host name/address, user name), and server (process
7 name, host name/address) patterns. Examples are given at the end. The
13 program build time by building with -DPROCESS_OPTIONS.
17 a host requesting service. Network daemon process names are specified
31 A non-existing access control file is treated as if it were an empty
57 of one or more host names, host addresses, patterns or wildcards (see
58 below) that will be matched against the client host name or address.
60 The more complex forms \fIdaemon@host\fR and \fIuser@host\fR are
72 A string that begins with a `.\' character. A host name is matched if
74 example, the pattern `.tue.nl\' matches the host name
77 A string that ends with a `.\' character. A host address is matched if
79 pattern `131.155.\' matches the address of (almost) every host on the
83 (formerly YP) netgroup name. A host name is matched if it is a host
88 `net/mask\' pair. A host address is matched if `net\' is equal to the
94 `[net]/prefixlen\' pair. An IPv6 host address is matched if
101 name. A host name or address is matched if it matches any host name
103 zero or more lines with zero or more host name or address patterns
105 a host name or address pattern can be used.
111 Matches any host whose name does not contain a dot character.
113 Matches any user whose name is unknown, and matches any host whose name
115 host names may be unavailable due to temporary name server problems. A
119 Matches any user whose name is known, and matches any host whose name
121 host names may be unavailable due to temporary name server problems. A
125 Matches any host whose name does not match its address. When tcpd is
126 built with -DPARANOID (default mode), it drops requests from such
128 without -DPARANOID when you want more control over such requests.
141 If the first-matched access control rule contains a shell command, that
157 The client (server) host address.
159 Client information: user@host, user@address, a host name, or just an
164 The client (server) host name or address, if the host name is
167 The client (server) host name (or "unknown" or "paranoid").
171 Server information: daemon@host, daemon@address, or just a daemon name,
196 The host_pattern obeys the same syntax rules as host names and
198 is available only with connection-oriented services.
200 When the client host supports the RFC 931 protocol or one of its
203 information, when available, is logged together with the client host
210 rule-driven username lookups (default) or to always interrogate the
211 client host. In the case of rule-driven username lookups, the above
212 rule would cause username lookup only when both the \fIdaemon_list\fR
221 ALL and (UN)KNOWN are the only user name patterns that make sense.
223 Username lookups are possible only with TCP-based services, and only
224 when the client host runs a suitable daemon; in all other cases the
227 A well-known UNIX kernel bug may cause loss of service when username
231 Username lookups may cause noticeable delays for non-UNIX users. The
247 service can be used to detect such and other host address spoofing
252 When the client host provides IDENT service, a negative IDENT lookup
253 result (the client matches `UNKNOWN@host') is strong evidence of a host
256 A positive IDENT lookup result (the client matches `KNOWN@host') is
274 The examples use host and domain names. They can be improved by
278 In this case, access is denied by default. Only explicitly authorized
303 in the host name) and from members of the \fIsome_netgroup\fP
308 Here, access is granted by default; only explicitly specified hosts are
312 that it can be omitted. The explicitly non-authorized hosts are listed
317 ALL: some.host.name, .some.domain
319 ALL EXCEPT in.fingerd: other.host.name, .other.domain
327 host. The result is mailed to the superuser.
339 in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
340 /usr/ucb/mail -s %d-%h root) &
343 The safe_finger command is intended for use in back-fingering and should be
348 The expansion of the %h (client host) and %d (service name) sequences
351 Warning: do not booby-trap your finger daemon, unless you are prepared
355 The typical network firewall only provides a limited set of services to
357 tftp example. The result is an excellent early-warning system.
361 An error is reported when a syntax error is found in a host access
385 If a name server lookup times out, the host name will not be available
386 to the access control software, even though the host is registered.