Next: Authorization Rules
Up: Required Authorization Fields
Previous: The Default Authorization
The source and destination fields of the authorization
file may be very specific, referring to individual hosts, or general,
referring to groups of hosts, to networks,
or to entire Internet domains, or, if left blank, to all machines
everywhere. For purposes of the authorization
file, the term host may refer to any of the above and may be either
remote (outside your local network) or local (inside your local
network). Some examples follow.
- host name
  The name of an individual computer as returned by a hostname lookup. It matches only on an exact comparison during a verification query by gwcontrol. Examples: export and express.army.mil.
- Network name
  The symbolic name of a network that has been entered in the /etc/networks file. The effect is the same as replacing the name with the network's Internet address. The netmask can be set explicitly by appending an ampersand (&) followed by a mask, in one of three forms: (1) a dotted quad; (2) a hex number; or (3) a decimal number of bits in the host part of the address. If no mask is given this way, the file /etc/netmasks is searched; if it has no entry for the network, a netmask is generated from the class of the network address.
- Internet address
  The IP address of a machine in dotted-quad format. A full address must match exactly during verification. A network address (fewer than four numbers) matches every machine on that network. Examples: 128.195.28.2 matches only the single machine at that address, while 128.57 matches all machines whose addresses start with 128.57 (all hosts on the 128.57 network). The second example may also be written as 128.57.0.0. For network addresses, a netmask is generated in the same manner as described above under Network name.
- Internet domain
  The name of a network or group of networks, that is, the tail end of a fully-qualified domain name. It matches any fully-qualified domain name that ends with it. The name begins with a `.` to distinguish it from a machine with the same name. Examples: .edu and .cms.xxx.com. The first matches any machine in the educational (.edu) domain; the second matches all machines in the cms.xxx.com commercial domain.
- blank
  If no machine is listed in a source or destination field, all machines are matched. Note that the default rule (see above) has blanks in both the source and destination fields. An address of 0.0.0.0 is equivalent to a blank field; it also matches all machines. Use blank fields with caution: a blank source or destination extends the rule to every host on the Internet.
Under these rules, a single machine can match several entries in the
authorization file. The more specifically an entry matches a particular
machine, the higher its precedence. If more than one entry matches
equally well, the first match encountered in the file takes precedence.
gwcontrol applies the following rules to rank the entries that match:
- An exact match on either a host name or a numerical Internet address ranks highest.
- Among domain and network matches, the lowest-level (most specific) Internet
  domain or Internet address ranks higher. Thus mine.cms.xxx.com matches
  .cms.xxx.com more closely than .xxx.com, and 128.195.28.2 matches
  128.195.28 more closely than 128.195.
- A blank field or 0.0.0.0 matches all machines and ranks lowest.
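The following is an added example, written for this page and not gwcontrol's own code, that implements the five field forms described above (host name, Internet address with an optional &mask, network address, domain suffix, blank or 0.0.0.0) and the precedence rules: the most specific match wins, and among equally specific matches the first entry in the file wins. The rule table and hosts are constructed for the example. Two points are assumptions of the example rather than statements of the page: the mask for a network address written without &mask is derived from the number of octets written (the page says /etc/netmasks and the address class are consulted), and a domain match is ranked against a network match by comparing label count with prefix length.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str  # fully-qualified host name as returned by a hostname lookup
    ip: str    # dotted-quad address


_NUMERIC = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")


def parse_mask(text: str) -> int:
    """The three explicit mask forms: dotted quad, hex number, or a decimal
    count of bits in the host part (the page's definition of the decimal form)."""
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    if text.lower().startswith("0x"):
        return int(text, 16)
    host_bits = int(text)
    return (0xFFFFFFFF << host_bits) & 0xFFFFFFFF


def classify(field: str):
    """Map one source/destination field to (kind, data, specificity).

    specificity is (tier, detail): tier 2 = exact host name or IP, tier 1 =
    domain suffix or network (detail = label count or prefix bits), tier 0 =
    matches everything.  Comparing labels against prefix bits is an
    assumption of this example; the page does not define that ordering.
    """
    field = field.strip()
    if field in ("", "0.0.0.0"):
        return "any", None, (0, 0)
    if field.startswith("."):
        suffix = field.lower()
        return "domain", suffix, (1, suffix.count("."))
    addr, _, mask_text = field.partition("&")
    if not _NUMERIC.match(addr):
        return "host", field.lower(), (2, 32)
    octets = [int(o) for o in addr.split(".")]
    if len(octets) == 4 and octets[-1] != 0 and not mask_text:
        return "ip", addr, (2, 32)
    # Network address: 128.57 and 128.57.0.0 denote the same network.
    while octets and octets[-1] == 0:
        octets.pop()
    significant = len(octets)
    octets += [0] * (4 - significant)
    net = int(ipaddress.IPv4Address(".".join(map(str, octets))))
    if mask_text:
        mask = parse_mask(mask_text)
    else:
        # Assumption: mask from the octets written, so that 128.195.28 is
        # narrower than 128.195 as the page's ordering requires.
        mask = (0xFFFFFFFF << (32 - 8 * significant)) & 0xFFFFFFFF
    return "net", (net & mask, mask), (1, bin(mask).count("1"))


def field_matches(field: str, host: Host):
    """Return (matched, specificity) for one field against one host."""
    kind, data, specificity = classify(field)
    if kind == "any":
        ok = True
    elif kind == "host":
        ok = host.name.lower() == data
    elif kind == "ip":
        ok = host.ip == data
    elif kind == "domain":
        ok = host.name.lower().endswith(data)
    else:
        net, mask = data
        ok = (int(ipaddress.IPv4Address(host.ip)) & mask) == net
    return ok, specificity


def select_rule(rules, src: Host, dst: Host):
    """Pick the most specific matching (source, destination, action) entry.
    Scores of the two fields are summed element-wise (an assumption of this
    example); max() keeps the first maximal element, so ties go to the entry
    that appears first in the file."""
    candidates = []
    for rule in rules:
        src_ok, src_spec = field_matches(rule[0], src)
        dst_ok, dst_spec = field_matches(rule[1], dst)
        if src_ok and dst_ok:
            score = (src_spec[0] + dst_spec[0], src_spec[1] + dst_spec[1])
            candidates.append((score, rule))
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]


# Constructed authorization entries: (source, destination, action).
# The first entry is the default rule with both fields blank.
RULES = [
    ("", "", "deny"),
    (".xxx.com", "export", "permit"),
    (".cms.xxx.com", "export", "log"),
    ("128.195", "0.0.0.0", "permit"),
    ("128.195.28", "", "deny"),
    ("128.195.28.2", "", "permit"),
    ("128.57", "", "permit"),
    ("128.57.0.0", "", "deny"),  # same network as 128.57: the earlier entry wins
    ("mine.cms.xxx.com", "express.army.mil", "deny"),
]


def decide(rules, src: Host, dst: Host) -> str:
    rule = select_rule(rules, src, dst)
    return rule[2] if rule else "no-match"


if __name__ == "__main__":
    print(decide(RULES, Host("mine.cms.xxx.com", "192.0.2.7"), Host("export", "10.0.0.1")))
```

Note how the two 128.57 entries illustrate the tie rule: both expand to the same network with the same mask, so the entry listed first decides, which is exactly the ordering trap the page warns about when blank fields or overlapping networks appear more than once.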