XRPi Documentation - System Files

TELPROXY.ACL

Name

TELPROXY.ACL -- TELNET Proxy Egress Control File (Optional).

Description

The TELPROXY.ACL file contains "rules" to control which destinations are allowed to be accessed via the Telnet proxy.

The rules allow you to specify which destination IP addresses and TCP ports may be accessed by specified source IP ranges.

If the file is not present, or contains no valid rules, all destinations are blocked. Attempting to access a blocked destination causes the proxy session to disconnect.

If the rules in ACCESS.SYS are such that your Telnet proxy is accessible without a password, then egress control is vital to prevent miscreants from using your Telnet proxy to access other systems while hiding their own IP address.

Format

The format of the entries in TELPROXY.ACL is the same as other .ACL (Access Control List) files.

Each "rule" is specified on a separate line. Blank lines, and lines beginning with ';' or '#', are ignored. The maximum line length is 255 characters.

Within each rule, fields must be separated by one or more spaces or tabs. The fields are as follows:

        <action> <src_ip>[/mask] <dst_ip>[/mask] <port(s)>

The fields have the following meaning:

        <action>   PERMIT  Allow egress
                   DENY    Prevent egress

        <src_ip>   Source IP address (uplinked user).

        <dst_ip>   Destination IP address (target system).

        [mask]     Optional field.
                   Either: No. of bits (0-32) of address to
                           match from left to right,
                   Or:     Subnet mask in form n.n.n.n

        <port(s)>  One or more TCP service numbers (0-65535) on
                   the target system.  Allowed formats are "n",
                   "n,n,n", "n-n" or combination thereof.

In the <src_ip> and <dst_ip> fields, 0.0.0.0/0 specifies "all addresses".

Note

Rule testing stops at the *first* matching "permit" or "deny" statement, so it is vital that the list is ordered correctly. For instance, to allow Internet users to access all LAN ports except 513, you could use:

	deny	0.0.0.0/0  192.168.0.0/24  513
	permit	0.0.0.0/0  192.168.0.0/24  1-65535

but if the entries were reversed, the "permit" rule would match every case and the "deny" rule would never be reached.
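As an added example (not part of the XRPi documentation and not XRPi's own code), the following Python script evaluates a TELPROXY.ACL rule set the way the Format and Note sections describe: the first matching PERMIT or DENY wins, and no match means the session is blocked. It also flags rules that an earlier rule makes unreachable, which is the ordering mistake the Note warns about. The rule text embedded below is the Note's own pair of lines in both orders; the function names, the choice to reject malformed lines, and the treatment of a bare address as a single-host (/32) match are this example's assumptions, not documented XRPi behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set

# Added example, not XRPi code. Assumed semantics (from this page):
# first matching PERMIT/DENY wins; no match, or no rules at all, means DENY.


@dataclass
class Rule:
    action: str                      # "PERMIT" or "DENY"
    src: ipaddress.IPv4Network       # <src_ip>[/mask]
    dst: ipaddress.IPv4Network       # <dst_ip>[/mask]
    ports: Set[int]                  # expanded <port(s)> field


def parse_mask(field: str) -> ipaddress.IPv4Network:
    """Parse "a.b.c.d", "a.b.c.d/bits" or "a.b.c.d/n.n.n.n".
    Assumption: a bare address with no mask means that one host (/32)."""
    if "/" not in field:
        field += "/32"
    # strict=False tolerates host bits set under a shorter mask
    return ipaddress.IPv4Network(field, strict=False)


def parse_ports(spec: str) -> Set[int]:
    """Expand "n", "n,n,n", "n-n" or any combination into a set of ports."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, hi = (part.split("-", 1) if "-" in part else (part, part))
        lo, hi = int(lo), int(hi)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_acl(text: str) -> List[Rule]:
    """Parse TELPROXY.ACL text; malformed lines raise (this example's choice)."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw) > 255:
            raise ValueError(f"line {lineno}: exceeds 255 characters")
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                     # blank or comment line
        fields = line.split()            # one or more spaces/tabs
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        action = fields[0].upper()
        if action not in ("PERMIT", "DENY"):
            raise ValueError(f"line {lineno}: unknown action {fields[0]!r}")
        rules.append(Rule(action, parse_mask(fields[1]),
                          parse_mask(fields[2]), parse_ports(fields[3])))
    return rules


def egress_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First-match evaluation; anything unmatched is blocked."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and port in rule.ports:
            return rule.action == "PERMIT"
    return False


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every source, destination and port they mention."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and later.ports <= earlier.ports):
                shadowed.append(i)
                break
    return shadowed


# Constructed input: the two orderings discussed in the Note above.
CORRECT_ORDER = """
; deny is listed first, so it is tested before the broad permit
deny    0.0.0.0/0  192.168.0.0/24  513
permit  0.0.0.0/0  192.168.0.0/24  1-65535
"""

REVERSED_ORDER = """
permit  0.0.0.0/0  192.168.0.0/24  1-65535
deny    0.0.0.0/0  192.168.0.0/24  513
"""

if __name__ == "__main__":
    for name, text in (("correct", CORRECT_ORDER), ("reversed", REVERSED_ORDER)):
        rules = parse_acl(text)
        print(name, "port 513 allowed:",
              egress_allowed(rules, "203.0.113.7", "192.168.0.10", 513),
              "shadowed rules:", shadowed_rules(rules))
```

Running the script prints that the correct ordering blocks port 513 with no shadowed rules, while the reversed ordering allows it and reports rule index 1 (the deny) as unreachable. `shadowed_rules` is the check to run over a real TELPROXY.ACL before deploying it: any index it returns is a rule that the first-match semantics will never consult.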

Examples

; Allow LAN users to tunnel to anyone:
PERMIT 192.168.0.0/24  0.0.0.0/0  0-65535
;
; Allow Internet users to tunnel only to certain
; ports on the node machine:
PERMIT 0.0.0.0/0  192.168.0.245  23,87,1448,3600
;
; Allow Internet users to tunnel only to ports 23
; and 80 on the BBS machine:
PERMIT 0.0.0.0/0  192.168.0.4  80,23
;
; Allow Amprnet users to access any Amprnet destination
PERMIT 44.0.0.0/8  44.0.0.0/8  0-65535

Files

If required, TELPROXY.ACL must be located in the same directory as the XRPi executable.

See also

SOCKS.ACL(8) -- SOCKS Proxy Egress Control File
TELGUEST.ACL(8) -- Telnet Egress Control for Guest Users.
HTTP.ACL(8) -- HTTP Proxy Egress Control File