na_protocolaccess - Describes protocol access control
Protocol access control defines a method to restrict
access to the filer on a protocol-by-protocol basis. For
example, the command options rsh.access host=admin
restricts access to rsh to a host named admin. Access can
be restricted by host name, IP address, and/or network
interface name.
The syntax is as follows:
    options protocol.access access_spec [ AND | OR [ ( ] access_spec [ ) ] ... ]
protocol is currently one of the following: rsh, telnet,
ssh, httpd, httpd.admin, snmp, ndmpd, snapmirror, or snapvault.
access_spec is composed of keywords and their values.
Currently the following keywords and values are defined:
    host [=|!=] host spec
    netgroup [=|!=] netgroup spec
    if [=|!=] network interface spec
    all
    none
    legacy
    *
host spec is a comma separated list consisting of either a
host name, an IP address, or an IP address with a netmask.
A valid host name is a string that cannot contain the
following characters: "=", "(", ")", "!", "*", and ",". An
IP address can be either an IPv4 address or an IPv6
address. An IPv4 address is of the format aa.bb.cc.dd. If
the IP address contains a netmask, then the format is
aa.bb.cc.dd/mm, where mm represents the number of bits from
the left. An IPv6 address is of the format
aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh. If the IPv6
address contains a prefixlen, then the format is
aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh/mm, where mm
represents the number of bits from the left.
network interface spec is a comma separated list of one or
more network interface names. Valid network interface
names can be obtained from the ifconfig -a command.
netgroup spec is a comma separated list consisting of the
names of one or more netgroups (groups of hosts).
Access specs may be combined with the keywords AND and OR.
The keywords AND and OR are not case-sensitive.
Operators are evaluated from left to right. Parentheses
may be used to force the order of evaluation.
The keyword all is used to allow access to all. The
keyword none is used to deny all access. The legacy
keyword is used to specify previous behavior. For example,
the legacy behavior of telnet is to use
trusted.hosts, while the legacy behavior of rsh is to
allow all.
The access spec can be a "*" which matches all. This is
the same as the all keyword. If the access spec is a "-",
then all access is denied. This is the same as the none
keyword.
The difference between setting the host value to an IP
address or a host name becomes apparent when the matching
occurs. IP addresses are matched before the connection is
made. If access is denied, the connection is not made and
the client times out. Therefore, specifying the IP
address lessens the impact of denial of service attacks.
Host names are matched after the connection is made, and
therefore the client is informed that access is denied.
If httpd.admin.access is not set to legacy, then
trusted.hosts is ignored for httpd.admin. If telnet.access
is not set to legacy, then trusted.hosts is
ignored for telnet. If snapmirror.access is not set to
legacy, then the /etc/snapmirror.allow file is ignored for
snapmirror destination checking.
Here are some protocol access control examples:
Allow an NDMP server to accept control connection requests
from any client.
    options ndmpd.access legacy
Allow remote shell access for only one host named gnesha.zo.
    options rsh.access "host = gnesha.zo"
Allow access for Telnet subnet 10.42.69.
    options telnet.access host=10.42.69.1/24
Allow access for Telnet to all hosts with prefix matching
3FFE:81D0:107:2082.
    options telnet.access host=3FFE:81D0:107:2082::1/64
Allow ssh access for hosts abc and xyz when on network
interface e0.
    options ssh.access "host=abc,xyz AND if=e0"
Allow access to SNMP for network interfaces e0, e1, and
e2.
    options snmp.access if=e0,e1,e2
Do not allow access to HTTPD for network interface e3.
    options httpd.access "if != e3"
Allow access to administrative HTTPD for two hosts.
    options httpd.admin.access host=champagne,tequilla
Disallow all access to Telnet.
    options telnet.access "host=-"
Set httpd.admin to use the previous trusted.hosts access.
    options httpd.admin.access legacy
Point SnapMirror to the (deprecated) /etc/snapmirror.allow
file to check access to sources from other filers.
    options snapmirror.access legacy
Allow a SnapVault server to accept any client requests.
    options snapvault.access all
Allow telnet access for all hosts in the netgroups
admin_hosts and it_hosts. Both netgroups admin_hosts and
it_hosts are defined in /etc/netgroup.
    options telnet.access "netgroup = admin_hosts,it_hosts"
Allow telnet access for all hosts except those in the netgroup
admin_hosts. Netgroup admin_hosts is defined in
/etc/netgroup.
    options telnet.access "netgroup != admin_hosts"
Note: quotes are needed around access specifications that
include blanks.
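The access_spec rules described above (host, netgroup and if clauses with = or !=, the all, none, legacy, "*" and "-" forms, and AND/OR applied from left to right with parentheses forcing grouping) as a small evaluator, added here as an illustration; it is not part of this man page or of Data ONTAP. The NETGROUPS table is a constructed stand-in for /etc/netgroup, the client dictionary (ip, hostname, interface) and the `legacy` flag are assumptions, and the specs it is exercised with are the ones from the examples above. The host matcher keeps the page's distinction: address entries are compared against the client IP, name entries against the resolved host name.

```python
import ipaddress
import re

# Constructed stand-in for /etc/netgroup (assumption; the group and host
# names are the ones used in this page's examples).
NETGROUPS = {"admin_hosts": {"gnesha.zo", "champagne"}, "it_hosts": {"tequilla"}}

# One token per match: a parenthesis, "!=", "=", or a run of other text.
TOKEN_RE = re.compile(r"\s*(\(|\)|!=|=|[^\s()=!]+)")

def tokenize(spec):
    spec = spec.strip().strip('"').strip()  # the CLI quotes specs with blanks
    tokens, pos = [], 0
    while pos < len(spec):
        m = TOKEN_RE.match(spec, pos)
        if m is None:
            raise ValueError(f"bad access spec near {spec[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def match_host(values, client):
    """host spec: comma separated host names, IPs, or IP/prefix entries."""
    for entry in values.split(","):
        if entry in ("*", "-"):           # same as the all / none keywords
            return entry == "*"
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an address, so a host name: compared after the connection is made.
            if entry == client["hostname"]:
                return True
            continue
        # Address entries are compared before the connection is accepted.
        if ipaddress.ip_address(client["ip"]) in net:
            return True
    return False

MATCHERS = {
    "host": match_host,
    "netgroup": lambda v, c: any(c["hostname"] in NETGROUPS.get(g, set())
                                 for g in v.split(",")),
    "if": lambda v, c: c["interface"] in v.split(","),
}

class Parser:
    """Evaluates an access_spec as it is parsed: AND/OR left to right, parentheses group."""

    def __init__(self, spec, client, legacy):
        self.toks, self.i = tokenize(spec), 0
        self.client, self.legacy = client, legacy

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]  # IndexError means the spec ended too early

    def expr(self):
        result = self.term()
        while (self.peek() or "").upper() in ("AND", "OR"):
            op, rhs = self.take().upper(), self.term()
            result = (result and rhs) if op == "AND" else (result or rhs)
        return result

    def term(self):
        tok = self.take()
        if tok == "(":
            result = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return result
        word = tok.lower()
        if word in ("all", "*"):
            return True
        if word in ("none", "-"):
            return False
        if word == "legacy":              # protocol-specific previous rule
            return self.legacy
        if word not in MATCHERS:
            raise ValueError(f"unknown keyword {tok!r}")
        op = self.take()
        if op not in ("=", "!="):
            raise ValueError(f"expected = or != after {tok}")
        matched = MATCHERS[word](self.take(), self.client)
        return matched if op == "=" else not matched

def allowed(spec, client, legacy=False):
    """True if client (ip, hostname, interface) may use the protocol; `legacy` is the assumed legacy verdict."""
    parser = Parser(spec, client, legacy)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result

if __name__ == "__main__":
    client = {"ip": "10.42.69.200", "hostname": "abc", "interface": "e1"}
    for spec in ("host=abc OR host=xyz AND if=e0", "host=abc OR (host=xyz AND if=e0)"):
        print(spec, "->", allowed(spec, client))
```

Running it shows the left-to-right rule in action: for a client named abc on interface e1, `host=abc OR host=xyz AND if=e0` is denied because the OR result is then ANDed with the failing interface test, while `host=abc OR (host=xyz AND if=e0)` is allowed.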
SEE ALSO
na_options(1), na_http(8), na_rshd(8), na_snmpd(8), na_netgroup(5)