# Access Control List for the Internet Junkbuster 2.0 # # Copyright 1997-8 Junkbusters Corp. For distribution, modification and use # under the GNU General Public License. These files come with NO WARRANTY. # See http://www.junkbusters.com/ht/en/gpl.html or README file for details. # # Access controls are included at the request of some ISPs and systems # administrators, and are not usually needed by individual users. # Please note the warnings in the FAQ that this proxy is not # intended to be a substitute for a firewall or to encourage anyone # to defer addressing basic security weaknesses. # For details see http://www.junkbusters.com/ht/en/ijbman.html#aclfile # For this file to have any effect, the line beginning "aclfile" # must be commented in, with the name of this file following the word "aclfile" # If no access file is specified, the proxy talks to anyone that connects. # If an access file is specified, the proxy talks only to IP addresses # permitted somewhere in this file and not denied later in this file. # # Summary -- if using an ACL: # # Client must have permission to receive service # LAST match in ACL file wins # Default behavior is to deny service # # Syntax for an entry in an Access Control List is: # # ACTION SRC_ADDR[/SRC_MASKLEN] [ DST_ADDR[/DST_MASKLEN] ] # # where the fields are # # ACTION = "permit" | "deny" # # SRC_ADDR = client hostname or dotted IP address # SRC_MASKLEN = number of bits in the subnet mask for the source # # DST_ADDR = server or forwarder hostname or dotted IP address # DST_MASKLEN = number of bits in the subnet mask for the target # # field separator (FS) is whitespace (space or tab) # # IMPORTANT NOTE # ============== # If the junkbuster is using a forwarder or a gateway for a particular # destination URL, the DST_ADDRR that is examined is the address of # the forwarder or the gateway and NOT the address of the ultimate target. # This is necessary because it may be impossible for the local # junkbuster to determine the address of the ultimate target # (that's often what gateways are used for). # # Here are a few examples to show how the ACL works: # localhost is OK -- no DST_ADDR implies that ALL destination addresses are OK # permit localhost # a silly example to illustrate: # # permit any host on the class-C subnet with junkbusters to go anywhere # # permit www.junkbusters.com/24 # # except deny one particular IP address from using it at all # # deny ident.junkbusters.com # another example # # You can specify an explicit network address and subnet mask. # Explicit addresses do not have to be resolved to be used. # # permit 207.153.200.0/24 # a subnet mask of 0 matches anything, so the next line permits everyone. # # permit 0.0.0.0/0 # Note: you cannot say # # permit .org # # to allow all .org domains; every IP-address listed must resolve fully. # An ISP may want to provide a junkbuster that is accessible by "the world" # and yet restrict use of some of their private content to hosts on its # internal network (i.e. its own subscribers). Say, for instance the # ISP owns the Class-B IP address block 123.124.0.0 (a 16 bit netmask). # This is how they could do it: # permit 0.0.0.0/0 0.0.0.0/0 # other clients can go anywhere # with the following exceptions: # # deny 0.0.0.0/0 123.124.0.0/16 # block all external requests for # sites on the ISP's network # # permit 0.0.0.0/0 www.my_isp.com # except for the ISP's main web site # # permit 123.124.0.0/16 0.0.0.0/0 # the ISP's clients can go anywhere # Note that some hostnames may be listed with multiple IP addresses; # the primary value returned by gethostbyname() is used. #