$Id: access-control.txt,v 1.2 2003/07/02 22:19:41 dancy Exp $

*hosts-allow* and *hosts-deny* control which hosts are allowed to
 access the NFS server.  When an NFS or mount request comes in, the IP
 address of the host making the request is matched against the entries
 in *hosts-allow* first, then the entries in *hosts-deny*, until a
 match is found.  The first match found is used.  If no match is
 found, access is allowed.  Therefore, if both *hosts-allow* and
 *hosts-deny* are empty lists, all clients will be allowed access.

 *hosts-allow* and *hosts-deny* should be list of IP addresses and
 optional masks.  An IP address/mask is a string like so:

 "a.b.c.d" -- Exact match of IP address a.b.c.d.
 "a.b.c.d/w.x.y.z" -- IP address/netmask format.  Matches a group of hosts.
 "a.b.c.d/m" -- CIDR network format.  Matches a group of hosts.
 t -- (the symbol, not a string) matches all hosts.

 Examples:

 "192.168.5.0/255.255.255.0" will match all 192.168.5.XXX hosts.
 "192.168.5.0/24" will match all 192.168.5.XXX hosts as well.
 
 If you want a "deny all but some" setup, you can use configuration
 values like so: (in nfs.cfg)

 (*hosts-allow* ("192.168.5.32" "192.168.5.99" "10.1.3.0/24"
                 "10.16.0.0/255.255.0.0"))
 (*hosts-deny* (t))

 This will allow hosts 192.168.5.32, 192.168.5.99, all 10.1.3.x hosts,
 and all 10.16.x.x hosts to talk to the NFS service and any other host
 will be denied.

 If you want a "allow all but some" setup, you can do something like:

 (*hosts-allow* nil)
 (*hosts-deny* ("192.0.0.0/8" "10.0.0.0/255.0.0.0"))

 This will allow all hosts except for 192.x.x.x and 10.x.x.x hosts to
 talk to the NFS server.


  


