[nos-bbs] Access controls

Barry Siegfried k2mf at k2mf.ampr.org
Wed Apr 9 14:52:32 EDT 2008


["(Skip) K8RRA" <k8rra at ameritech.net> wrote]:

> My best information is that an "access.rc" file defines access controls
> for jnos.  I see "ip access" and "tcp access" commands I believe may be
> deprecated.  I see some #define(s) related to access control in
> config.h.  That's about it.
>
> Set me straight?

Neither the "access" commands nor their functionality is deprecated.
They are extremely useful for filtering packets.  In fact, the "access"
command suite has been expanded by some to include "udp access" as
well.

> Point me to a valid descriptive document on some site?

I can't direct you to a site, but here is some cut and pasted "help"
from old JNOS ip.hlp and tcp.hlp files, respectively:

     ip access <delete,deny,ignore,permit> <protocol>
        <src ip addr>[/<bits>] <dest ip addr>[/<bits>]
        <interface> [low port] [high port]

     Display or set IP access controls.  Controls packet routing
via <interface> and determines which source IP addresses <src ip
addr> can route to which destination ip addresses <dest ip addr>.
The default is to permit all sources to access all destinations,
until the first IP access command is entered, at which point all
routes via <interface> are denied unless specifically permitted by
subsequent IP access commands.

     Execution of this subcommand will add or delete an access
control entry in an internal table.  Entries are scanned for an
<interface> match, and then in the order they were added, to
determine if access will be granted.  Access will be granted only
if an entry matching <dest ip addr> and <src ip addr> is found
with 'permit' set before a match with 'deny' set, or no match is
found.  The optional /<bits> suffix to the IP addresses specifies
how many leading bits in the IP address are to be considered sig-
nificant in the routing comparisons.  If not specified, 32 bits
(i.e., full significance) is assumed.  Access can be made protocol
dependent via the <proto> parameter.  <proto> may be 'a' for any,
't' for TCP, 'u' for UDP, 'i' for ICMP, or the IP protocol number.
For UDP and TCP protocols, <low port> and <high port> specify the
port or range of TCP or UDP ports for which the access control com-
mand applies.  If none or all is specified, all ports are assumed.

     'ip access' will display the table of current access control
entries.  Access commands should be entered from the most specific
to the least specific, since the first match (permit or deny)
encountered for a given interface in the internal table is
returned.

     >> Example:

        # Allow a specific AMPRnet host access to the internet
        ip access permit any 44.76.1.199 all eth0

        # But deny all others except DNS/Ping (UDP) access
        ip access permit udp 44/24 all eth0 all

        # Permit only AMPRnet hosts access to RF port
        ip access permit any 44/24 44/24 2m

     tcp access <delete,deny,ignore,permit> <ip addr>[/<bits>]
         [low port] [high port]

     Display or set TCP access controls, which determine which
TCP services (ports) are accessible to which IP addresses.  The
default is to permit all hosts to access all ports, until the
first TCP access command is entered, at which point all other
ports and addresses are denied unless specifically permitted
by subsequent 'tcp access' commands.

     This subcommand adds or deletes an access control entry
maintained in an internal table.  Entries are scanned in the
order that they were added, to determine if access will be
granted.  Access is granted only if an entry with matching
<ip addr> or range, and ports, is found with 'permit' set
before a match with 'deny' or no match is found.

     The optional /bits suffix to the <ip addr> specifies how
many leading bits in the <ip addr> are to be considered signi-
ficant in the IP address comparisons.  If not specified, 32 bits
(i.e., full significance) is assumed.  All addresses can be speci-
fied by "all".  <low port> and <high port> specify the port or
range of TCP ports for which the access control command applies.
If no port range is specified, all ports are assumed, i.e., 1 to
65534.

     "tcp access" will display the table of current access con-
trol entries.  Access commands should be entered from the most
specific <ip addr> to the least specific, since the first match
(permit or deny) encountered in the internal table is returned.

     >> Example:

        # Allow a specific AMPRnet host SMTP access
        tcp access permit 44.76.1.199 25

        # But deny all other services to him
        tcp access deny 44.76.1.199

        # Allow all other AMPRnet hosts full access to TCP
        # services
        tcp access permit 44.76.1/24 all

        # Allow a specific subnet access to ports 1 through 25,
        # which includes echo, discard, ftp, telnet, and smtp.
        tcp access permit 23.1.46/24 1 25

        # Note that all other hosts not matched above, are denied
        # access

I hope that helps you, Skip.

73, de Barry, K2MF >>
           o
          <|>      Barry Siegfried
+---------/-\---------------------------+
| Internet | bgs at mfnos.net              |
| HomePage | http://www.mfnos.net/~bgs  |
+----------+----------------------------+
| Amprnet  | k2mf at k2mf.ampr.org         |
| PBBS     | k2mf at k2ge.#cnj.nj.usa.noam |
+----------+----------------------------+
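
Added example (not part of the original message, and not JNOS source code): a small Python model of the 'tcp access' table as the help text describes it, run against the four example entries above to show why entry order matters. The function names, the zero-padding of partial addresses such as 44.76.1, and the treatment of a single port number as a one-port range are assumptions; the 'ignore' action is not modelled.

```python
# Simplified model of the 'tcp access' table; not JNOS source code.
ALL_PORTS = (1, 65534)  # "all ports" as stated in the help text


def parse_addr(spec):
    """Return (network, mask) for 'all' or '<ip addr>[/<bits>]'."""
    if spec == "all":
        return 0, 0
    addr, _, bits = spec.partition("/")
    octets = [int(o) for o in addr.split(".")]
    octets += [0] * (4 - len(octets))  # assumption: 44.76.1 means 44.76.1.0
    nbits = int(bits) if bits else 32  # default: full significance
    mask = (0xFFFFFFFF << (32 - nbits)) & 0xFFFFFFFF
    return int.from_bytes(bytes(octets), "big") & mask, mask


def parse_rule(line):
    """Parse 'tcp access <permit|deny> <ip addr>[/<bits>] [low port] [high port]'."""
    action, addr, *ports = line.split()[2:]
    if not ports or ports[0] == "all":
        low, high = ALL_PORTS
    else:
        low = int(ports[0])
        high = int(ports[1]) if len(ports) > 1 else low  # assumption: one port = that port only
    return action, parse_addr(addr), low, high


def allowed(table, src, port):
    """First matching entry decides; empty table permits, no match denies."""
    if not table:
        return True
    ip, _ = parse_addr(src)
    for action, (net, mask), low, high in table:
        if ip & mask == net and low <= port <= high:
            return action == "permit"
    return False


PAGE_RULES = [parse_rule(r) for r in (
    "tcp access permit 44.76.1.199 25",
    "tcp access deny 44.76.1.199",
    "tcp access permit 44.76.1/24 all",
    "tcp access permit 23.1.46/24 1 25",
)]
# Constructed variant: first two entries swapped, so the broad deny is hit first.
SWAPPED = [PAGE_RULES[1], PAGE_RULES[0]] + PAGE_RULES[2:]

if __name__ == "__main__":
    print(allowed(PAGE_RULES, "44.76.1.199", 25), allowed(SWAPPED, "44.76.1.199", 25))
```

With the entries in the order given above, 44.76.1.199 reaches port 25 and nothing else; with the first two swapped, the deny entry matches first and SMTP from that host is refused as well.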
