+# 4.6. ACLs: permit-access and deny-access
+# ========================================
+#
+# Specifies:
+#
+# Who can access what.
+#
+# Type of value:
+#
+# src_addr[/src_masklen] [dst_addr[/dst_masklen]]
+#
+# Where src_addr and dst_addr are IP addresses in dotted decimal
+# notation or valid DNS names, and src_masklen and dst_masklen are
+# subnet masks in CIDR notation, i.e. integer values from 2 to 30
+# representing the length (in bits) of the network address. The
+# masks and the whole destination part are optional.
+#
+# Default value:
+#
+# Unset
+#
+# Effect if unset:
+#
+# Don't restrict access further than implied by listen-address
+#
+# Notes:
+#
+# Access controls are included at the request of ISPs and systems
+# administrators, and are not usually needed by individual
+# users. For a typical home user, it will normally suffice to
+# ensure that Privoxy only listens on the localhost (127.0.0.1)
+# or internal (home) network address by means of the listen-address
+# option.
+#
+# Please see the warnings in the FAQ that this proxy is not
+# intended to be a substitute for a firewall or to encourage
+# anyone to defer addressing basic security weaknesses.
+#
+# Multiple ACL lines are OK. If any ACLs are specified, then
+# the Privoxy talks only to IP addresses that match at least one
+# permit-access line and don't match any subsequent deny-access
+# line. In other words, the last match wins, with the default
+# being deny-access.
+#
+# If Privoxy is using a forwarder (see forward below) for a
+# particular destination URL, the dst_addr that is examined is
+# the address of the forwarder and NOT the address of the ultimate
+# target. This is necessary because it may be impossible for the
+# local Privoxy to determine the IP address of the ultimate target
+# (that's often what gateways are used for).
+#
+# You should prefer using IP addresses over DNS names, because
+# the address lookups take time. All DNS names must resolve! You
+# can not use domain patterns like "*.org" or partial domain
+# names. If a DNS name resolves to multiple IP addresses, only
+# the first one is used.
+#
+# Denying access to particular sites by ACL may have undesired
+# side effects if the site in question is hosted on a machine
+# which also hosts other sites.
+#
+# Examples:
+#
+# Explicitly define the default behavior if no ACL and
+# listen-address are set: "localhost" is OK. The absence of a
+# dst_addr implies that all destination addresses are OK:
+#
+# permit-access localhost
+#
+# Allow any host on the same class C subnet as www.privoxy.org
+# access to nothing but www.example.com:
+#
+# permit-access www.privoxy.org/24 www.example.com/32
+#
+# Allow access from any host on the 26-bit subnet 192.168.45.64
+# to anywhere, with the exception that 192.168.45.73 may not
+# access www.dirty-stuff.example.com:
+#
+# permit-access 192.168.45.64/26
+# deny-access 192.168.45.73 www.dirty-stuff.example.com