- <div class="SECT3">
- <h4 class="SECT3">
- <a name="ACLS">7.4.7. ACLs: permit-access and deny-access</a>
- </h4>
- <a name="PERMIT-ACCESS"></a><a name="DENY-ACCESS"></a>
- <div class="VARIABLELIST">
- <dl>
- <dt>
- Specifies:
- </dt>
- <dd>
- <p>
- Who can access what.
- </p>
- </dd>
- <dt>
- Type of value:
- </dt>
- <dd>
- <p>
- <tt class="REPLACEABLE"><i>src_addr</i></tt>[:<tt class=
- "REPLACEABLE"><i>port</i></tt>][/<tt class=
- "REPLACEABLE"><i>src_masklen</i></tt>] [<tt class=
- "REPLACEABLE"><i>dst_addr</i></tt>[:<tt class=
- "REPLACEABLE"><i>port</i></tt>][/<tt class=
- "REPLACEABLE"><i>dst_masklen</i></tt>]]
- </p>
- <p>
- Where <tt class="REPLACEABLE"><i>src_addr</i></tt> and <tt
- class="REPLACEABLE"><i>dst_addr</i></tt> are IPv4 addresses
- in dotted decimal notation or valid DNS names, <tt class=
- "REPLACEABLE"><i>port</i></tt> is a port number, and <tt
- class="REPLACEABLE"><i>src_masklen</i></tt> and <tt class=
- "REPLACEABLE"><i>dst_masklen</i></tt> are subnet masks in
- CIDR notation, i.e. integer values from 2 to 30
- representing the length (in bits) of the network address.
- The masks and the whole destination part are optional.
- </p>
- <p>
- If your system implements <a href=
- "http://tools.ietf.org/html/rfc3493" target="_top">RFC
- 3493</a>, then <tt class="REPLACEABLE"><i>src_addr</i></tt>
- and <tt class="REPLACEABLE"><i>dst_addr</i></tt> can be
- IPv6 addresses delimeted by brackets, <tt class=
- "REPLACEABLE"><i>port</i></tt> can be a number or a service
- name, and <tt class="REPLACEABLE"><i>src_masklen</i></tt>
- and <tt class="REPLACEABLE"><i>dst_masklen</i></tt> can be
- a number from 0 to 128.
- </p>
- </dd>
- <dt>
- Default value:
- </dt>
- <dd>
- <p>
- <span class="emphasis"><i class="EMPHASIS">Unset</i></span>
- </p>
- <p>
- If no <tt class="REPLACEABLE"><i>port</i></tt> is
- specified, any port will match. If no <tt class=
- "REPLACEABLE"><i>src_masklen</i></tt> or <tt class=
- "REPLACEABLE"><i>src_masklen</i></tt> is given, the
- complete IP address has to match (i.e. 32 bits for IPv4 and
- 128 bits for IPv6).
- </p>
- </dd>
- <dt>
- Effect if unset:
- </dt>
- <dd>
- <p>
- Don't restrict access further than implied by <tt class=
- "LITERAL">listen-address</tt>
- </p>
- </dd>
- <dt>
- Notes:
- </dt>
- <dd>
- <p>
- Access controls are included at the request of ISPs and
- systems administrators, and <span class="emphasis"><i
- class="EMPHASIS">are not usually needed by individual
- users</i></span>. For a typical home user, it will normally
- suffice to ensure that <span class=
- "APPLICATION">Privoxy</span> only listens on the localhost
- (127.0.0.1) or internal (home) network address by means of
- the <a href="config.html#LISTEN-ADDRESS"><span class=
- "emphasis"><i class=
- "EMPHASIS">listen-address</i></span></a> option.
- </p>
- <p>
- Please see the warnings in the FAQ that <span class=
- "APPLICATION">Privoxy</span> is not intended to be a
- substitute for a firewall or to encourage anyone to defer
- addressing basic security weaknesses.
- </p>
- <p>
- Multiple ACL lines are OK. If any ACLs are specified, <span
- class="APPLICATION">Privoxy</span> only talks to IP
- addresses that match at least one <tt class=
- "LITERAL">permit-access</tt> line and don't match any
- subsequent <tt class="LITERAL">deny-access</tt> line. In
- other words, the last match wins, with the default being
- <tt class="LITERAL">deny-access</tt>.
- </p>
- <p>
- If <span class="APPLICATION">Privoxy</span> is using a
- forwarder (see <tt class="LITERAL">forward</tt> below) for
- a particular destination URL, the <tt class=
- "REPLACEABLE"><i>dst_addr</i></tt> that is examined is the
- address of the forwarder and <span class="emphasis"><i
- class="EMPHASIS">NOT</i></span> the address of the ultimate
- target. This is necessary because it may be impossible for
- the local <span class="APPLICATION">Privoxy</span> to
- determine the IP address of the ultimate target (that's
- often what gateways are used for).
- </p>
- <p>
- You should prefer using IP addresses over DNS names,
- because the address lookups take time. All DNS names must
- resolve! You can <span class="emphasis"><i class=
- "EMPHASIS">not</i></span> use domain patterns like <span
- class="QUOTE">"*.org"</span> or partial domain names. If a
- DNS name resolves to multiple IP addresses, only the first
- one is used.
- </p>
- <p>
- Some systems allow IPv4 clients to connect to IPv6 server
- sockets. Then the client's IPv4 address will be translated
- by the system into IPv6 address space with special prefix
- ::ffff:0:0/96 (so called IPv4 mapped IPv6 address). <span
- class="APPLICATION">Privoxy</span> can handle it and maps
- such ACL addresses automatically.
- </p>
- <p>
- Denying access to particular sites by ACL may have
- undesired side effects if the site in question is hosted on
- a machine which also hosts other sites (most sites are).
- </p>
- </dd>
- <dt>
- Examples:
- </dt>
- <dd>
- <p>
- Explicitly define the default behavior if no ACL and <tt
- class="LITERAL">listen-address</tt> are set: <span class=
- "QUOTE">"localhost"</span> is OK. The absence of a <tt
- class="REPLACEABLE"><i>dst_addr</i></tt> implies that <span
- class="emphasis"><i class="EMPHASIS">all</i></span>
- destination addresses are OK:
- </p>
- <p>
- </p>
- <table border="0" bgcolor="#E0E0E0" width="90%">
- <tr>
- <td>
-<pre class="SCREEN">
- permit-access localhost
-</pre>
- </td>
- </tr>
- </table>
-
- <p>
- Allow any host on the same class C subnet as
- www.privoxy.org access to nothing but www.example.com (or
- other domains hosted on the same system):
- </p>
- <p>
- </p>
- <table border="0" bgcolor="#E0E0E0" width="90%">
- <tr>
- <td>
-<pre class="SCREEN">
- permit-access www.privoxy.org/24 www.example.com/32
-</pre>
- </td>
- </tr>
- </table>
-
- <p>
- Allow access from any host on the 26-bit subnet
- 192.168.45.64 to anywhere, with the exception that
- 192.168.45.73 may not access the IP address behind
- www.dirty-stuff.example.com:
- </p>
- <p>
- </p>
- <table border="0" bgcolor="#E0E0E0" width="90%">
- <tr>
- <td>
-<pre class="SCREEN">
- permit-access 192.168.45.64/26
- deny-access 192.168.45.73 www.dirty-stuff.example.com
-</pre>
- </td>
- </tr>
- </table>
-
- <p>
- Allow access from the IPv4 network 192.0.2.0/24 even if
- listening on an IPv6 wild card address (not supported on
- all platforms):
- </p>
- <p>
- </p>
- <table border="0" bgcolor="#E0E0E0" width="90%">
- <tr>
- <td>
-<pre class="PROGRAMLISTING">
- permit-access 192.0.2.0/24
-</pre>
- </td>
- </tr>
- </table>
-
- <p>
- This is equivalent to the following line even if listening
- on an IPv4 address (not supported on all platforms):
- </p>
- <p>
- </p>
- <table border="0" bgcolor="#E0E0E0" width="90%">
- <tr>
- <td>
-<pre class="PROGRAMLISTING">
- permit-access [::ffff:192.0.2.0]/120
-</pre>
- </td>
- </tr>
- </table>
- </dd>
- </dl>
- </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="ACLS" id="ACLS">7.4.7. ACLs: permit-access
+ and deny-access</a></h4><a name="PERMIT-ACCESS" id=
+ "PERMIT-ACCESS"></a><a name="DENY-ACCESS" id="DENY-ACCESS"></a>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Who can access what.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>src_addr</i></tt>[:<tt class=
+ "REPLACEABLE"><i>port</i></tt>][/<tt class=
+ "REPLACEABLE"><i>src_masklen</i></tt>] [<tt class=
+ "REPLACEABLE"><i>dst_addr</i></tt>[:<tt class=
+ "REPLACEABLE"><i>port</i></tt>][/<tt class=
+ "REPLACEABLE"><i>dst_masklen</i></tt>]]</p>
+ <p>Where <tt class="REPLACEABLE"><i>src_addr</i></tt> and
+ <tt class="REPLACEABLE"><i>dst_addr</i></tt> are IPv4 addresses
+ in dotted decimal notation or valid DNS names, <tt class=
+ "REPLACEABLE"><i>port</i></tt> is a port number, and <tt class=
+ "REPLACEABLE"><i>src_masklen</i></tt> and <tt class=
+ "REPLACEABLE"><i>dst_masklen</i></tt> are subnet masks in CIDR
+ notation, i.e. integer values from 2 to 30 representing the
+ length (in bits) of the network address. The masks and the
+ whole destination part are optional.</p>
+ <p>If your system implements <a href=
+ "http://tools.ietf.org/html/rfc3493" target="_top">RFC
+ 3493</a>, then <tt class="REPLACEABLE"><i>src_addr</i></tt> and
+ <tt class="REPLACEABLE"><i>dst_addr</i></tt> can be IPv6
+ addresses delimeted by brackets, <tt class=
+ "REPLACEABLE"><i>port</i></tt> can be a number or a service
+ name, and <tt class="REPLACEABLE"><i>src_masklen</i></tt> and
+ <tt class="REPLACEABLE"><i>dst_masklen</i></tt> can be a number
+ from 0 to 128.</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class=
+ "EMPHASIS">Unset</i></span></p>
+ <p>If no <tt class="REPLACEABLE"><i>port</i></tt> is specified,
+ any port will match. If no <tt class=
+ "REPLACEABLE"><i>src_masklen</i></tt> or <tt class=
+ "REPLACEABLE"><i>src_masklen</i></tt> is given, the complete IP
+ address has to match (i.e. 32 bits for IPv4 and 128 bits for
+ IPv6).</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Don't restrict access further than implied by <tt class=
+ "LITERAL">listen-address</tt></p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>Access controls are included at the request of ISPs and
+ systems administrators, and <span class="emphasis"><i class=
+ "EMPHASIS">are not usually needed by individual
+ users</i></span>. For a typical home user, it will normally
+ suffice to ensure that <span class="APPLICATION">Privoxy</span>
+ only listens on the localhost (127.0.0.1) or internal (home)
+ network address by means of the <a href=
+ "config.html#LISTEN-ADDRESS"><span class="emphasis"><i class=
+ "EMPHASIS">listen-address</i></span></a> option.</p>
+ <p>Please see the warnings in the FAQ that <span class=
+ "APPLICATION">Privoxy</span> is not intended to be a substitute
+ for a firewall or to encourage anyone to defer addressing basic
+ security weaknesses.</p>
+ <p>Multiple ACL lines are OK. If any ACLs are specified,
+ <span class="APPLICATION">Privoxy</span> only talks to IP
+ addresses that match at least one <tt class=
+ "LITERAL">permit-access</tt> line and don't match any
+ subsequent <tt class="LITERAL">deny-access</tt> line. In other
+ words, the last match wins, with the default being <tt class=
+ "LITERAL">deny-access</tt>.</p>
+ <p>If <span class="APPLICATION">Privoxy</span> is using a
+ forwarder (see <tt class="LITERAL">forward</tt> below) for a
+ particular destination URL, the <tt class=
+ "REPLACEABLE"><i>dst_addr</i></tt> that is examined is the
+ address of the forwarder and <span class="emphasis"><i class=
+ "EMPHASIS">NOT</i></span> the address of the ultimate target.
+ This is necessary because it may be impossible for the local
+ <span class="APPLICATION">Privoxy</span> to determine the IP
+ address of the ultimate target (that's often what gateways are
+ used for).</p>
+ <p>You should prefer using IP addresses over DNS names, because
+ the address lookups take time. All DNS names must resolve! You
+ can <span class="emphasis"><i class="EMPHASIS">not</i></span>
+ use domain patterns like <span class="QUOTE">"*.org"</span> or
+ partial domain names. If a DNS name resolves to multiple IP
+ addresses, only the first one is used.</p>
+ <p>Some systems allow IPv4 clients to connect to IPv6 server
+ sockets. Then the client's IPv4 address will be translated by
+ the system into IPv6 address space with special prefix
+ ::ffff:0:0/96 (so called IPv4 mapped IPv6 address).
+ <span class="APPLICATION">Privoxy</span> can handle it and maps
+ such ACL addresses automatically.</p>
+ <p>Denying access to particular sites by ACL may have undesired
+ side effects if the site in question is hosted on a machine
+ which also hosts other sites (most sites are).</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <p>Explicitly define the default behavior if no ACL and
+ <tt class="LITERAL">listen-address</tt> are set: <span class=
+ "QUOTE">"localhost"</span> is OK. The absence of a <tt class=
+ "REPLACEABLE"><i>dst_addr</i></tt> implies that <span class=
+ "emphasis"><i class="EMPHASIS">all</i></span> destination
+ addresses are OK:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> permit-access localhost</pre>
+ </td>
+ </tr>
+ </table>
+ <p>Allow any host on the same class C subnet as www.privoxy.org
+ access to nothing but www.example.com (or other domains hosted
+ on the same system):</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN">
+ permit-access www.privoxy.org/24 www.example.com/32</pre>
+ </td>
+ </tr>
+ </table>
+ <p>Allow access from any host on the 26-bit subnet
+ 192.168.45.64 to anywhere, with the exception that
+ 192.168.45.73 may not access the IP address behind
+ www.dirty-stuff.example.com:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> permit-access 192.168.45.64/26
+ deny-access 192.168.45.73 www.dirty-stuff.example.com</pre>
+ </td>
+ </tr>
+ </table>
+ <p>Allow access from the IPv4 network 192.0.2.0/24 even if
+ listening on an IPv6 wild card address (not supported on all
+ platforms):</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="PROGRAMLISTING">
+ permit-access 192.0.2.0/24</pre>
+ </td>
+ </tr>
+ </table>
+ <p>This is equivalent to the following line even if listening
+ on an IPv4 address (not supported on all platforms):</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="PROGRAMLISTING">
+ permit-access [::ffff:192.0.2.0]/120</pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
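Review bot: the reflowed `+` side carries over two pre-existing text errors that this cleanup is the natural place to fix: "delimeted" in `addresses delimeted by brackets` should read "delimited", and the "Default value" paragraph says `If no src_masklen or src_masklen is given`, where the second occurrence is evidently meant to be `dst_masklen` (the sentence then explains that both the 32-bit and 128-bit full-address defaults apply). Separately, the five `<pre>` listings are now inconsistent: two start the listing on the same line as the tag with a leading space (`<pre class="SCREEN"> permit-access localhost</pre>` and `<pre class="SCREEN"> permit-access 192.168.45.64/26`), while the others open with a newline, so the rendered examples will differ in leading indentation; use one form for all of them. Minor: "wild card" would usually be written "wildcard".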