5-30
Configuration
The IP Security Function employs a TCP Wrapper program, which allows the use of
standard Linux operators, wild cards and net/mask pairs to create a host-based access
control list.
As shown in Figures 5.13 and 5.14, the IP Security configuration menus include
"hosts.allow" and "hosts.deny" client lists. Basically, when setting up IP Security, you
must enter IP addresses for hosts you wish to allow in the Allow list, and addresses for
hosts you wish to deny in the Deny list. Since Linux operators, wild cards and net/mask
pairs are allowed, these lists can indicate specific addresses, or a range of addresses to
be allowed or denied.
When the IP Security feature is properly enabled, and a client attempts to connect, the
RSM will perform the following checks:
1. If the client’s IP address is found in the "hosts.allow" list, the client will be granted
immediate access. Once an IP address is found in the Allow list, the RSM will not
check the Deny list, and will assume you wish to allow that address to connect.
2. If the client’s IP address is not found in the Allow list, the RSM will then proceed to
check the Deny list.
3. If the client’s IP Address is found in the Deny list, the client will not be allowed to
connect.
4. If the client’s IP Address is not found in the Deny list, the client will be allowed to
connect, even if the address was not found in the Allow list.
Notes:
If the RSM finds an IP Address in the Allow list, it will not check the Deny list,
and will allow the client to connect.
If both the Allow and Deny lists are left blank, then the IP Security feature will
be disabled, and all IP Addresses will be allowed to connect (provided that
the proper password and/or SSH key is supplied).
When the Allow and Deny lists are defined, the user is only allowed to specify
the Client List; the Daemon List and Shell Command cannot be defined.
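The four checks above, modelled as an added Python example (this is not the RSM's own code). It assumes each list is a comma- or whitespace-separated string of client patterns, and that the patterns are of the three forms the text mentions: a trailing-dot prefix such as "192.", a net/mask pair such as "10.0.0.0/255.255.255.0", and the TCP Wrapper ALL wild card.

```python
import ipaddress
import re


def _matches(pattern, ip):
    """True if one client-list pattern matches the client IP (assumed pattern forms)."""
    pattern = pattern.strip()
    if not pattern:
        return False
    if pattern.upper() == "ALL":            # TCP Wrapper wild card: every host
        return True
    if "/" in pattern:                      # net/mask pair, e.g. 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(ip) in network
    if pattern.endswith("."):               # leading octets, e.g. "192." matches 192.x.x.x
        return ip.startswith(pattern)
    return ip == pattern                    # exact host address


def _in_list(client_list, ip):
    """Split an Allow/Deny list on commas or whitespace and test each entry."""
    return any(_matches(p, ip) for p in re.split(r"[\s,]+", client_list) if p)


def check_access(allow_list, deny_list, ip):
    """Apply the RSM's decision order to one client. Returns (allowed, reason)."""
    ipaddress.ip_address(ip)                # reject malformed input early
    # Both lists blank: IP Security is disabled, everything is admitted.
    if not allow_list.strip() and not deny_list.strip():
        return True, "ip security disabled (both lists blank)"
    # Step 1: a hit in hosts.allow wins; the Deny list is never consulted.
    if _in_list(allow_list, ip):
        return True, "in hosts.allow (deny list not checked)"
    # Steps 2-3: not allowed explicitly, so consult hosts.deny.
    if _in_list(deny_list, ip):
        return False, "in hosts.deny"
    # Step 4: in neither list, the client is still admitted (default allow).
    return True, "in neither list (default allow)"


if __name__ == "__main__":
    # Constructed sample lists: an allow-only whitelist versus one that closes step 4.
    for allow, deny in (("192.", ""), ("192.", "ALL")):
        for client in ("192.168.1.7", "10.0.0.5"):
            print(allow or "-", "|", deny or "-", "|", client, "->", check_access(allow, deny, client))
```

Because of step 4, an Allow list on its own admits every host it does not name; the lists only become a true whitelist when the Deny list carries the ALL wild card, as the second sample pair shows.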
5.8.3.1. Adding IP Addresses to the Allow and Deny Lists
To add an IP Address to the Allow or Deny list, and begin configuring the IP Security
feature, proceed as follows.
Notes:
Both the Allow and Deny list can include Linux operators, wild cards, and
net/mask pairs.
In some cases, it is not necessary to enter all four "digits" of the IP Address.
For example, if you wish to allow access to all IP addresses that begin with
"192," then you would only need to enter "192."
The IP Security Configuration menu is only available when the Supervisor
Mode is active.