Next: , Previous: , Up: Configuration   [Contents][Index]

3.4 Access Control Lists

Access control lists, or ACLs for short, are lists of permissions that control access to ‘inetd’, ‘accept’ and ‘meta1’-style components.

An ACL is defined using acl block statement:

Config: acl
acl {

This statement is allowed both in global context and within a ‘component’ block. If both are present, the global-level ACL is consulted first, and if it allows access, the component ACL is consulted. As a result, access is granted only if both lists allow it.

A named ACL is an access control list which is assigned its own name. Named ACLs are defined using the ‘defacl’ statement:

Config: defacl name
defacl name {

The name parameter specifies a unique name for that ACL. Named ACLs are applied only if referenced from another ACL (either global or a per-component one, or any named ACL, referenced from these). See ACL references, below.

In both forms, the part between the curly braces (denoted by definitions), is a list of access control statements. There are two types of such statements:

Config: acl: allow [user-group] sub-acl host-list
Config: acl: allow any

Allow access to the component.

Config: acl: deny [user-group] sub-acl host-list
Config: acl: deny any

Deny access to the component.

All parts of an access statement are optional, but at least one of them must be present. The user-group part is reserved for future use and is described in more detail in User-Group ACLs.

The sub-acl part, if present, allows to branch to another ACL. The syntax of this part is:

acl name

where name is the name of an ACL defined previously in ‘defacl’ statement.

The host-list group allows to match client addresses. It consists of the from keyword followed by a list of address specifiers. Allowed address specifiers are:


Matches if the client IP equals addr. The latter may be given either as an IP address or as a host name, in which case it will be resolved and the first of its IP addresses will be used.


Matches if first netlen bits from the client IP address equal to addr. The network mask length, netlen, must be an integer number in the range from 0 to 32. The address part, addr, is as described above.


The specifier matches if the result of logical AND between the client IP address and netmask equals to addr. The network mask must be specified in “dotted quad” form, e.g. ‘’.


Matches if connection was received from a UNIX socket filename, which must be given as an absolute file name.

The special form ‘allow any’ means to allow access unconditionally. Similarly, ‘deny any’, denies access unconditionally. Normally, one of these forms appears as the last statement in an ACL definition.

To summarize, the syntax of an access statement is:

allow|deny [acl name] [from addr-list]

where square brackets denote optional parts.

When an ACL is checked, its entries are tried in turn until one of them matches, or the end of the list is reached. If a matched entry is found, its command verb, allow or deny, defines the result of the ACL check. If the end of the list is reached, the result is ‘allow’, unless explicitly specified otherwise (using the “any” form.)

For example, the following ACL allows access for anybody coming from networks ‘’ and ‘’, or any connection that matches the named ACLmy-nets’ (which is defined elsewhere in the configuration file). Access is denied for anybody else:

acl {
    allow from (,;
    allow acl "my-nets";
    deny all;

Next: , Previous: , Up: Configuration   [Contents][Index]