Rules in the gateway.cf configuration file have the form:
source allow/deny destination
A rule line is selected by the closest match to the incoming host first, and then by the closest match to the outgoing host. Thus, a rule line with an exact match on the incoming host and a general match on the outgoing host supersedes a rule line with a general match on the incoming host and an exact match on the outgoing host. If more than one line matches equally well, then the first rule encountered is used.
A blank incoming or outgoing host matches all hosts. This is the most general match possible. This can also be expressed as 0.0.0.0, or just `0'. Normally, the first line of the configuration file is:
deny
This rule denies access to everyone. Subsequent rules define exceptions which permit or deny access in specific ways. Here is an example to illustrate this:
deny
.xxx.com allow .yourdomain.com
.xxx.com deny securemachine.yourdomain.com
goodguy.xxx.com allow securemachine.yourdomain.com
These rules could have been listed in any order, because a rule is selected by closeness of match rather than by position. The first rule says to deny all access unless overridden by another rule. The second line permits all machines whose official host name ends with .xxx.com (i.e., all machines in the xxx.com domain) to access all machines in the yourdomain.com domain. The third line disallows access to the specific machine securemachine.yourdomain.com from the xxx.com domain. Together, rules two and three allow machines in the xxx.com domain access to all yourdomain.com machines except securemachine. The last rule specifically allows goodguy.xxx.com access to securemachine.
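The selection procedure described above, modelled as an added Python example (it is not part of the original documentation or of the gateway software). Assumptions: closeness is ranked exact host name, then longer domain suffix, then blank/0/0.0.0.0; only host-name patterns are handled; the function names are hypothetical and None is returned when no rule matches.

```python
# Added example: models the gateway.cf rule selection described in the text.
# The numeric "closeness" score is an assumption; the page gives no formula.
RULES = """\
deny
.xxx.com allow .yourdomain.com
.xxx.com deny securemachine.yourdomain.com
goodguy.xxx.com allow securemachine.yourdomain.com
"""
ACTIONS = ("allow", "deny")
WILDCARDS = ("", "0", "0.0.0.0")      # blank, 0 and 0.0.0.0 match all hosts

def parse(text):
    """Return (source, action, destination) tuples; a blank host becomes ''."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in ACTIONS:      # blank source, e.g. a bare "deny"
            fields.insert(0, "")
        if len(fields) < 2 or fields[1] not in ACTIONS:
            raise ValueError("malformed rule: %r" % line)
        rules.append((fields[0], fields[1], fields[2] if len(fields) > 2 else ""))
    return rules

def closeness(pattern, host):
    """Score a match: None means no match, a larger number is a closer match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern in WILDCARDS:
        return 0                      # most general match possible
    if pattern.startswith("."):       # domain rule: host name ends with it
        return len(pattern) if host.endswith(pattern) else None
    return float("inf") if host == pattern else None   # exact host name

def decide(rules, incoming, outgoing):
    """Pick the rule closest on the incoming host, then on the outgoing host."""
    best_action, best_key = None, None
    for src, action, dst in rules:
        key = (closeness(src, incoming), closeness(dst, outgoing))
        if None in key:
            continue
        # Tuple order compares incoming first; strict '>' keeps the first
        # rule encountered when two rules match equally well.
        if best_key is None or key > best_key:
            best_action, best_key = action, key
    return best_action

if __name__ == "__main__":
    for src in ("goodguy.xxx.com", "other.xxx.com", "host.example.org"):
        print(src, decide(parse(RULES), src, "securemachine.yourdomain.com"))
```

Running a proposed rule set through a model like this before deploying it shows which line actually decides a given host pair, which is easy to misjudge when an exact incoming match outranks an exact outgoing one.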