Changed "permission" to "action" throughout.

[privoxy.git] / aclfile

#  Access Control List for the Internet Junkbuster 2.0
#
# Copyright 1997-8 Junkbusters Corp.  For distribution, modification and use
# under the GNU General Public License. These files come with NO WARRANTY.
# See http://www.junkbusters.com/ht/en/gpl.html or README file for details.
#
# Access controls are included at the request of some ISPs and systems
# administrators, and are not usually needed by individual users.
# Please note the warnings in the FAQ that this proxy is not
# intended to be a substitute for a firewall or to encourage anyone
# to defer addressing basic security weaknesses.
# For details see http://www.junkbusters.com/ht/en/ijbman.html#aclfile

# For this file to have any effect, the line beginning "aclfile"
# must be commented in, with the name of this file following the word "aclfile"

# If no access file is specified, the proxy talks to anyone that connects.
# If an access file is specified, the proxy talks only to IP addresses
# permitted somewhere in this file and not denied later in this file.
#
# Summary -- if using an ACL:
#
#  Client must have permission to receive service
#  LAST match in ACL file wins
#  Default behavior is to deny service
#
# Syntax for an entry in an Access Control List is:
#
# ACTION    SRC_ADDR[/SRC_MASKLEN]    [ DST_ADDR[/DST_MASKLEN] ]
#
# where the fields are
#
# ACTION      = "permit" | "deny"
#
# SRC_ADDR    = client hostname or dotted IP address
# SRC_MASKLEN = number of bits in the subnet mask for the source
#
# DST_ADDR    = server or forwarder hostname or dotted IP address
# DST_MASKLEN = number of bits in the subnet mask for the target
#
# field separator (FS) is whitespace (space or tab)
#
# IMPORTANT NOTE
# ==============
# If the junkbuster is using a forwarder or a gateway for a particular 
# destination URL, the DST_ADDRR that is examined is the address of
# the forwarder or the gateway and NOT the address of the ultimate target.
# This is necessary because it may be impossible for the local
# junkbuster to determine the address of the ultimate target
# (that's often what gateways are used for).
#
# Here are a few examples to show how the ACL works:

# localhost is OK --  no DST_ADDR implies that ALL destination addresses are OK
# permit localhost

# a silly example to illustrate:
#
# permit any host on the class-C subnet with junkbusters to go anywhere
#
# permit www.junkbusters.com/24
#
# except deny one particular IP address from using it at all
#
# deny      ident.junkbusters.com

# another example
#
# You can specify an explicit network address and subnet mask.
# Explicit addresses do not have to be resolved to be used.
#
# permit 207.153.200.0/24

# a subnet mask of 0 matches anything, so the next line permits everyone.
#
# permit 0.0.0.0/0

# Note:  you cannot say
#
# permit .org
#
# to allow all .org domains; every IP-address listed must resolve fully.

# An ISP may want to provide a junkbuster that is accessible by "the world"
# and yet restrict use of some of their private content to hosts on its
# internal network (i.e. its own subscribers).  Say, for instance the
# ISP owns the Class-B IP address block 123.124.0.0 (a 16 bit netmask).
# This is how they could do it:

# permit 0.0.0.0/0   0.0.0.0/0   # other clients can go anywhere 
#                with the following exceptions:
#
# deny   0.0.0.0/0   123.124.0.0/16 # block all external requests for
#                                         sites on the ISP's network
#
# permit 0.0.0.0/0   www.my_isp.com # except for the ISP's main web site
#
# permit 123.124.0.0/16 0.0.0.0/0   # the ISP's clients can go anywhere

# Note that some hostnames may be listed with multiple IP addresses;
# the primary value returned by gethostbyname() is used.
#