Next: User Authentication Up: Authorization Rule Database Previous: Hierarchy of Authorization

Example Authorization Rules

For clarity, here are several examples depicting typical rule entries in a gateway.cf file.

In our first example, a host named export, all machines in the .xxx.com domain, and all machines on the network numbered 192.92.2 have full access to the machine named mine and to the domain named .yyy.xxx.com, and have access to the machine named yours except for ftp, which is denied. In addition, the 192.92.2 network entry specifies a subnet mask in which five bits are used for hosts and the remaining three bits denote subnet addresses. The configuration entry looks like this:

export, .xxx.com, 192.92.2&5 allow mine, yours(noftp), .yyy.xxx.com

In the next example we illustrate time limits. All machines from educational sites (.edu) are permitted ftp read-only access to the hosts in the .xxx.com domain from 9am to 5pm Monday through Friday, and noon to 4pm on Saturdays; telnet access is denied. The configuration entry would look like this:

.edu allow .xxx.com[Mon-Fri@9am-5pm;Sat@12pm-4pm](notelnet,ftp.getonly)

The following example shows how to change dynamic thresholds from the default. It states that host marcus.com may try to connect to network localnet (which is defined in /etc/networks) up to 15 times per hour, and up to 50 times per day. This overrides the normal maximum connect limits for those periods. More than 15 attempts during an hour, or more than 50 attempts in a day, will generate an alarm.

<15/hour, 50/day> marcus.com allow localnet

Next we illustrate how to set up the configuration file for an Eaglet Subnet Partitioner. (Note that the Eagle authorization file may contain rule(s) applying to one or more Eaglets in your network.) Suppose you want to limit users within a subnet so that they cannot access any systems outside their subnet, but you still want to allow people outside that subnet to log into those machines. The two lines below will only be used by the Eaglet named badguyseaglet to control network access by machines in the .badguys.net subnet. The first line states that all hosts (denoted by a blank source field) may access all machines (denoted by a blank in the destination field) in the subnet controlled by the Eaglet. The second line denies outgoing access for machines in the isolated subnet .badguys.net.

badguyseaglet: allow
badguyseaglet: .badguys.net deny
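As an added illustration (not code from the Eagle product or from this page), here is a small Python parser for the five rule lines shown above. The grammar it assumes, the field names it produces, the prefix length it derives from the &5 mask suffix and the wide_open audit helper are all my own reconstruction from these examples, not a documented gateway.cf specification.

```python
import re
# Assumed grammar, reconstructed from the examples on this page (not a published
# gateway.cf spec): [<N/hour, M/day>] [eaglet:] src, ... allow|deny dst[time](opts), ...
RULE_RE = re.compile(
    r"^\s*(?:<(?P<thr>[^>]*)>)?\s*(?:(?P<eaglet>[\w.-]+):)?"
    r"\s*(?P<src>.*?)\s*\b(?P<action>allow|deny)\b\s*(?P<dst>.*)$")
DEST_RE = re.compile(
    r"^(?P<name>[^\[(]*?)\s*(?:\[(?P<time>[^\]]*)\])?\s*(?:\((?P<opts>[^)]*)\))?$")

def _split_top(s):
    """Split on commas that are not inside [...] or (...)."""
    return [x.strip() for x in re.split(r",(?![^\[]*\])(?![^(]*\))", s) if x.strip()]

def _source(tok):
    # "192.92.2&5": &N is the host-bit count; the prefix length is our reading of that
    name, _, bits = tok.partition("&")
    return {"host": name, "prefix_len": 32 - int(bits) if bits else None}

def _dest(tok):
    m = DEST_RE.match(tok)
    if not m:
        raise ValueError(f"bad destination: {tok!r}")
    windows = (m.group("time") or "").split(";")  # e.g. "Mon-Fri@9am-5pm;Sat@12pm-4pm"
    times = [dict(zip(("days", "hours"), w.split("@", 1))) for w in windows if w]
    return {"name": m.group("name"), "times": times, "options": _split_top(m.group("opts") or "")}

def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    # "<15/hour, 50/day>" -> {"hour": 15, "day": 50}
    thr = {p.strip(): int(n) for n, _, p in
           (t.partition("/") for t in _split_top(m.group("thr") or ""))}
    return {"eaglet": m.group("eaglet"), "thresholds": thr,
            "sources": [_source(t) for t in _split_top(m.group("src"))],
            "action": m.group("action"),
            "destinations": [_dest(t) for t in _split_top(m.group("dst"))]}

def wide_open(rules):
    """Audit helper: allow rules whose blank source field matches every host."""
    return [r for r in rules if r["action"] == "allow" and not r["sources"]]

PAGE_RULES = [  # the five rule lines quoted on this page, used as sample input
    "export, .xxx.com, 192.92.2&5 allow mine, yours(noftp), .yyy.xxx.com",
    ".edu allow .xxx.com[Mon-Fri@9am-5pm;Sat@12pm-4pm](notelnet,ftp.getonly)",
    "<15/hour, 50/day> marcus.com allow localnet",
    "badguyseaglet: allow",
    "badguyseaglet: .badguys.net deny",
]
```

Running wide_open over the parsed rules flags the blank-source "badguyseaglet: allow" line, which is the kind of entry worth confirming is scoped to the intended Eaglet only.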

tkevans@delmarva.com