Help for FTP and Telnet Access Control Entry Format
The general format of an entry is either 'client_identifier' or 'client_identifier EXCEPT client_identifier'. The FTP and Telnet Access pages allow you to enter either format.
If you choose to use hostnames in an entry, use fully-qualified hostnames. For example, use foo.example.com, not foo.
Attention: if you try to block access based on hostnames, but the appliance fails to resolve the hostnames, the appliance will allow access. It is safer to allow access only to specified hosts than to try to block some hosts.
For example, the rule all except foo.example.com allows most hosts, but blocks foo.example.com. But if the appliance fails to resolve the name foo.example.com, then foo.example.com will be able to connect, because the appliance will not recognize it.
On the other hand, the rule .ibm.com allows only hosts in the ibm.com domain to connect, and if the appliance fails to resolve ibm.com, then no hosts will be able to connect. Depending on your security needs, this may be the safer failure mode.
The format of the client_identifier is pattern [, pattern [, pattern]] -- that is, a list of one or more patterns, separated by commas or spaces.
The format of each pattern is as follows:
Pattern Format | Pattern Type | Description
---|---|---
'a.b.c.d' | IP address | The IP address ('a.b.c.d') of a specific host. Matches the remote system (host) with this IP address.
'a.' -or- 'a.b.' -or- 'a.b.c.' | Partial IP address | Matches any host with an IP address beginning with the specified partial IP address. The partial IP address can be one, two, or three bytes (for example, '192.168.' matches any system with an IP address of 192.168.x.x). A partial IP address pattern must end with '.'.
'name' -or- 'name.domain' | Host name | The host name of a specific host. Matches the remote system (host) with this host name.
'.domainname' | Domain name | Any host with a host name ending with the specified domain name (for example, '.ibm.com' matches any system with a host name ending in '.ibm.com'). A partial domain name pattern must begin with '.'.
'a.b.c.d/w.x.y.z' | Network address | 'a.b.c.d' is the network address and 'w.x.y.z' is the network mask. This entry matches any host within the subnet defined by the network address (that is, the specified network mask is applied to the IP address of the requesting system, and if the result equals the specified network address, the system matches the entry).
KNOWN | Known hosts | A wildcard that matches any host that is known (that is, can be resolved using DNS).
UNKNOWN | Unknown hosts | A wildcard that matches any host that is not known (that is, cannot be resolved using DNS).
LOCAL | Local hosts | A wildcard that matches any local host (that is, the host name does not contain a dot).
PARANOID | Spoofed hosts | A wildcard that matches any host whose host name does not match its IP address (that is, the host is being spoofed).
ALL | All hosts | A wildcard that matches all hosts. Usually used to grant access to all hosts in the network.
Here are some examples:
.example.com EXCEPT a.example.com, b.example.com
9. 10. EXCEPT badhost.example.com 10.2.2.3
ALL EXCEPT PARANOID, badhost.example.com
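The following Python matcher is an added example, not code from the appliance or its documentation. It implements the entry grammar and the pattern table above ('list' or 'list EXCEPT list', patterns separated by commas or spaces, and all nine pattern types), and it also reproduces the warning about unresolved host names: the same client is evaluated once with a successful reverse lookup and once with a failed one, so you can see which entries fail open and which fail closed. The Client class, its constructed IP addresses and host names, and the decision that an unresolvable host simply has no name are assumptions of this example; the appliance's real resolver and matching order are not modelled.

```python
import ipaddress
import re


class Client:
    """The remote system as the appliance sees it (constructed for this example):
    its IP address, the host name that reverse DNS returned (None when the lookup
    failed, i.e. the host is UNKNOWN), and the IP that a forward lookup of that
    name returned, which the PARANOID check compares against the real address.
    If forward_ip is not given, the name is assumed to map back to the IP."""

    def __init__(self, ip, hostname=None, forward_ip=None):
        self.ip = ip
        self.hostname = hostname
        self.forward_ip = forward_ip if forward_ip is not None else ip


def split_patterns(text):
    """A client_identifier is one or more patterns separated by commas or spaces."""
    return [p for p in re.split(r"[\s,]+", text.strip()) if p]


def parse_entry(entry):
    """Return (allow_patterns, except_patterns) for 'list' or 'list EXCEPT list'."""
    parts = re.split(r"\s+EXCEPT\s+", entry.strip(), maxsplit=1, flags=re.IGNORECASE)
    allow = split_patterns(parts[0])
    deny = split_patterns(parts[1]) if len(parts) > 1 else []
    return allow, deny


def match_pattern(pattern, client):
    """Apply one pattern from the pattern table to a client."""
    p = pattern.strip()
    key = p.upper()
    name = client.hostname.lower() if client.hostname else None
    if key == "ALL":
        return True
    if key == "KNOWN":                     # reverse lookup succeeded
        return name is not None
    if key == "UNKNOWN":                   # reverse lookup failed
        return name is None
    if key == "LOCAL":                     # resolved name contains no dot
        return name is not None and "." not in name
    if key == "PARANOID":                  # name does not map back to the IP
        return name is not None and client.forward_ip != client.ip
    if "/" in p:                           # a.b.c.d/w.x.y.z: network address and mask
        network = ipaddress.ip_network(p, strict=False)
        return ipaddress.ip_address(client.ip) in network
    if p.endswith("."):                    # partial IP such as '192.168.'
        return client.ip.startswith(p)
    if p.startswith("."):                  # domain suffix such as '.example.com'
        return name is not None and name.endswith(p.lower())
    try:                                   # a full IP address
        return ipaddress.ip_address(p) == ipaddress.ip_address(client.ip)
    except ValueError:                     # otherwise an exact host name
        return name == p.lower()


def entry_allows(entry, client):
    """True if the client matches the allow list and none of the EXCEPT list.
    Note that an unresolved host has no name, so host-name patterns in the
    EXCEPT list never match it: a deny-by-name entry fails open."""
    allow, deny = parse_entry(entry)
    if not any(match_pattern(p, client) for p in allow):
        return False
    return not any(match_pattern(p, client) for p in deny)


if __name__ == "__main__":
    resolved = Client("192.168.1.10", "foo.example.com")
    unresolved = Client("192.168.1.10")          # same host, reverse lookup failed
    for entry in ("ALL EXCEPT foo.example.com", ".ibm.com"):
        print(f"{entry!r}: resolved={entry_allows(entry, resolved)} "
              f"unresolved={entry_allows(entry, unresolved)}")
```

Running the block shows 'ALL EXCEPT foo.example.com' blocking the host only while its name resolves and admitting it once resolution fails, whereas '.ibm.com' denies it in both cases; that is the trade-off the attention note describes.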