Next: Authorization Rules Up: Required Authorization Fields Previous: The Default Authorization

Host/Network Designations in Authorization Rules

The source and destination fields of the authorization file may be very specific, referring to individual hosts, or general, referring to groups of hosts, to networks, or to entire Internet domains, or, if left blank, to all machines everywhere. For purposes of the authorization file, the term host may refer to any of the above and may be either remote (outside your local network) or local (inside your local network). Some examples follow.

host name
The name of an individual computer as returned by a hostname lookup. During a verification query by gwcontrol it matches only exactly. Examples: export and express.army.mil. Because the name is obtained by looking up the connecting address, a rule keyed on a host name is only as trustworthy as the name service that answers that lookup; an Internet address entry does not depend on it.

Network name
The symbolic name of a network that has been entered in the /etc/networks file. The effect is the same as if the name were replaced with the network's internet address. The netmask can be set explicitly by appending an ampersand (&) followed by a mask. The mask can take three forms: (1) a dotted quad; (2) a hex number; or (3) a decimal number of bits in the host part of the address. If you do not set the mask in this way, the file /etc/netmasks is searched. If it has no entry for the network, a netmask is generated from the class of the network.

Internet address
The IP address of a machine in dotted quad format. This must be an exact match during verification. A network address (fewer than four numbers) matches any machine on that network. Examples: 128.195.28.2 matches the single machine at that address, while 128.57 matches all machines whose addresses start with 128.57 (all hosts on the 128.57 network). The second example may also be written as 128.57.0.0. For network addresses, a netmask is generated in the same manner as described above under Network name.

Internet domain
The name of a network or group of networks, given as the tail end of a fully-qualified domain name. It matches any fully-qualified domain name that ends with it. The name begins with a '.' to distinguish it from a machine that might have the same name. Examples: .edu and .cms.xxx.com. The first matches any machine in the educational (.edu) domain; the second matches all machines in the cms.xxx.com commercial domain.

blank
If no machine is listed in either the source or destination field, all machines are matched. Note that the default rule (see above) has blanks in both the source and destination fields. An address of 0.0.0.0 is the same as leaving the field blank; it matches all machines. Use blank fields with caution: a permissive rule with a blank field grants that permission to every machine.

Under these rules, a single machine can match several different entries in the authorization file. The more specifically an entry matches a particular machine, the greater precedence it has. If more than one entry matches equally well, the first match encountered takes precedence. Use the following gwcontrol conventions to make the intended precedence of the rules in the file unambiguous:

  1. Use an exact match to either a hostname or a numerical internet address.

  2. Use the lowest level (or most specific) internet domain or internet address. Therefore, mine.cms.xxx.com more closely matches .cms.xxx.com than .xxx.com. Similarly, 128.195.28.2 more closely matches 128.195.28 than 128.195.

  3. Use either a blank field or 0.0.0.0 for a rule which matches all machines.
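The matching and precedence rules above, worked through as an added example in Python; this is not code from gwcontrol or its authors. It assumes a constructed in-memory stand-in for /etc/networks (NETWORKS), takes the page's wording for the decimal mask form (bits in the host part) literally, does not model the /etc/netmasks lookup, accepts the '&mask' suffix on a dotted numeric entry as well as on a network name (the page shows it only on network names), and, where a domain entry and a network entry both match, compares label count against prefix length on one scale, which the page does not define. The RULES list is constructed sample data.

```python
import ipaddress

# Constructed stand-in for /etc/networks: symbolic network name -> address.
NETWORKS = {"labnet": "128.195.28"}

def parse_mask(text):
    """Parse the three explicit netmask forms the page lists after '&':
    a dotted quad, a hex number, or a decimal number of bits in the
    host part of the address (the page's wording, taken literally here)."""
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    if text.lower().startswith("0x"):
        return int(text, 16) & 0xFFFFFFFF
    host_bits = int(text)
    if not 0 <= host_bits <= 32:
        raise ValueError("host bits out of range: %s" % text)
    return (0xFFFFFFFF << host_bits) & 0xFFFFFFFF

def classful_mask(addr):
    """Default mask from the address class (the /etc/netmasks lookup the
    page mentions is not modelled; assumption for this example)."""
    first = addr >> 24
    if first < 128:
        return 0xFF000000
    if first < 192:
        return 0xFFFF0000
    return 0xFFFFFF00

def parse_designation(field):
    """Classify one source/destination field as (kind, value, specificity).
    Higher specificity wins when several rules match the same host."""
    field = field.strip()
    if field in ("", "0.0.0.0"):
        return ("any", None, 0)
    if field.startswith("."):
        # Domain suffix: more labels means a lower-level, more specific domain.
        return ("domain", field.lower(), field.count("."))
    body, _, mask_text = field.partition("&")
    body = NETWORKS.get(body, body)          # network name -> its address
    parts = body.split(".")
    if 1 <= len(parts) <= 4 and all(p.isdigit() for p in parts):
        padded = ".".join(parts + ["0"] * (4 - len(parts)))
        addr = int(ipaddress.IPv4Address(padded))
        if mask_text:
            mask = parse_mask(mask_text)
        elif len(parts) < 4:
            mask = (0xFFFFFFFF << (8 * (4 - len(parts)))) & 0xFFFFFFFF
        else:
            mask = classful_mask(addr)
        # A full dotted quad with a non-zero host part is a single machine;
        # 128.57.0.0 has an empty host part under its classful mask, so it
        # designates the 128.57 network, as the page says.
        if len(parts) == 4 and not mask_text and addr & (mask ^ 0xFFFFFFFF):
            return ("host_ip", addr, 100)
        return ("network", (addr & mask, mask), bin(mask).count("1"))
    return ("host_name", field.lower(), 100)

def matches(designation, host_name, host_ip):
    """Does one parsed designation match a host known by name and address?"""
    kind, value, _ = designation
    name = host_name.lower()
    ip = int(ipaddress.IPv4Address(host_ip))
    if kind == "any":
        return True
    if kind == "host_name":
        return name == value
    if kind == "host_ip":
        return ip == value
    if kind == "domain":
        return name.endswith(value)
    net, mask = value
    return ip & mask == net

def select_rule(rules, host_name, host_ip, field="source"):
    """Index and rule of the most specific match; ties go to the earliest rule."""
    best = None
    for idx, rule in enumerate(rules):
        desig = parse_designation(rule[field])
        if matches(desig, host_name, host_ip):
            if best is None or desig[2] > best[0]:   # strict '>' keeps the first of equals
                best = (desig[2], idx)
    return None if best is None else (best[1], rules[best[1]])

# Constructed rules, in file order; only the source field matters here.
RULES = [
    {"source": "",              "action": "deny"},    # default rule: every machine
    {"source": ".xxx.com",      "action": "permit"},
    {"source": ".cms.xxx.com",  "action": "deny"},
    {"source": "128.195",       "action": "permit"},
    {"source": "labnet&8",      "action": "deny"},    # 128.195.28 with an 8-bit host part
    {"source": "128.195.28.2",  "action": "permit"},
    {"source": "128.57.0.0",    "action": "permit"},
    {"source": "128.195.28",    "action": "permit"},  # ties with rule 4; rule 4 comes first
]

if __name__ == "__main__":
    for name, ip in [("mine.cms.xxx.com", "10.1.2.3"), ("export", "128.195.28.2"),
                     ("x.army.mil", "128.195.28.9"), ("y.army.mil", "128.57.3.4"),
                     ("z.example", "192.168.1.1")]:
        idx, rule = select_rule(RULES, name, ip)
        print("%-18s %-14s -> rule %d (%s) %s" % (name, ip, idx, rule["source"], rule["action"]))
```

The two subnet rules (4 and 7) show the tie-break: both are /24 matches for 128.195.28.9, and the earlier one wins, so the order in which you write equally specific entries is part of the policy.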





tkevans@delmarva.com