23.7.1 How Client Access Filters Work

The Messaging Server access-control facility is a program that listens at the same port as the TCP daemon it serves; it uses access filters to verify client identity, and it gives the client access to the daemon if the client passes the filtering process.

As part of its processing, the Messaging Server TCP client access-control system performs (when necessary) the following analyses of the socket end-point addresses:

• Reverse DNS lookups of both end points (to perform name-based access control)

• Forward DNS lookups of both end points (to detect DNS spoofing)

• Identd callback (to check that the user on the client end is known to the client host)

The system compares this information against access-control statements called filters to decide whether to grant or deny access. For each service, separate sets of Allow filters and Deny filters control access. Allow filters explicitly grant access; Deny filters explicitly forbid access.

When a client requests access to a service, the access-control system compares the client’s address or name information to each of that service’s filters—in order—using these criteria:

• The search stops at the first match. Because Allow filters are processed before Deny filters, Allow filters take precedence.

• Access is granted if the client information matches an Allow filter for that service.

• Access is denied if the client information matches a Deny filter for that service.

• If no match with any Allow or Deny filter occurs, access is granted—except in the case where there are Allow filters but no Deny filters, in which case lack of a match means that access is denied.

The filter syntax described here is flexible enough that you should be able to implement many different kinds of access-control policies in a simple and straightforward manner. You can use both Allow filters and Deny filters in any combination, even though you can probably implement most policies by using almost exclusively Allows or almost exclusively Denies.

The following sections describe filter syntax in detail and give usage examples. The section 23.7.4 To Create Access Filters for Services gives the procedure for creating access filters.