[Techtalk] NNTPCache - Access List
k15a-list-linuxchix at theotherbell.com
Sat Jun 21 13:20:39 EST 2003
Quoting Subba Rao <subba9 at cablespeed.com>:

> I am new to NNTPCache server. The compilation and installation went
> fine but I am having little trouble understanding the configuration.
> The first line says the default policy is "no access" and yet it opens
> it up to pretty much everything. The configuration says that the
> developers have access no matter what the configuration file says. Is
> this the sick joke while documenting the configuration file or is it real?

I'm not familiar with NNTPCache, but the rules look a lot like firewall
rules. For instance, it appears that the server will process all the rules
in order from start to finish. That is, it looks at the first rule and
says "I think I'll let this user read"; then it moves to the second rule
and depending on what's there, it may change its mind and say "I think I'll
deny access". So forth and so on to the end of the rules, at which point
the final accumulation of rights determines what the user can or cannot do.

The "quick" directive terminates processing for the rest of the rules file.
So... if you go back and read the part about developers, it makes sense:
developers get full access regardless of what the rest of the rules say.

As for the default policy, they probably mean exactly that. If you don't
have any rules, all access is denied. But the very first rule allows
everyone to read and post, essentially disabling the default. Note that
the first rule does not include the quick directive, so a given user would
be granted a particular type of access only if they make it through the
rest of the rules without finding a match that says otherwise.

Does this make sense?

> According to the configuration.access file, there are a bunch of sites
> servers that can access the server. Although my iptables would limit
> access, is there a lot of careless access to the new servers these days?

Hmmm... I'm always amazed when I turn on full logging for my firewall and
watch what happens. If a server gives you a sophisticated facility for
exercising full control over who gets in, that's incentive enough for me to
use it :)
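
The evaluation order described in the reply above (default deny, every matching rule applied in order, "quick" ending processing), modeled as an added example that is not part of the original post and not NNTPCache's own code. The tuple rule format and the host names are constructed for illustration and are not NNTPCache's configuration syntax.

```python
from fnmatch import fnmatchcase

# Constructed rule set in a hypothetical format (NOT NNTPCache syntax).
# Each rule: (host pattern, rights it sets, quick flag).
RULES = [
    ("*",                 {"read": True,  "post": True},  False),  # opens everything
    ("*.dev.example.org", {"read": True,  "post": True},  True),   # quick: stop here
    ("*.example.org",     {"post": False},                False),  # read-only site
    ("bad.example.org",   {"read": False, "post": False}, False),  # later rule wins
]


def evaluate(host, rules):
    """Return (rights, trace): final rights and indexes of the rules applied."""
    rights = {"read": False, "post": False}  # default policy: no access
    trace = []
    for index, (pattern, sets, quick) in enumerate(rules):
        if not fnmatchcase(host, pattern):
            continue
        rights.update(sets)  # a later match overrides an earlier one
        trace.append(index)
        if quick:            # "quick" ends processing for this client
            break
    return rights, trace


def dead_rules(rules):
    """Indexes of rules placed after a quick catch-all; they can never run."""
    for index, (pattern, _sets, quick) in enumerate(rules):
        if quick and pattern == "*":
            return list(range(index + 1, len(rules)))
    return []


if __name__ == "__main__":
    for host in ("reader.example.com", "build.dev.example.org",
                 "news.example.org", "bad.example.org"):
        rights, trace = evaluate(host, RULES)
        print(f"{host:24} rules={trace} rights={rights}")
    print("unreachable rules:", dead_rules(RULES))
```

Printing the trace for each client shows which rule produced the final answer, which is the quickest way to confirm that a broad first rule is really being narrowed by the rules after it.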