X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=aclfile;fp=aclfile;h=6a265a8975f54aecf2e8c2b0106a77b43bc79546;hp=0000000000000000000000000000000000000000;hb=c75584ebcc79f939fb4ec9c8f842cef6692640c7;hpb=6acca0a8d156834bef2db2360ed68eb2e0ac51b3 diff --git a/aclfile b/aclfile new file mode 100644 index 00000000..6a265a89 --- /dev/null +++ b/aclfile @@ -0,0 +1,102 @@ +# Access Control List for the Internet Junkbuster 2.0 +# +# Copyright 1997-8 Junkbusters Corp. For distribution, modification and use +# under the GNU General Public License. These files come with NO WARRANTY. +# See http://www.junkbusters.com/ht/en/gpl.html or README file for details. +# +# Access controls are included at the request of some ISPs and systems +# administrators, and are not usually needed by individual users. +# Please note the warnings in the FAQ that this proxy is not +# intended to be a substitute for a firewall or to encourage anyone +# to defer addressing basic security weaknesses. +# For details see http://www.junkbusters.com/ht/en/ijbman.html#aclfile + +# For this file to have any effect, the line beginning "aclfile" +# must be commented in, with the name of this file following the word "aclfile" + +# If no access file is specified, the proxy talks to anyone that connects. +# If an access file is specified, the proxy talks only to IP addresses +# permitted somewhere in this file and not denied later in this file. +# +# Summary -- if using an ACL: +# +# Client must have permission to receive service +# LAST match in ACL file wins +# Default behavior is to deny service +# +# Syntax for an entry in an Access Control List is: +# +# ACTION SRC_ADDR[/SRC_MASKLEN] [ DST_ADDR[/DST_MASKLEN] ] +# +# where the fields are +# +# ACTION = "permit" | "deny" +# +# SRC_ADDR = client hostname or dotted IP address +# SRC_MASKLEN = number of bits in the subnet mask for the source +# +# DST_ADDR = server or forwarder hostname or dotted IP address +# DST_MASKLEN = number of bits in the subnet mask for the target +# +# field separator (FS) is whitespace (space or tab) +# +# IMPORTANT NOTE +# ============== +# If the junkbuster is using a forwarder or a gateway for a particular +# destination URL, the DST_ADDRR that is examined is the address of +# the forwarder or the gateway and NOT the address of the ultimate target. +# This is necessary because it may be impossible for the local +# junkbuster to determine the address of the ultimate target +# (that's often what gateways are used for). +# +# Here are a few examples to show how the ACL works: + +# localhost is OK -- no DST_ADDR implies that ALL destination addresses are OK +# permit localhost + +# a silly example to illustrate: +# +# permit any host on the class-C subnet with junkbusters to go anywhere +# +# permit www.junkbusters.com/24 +# +# except deny one particular IP address from using it at all +# +# deny ident.junkbusters.com + +# another example +# +# You can specify an explicit network address and subnet mask. +# Explicit addresses do not have to be resolved to be used. +# +# permit 207.153.200.0/24 + +# a subnet mask of 0 matches anything, so the next line permits everyone. +# +# permit 0.0.0.0/0 + +# Note: you cannot say +# +# permit .org +# +# to allow all .org domains; every IP-address listed must resolve fully. + +# An ISP may want to provide a junkbuster that is accessible by "the world" +# and yet restrict use of some of their private content to hosts on its +# internal network (i.e. its own subscribers). Say, for instance the +# ISP owns the Class-B IP address block 123.124.0.0 (a 16 bit netmask). +# This is how they could do it: + +# permit 0.0.0.0/0 0.0.0.0/0 # other clients can go anywhere +# with the following exceptions: +# +# deny 0.0.0.0/0 123.124.0.0/16 # block all external requests for +# sites on the ISP's network +# +# permit 0.0.0.0/0 www.my_isp.com # except for the ISP's main web site +# +# permit 123.124.0.0/16 0.0.0.0/0 # the ISP's clients can go anywhere + +# Note that some hostnames may be listed with multiple IP addresses; +# the primary value returned by gethostbyname() is used. +#