Help for FTP and Telnet Access Control Entry Format


The format of the FTP and Telnet access control entries is a subset of the format used in the TCP Wrappers /etc/hosts.allow configuration file. The following is a summary of the possible entry formats. Refer to the documentation for the TCP Wrappers service (tcpd), in particular the hosts_access(5) manual page, for more information.

The general format of an entry is either 'client_identifier' or 'client_identifier EXCEPT client_identifier'. In the second form, a host that matches the first client_identifier is still refused if it also matches the second. The FTP and Telnet Access pages accept either form.

If you choose to use hostnames in an entry, use fully-qualified hostnames. For example, use foo.example.com, not foo.

Attention: the appliance identifies a connecting host by resolving its IP address back to a host name. If you try to block access based on host names and that lookup fails (for example because DNS is unavailable), the host is not recognized and the appliance allows access. It is safer to allow access only to specified hosts than to try to block some hosts.

For example, the rule ALL EXCEPT foo.example.com allows all hosts except foo.example.com. But if the appliance cannot resolve the connecting host's address to the name foo.example.com, the host is not recognized as foo.example.com, matches ALL, and is able to connect.

On the other hand, the rule .ibm.com allows only hosts whose names resolve into the ibm.com domain. If the appliance cannot resolve a connecting host's address to a name in ibm.com, that host is refused, and if name resolution fails entirely, no host can connect. Depending on your security needs, this may be the safer way for the control to fail. Patterns based on IP addresses or network addresses (see below) do not depend on name resolution at all.

The format of the client_identifier is pattern [, pattern [, pattern]] -- that is, a list of one or more patterns, separated by commas or spaces.

The format of each pattern is as follows:

'a.b.c.d' (IP address)
    The IP address of a specific host. Matches the remote system (host) with exactly this IP address.

'a.', 'a.b.' or 'a.b.c.' (partial IP address)
    Matches any host whose IP address begins with the specified partial address. The partial address can be one, two, or three bytes (for example, '192.168.' matches any system with an IP address of 192.168.x.x). A partial IP address pattern must end with '.'.

'name' or 'name.domain' (host name)
    The host name of a specific host. Matches the remote system (host) whose address resolves to this host name.

'.domainname' (domain name)
    Matches any host whose host name ends with the specified domain name (for example, '.ibm.com' matches any system with a host name ending in '.ibm.com'). A domain name pattern must begin with '.'.

'a.b.c.d/w.x.y.z' (network address)
    'a.b.c.d' is the network address and 'w.x.y.z' is the network mask. Matches any host within the subnet defined by the network address: the appliance applies the mask to the IP address of the requesting system, and the system matches if the result equals the network address.

KNOWN (known hosts)
    A wildcard that matches any host whose name can be resolved using DNS.

UNKNOWN (unknown hosts)
    A wildcard that matches any host whose name cannot be resolved using DNS. Note that KNOWN and UNKNOWN depend on name service being available: a host that is normally KNOWN becomes UNKNOWN while its name server is unreachable.

LOCAL (local hosts)
    A wildcard that matches any host whose host name does not contain a dot.

PARANOID (spoofed hosts)
    A wildcard that matches any host whose host name does not resolve back to its IP address (that is, the host name appears to be spoofed).

ALL (all hosts)
    A wildcard that matches all hosts. Usually used to grant access to all hosts in the network, or combined with EXCEPT to refuse specific hosts.
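The following Python matcher is an added example, not the appliance's or tcpd's own code. It implements the entry format ('client_identifier [EXCEPT client_identifier]', patterns separated by commas or spaces) and every pattern type listed above, and it reproduces the failure behaviour described earlier: a name-based exception fails open when the connecting address cannot be resolved, while a domain or address pattern fails closed. The DNS tables, client addresses and helper names (parse_entry, pattern_matches, client_allowed) are constructed for the example and are not part of the appliance.

```python
"""Matcher for FTP/Telnet access-control entries in the TCP Wrappers subset
described on this page.  Added example: the rules follow the page text, while
the in-memory DNS tables, the client model (address plus reverse-resolved
name) and the function names are assumptions made for the demonstration."""
import ipaddress
import re

WILDCARDS = {"ALL", "KNOWN", "UNKNOWN", "LOCAL", "PARANOID"}


def parse_entry(entry):
    """Split 'client_identifier [EXCEPT client_identifier]' into two pattern
    lists: (patterns that grant access, patterns that take it away again).
    Patterns inside an identifier are separated by commas or whitespace."""
    parts = re.split(r"\s+EXCEPT\s+", entry.strip(), maxsplit=1, flags=re.IGNORECASE)
    split = lambda s: [p for p in re.split(r"[\s,]+", s.strip()) if p]
    allow = split(parts[0])
    deny = split(parts[1]) if len(parts) == 2 else []
    return allow, deny


def is_ip_pattern(pattern):
    """'a.b.c.d', partial 'a.b.' and 'a.b.c.d/w.x.y.z' contain only digits,
    dots and at most one slash; anything else is a host or domain name."""
    return re.fullmatch(r"[0-9.]+(/[0-9.]+)?", pattern) is not None


def pattern_matches(pattern, ip, name, spoofed):
    """True if one pattern matches a client with address `ip`, whose reverse
    lookup gave `name` (None when the lookup failed) and whose name did not
    resolve back to `ip` when `spoofed` is set (tcpd's PARANOID condition)."""
    upper = pattern.upper()
    if upper in WILDCARDS:
        if upper == "ALL":
            return True
        if upper == "KNOWN":
            return name is not None and not spoofed
        if upper == "UNKNOWN":
            return name is None
        if upper == "LOCAL":
            return name is not None and not spoofed and "." not in name
        return spoofed  # PARANOID: name and address disagree
    if is_ip_pattern(pattern):
        if "/" in pattern:
            # 'a.b.c.d/w.x.y.z': mask the client address, compare to the network
            net, mask = pattern.split("/", 1)
            client = int(ipaddress.IPv4Address(ip))
            masked = client & int(ipaddress.IPv4Address(mask))
            return masked == int(ipaddress.IPv4Address(net))
        if pattern.endswith("."):
            return ip.startswith(pattern)  # partial address such as '192.168.'
        return ip == pattern  # exact address
    if name is None or spoofed:
        return False  # an unresolved or spoofed client never matches a name pattern
    if pattern.startswith("."):
        return name.lower().endswith(pattern.lower())  # '.domain' suffix
    return name.lower() == pattern.lower()  # exact host name


def client_allowed(entry, ip, dns):
    """Evaluate one entry for a connecting client.  `dns` holds a 'reverse'
    (ip -> name) and a 'forward' (name -> ip) table; a missing reverse record
    models a failed lookup, as when the name server is unreachable."""
    name = dns["reverse"].get(ip)
    spoofed = name is not None and dns["forward"].get(name) != ip
    allow, deny = parse_entry(entry)
    hit = lambda pats: any(pattern_matches(p, ip, name, spoofed) for p in pats)
    return hit(allow) and not hit(deny)


# Constructed DNS data for the demonstration; no real lookups are made.
DNS_OK = {
    "reverse": {"203.0.113.10": "foo.example.com",
                "192.0.2.7": "host1.ibm.com",
                "10.1.1.1": "printer",
                "198.51.100.5": "foo.example.com"},  # PTR claims a name it does not own
    "forward": {"foo.example.com": "203.0.113.10",
                "host1.ibm.com": "192.0.2.7",
                "printer": "10.1.1.1"},
}
# The same clients while the name server is unreachable: every lookup fails.
DNS_DOWN = {"reverse": {}, "forward": {}}

if __name__ == "__main__":
    for entry in ("ALL EXCEPT foo.example.com", "ALL EXCEPT 203.0.113.10", ".ibm.com"):
        for label, dns in (("DNS ok", DNS_OK), ("DNS down", DNS_DOWN)):
            for ip in ("203.0.113.10", "192.0.2.7"):
                print(f"{entry!r:30} {label:8} {ip:14} -> {client_allowed(entry, ip, dns)}")
```

Running the block prints the decision matrix: with DNS down, 'ALL EXCEPT foo.example.com' lets 203.0.113.10 in, 'ALL EXCEPT 203.0.113.10' still keeps it out, and '.ibm.com' refuses every host. The spoofed entry (198.51.100.5 claiming foo.example.com) matches PARANOID but not 'foo.example.com' or KNOWN, because a name that does not resolve back to the address is not trusted for name matching.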

Here are some examples: