Name
TELGUEST.ACL -- TELNET Guest Egress Control File (Optional).
Description
The TELGUEST.ACL file contains "rules" to control which
destinations are allowed to be accessed by "guest" users
using the TELNET command.
The rules allow you to specify which destination IP
addresses and TCP ports may be accessed by specified
source IP ranges.
If the file is not present, or contains no valid rules,
all destinations are blocked. Attempting to access
a blocked destination causes the "Access Denied" response.
If the facility is enabled by suitable entries in
ACCESS.SYS, "Guest" users are those who access XRPi via
Telnet, using the password "guest". As it is not known if
they are genuine Radio Hams, they are prevented from
downlinking to any AX25 or NetRom destination, but the
sysop may choose to allow them to access certain other
destinations using this file.
Format
The format of the entries in TELGUEST.ACL is the same as
other .ACL (Access Control List) files.
Each "rule" is specified on a separate line. Blank lines,
or lines beginning with ';' or '#' are ignored. The
maximum line length is 255 characters.
Within each rule, fields must be separated by one or
more spaces or tabs. The fields are as follows:
<action> <src_ip>[/mask] <dst_ip>[/mask] <port(s)>
The fields have the following meaning:
<action>   PERMIT  Allow egress
           DENY    Prevent egress
<src_ip>   Source IP address (uplinked user).
<dst_ip>   Destination IP address (target system).
[mask]     Optional field.
           Either: No. of bits (0-32) of address to
                   match from left to right,
           Or:     Subnet mask in form n.n.n.n
<port(s)>  One or more TCP service numbers (0-65535) on
           the target system. Allowed formats are "n",
           "n,n,n", "n-n" or combination thereof.
In the <src_ip> and <dst_ip> fields, 0.0.0.0/0 specifies
"all addresses".
Note
Rule testing stops at the *first* matching "permit" or
"deny" statement, so it is vital that the list is ordered
correctly. For instance, to allow Internet users to
access all LAN ports except 513 it would be ok to use:
deny 0.0.0.0/0 192.168.0.0/24 513
permit 0.0.0.0/0 192.168.0.0/24 1-65535
but if the entries were reversed, the "permit" rule would
match every case and the "deny" rule wouldn't be actioned.
Examples
; Allow LAN users to telnet to anyone:
PERMIT 192.168.0.0/24 0.0.0.0/0 0-65535
;
; Allow Internet users to telnet only to ports 23
; and 80 on the BBS machine:
PERMIT 0.0.0.0/0 192.168.0.4 80,23
;
; Allow Amprnet users to access any Amprnet destination
PERMIT 44.0.0.0/8 44.0.0.0/8 0-65535
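The rule grammar from the Format section and the first-match semantics from the Note above, as an added worked example (not XRPi's own code): a small Python checker that parses a TELGUEST.ACL-style file and decides whether a guest's egress is allowed, so the sysop can test rule ordering before deploying. The file content below is constructed for illustration; the rejection of malformed lines is a choice made here, and the "no rules means everything blocked" behaviour follows the Description section.

```python
import ipaddress

# Constructed sample file content; the comment lines are skipped exactly
# as the Format section describes (';' or '#' at line start, blank lines).
SAMPLE_ACL = """
; deny 513 first, then permit the rest of the LAN (order matters)
deny   0.0.0.0/0 192.168.0.0/24 513
permit 0.0.0.0/0 192.168.0.0/24 1-65535
# Amprnet users may reach any Amprnet destination
PERMIT 44.0.0.0/8 44.0.0.0/8 0-65535
"""

def _net(spec):
    # <ip>[/mask]: mask is a bit count (0-32) or dotted n.n.n.n; ipaddress
    # accepts both.  A bare address means exactly that one host (/32).
    return ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)

def _ports(spec):
    # "n", "n,n,n", "n-n" or any combination, each 0-65535; returned as ranges.
    ranges = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ranges.add((lo, hi))
    return ranges

def parse_acl(text):
    """Return a list of (action, src_net, dst_net, port_ranges) in file order."""
    rules = []
    for raw in text.splitlines():
        if len(raw) > 255:
            raise ValueError("line exceeds the 255-character maximum")
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        action, src, dst, ports = line.split()  # ValueError if not 4 fields
        action = action.upper()
        if action not in ("PERMIT", "DENY"):
            raise ValueError(f"unknown action {action!r}")
        rules.append((action, _net(src), _net(dst), _ports(ports)))
    return rules

def egress_allowed(rules, src_ip, dst_ip, port):
    """First matching PERMIT/DENY decides; no match (or no rules) blocks."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, snet, dnet, ranges in rules:
        if src in snet and dst in dnet and any(lo <= port <= hi for lo, hi in ranges):
            return action == "PERMIT"
    return False
```

Swapping the two LAN rules in SAMPLE_ACL makes egress_allowed() return True for port 513, which is the ordering mistake the Note warns about.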
Files
If required, TELGUEST.ACL must be located in the same
directory as the XRPi executable.
See also
ACCESS.SYS(8) -- Telnet Access Control File.
HTTP.ACL(8) -- HTTP Proxy Egress Control File.
SOCKS.ACL(8) -- SOCKS Proxy Egress Control File.
TELPROXY.ACL(8) -- Telnet Proxy Egress Control File.