# ACLs file for the plaintext module # # Example of ACL # ============== # # [Sample ACL] # gid=100,101 # which groups are concerned # gid=103 # several lines can be used # uid=100,101 # which user ids are concerned # uid=103 # several lines can be used # proto=6 # IP protocol: 1=ICMP, 6=TCP (default), 17=UDP # type=0 # Type, for ICMP protocol only # SrcIP=10.10.0.1 # Source IP, equivalent to 10.10.0.1/32 # SrcPort=1024-65535 # List of source ports (a single port is ok) # DstIP=10.10.0.5 # Destination IP address # DstIP=10.10.0.8, 10.10.1.0/24 # There can be several IP addresses/lines # DstPort=5150-5153 # List of destination ports # DstPort=22,25 # There can be several lines # decision=1 # 0=drop, 1=accept, 3=reject (2 is reserved: "no decide") # # Default values: # - decision: 1 (ACCEPT) # - protocol: 6 (TCP) # - SrcIP: any IP address # - DstIP: any IP address # - SrcPort: any port # - DstPort: any port # # Application filtering: # App=/usr/bin/perl # Several applications can be given: # App=/usr/bin/ssh # App=/usr/bin/nc # # OS checking: # OS = Linux # You can give the kernel release: # OS = Linux ; 2.6.8 # and the kernel version: # OS = Linux ; 2.6.8 ; #3 Fri Aug 27 20:37:38 CEST 2004 # (Several OS can be given) # # Interface checking: # [indev|outdev|physindev|physoutdev] = eth0 # You have to specify complete interface name and blob are # not allowed. # # Log prefix: # log_prefix = ssh # # You need to use period defined in your period handling module: # period = 24x7 # # ACL flags is an integer coding properties of the ACL: # flags = 1 # # Flags value are used by bit comparison. You can combien the following # value # * 1: do aysnchronous login on packet accepted by ACL, equivalent # to don't do Single Sign On on the ACL. # * 2: Don't log # * 4: Log synchronously (set it for SSO if not globally set) # * 8: Log strictly (set it for SSO) # Flag bits can be used to set a mark on packet. See mark_flag module. # Authentication quality can be used to limit authorization following the # type of authentication used # authquality = LEVEL # defined levels are: 0 auth by IP fallback method, 1 auth by SASL, 2 auth by certificate [ssh] gid=100 DstPort=22 App=/usr/bin/ssh OS=Linux [http] gid=100,102,103 DstPort=80 [https] gid=100 gid=102 DstPort=443 [full access for group 103] gid=103